Cisco Email Security Appliance C650 User Guide
5-25
Cisco IronPort AsyncOS 7.6 for Email Advanced Configuration Guide
OL-25137-01
Chapter 5 Email Authentication
Note
More settings are available via the CLI. See
for
more information.
Step 6
If you choose a conformance level of SIDF-compatible, configure whether the verification downgrades
a Pass result of the PRA identity to None if there are Resent-Sender: or Resent-From: headers present in
the message. You might choose this option for security purposes.
Step 7
If you choose a conformance level of SPF, configure whether to perform a test against the HELO identity.
You might use this option to improve performance by disabling the HELO check. This can be useful
because the spf-passed filter rule checks the PRA or the MAIL FROM Identities first. The appliance
only performs the HELO check for the SPF conformance level.
Enabling SPF and SIDF via the CLI
The AsyncOS CLI supports more control settings for each SPF/SIDF conformance level. When
configuring the default settings for a listener’s Host Access Table, you can choose the listener’s
SPF/SIDF conformance level and the SMTP actions (ACCEPT or REJECT) that the appliance performs,
based on the SPF/SIDF verification results. You can also define the SMTP response that the appliance
sends when it rejects a message.
Depending on the conformance level, the appliance performs a check against the HELO identity, MAIL
FROM identity, or PRA identity. You can specify whether the appliance proceeds with the session
(ACCEPT) or terminates the session (REJECT) for each of the following SPF/SIDF verification results
for each identity check:
• None. No verification can be performed due to the lack of information.
• Neutral. The domain owner does not assert whether the client is authorized to use the given identity.
• SoftFail. The domain owner believes the host is not authorized to use the given identity but is not
willing to make a definitive statement.
• Fail. The client is not authorized to send mail with the given identity.
• TempError. A transient error occurred during verification.
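The Step 6 downgrade option and the per-result ACCEPT/REJECT actions described above can be modelled as follows. This is an added illustration, not Cisco code and not taken from the guide: the PRA header order is simplified from RFC 4407, the SPF/SIDF verdict is supplied as input rather than computed from DNS, and the function names, sample message and POLICY table are assumptions.

```python
from email import message_from_string

# Header precedence for the PRA, simplified from RFC 4407 (the full
# algorithm also handles duplicate and malformed headers).
PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")
RESENT = ("Resent-Sender", "Resent-From")

def pra_header(msg):
    """Return the name of the first non-empty header that supplies the PRA."""
    for name in PRA_ORDER:
        if (msg.get(name) or "").strip():
            return name
    return None

def effective_pra_result(msg, raw_result, downgrade):
    """Model the Step 6 option: Pass becomes None when Resent-* headers are present."""
    has_resent = any(msg.get(h) is not None for h in RESENT)
    if downgrade and raw_result == "Pass" and has_resent:
        return "None"
    return raw_result

def smtp_action(result, policy):
    """Look up ACCEPT/REJECT for a result; unlisted results (e.g. Pass) are
    treated as ACCEPT here, which is an assumption of this sketch."""
    return policy.get(result, "ACCEPT")

# Constructed sample: the PRA comes from Resent-From, not the visible From:.
SAMPLE = (
    "Resent-From: relay@forwarder.example\n"
    "From: ceo@corp.example\n"
    "To: user@corp.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Hypothetical per-result actions for the PRA identity check.
POLICY = {"None": "ACCEPT", "Neutral": "ACCEPT", "SoftFail": "ACCEPT",
          "Fail": "REJECT", "TempError": "ACCEPT"}

if __name__ == "__main__":
    msg = message_from_string(SAMPLE)
    print("PRA taken from:", pra_header(msg))
    for downgrade in (False, True):
        result = effective_pra_result(msg, "Pass", downgrade)
        print(f"downgrade={downgrade}: PRA result {result} ->",
              smtp_action(result, POLICY))
```

With the downgrade enabled, a Pass that was earned by the Resent-From domain is no longer reported as a Pass for the message, so filters that key on a passing PRA do not treat the visible From: address as verified.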
Table 5-1 SPF/SIDF Conformance Levels

Conformance Level: SIDF
Description: The SPF/SIDF verification behaves according to RFC4406.
- The PRA Identity is determined with full conformance to the standard.
- SPF v1.0 records are treated as spf2.0/mfrom,pra.
- For a nonexistent domain or a malformed identity, a verdict of Fail is returned.

Conformance Level: SIDF Compatible
Description: The SPF/SIDF verification behaves according to RFC4406 except for the following differences:
- SPF v1.0 records are treated as spf2.0/mfrom.
- For a nonexistent domain or a malformed identity, a verdict of None is returned.
NOTE: This conformance option was introduced at the request of the OpenSPF community (www.openspf.org).