Cisco Cisco Email Security Appliance C650 Guía Del Usuario
5-31
Cisco IronPort AsyncOS 7.5 for Email Advanced Configuration Guide
OL-25137-01
Chapter 5 Email Authentication
Enabling SPF and SIDF via the CLI
The AsyncOS CLI supports more control settings for each SPF/SIDF
conformance level. When configuring the default settings for a listener’s Host
Access Table, you can choose the listener’s SPF/SIDF conformance level and the
SMTP actions (ACCEPT or REJECT) that the appliance performs, based on the
SPF/SIDF verification results. You can also define the SMTP response that the
appliance sends when it rejects a message.
conformance level. When configuring the default settings for a listener’s Host
Access Table, you can choose the listener’s SPF/SIDF conformance level and the
SMTP actions (ACCEPT or REJECT) that the appliance performs, based on the
SPF/SIDF verification results. You can also define the SMTP response that the
appliance sends when it rejects a message.
Depending on the conformance level, the appliance performs a check against the
HELO identity, MAIL FROM identity, or PRA identity. You can specify whether
the appliance proceeds with the session (ACCEPT) or terminates the session
(REJECT) for each of the following SPF/SIDF verification results for each
identity check:
HELO identity, MAIL FROM identity, or PRA identity. You can specify whether
the appliance proceeds with the session (ACCEPT) or terminates the session
(REJECT) for each of the following SPF/SIDF verification results for each
identity check:
•
None. No verification can be performed due to the lack of information.
•
Neutral. The domain owner does not assert whether the client is authorized
to use the given identity.
to use the given identity.
•
SoftFail. The domain owner believes the host is not authorized to use the
given identity but is not willing to make a definitive statement.
given identity but is not willing to make a definitive statement.
•
Fail. The client is not authorized to send mail with the given identity.
•
TempError. A transient error occurred during verification.
•
PermError. A permanent error occurred during verification.
The appliance accepts the message for a Pass result unless you configure the SIDF
Compatible conformance level to downgrade a Pass result of the PRA identity to
None if there are Resent-Sender: or Resent-From: headers present in the message.
The appliance then takes the SMTP action specified for when the PRA check
returns None.
Compatible conformance level to downgrade a Pass result of the PRA identity to
None if there are Resent-Sender: or Resent-From: headers present in the message.
The appliance then takes the SMTP action specified for when the PRA check
returns None.
If you choose not to define the SMTP actions for an identity check, the appliance
automatically accepts all verification results, including Fail.
automatically accepts all verification results, including Fail.
The appliance terminates the session if the identity verification result matches a
REJECT action for any of the enabled identity checks. For example, an
administrator configures a listener to accept messages based on all HELO identity
check results, including Fail, but also configures it to reject messages for a Fail
result from the MAIL FROM identity check. If a message fails the HELO identity
check, the session proceeds because the appliance accepts that result. If the
message then fails the MAIL FROM identity check, the listener terminates the
session and then returns the STMP response for the REJECT action.
REJECT action for any of the enabled identity checks. For example, an
administrator configures a listener to accept messages based on all HELO identity
check results, including Fail, but also configures it to reject messages for a Fail
result from the MAIL FROM identity check. If a message fails the HELO identity
check, the session proceeds because the appliance accepts that result. If the
message then fails the MAIL FROM identity check, the listener terminates the
session and then returns the STMP response for the REJECT action.