
Custom NDR messages from Appliance

Hi,

Is there any way to customize NDR messages which are going outside through the Sophos Email Appliance? Is anyone using that?

We don't want to stop the NDR messages which are being generated from the Exchange server.

Regards

Anu



  • Hi Anu,

    The best approach is to ensure that recipient validation is not set to "via downstream look ahead" in the appliance's SMTP options (set it to "via directory services"). This will ensure that you only accept valid mail, as Exchange will not reject a message / generate an NDR until the DATA command is completed.

    As for a custom NDR message, this would be done in Exchange, as it's Exchange that is bouncing the message.

    If you wish to make a policy to intercept, change or allow an NDR from Exchange, you may wish to make an outbound data control rule based on the message header Subject, or some other X-header your Exchange would generate. From there you could create a banner under the additional actions.

  • Hi,

    Thanks for your reply.

    If I change the SMTP options to check via directory services, then how will Sophos identify whether a user has a mailbox or not? By checking the email address field?

    Also, what are all the pre-requisites that have to be done before making this change?

    Regards

    Anu

  • Hi Anu,

    Step 1

    When you enable directory services, part of the initial config will be to set up an "AD query string". By default this string will pull down the primary email address; if you have additional or unique configurations you may need to adjust the query string.

    Step 2

    Under Accounts / User Groups, make sure "Select groups from directory services" is checked, and that at the bottom "Directory services alias maps" is enabled as well.

    Step 3

    Enable recipient validation under the SMTP options, set to "via directory services".

    Once this is properly configured, the appliance will query AD and pull down every email address it sees. It will then apply that list to Postfix; that way, when mail is being scanned, invalid mail will be automatically rejected if Postfix does not have a record for the address. Thus the appliance will generate the NDR immediately and not pass the message downstream to Exchange. This will help prevent the case where a spammer gets a bunch of invalid email past the appliance, Exchange generates thousands of NDRs, and the appliance spends the next 5 days trying to deliver a bunch of invalid email.

    The other thing this does is ensure that none of those invalid messages are scanned, hence freeing up resources for the appliance to scan legitimate email.

    A few links for you.

    social.technet.microsoft.com/.../5392.active-directory-ldap-syntax-filters.aspx
    technet.microsoft.com/.../adexplorer.aspx
    https://blogs.technet.microsoft.com/dubaisec/2016/02/01/who-can-add-workstation-to-the-domain/

    The first one contains sample query strings and some components.

    The second one is an LDAP drilling tool that will let you drill down and produce a query string based on the result.

    The third one goes over the requirements for the AD account. In short, the appliance will need to touch a new object (itself) in the domain; the test is used to complete the last step of joining.
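The mechanism the reply above describes, as an added illustration that is not part of the thread and not the Sophos Email Appliance's own code: a directory lookup produces the set of deliverable addresses (primary mail plus SMTP aliases, the "alias maps"), and each RCPT TO is accepted or refused against that set before DATA, so invalid recipients are never accepted and later bounced. The LDAP filter, the directory entries, the local domain and the SMTP reply texts are all constructed for this example and are not the appliance's defaults.

```python
"""Constructed demonstration of directory-backed recipient validation in front
of a mail server. Not the Sophos Email Appliance's own code; the LDAP entries,
query filter, domain and SMTP dialogue are made up for illustration."""
import re

# Constructed LDAP query filter of the kind step 1 refers to (an assumption,
# not the appliance's default string): user objects that carry a mail attribute.
AD_QUERY_FILTER = "(&(objectClass=user)(mail=*))"

# Constructed directory entries standing in for what an AD query would return.
# 'mail' is the primary address; 'proxyAddresses' carries aliases (the alias
# maps the reply mentions) in Exchange's 'smtp:' / 'SMTP:' notation.
DIRECTORY_ENTRIES = [
    {"mail": "anu@example.com",
     "proxyAddresses": ["SMTP:anu@example.com", "smtp:a.nair@example.com"]},
    {"mail": "helpdesk@example.com",
     "proxyAddresses": ["SMTP:helpdesk@example.com", "smtp:support@example.com",
                        "X400:c=US;a= ;p=Example;o=Exchange;s=helpdesk"]},
]

# Constructed local domain the appliance accepts mail for.
LOCAL_DOMAINS = {"example.com"}


def build_recipient_map(entries):
    """Flatten directory entries into the set of deliverable addresses,
    the equivalent of the list the reply says is handed to Postfix."""
    valid = set()
    for entry in entries:
        valid.add(entry["mail"].lower())
        for proxy in entry.get("proxyAddresses", []):
            scheme, _, addr = proxy.partition(":")
            if scheme.lower() == "smtp":  # ignore X400 and other non-SMTP proxies
                valid.add(addr.lower())
    return valid


def rcpt_decision(recipient, recipient_map, local_domains=LOCAL_DOMAINS):
    """Return the SMTP reply for one RCPT TO, evaluated before DATA.
    Unknown local recipients get a 550, so the gateway never accepts mail
    it would only be able to bounce later (backscatter)."""
    recipient = recipient.strip().lower()
    if not re.fullmatch(r"[^@\s<>]+@[^@\s<>]+", recipient):
        return (501, "5.1.3 Bad recipient address syntax")
    domain = recipient.rsplit("@", 1)[1]
    if domain not in local_domains:
        return (554, "5.7.1 Relay access denied")
    if recipient not in recipient_map:
        return (550, "5.1.1 Recipient address rejected: User unknown")
    return (250, "2.1.5 Ok")


def simulate_session(recipients, recipient_map):
    """Run a constructed inbound session and report which recipients were
    accepted; DATA is only reached if at least one RCPT succeeded."""
    accepted = []
    transcript = []
    for rcpt in recipients:
        code, text = rcpt_decision(rcpt, recipient_map)
        transcript.append(f"C: RCPT TO:<{rcpt}>")
        transcript.append(f"S: {code} {text}")
        if code == 250:
            accepted.append(rcpt.lower())
    transcript.append("C: DATA" if accepted else "C: QUIT")
    return accepted, transcript


if __name__ == "__main__":
    rmap = build_recipient_map(DIRECTORY_ENTRIES)
    # Constructed batch: one real alias and two addresses the directory lacks.
    batch = ["support@example.com", "sales@example.com", "admin@example.com"]
    accepted, lines = simulate_session(batch, rmap)
    print("\n".join(lines))
    print("accepted:", accepted)
```

With "via downstream look ahead" the equivalent decision would be deferred to Exchange, which (as the reply notes) only rejects after DATA, so the message would already have been accepted and scanned by the gateway before the bounce is generated; the set-based check here is the point of handing the directory list to Postfix.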