01-10-2018 05:47 AM - edited 03-08-2019 07:31 PM
We have a lot of applications sending email through the ESA Relay interface to the outgoing internet interface. We are now in the process of setting SPF, DKIM and DMARC for all our domains (1000+), but we noticed that a lot of email is sent with unknown or fake (developers have a lot of fantasy) or internal domains. These emails must be blocked, but we wonder what the best approach is to this problem.
I've looked at the Sender Verification Exception Table, which looks like how the RAT is functioning for incoming traffic, but I wonder if there is any other better approach to this problem.
Any better solution?
01-10-2018 06:03 AM
01-10-2018 06:15 AM
Do you have any advice what mechanism to use?
Do you have Sender Verification enabled on the Relay interface?
With the use of the sender verification exception table?
01-10-2018 07:06 AM
When envelope sender verification is enabled on a mail flow policy, AsyncOS performs an MX record query for the domain of the sender address. AsyncOS then performs an A record lookup based on the result of the MX record lookup. If the DNS server returns “NXDOMAIN” (there is no record for this domain), AsyncOS treats that domain as non-existent.
However, if the DNS server returns “SERVFAIL,” it is categorized as “Envelope Senders whose domain does not resolve.” SERVFAIL means that the domain does exist but DNS is having transient problems looking up the record.
The exception table is used to add domains to it for which you would like to bypass the envelope sender verification.
Ideally this check is used on inbound connections; since the relay policy would be used for your internal trusted servers, validating their DNS records would not be of much help.
Regards,
Libin Varghese
01-10-2018 07:56 AM
That means that sender verification is not the way to go for blocking rogue domains on our relay interface. Problem is that we have a huge amount of servers/applications allowed to use the relay interfaces. How can we block any domain not on our "domain list" from escaping to the internet?
Must we build an Outgoing Content Filter based on Envelope Sender? I'm searching for the equivalent of the RAT but for outgoing traffic.
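Before enforcing a block on the relay listener, it helps to know which sender domains would be hit. The following is an added example, not part of the thread or of any Cisco tooling: it audits envelope senders in log text against a domain allow-list. It assumes log lines of the form `MID … ICID … From: <…>`; the sample lines and the allow-list are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the assumed mail-log layout (not real traffic).
SAMPLE_LOG = """\
Info: MID 1001 ICID 501 From: <billing@example.com>
Info: MID 1002 ICID 502 From: <noreply@app.internal.lan>
Info: MID 1003 ICID 503 From: <alerts@Mail.Example.org>
Info: MID 1004 ICID 504 From: <>
Info: MID 1005 ICID 505 From: <test@totally-made-up.test>
Info: MID 1006 ICID 506 From: <cron@app.internal.lan>
Info: MID 1007 ICID 507 From: <x@notexample.com>
"""

# Assumed allow-list: the domains you publish SPF/DKIM/DMARC for.
ALLOWED = {"example.com", "example.org"}

FROM_RE = re.compile(r"MID (\d+) ICID \d+ From: <([^>]*)>")

def domain_allowed(domain, allowed=ALLOWED, include_subdomains=True):
    """True if domain is listed, or (optionally) a subdomain of a listed entry."""
    domain = domain.lower().rstrip(".")
    if domain in allowed:
        return True
    # Match on a label boundary so notexample.com does not pass as example.com.
    return include_subdomains and any(domain.endswith("." + d) for d in allowed)

def audit(log_text, allowed=ALLOWED):
    """Return a Counter of envelope-sender domains that are not on the allow-list."""
    rogue = Counter()
    for _mid, sender in FROM_RE.findall(log_text):
        if not sender:            # null sender <> is a bounce/DSN, not a rogue domain
            continue
        _local, at, domain = sender.rpartition("@")
        if not at or not domain:  # address without a domain part
            rogue["(no domain)"] += 1
        elif not domain_allowed(domain, allowed):
            rogue[domain.lower()] += 1
    return rogue

if __name__ == "__main__":
    for domain, count in audit(SAMPLE_LOG).most_common():
        print(f"{count:5d}  {domain}")
```

The resulting list shows which applications need fixing first, and the same allow-list can then feed whatever outgoing filter is chosen.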