One of the key requirements of BATV would be that all in- and outbound e-mails pass the IronPort systems. We have, however, some e-mail domains that are hosted at a different entity and internally routed to us.
For these domains, customers send their outbound mail over our infrastructure (e-mails would leave the infrastructure with the variable prvs= string prepended to the address), but inbound e-mails and therefore (in)valid bounces (DSN/NDR) would be delivered to the other entity, which in case of an invalid bounce, doesn't know the recipient (with the prepended prvs= string) and would refuse the e-mails, while invalid bounces would still be accepted -- Confusing, right! ;)
Is there a way to exclude these specific domains from the BATV?
Another question. If you have separated your in- and outbound systems, would BATV still work and make sense? Does the "bookkeeping" of the variable prepended prvs= strings take place on the Mailflowcentral?
For your first question, about excluding specific domains from BATV, see if this Support Portal KB article can help.
How to exempt Bounce Verification for one or more internal mail servers?
To exempt Bounce Verification for one or more domains in the internal network that relay through the IronPort Appliance, proceed with the following steps:
I. Set up a new public listener. The IP address of this listener would be the same as the private listeners, however it would listen on a different port, say 2525. From GUI:
1. Click on Network tab and select Listeners
2. Click on Add Listener button
3. On the Add Listener page, add the name of the listener
4. Select Private for the Type of Listener
5. Select the same interface as the other listeners, but use port 2525 for this listener
II. Remove all of the SenderGroups on this listener except the WHITELIST. Add the IP addresses of the internal mail servers that send email for this special domain that they need exceptions for. The connection behavior for the mail flow policy associated with the ALL SenderGroup would be set to REJECT. From GUI:
1. Click on Mail Policies tab and select HAT Overview
2. Select New Listener under Overview for Listener pull down menu
3. Click on Delete icon for all the SenderGroups except WHITELIST SenderGroup
4. Click on WHITELIST and click on Add Sender button
5. Add the IP address(es) of the internal mail servers that send email for this special domain that they need exceptions for.
6. On HAT Overview page, click on ALL SenderGroup and select REJECT mail flow policy.
III. RAT on the new listener would be set to "ALL -> ACCEPT". From GUI:
1. Click on Mail Policies tab and select Recipient Access Table (RAT)
2. Select New Listener under Overview for Listener pull down menu
3. Click on ALL SenderGroup
4. On Edit Recipient Access Table page, select the Action as Accept
5. Click on Submit
IV. The "Smart exceptions to tagging" settings in bounce verification would be ENABLED (it was already enabled so we did not have to make a change). This prevents emails matching the accept connection behavior from being BV tagged. From GUI:
1. Click on Mail Policies and select Bounce Verification
2. Click on Edit Settings button
3. Make sure that Smart exceptions to tagging is set to enabled
4. Click on Commit Changes
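The sketch below is an added example, not part of the thread or of Cisco's KB article. It shows why a domain whose bounces are delivered to another entity has to be exempt from tagging. It follows the prvs= tag layout of the BATV Internet-Draft (key digit, three-digit expiry day, six hex characters of an HMAC-SHA1), which may differ from the tag IronPort generates; the key, the exempt domain and the function names are assumptions.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"                  # constructed secret for the demo
EXEMPT_DOMAINS = {"hosted-elsewhere.example"}  # hypothetical: inbound MX is another entity
LIFETIME_DAYS = 7                              # assumed tag lifetime


def _sig(key_num, day, addr):
    """First three bytes (six hex chars) of HMAC-SHA1 over K, DDD and the address."""
    msg = f"{key_num}{day:03d}{addr}".encode()
    return hmac.new(KEY, msg, hashlib.sha1).hexdigest()[:6]


def tag_sender(addr, today):
    """Envelope sender to use outbound; `today` is the number of days since 1970."""
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in EXEMPT_DOMAINS:
        # Bounces for this domain never return through the tagging system,
        # so the receiving side would not recognise a prvs= recipient.
        return addr
    day = (today + LIFETIME_DAYS) % 1000
    return f"prvs=0{day:03d}{_sig(0, day, addr)}={addr}"


def verify_bounce(rcpt, today):
    """Original address if the bounce recipient carries a valid tag, else None."""
    if not rcpt.lower().startswith("prvs="):
        return None                            # untagged bounce
    tag, sep, addr = rcpt[5:].partition("=")
    if not sep or len(tag) != 10 or not (tag.isascii() and tag[:4].isdigit()):
        return None                            # malformed tag
    key_num, day = int(tag[0]), int(tag[1:4])
    if (day - today) % 1000 > LIFETIME_DAYS:
        return None                            # tag has expired
    if not hmac.compare_digest(tag[4:], _sig(key_num, day, addr)):
        return None                            # signature mismatch (forged)
    return addr
```
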