Email Security - ESA Email Pipeline Overview

In this post I want to cover the ESA Email pipeline. The email pipeline represents how emails are processed through the system from start to finish. The pipeline consists of 3 main phases:

  1. Receipt: SMTP Server - receives SMTP connection from remote client

  2. Work Queue: Essentially determines what to do with the messages & processes incoming/outgoing mail

  3. Delivery: SMTP Client - start SMTP client conversation to deliver/drop/bounce message

For the first phase of the email pipeline the SMTP Server can have unique settings configured per listener. The Host Access Table (HAT) is one of the main components in phase 1 that spcifically states hosts that are allowed to connect to a listener (AKA - hosts allowed to send email).


Other main components in this phase consist of Sender Groups & Mail Flow Policies. The groups allow us to associate one or more senders into a group, which then allow us to configure filters & mail flow policies on the respective group. Mail Flow Policies let us express a group of HAT parameters. Parameters consist of access rules, rate limits, custom SMTP codes/responses). Both Sender Groups & Mail Flow Policies are defined in a configured listener's HAT.


Lastly, for phase 1 there are other components that are used for incoming SMTP connections. An overview of each:

  • Received Header: ability to include/not include Reciever:header to all messages received via given listener

  • Default Domain: ability to configure a listener to automatically append a default domain to sender addresses that do not contain fqdn

  • Bounce Verification: all outgoing mail is tagged with a key; if mail is sent back as a bounce, the ESA recognizes the tag and mail is delivered

  • Domain Map: ability to construct a domain map table which performs rewrites on the envelope recipient

  • Recipient Access Table (RAT): ability to specify a list of all local domains for which the ESA accepts mail

  • Alias Tables: ability to redirect messages to one or more recipients

  • LDAP Recipient Acceptance: ability to rely on LDAP infrastructure to define how the recipient email address of incoming messages should be handled

  • SMTP Call-Ahead Recipient Validation: ability to suspend & verify the recipient before further processing

The second phase of the email pipeline is known as the Work Queue. This is where the received message is processed before moving to the delivery phase. High level overview of Work Queue processing consists of masquerading, routing, filtering, anti-span/av scanning, file reputation scanning and analysis, outbreak filters, and quarantining. The components for phase 2 are as follows:

  • LDAP Recipient Acceptance: ability to rely on LDAP infrastructure to define how the recipient email address of incoming messages should be handled

  • Masquerading or LDAP Masquerading: ability to rewrite the envelope sender

  • LDAP Routing: ability to configure appliance to route messages to appropriate address via LDAP

  • Message Filters: ability to configure special rules describing how to handle messages and attachments as messages are received

  • Filter actions allow messages to be dropped,

  • bounced, archived, quarantined, blind carbon copied, or altered.

  • Anti-Spam Scanning: ability to deter spam attacks

  • AV Scanning: ability to scan messages/attachments via integrated AV engines

  • Safelist Scanning: ability to create list of blocks that the ESA scans against during work queue processing

Scanning Actions:

-attempt to repair the attachment

-drop the attachment

-modify the subject header

-add an additional X- header

-send the message to a different address or mailhost

-archive the message

-delete the message

  • Graymail Detection/Unsubscribing: ability to configure appliance to detect graymail and safely unsubscribe on behalf of end user

  • File Reputation Scanning & File Analysis: ability to configure ESA to scan message attachments for emerging and targeted threats

  • Content Filters: ability to create filters that are to be applied to messages on a per-recipient or per-sender basis

  • Outbreak Filters: ability to act proactively against new outbreaks; see tidbit here:<>

Lastly, these Work Queue features can send messages into a quarantined state:

  • Spam Filters

  • Messages Filters

  • Anti-Virus

  • Outbreak Filters

  • Content Filters

  • File Analysis

The final phase of the email pipeline consists of email processing for delivery. This phase has several components that consists of:

  • Virtual Gateways: ability to separate the ESA appliance into multiple virtual appliances

  • Encryption:

  • DKIM Signing:

  • Delivery Limits: ability to set limits on delivery & concurrent connections

  • Domain-based Limits: ability to configure max connections for each domain

  • Domain-based Routing: ability to redirect messages for a particular domain to specific MX host, without rewriting the envelope recipient

  • Global Unsubscribe: ability to verify all recipient addresses against a list of users/domains/email addresses/IP Addresses

  • Bounce Limits: ability to handle hard/soft bounces on each respective listener

That wraps up this post on the ESA Email Pipeline. See more via the <esa> tag, Cheers!


0 comments

Recent Posts

See All

"The What?" - In this blog I want to share some valuable Digital Network Architecture Center (DNAC) tips & tricks that I have collected that are quite useful when needing to troubleshoot/perform some

I recently started pursuing email security studies. Other posts have mentioned this, and a recent post shared a deeper look at SPF. In this blog I want to cover DKIM & DMARC. Starting with DKIM, it

In the post I want to breakdown & cover SPF in more detail. Especially as I continue to embark on the email security journey/track. before beginning, here is another brief overview of what SPF entai