Connections
|
Maximum message size
|
The
maximum size of a message that will be accepted by this listener. The smallest
possible maximum message size is 1 kilobyte.
|
Maximum concurrent connections from a single IP
|
The
maximum number of concurrent connections allowed to connect to this listener
from a single IP address.
|
Maximum messages per connection
|
The
maximum number of messages that can be sent through this listener per
connection from a remote host.
|
Maximum recipients per message
|
That
maximum number of recipients per message that will be accepted from this host.
|
SMTP Banner
|
Custom SMTP Banner Code
|
The
SMTP code returned when a connection is established with this listener.
|
Custom SMTP Banner Text
|
The
SMTP banner text returned when a connection is established with this listener.
|
Custom SMTP Reject Banner Code
|
The
SMTP code returned when a connection is rejected by this listener.
|
Custom SMTP Reject Banner Text
|
The
SMTP banner text returned when a connection is rejected by this listener.
|
Override SMTP Banner Host Name
|
By default, the
email gateway will include the hostname associated with the interface of the listener when displaying the SMTP banner to remote hosts (for
example: 220- hostname ESMTP ). You may choose to override this banner by entering a different hostname here. Additionally, you may leave the hostname
field blank to choose not to display a hostname in the banner.
|
Rate
Limit for Hosts
|
Max.
Recipients per Hour
|
The
maximum number of recipients per hour this listener will receive from a remote
host. The number of recipients per sender IP address is tracked globally. Each
listener tracks its own rate limiting threshold; however, because all listeners
validate against a single counter, it is more likely that the rate limit will
be exceeded if the same IP address (sender) is connecting to multiple
listeners.
|
Max.
Recipients per Hour Code
|
The
SMTP code returned when a host exceeds the maximum number of recipients per
hour defined for this listener.
|
Max.
Recipients Per Hour Exceeded Text
|
The
SMTP banner text returned when a host exceeds the maximum number of recipients
per hour defined for this listener.
|
Rate
Limit for Sender
|
Max.
Recipients per Time Interval
|
The
maximum number of recipients during a specified time period that this listener
will receive from a unique envelope sender, based on the mail-from address. The
number of recipients is not tracked globally. Each listener tracks its own rate
limiting threshold; however, because all listeners validate against a single
counter, it is more likely that the rate limit will be exceeded if messages
from the same mail-from address are received by multiple listeners.
Select whether to use the default maximum recipients, accept unlimited
recipients, or specify another maximum number of recipients.
Use
the Default Mail Flow Policy settings to specify the maximum number of
recipients and the time interval that will be used by the other mail flow
policies by default. The time interval can only be specified using the Default
Mail Flow Policy.
|
Sender Rate Limit Exceeded Error Code
|
The
SMTP code returned when an envelope exceeds the maximum number of recipients
for the time interval defined for this listener.
|
Sender Rate Limit Exceeded Error Text
|
The
SMTP banner text returned when an envelope sender exceeds the maximum number of
recipients for the time interval defined for this listener.
|
Exceptions
|
If
you want certain envelope senders to be exempt from the defined rate limit,
select an address list that contains the envelope senders. See
Using a List of Sender Addresses for Incoming Connection Rulesfor
more information.
|
Flow Control
|
Use
SenderBase for Flow Control
|
Enable “look ups” to the IP Reputation Service for this listener.
|
Group
by Similarity of IP Addresses: (significant bits 0-32)
|
Used
to track and rate limit incoming mail on a per-IP address basis while managing
entries in a listener’s Host Access Table (HAT) in large CIDR blocks. You
define a range of significant bits (from 0 to 32) by which to group similar IP
addresses for the purposes of rate limiting, while still maintaining an
individual counter for each IP address within that range. Requires “Use
SenderBase” to be disabled. For more information about HAT significant bits,
see
Configuring Routing and Delivery Features.
|
Directory Harvest Attack
Prevention (DHAP)
|
Directory Harvest Attack Prevention: Maximum Invalid Recipients Per Hour
|
The
maximum number of invalid recipients per hour this listener will receive from a
remote host. This threshold represents the total number of RAT rejections and
SMTP call-ahead server rejections combined with the total number of messages to
invalid LDAP recipients dropped in the SMTP conversation or bounced in the work
queue (as configured in the LDAP accept settings on the associated listener).
For more information on configuring DHAP for LDAP accept queries, see
Working with LDAP Queries.
|
Directory Harvest Attack Prevention: Drop Connection if DHAP threshold is
Reached within an SMTP Conversation
|
The email gateway will drop a connection to a host if the threshold of invalid recipients is reached.
|
Max.
Invalid Recipients Per Hour Code:
|
Specify the code to use when dropping connections. The default code is 550.
|
Max.
Invalid Recipients Per Hour Text:
|
Specify the text to use for dropped connections. The default text is “Too many
invalid recipients.”
|
Drop
Connection if DHAP threshold is reached within an SMTP Conversation
|
Enable to drop connections if the DHAP threshold is reached within an SMTP
conversation.
|
Max.
