-
8/17/2019 Advanced+Configuration
1/9
Barracuda Spam Firewall
Advanced Configuration
In this Section
Sender Authentication
Recipient Verification
Remote IMAP/POP Accounts
Advanced Networking
Non-Delivery Reports
Remote Administration
https://techlib.barracuda.com/IwA7 1 / 9
https://techlib.barracuda.com/display/BSFV51/Sender%20Authenticationhttps://techlib.barracuda.com/display/BSFV51/Recipient%20Verificationhttps://techlib.barracuda.com/display/BSFV51/3866654https://techlib.barracuda.com/display/BSFV51/Advanced%20Networkinghttps://techlib.barracuda.com/display/BSFV51/Non-Delivery%20Reportshttps://techlib.barracuda.com/display/BSFV51/Remote%20Administrationhttps://techlib.barracuda.com/display/BSFV51/Remote%20Administrationhttps://techlib.barracuda.com/display/BSFV51/Non-Delivery%20Reportshttps://techlib.barracuda.com/display/BSFV51/Advanced%20Networkinghttps://techlib.barracuda.com/display/BSFV51/3866654https://techlib.barracuda.com/display/BSFV51/Recipient%20Verificationhttps://techlib.barracuda.com/display/BSFV51/Sender%20Authentication
-
8/17/2019 Advanced+Configuration
2/9
Sender Authentication This is a key feature of the
Barracuda Spam Firewall for protecting your network and users from
spammers who might
"spoof" a domain or otherwise hide the identity of the true
sender. The following techniques are used to verify the "from"
address of a message.
Mail Protocol (SMTP) Checking
The Barracuda Spam Firewall can perform thorough checks on
incoming email for RFC 821 compliance, require mail clients
to introduce themselves with an SMTP "HELO" or "EHLO" command
before stating a sender, and otherwise manage SMTP
protocol to block spammers. See the ADVANCED > Email
Protocol page for these and other optional SMTP settings.
Sender Spoof Protection
The Barracuda Spam Firewall has the option to prevent
"spoofing" of an organization’s own domain by blocking emails
with
that domain name in the "From" field that are sent from outside
the organization. Note that sender spoof protection should
not be enabled if the organization sends messages from outside
their internal email infrastructure (e.g., in the case of
marketing bulk-mail services).
The Sender Spoof Protection feature can be configured at
the global level from the ADVANCED > Email
Protocol page
or at the per-domain level on the DOMAINS > Manage Domain
> ADVANCED > Email Protocol page. At the domain
level, however, this feature is labeled as Reject messages from
my domain.
Note that if the administrator enables Sender Spoof
Protection at the global level it will supersede any whitelist
entry
created at the per-user level by a User ,
Helpdesk or Domain Admin account
holder.
Invalid Bounce Suppression
The Invalid Bounce Suppression feature is used to
determine whether or not the bounce address specified in a
message
is valid. It is designed to reduce the number of bounce messages
to forged return addresses; i.e., you don’t want to get
bounced messages from spammers who spoof your domain or email
address. Every email sent from the Barracuda Spam
Firewall is tagged with an encrypted password and expiration
time. With Invalid Bounce Suppression enabled, any
bounced email received by the Barracuda Spam Firewall that does
not include that tag is blocked. Each blocked message is
recorded in the Message Log with the reason "Invalid Bounce"
To use the Invalid Bounce Suppression feature, the
Barracuda Spam Firewall must have Outbound Relay configured on
the BASIC > Outbound page. For more details about
Outbound Relay, refer to How to Route Outbound Mail From the
Barracuda Spam Firewall.
Configure Invalid Bounce Suppression on the BLOCK/ACCEPT >
Sender Authentication page and enter a Bounce
Suppression Shared Secret as a non-null password which will
be included in the headers of valid emails sent from and
bounced back to the Barracuda Spam Firewall. Email bounces that
don’t include the password will be blocked if this feature
is enabled. In a clustered environment, the Bounce Suppression
Shared Secret will be synchronized across all Barracuda
Spam Firewalls in the cluster.
https://techlib.barracuda.com/IwA7 2 / 9
http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/
-
8/17/2019 Advanced+Configuration
3/9
Sender Policy Framework (SPF)
Sender Policy Framework (SPF) is an open standard specifying a
method to prevent sender address forgery. The current
version of SPF protects the envelope sender address, which is
used for the delivery of messages. SPF works by having
domains publish reverse MX records to display which machines (IP
addresses) are designated as valid mail sending
machines for that domain. When receiving a message from a
domain, the recipient can check those records to make sure
mail is coming from a designated sending machine. If the message
fails the SFP check, it may be spam. Enabling this feature
does create more performance overhead for the system due to the
multiple DNS queries needed to retrieve a domain's SPF
record; for this reason, the default setting for the Enable
SPF feature on the BLOCK/ACCEPT > Sender Authentication
page is No (off). For more information on SPF, please visit
http://www.openspf.org.
Messages that fail SPF check can be tagged or blocked and will
be logged as such. Messages that pass SPF checks will still
be scanned for spam. The recommended setting is to Tag
messages identified by SPF as spam so that if there is
any possibility that a message is legitimate, it will be allowed
to go on to the next stage of processing.
Exemptions from SPF Checking - Trusted Forwarders
You may specify a list of Trusted Forwarder IP addresses,
on the BASIC > IP Configuration page, which will be
ignored
when performing SPF checks, as well as rate control and IP
Reputation checks. Trusted Forwarders are mail servers that are
set up specifically to forward email to the Barracuda Spam
Firewall from outside sources. The Barracuda Spam Firewall
scans
the IP addresses in the Received From headers list of each
email and performs an SPF check on the first IP address that is
not in the list of Trusted Forwarders.
Domain Keys (DKIM) Inspection
DomainKeys is a method of email authentication that enables a
sending domain to cryptographically sign outgoingmessages, allowing
the sending domain to assert responsibility for a message. When
receiving a message from a domain,
the Barracuda Spam Firewall can check the signature of the
message to verify that the message is, indeed, from the sending
domain and that the message has not been tampered with. Because
most spam messages contain spoofed addresses,
DomainKeys can help greatly in the reduction of spam.
DomainKeys uses a public and private key-pairs system. An
encrypted public key is published to the sending server's DNS
records and then each outgoing message is signed by the server
using the corresponding encrypted private key. For
incoming messages, when the Barracuda Spam Firewall sees that a
message has been signed, it will retrieve the public key
from the sending server's DNS records and then compare that key
with the message's DomainKeys signature to determine
its validity. If the incoming message cannot be verified, the
Barracuda Spam Firewall knows it contains a spoofed address or
has been tampered with or changed.
The benefits of enabling this feature include:
Email sender is validated
Email body is validated
Validation through DNS is difficult to foil
DomainKeys works well with email forwarding because it doesn’t
deal with the relay server IP address
You can choose to tag, block or quarantine both DKIM
signed messages that fail the DKIM database check as well as
unsigned messages, depending on how you configure DomainKeys
Inspection on the BLOCK/ACCEPT > Sender
Authentication page. You can also exempt domains from being
tagged, quarantined or blocked if they fail this check. As
stated elsewhere in this guide, it is safest to NOT exempt
domain names from any kind of spam filtering due to the
possibility of domain name spoofing by spammers.
DomainKeys inspection does require more CPU resources to encrypt
& decrypt the key and is turned off by default.Messages that
pass DKIM checks will still be scanned for spam.
https://techlib.barracuda.com/IwA7 3 / 9
http://www.openspf.org/http://www.openspf.org/
-
8/17/2019 Advanced+Configuration
4/9
Custom policies
Organizations can define their own allowed sender domains or
email addresses for sender authentication using the
BLOCK/ACCEPT > Sender Filters page, but the safest way
to indicate valid senders on the Barracuda Spam Firewall is to
whitelist (allow) the IP addresses of trusted email servers on
the BLOCK/ACCEPT > IP Filters page, then blocklist
(block,
quarantine or tag) their domain names on the BLOCK/ACCEPT >
Sender Filters page to prevent domain name spoofing.
https://techlib.barracuda.com/IwA7 4 / 9
-
8/17/2019 Advanced+Configuration
5/9
Recipient Verification
LDAP Lookup
On the Barracuda Spam Firewall 300 and higher, email recipients
can be validated with your existing LDAP server.
