Table of Contents
Recipient accounting model
The ESG accounting system is based on active recipient (or sender) addresses, which includes all
email address that have successfully received (or sent) a scanned email. Extra automatic measures
have been put in place to avoid paying for invalid email addresses.
The list of active recipients is created by searching for messages that have been successfully
delivered from or to a configured relayed in "Admin > Mail Transport > Relay". This means that
bounced deliveries or rejected emails are not accounted for.
Once a recipient is accounted for, it will remain accounted for until it naturally expires after 30
days of inactivity or is invalidated due to configuration control. For instance, if a configured
relay use a "valid recipient list" to verify currently enabled email addresses, a license will automatically
expire when its address is removed from the list.
The accounting process occurs every night but can be re-computed at will from the web UI.
Mailbox accounting model
Depending on your commercial agreement with Libraesva, your licensing may be mailbox based.
The mailbox accounting model uses the same rule as recipient accounting to identify actively used
recipient addresses. Once recipients have been collected, the system determines the active mailboxes
by using the information available in ESG user manager (found under "Admin > Authentication >
User Management > User"). The active mailbox appears in the list as "type = mailbox" with
the user's primary address listed as the accounted address.
Mailbox accounting typically results in a lower license count as distribution lists and user
secondary emails are immediately excluded from the computation. However, there may be exceptions
to this rule, such as when a user receives email only through distribution lists. In this case, the
user is considered active, even if their primary address is never used.
Starting with ESG 5.2, there is a new type of user called a "Functional User" that is not accounted
for in mailbox licensing. These users can only be created automatically by the importer from
Microsoft 365, Google Workspace, or LDAP and represent Shared Mailboxes or Groups that are not
bound to any users. Functional users cannot log into ESG and have limited quarantine capabilities,
just like the account in external environments.
NOTE: mailbox accounting is very precise in identifying active users, but requires administrators
to properly manage users and integration layers. Please refer to the following paragraphs for
Licensing knowledge base
What are license types listed on license usage?
When accessing "Admin > Appliance > Licensing > License Usage," you may notice a "type" column
in addition to the accounted license.
A license of type Recipient identifies a simple active recipient that is accounted for and is
not bound to any user stored on ESG. Since this is an active recipient, it is accounted for in
all licensing models.
A license of type Mailbox identifies an accounted active mailbox, and the email shown is
the primary (and unique) address of the user. If your license model is simply recipient-based, this is
exactly the same as a recipient license for a user's primary address. For mailbox accounting, this
refers to an active user who has received at least one email to their inbox; to find details about
which email they received, open the detailed view to see user information and quickly search the
mail logs for hints.
A license of type Free identifies an accounted active mailbox or recipient address that has been
discounted by Libraesva ESG, either manually from Accounting support or remotely using code automation.
These are not accounted for in final costs but are listed for transparency.
How can I configure email aliases as in ESG before 5.2
Starting with Libraesva ESG 5.2, users have a primary and globally unique address that is used
for domain attribution and license accounting. The concept of email aliases is no longer used. Instead,
users may have one or more secondary addresses for the same mailbox.
The old email alias concept is similar to the new secondary email address system. However, the previous
implementation had a long list of heuristics to discriminate an address from an alias, that were
imprecise and not clearly visible from the user interface.
Our testing of the new licensing system has shown that it can identify mailboxes much better thanks
to the user integration layer, configured by the administrators. This has resulted in lower average
A note on Microsoft Shared Mailboxes on hybrid configuration
The Microsoft 365 integration layer has the capability to differentiate between real users and shared
mailboxes by analyzing the licenses assigned to external users. Users without licenses are imported
as "Functional users" in Libraesva ESG, ensuring that both software have the same licensing.
However, the hybrid configuration can be more complicated due to the limited API provided
by Microsoft. Even actual mailboxes may not have assigned licenses. To address this limitation,
for synchronized hybrid users without licenses, we utilize the
accountEnabled user property
to distinguish between "Users" and "Functional Users".
As a result, there may be slight differences in accounting between ESG licensing and Microsoft
Exchange licensing. To minimize this disparity, it is recommended that Hybrid Shared Mailboxes
be configured with
accountEnabled = $FALSE.
accountEnabled = $FALSE) is considered a security issue. Therefore, blocking sign-in for all your Shared Mailbox is the best configuration for both Microsoft 365 account security and for Libraesva ESG licensing.
Maintenance of users when using an external integration
Mailbox accounting is much more precise when used in conjunction with external user imports, such
as Microsoft 365, Google Workspace, and LDAP. However, these importers do not automatically
remove mailboxes or valid recipients for security and stability reasons. Therefore, periodic
maintenance is crucial, especially a few days before your next licensing cycle.
To make maintenance easier, here are a few helpful tips:
- Ensure that all relays listed under "Admin > Mail Transport > Relays > Relays" are using
the "Valid Recipient List" as the recipient verification method. Other methods may incur higher
costs if an invalid address is mistakenly accepted by your server.
- Access "Admin > Mail Transport > Valid Recipients > Cleanup Old Import" and delete any email
addresses that are no longer updated by your configured external sets. If you manually import,
ensure you execute all imports at least once before proceeding.
- Access "Admin > Authentication > User Management > Cleanup Old Import" and remove any users
that are no longer updated by your configured external sets. If you manually import, ensure
you execute all imports at least once before proceeding.
- Starting with ESG 5.2, the LDAP integration layers now support Group management, which allows
for the assignment of group emails as a user's secondary address. Ensure your old configuration
is updated accordingly.
- If you come across any licenses that you do not recognize, access the detailed view for that
license and click on recipient addresses to swiftly search for the accounted email. If you
find any email that you do not want to receive or scan, take the appropriate action on the Web UI.
This may include disabling a user's secondary email or updating your LDAP configuration.
If you have any additional queries or concerns, please contact our Customer Support for further
assistance and information.