Beginner

Question about SPF actions

Hi,

According to the documentation, when you set the SPF conformance level to SPF only, no PRA identity verification takes place (as that is part of the outdated SIDF).

At the same time, the documentation also mentions this:

You can only use the spf-status message filter rule to check results against HELO, MAIL FROM, and PRA identities. You cannot use the spf-status content filter rule to check against identities. The spf-status content filter checks only the PRA identity.

Does this mean if conformance is set to SPF (not SIDF-compatible), I *have* to use message filters and can't use content filters?

Cisco Employee

Re: Question about SPF actions

Hello,

If you set conformance to SPF only and don't use message filters to check the HELO, MAIL FROM and PRA identities, then with content filters alone you can check only the PRA identity, so the email can still get delivered even if the SPF status is failed.

Hence, if you want to be more granular you need to apply and use message filters. Please refer to the article below for more details:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118574-qa-esa-00.html

I hope this answers your query.

Cheers,
Pratham
Beginner

Re: Question about SPF actions

Thanks Pratham. Is it possible this information/documentation is outdated? Because I have set up content filters and they seem to work just fine on MAILFROM and HELO identities. AsyncOS 12.5.x, set to SPF conformity. Logs contain SPF status based on MAILFROM and HELO and content filters are applied. The filters work fine. 

Cisco Employee

Re: Question about SPF actions

Hello,

If you have set up content filters and set SPF conformity, the logs will show SPF status based on MAILFROM, PRA and HELO; however, the content filter you apply will work on the PRA identity only, while the SPF status of MAILFROM and HELO will still be visible to you in the mail logs.

For instance, SPF verification is enabled for all incoming messages on Cisco IronPort Mail Flow Policies. A content filter exists which will quarantine or drop the messages if SPF-Verification fails:

SPF-Verification spf-status == "fail"
Action: 'Quarantine'

mail_log or message tracking shows the following details:

Thu Aug 20 17:27:37 2009 Info: MID 6153849 SPF: helo identity postmaster@example None
Thu Aug 20 17:27:37 2009 Info: MID 6153849 SPF: mailfrom identity user@example.com Fail (v=spf1)
Thu Aug 20 17:28:15 2009 Info: MID 6153849 SPF: pra identity user@example.com None headers from
Thu Aug 20 17:28:15 2009 Info: MID 6153849 ready 197 bytes from

However, message is processed and delivered normally which should have been quarantined if the content filters checked for mailfrom identity as well.

From what I understand of your comment above, do you mean that in the similar scenario above the mails are getting quarantined for you in AsyncOS version 12.5?

Cheers,
Pratham
Beginner

Re: Question about SPF actions

Hi Pratham,

Yes, our ESA is pushing mails into a quarantine that only show SPF MAILFROM in the logs. We actually never see any mention of PRA at all in the logs. That would be logical to me, as PRA, as I understand it, is part of SIDF, which is disabled when you set conformity to SPF only (not SIDF compatible).

That's why I am wondering.

Why are the other identities not available in content filters, anyway?

Cisco Employee

Re: Question about SPF actions

Hi,

I was able to check on the user guide for Async OS version 12.5 and it mentions as below:

"You can only use the spf-status message filter rule to check results against HELO, MAIL FROM, and PRA identities. You cannot use the spf-status content filter rule to check against identities. The spf-status content filter checks only the PRA identity."

Guide Link: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-5/user_guide/b_ESA_Admin_Guide_12_5/b_ESA_Admin_Guide_12_1_chapter_010110.html#con_1148061


So I am not sure what is causing the emails to get quarantined with SPF only, since it doesn't check the PRA identity. Maybe you can open a TAC case and provide more details so this can be investigated further on the case.

The other identities not being available in content filters is something the development teams are looking at under the enhancement request below:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc10619

Cheers,
Pratham

Beginner

Re: Question about SPF actions

Thanks. This enhancement request has been open for four years. To be honest, I am starting to get fed up with Cisco and all the little inconsistencies in ESA. Just like the other bugs I reported. Does Cisco ever fix any of them?

I am starting to wonder if it was the right decision to go with Cisco for email security. 

Cisco Employee

Re: Question about SPF actions

Hello,

We had a defect a few years back where the SPF content-filter would only trigger against the first SPF verification within the headers (commonly PRA). However, this was supposedly fixed back in 9.7.2 and 10.0, and now the SPF content filter should trigger against any/all verdicts. So, if you're seeing unexpected behavior then it may be configuration related or something else within these emails. As mentioned, it may be best to open a case so that we can help investigate. 

Thanks!

-Dennis M.
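To make the difference between the two behaviours discussed in this thread concrete (the documented "PRA identity only" semantics of the spf-status content filter versus the "any/all verdicts" semantics Dennis describes after the fix), here is an added audit script that is not part of the thread or of Cisco's product. It parses mail_log lines in the format quoted above and reports, per MID, whether a content filter condition like spf-status == "fail" would fire under each model; the log lines, MIDs and addresses are constructed, and MID 1002 deliberately has no pra line, mirroring what the original poster observed with SPF-only conformance.

```python
import re
from collections import defaultdict

# Constructed sample lines in the mail_log format quoted in this thread
# (identities: helo, mailfrom, pra). MID 1001 mirrors the thread's example;
# MID 1002 has no pra line, as the poster observed with SPF-only conformance.
SAMPLE_LOG = """\
Thu Aug 20 17:27:37 2009 Info: MID 1001 SPF: helo identity postmaster@example None
Thu Aug 20 17:27:37 2009 Info: MID 1001 SPF: mailfrom identity user@example.com Fail (v=spf1)
Thu Aug 20 17:28:15 2009 Info: MID 1001 SPF: pra identity user@example.com None headers from
Thu Aug 20 17:30:02 2009 Info: MID 1002 SPF: helo identity mx.example.net Pass (v=spf1)
Thu Aug 20 17:30:02 2009 Info: MID 1002 SPF: mailfrom identity sender@example.net Fail (v=spf1)
Thu Aug 20 17:30:02 2009 Info: MID 1002 ready 197 bytes from
"""

# Matches only the "SPF: <identity> identity <addr> <verdict>" lines.
SPF_LINE = re.compile(
    r"MID (?P<mid>\d+) SPF: (?P<identity>helo|mailfrom|pra) identity "
    r"(?P<addr>\S+) (?P<verdict>None|Pass|Fail|SoftFail|Neutral|TempError|PermError)"
)

def parse_spf_verdicts(log_text):
    """Return {mid: {identity: verdict}} from mail_log lines; non-SPF lines are ignored."""
    verdicts = defaultdict(dict)
    for line in log_text.splitlines():
        m = SPF_LINE.search(line)
        if m:
            verdicts[m["mid"]][m["identity"]] = m["verdict"].lower()
    return dict(verdicts)

def spf_status_matches(identities, wanted, pra_only):
    """Emulate the content-filter condition spf-status == "<wanted>".
    pra_only=True models the documented behaviour (PRA identity only);
    pra_only=False models matching against any verified identity.
    Both models are assumptions for illustration, not the appliance's code."""
    if pra_only:
        return identities.get("pra") == wanted  # no pra line at all -> never matches
    return wanted in identities.values()

def audit(log_text, wanted="fail"):
    """For each MID, report whether the filter would fire under each model."""
    return {
        mid: {"pra_only": spf_status_matches(ids, wanted, True),
              "any_identity": spf_status_matches(ids, wanted, False)}
        for mid, ids in parse_spf_verdicts(log_text).items()
    }

if __name__ == "__main__":
    for mid, result in audit(SAMPLE_LOG).items():
        print(mid, result)
```

Running it against a real mail_log export shows which messages a PRA-only filter would have let through while MAILFROM or HELO had already failed, which is the discrepancy the thread is about.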