This document describes how to alter an entry in the Host Access Table (HAT), or add the sending server's IP address to it, so that mail from a whitelisted domain is actually handled by the intended sender group.
I have added the domain example.com to the WHITELIST sender group; why is it not working?
On the Cisco Email Security Appliance (ESA), you may have added the domain example.com to your WHITELIST sender group, yet messages received from example.com are still not treated as belonging to that sender group.
Simply adding a domain name to the HAT does not work, because the HAT matches on the connecting host's hostname and IP address, not on the sender's domain (the envelope sender or From address). Remember, you are configuring a Host Access Table, not a domain access table.
Check the ESA mail logs to confirm that the connecting host you want to whitelist has a hostname that ends with the domain example.com. If it does, change your HAT entry from 'example.com' (which matches only a host named exactly example.com) to '.example.com'.
The leading dot turns the entry into a partial-hostname match: it matches every connecting host whose verified DNS PTR name ends with .example.com.
For instance, it matches mx0.example.com as well as cluster1.mx1.example.com.
The system obtains and verifies the remote host's hostname by performing a double DNS lookup. This consists of a reverse DNS (PTR) lookup on the IP address of the connecting host, followed by a forward DNS (A) lookup on the hostname returned by the PTR lookup. The system then checks that the addresses returned by the A lookup include the connecting IP address. If they do not match, or if no A record exists, the hostname is treated as unverified and the system uses only the IP address to match entries in the HAT. This is what stops a sender from whitelisting itself with a forged PTR record.
If the hostname does not end with example.com (or the host has no verifiable reverse DNS), add the IP address of the connecting mail server directly to the HAT instead. That IP address is recorded in the mail logs as well.
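To make the matching rules above concrete, here is an added Python model of the procedure (this is illustrative code written for this article, not the ESA's own implementation). It performs the double DNS lookup against a constructed, in-memory resolver table (the IP addresses and hostnames are documentation examples, not real records), then walks an ordered HAT and reports which sender group a connecting IP lands in. It shows why the entry 'example.com' never matches mx0.example.com, why '.example.com' does, why a forged PTR record still falls through to IP-only matching, and how an explicit IP or CIDR entry covers a host with no usable reverse DNS. The HAT is modelled as a list of (sender group, entries) pairs evaluated in order, with a catch-all ALL group as the default; the CIDR support is an assumption about how you would write such an entry and is not taken from this article.

```python
import ipaddress

# Constructed sample DNS data for the example (not real records).
# PTR: IP address -> reverse DNS name.  198.51.100.5 carries a forged PTR
# that claims to be mx0.example.com but is not confirmed by the A record.
PTR_RECORDS = {
    "192.0.2.10": "mx0.example.com",
    "192.0.2.11": "cluster1.mx1.example.com",
    "192.0.2.12": "mail.example.net",
    "198.51.100.5": "mx0.example.com",
}
# A: hostname -> list of forward-resolved IP addresses.
A_RECORDS = {
    "mx0.example.com": ["192.0.2.10"],
    "cluster1.mx1.example.com": ["192.0.2.11"],
    "mail.example.net": ["192.0.2.12"],
}
# 203.0.113.7 has no PTR record at all.


def verified_hostname(ip):
    """Double DNS lookup: PTR on the IP, then A on the result.

    Returns the hostname only if the A lookup confirms the connecting IP;
    otherwise None, meaning the HAT may use the IP address only.
    """
    host = PTR_RECORDS.get(ip)
    if host is None:
        return None
    if ip not in A_RECORDS.get(host, []):
        return None
    return host


def entry_matches(entry, ip, host):
    """Does one HAT entry match a connection from ip with verified hostname host?"""
    # An IP literal or CIDR block matches on the address regardless of DNS.
    try:
        network = ipaddress.ip_network(entry, strict=False)
        return ipaddress.ip_address(ip) in network
    except ValueError:
        pass  # not an address, treat it as a hostname entry
    if host is None:
        return False  # unverified reverse DNS: hostname entries cannot match
    entry, host = entry.lower(), host.lower()
    if entry.startswith("."):
        return host.endswith(entry)  # partial hostname: any host under the domain
    return host == entry  # plain name: exactly this host and nothing else


def sender_group_for(hat, ip):
    """Return the first sender group in the ordered HAT whose entries match."""
    host = verified_hostname(ip)
    for group, entries in hat:
        if any(entry_matches(e, ip, host) for e in entries):
            return group
    return "ALL"  # default catch-all sender group


# The mistaken configuration: a bare domain name in WHITELIST.
HAT_WRONG = [("WHITELIST", ["example.com"])]
# The corrected configuration: partial hostname plus an explicit IP block
# for a server whose reverse DNS does not end in example.com.
HAT_FIXED = [("WHITELIST", [".example.com", "203.0.113.0/24"])]


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "198.51.100.5", "203.0.113.7"):
        print(ip, verified_hostname(ip),
              "wrong:", sender_group_for(HAT_WRONG, ip),
              "fixed:", sender_group_for(HAT_FIXED, ip))
```

Running it shows mx0.example.com and cluster1.mx1.example.com falling into ALL under the bare 'example.com' entry and into WHITELIST under '.example.com', while the host with the forged PTR stays in ALL in both cases because its hostname never verifies.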