Cisco ESA dns verification

ccna_security · ‎12-16-2019

Dear all.

is there any way to send email to quarantine if email was not being verified by Envelop Sender DNS verification? User complained that he didn't get email from xxx.com domain. when I looked at logs observed that domain was not verified by dns verification and rejected. I want to send that rejected emails to quarantine in case of DNS verification failure.

marc.luescherFRE · ‎12-16-2019

PTR validation is happening when a session is established from the remote server to your ESA. To safe processing cycles on the ESA the session is dropped with either one of the three error codes and no further processing is being performed.

It is not possible to capture a copy of failed messages but I think this would be a good feature request.

Sorry there is no better answer but I had similar issues before. The only way we found a get early alerts is to monitor the smtp_logs for those 3 error messages or strings and create an alert when a certain threshold get exceeded.

-Marc

ccna_security · ‎12-16-2019

Hi marc.luescherFRE

as we get several email dropped due to Verification, we only applied that feature only SUSPECTED Mail Policy. do you think it is OK?

marc.luescherFRE · ‎12-16-2019

It is always a compromise to deal with email security.

In our case making sure that all patient emails can be delivered is the most important goal. That limits my possibilities to enforce some TLS and DMARC restrictions.

I like your idea and see this as a good compromise. we created an additional mail policy for such bad PTR records and are reviewing the assigned senders once every 90 days so we can move them up again.

I hope this helps

-Marc

ccna_security · ‎12-16-2019

Dear Marc. Actually i didnt understand clearly. I enabled verification in suspected (-3,-1) mail policy. I want to know that whether it is enough

marc.luescherFRE · ‎12-16-2019

Hi there,

that will work if the hosts fall into the suspected range.

-Marc

ccna_security · ‎12-17-2019

Thanks Marc.