Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1055
Views
0
Helpful
1
Replies

Sender Groups & MailFlow policies - IP Segment based ?? or not .. on ESA

rolelael
Level 1
Level 1

‎01-18-2019 12:24 AM - edited ‎01-18-2019 01:58 AM

Cisco ESA AsyncOS 11.1.0-128

 

Hello

 

Recently we bumped into an issue ..

 

We have a sender group called applicationservers, were we have IP segments in it  ( from internal datacenter segments ), example 10.64.0.0/24 etc ….

 

This sender group is assigned a mail flow policy ACCEPTED with limites set like max recip. / hour 10.000 and max connections 10 etc

 

We found that it looks like the counter is increased for the complete segment listed in the sender group and not on the IP from which an application server is sending

 

Example 2 servers : 

a) 10.64.10.10 sends 12000 recipients in 1 hour , gets rate limited at 10.000 = ok

b) 10.64.10.11 send 1200 recipients in the same hour ,gets also rate limited due to the segment limit

 

We never saw this issue..... and maybe we overlooked it when setting up our esa's….

 

Can someone confirm this behaviour ? Is this normal ? So counts on segment based an not individual ip's in the same segment

 

Tx

Labels:
0 Helpful
1 Reply 1

Libin Varghese
Cisco Employee
Cisco Employee

‎01-23-2019 02:17 AM

This would be the current design, yes.

 

This was changed based on requests around Async OS 8 since limits being applied to individual IP's was resulting in the ESA accepting a lot more emails than it should, so the limit is now applied to the complete subnet.

 

A defect was filed to confirm this and was assessed and confirmed to be how the current working would continue to be.

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuv17771/?reffering_site=dumpcr

 

Regards,

Libin

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents