03-26-2020 06:18 AM
Hi,
according to the documentation, when you set SPF conformance level to SPF only, no PRA identity verification takes place (as that is part of the outdated SIDF).
At the same time, the documentation also mentions this:
You can only use the spf-status message filter rule to check results against HELO, MAIL FROM, and PRA identities. You cannot use the spf-status content filter rule to check against identities. The spf-status content filter checks only the PRA identity.
Does this mean if conformance is set to SPF (not SIDF-compatible), I *have* to use message filters and can't use content filters?
03-27-2020 09:53 AM
03-27-2020 05:54 PM
Thanks Pratham. Is it possible this information/documentation is outdated? Because I have set up content filters and they seem to work just fine on MAILFROM and HELO identities. AsyncOS 12.5.x, set to SPF conformity. Logs contain SPF status based on MAILFROM and HELO and content filters are applied. The filters work fine.
03-28-2020 01:36 AM
03-28-2020 04:37 AM
Hi Pratham,
yes, our ESA is pushing mails into a quarantine that only show SPF MAILFROM in the logs. We actually never see any mention of PRA at all in the logs. Which would be logical to me, as PRA - as I understand it - is part of SIDF. Which is disabled when you set conformity to SPF only (not SIDF compatible).
That's why I am wondering.
Why are the other identities not available in content filters, anyway?
03-28-2020 09:47 PM - edited 03-28-2020 09:48 PM
Hi,
I was able to check on the user guide for Async OS version 12.5 and it mentions as below:
"You can only use the spf-status message filter rule to check results against HELO, MAIL FROM, and PRA identities. You cannot use the spf-status content filter rule to check against identities. The spf-status content filter checks only the PRA identity."
So I am not sure what is causing the emails to get quarantined with SPF only, since it doesn't check the PRA identity. Maybe you can open a TAC case and provide more details so this can be investigated further on the case.
The other identities not being available in content filters is something the development teams are looking at under the enhancement request below:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc10619
Cheers,
Pratham
03-29-2020 03:49 AM
Thanks. This enhancement request has been open for four years. To be honest, I am starting to get fed up with Cisco and all the little inconsistencies in ESA. Just like the other bugs I reported. Does Cisco ever fix any of them?
I am starting to wonder if it was the right decision to go with Cisco for email security.
03-29-2020 01:32 PM - edited 03-30-2020 05:23 AM
Hello,
We had a defect a few years back where the SPF content-filter would only trigger against the first SPF verification within the headers (commonly PRA). However, this was supposedly fixed back in 9.7.2 and 10.0, and now the SPF content filter should trigger against any/all verdicts. So, if you're seeing unexpected behavior then it may be configuration related or something else within these emails. As mentioned, it may be best to open a case so that we can help investigate.
Thanks!
-Dennis M.
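To see which identities a given message was actually evaluated against, the Received-SPF headers can be read directly. The following is an added example, not code from this thread or from Cisco: it assumes RFC 7208 style headers carrying an `identity=` key, uses a constructed sample message, and the helper names are hypothetical. It contrasts a check that looks only at the first SPF header with one that looks at all of them.

```python
import re
from email import message_from_string

# Constructed sample (placeholder hosts/addresses): one Received-SPF header
# per identity, in the key=value style of RFC 7208 section 9.1.
SAMPLE = """\
Received-SPF: Pass (mx.example.net: domain of alice@example.org designates 192.0.2.10 as permitted sender) identity=pra; client-ip=192.0.2.10
Received-SPF: Fail (mx.example.net: domain of bounce@example.com does not designate 192.0.2.10 as permitted sender) identity=mailfrom; client-ip=192.0.2.10
Received-SPF: None (mx.example.net: no sender authenticity information available) identity=helo; client-ip=192.0.2.10
From: Alice <alice@example.org>
Subject: constructed test message

body
"""

_COMMENT = re.compile(r"\([^()]*\)")            # free-text comment after the result
_IDENTITY = re.compile(r"\bidentity=([\w-]+)", re.I)


def spf_verdicts(raw_message):
    """Return [(identity, result), ...] in header order, lowercased."""
    msg = message_from_string(raw_message)
    verdicts = []
    for value in msg.get_all("Received-SPF", []):
        bare = _COMMENT.sub(" ", value)          # drop the comment so it cannot confuse parsing
        tokens = bare.split()
        if not tokens:
            continue                             # empty header value, nothing to report
        found = _IDENTITY.search(bare)
        identity = found.group(1).lower() if found else "unknown"
        verdicts.append((identity, tokens[0].lower()))
    return verdicts


def first_only_match(verdicts, result):
    """Match only the first SPF header, whatever identity it carries."""
    return bool(verdicts) and verdicts[0][1] == result


def any_match(verdicts, result, identity=None):
    """Match any SPF header, optionally restricted to one identity."""
    return any(r == result and identity in (None, i) for i, r in verdicts)


if __name__ == "__main__":
    v = spf_verdicts(SAMPLE)
    print(v, first_only_match(v, "fail"), any_match(v, "fail"))
```
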
03-29-2020 04:15 PM
@dmccabej wrote:
Hello,
We had a defect a few years back where the SPF content-filter would only trigger against the first SPF verification within the headers (commonly PRA). However, this was supposedly fixed back in 9.7.2 and 10.0, and now the SPF content filter should trigger against any/all verdicts.
That's what I am seeing on my end. If this has been fixed since 9.x - years ago - then why doesn't the documentation reflect that? All your docs, all your FAQs, all still claim that in content filters only PRA is available.
This is annoying.
03-30-2020 05:40 AM
Hello,
We have thousands of pieces of documentation and anything referencing this particular bit of information would need to have been manually updated. It's unfortunate, but, it more than likely just slipped through the cracks.
If you wish to provide me with any/all links of where our documentation is stating otherwise, I'll be more than happy to go in and correct the ones I can fix myself and then file enhancements for anything I need to escalate.
Thanks!
-Dennis M.