Securing the Barracuda Email Security Gateway

Securing the Barracuda Email Security Gateway
1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.1 Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2 Deployment Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.1 Deployment in the DMZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.2 Deployment Behind the Corporate Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.3 Clustering the Barracuda Email Security Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.3.1 Benefits of Clustering the Barracuda Email Security Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.3.2 How to Cluster the Barracuda Email Security Gateway 7.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.3.3 How to Cluster the Barracuda Email Security Gateway 6.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.3.4 How to Cluster the Barracuda Email Security Gateway 5.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.4 Virtual Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.4.1 How to Deploy Barracuda Email Security Gateway Vx Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.4.2 Allocating Cores, RAM, and Hard Disk Space for Your Barracuda Email Security Gateway Vx . . . . . . . . . . . . . . . . .
1.2.4.3 Barracuda Email Security Gateway Vx Quick Start Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.4.4 Route Email to the Barracuda Email Security Gateway Vx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.4.5 Backing Up Your Virtual Machine System State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.5 Public Cloud Hosting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.5.1 Amazon Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.5.1.1 How to Deploy the Barracuda Email Security Gateway on Amazon Web Services . . . . . . . . . . . . . . . . . . . . . .
1.2.5.1.2 Disk Expansion on Amazon Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.5.2 VMware vCloud Air Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.5.2.1 How to Deploy the Barracuda Email Security Gateway in VMware vCloud Air . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.5.2.2 Barracuda Email Security Gateway Quick Start Guide on vCloud Air . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.5.3 Microsoft Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.5.3.1 How to Deploy the Barracuda Email Security Gateway on Microsoft Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.5.3.2 Barracuda Email Security Gateway Quick Start Guide on Microsoft Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.5.3.3 How to add Additional Storage to your Azure Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.5.3.4 How to Deploy the Barracuda Email Security Gateway in the New Microsoft Azure Management Portal . . . . .
1.2.5.4 Microsoft Azure Restrictions and Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.1 Step 1 - Understand the Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.2 Step 2 - Install the Barracuda Email Security Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.3 Step 3 - Initial Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.4 Step 4 - Product Activation and Firmware Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.5 Step 5 - Configure the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.5.1 How to Enable SSL for Administrators and Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.6 Step 6 - Routing Inbound Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.6.1 Using MX Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.7 How to Tune and Monitor the Default Spam and Virus Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.7.1 How to Get and Configure Barracuda Exchange Antivirus Agent 8.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.7.2 How to Get and Configure Barracuda Exchange Antivirus Agent 7.1 and Above . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.7.3 How to Get and Configure the Barracuda Exchange Antivirus Agent 6.0.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.7.4 Virus Checking and Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.7.5 How Spam Scoring Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.7.6 Monitoring Inbound and Outbound Email Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.7.7 Performance and Email Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.8 Cloud Protection Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.8.1 Advantages of the Cloud Protection Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.8.2 How to Set Up Your Cloud Protection Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.9 Quarantine: An Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.10 Mail Journaling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.11 How to Migrate From Postini to the Barracuda Email Security Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.4 Routing Outbound Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.4.1 About Scanning of Outbound Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.4.2 How to Route Outbound Mail from the Barracuda Email Security Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.4.3 How to Configure Office 365 for Inbound and Outbound Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.4.4 How to Configure G Suite for Inbound and Outbound Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.4.5 How to Route Outbound Mail from Kerio Connect Mail Server through the Barracuda Email Security Gateway . . . . . . . . .
1.4.6 Encryption of Outbound Mail 6 and Above . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.4.6.1 How to Use DLP and Encryption of Outbound Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.4.6.1.1 Medical Dictionary Source for DLP HIPAA Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.4.6.2 How to Use DLP Filters With Spreadsheets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.4.6.3 Archiving Encrypted Email Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.4.7 Encryption of Outbound Mail 5.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5 Securing the Barracuda Email Security Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4
5
21
22
23
24
25
27
29
32
35
36
39
41
43
44
45
46
47
59
62
63
65
68
71
74
77
80
90
91
92
96
97
100
101
102
103
104
107
108
110
113
115
116
117
118
119
121
122
125
126
127
128
129
130
132
136
138
139
142
144
145
146
147
150
1.6 Advanced Spam Filtering Inbound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6.1 Advanced Threat Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6.1.1 How to Use Advanced Threat Detection Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6.2 Anti-Fraud and Anti-Phishing Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6.3 Rate Control Inbound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6.4 IP Analysis Inbound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6.4.1 Barracuda Reputation Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6.5 Content Analysis Inbound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6.6 Bayesian Analysis Inbound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6.7 Bulk Email Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.7 Advanced Spam Filtering Outbound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.7.1 Spam Scoring Outbound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.7.2 Rate Control Outbound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.7.3 IP Analysis Outbound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.7.4 Sender and Recipient Filtering Outbound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.7.5 Reverse DNS Blocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.7.6 Content Analysis Outbound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.7.7 Attachment Filtering Outbound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.7.8 Bayesian Analysis Outbound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.8 Advanced Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.8.1 Sender Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.8.2 Recipient Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.8.3 Remote IMAP/POP Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.8.4 Advanced Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.8.5 Non-Delivery Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.8.6 Remote Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.9 Creating and Managing Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.10 Managing Inbound Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.10.1 How Quarantine of Inbound Mail Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.10.2 Quarantine Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.10.3 Controlling Access to Account Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.10.4 How Quarantine Notifications Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.10.5 Retention Policy and Purging Old Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.11 Managing Outbound Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.12 Creating and Managing Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.12.1 Role-based Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.12.1.1 Roles and Navigating the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.12.1.2 Role Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.12.1.2.1 Domain Admin Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.12.1.2.2 Helpdesk Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.12.1.2.3 User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.12.1.2.4 Governance, Risk Management and Compliance (GRC) Account Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.13 Monitoring the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.13.1 Basic Monitoring Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.13.2 Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.13.3 How to Set Up Alerts and SNMP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.13.3.1 How to Use SNMP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.13.3.2 Barracuda Email Security Gateway SNMP MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.13.3.3 Barracuda Reference MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.13.4 Using a Syslog Server to Centrally Monitor System Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.13.4.1 Syslog and the Barracuda Email Security Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.13.4.2 How to Parse the Barracuda Email Security Gateway Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.13.5 How to Set Up Barracuda Cloud Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.13.6 Barracuda Email Security Gateway Panel Indicators and Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.13.7 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.14 Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.14.1 How to Back Up and Restore System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.14.2 Replacing a Failed System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.15 Tools and Add-Ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.15.1 Barracuda Email Security Gateway API Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.15.2 Barracuda Message Center User's Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.15.3 Barracuda Email Security Gateway User 's Guide 6 and Above . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.15.4 Barracuda Spam Firewall User's Guide 5.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.15.5 Barracuda Outlook Add-In Overview 6 and Above . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.15.6 Barracuda Outlook Add-In Overview 5.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
152
153
155
156
157
158
160
161
163
165
166
167
168
169
170
171
172
173
174
175
176
178
179
180
181
182
183
185
186
187
189
190
191
192
193
196
197
201
202
203
205
206
207
208
210
211
212
217
218
219
220
226
231
232
236
238
240
241
242
243
309
311
317
324
326
1.15.7 Barracuda Outlook Add-In Deployment Guide 6.1.2 and Above . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.15.8 Barracuda Outlook Add-In Deployment Guide 5.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.15.9 SMTP Error Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.15.9.1 How to Customize SMTP Response Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.15.10 Barracuda Outlook Add-In Deployment Guide version 7 and Above . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.16 LDAP Error Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
327
332
334
337
338
343
Barracuda Email Security Gateway Administrator's Guide - Page
4
Overview
The Barracuda Email Security Gateway is an integrated hardware and software solution designed to protect your email server from spam, virus,
spoofing, phishing and spyware attacks. Outbound filtering and encryption options also prevent confidential or sensitive information from being
purposely or inadvertently leaked outside the organization (Data Leakage Prevention). The optional cloud protection layer (CPL) shields email
servers from inbound malware and DoS attacks while filtering out normal spam before it ever touches the network’s perimeter.
