Guest

User Guide for AsyncOS 11.1 for Cisco Cloud Email Security

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

User Guide for AsyncOS 11.1 for Cisco Cloud Email Security

Chapter Title

Accepting or Rejecting Connections Based on Domain Name or Recipient Address

Results

Updated:
April 17, 2018

Chapter: Accepting or Rejecting Connections Based on Domain Name or Recipient Address

Accepting or Rejecting Connections Based on Domain Name or Recipient Address

This chapter contains the following sections:

Overview of Accepting or Rejecting Connections Based on the Recipient’s Address

AsyncOS uses a Recipient Access Table (RAT) for each public listener to manage accept and reject actions for recipient addresses. Recipient addresses include these:

  • Domains
  • Email addresses
  • Groups of email addresses

The System Setup Wizard guides the administrator in configuring at least one public listener (with default values) on the appliance. Configuring a public listener during setup involves specifying default local domains or specific addresses to accept mail. These local domains or specific addresses are the first entries in the RAT for that public listener.

For each public listener, the default entry, “All Other Recipients”, rejects email from all recipients. The administrator defines all local domains for which the appliance accepts messages. Optionally, you can also define specific users for whom the appliance will accept or reject messages. AsyncOS allows you to define acceptable local domains and specific users using the Recipient Access Table (RAT).

You might need to configure a listener to accept messages for multiple domains. For example, if your organization uses the domain currentcompanyname.com and it previously used oldcompanyname.com , then you might accept messages for both currentcompanyname.com and oldcompanyname.com . In this case, include both local domains in the RAT for your public listener.

(Note: the Domain Map feature can map messages from one domain to another. See the Domain Map feature section of the “Configuring Routing and Delivery Features” chapter.)

Overview of the Recipient Access Table (RAT)

The Recipient Access Table defines which recipients are accepted by a public listener. At a minimum, the table specifies the address and whether to accept or reject it.

The Recipient Access Table (RAT) page shows a listing of the entries in the RAT including the order, default action, and whether or not the entry has been configured to bypass LDAP accept queries.

Accessing the RAT using the GUI

GUI

Navigate to Mail Policies > Recipient Access Table (RAT).

Accessing the RAT using the CLI

CLI

Use the listenerconfig command with the edit > rcptaccess > new subcommands.

Editing the Default RAT Entry

Before you begin

  • Set up a public listener.
  • Plan edits with caution, ensuring you do not create an open relay on the Internet. An open relay (sometimes called an “insecure relay” or a “third-party” relay) is an SMTP email server that allows third-party relay of email messages. By processing mail that is neither for — nor from — a local user, an open relay makes it possible for an unscrupulous sender to route large volumes of spam through your gateway. By default, the RAT rejects all recipients to prevent creation of an open relay.
  • Note that you cannot delete the default entry from the RAT.
    Step 1   Navigate to Mail Policies > Recipient Access Table (RAT).
    Step 2   Click All Other Recipients.

    Domains and Users

    Modifying the Domains For Which to Accept Messages using the RAT

    Use the Mail Policies > Recipient Access Table (RAT) page to configure the local domains and specific users for which the appliance accepts messages. On this page, you can perform the following tasks:

    • Add, delete, and modify entries in the RAT.
    • Change the order of the entries.
    • Export RAT entries to a text file.
    • Import RAT entries from a text file. Importing from a text file overwrites the existing entries.

    Adding Domains and Users For Which to Accept Messages

      Step 1   Navigate to the Mail Policies > Recipient Access Table (RAT) page.
      Step 2   Choose the listener to edit in the Overview for Listener field.
      Step 3   Click Add Recipient.
      Step 4   Select an order for the entry.
      Step 5   Enter the recipient address.
      Step 6   Choose to accept or reject the recipient.
      Step 7   (Optional) Choose to bypass LDAP acceptance queries for the recipient.
      Step 8   (Optional) Use a custom SMTP response for this entry.
      1. Select Yes for Custom SMTP Response.
      2. Enter an SMTP response code and text. Include the SMTP response to the RCPT TO command for the recipient.
      Step 9   (Optional) Choose to bypass throttling by selecting Yes for Bypass Receiving Control.
      Step 10   Submit and commit your changes.

      Defining Recipient Addresses

      The RAT allows you to define a recipient or group of recipients. Recipients can be defined by full email address, domain, partial domain, username, or IP address:

      [IPv4 address]

      Specific Internet Protocol version 4 (IPv4) address of the host. Note that the IP address must be between the “ [] ” characters.

      [IPv6 address]

      Specific Internet Protocol version 6 (IPv6) address of the host. Note that the IP address must be between the “ [] ” characters.

      division.example.com

      Fully-qualified domain name.

      .partialhost

      Everything within the “partialhost” domain.

      user@domain

      Complete email address.

      user@

      Anything with the given username.

      user@[IP_address ]

      Username at a specific IPv4 or IPv6 address. Note that the IP address must be between the “ [] ” characters.

      Note that “ user@IP_address ” (without the bracket characters) is not a valid address. The system will append the brackets when it receives the message to create a valid address, which could affect whether a recipient is matched in the RAT.


