When combined with an access rule (ACCEPT or REJECT), the parameters listed in Table 5-3 on page 5-9 are predefined as the following four mail flow policies for each public listener you create: • $ACCEPTED
• $BLOCKED • $THROTTLED • $TRUSTED
Step 1 Access the GUI. (See Accessing the GUI, page 2-2.) Step 2 Click Mail Policies > HAT Overview.
The Overview page is displayed. If listeners are configured, the Host Access Table overview page defined for the first alphabetical listener is displayed. Select the desired listener from the Listener list.
Figure 5-11 Predefined Mail Flow Policies for Public Listeners
Step 3 Click the name of a Mail Flow Policy to view the connection behavior and parameters for that policy.
Note By default, C150/160 customers are prompted to create only one public listener during the systemsetup command. Public listeners created on Cisco IronPort C150/160 appliances also include a $RELAYED mail flow policy that is used to relay mail for internal systems (as shown in Figure 5-12). For more information, see RELAYLIST, page 5-30. The $RELAYLIST policy is shown only on private listeners on Cisco IronPort X1050/1060/1070, C650/660/670, and C350/360/370 appliances.
Figure 5-12 Predefined Mail Flow Policies for Single Listener
In this table, “Default” means that the default value as defined by the listener is used.
Table 5-11 Predefined Mail Flow Policies for Public Listeners
Policy Name
Primary Behavior (Access
Rule) Parameters Value
$ACCEPTED
(Used by All)
ACCEPT Maximum messages / session: Maximum recipients / message: Maximum message size:
Maximum concurrent connections: SMTP Banner Code:
SMTP Banner Text: Override Hostname: Use TLS:
Use McAfee virus scanning: Maximum recipients / hour: Maximum rcpt / hour Error Code: Max recipients / hour Text: Use SenderBase: Default Default Default Default Default Default Default Default Default No default Default Default ON
Note: All parameters for the $ACCEPTED policy are user-defined in the CLI systemsetup and listenerconfig commands. Select “y” when prompted with the question:
Would you like to change the default host access policy?
to modify these values. To change these values using the GUI, follow the steps in Figure 5-7Viewing Default Mail Flow Policies, page 5-14.
$BLOCKED REJECT Maximum messages / session: Maximum recipients / message: Maximum message size:
Maximum concurrent connections: SMTP Banner Code:
SMTP Banner Text: Override Hostname: Use TLS:
Use McAfee virus scanning: Maximum recipients / hour: Maximum rcpt / hour Error Code: Max recipients / hour Text: Use SenderBase: N/A N/A N/A N/A Default Default Default N/A N/A N/A N/A N/A N/A
* If enabled.
$ACCEPTED is a named policy, which is the same as the public listener’s default HAT settings. You can assign the $ACCEPTED policy to any sender group you create. (See Adding a New Sender Group, page 5-31 and Connections, page 5-9. See also Working with the HAT, page 5-38).
The final ALL entry in a HAT for a public listener also uses the $ACCEPTED policy as the primary behavior.
Each public listener, by default, has the sender groups and corresponding mail flow policies shown in
Table 5-12 defined by default.
These four basic sender groups and mail flow policies enable a framework for you to begin classifying the email flowing into your gateway on a public listener. In “Using Email Security Monitor” in the Cisco IronPort AsyncOS for Email Daily Management Guide, you will be able to see the real-time flow of email
$THROTTLED ACCEPT Maximum messages / session: Maximum recipients / message: Maximum message size:
Maximum concurrent connections: SMTP Banner Code:
SMTP Banner Text: Override Hostname Use TLS:
Use McAfee virus scanning: Maximum recipients / hour: Maximum rcpt / hour Error Code: Max recipients / hour Text: Use SenderBase:
Envelope Sender DNS Ver:
1 25 10MB 1 Default Default Default Default Default* 20 Default Default ON ON
$TRUSTED ACCEPT Maximum messages / session: Maximum recipients / message: Maximum message size:
Maximum concurrent connections: SMTP Banner Code:
SMTP Banner Text: Override Hostname: Use TLS:
Use McAfee virus scanning: Maximum recipients / hour: Maximum rcpt / hour Error Code: Max recipients / hour Text: Use SenderBase: 5,000 5,000 100 MB 600 Default Default Default Default OFF* -1(Disable) N/A N/A OFF
Table 5-11 Predefined Mail Flow Policies for Public Listeners (Continued)
Policy Name
Primary Behavior (Access
Rule) Parameters Value
Table 5-12 Predefined Sender Groups and Mail Flow Policies for Public Listeners
This Sender Group: Uses this Mail Flow Policy:
WHITELIST $TRUSTED
BLACKLIST $BLOCKED
SUSPECTLIST $THROTTLED
into your gateway and be able to make changes to a listener’s HAT in real-time. (You can add IP addresses, domains, or organizations to an existing sender group, edit the existing or pre-defined policies, or create new mail flow policies.)
WHITELIST
Add senders you trust to the Whitelist sender group. The $TRUSTED mail flow policy is configured so that email from senders you trust has no rate limiting enabled, and the content from those senders is not scanned by the Anti-Spam or Anti-Virus software.
BLACKLIST
Senders in the Blacklist sender group are rejected (by the parameters set in the $BLOCKED mail flow policy). Adding senders to this group rejects connections from those hosts by returning a 5XX SMTP response in the SMTP HELO command.
SUSPECTLIST
The Suspectlist sender group contains a mail flow policy that throttles, or slows, the rate of incoming mail. If senders are suspicious, you can add them to the Suspectlist sender group, where the mail flow policy dictates that:
• Rate limiting limits the maximum number of messages per session, the maximum number of recipients per message, the maximum message size, and the maximum number of concurrent connections you are willing to accept from a remote host.
• The maximum recipients per hour from the remote host is set to 20 recipients per hour. Note that this setting is the maximum throttling available. You can increase the number of recipients to receive per hour if this parameter is too aggressive.
• The content of messages will be scanned by the anti-spam scanning engine and the anti-virus scanning engine (if you have these feature enabled for the system).
• The Cisco IronPort SenderBase Reputation Service will be queried for more information about the sender.
UNKNOWNLIST
The Unknownlist sender group may be useful if you are undecided about the mail flow policy you should use for a given sender. The mail flow policy for this group dictates that mail is accepted for senders in this group, but the Cisco IronPort Anti-Spam software (if enabled for the system), the anti-virus scanning engine, and the Cisco IronPort SenderBase Reputation Service should all be used to gain more information about the sender and the message content. Rate limits for senders in this group are also enabled with default values. For more information on virus scanning engines, see Anti-Virus Scanning, page 8-1. For more information on the SenderBase Reputation Service, see Reputation Filtering, page 7-1.