Where to Start
The selected deployment mode may depend on the email server configuration that currently exists at your site, as well as whether you want to
deploy the Barracuda Email Security Gateway behind your corporate firewall or in front of your corporate firewall in the DMZ. Refer to Deploymen
t Options for more information.
Device Deployment
Go to the Getting Started section, or
Download the Barracuda Email Security Gateway Quick Start Guide.
Virtual Deployment
Go to the Barracuda Email Security Gateway Vx Quick Start Guide.
Key Features
Spam and virus filtering with the optional Barracuda Exchange Antivirus Agent, an add-in that you can install on your Microsoft Exchange
mailbox server(s).
Global or per-user quarantine
Prevents spoofing, phishing and malware
Data leakage prevention (DLP) with outbound email filtering
SMTP/TLS site-to-site encryption – see How to Use DLP and Encryption of Outbound Mail
Invalid bounce suppression
Policy enforcement for compliance and corporate policies
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
5
Release Notes
Before installing any firmware version, back up your configuration and read all release notes that apply to versions more recent than
the one currently running on your system.
Do not manually reboot your system at any time during an update, unless otherwise instructed by Barracuda Networks Technical
Support. Depending on your current firmware version and other system factors, updating can take up to 10 minutes. If the process
takes longer, please contact Barracuda Technical Support for further assistance.
Before upgrading, BE SURE TO TAKE THE BARRACUDA EMAIL SECURITY GATEWAY OFFLINE. This will ensure that the inbound
queue is emptied and all messages are scanned before the update process begins. See the BASIC > Administration page for the Offl
ine button.
Updating to Version 8.x
WARNING: After clicking the Apply Now on the ADVANCED > Firmware Update page, the progress bar may appear to time out and the
administrator may need to manually return to the login screen after 5 minutes if it doesn't load automatically in the browser.
Firmware Version 8.0
What's New in Version 8.0
Web Interface
The Barracuda Spam Firewall has been renamed the Barracuda Email Security Gateway.
Barracuda Exchange Antivirus Agent
The Barracuda Exchange Antivirus Agent no longer supports Microsoft Exchange Server 2007. See How to Get and Configure
Barracuda Exchange Antivirus Agent 8.x for details.
Fixed in Version 8.0
Version 8.0.1.001
Mail Processing
Enhancement: Mail with Microsoft Office attachments that contain macros can be blocked. [BNSF-23786]
Web Interface
Resolved issue which prevented the Dashboard from displaying during update server outages. [BNSF-25934]
Resolved issue preventing access to ADVANCED > Energize Updates and ADVANCED > Firmware Update pages when the
Barracuda Email Security Gateway was offline. [BNSF-25929]
Barracuda Exchange Antivirus Agent
Enhancement: The Barracuda Exchange Antivirus Agent supports Microsoft Exchange Server 2016. [BNSF-25828]
Version 8.0.0.007
Mail Processing
Enhancement: Improved Sender Spoof Protection efficiency. [BNSF-25835]
Resolved issue which could cause excessive system load. [BNSF-25831, BNSF-25884]
Resolved issues with malformed headers causing incorrect parsing. [BNSF-25836, BNSF-25838]
Resolved issue with Multi-Level Intent Analysis. [BNSF-25907]
Clustering
Improved handling of Standby mode in a clustered system. [BNSF-25797]
Version 8.0.0.005
Mail Processing
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
6
Outbound messages from whitelisted IP addresses are now properly checked for encryption if encryption is enabled. [BNSF-25732]
Links in the BASIC > Message Log message view page now work properly. [BNSF-22345]
Version 8.0.0.004
Mail Processing
Outbound messages from whitelisted IP addresses are now properly checked for encryption if encryption is enabled. [BNSF-25732]
Version 8.0.0.003
Mail Processing
Improved attachment filtering/detection. [BNSF-25491]
Version 8.0.0.002
Mail Processing
Downloading a PDF file attached to a message from the Message Log through BAC/BCS works as expected. [BNSF-25536]
Attachment filtering blocks correctly even if MIME type encoding is not formatted correctly. [BNSF-20598]
Messages received by the Barracuda Email Security Gateway which are just under the maximum message size are processed properly
and are not blocked. [BNSF-25500]
When the From header of a message has an unusual format, the unit does not time out when attempting to deliver the message from the
user's quarantine inbox. [BNSF-25254]
SMTP over TLS for outbound mail works as expected, the mail queues and delivers properly and the logs do not indicate errors.
