Understanding the components and flow of the email security stack.
Components
| Component | Role |
|---|---|
| SEG / ESA (Email Security Appliance) | Inbound/outbound email filtering. Policies, rules, HAT, quarantine routing |
| SMA (Security Management Appliance) | Centralised management of ESAs. Quarantine and message tracking |
| FireEye | Advanced threat detection. Sits inline and inspects email for malware/phishing |
| MTA (Mail Transfer Agent) | Routes email between systems |
Email inbound flow (simplified)
External sender → SEG (HAT check, SBRS, filters) → FireEye (threat scan) → Internal mail server
Key SEG concepts
| Term | Description |
|---|---|
| HAT (Host Access Table) | Controls which senders are accepted, throttled, or blocked based on IP/domain |
| SBRS | SenderBase Reputation Score: Cisco's rating of a sender's trustworthiness, used by the HAT to place a connecting host into a sender group |
| Sender Group | A group of senders in the HAT (e.g. BLOCKED_LIST, WHITELIST) |
| MFP (Mail Flow Policy) | Defines what action to take for a sender group |
| Dictionary | A list of terms/domains used for matching in filters |
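The HAT evaluation described above, as an added example that is not Cisco's or this note's own code: a constructed Python model in which sender groups are walked top to bottom, the first matching entry (IP/CIDR, domain suffix or SBRS range) wins, and the matched group's MFP decides what happens to the connection. The group names, entries, policy names and SBRS thresholds are assumptions for illustration.

```python
"""Toy model of ESA HAT evaluation (constructed example, not ESA code)."""
import ipaddress
import re
from typing import Optional

# SBRS range entries look like "SBRS[lo:hi]" (constructed syntax for this model)
SBRS_RE = re.compile(r"^SBRS\[(-?\d+(?:\.\d+)?):(-?\d+(?:\.\d+)?)\]$")

# Constructed HAT: (sender group, entries, mail flow policy). Order matters:
# the first group with a matching entry wins.
HAT = [
    ("WHITELIST",   ["partner.example"],                  "TRUSTED"),
    ("BLACKLIST",   ["198.51.100.0/24", "SBRS[-10:-3]"],  "BLOCKED"),
    ("SUSPECTLIST", ["SBRS[-3:-1]"],                      "THROTTLED"),
    ("UNKNOWNLIST", ["SBRS[-1:10]"],                      "ACCEPTED"),
]

# Constructed MFP table: policy name -> connection behaviour
MFP = {"TRUSTED": "accept", "ACCEPTED": "accept",
       "THROTTLED": "accept-with-rate-limit", "BLOCKED": "reject"}


def entry_matches(entry: str, ip: str, rdns: Optional[str], sbrs: Optional[float]) -> bool:
    """Return True if a single HAT entry matches the connecting host."""
    m = SBRS_RE.match(entry)
    if m:
        if sbrs is None:          # no reputation score: an SBRS range cannot match
            return False
        lo, hi = float(m.group(1)), float(m.group(2))
        return lo <= sbrs <= hi
    try:                          # IP or CIDR entry
        return ipaddress.ip_address(ip) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass                      # not an IP/CIDR, treat as a domain entry
    return rdns is not None and (rdns == entry or rdns.endswith("." + entry))


def evaluate_hat(ip: str, rdns: Optional[str] = None, sbrs: Optional[float] = None):
    """First-match-wins walk of the HAT; returns (sender_group, policy, action)."""
    for group, entries, policy in HAT:
        if any(entry_matches(e, ip, rdns, sbrs) for e in entries):
            return group, policy, MFP[policy]
    return "UNKNOWNLIST", "ACCEPTED", MFP["ACCEPTED"]   # catch-all default


if __name__ == "__main__":
    print(evaluate_hat("203.0.113.5", "mx1.partner.example", 4.0))   # trusted partner
    print(evaluate_hat("198.51.100.7", None, 5.0))                   # blocked by CIDR
    print(evaluate_hat("203.0.113.9", None, -2.2))                   # throttled by SBRS
```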
Related Notes
- Seg note
- SEG - SBRS (Sender Base Reputation Score)
- SEG - HAT overview sender group
- SEG - Checking blacklist senders dictionary
- FireEye - Queue types
- FireEye - Get logs