Does SenderBase function correctly behind NAT?

Available Languages

Download Options

  • PDF     (7.2 KB)
    View with Adobe Reader on a variety of devices
Updated:November 16, 2015
Document ID:118061

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes SenderBase and its functionality behind Network Address Translation (NAT) for the Cisco Email Security Appliance (ESA).

Does SenderBase function correctly behind NAT?

SenderBase is an IP-based reputation service that assigns SenderBase Reputation Service (SBRS) scores to IP addresses. SenderBase scores range from -10 to +10, which reflects the likelihood that a sending IP address tries to send spam. Highly negative scores indicate senders who are very likely to be sending spam; highly positive scores indicate senders who are unlikely to be sending spam.

The SMTP listener on an ESA does SBRS score queries using DNS queries based on the IP address of the incoming TCP connection.  If the IP address that the email appliance sees is the "real" address of the sender, then SBRS functions as expected.

Note: If a firewall uses NAT for the source IP address, it will not insert a new message header that contains the original source IP address. Without a message header that contains the original IP address, the Incoming Relay feature will not work. Without the header information for the source IP address, the ESA cannot determine the original source IP address.

Most enterprises that use NAT do so in order to hide internal addresses from the Internet (or because they do not have sufficient IP addresses to operate without a NAT or NAPT function). In those cases, SenderBase works successfully because the IP address of the external sender is not modified in any way.

Some enterprises with more complex network topologies do network address translation or proxy connections towards the inside of their networks. In those cases, SenderBase queries will not work properly and should be disabled on the incoming listener. (From the CLI, listenerconfig > edit > setup.)

If you have any doubt whether the addresses are being converted or not or whether connections are being proxied, simply examine the mail_logs file (use a CLI command such as tail mail_logs). This shows you each incoming connection to each listener, and you will quickly be able to see whether the IP addresses the ESA sees are from the general Internet or not.

Note: Be careful to look only at connections to Public or Inbound listeners on the ESA mail logs.

Related Information

Revision History

Revision Publish Date Comments
1.0
16-Nov-2015
Initial Release
TAC Authored

Contributed by Cisco Engineers

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products