When configuring the default settings for a listener’s Host Access
Table, you can choose the listener’s SPF/SIDF conformance level and the SMTP
actions (ACCEPT or REJECT) that the appliance performs, based on the SPF/SIDF
verification results. You can also define the SMTP response that the appliance
sends when it rejects a message.
Depending on the conformance level, the appliance performs a check
against the HELO identity, MAIL FROM identity, or PRA identity. You can specify
whether the appliance proceeds with the session (ACCEPT) or terminates the
session (REJECT) for each of the following SPF/SIDF verification results for
each identity check:
- None. No verification can be performed due to the lack of information.
- Neutral. The domain owner does not assert whether the client is authorized to use the given identity.
- SoftFail. The domain owner believes the host is not authorized to use the given identity but is not willing to make a definitive statement.
- Fail. The client is not authorized to send mail with the given identity.
- TempError. A transient error occurred during verification.
- PermError. A permanent error occurred during verification.
The appliance accepts the message for a Pass result unless you
configure the SIDF Compatible conformance level to downgrade a Pass result of
the PRA identity to None if there are Resent-Sender: or Resent-From: headers
present in the message. The appliance then takes the SMTP action specified for
when the PRA check returns None.
If you choose not to define the SMTP actions for an identity check, the
appliance automatically accepts all verification results, including Fail.
The appliance terminates the session if the identity verification
result matches a REJECT action for any of the enabled identity checks. For
example, an administrator configures a listener to accept messages based on all
HELO identity check results, including Fail, but also configures it to reject
messages for a Fail result from the MAIL FROM identity check. If a message
fails the HELO identity check, the session proceeds because the appliance
accepts that result. If the message then fails the MAIL FROM identity check,
the listener terminates the session and then returns the SMTP response for the
REJECT action.
The SMTP response is a code number and message that the appliance
returns when it rejects a message based on the SPF/SIDF verification result.
The TempError result returns a different SMTP response from the other
verification results. For TempError, the default response code is 451 and the
default message text is "#4.4.3 Temporary error occurred during SPF verification".
For all other verification results, the default response code is 550 and the
default message text is "#5.7.1 SPF unauthorized mail is prohibited". You can
specify your own response code and message text for TempError and for the other
verification results.
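As an added illustration written for this page (not the appliance's own code), the following Python models the decision rules described above: a per-identity ACCEPT/REJECT table, the accept-everything behaviour for an identity with no actions defined, the SIDF Compatible downgrade of a PRA Pass to None, and the 451-versus-550 response returned on REJECT. The identity names and the `SpfPolicy` structure are assumptions made for the model.

```python
# Model of the Host Access Table SPF/SIDF decision logic (illustration only).
from dataclasses import dataclass, field

RESULTS = ("None", "Neutral", "SoftFail", "Fail", "TempError", "PermError")
IDENTITIES = ("HELO", "MAIL FROM", "PRA")          # checked in this order
RESENT_HEADERS = ("Resent-Sender", "Resent-From")

# Default REJECT responses quoted in the text; TempError has its own code.
DEFAULT_RESPONSES = {
    "TempError": (451, "#4.4.3 Temporary error occurred during SPF verification"),
    "other": (550, "#5.7.1 SPF unauthorized mail is prohibited"),
}

def action_table(reject=()):
    """SMTP action per result for one identity: REJECT the listed results,
    ACCEPT everything else."""
    return {r: ("REJECT" if r in reject else "ACCEPT") for r in RESULTS}

@dataclass
class SpfPolicy:
    # identity -> action table; an identity with no entry has no SMTP actions
    # defined, so the appliance accepts every result for it, even Fail.
    actions: dict = field(default_factory=dict)
    downgrade_pra_pass: bool = False   # SIDF Compatible option
    responses: dict = field(default_factory=lambda: dict(DEFAULT_RESPONSES))

def evaluate(policy, results, headers=()):
    """results: {identity: verification result} for the enabled checks.
    Returns ("ACCEPT", None) or ("REJECT", (code, text))."""
    for identity in IDENTITIES:
        if identity not in results:
            continue                       # this identity check is not enabled
        result = results[identity]
        if (identity == "PRA" and result == "Pass" and policy.downgrade_pra_pass
                and any(h in RESENT_HEADERS for h in headers)):
            result = "None"                # downgraded Pass uses the None action
        if result == "Pass":
            continue                       # Pass is always accepted
        table = policy.actions.get(identity)
        if table is not None and table[result] == "REJECT":
            key = "TempError" if result == "TempError" else "other"
            return "REJECT", policy.responses[key]   # session is terminated
    return "ACCEPT", None

# The scenario from the text: accept all HELO results, reject a MAIL FROM Fail.
EXAMPLE_POLICY = SpfPolicy(actions={"HELO": action_table(),
                                    "MAIL FROM": action_table(reject=("Fail",))})
```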
Optionally, you can configure the appliance to return a third-party
response from the SPF publisher domain if the REJECT action is taken for a
Neutral, SoftFail, or Fail verification result. By default, the appliance
returns the following response:
550-#5.7.1 SPF unauthorized mail is prohibited.
550-The domain example.com explains:
550 <Response text from SPF domain publisher>
To enable these SPF/SIDF settings, use the listenerconfig -> edit
subcommand and select a listener. Then use the hostaccess -> default
subcommand to edit the Host Access Table’s default settings. Answer yes to the
following prompts to configure the SPF controls:
Would you like to change SPF/SIDF settings? [N]> yes

Would you like to perform SPF/SIDF Verification? [Y]> yes
The following SPF control settings are available for the Host Access
Table:
Table 17. SPF Control Settings

Conformance Level: SPF Only
Available SPF Control Settings:
- whether to perform a HELO identity check
- SMTP actions taken based on the results of the following identity checks:
  - HELO identity (if enabled)
  - MAIL FROM identity
- SMTP response code and text returned for the REJECT action
- verification timeout (in seconds)

Conformance Level: SIDF Compatible
Available SPF Control Settings:
- whether to perform a HELO identity check
- whether the verification downgrades a Pass result of the PRA identity to None if the Resent-Sender: or Resent-From: headers are present in the message
- SMTP actions taken based on the results of the following identity checks:
  - HELO identity (if enabled)
  - MAIL FROM identity
  - PRA identity
- SMTP response code and text returned for the REJECT action
- verification timeout (in seconds)

Conformance Level: SIDF Strict
Available SPF Control Settings:
- SMTP actions taken based on the results of the following identity checks:
  - MAIL FROM identity
  - PRA identity
- SMTP response code and text returned for the REJECT action
- verification timeout (in seconds)
The following example shows a user configuring the SPF/SIDF
verification using the SPF Only conformance level. The appliance performs the
HELO identity check and accepts the None and Neutral verification results and
rejects the others. The CLI prompts for the SMTP actions are the same for all
identity types. The user does not define the SMTP actions for the MAIL FROM
identity. The appliance automatically accepts all verification results for the
identity. The appliance uses the default reject code and text for all REJECT
results.