Invalid Recipients Per Hour Code
|
Specify the code to use when dropping connections due to DHAP within an SMTP
conversation. The default code is 550.
|
Max.
Invalid Recipients Per Hour Text:
|
Specify the text to use when dropping connections due to DHAP within an SMTP
conversation.
|
Spam
Detection
|
Anti-spam scanning
|
Enable anti-spam scanning on this listener.
|
Virus Detection
|
Anti-virus scanning
|
Enable the anti-virus scanning on this listener.
|
Sender Domain Reputation Verification
|
Sender Domain Reputation Verification
|
Enable sender domain reputation verification.
|
Encryption and
Authentication
|
TLS
|
Deny,
Prefer, or Require Transport Layer Security (TLS) in SMTP conversations for
this listener.
If you select Preferred, you can make TLS mandatory for envelope senders from a specific domain or with a specific email
address by selecting an Address List that specifies those domains and email addresses. When an envelope sender matching a
domain or address in this list tries to send a message over a connection that does not use TLS, the
email gateway rejects the connection and the sender will have to try again using TLS.
The Verify Client Certificate option directs the
email gateway to establish a TLS connection to the user’s mail application if the client certificate is valid. If you select this option
for the TLS Preferred setting, the
email gateway still allows a non-TLS connection if the user doesn’t have a certificate, but rejects a connection if the user has an invalid
certificate. For the TLS Required setting, selecting this option requires the user to have a valid certificate in order for
the
email gateway to allow the connection.
For
information on creating an address list, see
Using a List of Sender Addresses for Incoming Connection Rules.
For
information on using client certificates for TLS connections, see
Establishing a TLS Connection from the Email Gateway.
|
SMTP
Authentication
|
Allows, disallow, or requires SMTP Authentication from remote hosts connecting
to the listener. SMTP Authentication is described in detail in the “LDAP
Queries” chapter.
|
If
Both TLS and SMTP Authentication are enabled:
|
Require TLS to offer SMTP Authentication.
|
Domain Key/ DKIM Signing
|
Enable Domain Keys or DKIM signing on this listener (ACCEPT and RELAY only).
|
DKIM
Verification
|
Enable DKIM verification.
|
S/MIME Decryption and
Verification
|
S/MIME Decryption/Verification
|
- Enable S/MIME decryption
or verification.
- Choose whether to retain
or remove the digital signature from the messages after S/MIME verification.
For triple wrapped messages, only the inner signature is retained or removed.
|
S/MIME Public Key
Harvesting
|
S/MIME Public Key Harvesting
|
Enable S/MIME public key harvesting.
|
Harvest Certificates on Verification Failure
|
Choose whether to harvest public keys if the verification of the incoming
signed messages fail.
|
Store
Updated Certificate
|
Choose whether to harvest updated public keys.
|
SPF/SIDF Verification
|
Enable SPF/SIDF Verification
|
Enable SPF/SIDF signing on this listener. For more information, see
Email Authentication.
|
Conformance Level
|
Set
the SPF/SIDF conformance level. You can choose from SPF, SIDF or SIDF
Compatible. For details, see
Email Authentication.
|
Downgrade PRA verification result if 'Resent-Sender:' or 'Resent-From:' were
used:
|
If
you choose a conformance level of SIDF compatible, configure whether you want
to downgrade Pass result of the PRA Identity verification to None if there are
Resent-Sender: or Resent-From: headers present in the message. You may choose
this option for security purposes.
|
HELO
Test
|
Configure whether you want to perform a test against the HELO identity (Use
this for SPF and SIDF Compatible conformance levels).
|
DMARC Verification
|
Enable DMARC Verification
|
Enable DMARC verification on this listener. For more information, see
DMARC Verification.
|
Use
DMARC Verification Profile
|
Select the DMARC verification profile that you want to use on this listener.
|
DMARC
Feedback Reports
|
Enable sending of DMARC aggregate feedback reports.
For
more information about DMARC aggregate feedback report, see
DMARC Aggregate Reports.
Note
|
DMARC specification requires the feedback report messages to be DMARC
compliant. Make sure that these messages are DKIM signed or you must publish
appropriate SPF records.
|
|
Untagged Bounces
|
Consider Untagged Bounces to be Valid
|
Applies only if bounce verification tagging (discussed in the “Configuring Routing and Delivery Features” chapter) is enabled.
By default, the appliance considers untagged bounces invalid and either rejects the bounce or adds a custom header, depending
on the Bounce Verification settings. If you choose to consider untagged bounces to be valid, the
email gateway accepts the bounce message.
|
Envelope Sender DNS Verification
|
|
See
Verifying Senders.
|
Exception Table
|
Use
Exception Table
|
Use
the sender verification domain exception table. You can only have one exception
table, but you can enable it per mail flow policy. See
Sender Verification Exception Table
for more information.
|