Introduction
This document describes what a mail flow policy is on the Email Security Appliance (ESA), and the actions that are associated with a mail flow policy.
What is a mail flow policy?
A mail flow policy allows you to control or limit the flow of email messages from a sender to the listener during the SMTP conversation. You control SMTP conversations by defining the following types of parameters in the mail flow policy:
- Connection parameters, such as maximum number of messages per connection.
- Rate limiting parameters, such as maximum number of recipients per hour.
- Custom SMTP codes and responses communicated during the SMTP conversation.
- Enable spam detection.
- Enable virus protection.
- Encryption, such as using TLS to encrypt the SMTP connection.
- Authentication parameters, such as using DKIM to verify incoming mail.
Mail flow policies perform one of the following actions on connections from remote hosts:
- ACCEPT. Connection is accepted, and email acceptance is then further restricted by listener settings, including the Recipient Access Table (RAT) (for public listeners).
- REJECT. Connection is initially accepted, but the client attempting to connect gets a 4XX or 5XX SMTP status code. No email is accepted.
Note: You can also configure AsyncOS to perform this rejection at the message recipient level (RCPT TO), rather than at the start of the SMTP conversation. Rejecting messages in this way delays the message rejection and bounces the message, allowing AsyncOS to retain more detailed information about the rejected messages. This setting is configured from the CLI listenerconfig > setup command.
- TCPREFUSE. Connection is refused at the TCP level.
- RELAY. Connection is accepted. Receiving for any recipient is allowed and is not constrained by the RAT.
- CONTINUE. The mapping in the Host Access Table (HAT) is ignored, and processing of the HAT continues. If the incoming connection matches a later entry that is not CONTINUE, that entry is used instead. The CONTINUE rule is used to facilitate the editing of the HAT in the GUI.
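The action list above, modelled as an added Python example (not Cisco code and not the appliance's own data format), shows how a CONTINUE row is skipped until a later matching row decides, and where each action ends the conversation. The (network, action) rows, the RAT reduced to a set of accepted domains, and the catch-all row are assumptions made for illustration.

```python
import ipaddress

TERMINAL = {"ACCEPT", "REJECT", "TCPREFUSE", "RELAY"}  # CONTINUE never ends a lookup

# Constructed sample data: (sender network, action) rows in HAT order.
SAMPLE_HAT = [
    ("203.0.113.0/24", "TCPREFUSE"),
    ("198.51.100.0/24", "CONTINUE"),  # row ignored, scan goes on
    ("198.51.100.7/32", "REJECT"),
    ("192.0.2.0/24", "RELAY"),
    ("0.0.0.0/0", "ACCEPT"),          # assumed catch-all row
]
SAMPLE_RAT = {"example.com"}          # assumed: RAT reduced to accepted domains


def hat_action(hat, client_ip):
    """Return the first non-CONTINUE action whose network contains client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for cidr, action in hat:
        if ip not in ipaddress.ip_network(cidr):
            continue
        if action == "CONTINUE":
            continue  # mapping ignored; a later matching row decides
        if action not in TERMINAL:
            raise ValueError(f"unknown action {action!r}")
        return action
    return None  # no row matched (the sample HAT avoids this with a catch-all)


def connection_outcome(hat, rat_domains, client_ip, rcpt):
    """Describe what the remote host sees for one recipient on a public listener."""
    action = hat_action(hat, client_ip)
    if action == "TCPREFUSE":
        return "refused at TCP level"
    if action == "REJECT":
        return "connected, 4XX/5XX returned, no mail accepted"
    if action == "RELAY":
        return "recipient accepted, RAT not consulted"
    if action == "ACCEPT":
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in rat_domains:
            return "recipient accepted by RAT"
        return "recipient refused by RAT"
    return "no HAT row matched"


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.7", "198.51.100.20", "192.0.2.10"):
        print(ip, "->", connection_outcome(SAMPLE_HAT, SAMPLE_RAT, ip, "user@elsewhere.test"))
```

Because 192.0.2.0/24 maps to RELAY in the sample, any recipient is accepted from that range, which is why RELAY rows deserve the narrowest sender networks when a HAT is reviewed.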
Keep in mind that mail flow policies sit at the beginning of the email pipeline, so these parameters are applied as remote hosts attempt to establish connections with the ESA.
Mail flow policies differ from Incoming and Outgoing Mail Policies, which define anti-spam, anti-virus, virus outbreak, and content filter parameters to be applied to mail received from or destined for specified domains, groups of email addresses or specific email addresses.
The default mail flow policies can be modified and new mail flow policies can be defined.
There are four default mail flow policies defined on public listeners:
- ACCEPTED
- BLOCKED
- THROTTLED
- TRUSTED
Private listeners use the following mail flow policies: