Introduction
This document describes how to configure and use the new UTF-8 International Domain Name (IDN) feature added to Secure Email Gateway (ESA) and Secure Email Cloud Gateway (CES) in the 14.x code.
Contributed by Anvitha Prabhu and Libin Varghese, Cisco TAC Engineers.
Requirements
Cisco recommends that you have knowledge of these topics:
ESA concepts and configuration
Components Used
The information in this document is based on AsyncOS for ESA 14.0 and later.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Languages supported in 14.x for IDN Support
Indian Regional languages
Hindi, Tamil, Telugu, Kannada, Marathi, Punjabi, Malayalam, Bengali, Gujarati, Urdu, Assamese, Nepali, Bangla, Bodo, Dogri, Kashmiri, Konkani, Maithili, Manipuri, Oriya, Sanskrit, Santali, Sindhi, Tulu.
European/Asian languages
French, Russian, Japanese, German, Ukrainian, Korean, Spanish, Italian, Chinese, Dutch, Thai, Arabic, Kazakh
IDN Supported Formats
- Full IDN domain: अनअन्विता@जीमेल.कोम, ಅನ್ವಿತಾ@ಯಾಹೂ.ಜೊತೆ
- Partial IDN domain: .कोम, ಯಾಹೂ.ಜೊತೆ
- ASCII/IDN combination: test@जीमेल.कोम
Where is IDN Supported?
SMTP Routes
Navigate to Network -> SMTP Routes -> Add Route -> Add the IDN domain -> Submit -> Commit
DNS Domains
You can add or edit IDN domains in the DNS server settings.
Navigate to Network -> DNS -> Edit Settings -> Add the IDN domain under "Alternate DNS server overrides"
NOTE:
• Public IDN domains are resolved by the public Internet (root) DNS servers.
• Local IDN domains: on the local DNS server, create zone files whose records use the punycode equivalent of the IDN domain (for example, xn--2scrj9c.xn--2scrj9c.) so that local IDN domain names resolve.
Listener - RAT/HAT
IDN support is available in:
- Inbound/Outbound Listeners -> Add/Edit IDN domains in the Default Domain
- HAT/RAT -> Add/Edit IDN domains in the HAT/RAT
- Import/Export of HAT/RAT tables that contain IDNs
To configure the Recipient Access Table (RAT) with IDN, navigate to Mail Policies -> Recipient Access Table (RAT) -> Add Recipient -> Add the IDN domain -> Submit -> Commit
To configure Host Access Table (HAT) sender Groups with IDN domains, navigate to Mail policies -> HAT Overview -> Add new Sender group -> Submit and add senders with IDN hostname -> Submit -> Commit
NOTE: You can follow the same process to edit any sender group and add the IDN Domains.
Incoming/Outgoing Mail Policies - Senders/Recipients
To configure Incoming Mail Policies to handle IDN, navigate to Mail Policies -> Add Policy -> Provide the policy name -> Add Users
You can use IDN domains for both the sender and the recipient, or any combination of the two -> Submit -> Commit
NOTE: You can follow the same process for Outgoing Mail Policies.
Exception table
To add IDN domain names to Exception Table, navigate to
Mail Policy -> Exception Table -> Add Sender Verification Exception -> Add the IDN Domains -> Submit -> Commit
Address Lists
To add IDN domain names to Address List, navigate to
Mail Policy -> Address List -> Add address List -> Enter the IDN domains in the box -> Submit -> Commit
Destination Controls
To add IDN domain names to destination control, navigate to
Mail Policies -> Destination Controls -> Add Destination -> You can add the IDN Domain name -> Submit -> Commit
Bounce Profiles
Recipient for Bounce and Warning Messages can be configured with IDN Domain name under Bounce Profiles.
Navigate to Network -> Bounce Profiles -> Add Bounce Profile -> Enter a name -> Configure the values for the bounce profile -> Under Recipient for Bounce and Warning Messages, select Alternate address and enter an address with an IDN domain.
LDAP
You can now have the LDAP accept/group queries with IDN Domain names as shown in the image.
Local Spam Quarantine
The Local Spam Quarantine displays IDN domain names in the user email address, domain, and subject fields.
NOTE: Local PVO Quarantine shows similar behavior as spam quarantine.
Verification and Troubleshooting
1) The reports on ESA and SMA (Secure Email and Web Manager) now support IDN. Usernames, domains, and email addresses appear in IDN format on the reports.
Navigate to Monitor -> Internal Users
2) In Message Tracking you can see the IDN domain name and also filter by IDN domains, usernames, and email addresses.
3) Use the CLI command grep or tail on "mail_logs"; the IDN domains appear in the log entries in their Unicode form:
Mon Feb 8 21:47:11 2021 Info: Start MID 23569633 ICID 148853
Mon Feb 8 21:47:11 2021 Info: MID 23569633 ICID 148853 From: <टॉम@जीमेल.कोम>
Mon Feb 8 21:47:19 2021 Info: MID 23569633 ICID 148853 RID 0 To: <test@lab.com>
Mon Feb 8 21:47:52 2021 Info: MID 23569633 Subject 'Please read as this is very आशा for both the countries.'
Mon Feb 8 21:47:52 2021 Info: MID 23569633 SDR: Domains for which SDR is requested: reverse DNS host: sample.host.com, helo: lab.com, env-from: जीमेल.कोम, header-from: Not Present, reply-to: Not Present
Mon Feb 8 21:47:53 2021 Info: MID 23569633 SDR: Consolidated Sender Reputation: Tainted, Threat Category: N/A, Suspected Domain(s) : lab.com. Youngest Domain Age: 3 months 29 days for domain: lab.com
Mon Feb 8 21:47:53 2021 Info: MID 23569633 SDR: Tracker Header : 87dSxFfNYdSiOahrxSUZFOrdpenKiF6J2uKiPf+SFKCtj52hNCpe6LDQ8UFAliGnUDA7FsuXLvHTcaATt6AKG4PWLpwEeo/dcIPBUOdxB48=
Mon Feb 8 21:47:53 2021 Info: MID 23569633 ready 605 bytes from <टॉम@जीमेल.कोम>
Mon Feb 8 21:47:53 2021 Info: MID 23569633 matched all recipients for per-recipient policy DEFAULT in the inbound table
Mon Feb 8 21:47:53 2021 Info: MID 23569633 interim verdict using engine: CASE spam positive
Mon Feb 8 21:47:53 2021 Info: MID 23569633 using engine: CASE spam positive
Mon Feb 8 21:47:53 2021 Info: ISQ: Tagging MID 23569633 for quarantine
Mon Feb 8 21:47:53 2021 Info: MID 23569633 interim AV verdict using McAfee CLEAN
Mon Feb 8 21:47:53 2021 Info: MID 23569633 interim AV verdict using Sophos CLEAN
Mon Feb 8 21:47:53 2021 Info: MID 23569633 antivirus negative
Mon Feb 8 21:47:53 2021 Info: MID 23569633 AMP file reputation verdict : SKIPPED (no attachment in message)
Mon Feb 8 21:47:53 2021 Info: MID 23569633 using engine: GRAYMAIL negative
Mon Feb 8 21:47:53 2021 Info: MID 23569633 Custom Log Entry: SDR Age is less than 1 Year
Mon Feb 8 21:47:53 2021 Info: MID 23569633 Outbreak Filters: verdict negative
Mon Feb 8 21:47:53 2021 Info: MID 23569633 Message-ID '<d35764$mf971@esa1.lab.com>'
Mon Feb 8 21:47:53 2021 Info: MID 23569633 queued for delivery
Mon Feb 8 21:47:53 2021 Info: New SMTP DCID 250225 interface 10.0.202.17 address 10.0.201.5 port 6025
Mon Feb 8 21:47:53 2021 Info: DCID 250225 STARTTLS command not supported
Mon Feb 8 21:47:53 2021 Info: Delivery start DCID 250225 MID 23569633 to RID [0] to offbox IronPort Spam Quarantine
Mon Feb 8 21:47:53 2021 Info: Message done DCID 250225 MID 23569633 to RID [0] (external quarantine)
Mon Feb 8 21:47:53 2021 Info: MID 23569633 RID [0] Response 'ok: Message 27293054 accepted'
Mon Feb 8 21:47:53 2021 Info: Message finished MID 23569633 done
Mon Feb 8 21:47:58 2021 Info: DCID 250225 close
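The note above about punycode zone files and the mail_logs excerpt (which shows IDN addresses in Unicode rather than xn-- form) both rely on the same conversion. The following Python is an added example, not part of the Cisco document or of AsyncOS: it uses Python's built-in idna codec, and the sample log line, the mail host name and the 192.0.2.10 address are constructed for illustration.

```python
import re
import unicodedata
from typing import List, Optional

# Constructed log line in the style of the mail_logs excerpt in the document.
SAMPLE_LOG = ("Mon Feb 8 21:47:11 2021 Info: MID 23569633 ICID 148853 "
              "From: <टॉम@जीमेल.कोम>")
FROM_RE = re.compile(r"From: <([^>]+)>")


def to_alabel(domain: str) -> str:
    """Return the punycode (ASCII, xn--) form of a domain.

    The built-in idna codec works label by label: ASCII labels pass through
    unchanged, non-ASCII labels get the xn-- prefix, and a trailing dot
    (zone-file style) is preserved, so mixed ASCII/IDN names work too.
    """
    return domain.encode("idna").decode("ascii")


def to_ulabel(domain: str) -> str:
    """Inverse of to_alabel: decode xn-- labels back to Unicode."""
    return domain.encode("ascii").decode("idna")


def roundtrips(domain: str) -> bool:
    """True when decoding the A-label gives back the (NFKC-normalised) name."""
    return to_ulabel(to_alabel(domain)) == unicodedata.normalize("NFKC", domain)


def domain_from_log(line: str) -> Optional[str]:
    """Pull the envelope-sender domain out of a 'From: <...>' mail_logs line."""
    m = FROM_RE.search(line)
    if not m or "@" not in m.group(1):
        return None
    return m.group(1).rsplit("@", 1)[1]


def zone_records(domain: str, mx_host: str, mx_ip: str) -> List[str]:
    """BIND-style MX and A records for an IDN domain on a local DNS server.
    Only the A-label form goes into the zone; the U-label stays in a comment."""
    apex = to_alabel(domain).rstrip(".") + "."
    mx = to_alabel(mx_host).rstrip(".") + "."
    return [f"; {domain} (U-label) is {apex}",
            f"{apex}\tIN\tMX\t10\t{mx}",
            f"{mx}\tIN\tA\t{mx_ip}"]


if __name__ == "__main__":
    d = domain_from_log(SAMPLE_LOG) or "lab.com"
    print("\n".join(zone_records(d, "mail." + d, "192.0.2.10")))
```

Python's built-in codec implements IDNA 2003; for characters whose handling changed in IDNA 2008, compare the result with the `idna` package from PyPI before publishing a zone.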
Related Information