ESA FAQ: What is a mail flow policy?

Available Languages

Updated:August 7, 2014
Document ID:118179

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes what a mail flow policy is on the Email Security Appliance (ESA), and the actions that are associated to a mail flow policy.

What is a mail flow policy?

A mail flow policy allows you to control or limit the flow of email messages from a sender to the listener during the SMTP conversation. You control SMTP conversations by defining the following types of parameters in the mail flow policy:

  • Connection parameters, such as maximum number of messages per connection.
  • Rate limiting parameters, such as maximum number of recipients per hour.
  • Modify custom SMTP codes and responses communicated during the SMTP conversation.
  • Enable spam detection.
  • Enable virus protection.
  • Encryption, such as using TLS to encrypt the SMTP connection.
  • Authentication parameters, such as using DKIM to verify incoming mail.

Mail flow policies perform one of the following actions on connections from remote hosts:

  • ACCEPT. Connection is accepted, and email acceptance is then further restricted by listener settings, including the Recipient Access Table (RAT)(for public listeners).
  • REJECT. Connection is initially accepted, but the client attempting to connect gets a 4XX or 5XX SMTP status code. No email is accepted.

Note: You can also configure AsyncOS to perform this rejection at the message recipient level (RCPT TO), rather than at the start of the SMTP conversation. Rejecting messages in this way delays the message rejection and bounces the message, allowing AsyncOS to retain more detailed information about the rejected messages. This setting is configured from the CLI listenerconfig > setup command.

  • TCPREFUSE. Connection is refused at the TCP level.
  • RELAY. Connection is accepted. Receiving for any recipient is allowed and is not constrained by the RAT.
  • CONTINUE. The mapping in the Host Access Table (HAT) is ignored, and processing of the HAT continues. If the incoming connection matches a later entry that is not CONTINUE, that entry is used instead. The CONTINUE rule is used to facilitate the editing of the HAT in the GUI.

Keep in mind, mail flow policies are at the beginning of the email pipeline, so these parameters are applied as remote hosts attempt to establish connections with the ESA.

Mail flow policies differ from Incoming and Outgoing Mail Policies, which define anti-spam, anti-virus, virus outbreak, and content filter parameters to be applied to mail received from or destined for specified domains, groups of email addresses or specific email addresses.

The default mail flow policies can be modified and new mail flow policies can be defined.

There are four default mail flow policies defined on public listeners:

  • ACCEPTED
  • BLOCKED
  • THROTTLED
  • TRUSTED

Private listeners use the following mail flow policies:

  • ACCEPTED
  • BLOCKED
  • RELAYED

Related Information

Revision History

Revision Publish Date Comments
1.0
07-Aug-2014
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Nasir Shakour and Robert Sherwin
    Cisco TAC Engineers.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products