I searched this forum for DHAP related issues, but can't seem to find an answer to my question. We have a C100 and have DHAP enabled. The typical setting for a mail policy is about 10 invalid recipients, and a 5xx "Too many recipients for this hour" is returned.
For the past week, we've been getting so much invalid from recipeints from google.com, rr.com, and yahoo.com (domains that typically don't do this to us) that we've gone up to over 50% of our daily volume is invalid recipient. Typically this is somewhere around 2% to 7% on a daily basis.
My main concern is how does this affect the performance of the ironport? So far, the cpu usage/queue is looks ok. After the DHAP threshold is met, does the c100 silently drop the connection or does it always send the 5xx response?
I understand that the DHAP counter gets resets at the beginning of every hour. Does this mean that once google.com reaches the DHAP threshold that the entire domain is denied until the next hour when the counter resets or is the DHAP counter set specifically for servers and only the servers get denied?
I've read in some posts to change the 5xx response to 4xx - how does this affect the ironport and the mail servers who got blocked for the hour? Does this mean that the servers will simply keep trying over and over again later? How does this make the situation better?
Hi, This really depends on what version you are on, Version 5.5 doesn't drop rcpts based on the attackers IP address anymore. What version are you running? Plus changing the 4xx code within the listener settings for the accept query is really on stating what to do if the LDAP server is unreachable. What traditionaly happens is once the 10 invalid rcpts is reached the rest are silently dropped so that no notifications are sent apart from alerts to yourself. Also in 5.5 both RAT rejects and LDAP accept rejects count towards the invalid rcpts number.
More information is available on the KB, search for asnwer id: 514
Thank you for your answers. We have c100 version 4.7.1. So after the threshold is reached, the rest is silently dropped until the counter resets. So, I assume this includes dropping valid emails from the offending server.
Hi There, Absolutely correct, anything that goes over the DHAP limit within that hour will be silently dropped. I would suggest upgrading to the latest version as you are missing out on a great lot of functionality being on 4.7. Not just the enhanced LDAP features but also bounce verification, DKIM and also Encryption. Plus the reporting is a load better too :)
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...