Configuration of LDAP lookup is done at the domain level. From
the DOMAINS > Domain Manager page, after clicking
Manage Domain for the selected domain, you’ll configure
LDAP on the USERS > LDAP Configuration page. click the
Help button on that page for details about entering your server
details. If LDAP is not configured, the Barracuda Spam
Firewall will do SMTP recipient verification through RCPT TO
commands.
LDAP server types supported include Active Directory, Novell
eDirectory, Domino Directory and OpenLDAP.
Explicit Users to Accept For (Valid Recipients)
If LDAP lookup is not being used for recipient verification, the
Barracuda Spam Firewall provides a local database with which
email recipients can be compared for validation. Valid
Recipients (Explicitly Accepted Users) can be specified either
at
the global level from the ADVANCED > Explicit Users page
or at the per-domain level from the DOMAINS > Domain
Manager > USERS > Valid Recipients page. Note that
the number of entries in the text box for Explicitly Accepted
Users and Alias Linking is limited by model: on the
Barracuda Spam Firewall 600 and lower, the maximum is 1000 per
domain, and on the Barracuda Spam Firewall 800 and above, the
limit is 5000 per domain.
To administer the local database, either at the global or
domain level, fill in the text box in the Explicit Users to
Accept
For section of the page, entering each email address for
which the Barracuda Spam Firewall should accept email. If you
select Yes for the Only accept email for these
recipients feature, email will REJECTED for any email
recipients not in the
list. Note that domain-specific lists override the global
list.
Alias Linking
Alias linking allows quarantined email from multiple accounts to
be directed to one account when using per-user quarantine.
In the ADVANCED > Explicit Users page you can specify
the email addresses to be linked together in the Explicit Users
to Accept For and Alias Linking text box. click the Help
button on that page for more details.The quarantine account for
all of the linked email addresses will be associated with the
first email address. Make sure to also enter the first email
address on a separate line as well. In this way, a "catchall"
account can be created to receive all quarantined emails from a
particular domain.
https://techlib.barracuda.com/IwA7 5 / 9
-
8/17/2019 Advanced+Configuration
6/9
Remote IMAP/POP Accounts The Barracuda Spam Firewall
provides an email-retrieval and forwarding utility which fetches
email from remote mail servers
and forwards it to your local machine's delivery system. You can
repeatedly poll each account at a specified interval. This
utility can gather mail from servers supporting POP3 and IMAP
and is configured from the ADVANCED > Remote
IMAP/POP page.
Note that all email will be DELETED from the remote mail server
after retrieval by the Barracuda Spam Firewall.
There are two types of operations for each account from
which the Remote Accounts utility retrieves mail:
Global and
User . With the User type, it is assumed that
all messages in the user's account are intended for a single
recipient. The Global
type is used when multiple recipients under the same domain are
specified for a particular server account.
From the ADVANCED > Remote IMAP/POP page you can
specify polling interval, SSL (yes/no), user account passwords
and email addresses.
https://techlib.barracuda.com/IwA7 6 / 9
-
8/17/2019 Advanced+Configuration
7/9
Advanced Networking
Port Forwarding
If your organization has a single public IP address, when you
install the Barracuda Spam Firewall between the Internet and
your mail server, you can forward incoming SMTP traffic (port
25) from port 80 on the Barracuda to your mail server using
the Port Forwarding feature from the ADVANCED > Advanced
Networking page.
Configuring the Network Interfaces
With the Barracuda Spam Firewall 600 and higher, you can
configure each of the two Ethernet (NICS) interfaces directly
from
the ADVANCED > Advanced Networking page to accept email
on both interfaces or to route ingress email to one NIC and
egress through the other NIC. Benefits of this feature include
redundancy, filtering email for domains on separate networks
and improving throughput. Up to 250 IP addresses can be
configured per NIC.