[BNSF-25437]
Outbound quarantine emails with multi-line From headers due to UTF8 are delivered as expected. [BNSF-25309]
Notifications
The Barracuda Email Security Gateway no longer sends out notifications that state "Encrypted email unable to be delivered" for emails
that trigger encryption policies and have a blank sender. [BNSF-17895]
Alert email announcing that Energize Updates subscription is about to expire is now branded correctly as Barracuda Email Security
Gateway. [BNSF-25615]
NDRs are not rejected by some mail servers, including O365, if they don't include a valid From header. [BNSF-25612]
Web Interface
The Configuration Updated message only shows on web interface pages as needed. [BNSF-25566]
Street Address and Driver's License information in emails trigger Privacy policies as expected. [BNSF-24772]
When specifying a filename for an attachment content filter, the pattern specified (filename= <example_filename>) works when there is a
space between the "= " and the filename. [BNSF-25491]
Security
Fix: resolved the following vulnerabilities:
High severity vulnerability: persistent XSS, authenticated [BNSEC-6504 / BNSF-25215, BNSEC-4551 / BNSF-22345]
Version 8.0.0.001
Mail Processing
Enhancement: Improved performance of IP Whitelisted and outbound message scanning. [BNSF-23352, BNSF-24293]
Enhancement: Improved street address and driver's license detection. [BNSF-24388]
Enhancement: Improved error handling for 'full disk' condition. [BNSF-24622]
Enhancement: Added macro support for SPF records with macros. [BNSF-24659]
Enhancement: Improved general performance of mail scoring and attachment scanning. [BNSF-24473]
Enhancement: General improvements in PDF processing capabilities. [BNSF-24846]
Enhancement: Improved HIPAA and Credit Card data detection. [BNSF-25026, BNSF-25028]
Fix: Updated internal scanning processes to improve stability. [BNSF-21928, BNSF-24241, BNSF-25268]
Fix: Resolved intermittent PTR detection issue. [BNSF-24546]
Fix: Users who lack a mail attribute in LDAP are now properly quarantined. [BNSF-25136]
Fix: LDAP Alias re-writing no longer rewrites the "To" header. [BNSF-25141]
Fix: Lines exceeding 990 characters are no longer broken in multiple places. [BNSF-25206]
Web Interface
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
7
Enhancement: Administrative ACLs can be temporarily removed through the Console Administrator with the System > Reset
Administrator IP/Range selection. [BNSF-23352]
Enhancement: Invalid username and password attempts are now logged to the Web Syslog. [BNSF-24629]
Enhancement: Improved performance of bulk classification of Spam/Not Spam. [BNSF-25000]
Enhancement: Messages with unknown character sets are now treated as UTF-8. [BNSF-25086]
Enhancement: Updated Japanese help file translations. [BNSF-25088]
Enhancement: Improved web interface load times in general, and especially for BASIC > IP Configuration. [BNSF-25193, BNSF-25199]
Fix: Message viewer Download and Delivery buttons now show properly for all window sizes. [BNSF-24177]
Fix: Miscellaneous web interface improvements. [BNSF-24300, BNSF-24381]
Fix: New user quarantine email links now work properly. [BNSF-24404]
Fix: Users with an '&' in the name can now view the Quarantine Inbox. [BNSF-24764, BNSF-24961]
Fix: Outbound Quarantine actions no longer result in an error page. [BNSF-24858]
Fix: Invalid users can be removed. [BNSF-24860]
Fix: Randomization has been improved for password generation. [BNSF-24995]
Fix: The details for messages blocked without message bodies can now be viewed on all systems in a cluster. [BNSF-24973,
BNSF-25053]
Reporting
Fix: Fixed display of erroneous 'Permission denied'. [BNSF-24600]
Fix: LDAP Failure Notifications are no longer triggered by outdated logs. [BNSF-25180]
Encryption
Fix: Replies to encrypted emails are now archived. [BNSF-24496]
Virtualization
Enhancement: Tuned database configuration for Microsoft Azure, Amazon AWS, and VMWare vCloud Air. [BNSF-24836]
Barracuda Outlook Add-in
Fix: Resolved issue preventing Add-in authorization for some usernames. [BNSF-23766]
Fix: Resolved issue which could cause the Add-in to appear in the wrong window. [BNSF-24585]
Fix: The Add-in can now be used from an IP address in the Administration ACL IP Range. [BNSF-24759]
Security
Fix: resolved the following vulnerabilities:
High severity vulnerability: authenticated, remotely exploitable, arbitrary command execution [BNSEC-5205 / BNSF-23281]
High severity vulnerability: unauthenticated, remotely exploitable, brute force, [BNSEC-5204 / BNSF-23282]
High severity vulnerability: remotely exploitable, privilege escalation [BNSEC-5203 / BNSF-23285]
Medium severity vulnerability: persistent XSS, unauthenticated, remotely exploitable [BNSEC-4622 / BNSF-24136]
Medium severity vulnerability: non-persistent XSS, authenticated [BNSEC-3880 / BNSF-21745]
Medium severity vulnerability: authenticated, insufficient authorization [BNSEC-2659 / BNSF-22336]
Low severity vulnerability: non-persistent XSS, authenticated [BNSEC-2055 / BNSF-21775]
Low severity vulnerability: Some non-persistent cross-site scripting vulnerabilities have been fixed. [BNSEC-877 / BNCMN-132]
Low severity vulnerability: non-persistent XSS, authenticated [BNSEC-228 / BNSF-18340]
[BNSF-22345], [BNSF-25215]
Firmware Version 7.1
What's New in Version 7.1
Web Interface
The Microsoft IE browser is supported for version 9 and above.
Barracuda Exchange Antivirus Agent
The new Barracuda Exchange Antivirus Agent 7.1 runs as a Windows service on your Microsoft Exchange 2013 server and enables it to
scan email for viruses. From the ADVANCED > Exchange Antivirus page you can download the agent and view associated email
statistics after it is installed and running. You can also click a link on the page to view the Barracuda Exchange Antivirus Agent release
notes.
This version of the agent only supports Microsoft Exchange Server 2013. If you are using versions 2007 or 2010 of Exchange Server,
you can download the Barracuda Exchange Antivirus Agent 6.0.x from the ADVANCED > Exchange Antivirus page.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
8
The Barracuda Exchange Antivirus Agent no longer supports Microsoft Exchange Server 2003.
See How to Get and Configure Barracuda Exchange Antivirus Agent 7.1 and Above for details.
