How can I verify that my TCPREFUSE or REJECT access rule is working?

How can I verify that my TCPREFUSE or REJECT access rule is working?

Environment: Cisco Email Security Appliance (ESA), all versions of AsyncOS

TCPREFUSE and REJECT are the two connection behaviors that are normally associated with the BLOCKED Mail Flow Policy. These access rules allow you to choose whether to block messages from a remote host with a notification (hard bounce) or to simply drop the connection. See What is the difference between REJECT and TCPREFUSE?

If you would like to determine whether a remote host is being dropped due to TCPREFUSE or REJECT, you can view entries in the mail logs. Mail logs will only contain entries for TCPREFUSE if verbose connection logging is enabled. Additionally you can use a protocol analyzer, such as tcpdump, to monitor the conversations at the packet level. When using a protocol analyzer, you will notice different conversations for TCPREFUSE vs REJECT.

The TCP connection flow between the ESA and the remote Message Transfer Agent (MTA) for the Reject connection is like this:

                          SYN
 Remote MTA -----------> ESA
                       SYN, ACK
 ESA -----------> Remote MTA
                          ACK
 Remote MTA -----------> ESA
                       5XX Code
 ESA -----------> Remote MTA
                        FIN, ACK
 ESA -----------> Remote MTA
                           ACK
 Remote MTA -----------> ESA
                       FIN, ACK
 Remote MTA -----------> ESA
                           ACK
 ESA -----------> Remote MTA

The TCP connection flow between the ESA and the remote MTA for the TCP Refuse connection is like this:

                           SYN
 Remote MTA -----------> ESA
                        SYN, ACK
 ESA -----------> Remote MTA
                             ACK
 Remote MTA -----------> ESA
                         RST, ACK
 ESA -----------> Remote MTA