Mail Gateway recipient filtering
Recipient filtering is a crucial part of modern e-mail filtering. All edge (fronting) mail gateways should know every e-mail account inside the organisation in order to prevent back-scatter. You should therefore always configure the SPG/VSP to do recipient verification.
If you choose not to, you will encounter the following:
- If messages to unknown recipients are not rejected on the front-end, bounces (DSNs) will be generated by the back-end servers instead, and back-scatter (and back-scatter spam) will originate from within your organisation.
- It is also a licensing issue. Halon SPG/VSP is licensed per e-mail recipient, so scanning mail for non-existent recipients will cause you to exceed your license. The users counted against your license can be seen on the Mail Gateway → Reporting → Statistics tab.
Recipient filtering policies are set per Mail Gateway → Domain and are defined with an HSL Mail Recipient flow, configured on the Mail Gateway → Flow → Recipient tab. Recipient flows are executed for each "RCPT TO", and the flow to use is chosen per domain by the Mail Gateway → Domain → Recipient Flow setting.
The recipient flow comes with some pre-configured blocks that should be preferred over custom scripts. The simplest of these, enabled by default, is SMTP Forwarding Verification.
LDAP Verification
An LDAP search is done for the recipient address; depending on your LDAP server you will need to adjust the search configuration (base DN, filter and attribute). See the LDAP documentation for help.
SMTP Forwarding Verification
An SMTP forwarding verification is done against your backend SMTP server: the gateway opens a session and sends MAIL FROM:<> followed by RCPT TO:<user@example.org>, and the backend's reply to the RCPT TO decides whether the recipient is accepted. If Per-Domain is chosen, the server configured under Mail Gateway → Domain → Send To is used for each domain. The result of this verification is cached for 24 hours.
If you choose this method you must verify that the backend server actually rejects unknown recipients at RCPT TO time; if it accepts everything, every recipient will verify as valid. This is a known issue with Microsoft Exchange servers, see the chapter about #Catch-all.
File Verification
Lookup recipients in a file (uploaded to the FTP area), with one address per line, in the format:
recipient1@example.org
recipient2@example.org
recipient3@example.org
Custom scripts
A custom recipient flow script can implement the same check as File Verification, rejecting at RCPT TO any address that is not listed in the uploaded file:
// $recipient is the address given in RCPT TO; users.txt lists valid addresses one per line
if (!in_file($recipient, "file://users.txt")) {
    Reject("User Unknown");
}
More examples are available in the HSL Mail Recipient documentation.
Catch-all
Many mail servers are configured to accept mail for any address in their domains (such as xyz123@your-company.com, even if no such user exists). This behaviour is sometimes referred to as catch-all. It must be disabled, both so that SMTP Forwarding Verification gives meaningful answers and so that the license is not exceeded. Also make sure that the e-mail server does not "trust" the SPG/VSP: some servers accept any recipient from computers with internal addresses, which has the same effect. The user count is reset whenever the appliance is restarted.
Disabling catch-all in Exchange 2010 and Exchange 2007
Recipient filtering is part of Exchange's anti-spam functionality and therefore requires the anti-spam agents to be installed; if they are not, follow the guide [How to install Microsoft Anti Spam Agents on Exchange 2007] on microsoft.com. Once installed, disable all anti-spam agents except "Recipient filtering". This is important because the Exchange server should trust the VSP/SPG and must not reject (causing the VSP/SPG to bounce) any messages for anti-spam reasons.
Open the options for "Recipient filtering", choose "Block messages sent to recipients not in the global address list" and restart the Exchange server. Then restart the VSP/SPG appliance: no unknown users should be accepted any more and the recipient count should be reset to a sane value.
Disabling catch-all in Exchange 2003
Read this external [Guide].
Caching
If you have made major changes to the recipient verification process you may want to clear its internal cache (most recipient flow modules keep their results for 24 hours). This is done with the Mail Gateway → Settings → Clear cache button. The users counted against the license (Mail Gateway → Reporting → Statistics → Export Users) cannot be cleared without a reboot.