Looking for best practices regarding junk destination domains
By doing regular tophosts on our outgoing appliances, I usually find many junk destination domains: that can be internal non-routable domains (typically mail sent from applications), misspelled domains, external non-routable domains, ...
I was thinking of adding a specific mail policy for such domains, but before doing that I wondered if you guys have something more clever to advise!
Most junk domains are related to mail from hosts that have Relay access or bounces generated on-box for domains that do not exist. We can prevent some of these by changing what is accepted into the ESA in the first place via Sender Verification.
Sender Verification rejects mail from any Envelope Sender address which does not exist in DNS based on an MX and A record lookup. This is applied on each Mail Flow Policy. You can do all Policies to affect mail in both directions, or take the more cautious approach of only enforcing this on non-Relay and less trusted Sender Groups. Mail Flow Policies are accessed from the Mail Policies tab.
Relay to invalid Recipients is a bit trickier. Since these tend to be less common, I'd suggest allowing Sender Verification to be enabled for some time (at least 4-7 days) so those situations are cleared from the system's Delivery Status output. This should shorten the list of domains that cannot be delivered to considerably - and most remaining will relate to Relayed mail.
You would then use Tracking or the mail_logs to get details about specific messages to specific domains. Based on your findings, you can take corrective actions. Some possible situations:
- If an internal host is sending automated emails to or from a non-existent domain: I'd recommend approaching the admin of the tool that creates that email so they can correct the tool.
- If inbound mail is accepted for an invalid domain: You will want to check the RAT to make sure only valid domains are listed. Any entry in the format of .domain.com is a wildcard that allows mail to be accepted for email@example.com - you may want to replace wildcard entries with exact domains that are verified to exist internally.
- If a specific domain is often typoed by users: You can use Destination Controls to refer to a Bounce Profile with a shorter Max Queue Age. This lets the mail bounce much earlier than normal emails so the user becomes aware in a timely manner and the Delivery Status stays cleaner.
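As an added example (not code from the thread or from Cisco), a small Python triage script that sorts the destination domains from a tophosts run into the buckets the answer above describes: internal non-routable names, domains a RAT wildcard entry would accept, and likely typos of known domains (edit distance of 2 or less). The known-good domains, RAT entries and sample domain list are constructed, and the wildcard semantics (`.example.org` accepting any subdomain) are assumed from the answer's description.

```python
# Added example: triage destination domains from an ESA tophosts run.
# KNOWN_DOMAINS, RAT_ENTRIES and SAMPLE_TOPHOSTS are constructed inputs.

KNOWN_DOMAINS = ["example.com", "example.org", "partner-mail.net"]
# RAT entries: a leading dot is a wildcard (assumed here to match any subdomain).
RAT_ENTRIES = ["example.com", ".example.org"]
# Suffixes that are never routable on the public Internet.
NON_ROUTABLE_SUFFIXES = (".local", ".lan", ".internal", ".corp", ".localdomain")
SAMPLE_TOPHOSTS = ["example.com", "exmaple.com", "app01.corp", "mail.example.org",
                   "partner-mial.net", "localhost", "unrelated-domain.test"]


def edit_distance(a, b):
    """Levenshtein distance, used to spot typos of known domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rat_accepts(domain, rat_entries=RAT_ENTRIES):
    """Would the Recipient Access Table accept mail for this domain?"""
    for entry in rat_entries:
        entry = entry.lower()
        if entry.startswith("."):
            if domain.endswith(entry):      # wildcard entry: any subdomain
                return True
        elif domain == entry:               # exact entry
            return True
    return False


def classify(domain, known=KNOWN_DOMAINS, rat=RAT_ENTRIES):
    """Bucket one destination domain; buckets mirror the answer's bullets."""
    d = domain.lower().rstrip(".")
    if d in known:
        return "ok"
    if "." not in d or d.endswith(NON_ROUTABLE_SUFFIXES):
        return "internal-non-routable"        # fix the sending application
    if rat_accepts(d, rat):
        return "rat-wildcard-accepted"        # tighten the RAT entry
    for k in known:
        if edit_distance(d, k) <= 2:
            return "likely-typo-of:" + k      # Destination Controls, short Max Queue Age
    return "unknown-external"                 # look it up in Tracking / mail_logs


def triage(domains=SAMPLE_TOPHOSTS):
    """Map each observed destination domain to its bucket."""
    return {d: classify(d) for d in domains}
```

Call `triage()` with the domain list exported from your own tophosts output and your real RAT entries in place of the constructed ones.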