What we usually do in HAT is to turn the "envelope sender DNS verification" on.
IronPort will try to determine if the domain exists, and IronPort will do it through DNS queries on the domain in the sender.
It is not just about whether the domain exists or not.
What we'd like to achieve is to reject the messages if the domain exists but has an invalid MX record entry (such as an MX record that has 0, localhost, 127.0.0.1, or any number that is not valid for an MX record).
You could use a filter to check the bogusmx.rfc-ignorant.org zone and bounce the message if the envelope sender matches.
Unless I totally missed it in my search of the v4.7 documentation, AsyncOS only knows how to look up the IP address of the incoming SMTP client in DNSBLs. It doesn't know how to look up the domain name of the MAIL FROM address.
Personally, I wish they'd provide a way to implement these checks directly, rather than having to depend on an external DNSBL. It's not like AsyncOS can't figure it out on its own, since the rules are pretty deterministic. That said, being able to look up the MAIL FROM domain in a DNSBL could have other uses.
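The deterministic MX checks discussed in this thread (rejecting a sender domain whose only MX targets are 0, localhost, 127.0.0.1 or other non-hostnames), written out as an added example; this is not AsyncOS code or anything from the posters. It works over a constructed table of MX answers instead of live DNS, and the domain names are hypothetical.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed MX answers standing in for DNS lookups (hypothetical domains).
# Each value is a list of (preference, exchange) pairs; an empty list means
# the domain exists but has no MX records; a missing key means NXDOMAIN.
SAMPLE_MX: Dict[str, List[Tuple[int, str]]] = {
    "good.example": [(10, "mx1.good.example."), (20, "mx2.good.example.")],
    "nullmx.example": [(0, ".")],               # RFC 7505 null MX: accepts no mail
    "localmx.example": [(10, "localhost.")],
    "loopback.example": [(10, "127.0.0.1")],   # address literal, not a hostname
    "numeric.example": [(10, "0")],
    "nomx.example": [],
}

BOGUS_HOSTS = {"localhost", "localhost.localdomain"}
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one DNS label

def bogus_mx_reason(exchange: str) -> Optional[str]:
    """Return why an MX exchange target is bogus, or None if it looks usable."""
    host = exchange.rstrip(".").lower()
    if host == "":
        return "null MX (RFC 7505): domain accepts no mail"
    if host in BOGUS_HOSTS:
        return f"{host} is not a valid exchanger"
    try:
        ip = ipaddress.ip_address(host)  # RFC 5321: MX must name a host, not an address
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_loopback or ip.is_unspecified or ip.is_private or ip.is_reserved:
            return f"exchanger is a non-routable address {ip}"
        return f"exchanger is an IP literal {ip}, not a hostname"
    labels = host.split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        return f"{host} is not a syntactically valid hostname"
    if all(label.isdigit() for label in labels):
        return f"{host} is numeric, not a hostname"
    return None

def evaluate_sender_domain(domain: str, mx_table=SAMPLE_MX) -> Tuple[str, str]:
    """Decide what to do with an envelope sender domain based on its MX set."""
    records = mx_table.get(domain.lower())
    if records is None:
        return ("REJECT", "domain does not exist")
    if not records:
        return ("DEFER", "no MX records; implicit-MX A-record check not done here")
    bad = [r for r in (bogus_mx_reason(x) for _, x in records) if r]
    if len(bad) == len(records):  # every exchanger is bogus: nobody could reply
        return ("REJECT", "; ".join(bad))
    return ("ACCEPT", f"{len(records) - len(bad)} usable exchanger(s)")
```

A domain with at least one usable exchanger is accepted even if another MX entry is bogus, since mail can still be routed back to it.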