When configuring the default settings for a listener's Host Access Table, you can choose the listener's SPF/SIDF conformance level and the SMTP actions (ACCEPT or REJECT) that the email gateway performs, based on the SPF/SIDF verification results. You can also define the SMTP response that the email gateway sends when it rejects a message.
Depending on the conformance level, the appliance performs a check against the HELO identity, MAIL FROM identity, or PRA identity. You can specify whether the email gateway proceeds with the session (ACCEPT) or terminates the session (REJECT) for each of the following SPF/SIDF verification results for each identity check:
- None. No verification can be performed due to the lack of information.
- Neutral. The domain owner does not assert whether the client is authorized to use the given identity.
- SoftFail. The domain owner believes the host is not authorized to use the given identity but is not willing to make a definitive statement.
- Fail. The client is not authorized to send mail with the given identity.
- TempError. A transient error occurred during verification.
- PermError. A permanent error occurred during verification.
The email gateway accepts the message for a Pass result unless you configure the SIDF Compatible conformance level to downgrade a Pass result of the PRA identity to None if there are Resent-Sender: or Resent-From: headers present in the message. The email gateway then takes the SMTP action specified for when the PRA check returns None.

If you choose not to define the SMTP actions for an identity check, the email gateway automatically accepts all verification results, including Fail.
The email gateway terminates the session if the identity verification result matches a REJECT action for any of the enabled identity checks. For example, an administrator configures a listener to accept messages based on all HELO identity check results, including Fail, but also configures it to reject messages for a Fail result from the MAIL FROM identity check. If a message fails the HELO identity check, the session proceeds because the email gateway accepts that result. If the message then fails the MAIL FROM identity check, the listener terminates the session and then returns the SMTP response for the REJECT action.
The SMTP response is a code number and message that the email gateway returns when it rejects a message based on the SPF/SIDF verification result. The TempError result returns a different SMTP response from the other verification results. For TempError, the default response code is 451 and the default message text is "#4.4.3 Temporary error occurred during SPF verification". For all other verification results, the default response code is 550 and the default message text is "#5.7.1 SPF unauthorized mail is prohibited". You can specify your own response code and message text for TempError and the other verification results.
Optionally, you can configure the email gateway to return a third-party response from the SPF publisher domain if the REJECT action is taken for a Neutral, SoftFail, or Fail verification result. By default, the email gateway returns the following response:
550-#5.7.1 SPF unauthorized mail is prohibited.
550-The domain example.com explains:
550 <Response text from SPF domain publisher>
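The decision rules described above (per-identity ACCEPT/REJECT tables, undefined actions accepting every result, the session ending at the first REJECT, the default 451/550 responses, and the SIDF Compatible PRA downgrade) can be modelled as follows. This is an added illustration, not Cisco's code; the `evaluate` function, its parameters and the treatment of a missing identity result as None are assumptions of the model.

```python
# Added illustration, not Cisco code: a model of the HAT SPF/SIDF decision
# logic described above, applied to one SMTP session's verification results.

# Default SMTP responses from the documentation: TempError gets the 451
# response, every other rejected result gets the 550 response.
DEFAULT_RESPONSES = {
    "TempError": (451, "#4.4.3 Temporary error occurred during SPF verification"),
    "other": (550, "#5.7.1 SPF unauthorized mail is prohibited"),
}
# Identity checks evaluated at each conformance level, in the order the text
# lists them; HELO is optional and is skipped unless helo_check is True.
IDENTITIES = {
    "SPF Only": ("HELO", "MAIL FROM"),
    "SIDF Compatible": ("HELO", "MAIL FROM", "PRA"),
    "SIDF Strict": ("MAIL FROM", "PRA"),
}


def evaluate(level, actions, results, helo_check=True,
             downgrade_pra_pass=False, resent_headers=False,
             responses=DEFAULT_RESPONSES):
    """Return ("ACCEPT", None, None, None) or ("REJECT", identity, result, (code, text)).
    actions: {identity: {result: "ACCEPT" | "REJECT"}}; an identity with no table
             accepts every result, including Fail.
    results: {identity: result}; a missing identity is treated as None (modelling choice).
    """
    for identity in IDENTITIES[level]:
        if identity == "HELO" and not helo_check:
            continue                      # HELO check not performed
        result = results.get(identity, "None")
        # SIDF Compatible option: a PRA Pass is downgraded to None when
        # Resent-Sender: or Resent-From: headers are present in the message.
        if (level == "SIDF Compatible" and identity == "PRA" and result == "Pass"
                and downgrade_pra_pass and resent_headers):
            result = "None"
        if result == "Pass":
            continue                      # Pass is always accepted
        if actions.get(identity, {}).get(result, "ACCEPT") == "REJECT":
            # The first REJECT among the enabled checks terminates the session.
            key = "TempError" if result == "TempError" else "other"
            return ("REJECT", identity, result, responses[key])
    return ("ACCEPT", None, None, None)


# The listener from the worked example below: SPF Only, HELO check performed,
# HELO accepts only None and Neutral, no SMTP actions defined for MAIL FROM.
EXAMPLE_ACTIONS = {
    "HELO": {"None": "ACCEPT", "Neutral": "ACCEPT", "SoftFail": "REJECT",
             "Fail": "REJECT", "TempError": "REJECT", "PermError": "REJECT"},
}
```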
To enable these SPF/SIDF settings, use the listenerconfig -> edit subcommand and select a listener. Then use the hostaccess -> default subcommand to edit the Host Access Table's default settings. Answer yes to the following prompts to configure the SPF controls:

Would you like to change SPF/SIDF settings? [N]> yes

Would you like to perform SPF/SIDF Verification? [Y]> yes
The following SPF control settings are available for the Host Access Table:

Table 17. SPF Control Settings

Conformance level: SPF Only
- whether to perform a HELO identity check
- SMTP actions taken based on the results of the following identity checks:
  - HELO identity (if enabled)
  - MAIL FROM identity
- SMTP response code and text returned for the REJECT action
- verification timeout (in seconds)

Conformance level: SIDF Compatible
- whether to perform a HELO identity check
- whether the verification downgrades a Pass result of the PRA identity to None if the Resent-Sender: or Resent-From: headers are present in the message
- SMTP actions taken based on the results of the following identity checks:
  - HELO identity (if enabled)
  - MAIL FROM identity
  - PRA identity
- SMTP response code and text returned for the REJECT action
- verification timeout (in seconds)

Conformance level: SIDF Strict
- SMTP actions taken based on the results of the following identity checks:
  - MAIL FROM identity
  - PRA identity
- SMTP response code and text returned for the SPF REJECT action
- verification timeout (in seconds)
The following example shows a user configuring the SPF/SIDF verification using the SPF Only conformance level. The email gateway performs the HELO identity check and accepts the None and Neutral verification results and rejects the others. The CLI prompts for the SMTP actions are the same for all identity types. The user does not define the SMTP actions for the MAIL FROM identity, so the email gateway automatically accepts all verification results for that identity. The email gateway uses the default reject code and text for all REJECT results.