Introduction
This document describes how to alter the entry in the Host Access Table (HAT) or add an IP address so that mail from a domain you added to the ACCEPTLIST sender group is processed in that sender group.
I have added the domain 'example.com' to the ACCEPTLIST sender group. Why is it not working?
On the Cisco Email Security Appliance (ESA), you may have added the domain example.com to your ACCEPTLIST sender group, yet when you receive mail from example.com, the message is not processed in this sender group.
Merely adding a domain name to the HAT will not work, as the HAT matches hostnames and IP addresses and not sender domain names. Remember, you are configuring a HOST Access Table, not a DOMAIN access table.
Check the ESA's mail logs to confirm that the sender connects from a hostname that ends with the domain example.com. If so, alter your entry in the HAT from 'example.com' to '.example.com', using the leading "." delimiter in the domain.
This entry will then match all hostnames whose DNS PTR record ends with example.com.
For instance, it will match mx0.example.com as well as cluster1.mx1.example.com.
The system acquires and verifies the validity of the remote host's IP address by performing a double DNS lookup. This verification consists of a reverse DNS (PTR) lookup on the connecting host's IP address, followed by a forward DNS (A) lookup on the PTR lookup results. The system then checks that the results of the A lookup match the results of the PTR lookup. If the results do not match, or an A record does not exist, the system only uses the IP address to check the HAT entries.
If the hostname does not end with example.com, you can add the IP address directly to the HAT. You can find the IP address of the connecting mail server in the mail logs as well.
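The matching behaviour described above, modeled as an added example (not Cisco's code and not from the original document). The DNS answers are constructed inline, the names `verified_hostname`, `entry_matches` and `hat_match` are hypothetical, and two points are assumptions of this model: the A check passes when the answer contains the connecting IP, and a bare name such as 'example.com' is compared as an exact hostname.

```python
import ipaddress

# Constructed DNS data standing in for real resolvers (documentation ranges).
PTR = {
    "192.0.2.10": "mx0.example.com",
    "192.0.2.20": "cluster1.mx1.example.com",
    "198.51.100.5": "mail.example.com",     # PTR claims example.com ...
}
A = {
    "mx0.example.com": ["192.0.2.10"],
    "cluster1.mx1.example.com": ["192.0.2.20"],
    "mail.example.com": ["198.51.100.99"],  # ... but the A record points elsewhere
}

def verified_hostname(ip):
    """Double DNS lookup: PTR on the IP, then A on the PTR result.
    Assumption: the check passes when the A answer contains the connecting IP."""
    host = PTR.get(ip)
    if host and ip in A.get(host, []):
        return host.lower().rstrip(".")
    return None  # mismatch or missing record: only the IP can be matched

def entry_matches(entry, ip, host):
    entry = entry.lower()
    if entry.startswith("."):  # '.example.com': any hostname under the domain
        return host is not None and host.endswith(entry)
    try:  # single IP address or CIDR block
        return ipaddress.ip_address(ip) in ipaddress.ip_network(entry, strict=False)
    except ValueError:  # assumption: a bare name is an exact hostname match
        return host == entry

def hat_match(entries, ip):
    """Return the first sender-group entry matching the connection, or None."""
    host = verified_hostname(ip)
    return next((e for e in entries if entry_matches(e, ip, host)), None)

if __name__ == "__main__":
    for ip in PTR:
        print(ip, verified_hostname(ip),
              hat_match(["example.com"], ip),
              hat_match([".example.com", "198.51.100.5"], ip))
```

The third constructed host shows why a PTR name alone is not enough: its forward lookup does not confirm it, so only the IP entry can match.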