The AsyncOS CLI supports more control settings for each SPF/SIDF conformance level. When configuring the default settings for a listener’s Host Access Table, you can choose the listener’s SPF/SIDF conformance level and the SMTP actions (ACCEPT or REJECT) that the appliance performs, based on the SPF/SIDF verification results. You can also define the SMTP response that the appliance sends when it rejects a message.
Depending on the conformance level, the appliance performs a check against the HELO identity, MAIL FROM identity, or PRA identity. You can specify whether the appliance proceeds with the session (ACCEPT) or terminates the session (REJECT) for each of the following SPF/SIDF verification results for each identity check:
The appliance accepts the message for a Pass result unless you configure the SIDF Compatible conformance level to downgrade a Pass result of the PRA identity to None if there are Resent-Sender: or Resent-From: headers present in the message. The appliance then takes the SMTP action specified for when the PRA check returns None.
If you choose not to define the SMTP actions for an identity check, the appliance automatically accepts all verification results, including Fail.
The appliance terminates the session if the identity verification result matches a REJECT action for any of the enabled identity checks. For example, an administrator configures a listener to accept messages based on all HELO identity check results, including Fail, but also configures it to reject messages for a Fail result from the MAIL FROM identity check. If a message fails the HELO identity check, the session proceeds because the appliance accepts that result. If the message then fails the MAIL FROM identity check, the listener terminates the session and returns the SMTP response for the REJECT action.
The SMTP response is a code number and message that the appliance returns when it rejects a message based on the SPF/SIDF verification result. The TempError result returns a different SMTP response from the other verification results. For TempError, the default response code is 451 and the default message text is "#4.4.3 Temporary error occurred during SPF verification". For all other verification results, the default response code is 550 and the default message text is "#5.7.1 SPF unauthorized mail is prohibited". You can specify your own response code and message text for TempError and for the other verification results.
Optionally, you can configure the appliance to return a third-party response from the SPF publisher domain if the REJECT action is taken for a Neutral, SoftFail, or Fail verification result. By default, the appliance returns the following response:
550-#5.7.1 SPF unauthorized mail is prohibited.
550-The domain example.com explains:
550 <Response text from SPF domain publisher>
To enable these SPF/SIDF settings, use the listenerconfig -> edit subcommand and select a listener. Then use the hostaccess -> default subcommand to edit the Host Access Table’s default settings.
The following SPF control settings are available for the Host Access Table.

SPF Control Settings via the CLI

Conformance Level: SPF Only
Available SPF Control Settings:
- whether to perform a HELO identity check
- SMTP actions taken based on the results of the following identity checks:
  - HELO identity (if enabled)
  - MAIL FROM identity
- SMTP response code and text returned for the REJECT action
- verification timeout (in seconds)

Conformance Level: SIDF Compatible
Available SPF Control Settings:
- whether to perform a HELO identity check
- whether the verification downgrades a Pass result of the PRA identity to None if the Resent-Sender: or Resent-From: headers are present in the message
- SMTP actions taken based on the results of the following identity checks:
  - HELO identity (if enabled)
  - MAIL FROM identity
  - PRA identity
- SMTP response code and text returned for the REJECT action
- verification timeout (in seconds)

Conformance Level: SIDF Strict
Available SPF Control Settings:
- SMTP actions taken based on the results of the following identity checks:
  - MAIL FROM identity
  - PRA identity
- SMTP response code and text returned for the SPF REJECT action
- verification timeout (in seconds)
The appliance performs the HELO identity check and accepts the None and Neutral verification results and rejects the others. The CLI prompts for the SMTP actions are the same for all identity types. The user does not define the SMTP actions for the MAIL FROM identity, so the appliance automatically accepts all verification results for that identity. The appliance uses the default reject code and text for all REJECT results.
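As an added illustration (example code, not AsyncOS code or a Cisco example), the following Python models the per-identity ACCEPT/REJECT evaluation described in this section: which identities each conformance level checks, the rule that an identity with no defined actions accepts every result, the SIDF Compatible downgrade of a PRA Pass to None when Resent-Sender: or Resent-From: headers are present, the choice between the 451 TempError response and the 550 response, and the three-line third-party reply format. It carries both configurations discussed in the text: the listener that accepts every HELO result but rejects a MAIL FROM Fail, and the listener whose HELO check accepts only None and Neutral while MAIL FROM has no actions defined. The class and function names, the dict-based configuration shape, the evaluation order (HELO, then MAIL FROM, then PRA), the "SPF Only" level assigned to the second configuration, and treating a missing result as None are assumptions of this example.

```python
# Added example modelling the Host Access Table SPF/SIDF policy; not AsyncOS
# code. Names, config shape and evaluation order are assumptions.
from dataclasses import dataclass, field

# SPF/SIDF verification results and the identities each conformance level checks.
RESULTS = ("None", "Neutral", "Pass", "Fail", "SoftFail", "TempError", "PermError")
IDENTITIES_BY_LEVEL = {
    "SPF Only": ("HELO", "MAIL FROM"),
    "SIDF Compatible": ("HELO", "MAIL FROM", "PRA"),
    "SIDF Strict": ("MAIL FROM", "PRA"),
}

# Default SMTP responses quoted in the text.
DEFAULT_REJECT = (550, "#5.7.1 SPF unauthorized mail is prohibited")
DEFAULT_TEMPERROR = (451, "#4.4.3 Temporary error occurred during SPF verification")


@dataclass
class ListenerSpfPolicy:
    conformance: str                    # "SPF Only", "SIDF Compatible" or "SIDF Strict"
    helo_check: bool = True             # "whether to perform a HELO identity check"
    downgrade_pra_pass: bool = False    # SIDF Compatible option
    # identity -> {result: "ACCEPT" | "REJECT"}; an identity with no actions
    # defined accepts every result, including Fail.
    actions: dict = field(default_factory=dict)
    reject_response: tuple = DEFAULT_REJECT
    temperror_response: tuple = DEFAULT_TEMPERROR

    def enabled_identities(self):
        ids = IDENTITIES_BY_LEVEL[self.conformance]
        return [i for i in ids if i != "HELO" or self.helo_check]

    def action_for(self, identity, result):
        return self.actions.get(identity, {}).get(result, "ACCEPT")

    def evaluate(self, results, headers=()):
        """Walk the enabled identity checks in order (assumed HELO, MAIL FROM,
        PRA); the first REJECT terminates the session and selects the SMTP
        response. `results` maps identity -> verification result; `headers`
        lists the message's header names. A missing result is treated as None."""
        resent = any(h.lower() in ("resent-sender", "resent-from") for h in headers)
        for identity in self.enabled_identities():
            result = results.get(identity, "None")
            if result not in RESULTS:
                raise ValueError(f"unknown SPF result {result!r}")
            # SIDF Compatible: a PRA Pass is downgraded to None when Resent-*
            # headers are present, and the action configured for None applies.
            if (identity == "PRA" and self.conformance == "SIDF Compatible"
                    and self.downgrade_pra_pass and result == "Pass" and resent):
                result = "None"
            if self.action_for(identity, result) == "REJECT":
                code, text = (self.temperror_response if result == "TempError"
                              else self.reject_response)
                return {"action": "REJECT", "identity": identity,
                        "result": result, "code": code, "text": text}
        return {"action": "ACCEPT"}


def format_reject_response(code, text, publisher_domain=None, publisher_text=None):
    """Render the SMTP reply lines. With a publisher explanation this is the
    three-line form shown in the text; continuation lines use 'code-'."""
    if publisher_domain is None:
        return [f"{code} {text}"]
    return [f"{code}-{text}.",
            f"{code}-The domain {publisher_domain} explains:",
            f"{code} {publisher_text}"]


# First configuration from the text: HELO has no actions defined (accepts every
# result, Fail included); MAIL FROM rejects Fail. A message that fails both
# passes the HELO check and is rejected at MAIL FROM with the default 550 reply.
EXAMPLE_POLICY = ListenerSpfPolicy(
    conformance="SPF Only",
    actions={"MAIL FROM": {"Fail": "REJECT"}},
)

# Second configuration from the text: the HELO check accepts only None and
# Neutral and rejects everything else; MAIL FROM has no actions defined.
# (Assigning it the "SPF Only" level is an assumption of this example.)
EXAMPLE_POLICY_2 = ListenerSpfPolicy(
    conformance="SPF Only",
    actions={"HELO": {r: ("ACCEPT" if r in ("None", "Neutral") else "REJECT")
                      for r in RESULTS}},
)

if __name__ == "__main__":
    verdict = EXAMPLE_POLICY.evaluate({"HELO": "Fail", "MAIL FROM": "Fail"})
    print(verdict)
    for line in format_reject_response(verdict["code"], verdict["text"], "example.com",
                                       "<Response text from SPF domain publisher>"):
        print(line)
```

Running the block prints the verdict for the first worked example (a REJECT attributed to the MAIL FROM identity with code 550) followed by the three-line third-party reply; the TempError branch is what makes a 451 reply appear instead when that result is configured to REJECT.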
You can also configure this in the command-line interface using the listenerconfig command.