Cloud Control
Support for Domain Administration and Users management - Barracuda Cloud Control now supports managing domains and users.
Administrators will have the ability to navigate between domains and users within Barracuda Cloud Control.
Fixed in Version 7.1
Version 7.1.1.004
Note: This release removes LED mail determination flash indicators on the front panel to improve performance.
Mail Processing
Enhancement: Improved detection of stuck mail processing. [BNSF-24498]
Enhancement: Removed the SSLv2 protocol and EXPORT and LOW strength ciphers. Improved set of ciphers as specified in ADVANC
ED > Email Protocol > SMTP over TLS/SSL > Allow Weak Ciphers. [BNSF-25283]
Web Interface
Fix: Resolved issue on newer models where messages may not appear in the Message Log. [BNSF-23371]
Fix: Resolved issue in which some Domain Administrators and Helpdesk Users who could not view messages. [BNSF-23920,
BNSF-24892]
Reporting
Fix: LDAP Failure Notification report now includes an attachment with additional information for troubleshooting. [BNSF-17538]
Encryption
Fix: Resolved issue that could sometimes send duplicate emails when replies were sent to encrypted emails through the Barracuda
Message Center. [BNSF-23969]
Security
Fix: resolved the following vulnerabilities:
Medium severity vulnerability: Update OpenSSL to address CVE-2016-0800 (commonly known as "DROWN") and
CVE-2016-2842. [BNSEC-6568 / BNSF-25307]
Version 7.1.1.003
Cloud Control
Fix: Resolved condition which could prevent connection to Barracuda Cloud Control after firmware upgrade or upon the first connection.
[BNSF-24814]
Barracuda Exchange Antivirus Agent
Enhancement: Added support for Microsoft Outlook 2016.
Version 7.1.1.002
Mail Processing
Enhancement: Improved scanning for emails with large attachments. [BNSF-23864]
Enhancement: Improved attachment processing for malformed attachments. [BNSF-24245]
Fix: Resolved rare condition where per-user quarantining would still take affect when disabled. [BNSF-22343]
Web Interface
Enhancement: Use numeric sorting for Size column on Advanced > Queue Managment page. [BNSF-19427]
Enhancement: Updated Japanese help file translations. [BNSF-24598]
Fix: Resolved condition where some Product Tips would not stay hidden. [BNSF-24583]
Barracuda Outlook Add-in
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
9
Enhancement: Support for MS Outlook 2016.
Version 7.1.1.001
Mail Processing
Enhancement: Improved SPF checks for complex records. [BNSF-23979]
Enhancement: Resolved case sensitivity with redirection checks. [BNSF-23979]
Enhancement: Improved DLP detection. [BNSF-24186]
Fix: Resolved case sensitivity issue with SPF and redirection checks. [BNSF-23876, BNSF-24102]
Fix: Messages no longer have the global footer attached if Attach Footer is set to No on the ADVANCED > Outbound Footers page at
the domain level. [BNSF-24148]
Web Interface
Enhancement: Messages that are blocked for intent now contain a link to whitelist the sender. [BNSF-24372]
Enhancement: Updated Japanese translations. [BNSF-23486]
Enhancement: Messages that are allowed for emailreg now contain a link for reporting emailreg abuse. [BNSF-24373]
Enhancement: Improved appearance for popups in Firefox and Internet Explorer. [BNSF-23986]
Enhancement: Improved performance of data entry for pages containg large amounts of data. [BNSF-24152]
Enhancement: Improved display of Exchange Antivirus data with multiple Exchange Servers. [BNSF-24220]
Enhancement: Improved handling of message bodies for Bayesian classification. [BNSF-24368, BNSF-24370]
Fix: Marking messages as Spam/Not Spam in the Message Log is now reflected properly on all units in a cluster. [BNSF-9564,
BNSF-22576]
Fix: Resolved an issue where users sometimes could not deliver or delete quarantine messages. [BNSF-22902]
Fix: Clicking action links on the BASIC > Outbound Quarantine page at the domain level no longer redirects to the Dashboard.
[BNSF-23840]
Fix: Message Log now shows correct Delivery Status for all messages in a cluster. [BNSF-23897]
Fix: The State filter on the ADVANCED > Queue Management page now correctly applies for non-English languages. [BNSF-23917]
Fix: Changes to the BLOCK/ACCEPT > Recipient Filters page now take immediate effect on all units in a cluster. [BNSF-24089]
Fix: Resolved issue where sometimes the Delivery Status in the Message Log would not show correct information. [BNSF-24096]
Fix: Messages can now be viewed on all units in a cluster. [BNSF-24140]
Fix: Fixed issue with taking action on quarantined mail in clusters consisting of 3 or more units. [BNSF-24207]
Fix: Fixed display of usernames with special characters. [BNSF-24253]
Fix: Fixed issue where new units may not show initial messages in the Message Log. [BNSF-24309]
Fix: Attachments are again displayed for the end user quarantine. [BNSF-24367]
Fix: Domain administrators can now view messages in the Message Log. [BNSF-24374]
Fix: Help dialogs now show correct titles for multi-byte/high-ascii encoding. [BNSF-24376]
Backup
Fix: Restoring a backup to a virtual machine no longer overwrites the license token. [BNSF-23846]
Security
Fix: resolved the following vulnerabilities:
BNSEC-877, BNCMN-132: Security fix, low severity. Some non-persistent cross-site scripting attacks have been fixed.
