08-01-2019 11:43 PM
Hi. I am testing bounce verification on the ESA. I googled how to do that and found these commands to test bounce verification functionality.
- Connecting to ESA using telnet: I connected to the ESA via telnet and wrote the commands below
telnet esa.example.com 25
Trying 192.168.1.254...
Connected to mail.texno.com
Escape character is '^]'.
220 mail.texno.com ESMTP
helo
250 mail.texno.com
- MAIL FROM command with null sender address
mail from: <>
250 sender <> ok
rcpt to: frnak@texno.com
550 #5.1.0 Rejected by bounce verification. (It is ok. I thought that my configuration works )
- MAIL FROM command with MAILER-DAEMON@test.com
mail from: MAILER-DAEMON@test.com
250 sender <MAILER-DAEMON@test.com> ok
rcpt to: frnak@texno.com
250 recipient <frnak@texno.az> ok (Shouldn't it show "Rejected by bounce verification")
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118466-qa-esa-00.html
Accepted Solutions

08-04-2019 07:37 PM
Hey Ccns90
Thank you for bringing this article to my attention.
I believe the article is inaccurate and we should not treat the email with MAILER-DAEMON@domain.com as a bounce event but as a standard envelope sender hence why it is allowed.
The ESA will treat envelope sender with a null value <> as a bounce email and without a proper address tagging it will be dropped due to bounce verification.
I will have this article updated.
Regards,
Mathew
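The decision described in this answer, as an added example that is not part of the original thread and not Cisco's code: a simplified Python model of which RCPT TO commands bounce verification rejects. The `bv=` tag layout, the key and the function names are invented for the illustration and do not reproduce the ESA's actual tag format.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed stand-in for the address tagging key


def _mac(addr, key):
    return hmac.new(key, addr.lower().encode(), hashlib.sha256).hexdigest()[:10]


def tag_sender(addr, key=KEY):
    """Outbound mail: rewrite the envelope sender so it carries a keyed tag."""
    local, domain = addr.rsplit("@", 1)
    return f"bv={local}={_mac(addr, key)}@{domain}"


def untag(rcpt, key=KEY):
    """Return the original address if rcpt carries a valid tag, else None."""
    local, _, domain = rcpt.rpartition("@")
    parts = local.split("=")
    if len(parts) != 3 or parts[0] != "bv":
        return None  # untagged recipient
    addr = f"{parts[1]}@{domain}"
    return addr if hmac.compare_digest(parts[2], _mac(addr, key)) else None


def rcpt_reply(mail_from, rcpt_to, untagged_bounces_valid=False):
    """SMTP reply code to RCPT TO under this model."""
    sender = mail_from.strip().strip("<>")
    if sender:
        # Any non-null envelope sender, MAILER-DAEMON@... included, is
        # ordinary mail and is not subject to bounce verification.
        return 250
    # Null sender <> means a bounce: the recipient must be an address this
    # system tagged on the way out, unless untagged bounces are allowed.
    if untagged_bounces_valid or untag(rcpt_to) is not None:
        return 250
    return 550


if __name__ == "__main__":
    # The two probes from the original post, plus a correctly tagged bounce.
    for frm, to in [("<>", "frnak@texno.com"),
                    ("MAILER-DAEMON@test.com", "frnak@texno.com"),
                    ("<>", tag_sender("frnak@texno.com"))]:
        print(f"MAIL FROM:{frm} RCPT TO:{to} -> {rcpt_reply(frm, to)}")
```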

08-04-2019 08:35 PM
Hi Mathew
So I properly configured bounce verification, right?

08-04-2019 08:42 PM
Yep your setup is correct if it is rejecting null envelope sender.
Please ensure that after you enabled bounce verification tagging key and on the destination controls, you have also enabled it on the relevant mail flow policies if not yet already done.
Regards,
Mathew
08-04-2019 08:46 PM
Thank you for warning me. I have configured it on destination controls, not on mail policies. Could you please tell me which mail policy I should apply it to? I have 5 mail policies.

08-04-2019 08:56 PM
Bounce Verification is enabled at the mail flow policy level.
This means in GUI -> Mail Policies -> HAT Overview (or Mail Flow Policies) you need to make sure you enable it on the flow chosen.
Most emails would (by default) match the UNKNOWNLIST due to SBRS matching, but you can configure it on selective mail flow policy to your security requirement.
08-04-2019 09:21 PM
Do you think it would be enough to apply only to Unknown mail flow policy?
I am going to configure SPF as well and am not sure which mail flow policy it should be applied to.
08-04-2019 09:38 PM
By the way, I looked at the configuration in mail flow policies and there is no bounce verification line to enable. Only "Consider Untagged Bounces to be Valid" is shown, with "Use Default (No)", "Yes" and "No" choices. I chose "Use Default (No)".

08-04-2019 09:44 PM
Sorry for the late reply.
To the other query:
Do you think it would be enough to apply only to Unknown mail flow policy?
I am going to configure spf as well and not sure which mail flow policy it should be applied.
* Typically UNKNOWNLIST is fine, I would also put it into suspectlist as there can be instances of a potential spamming mail server trying to initiate a bounce-storm.
Consider untagged bounces as valid -> No is the bounce verification feature, if you have set this then you're all good.
The only other requirement is the address tagging to be configured in GUI > Mail Policies > Destination Controls.
08-04-2019 09:41 PM - edited 08-04-2019 09:42 PM
Hi Ccns90,
I have checked on the same and could see that I am having similar results.
As informed by Mathew, it seems that the article needs to be corrected and we will work towards the same to get it updated.
Thank you for bringing this up to our notice.
Highly appreciated.
Regards,
Pratham
08-04-2019 09:55 PM
Thanks for your help, I really appreciate it. Could you please tell me the difference between "Use Default (No)" and "No"? In the bounce verification field I chose "Use Default (No)".
08-04-2019 10:35 PM
Thank you for your query.
The values "Use Default (No)" and "No" are the same.
"Use Default (No)" means that if we are not selecting any option between "Yes" or "No" the ESA appliance takes the value as "No" by default.
I hope that answers your query.
Regards,
Pratham

08-04-2019 10:57 PM
Default (No) means it's inheriting the settings from the Default Policy Parameters.
Where "No" alone means, override the default parameters with this setting.
In your circumstance, both No will mean the same.
(If you go to the GUI > Mail Policies > Mail flow Policies you will see Default Policy Parameters).
08-04-2019 11:29 PM