Static Routes
With the Barracuda Spam Firewall 600 (and 600Vx) and higher, you
can specify a default gateway between the Barracuda
Spam Firewall and a mail server on another subnet in your
organization using the Static Routes feature on the
ADVANCED
> Advanced Networking page. This will guarantee that
return traffic is routed back to the Barracuda Spam Firewall
from
the unassociated network. If you have problems with static route
configuration, please contact Barracuda Networks
Technical Support.
Loopback Adapter
If you want to use this Barracuda Spam Firewall with a Barracuda
Load Balancer in Direct Server Return mode, you must
enable a non-ARPing loopback adapter. If you are using any other
mode you do not need to make any changes to the
Barracuda Spam Firewall configuration.
Each Virtual IP address supported by the Real Server (the
Barracuda Spam Firewall in this case) requires its own loopback
adapter. For each loopback adapter, enter a Virtual IP address
in the Loopback Adapter Configuration field on the
ADVANCED > Advanced Networking page.
https://techlib.barracuda.com/IwA7 7 / 9
http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/
-
8/17/2019 Advanced+Configuration
8/9
Non-Delivery Reports
Spam Bounce Non-Delivery Reports (NDRs)
The Barracuda Spam Firewall sends NDRs to email recipients
and senders when one of their messages is blocked. The NDR
contains a brief explanation of why the Barracuda Spam Firewall
blocked the message. Information that you may want to
add to an NDR includes the contact information of the Barracuda
Spam Firewall administrator so that internal users know
who to contact if they have questions about a blocked
message.
The ADVANCED > Bounce/NDR Messages page in the
Barracuda Spam Firewall web interface allows for customizing
the
information in an NDR and for selecting the default language to
use in the message.
Reducing Backscatter
By default, your Barracuda Spam Firewall is configured to NOT
send an NDR to a sender when the Barracuda Spam Firewall
blocks their email (see the NDR on Block setting on
the ADVANCED > Bounce/NDR Settings page). You may want
to
enable NDRs to alert legitimate senders that their message has
not been delivered to the recipient. However, if the email
came from an illegitimate source such as a spammer, then sending
a bounce notification is not necessary.
Additionally, many spammers spoof valid domains, and you don’t
want to send bounce messages to your domain if it is
being spoofed. Sending bounce messages to illegitimate senders,
or to senders who were spoofed and did not actually send
the offending message, is known as “backscatter”. Backscatter
can increase the load on your Barracuda Spam Firewall and
may generate a lot of email to fake addresses or to senders
whose email addresses were spoofed by a spammer. Your
domain could also end up on a real-time blocklist as a
consequence.
If your Barracuda Spam Firewall rarely blocks a legitimate
email, consider setting NDR on Block to No for
Inbound and/or
Outbound mail to reduce backscatter.
https://techlib.barracuda.com/IwA7 8 / 9
-
8/17/2019 Advanced+Configuration
9/9
Remote AdministrationBarracuda Networks provides a set of APIs
for remote administration and configuration of the Barracuda Spam
Firewall. The
APIs work through manipulation of variables inside of the system
configuration database, and anything that can be declared
in that database can be set or checked with the APIs. This
includes most things that you can set by clicking the Save
Changes button in the Barracuda Spam Firewall web
interface. For example, from the BASIC > Spam
Checking page, you
can set global Spam Scoring Limit values for the actions Block,
Tag or Quarantine, then click the Save Changes button.
These values can be set remotely using the APIs.
The framework of the API provides for the programmer to
get or set variables inside an XML-RPC request that correspond
to
field values in the configuration database in the Barracuda Spam
Firewall. Some languages such as Perl, for example,
provide wrappers for XML-RPC requests, providing an interface to
form the request. To view the variables and current
settings of the Barracuda Spam & Firewall configuration
database, on the ADVANCED > Backup page, select System
Configuration for Backup Type and click the
Backup button.
To prepare the Barracuda Spam Firewall for use with the
APIs, you must first enter the IP addresses that are allowed to
communicate with the APIs in the Allowed SNMP and API
IP/Range field on the BASIC > Administration page, and
you
must create an API Password that will be included with all calls
to the APIs. For more information on using the APIs, see the
Barracuda Spam Firewall API Guide.
https://techlib.barracuda.com/IwA7 9 / 9
http://0.0.0.0/http://0.0.0.0/