Version 7.1.0.002
Web Interface
Fix: Resolved issue where statistics did not display in Barracuda Appliance Control after Barracuda Email Security Gateway was
rebooted. [BNSF-24079]
Fix: End users can now log in if the Barracuda Email Security Gateway cannot check subscriptions, such as when the internet is
unavailable. [BNSF-24122]
Version 7.1.0.001
Mail Processing
Fix: Messages containing hostnames that are IP addresses in messages are correctly processed. [BNSF-21784, BNSF-23457]
Web Interface
Enhancement: Updated translations. [BNSF-23792, BNSF-223460]
Enhancement: General web interface enhancements in font, color, and styling. [BNSF-23167, BNSF-23169, BNSF-23171]
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
10
Enhancement: Improved display of Barracuda Exchange Antivirus Statistics. [BNSF-23791]
Fix: Resolved issue regarding Single Sign-On with LDAP hosts with IPv4 and IPv6 addresses. [BNSF-21422]
Fix: Online Help Search in Firefox correctly supports the Japanese IME keyboard. [BNSF-23116]
Fix: On the BASIC > Outbound Quarantine page, taking actions with messages such as Delete, Reject or Deliver no longer clear the
search filters. [BNSF-23134]
Fix: Message Log buttons and icons for IE 9 render correctly. [BNSF-23882]
Fix: When using Single Sign-On (SSO) with an LDAP Server Type of Other (see the USERS > LDAP Configuration page for a domain),
the Barracuda Email Security Gateway now only uses the user-provided filter for an LDAP search, preventing a timeout. [BNSF-23996]
Fix: Admin, Domain Admin and Helpdesk roles can now deliver user quarantined messages from the Quarantine inbox when the locale is
Multibyte. [BNSF-24062]
Fix: Report data displayed with the Show Report function now matches the data in the emailed report, as the Show Report function
now uses local time for the Date Range as opposed to UTC time. [BNSF-24004]
Barracuda Exchange Antivirus Agent
Enhancement: Barracuda Exchange Antivirus Agent 7.1 verifies signature integrity prior to loading the signatures. [BNSF-21154]
Security
Fix: resolved the following vulnerabilities:
High severity vulnerability: persistent XSS, unauthenticated, remotely exploitable [BNSEC-4672 / BNSF-22625]
High severity vulnerability: persistent XSS, unauthenticated, remotely exploitable [BNSEC-4670 / BNSF-22626]
High severity vulnerability: persistent XSS, unauthenticated, remotely exploitable [BNSEC-4669 / BNSF-22624]
Firmware Version 7.0
What's New in Version 7.0
Web Interface
Updated the Barracuda Email Security Gateway web interface with a new color scheme to be consistent with the look and feel with other
Barracuda products. There are no navigation changes.
New login security feature: If the user login fails 5 times, there is a 15 minute wait period before making another login attempt.
The BASIC > Status page has been renamed to BASIC > Dashboard.
Improved Performance and Security
Mail delivery now supports connection caching, thereby reducing the amount of network traffic as well as load on destination mail
servers.
TLS support is improved and now provides:
Better fallback negotiation
Wildcard support for requiring TLS to destination domains and sub-domains
Certificate validation
Barracuda Email Security Gateway Vx virtual machines now show the core capacity and usage on the BASIC > Dashboard page.
Fixed in Version 7.0
Mail Processing
Feature: SMTP response codes for rejected messages can now be customized on the ADVANCED > SMTP Responses page.
[BNSF-20867]
Enhancement: Added support for Recipient Addresses which include address tagging. See Recipient Delimiter on the ADVANCED >
Email Protocol page for more information. [BNSF-7518]
Enhancement: Outbound mail now supports connection caching to destination mail servers. [BNSF-18823]
Enhancement: Updating a per-domain recipient whitelist now takes immediate effect, no longer requiring a Reload. [BNSF-19025]
Enhancement: Improved TLS fallback and detection behavior. [BNSF-19178]
Enhancement: The setting for Require Encrypted TLS relaying email to these destination servers now supports domain names, and
wildcards, rather than specific servers. Click the Help button on the domain level ADVANCED > Email Protocol page for more
information. [BNSF-19640]
Enhancement: Requiring TLS to a destination domain now supports certificate validation instead of checking the hostname.
[BNSF-19807]
Fix: Fixed issue where mail could intermittently stop processing. [BNSF-14626]
Fix: Outbound mail delivery no longer attempts to use IPv6 if the system is configured to only use IPv4. [BNSF-19703]
Fix: Mail which bounced (return notification) due to an un-reachable server no longer shows as Deferred in the Message Log.
[BNSF-19347]
Fix: Comma delimiters separating destination mail servers now correctly enable load balancing. [BNSF-19397]
Fix: Load balancing mode now properly handles fail-over if the attempted destination mail server is unreachable. [BNSF-19398]
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
11
Fix: Certain attachment types no longer cause an error when adding footers to emails. [BNSF-21580]
Fix: SPF outbound checks now properly handles private IP addresses and relays between Barracuda Email Security Gateways.
[BNSF-21586, BNSF-22010]
Fix: Barracuda Reputation and RBL IP Exemption Ranges now work as expected with Trusted Forwarders. [BNSF-22623]
Fix: Multiple messages in a single session with invalid recipients no longer works with whitelisting as expected. [BNSF-22478]
Fix: Outbound emails no longer erroneously include footers configured for other domains if a system wide footer is not configured.
[BNSF-22495]
Fix: Inbound mail are no longer incorrectly caught by Predefined credit card filters when the Link Domains feature is used and the
primary domain is not fully configured. [BNSF-22874]
Web Interface
Enhancement: Viewing a message now records the event in Web Syslog (see ADVANCED > Troubleshooting). [BNSF-7402]
Enhancement: The addition of users now verifies that the domain exists on the Barracuda Email Security Gateway before adding a user
for that domain. [BNSF-20188]
Enhancement: Updated translations. [BNSF-22551, BNSF-22707]
Enhancement: Support for recently changed time zone/daylight savings times including Moscow and Fiji. [BNSF-22854]
Fix: Message Log search filter now properly clears OR conditions when removed from the filter. [BNSF-21295]
Fix: Online Search now properly works when HTTPS/SSL Access Only is enabled. [BNSF-21682]
Fix: Deleting all displayed Emails from the Quarantine Summary Digest now properly deletes the quarantined emails from the system.
[BNSF-22742]
Fix: Helpdesk users can now see headers when Helpdesk users are allowed by the administrator to view headers. [BNSF-22791]
Fix: Downloading an attachment from the Outbound Quarantine no longer forces a logout. [BNSF-22817]
Backup
Enhancement: Added support for FTPS. [BNSF-2658]
Enhancement: Added support for NTLMv2 on ADVANCED > Backup. [BNSF-22061]
Enhancement: Improved reliability and compatibility with SMB targets for backup. [BNSF-22270]
Fix: FTP PASV detection works for legacy restores. [BNSF-22678]
Security
Fix: resolved the following vulnerabilities:
Medium severity vulnerability: non-persistent XSS, authenticated [BNSEC-4544 / BNSF-22332]
Medium severity vulnerability: non-persistent XSS, authenticated [BNSEC-4528 / BNSF-22334]
Medium severity vulnerability: authenticated, security control bypass [BNSEC-3246 / BNSF-21595]
Low severity vulnerability: non-persistent XSS, authenticated [BNSEC-4531 / BNSF-22333]
Version 7.0.0.004
Fix: Resolved issue with connecting to recipient servers when Enable SMTP over TLS/SSL is turned on (see the ADVANCED > Email
Protocol page).
Firmware Version 6.1
What's New in Version 6.1
Email Categorization
This feature gives administrators an additional way to decide what to do with various types of emails from senders on the Barracuda
Reputation Whitelist. These emails are separated into different categories such as Transactional, Corporate and Marketing, each of
which can have a different delivery action associated with it.
Extended Malware Protection (Available on model 600 and higher)
An additional layer of deep message scanning is available as Extended Malware Protection leveraging a third-party scanner. This feature
is only available with a subscription. Contact your local Barracuda Networks Sales Reseller to purchase this subscription.
Barracuda Outlook Add-in (Available on some models)
Note: To run version 6.1.4.001 of the Barracuda Spam Firewall firmware, you must update your Barracuda Outlook Add-in to version
6.1.11 or later (see the USERS > User Features page).
Fixed in Version 6.1
Version 6.1.5.008
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
12
Fix: Resolved issue with connecting to recipient servers when Enable SMTP over TLS/SSL is turned on (see the ADVANCED > Email
Protocol page).
Version 6.1.5.006
Web Interface
Fix: Resolved issue with rare cases of some charts on the BASIC > Status page not rendering correctly. [BNSF-22184]
Mail Processing
Fix: TLS 1.1 and 1.2 remain available when SSLv2 and SSLv3 are disabled. [BNSF-22876]
Version 6.1.5.004
Virtualization
Feature: Added support for hourly billing virtual deployment in Microsoft Azure. [BNSF-22841]
Version 6.1.5.003
Web Interface
Fix: SSLv3 is disabled by default in the web interface to mitigate CVE-2014-3566 (SSL POODLE). [BNSF-22788]
Mail Processing
Enhancement: New setting on ADVANCED > Email Protocol page to allow or disallow SSLv2 and SSLv3 for incoming SMTP
connections. Setting to Yes provides for greater compatibility with older mail servers. Set to No to mitigate the recently reported SSL
POODLE [CVE-2014-3566] issue. [BNSF-22788]
Fix: Resolved an issue in the encryption module that affected transmission of outbound messages over a TLS connection to some types
of mail servers. [BNSF-22782]
Version 6.1.5
Mail Processing
Feature: Added support for Perfect Forward Secrecy in the following two scenarios: [BNSF-21503]
When sending SMTP traffic over a TLS connection. To configure SMTP over TLS, see Enable SMTP over TLS/SSL on the AD
VANCED > Email Protocol page.
When using HTTPS access for the Barracuda Spam Firewall web interface. This requires using properly configured SSL
certificates. See the ADVANCED > Secure Administration page to configure certificates.
Barracuda Appliance Control
Fix: From the Barracuda Appliance Control interface, clicking on a message in the Message Log properly renders the Message Details
popup window and message information. [BNSF-22666]
Fixed in Version 6.1.4
Version 6.1.4.001:
Mail Processing
Enhancement: Improved concurrent processing performance of the Barracuda Spam Firewall 900. [BNSF-21877]
Enhancement: Improved message body scanning. [BNSF-21891]
Enhancement: Optimized performance of Barracuda Reputation Blocklist resource utilization, update, and lookup. [BNSF-22036]
Enhancement: Header filters can now be applied to the Received header added by the Barracuda Spam Firewall. [BNSF-22101]
Enhancement: Improved performance of recipient verification lookup when Local Database is not in use. [BNSF-22185]
Enhancement: Improved resource utilization for scoring and attachment scanning. [BNSF-22266]
Enhancement: Valid and Explicit Recipients no longer require the primary email address to be listed twice on the ADVANCED > Explicit
Users page (at the global level) or the USERS > Valid Recipients page (at the domain level). [BNSF-22357]
Enhancement: Improved memory performance with attachment processing. [BNSF-22362]
Fix: In clustered environments, Per-User Quarantine accounts now support special characters such as apostrophes, for example.
[BNSF-16814]
Fix: Archiving of encrypted messages handles TLS-based connections correctly. [BNSF-21150]
Fix: Plain text footers are not duplicated if the footer is multi-line. [BNSF-21376]
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
13
Fix: Resolved issue which could prevent statistics and Message Log from updating. [BNSF-21848]
Fix: Quarantined messages with multi-byte characters in the headers can now be delivered. [BNSF-21964]
Fix: PTR record analysis now properly handles Trusted Forwarders when a connection is made. [BNSF-22196]
Fix: Resolved intermittent logging issue which, at times, used disk space on the firmware partition. [BNSF-22201]
Fix: Now all messages from a whitelisted IP address in a single session are whitelisted. Previously only the first message was
whitelisted. [BNSF-22205]
Fix: Resolved long delay for display of BASIC > Status and ADVANCED > Energize Updates pages when offline updates are used.
[BNSF-22258]
Fix: Improved performance when Energize Updates are applied on a Barracuda Spam Firewall appliance under heavy System Load.
