11-10-2009 08:32 PM
What is everyone's thoughts/experience with trying to enforce valid FROM e-mail addresses? I work for an organization of 16,000 users, and currently any IT person can write a script to send e-mail FROM any address, even an invalid one. The problem that I'm seeing is that this e-mail has no valid place to bounce back to if it fails to deliver for whatever reason. This has caused everything from thousands of e-mails queued up on our appliances that have no place to deliver to, to the IT person not being able to track down a simple delivery failure because it couldn't come back to their mailbox. The big concern that I have is when e-mail leaves our environment with an invalid FROM address; I'm guessing this can't be good for our sender reputation. Any thoughts? Do I try to enforce valid FROM/Sender e-mail addresses?
Thanks and LONG LIVE THE NATION!
11-12-2009 07:39 PM
If you do, you may find a lot of automated applications aren't using valid from fields.
11-12-2009 07:54 PM
I've already found them and yeah, it's ugly. I'm just wondering if I clean it up or look the other way. I want to clean it up and have a good opportunity to do so, but I'm just wondering what everyone else's thoughts/experience is. I'm concerned that at some point we will get blacklisted because some automated program sent a million e-mails to the wrong external domain, and all eyes fall upon me and they say why did the IronPort appliances allow this???
11-13-2009 03:27 AM
In a way, your first target is to, at least, enforce that outgoing (relay) mails originate from your own domains, right?
So at least they don't bounce back to domains you do not own.
So you can try a header-dictionary-match on mail-from and do something (drop/modify/archive?).
If you cannot drop them, I'd also set up a lame MTA to process them, i.e. alt-mailhost these "less-legitimate" messages and let the lame MTA have all the bad reputation.
11-13-2009 08:12 AM
In a way, your first target is to, at least, enforce that outgoing (relay) mails originate from your own domains, right?
11-13-2009 10:10 AM
In a way, your first target is to, at least, enforce that outgoing (relay) mails originate from your own domains, right?
To do exactly this I'm considering using a message filter; it could just use my RAT or SMTP Routes, so I wouldn't have to change the filter every time we add or delete a domain.
Any idea?
11-13-2009 10:13 AM
Yes, that would be nice; unfortunately, not all domains in our case have LDAP.
11-29-2010 01:19 PM
Just checking to see if there have been any further developments on this topic from Cisco/IronPort.
I took over an installation that had 200+ domains that we hosted, and I'm narrowing that down to one. Due to the number of e-mail domains we had, the IronPort appliances were originally configured to basically allow anything from our internal network to be delivered. Now that we have consolidated down to only a handful of e-mail domains, I am starting to clean this up.
Currently I am just using mail policies that do an LDAP lookup on the sender address, and then in a policy following that I use a content filter on the Sender header. Any sent e-mail that misses the LDAP lookup is invalid, and then I have a content filter on the following policy looking for that same domain. If the content filter has any hits, the sender must not have been in LDAP and is thus invalid.
I also have some e-mail domains that are sending e-mail via my appliances that I don't have access to LDAP for, and I guess I could use the "Envelope Sender matches dictionary content" method.
The challenge that I'm starting to find, though, is if someone has 'forwarding' turned on for an account. Still working to find a way to resolve that.
Anyway, wanted to send the discussion to the top and see if anyone else out there was fighting the good fight.
Long live the Nation!
Jason
12-01-2010 05:01 AM
Hello Jason,
another possibility for using LDAP for sender verification is described in this knowledge base article, where a public listener is modified to relay outbound messages.
(If anybody cannot access it, please let me know, and I'll post the solution here.) The advantage of this is that messages with invalid senders get bounced right away, before they enter the workqueue, so no filter is needed. The drawback is that it needs to be implemented carefully; otherwise, with a RAT set to "Allow" on anything, a wrong LDAP query could make the appliance an open relay.
Hope that helps,
Andreas
01-14-2011 09:11 PM
Long Live the Nation!
I am wondering if you drop those "invalid"-from mails after you do the LDAP lookup and content filter check.
Any complaints?
As you've already gone this far, and in your environment, it seems you can do:
if all checks fail
- you can drop it
OR
- you can actually rewrite the return address into one of your dedicated domains (say, blackhole@bounce.yourdomain.com)
- (may need a resent-from or x-original-mailfrom header)
- let these go outbound
- inbound, drop anything to (blackhole@bounce.yourdomain.com)
endif
Chris Lo
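The policy the thread converges on (the 11-13-2009 "enforce your own domains, then alt-mailhost the rest" post, Jason's LDAP-lookup-then-content-filter stage, and Chris Lo's drop-or-rewrite-to-a-blackhole algorithm above) can be modelled end to end as a small decision function before anyone writes filters on the appliance. The following is an added example written for this page; it is not code from the thread, from Cisco, or from AsyncOS. The domain names, the blackhole address, the lame-MTA hostname and the mailbox list are all constructed here; on a real gateway the owned-domain set would come from a dictionary or the RAT and the mailbox check from an LDAP accept query. One caveat the thread does not mention is built in: an empty envelope sender (MAIL FROM:<>) is the null reverse-path that bounces legitimately use, so it must not be counted as an "invalid FROM", or the policy will eat your own DSNs.

```python
"""Model of an outbound sender-validation policy for a mail gateway.

Added illustration only (not IronPort/AsyncOS code). All domains, hosts,
addresses and the mailbox list below are constructed values.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr

# Assumed values: replace with your own domains and a real directory lookup.
OWNED_DOMAINS = {"example.com", "example.org"}          # stands in for RAT / dictionary
BLACKHOLE = "blackhole@bounce.example.com"              # dedicated bounce sink
LAME_MTA = "lame-mta.example.net"                       # host that takes the bad reputation
VALID_MAILBOXES = {"alice@example.com", "jason@example.org"}  # stands in for LDAP


def _split(addr: str):
    """Return (local, domain) for an envelope sender, normalised for comparison.
    An empty sender, written as <> in SMTP, is the null reverse-path used by bounces."""
    if addr.strip() in ("", "<>"):
        return "", ""
    _, spec = parseaddr(addr)
    if "@" not in spec:
        return "", ""
    local, _, domain = spec.rpartition("@")
    return local, domain.lower().rstrip(".")


@dataclass
class Decision:
    action: str                      # "deliver", "alt-mailhost", "rewrite" or "drop"
    mail_from: str                   # envelope sender to use when relaying onward
    headers: dict = field(default_factory=dict)
    reason: str = ""


def outbound_policy(mail_from: str, *, drop_unowned: bool = False) -> Decision:
    local, domain = _split(mail_from)
    # Null sender: a DSN from an internal MTA. It has no return path by design,
    # so it is not an "invalid FROM" and must be let through.
    if domain == "":
        return Decision("deliver", "", reason="null reverse-path (bounce)")
    # Step 1 (the thread's first target): the sender must be in a domain we own,
    # so that any failure can at least bounce back to us.
    if domain not in OWNED_DOMAINS:
        if drop_unowned:
            return Decision("drop", mail_from, reason=f"{domain} not owned")
        return Decision("alt-mailhost", mail_from,
                        headers={"X-Alt-Mailhost": LAME_MTA},
                        reason=f"{domain} not owned; routed to lame MTA")
    # Step 2: the domain is ours, but does the mailbox exist (the LDAP lookup)?
    if f"{local}@{domain}" in VALID_MAILBOXES:
        return Decision("deliver", mail_from)
    # Step 3: an invalid mailbox in our own domain. Rewrite the return path to
    # the blackhole so bounces have somewhere to go, and keep the original for tracing.
    return Decision("rewrite", BLACKHOLE,
                    headers={"X-Original-MailFrom": mail_from},
                    reason=f"{local}@{domain} not in directory")


def inbound_policy(rcpt_to: str) -> str:
    """Inbound side of the blackhole: anything addressed to it is a bounce of mail
    we deliberately orphaned, so drop it instead of queuing or delivering it."""
    _, spec = parseaddr(rcpt_to)
    return "drop" if spec.lower() == BLACKHOLE else "deliver"


if __name__ == "__main__":
    # Constructed sample envelope senders, one per branch of the policy.
    for sender in ["alice@example.com", "Cron Daemon <root@app01.example.local>",
                   "nobody@EXAMPLE.COM.", "<>"]:
        d = outbound_policy(sender)
        print(f"{sender!r:45} -> {d.action:12} MAIL FROM:<{d.mail_from}> {d.reason}")
    print("inbound", BLACKHOLE, "->", inbound_policy(BLACKHOLE))
```

Run as-is to see one message take each branch; flip `drop_unowned=True` to model the "just drop it" variant. The domain comparison lowercases and strips a trailing dot so that `nobody@EXAMPLE.COM.` is still recognised as one of our domains and lands in the rewrite branch rather than being misrouted to the lame MTA.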