Pre-Queue Message Operations on ESA

RoBu
Level 1

Hello all,

 

Until which operation in the ESA workflow (emailrep. -> MailflowPolicy -> AcceptanceControl -> AS/AV -> Filereputation -> ..) is the connection from the sender on hold (Pre-Queue Filtering)?

 

Or when does the sender get the final "250 ok" in the SMTP dialog?

 

Regards

RoBu

3 Replies

RoBu
Level 1

Maybe some explanations for the question:

The German law says that if you accept a message ("250 ok" in the SMTP dialogue), you have to deliver the mail to the postbox, no matter if it's spam or just crap. Other mail solutions receive all the data, do all the checks (AV/AS/RecipientCheck, ...) and, if all checks are done, they accept the mail with a "250 ok" or reject the mail. That means they pre-queue the mails.

 

I checked the ESA mail flow (i.e. https://image.slidesharecdn.com/ciscowebandemailsecurityoverview-150818000102-lva1-app6892/95/cisco-web-and-email-security-overview-25-638.jpg?cb=1458676317) but I can't see when the mail is declared as accepted to the sender. According to the mail logs, the ICID is closed before all checks are done, sometimes after.

 

Thanks for the help!

ICID is the "incoming connection ID". You could be getting many messages on that connection from another mail system, so you can't depend on it as the end of any one message.

Some of the checks happen before the mail is accepted: IP reputation, acceptance query, DMARC/SPF/DKIM.

All of the AV, antispam, antiphishing, etc. and actions based on DMARC/SPF happen in the workqueue.
Once mail is in the workqueue, it has had a 250 sent...
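
A way to check the ICID point above against your own logs, as an added example that is not part of the original thread: it groups messages (MID) by connection (ICID) and reports whether each message's first scan verdict was logged before or after the connection closed. The log lines are constructed (timestamps omitted), and both the line layout and the reading of the "ready" line as the hand-off to the work queue are assumptions about the ESA text mail_logs format.

```python
import re

# Constructed sample; the line layout is assumed to match ESA text mail_logs.
SAMPLE_LOG = """\
Info: New SMTP ICID 501 interface Data1 (192.0.2.10) address 198.51.100.7
Info: Start MID 9001 ICID 501
Info: MID 9001 ready 2048 bytes from <a@example.net>
Info: Start MID 9002 ICID 501
Info: MID 9001 antivirus negative
Info: MID 9002 ready 4096 bytes from <b@example.net>
Info: ICID 501 close
Info: MID 9002 interim verdict using engine: CASE spam negative
Info: MID 9002 antivirus negative
"""

START = re.compile(r"Start MID (\d+) ICID (\d+)")
READY = re.compile(r"MID (\d+) ready \d+ bytes")  # assumed: message handed to the work queue
SCAN = re.compile(r"MID (\d+) (?:antivirus|interim verdict)")
CLOSE = re.compile(r"ICID (\d+) close")

def correlate(log_text):
    """Per MID: owning ICID, and where the first scan verdict falls
    relative to the 'ready' line and to the close of the connection."""
    msgs, closed = {}, {}
    def rec(mid):  # tolerate logs that begin mid-message (e.g. after rotation)
        return msgs.setdefault(int(mid), {"icid": None, "ready": None, "scans": []})
    for pos, line in enumerate(log_text.splitlines()):
        if m := START.search(line):
            rec(m.group(1))["icid"] = int(m.group(2))
        elif m := READY.search(line):
            rec(m.group(1))["ready"] = pos
        elif m := SCAN.search(line):
            rec(m.group(1))["scans"].append(pos)
        elif m := CLOSE.search(line):
            closed[int(m.group(1))] = pos
    report = {}
    for mid, info in msgs.items():
        scan = min(info["scans"], default=None)
        close = closed.get(info["icid"])
        report[mid] = {
            "icid": info["icid"],
            "scan_after_ready": None if None in (scan, info["ready"]) else scan > info["ready"],
            "first_scan_vs_close": None if None in (scan, close)
                                   else ("before" if scan < close else "after"),
        }
    return report

if __name__ == "__main__":
    for mid, row in correlate(SAMPLE_LOG).items():
        print(mid, row)
```

In the sample, both messages share ICID 501, yet one is scanned before the connection closes and the other after, so the close line cannot mark the end of processing for any single message.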


So... in noodling about this, if that law really means what it seems to mean...

 

You have to stamp everything that comes in as SPAM/VIRUS/whatever and deliver it and HOPE that the user does the right thing with it...