Cisco Cisco Email Security Appliance X1070 Guida Utente
17-23
Cisco AsyncOS 8.0.1 for Email User Guide
Chapter 17 Email Authentication
Enabling SPF and SIDF
Step 7
If you choose a conformance level of SPF, configure whether to perform a test against the HELO identity.
You might use this option to improve performance by disabling the HELO check. This can be useful
because the
You might use this option to improve performance by disabling the HELO check. This can be useful
because the
spf-passed
filter rule checks the PRA or the MAIL FROM Identities first. The appliance
only performs the HELO check for the SPF conformance level.
Enabling SPF and SIDF via the CLI
The AsyncOS CLI supports more control settings for each SPF/SIDF conformance level. When
configuring the default settings for a listener’s Host Access Table, you can choose the listener’s
SPF/SIDF conformance level and the SMTP actions (ACCEPT or REJECT) that the appliance performs,
based on the SPF/SIDF verification results. You can also define the SMTP response that the appliance
sends when it rejects a message.
configuring the default settings for a listener’s Host Access Table, you can choose the listener’s
SPF/SIDF conformance level and the SMTP actions (ACCEPT or REJECT) that the appliance performs,
based on the SPF/SIDF verification results. You can also define the SMTP response that the appliance
sends when it rejects a message.
Depending on the conformance level, the appliance performs a check against the HELO identity, MAIL
FROM identity, or PRA identity. You can specify whether the appliance proceeds with the session
(ACCEPT) or terminates the session (REJECT) for each of the following SPF/SIDF verification results
for each identity check:
FROM identity, or PRA identity. You can specify whether the appliance proceeds with the session
(ACCEPT) or terminates the session (REJECT) for each of the following SPF/SIDF verification results
for each identity check:
•
None. No verification can be performed due to the lack of information.
•
Neutral. The domain owner does not assert whether the client is authorized to use the given identity.
•
SoftFail. The domain owner believes the host is not authorized to use the given identity but is not
willing to make a definitive statement.
willing to make a definitive statement.
•
Fail. The client is not authorized to send mail with the given identity.
•
TempError. A transient error occurred during verification.
•
PermError. A permanent error occurred during verification.
The appliance accepts the message for a Pass result unless you configure the SIDF Compatible
conformance level to downgrade a Pass result of the PRA identity to None if there are Resent-Sender:
or Resent-From: headers present in the message. The appliance then takes the SMTP action specified for
when the PRA check returns None.
conformance level to downgrade a Pass result of the PRA identity to None if there are Resent-Sender:
or Resent-From: headers present in the message. The appliance then takes the SMTP action specified for
when the PRA check returns None.
If you choose not to define the SMTP actions for an identity check, the appliance automatically accepts
all verification results, including Fail.
all verification results, including Fail.
The appliance terminates the session if the identity verification result matches a REJECT action for any
of the enabled identity checks. For example, an administrator configures a listener to accept messages
based on all HELO identity check results, including Fail, but also configures it to reject messages for a
Fail result from the MAIL FROM identity check. If a message fails the HELO identity check, the session
proceeds because the appliance accepts that result. If the message then fails the MAIL FROM identity
check, the listener terminates the session and then returns the STMP response for the REJECT action.
of the enabled identity checks. For example, an administrator configures a listener to accept messages
based on all HELO identity check results, including Fail, but also configures it to reject messages for a
Fail result from the MAIL FROM identity check. If a message fails the HELO identity check, the session
proceeds because the appliance accepts that result. If the message then fails the MAIL FROM identity
check, the listener terminates the session and then returns the STMP response for the REJECT action.
The SMTP response is a code number and message that the appliance returns when it rejects a message
based on the SPF/SIDF verification result. The TempError result returns a different SMTP response from
the other verification results. For TempError, the default response code is
based on the SPF/SIDF verification result. The TempError result returns a different SMTP response from
the other verification results. For TempError, the default response code is
451
and the default message
text is
#4.4.3 Temporary error occurred during SPF verification
. For all other verification results,
the default response code is
550
and the default message text is
#5.7.1 SPF unauthorized mail is
prohibited
. You can specify your own response code and message text for TempError and the other
verification results.