Re: Sender authorized Mail FROM

Gregoire LECOMTE · ‎04-27-2009

Hello,

We would like to allow only incoming mails from know sender Mail From address for our internal smtp. (not internet).

Does someone already implement this? what component do you use (dictionnary, content filter, Exception table, ...)?

Thx

kluu_ironport · ‎04-27-2009

Do you have two listeners? One for inbound traffic (e.g. originating from the Internet) and one four outbound traffic (e.g. originating from internal mailservers).

If you do, this would make it much easier to do. Internet traffic is generally considered Inbound Mail (e.g. Incoming listener) and internal traffic is considered Outbound Mail (e.g. Outgoing listener).

If you have this, then click on "Mail Policies > Outgoing Mail Policies". Have two policies.

1. Allowed Sender From Domains
2. Default Policy

On #1, add all the Sender From (mail from:) that you want to allow to relay and deliver.

For #2, set that to drop.

Let me know if you have any questions.

Jason Meyer · ‎05-05-2009

This is something that I have been thinking about lately also... I work with roughly 16,000 mailboxes so I could easily add the domains to an outgoing policy to test for valid domains... but I think glecomte is asking how he can verify that actual FROM address is valid...

In my environment I have lots of web developers and application developers that like to setup scripts to send e-mails from non-existant domains, for the most part these e-mails go through, but if they send the e-mail TO a bad address it bounces back and sits on IronPort...

Any opinions on best ways to stop this? If I setup a filter to test for valid domain I will break the working e-mails... Currently I am monitoring the e-mail that gets stuck on my IronPort boxes and if I see a abnormaly high number I contact the originator of the e-mail and try to explain why sending e-mail FROM a valid address is important...

any thoughts/comments??

mychrislo_ironport · ‎05-06-2009

Under the "RELAYED" policy, you can use the "Use Sender Verification Exception Table" to allow some bad "mail from" to get through...

This is something that I have been thinking about lately also...  I work with roughly 16,000 mailboxes so I could easily add the domains to an outgoing policy to test for valid domains...  but I think glecomte is asking how he can verify that actual FROM address is valid...

In my environment I have lots of web developers and application developers that like to setup scripts to send e-mails from non-existant domains, for the most part these e-mails go through, but if they send the e-mail TO a bad address it bounces back and sits on IronPort...  

Any opinions on best ways to stop this?  If I setup a filter to test for valid domain I will break the working e-mails...  Currently I am monitoring the e-mail that gets stuck on my IronPort boxes and if I see a abnormaly high number I contact the originator of the e-mail and try to explain why sending e-mail FROM a valid address is important...

any thoughts/comments??

kyerramr · ‎05-06-2009

If incoming connections from these app servers are made to match to an accept policy, perform a recipient validation (LDAP). This way message would be rejected at the conversation rather than bouncing after a delivery failure.

kyerramr · ‎05-06-2009

Glecomte,

If you want to validate if mail from address belongs to a valid domain, user Sender Address verification.

Please elaborate if this isn't your requirement.

mychrislo_ironport · ‎05-06-2009

There are practically 4 "meaning" of "valid mail from".

1. RFC822 (or 2822 whatever) compliant ( "My Name@mydomain.com is NOT)

2. a DNS query valid domain (me@nonexist-hotmail.com is NOT, but hotmail.com is valid)

3. a valid internal domain (me@hotmail.com is NOT valid, nonexist@mydomain.com is _still_ valid)

4. a valid LDAP internal user (myemailexist@mydomain.com is valid)

mychrislo_ironport · ‎05-06-2009

If you look for authorization. You need simply SMTP auth. (that's for Glecomte).

rvdwesten_ironport · ‎05-06-2009

You can also use a group query for this, create a mail policy where the sender address must exist in a group and drop() all messages from the default outgoing mail policy.