Barracuda Spam Firewall with Microsoft Exchange

Last week I took a first look at the Barracuda Spam Firewall and went through the quick-start setup. Within an hour, I had the basic configuration covered and had tested it by temporarily rerouting some live traffic to the Barracuda box. It seemed to work well, but before putting it into production, there were a few of the more advanced options that I wanted to configure.

Single Sign-on

Available on the Model 400 and upwards, single sign-on allows the Barracuda to hook in to LDAP (including Active Directory), RADIUS, or POP3 services to authenticate users logging in to manage their spam. This makes life easier for both the users and your administrators, as authentication is against a single source.

Configuring single sign-on is relatively easy. First of all, set the 'Login Realm Selector' to 'Enabled' and enter a realm name for local logons; I used the default of Barracuda as I couldn't think of anything better to call it. To have the Barracuda authenticate against Active Directory, use the following settings, substituting the realm name and auth host with those relevant to your domain:

Realm Name: MYDOMAIN

Auth. Type: LDAP

Auth. Host: exchange.mydomain.local

Auth. Port: 389

Username Template: __USERNAME__@mydomain.local

Auth. Default: Yes

Assuming the quarantine type is set to per-user, the Barracuda's login page should now show your domain as the default logon realm and allow access using domain credentials.

MS Exchange Accelerator

The second advanced feature I want to make use of is the MS Exchange accelerator; this hooks in to Active Directory and checks the validity of an address before accepting the e-mail. This is required because Exchange accepts messages for all recipients regardless of whether or not they actually exist. Why would it do that? The idea is that if mail were rejected for non-existent addresses, then dictionary spammers could probe mail servers and produce an inventory of valid e-mail addresses. The problem is that transporting and processing all of that mail destined for non-existent users puts a massive strain on servers and has a negative impact on services. So long as spam filtering is working properly, it doesn't really matter whether or not dictionary attackers could reverse engineer a list of your users' e-mail addresses; in reality, most of the users have signed up for newsletters and all sorts of other things, which has most likely seen their address passed around spamming circles.

Setup is again relatively straightforward:

LDAP Server: dc1.mydomain.local dc2.mydomain.local

LDAP Port: 389

Exchange Accelerator/LDAP Verification: Yes

Unify Email Aliases: Yes (uses a single account for all aliases a user may have)

SSL/TLS Mode: StartTLS

Require SSL/TLS: No

Bind DN: rouser (user that has read access to all user information in AD)

Bind Password: password123

LDAP Filter: (|(othermailbox=smtp$${recipient_email})(othermailbox=smtp:${recipient_email})(proxyaddresses=smtp$${recipient_email})(proxyaddresses=smtp:${recipient_email})(mail=${recipient_email})(userPrincipalName=${recipient_email}))

LDAP Search Base: ${defaultNamingContext}

LDAP UID: sAMAccountName

LDAP Primary Email Attribute: mail

Canary Email:

Valid Email (for testing):

Clicking on the Test LDAP button will pop up a small window and you will see something like:

Found address in 1.24 seconds.

Uniquely identifying attribute 'sAMAccountName' has value of my.user.

Primary e-mail alias attribute 'mail' has value of

A neat way to test this is to open up a command window and type:

C:> telnet 25
250 Hello [], pleased to meet you
250 OK
550 No such user (
221 Bye

You can see that e-mail to non-existent addresses is being rejected.
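The LDAP filter configured above decides which recipients count as valid, so it helps to see how it expands for one address. The following Python sketch is an added example, not from the original post or Barracuda's own code: it substitutes a recipient into the filter template and evaluates it against a constructed two-user directory. The RFC 4515 escaping step, the helper names, and the sample entries are assumptions made for illustration.

```python
import re

# Filter template copied from the LDAP Filter setting above.
TEMPLATE = ("(|(othermailbox=smtp$${recipient_email})(othermailbox=smtp:${recipient_email})"
            "(proxyaddresses=smtp$${recipient_email})(proxyaddresses=smtp:${recipient_email})"
            "(mail=${recipient_email})(userPrincipalName=${recipient_email}))")

# Constructed sample entries (attribute names lower-cased), not real directory data.
DIRECTORY = [
    {"samaccountname": ["my.user"], "mail": ["my.user@mydomain.local"],
     "proxyaddresses": ["SMTP:my.user@mydomain.local", "smtp:muser@mydomain.local"],
     "userprincipalname": ["my.user@mydomain.local"]},
    {"samaccountname": ["other"], "mail": ["other@mydomain.local"],
     "proxyaddresses": ["SMTP:other@mydomain.local"]},
]

def ldap_escape(value):
    """Escape RFC 4515 special characters so the address is matched literally.
    Assumption: a verifier should do this before substituting untrusted input."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(recipient):
    """Expand the template for one envelope recipient."""
    return TEMPLATE.replace("${recipient_email}", ldap_escape(recipient))

def matches(entry, flt):
    """Evaluate the OR of equality terms against one entry.
    Comparison is case-insensitive and checks every value of multi-valued attributes."""
    for attr, raw in re.findall(r"\((\w+)=([^()]*)\)", flt):
        want = re.sub(r"\\([0-9a-f]{2})",
                      lambda m: chr(int(m.group(1), 16)), raw).lower()
        if any(v.lower() == want for v in entry.get(attr.lower(), [])):
            return True
    return False

def lookup(recipient, directory=DIRECTORY):
    """Return the sAMAccountName of every entry the filter accepts."""
    flt = build_filter(recipient)
    return [e["samaccountname"][0] for e in directory if matches(e, flt)]

if __name__ == "__main__":
    for rcpt in ("muser@mydomain.local", "nobody@mydomain.local", "*"):
        print(rcpt, "->", lookup(rcpt) or "no such user")
```

The secondary alias resolves to the same account as the primary address, which is what the 'Unify Email Aliases' option relies on, while a recipient consisting of a wildcard is matched literally and finds nothing.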

With these last few features configured, tested, and a valid SSL certificate installed, I'm confident that I can put the Barracuda Spam Firewall into production without any serious issues springing up. Once users have been trained to use the quarantine site and Outlook plug-in, I expect the amount of time required for dealing with spam and managing spam-related issues to decrease significantly.

I noticed quite a bit of positive feedback on the Barracuda Spam Firewall last week. If you've been using a Barracuda, I'd appreciate your tips on acclimatising users to the quarantine system and your opinion on the Outlook plug-in.