[BNSF-22300, BNSF-22398]
Fix: Outbound quarantine now works on the Barracuda Spam Firewall 100 and 200. [BNSF-22351]
Reporting
Fix: Email Encryption Details report columns are correctly labeled. [BNSF-22095]
Web Interface
Enhancement: Password values changed via the Support Tunnel are now masked from Syslog output. [BNSF-22018]
Enhancement: Added Russian translations to NDR templates. [BNSF-22323]
Enhancement: Included Icelandic translations for end user pages in the web interface. [BNSF-22358]
Fix: Resolved case sensitivity issue when domain names are referenced in various settings. [BNSF-21358]
Fix: Web interface no longer displays "Temporarily Unavailable" if an invalid character set attribute is detected. [BNSF-22180,
BNSF-22240]
Backup
Fix: When restoring a backup to a new Barracuda Spam Firewall, upgraded to the most recent firmware, you are no longer required to do
a Reload to prevent an "Invalid Domain" response. [BNSF-20703]
Fix: Resolved issue which could prevent backup jobs from completing. [BNSF-21915]
Fix: Backups can now be restored if the web browser is configured for Japanese character sets. [BNSF-22364]
Barracuda Outlook Add-in
Fix: The Barracuda Spam Firewall now returns error messages when appropriate from the Barracuda Outlook Add-in and Exchange
Antivirus Add-in. [BNSF-22220]
Fix: The Barracuda Outlook Add-in now properly detects the custom HTTPS port. [BNSF-22382]
Security
Fix: resolved the following vulnerabilities:
Medium - High severity vulnerability: insufficient authorization. [BNSEC-4517 / BNSF-21063]
Medium - High severity vulnerability: non-persistent XSS, unauthenticated. [BNSEC-1251 / BNSF-20597]
Low severity vulnerability: unauthenticated, remotely exploitable, information disclosure. [BNSEC-3421 / BNSF-21649]
Fixed in Version 6.1.2
Version 6.1.2.003:
Mail Processing
Fix: Prevent the Spam Intent Category in Intent Analysis from defaulting to Off on upgrade. If a previous upgrade has occurred, please
see the Intent Categories table for BASIC > Spam Checking page and verify the setting. [BNSF-21927]
Version 6.1.2.002:
Security
Fix: Resolved the following vulnerability:
Medium severity: Updated OpenSSL to address the issues reported in OpenSSL's security advisory dated 2014-06-05
[BNSEC-4499 / BNSF-22245]
Version 6.1.2.001:
Mail Processing
Enhancement: Improved DLP detection algorithms for birth dates. [BNSF-21396]
Enhancement: Improved handling of unusually formatted emails. [BNSF-21407]
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
14
Fix: Messages were erroneously blocked by attachment type when whitelisted by the sender. [BNSF-20505]
Fix: Messages with certain malformed headers now appear correctly in the message log. [BNSF-21305]
Fix: Resolved issues with malformed headers from Trusted Forwarders. [BNSF-21897, BNSF-21906]
Fix: Multiple messages in a single session are no longer encrypted after a message encrypted via the Outlook Add-in. [BNSF-21955]
Fix: Per-User Scoring is no longer used when disabled. [BNSF-21800]
Web Interface
Feature: Added ability to submit Email Categories for incorrect or uncategorized messages. [BNSF-21700]
Feature: Added support for Europe/Busingen timezone. [BNSF-21988]
Enhancement: Improved memory handling and performance of the Web Interface after long periods of time. [BNSF-22142, BNSF-22155]
Fix: Resolved sporadic issue where Basic > Status page would fail to load. [BNSF-21994, BNSF-22184]
Fix: Deprecated timezones are not correctly updated when restored from a backup. [BNSF-21770, BNSF-21836]
Fix: Messages can now be delivered from any box in a cluster. [BNSF-22083]
Backup
Fix: Resolved intermittent scenario in which Restore would fail if a previous backup or restore had failed. [BNSF-21257]
Fix: Scheduled Backups Destination can now be changed from Cloud. [BNSF-21286]
Cloud Control
Fix: The Cloud Control status chart now shows the correct date for the status bars. [BNSF-21842]
Security
High severity vulnerability: unauthenticated, remotely exploitable, HTTP header injection [BNSEC-1168 / BNSF-20796]
Fixed in Version 6.1.1
Version 6.1.1.001:
Virtualization
Feature: Added support for virtual deployment in Amazon Web Services. [BNSF-21875]
Fixed in Version 6.1.0
Version 6.1.0.003:
Mail Processing
Enhancement: Improved processing of attachment filenames. [BNSF-21995]
Web Interface
Fix: Bulk editing the list of domains no longer omits certain domains. [BNSF-21742]
Enhancement: Added support for localized web interface for Email Categorization. [BNSF-22029]
Version 6.1.0.001:
Mail Processing
Feature: Email Categorization. Messages from Barracuda-verified senders (including those on the Barracuda Reputation Whitelist) are
categorized to allow the administrator another way to determine what action to take on various types of emails. Actions for each
Category may be configured from the BLOCK/ACCEPT > IP Reputation page. [BNSF-21615]
Feature: An additional layer of malware detection has been added with the Extended Malware feature. [BNSF-21662]
Enhancement: Per-Domain whitelisting and blocklisting of IP addresses now honors Trusted Forwarder status. [BNSF-13907]
Fix: Improved processing of messages with very long URLs. [BNSF-21779]
Fix: Improved handling of Received headers containing missing IP addresses. [BNSF-21793]
Web Interface
Feature: The Message Log now contains the IP address of the destination server. [BNSF-21404]
Feature: The Message Debug Identifier has been added to the Queue Managment for easier tracing of messages. [BNSF-21405]
Fix: Changing the character set in the Message Viewer now shows the message rather than the login page. [BNSF-21348]
Fix: APIs now properly account for colons in regex values. [BNSF-21522]
Fix: Adding valid recipients is now logged to the GUI syslog. [BNSF-21536]
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
15
Fix: Explicit users are not supported by the list_valid_recipient_aliases API call. [BNSF-21768]
Reporting
Fix: LDAP Failure notification report now accounts for case changes in domains. [BNSF-17538]
Security
Fix: Resolved the following vulnerabilities:
High severity: Authentication bypass [BNSEC-3188 / BNSF-21585]
Medium - High severity: Requires authentication; security control bypass [BNSEC-3208 / BNSF-21593]
Medium severity: Requires authentication; denial of service [BNSEC-3297 / BNSF-21598]
Medium severity: Unauthenticated; information disclosure [BNSEC-3259 / BNSF-21596]
Medium severity: Requires authentication; security control bypass [BNSEC-3198 / BNSF-21591]
Low severity: Unauthenticated; remotely exploitable; information disclosure [BNSEC-3421 / BNSF-21649]
Low severity: Non-persistent XSS; requires authentication; remotely exploitable [BNSEC-3287 / BNSF-21597]
Firmware Version 6.0
What's New in Version 6.0
Web Interface
Updated Time Zone settings per new 2013 DST settings. - The following time zones have been converted (see the BASIC > Administration
page):
Old Time Zone
New Time Zone
AQ
-9000+00000
Antarctica/South Pole
Amundsen-Scott Station, South
Pole
Antarctica/McMurdo
CA
+4531-07334
America/Montreal Eastern Time
- Quebec - most locations
Toronto
US
+364708-1084111
America/Shiprock Mountain
Time; Navajo
America/Denver
America/Shiprock
Cloud Services
Cloud Backup - New option to back up to the Barracuda Cloud with the same backup features as always, configurable from the ADVAN
CED > Backup page. Use your Barracuda Customer Account credentials to connect. If you don't have an account, you can create one
following instructions in this Barracuda TechLibrary article: Create a Barracuda Cloud Control Account, or see the ADVANCED > Cloud
Control page.
