Cisco Email Security Appliance C190 User Guide
Cisco AsyncOS 9.5 for Email User Guide
Chapter 21 Email Authentication
Enabling SPF and SIDF
• Neutral. The domain owner does not assert whether the client is authorized to use the given identity.
• SoftFail. The domain owner believes the host is not authorized to use the given identity but is not
willing to make a definitive statement.
• Fail. The client is not authorized to send mail with the given identity.
• TempError. A transient error occurred during verification.
• PermError. A permanent error occurred during verification.
The appliance accepts the message for a Pass result unless you configure the SIDF Compatible
conformance level to downgrade a Pass result of the PRA identity to None if there are Resent-Sender:
or Resent-From: headers present in the message. The appliance then takes the SMTP action specified for
when the PRA check returns None.
If you choose not to define the SMTP actions for an identity check, the appliance automatically accepts
all verification results, including Fail.
The appliance terminates the session if the identity verification result matches a REJECT action for any
of the enabled identity checks. For example, an administrator configures a listener to accept messages
based on all HELO identity check results, including Fail, but also configures it to reject messages for a
Fail result from the MAIL FROM identity check. If a message fails the HELO identity check, the session
proceeds because the appliance accepts that result. If the message then fails the MAIL FROM identity
check, the listener terminates the session and then returns the SMTP response for the REJECT action.
The SMTP response is a code number and message that the appliance returns when it rejects a message
based on the SPF/SIDF verification result. The TempError result returns a different SMTP response from
the other verification results. For TempError, the default response code is 451 and the default message
text is #4.4.3 Temporary error occurred during SPF verification. For all other verification results,
the default response code is 550 and the default message text is #5.7.1 SPF unauthorized mail is
prohibited. You can specify your own response code and message text for TempError and the other
verification results.
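The accept/reject behavior described above, modeled as an added Python example (not Cisco AsyncOS code and not part of the original guide). The names ListenerPolicy and evaluate are hypothetical, and the order of identity checks is whatever the caller supplies.

```python
# Added illustration: models the listener behaviour described in the text.
# This is not Cisco AsyncOS code; all names here are hypothetical.
from dataclasses import dataclass, field

RESULTS = {"None", "Neutral", "SoftFail", "Fail", "TempError", "PermError", "Pass"}
# Default responses as quoted in the guide.
DEFAULT_TEMPERROR = (451, "#4.4.3 Temporary error occurred during SPF verification")
DEFAULT_REJECT = (550, "#5.7.1 SPF unauthorized mail is prohibited")
RESENT_HEADERS = {"resent-sender", "resent-from"}


@dataclass
class ListenerPolicy:
    # identity -> {result: "ACCEPT" or "REJECT"}; anything left undefined is accepted.
    actions: dict = field(default_factory=dict)
    downgrade_pra_pass: bool = False  # the SIDF Compatible downgrade option
    temperror_response: tuple = DEFAULT_TEMPERROR
    reject_response: tuple = DEFAULT_REJECT


def evaluate(policy, checks, header_names=()):
    """checks: (identity, result) pairs in the order they are performed.
    Returns (smtp_response or None if the session proceeds, trace)."""
    has_resent = any(h.lower().rstrip(":") in RESENT_HEADERS for h in header_names)
    trace = []
    for identity, result in checks:
        if result not in RESULTS:
            raise ValueError(f"unknown verification result: {result}")
        if identity == "PRA" and result == "Pass" and policy.downgrade_pra_pass and has_resent:
            result = "None"  # downgraded; the action configured for None now applies
        if result == "Pass":
            action = "ACCEPT"
        else:
            action = policy.actions.get(identity, {}).get(result, "ACCEPT")
        trace.append((identity, result, action))
        if action == "REJECT":  # first REJECT terminates the session
            code, text = (policy.temperror_response if result == "TempError"
                          else policy.reject_response)
            return f"{code} {text}", trace
    return None, trace


if __name__ == "__main__":
    # The guide's example: HELO accepts everything, MAIL FROM rejects Fail.
    policy = ListenerPolicy(actions={"MAIL FROM": {"Fail": "REJECT"}})
    print(evaluate(policy, [("HELO", "Fail"), ("MAIL FROM", "Fail")]))
```

The trace makes the risk of leaving actions undefined visible: a policy with no actions lets a Fail on every identity through.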
Optionally, you can configure the appliance to return a third-party response from the SPF publisher
domain if the REJECT action is taken for a Neutral, SoftFail, or Fail verification result. By default, the
appliance returns the following response:
550-#5.7.1 SPF unauthorized mail is prohibited.
550-The domain example.com explains:
550 <Response text from SPF domain publisher>
To enable these SPF/SIDF settings, use the listenerconfig -> edit subcommand and select a listener.
Then use the hostaccess -> default subcommand to edit the Host Access Table’s default settings.
Answer yes to the following prompts to configure the SPF controls:
Would you like to change SPF/SIDF settings? [N]> yes
Would you like to perform SPF/SIDF Verification? [Y]> yes