Not sure if others knew this, but it came as a big surprise to me. When you add an address to the safe list, it's essentially telling the Fortimail to bypass SPF checking. Yes, in retrospect I should have realized this because SPF is one of the antispam checks which are ignored for safe lists.
But this seems like a terrible idea to me because we're telling the system to skip over all antispam protection based upon the sender... and we're not checking to see if the person sending is who they say they are. Essentially, we're doing Authorization without Authentication. It seems like SPF checks should be MORE important for people in the safe list, not less.
This seems like a really big deal to me... because knowing that a company is going to mark its most common business partners as trusted, you can then confidently spoof mail from that domain without having to worry about SPF checks. I can see that we'd need a way to override the SPF check for certain business partners that just can't get the SPF thing right, but these would be the exception.
I know that we can do an SPF check at the Session level, but when it fails there it only increases the reputation score; we don't have the option to set a specific action here, so we can't count on this being effective.
It really seems like there should be a setting for an action to apply under SPF in the session profile, or the SPF check should be moved (or added) to the content section so that having a domain on the safe list doesn't remove the ability to enforce an SPF check for that domain.
Jeff Roback
Sorry to beat a dead horse, but I just ran into another problem with this... A few users had added their own address to their user safe list... yes, I know they're not supposed to do that... but they did it anyway, and now they're getting spoofed messages from themselves. It would be really nice if there was a way to block users from doing this, and/or just apply the SPF restrictions to the users on the safelist.
Jeff
Jeff Roback
Have to agree with you Jeff, this decision makes no sense.
So you want to allow someone to contact you because you want their emails to be delivered and to bypass all the filters but at the same time you want to be sure that they are legit.
Bypassing SPF/DKIM/DMARC or ARC checks because an address is added to the safe list will allow spoofed messages to be delivered.
The behavior has changed from version 7.x onwards. There is a command to enforce the SPF, DKIM, and DMARC checks even when the sender is in the safelist:
config antispam settings
safelist-bypass-sender-auth {enable | disable}
end
Enable: to bypass sender authentication mechanism (SPF/DMARC/DKIM) for safelisted senders.
When disabled, if the scan result of SPF, DKIM, or DMARC is a failure, and the sender is safelisted, the result of SPF, DKIM, and DMARC takes precedence.
Technical Tip: How to perform SPF, DKIM, and DMARC Antispam checks even if the sender is included in a safe list
https://community.fortinet.com/t5/FortiMail/Technical-Tip-How-to-perform-SPF-DKIM-and-DMARC-Antispam...
Thanks,
Nagaraj
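To make the precedence rule above concrete, here is a small added model (not FortiMail code, and not from anyone in this thread) of how a mail filter decides between a safelist hit and a failed sender-authentication result. The SPF evaluator is deliberately minimal (ip4 mechanisms plus the all default, using constructed records instead of DNS), and the bypass_sender_auth flag stands in for safelist-bypass-sender-auth enable/disable.

```python
import ipaddress

# Constructed SPF records for the example; real deployments resolve these via DNS.
SPF_RECORDS = {
    "partner.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "corp.example": "v=spf1 ip4:198.51.100.10 ~all",
}

# Results that this model treats as a sender-authentication failure.
AUTH_FAILURES = {"fail", "softfail"}


def check_spf(sender_domain, connecting_ip):
    """Minimal SPF check: ip4 mechanisms and the trailing 'all' qualifier.
    Returns 'pass', 'fail', 'softfail' or 'none' (no record published)."""
    record = SPF_RECORDS.get(sender_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:          # skip the 'v=spf1' version tag
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term == "-all":
            return "fail"
        elif term == "~all":
            return "softfail"
    return "none"                            # record ended without an 'all' term


def filter_verdict(sender, connecting_ip, safelist, bypass_sender_auth):
    """Return (action, spf_result) for one inbound message.
    safelist: addresses or domains an admin or user safelisted.
    bypass_sender_auth: True models 'safelist-bypass-sender-auth enable',
    False models 'disable' (a failed check takes precedence over the safelist).
    Actions: 'bypass'     - safelisted, all antispam skipped including SPF
             'spf-action' - apply the configured SPF failure action
             'safelist'   - safelisted and authenticated, skip remaining antispam
             'scan'       - not safelisted, continue normal antispam checks"""
    domain = sender.rsplit("@", 1)[1]
    spf = check_spf(domain, connecting_ip)
    safelisted = sender in safelist or domain in safelist
    if safelisted and bypass_sender_auth:
        return ("bypass", spf)               # the behaviour Jeff describes
    if spf in AUTH_FAILURES:
        return ("spf-action", spf)           # failure wins, even for safelisted senders
    if safelisted:
        return ("safelist", spf)
    return ("scan", spf)
```

The self-spoof case from the thread is a user who safelisted their own address: with the bypass enabled a message from an unauthorized IP is delivered, with it disabled the SPF action applies.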