Re: DHAP

araudevain · ‎01-14-2011

HI,

I've got some questions about DHAP.

My question is that I see in the Mail_Logs that some SMTP servers are blocked because of the dhap_limit (which is 50) for the sender group it is in but when I look in Monitor > Incoming Mail for this spécific address, I see only 23 messages stopped as invalid Recipients.

I don't know how to explain why the Ironport refuses connections from that host where as it shows in the GUI only 23 messages stopped as invalid Recipients

Thanks

Arnaud

Christopher Smith · ‎01-29-2011

Greetings,

If the configuration settings for the effected listener have been verified then the first thing I would recommend in this case is to consult the mail logs for the time period in question. See if the entires here add up to the expected value first.

You will find entries describing the DHAP event in the mail_logs.

Here is an example of an entry in the mail_logs when "DHAP" occurs.

Tue Oct 18 00:25:35 2005 Warning: LDAP: Dropping connection due to
potential Directory Harvest Attack from host=(192.168.10.1', None),
dhap_limit=4, sender_group=SUSPECTLIST

Please note that we do look for /24 netmask by default

You can use this query on the CLI: grep "dhap_limit= " mail_logs

In a previous release, DHAP counters were based solely on the rejections detected during LDAP acceptance queries. Now, the DHAP counters include both RAT rejections and LDAP acceptance query rejections. DHAP settings are now configured in the Mail Flow Policy rather than in the Listener settings.

There can be several reasons why there is a discrepancy. See if the details in the logs add up first. If they do, then check the data in monitor again, are there any other discrepancies for other data?

Christopher C Smith

CSE

Cisco IronPort Customer Support

araudevain · ‎01-31-2011

Christopher,

Thanks for your answer, I didn't know that the RAT rejections were included in the DHAP couters. So that could explain my problem.

Arnaud