Sun Java System Messaging Server 6.3 Administration Guide

15.5 Reference Information

This section provides reference information for the SPF channel keywords and the SPF MTA options. SPF support is implemented through four channel keywords applied to the incoming tcp_* channel (typically tcp_local). The following table shows the keywords and their descriptions.

Table 15–2 SPF Keywords

| Keyword | Description |
|---|---|
| spfnone | Disables SPF processing. |
| spfhelo | Enables SPF processing for the domain name specified as an argument to HELO or EHLO. |
| spfmailfrom | Enables SPF processing for the domain name provided for the originator envelope address after receiving the MAIL FROM:. |
| spfrcptto | Enables SPF processing for the domain name provided for the originator envelope address after receiving the RCPT TO:. Processing is the same as spfmailfrom except that it is delayed in the SMTP transaction until after the RCPT TO: command has been issued and the recipient has otherwise been confirmed to be a valid recipient. |


Note –

spfmailfrom and spfrcptto are conflicting keywords and you should only specify one of these two keywords on the channel. You can, however, use spfhelo in conjunction with either spfmailfrom or spfrcptto to perform both kinds of SPF checks.


There is additional support to establish limits on SPF processing and to control whether SMTP commands will be accepted, failed with a 4xx response (temporary failure), or failed with a 5xx response (permanent failure) for the various SPF results including: Fail, SoftFail, PermError, and TempError.

The following MTA options, in option.dat, can be used to place limits on SPF processing.

Table 15–3 SPF Limiting Options

| Option | Description |
|---|---|
| SPF_MAX_RECURSION | Specifies the number of recursions that will be allowed into nested SPF records due to include: or redirect=. Exceeding this limit will result in a PermError. Default: 10 (mandated by the RFC) |
| SPF_MAX_DNS_QUERIES | Specifies the number of mechanisms or modifiers that require DNS lookups (including include:, a:, mx:, ptr:, exists:, redirect=, and exp=). Note that the limit is not counted as the number of actual DNS lookups, so one mechanism could lead to several DNS queries. Exceeding this limit will result in a PermError. Default: 10 (mandated by the RFC) |
| SPF_MAX_TIME | Specifies the number of seconds that will be allowed for the SPF processing to complete. Exceeding this value will result in a TempError. The default value is more generous than the RFC suggests. Default: 45 |

Additionally, the following MTA options in option.dat control how the SMTP server responds to SPF results of Fail, SoftFail, PermError, and TempError. For each of these results, the SMTP server can send back a 2xx (success), 4xx (temporary failure), or 5xx (permanent failure) response. Also, for Fail and SoftFail, the MTA can distinguish between a result produced by an "all" mechanism and one produced by an otherwise explicitly referenced match, so you can treat a particular result differently from the SPF record's default result.

The valid values for each of these options are 2, 4, and 5, which correspond to 2xx, 4xx, and 5xx responses from the SMTP server when that particular SPF status is returned. So, for example, if SPF_SMTP_STATUS_FAIL=2 and the SPF record explicitly blocks us with a "-a:192.168.1.44" (our IP address), then instead of responding with a 5xx response, we'll accept the address with a "250 OK".

Table 15–4 SPF Failure and Error Options

| Option | Description |
|---|---|
| SPF_SMTP_STATUS_FAIL | Used when the match of an SPF record is a "-" flagged mechanism other than "-all". Default: 5 |
| SPF_SMTP_STATUS_FAIL_ALL | Used when the matching mechanism is "-all". Default: 5 |
| SPF_SMTP_STATUS_SOFTFAIL | Used when the match of an SPF record is a "~" flagged mechanism other than "~all". Default: 2 |
| SPF_SMTP_STATUS_SOFTFAIL_ALL | Used when the matching mechanism is "~all". Default: 2 |
| SPF_SMTP_STATUS_TEMPERROR | Used when there is a temporary failure, usually related to DNS processing problems. Default: 4 |
| SPF_SMTP_STATUS_PERMERROR | Used when there is a permanent failure, usually due to syntax or other technical errors found during SPF processing. (Note that this will be due to a non-local error.) Default: 5 |
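
The following Python sketch is an added example, not code from the product or this guide. It models how the options in Tables 15–3 and 15–4 combine, so that you can review a set of option.dat overrides and see which SMTP response class each SPF result would produce. The function names, the sample settings, and the rule that results without an option are accepted are assumptions made for illustration.

```python
import re

# Defaults as listed in Tables 15-3 and 15-4 of this section.
DEFAULTS = {
    "SPF_MAX_DNS_QUERIES": 10,
    "SPF_SMTP_STATUS_FAIL": 5, "SPF_SMTP_STATUS_FAIL_ALL": 5,
    "SPF_SMTP_STATUS_SOFTFAIL": 2, "SPF_SMTP_STATUS_SOFTFAIL_ALL": 2,
    "SPF_SMTP_STATUS_TEMPERROR": 4, "SPF_SMTP_STATUS_PERMERROR": 5,
}
# Terms this section lists as counting toward SPF_MAX_DNS_QUERIES.
DNS_TERM = re.compile(
    r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)|^(redirect|exp)=", re.I)

# Constructed sample settings (not taken from a real option.dat).
SAMPLE_OPTIONS = """\
SPF_SMTP_STATUS_FAIL=2
SPF_SMTP_STATUS_SOFTFAIL_ALL=4
"""

def load_options(text):
    """Overlay NAME=value lines on the documented defaults; other lines are ignored."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        name = name.strip().upper()
        if sep and name in DEFAULTS:
            opts[name] = int(value.strip())
            if name.startswith("SPF_SMTP_STATUS_") and opts[name] not in (2, 4, 5):
                raise ValueError(f"{name} must be 2, 4 or 5")
    return opts

def count_dns_terms(record):
    """Count terms that need DNS lookups (terms, not the queries they trigger)."""
    return sum(1 for term in record.split()[1:] if DNS_TERM.match(term))

def smtp_response_class(result, matched_term, record, opts):
    """Return 2, 4 or 5: the response class for an SPF result under opts."""
    if count_dns_terms(record) > opts["SPF_MAX_DNS_QUERIES"]:
        result = "PermError"  # exceeding the limit yields PermError
    key = "SPF_SMTP_STATUS_" + result.upper()
    if result.lower() in ("fail", "softfail"):
        # "-all" / "~all" use the *_ALL option; any other match uses the plain one.
        if matched_term.lstrip("+-~?").lower() == "all":
            key += "_ALL"
    # Assumption: results with no option on the page (Pass, Neutral, None) are accepted.
    return opts.get(key, 2)
```

With the sample settings, an explicit "-a:192.168.1.44" match is accepted with a 2xx response while "-all" is still rejected with 5xx, which shows why a relaxed SPF_SMTP_STATUS_FAIL should be reviewed separately from SPF_SMTP_STATUS_FAIL_ALL.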