      Note
      When you add a domain to the Recipient Access Table in step 4 of the System Setup Wizard in the GUI (see Step 3: Network), you might want to consider adding a second entry to specify subdomains. For example, if you type the domain example.net , you might also want to enter .example.net . The second entry ensures that mail destined for any subdomain of example.net will match in the Recipient Access Table. Note that only specifying .example.com in the RAT will accept for all subdomains of .example.com but will not accept mail for complete email address recipients without a subdomain (for example joe@example.com).

      Bypassing LDAP Accept for Special Recipients

      If you configure LDAP acceptance queries, you may wish to bypass the acceptance query for certain recipients. This feature can be useful if there are recipients for whom you receive email which you do not want to be delayed or queued during LDAP queries, such as customercare@example.com .

      If you configure the recipient address to be rewritten in the work queue prior to the LDAP acceptance query, (such as aliasing or using a domain map), the rewritten address will not bypass LDAP acceptance queries. For example you use an alias table to map customercare@example.com to bob@example.com and sue@example.com . If you configure bypassing LDAP acceptance for customercare@example.com , an LDAP acceptance query is still run for bob@example.com and sue@example.com after the aliasing takes place.

      To configure bypassing LDAP acceptance via the GUI, select Bypass LDAP Accept Queries for this Recipient when you add or edit the RAT entry.

      To configure bypassing LDAP acceptance queries via the CLI, answer yes to the following question when you enter recipients using the listenerconfig -> edit -> rcptaccess command: 

      Would you like to bypass LDAP ACCEPT for this entry? [Y]> y

      When you configure a RAT entry to bypass LDAP acceptance, be aware that the order of RAT entries affects how recipient addresses are matched. The RAT matches the recipient address with the first RAT entry that qualifies. For example, you have the following RAT entries: postmaster@ironport.com and ironport.com. You configure the entry for postmaster@ironport.com to bypass LDAP acceptance queries, and you configure the entry for ironport.com for ACCEPT. When you receive mail for postmaster@ironport.com, the LDAP acceptance bypass will occur only if the entry for postmaster@ironport.com is before the entry for ironport.com. If the entry for ironport.com is before the postmaster@ironport.com entry, the RAT matches the recipient address to this entry and applies the ACCEPT action.

      Bypassing Throttling for Special Recipients

      For recipient entries, you can specify that the recipient bypasses throttling control mechanisms enabled on the listener.

      This feature is useful if there are certain recipients for whom you do not want to limit messages. For example, many users will want to receive email for the address “ postmaster@domain ” on a listener, even if the sending domain is being throttled based on the receiving control defined in mail flow policies. Specifying this recipient to bypass receiving control in a listener’s RAT allows the listener to receive unlimited messages for the recipient “ postmaster@domain ” while retaining mail flow policies for other recipients in the same domain. Recipients will avoid being counted against the recipients-per-hour counter maintained by the system if the sending domain is being limited.

      To specify certain recipients to bypass receiving control via the GUI, select Yes for the “Bypass Receiving Control” setting when adding or editing a RAT entry:

      To specify certain recipients to bypass receiving control via the CLI, answer yes to the following question when you enter recipients using the listenerconfig > edit > rcptaccess command: 

      Would you like to bypass receiving control for this entry?  [N]> y

      Rearranging the Order of Domains and Users in the Recipient Access Table

        Step 1   Navigate to the Mail Policies > Recipient Access Table (RAT) page.
        Step 2   Choose the listener to edit in the Overview for Listener field.
        Step 3   Click Edit Order.
        Step 4   Change the order by arranging the values in the Order column.
        Step 5   Submit and commit your changes.

        Exporting the Recipient Access Table to an External File

          Step 1   Navigate to the Mail Policies > Recipient Access Table (RAT) page.
          Step 2   Choose the listener to edit in the Overview for Listener field.
          Step 3   Click Export RAT.
          Step 4   Enter a file name for the exported entries.

          This is the name of the file that will be created in the configuration directory on the appliance.

          Step 5   Submit and commit your changes.

          Importing the Recipient Access Table from an External File

          When you import Recipient Access Table entries from a text file, all of the existing entries are removed from the Recipient Access Table.

            Step 1   Navigate to the Mail Policies > Recipient Access Table (RAT) page.
            Step 2   Choose the listener to edit in the Overview for Listener field.
            Step 3   Click Import RAT.
            Step 4   Select a file from the list.

            AsyncOS lists all text files in the configuration directory on the appliance.

            Step 5   Click Submit.

            A warning message displays asking you to confirm that you want to remove all of the existing Recipient Access Table entries.

            Step 6   Click Import.
            Step 7   Commit your changes.

            You can place “comments” in the file. Lines that begin with a ‘#’ character are considered comments and are ignored by AsyncOS. For example:



            Example: 
            # File exported by the GUI at 20060530T220526
.example.com  ACCEPT 
ALL  REJECT

            Was this Document Helpful?

            FeedbackFeedback

            Contact Cisco

            Related Support Community Discussions