Barracuda Spam Firewall with Microsoft Exchange


Last week I took a first look at the Barracuda Spam Firewall and went through the quick-start setup. Within an hour, I had the basic configuration covered and had tested it by temporarily rerouting some live traffic to the Barracuda box. It seemed to work well, but before putting it into production, there were a few of the more advanced options that I wanted to configure.

Single Sign-on

Available on the Model 400 and upwards, single sign-on allows the Barracuda to hook into LDAP (including Active Directory), RADIUS, or POP3 services to authorise users logging in to manage their spam. This makes life easier for both the users and your administrators, as authentication is against a single source.

Configuring single sign-on is relatively easy. First of all, set the 'Login Realm Selector' to 'Enabled' and enter a realm name for local logons; I used the default of Barracuda as I couldn't think of anything better to call it. To have the Barracuda authenticate against Active Directory, use the following settings, substituting the realm name and auth host with those relevant to your domain:

Realm Name: MYDOMAIN

Auth. Type: LDAP

Auth. Host: exchange.mydomain.local

Auth. Port: 389

Username Template: __USERNAME__@mydomain.local

Auth. Default: Yes

Assuming the quarantine type is set to per-user, the Barracuda's login page should now show your domain as the default logon realm and allow access using domain credentials.

MS Exchange Accelerator

The second advanced feature I want to make use of is the MS Exchange Accelerator; this hooks into Active Directory and checks the validity of a recipient address before accepting the e-mail. This is needed because Exchange accepts messages for all recipients, regardless of whether or not they actually exist. Why would it do that? The idea is that if mail were rejected for non-existent addresses, dictionary spammers could probe the mail server and build an inventory of valid e-mail addresses. The problem is that transporting and processing all of the mail destined for non-existent users puts a massive strain on servers and has a negative impact on services. So long as spam filtering is working properly, it doesn't really matter whether or not dictionary attackers could reverse-engineer a list of your users' e-mail addresses; in reality, most users have signed up for newsletters and all sorts of other things, which has most likely seen their address passed around spamming circles already.

Setup is again relatively straightforward:

LDAP Server: dc1.mydomain.local dc2.mydomain.local

LDAP Port: 389

Exchange Accelerator/LDAP Verification: Yes

Unify Email Aliases: Yes (uses a single account for all aliases a user may have)

SSL/TLS Mode: StartTLS

Require SSL/TLS: No

Bind DN: rouser (user that has read access to all user information in AD)

Bind Password: password123

LDAP Filter: (|(othermailbox=smtp$${recipient_email})(othermailbox=smtp:${recipient_email})(proxyaddresses=smtp$${recipient_email})(proxyaddresses=smtp:${recipient_email})(mail=${recipient_email})(userPrincipalName=${recipient_email}))

LDAP Search Base: ${defaultNamingContext}

LDAP UID: sAMAccountName

LDAP Primary Email Attribute: mail

Canary Email: canary@mydomain.com

Valid Email (for testing): myaddress@mydomain.com

Clicking on the Test LDAP button will pop up a small window in which you will see something like:

Found address myaddress@mydomain.com in 1.24 seconds.

Uniquely identifying attribute 'sAMAccountName' has value of my.user.

Primary e-mail alias attribute 'mail' has value of my.address@mydomain.com.
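As an added example (not part of the article or of Barracuda's software), the following Python renders the LDAP filter configured above for a single recipient address, escaping the substituted value per RFC 4515, and evaluates the resulting OR-filter offline against a constructed directory entry modelled on the Test LDAP output. The escaping routine, the simple matcher and the directory contents are assumptions for illustration; how the appliance itself performs the substitution is not documented on this page.

```python
import re

# The Exchange Accelerator filter exactly as configured in the article;
# only the ${recipient_email} token is substituted at query time.
FILTER_TEMPLATE = (
    "(|(othermailbox=smtp$${recipient_email})(othermailbox=smtp:${recipient_email})"
    "(proxyaddresses=smtp$${recipient_email})(proxyaddresses=smtp:${recipient_email})"
    "(mail=${recipient_email})(userPrincipalName=${recipient_email}))"
)

def escape_filter_value(value):
    """Escape filter metacharacters as \\XX hex pairs (RFC 4515 section 3),
    so a recipient containing '*', '(' or ')' is matched literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def unescape_filter_value(value):
    """Inverse of escape_filter_value, used when comparing values literally."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def render_filter(recipient):
    """Build the filter the appliance would send for one RCPT TO address."""
    return FILTER_TEMPLATE.replace("${recipient_email}", escape_filter_value(recipient))

def recipient_exists(recipient, directory):
    """Evaluate the rendered OR-filter against constructed AD-like entries.
    Attribute names and address values compare case-insensitively, as in AD."""
    clauses = re.findall(r"\((\w+)=([^()]*)\)", render_filter(recipient))
    for entry in directory:
        attrs = {k.lower(): v if isinstance(v, list) else [v] for k, v in entry.items()}
        for attr, wanted in clauses:
            wanted = unescape_filter_value(wanted).lower()
            if any(v.lower() == wanted for v in attrs.get(attr.lower(), [])):
                return True
    return False

# Constructed directory entry (assumption) mirroring the Test LDAP output above.
DIRECTORY = [
    {
        "sAMAccountName": "my.user",
        "mail": "my.address@mydomain.com",
        "proxyAddresses": ["SMTP:my.address@mydomain.com", "smtp:myaddress@mydomain.com"],
        "userPrincipalName": "my.user@mydomain.local",
    }
]

if __name__ == "__main__":
    for rcpt in ("myaddress@mydomain.com", "doesntexist@mydomain.com", "*@mydomain.com"):
        verdict = "250 OK" if recipient_exists(rcpt, DIRECTORY) else "550 No such user"
        print(rcpt, "->", verdict)
```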

A neat way to test this is to open up a command window and type:

C:> telnet smtp.mydomain.com 25
220 barracuda.mydomain.com ESMTP
# HELO mydomain.com
250 barracuda.mydomain.com Hello host82-164-212-144.range82-164.btcentralplus.com [82.164.212.144], pleased to meet you
# MAIL FROM: joe.bloggs@aol.com
250 OK
# RCPT TO: doesntexist@mydomain.com
550 No such user (doesnotexist@mydomain.com)
# QUIT
221 Bye

You can see that e-mail to non-existent addresses is being rejected.

With these last few features configured, tested, and a valid SSL certificate installed, I'm confident that I can put the Barracuda Spam Firewall into production without any serious issues springing up. Once users have been trained to use the quarantine site and Outlook plug-in, I'll expect the amount of time required for dealing with spam and managing spam-related issues to significantly decrease.

I noticed quite a bit of positive feedback on the Barracuda Spam Firewall last week. If you've been using a Barracuda I'd appreciate your tips on acclimatising users to the quarantine system and your opinion on the Outlook plug-in.

8 comments
krolrules

400 and up you say? Odd, because I have the 300 model, and I'm using LDAP too. Also, I am using it through ISA server 2004 in a DMZ. Check out my article on www.isaserver.org.

scottdm

We have been using a Barracuda with GroupWise (GWhiz was not very effective). After the first month or so of finding the right level between blocking and quarantine, I only tweak the settings about once a month. I have almost no complaints from users who were getting 30-40 spam emails per day to almost nothing. I had to call tech support once and they were able to resolve the issue quickly, although I did need to restore from a backup I did of the settings. I think that that is the only time in the last 18 months that the box has ever been turned off for more than a reboot after a firmware update.

grouper

I have a Barracuda Spam Firewall 300 (wish I had known this bastard didn't do single sign-on before I bought it) and a Web Filter 410. My spam filter is tuned so well, my users don't even want a quarantine. Every few months I may have to tweak it, but at the moment I'm not even performing any Bayesian filtering. I polled my users and they by and large don't want the quarantines. I check the logs daily to see what it's rejecting and accepting and it's doing a great job. I have about 120 users we're filtering for, with Exchange 2007.

ebouza

I also am using a Barracuda 300 and it's using LDAP with Exchange 2003. It has worked great so far.

Dumphrey

Until it was choked by volume (it was only a model 200). What level of traffic are you receiving on a given day? More or less than 250,000?

Justin Fielding

Would you mind sharing some of your settings (tag/block levels etc.)? I would like to eliminate quarantine as it's an additional complication for users, but right now I'm going to leave it enabled as quite a mixture of genuine/spam mails are being caught.

grouper

We're getting nowhere near 250,000 messages a day. I just looked at the console and we get around 3000 messages per day, although on 2/10/2008 we got around 10,000 messages. Most of which were spam of course. We're using the spam firewall 300 btw.

grouper

My previous company was tougher to filter for because it was a non-profit and our business was related to STD and drug research, so that was tricky. I'm not at school so it's been a little easier. Here are some of the settings:

1) I'm using the Barracuda block lists.

2) I turned off the 2 common RBLs preloaded because they've been replaced. These are the RBLs I'm using. It's very important to keep this list up to date because 1 bad RBL list can cause lots of trouble with incoming emails:

bl.spamcop.net
cbl.abuseat.org
combined.rbl.msrbl.net
dnsbl.njabl.org
dnsbl.sorbs.net
dsn.rfc-ignorant.org
dun.dnsrbl.net
list.dsbl.org
zen.spamhaus.org

Everything else is pretty much set to the defaults. Let me know if you need anything else.