When configuring the default settings for a listener’s Host Access Table, you can choose the listener’s SPF/SIDF conformance level and the SMTP actions (ACCEPT or REJECT) that the appliance performs, based on the SPF/SIDF verification results. You can also define the SMTP response that the appliance sends when it rejects a message.

Depending on the conformance level, the appliance performs a check against the HELO identity, MAIL FROM identity, or PRA identity. You can specify whether the appliance proceeds with the session (ACCEPT) or terminates the session (REJECT) for each of the following SPF/SIDF verification results for each identity check:
- None. No verification can be performed due to the lack of information.
- Neutral. The domain owner does not assert whether the client is authorized to use the given identity.
- SoftFail. The domain owner believes the host is not authorized to use the given identity but is not willing to make a definitive statement.
- Fail. The client is not authorized to send mail with the given identity.
- TempError. A transient error occurred during verification.
- PermError. A permanent error occurred during verification.
The appliance accepts the message for a Pass result unless you configure the SIDF Compatible conformance level to downgrade a Pass result of the PRA identity to None if there are Resent-Sender: or Resent-From: headers present in the message. The appliance then takes the SMTP action specified for when the PRA check returns None.

If you choose not to define the SMTP actions for an identity check, the appliance automatically accepts all verification results, including Fail.
The appliance terminates the session if the identity verification result matches a REJECT action for any of the enabled identity checks. For example, an administrator configures a listener to accept messages based on all HELO identity check results, including Fail, but also configures it to reject messages for a Fail result from the MAIL FROM identity check. If a message fails the HELO identity check, the session proceeds because the appliance accepts that result. If the message then fails the MAIL FROM identity check, the listener terminates the session and returns the SMTP response for the REJECT action.
The SMTP response is a code number and message that the appliance returns when it rejects a message based on the SPF/SIDF verification result. The TempError result returns a different SMTP response from the other verification results. For TempError, the default response code is 451 and the default message text is "#4.4.3 Temporary error occurred during SPF verification". For all other verification results, the default response code is 550 and the default message text is "#5.7.1 SPF unauthorized mail is prohibited". You can specify your own response code and message text for TempError and for the other verification results.
Optionally, you can configure the appliance to return a third-party response from the SPF publisher domain if the REJECT action is taken for a Neutral, SoftFail, or Fail verification result. By default, the appliance returns the following response:
550-#5.7.1 SPF unauthorized mail is prohibited.
550-The domain example.com explains:
550 <Response text from SPF domain publisher>
To enable these SPF/SIDF settings, use the listenerconfig -> edit subcommand and select a listener. Then use the hostaccess -> default subcommand to edit the Host Access Table’s default settings. Answer yes to the following prompts to configure the SPF controls:

Would you like to change SPF/SIDF settings? [N]> yes

Would you like to perform SPF/SIDF Verification? [Y]> yes
The following SPF control settings are available for the Host Access Table:

Table 17. SPF Control Settings

Conformance Level: SPF Only
Available SPF Control Settings:
- whether to perform a HELO identity check
- SMTP actions taken based on the results of the following identity checks:
  - HELO identity (if enabled)
  - MAIL FROM identity
- SMTP response code and text returned for the REJECT action
- verification timeout (in seconds)

Conformance Level: SIDF Compatible
Available SPF Control Settings:
- whether to perform a HELO identity check
- whether the verification downgrades a Pass result of the PRA identity to None if the Resent-Sender: or Resent-From: headers are present in the message
- SMTP actions taken based on the results of the following identity checks:
  - HELO identity (if enabled)
  - MAIL FROM identity
  - PRA identity
- SMTP response code and text returned for the REJECT action
- verification timeout (in seconds)

Conformance Level: SIDF Strict
Available SPF Control Settings:
- SMTP actions taken based on the results of the following identity checks:
  - MAIL FROM identity
  - PRA identity
- SMTP response code and text returned for the REJECT action
- verification timeout (in seconds)
The following example shows a user configuring SPF/SIDF verification using the SPF Only conformance level. The appliance performs the HELO identity check, accepts the None and Neutral verification results, and rejects the others. The CLI prompts for the SMTP actions are the same for all identity types. The user does not define the SMTP actions for the MAIL FROM identity, so the appliance automatically accepts all verification results for that identity. The appliance uses the default reject code and text for all REJECT results.
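The following is an added example, not Cisco's code or AsyncOS output: a small model of the accept/reject logic and SMTP responses described above (per-identity actions, undefined actions accepting everything, the SIDF Compatible PRA downgrade, the 451/550 defaults and the optional third-party response), with the SPF Only configuration from this CLI example as its sample policy. The identity names, the actions-table layout and the sample configuration are assumptions.

```python
# Added example, not Cisco's code: a model of the Host Access Table SPF/SIDF
# decision logic described above. Identity names, the actions-table layout and
# the sample configuration are assumptions chosen to mirror the CLI example.
# Default SMTP responses quoted in the text.
DEFAULT_TEMPERROR = (451, "#4.4.3 Temporary error occurred during SPF verification")
DEFAULT_REJECT = (550, "#5.7.1 SPF unauthorized mail is prohibited")
EXPLAINABLE = {"Neutral", "SoftFail", "Fail"}  # results that may carry a publisher explanation

def downgrade_pra(result, headers, sidf_compatible):
    """SIDF Compatible level: a PRA Pass becomes None when Resent-* headers are present."""
    if sidf_compatible and result == "Pass" and ({"Resent-Sender", "Resent-From"} & set(headers)):
        return "None"
    return result

def smtp_response(code, text, domain="", explanation=""):
    """Single-line reject response, or the three-line form with the publisher's text."""
    if not explanation:
        return f"{code} {text}"
    return "\r\n".join([f"{code}-{text}", f"{code}-The domain {domain} explains:",
                        f"{code} {explanation}"])

def evaluate(actions, results, headers=None, sidf_compatible=False, domain="", explanation=""):
    """Return ("ACCEPT", None) or ("REJECT", response) for one SMTP session.
    actions: identity -> {result: "ACCEPT"|"REJECT"}, or None when the actions were
    never defined (every result, including Fail, is then accepted). Pass is always
    accepted; the first identity whose result maps to REJECT ends the session."""
    headers = headers or {}
    for identity in ("HELO", "MAIL FROM", "PRA"):   # checked in this order
        result = results.get(identity)
        if result is None:                          # identity check not enabled
            continue
        if identity == "PRA":
            result = downgrade_pra(result, headers, sidf_compatible)
        table = actions.get(identity)
        if result == "Pass" or table is None:
            continue
        if table.get(result) == "REJECT":
            code, text = DEFAULT_TEMPERROR if result == "TempError" else DEFAULT_REJECT
            expl = explanation if result in EXPLAINABLE else ""
            return "REJECT", smtp_response(code, text, domain, expl)
    return "ACCEPT", None

# The SPF Only configuration from the CLI example: HELO checked, None and Neutral
# accepted, all other results rejected; MAIL FROM actions left undefined.
SPF_ONLY_EXAMPLE = {
    "HELO": {"None": "ACCEPT", "Neutral": "ACCEPT", "SoftFail": "REJECT",
             "Fail": "REJECT", "TempError": "REJECT", "PermError": "REJECT"},
    "MAIL FROM": None,
}
```

Calling `evaluate(SPF_ONLY_EXAMPLE, {"HELO": "Neutral", "MAIL FROM": "Fail"})` accepts the session because the MAIL FROM actions were never defined, while a HELO Fail is rejected with the default 550 response.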