Cisco Email Security Appliance C650 Technical Reference
Chapter 3: The Commands: Reference Examples
Example - Configuring SPF and SIDF
When configuring the default settings for a listener’s Host Access Table, you can choose the
listener’s SPF/SIDF conformance level and the SMTP actions (ACCEPT or REJECT) that the
appliance performs, based on the SPF/SIDF verification results. You can also define the SMTP
response that the appliance sends when it rejects a message.
Depending on the conformance level, the appliance performs a check against the HELO
identity, MAIL FROM identity, or PRA identity. You can specify whether the appliance
proceeds with the session (ACCEPT) or terminates the session (REJECT) for each of the
following SPF/SIDF verification results for each identity check:
• None. No verification can be performed due to the lack of information.
• Neutral. The domain owner does not assert whether the client is authorized to use the
given identity.
• SoftFail. The domain owner believes the host is not authorized to use the given identity
but is not willing to make a definitive statement.
• Fail. The client is not authorized to send mail with the given identity.
• TempError. A transient error occurred during verification.
• PermError. A permanent error occurred during verification.
The appliance accepts the message for a Pass result unless you configure the SIDF Compatible
conformance level to downgrade a Pass result of the PRA identity to None if there are
Resent-Sender: or Resent-From: headers present in the message. The appliance then takes the SMTP
action specified for when the PRA check returns None.
If you choose not to define the SMTP actions for an identity check, the appliance
automatically accepts all verification results, including Fail.
The appliance terminates the session if the identity verification result matches a REJECT action
for any of the enabled identity checks. For example, an administrator configures a listener to
accept messages based on all HELO identity check results, including Fail, but also configures
it to reject messages for a Fail result from the MAIL FROM identity check. If a message fails the
HELO identity check, the session proceeds because the appliance accepts that result. If the
message then fails the MAIL FROM identity check, the listener terminates the session and then
returns the SMTP response for the REJECT action.
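The decision rules described above can be modelled in a few lines to check a planned policy before applying it. This is an added example, not Cisco code or appliance syntax; the function names, the policy layout, the order in which identity checks are evaluated, and the PRA entry in the sample policy are assumptions.

```python
# Added illustration: a model of the decision rules described above,
# not Cisco code. Names and the evaluation order are assumptions.
ACCEPT, REJECT = "ACCEPT", "REJECT"
RESULTS = ("None", "Neutral", "SoftFail", "Fail", "TempError", "PermError")


def evaluate_session(policy, results, downgrade_pra_pass=False,
                     has_resent_headers=False):
    """Return (action, identity that triggered REJECT or None).

    policy:  {identity: {result: action}}; an identity with no entry has no
             SMTP actions defined, so every result, including Fail, is accepted.
    results: ordered (identity, result) pairs for the enabled identity checks.
    """
    for identity, result in results:
        # SIDF Compatible option: a PRA Pass becomes None when Resent-Sender:
        # or Resent-From: headers are present.
        if (identity == "PRA" and result == "Pass"
                and downgrade_pra_pass and has_resent_headers):
            result = "None"
        if result == "Pass":
            continue  # Pass is accepted
        actions = policy.get(identity)
        if actions is None:
            continue  # actions undefined: all results accepted
        # Assumption: a result missing from a defined mapping means ACCEPT.
        if actions.get(result, ACCEPT) == REJECT:
            return REJECT, identity  # first matching REJECT ends the session
    return ACCEPT, None


def identities_accepting_fail(policy, enabled):
    """Audit helper: enabled identity checks that still accept a Fail result."""
    return [i for i in enabled
            if policy.get(i, {}).get("Fail", ACCEPT) != REJECT]


# Constructed sample: the administrator's configuration from the text, plus a
# PRA check that rejects None (the PRA entry is an assumption for the demo).
accept_all = {r: ACCEPT for r in RESULTS}
SAMPLE_POLICY = {
    "HELO": dict(accept_all),
    "MAIL FROM": {**accept_all, "Fail": REJECT},
    "PRA": {**accept_all, "None": REJECT},
}

if __name__ == "__main__":
    print(evaluate_session(SAMPLE_POLICY, [("HELO", "Fail"), ("MAIL FROM", "Fail")]))
    print(identities_accepting_fail(SAMPLE_POLICY, ["HELO", "MAIL FROM", "PRA"]))
```

The audit helper lists identity checks for which a Fail result still lets the session proceed, which is the outcome whenever SMTP actions are left undefined.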
The SMTP response is a code number and message that the appliance returns when it rejects
a message based on the SPF/SIDF verification result. The TempError result returns a different
Table 3-12 Advanced HAT Parameter Syntax

Parameter | Syntax | Values | Example Values
Directory Harvest Attack Prevention: Maximum Invalid Recipients Per Hour | dhap_limit | Number | 150