Cloud Protection Layer (CPL) - Now provides an integrated Message Log together with messages processed by the Barracuda Spam
Firewall.
Encryption
More reports detailing number of encrypted emails sent, number of encrypted emails opened by recipients, policies that triggered
encryption action and number of recalled messages.
Ability to archive encrypted email threads to a specified Barracuda Message Archiver. Configured on the BASIC > Administration page,
this feature will archive all encrypted correspondence, including encrypted replies, for all domains that have been validated on the
Barracuda Spam Firewall.
Message Privacy
New Governance, Risk Management and Compliance (GRC) role. The GRC role is used as a way to provide governance, risk
management and compliance to email content. The GRC only has access to Outbound Quarantine logs via the web interface and has
the job of reviewing the messages in the log, determining which ones should be delivered or rejected based on policy. The administrator
can enable or disable the GRC account at any time. Configure on the BASIC > Administration page.
Message Log Privacy - To protect email privacy, you can enable the Secondary Authorization feature to require a password before
the Admin, Domain Admin or Helpdesk roles can view entries or email message contents across the system (including the global
Message Log, per-domain Message Logs, queue management, outbound quarantine and quarantine inboxes). Configure on the BASIC
> Administration page.
SSL Certificates
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
16
SSL Certificate generation and installation process improvement.
Reporting
The Top Count setting upper limit, which is the maximum number of rows returned in a report (e.g. Top 10 Viruses), has been reduced
to 50. See the BASIC > Reports page.
Add-ins
The Barracuda Outlook Add-in supports Outlook 2007, Outlook 2010 and 2013. Support for Outlook XP and 2003 is no longer
available.
Note: If you are running version 6.0.0.028 of the Barracuda Spam Firewall firmware, you must upgrade your Barracuda Outlook Add-in to
version 6.0.x or later (see the USERS > User Features page).
The Lotus Notes Plugin is no longer supported, starting in Firmware Release 6.0.
Fixed in Version 6.0.2
Version 6.0.2.002:
Mail Processing
Enhancement: Multi-level intent analysis consistently handles timeouts. [BNSF-21731]
Fix: PTR record analysis now honors Trusted Forwarder status; i.e. IP addresses are checked until and including the first IP that is not a
trusted forwarder. [BNSF-21559]
Web Interface
Updated Time Zone settings per new 2013 DST settings. - The following time zones have been converted (see the BASIC >
Administration page):
Old Time Zone
New Time Zone
AQ
-9000+00000
Antarctica/South Pole
Amundsen-Scott Station, South
Pole
Antarctica/McMurdo
CA
+4531-07334
America/Montreal Eastern Time
- Quebec - most locations
Toronto
US
+364708-1084111
America/Shiprock Mountain
Time; Navajo
America/Denver
America/Shiprock
Fix: Converted time zones per new 2013 DST settings. [BNSF-21277].
The following time zones have been converted:
Antarctica/South Pole, Amundsen-Scott Station, South Pole. New Time Zone: Antarctica/McMurdo
America/Montreal Eastern Time - Quebec - most locations. New Time Zone: Toronto
America/Shiprock Mountain Time, Navajo. New Time Zone: America/Denver America/Shiprock
Fix: Bulk editing the list of domains no longer omits certain domains. [BNSF-21742].
Version 6.0.2.001:
Mail Processing
Enhancement: Improved Sender Policy Framework (SPF) algorithms for increased accuracy. [BNSF-18114, BNSF-20387, BNSF-20523,
BNSF-20558, BNSF-20883, BNSF-21068, BNSF-21118]
Enhancement: Hard SPF detection failures are now enabled by default. [BNSF-17929]
Enhancement: Inbound mail from a Trusted Relay source is now subject to Recipient Verification (if configured) to prevent sending email
to an invalid user for the domain. [BNSF-20482].
Enhancement: Mail Journaling can now be configured to only journal Quarantined messages on delivery. [BNSF-19388]
Enhancement: Multi-level intent analysis performs better with slow web servers. [BNSF-20003]
Enhancement: Improved disk space management. [BNSF-20543, BNSF-21026, BNSF-21339, BNSF-21308]
Enhancement: Improved recovery of services that are in an inconsistent state. [BNSF-20656, BNSF-20802, BNSF-20898]
Enhancement: Improved real-time detection for multilevel intent analysis. [BNSF-20733]
Enhancement: Improved attachment detection and filtering. [BNSF-19488]
Enhancement: Optimized analysis of messages with compressed files (.tgz, .rar, .zip). [BNSF-21147]
Enhancement: Improved DLP detection algorithms for message contents and attachments, including those for identifying dates, credit
card information, and data in Excel files. [BNSF-21094, BNSF-21354, BNSF-20736, BNSF-21272]
Enhancement: Added default German NDR texts. [BNSF-21058]
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
17
Fix: The Create Password email can now be sent to users with spaces in the UID. [BNSF-14773]
Fix: Block Sender Verify is no longer disabled when Block Empty Sender is enabled. [BNSF-14977]
Fix: PTR record analysis is now performed when mail is received from a Trusted Forwarder. [BNSF-19257]
Fix: All messages in a single SMTP session are now whitelisted when sent from a whitelisted IP address. [BNSF-19779, BNSF-20562]
Fix: Improved whitelist setting interactions between a primary account and its LDAP or Valid Recipient alias. [BNSF-20592, BNSF-21453]
Fix: Improved detection of UPS tracking numbers previously mis-identified as Social Security Numbers. [BNSF-19577]
Fix: Outbound Quarantine messages could be delivered to the Inbound Quarantine address with the Inbound Quarantine tag when using
Global Quarantine. [BNSF-20032]
Fix: Resolved issue processing messages with headers including ports with IP addresses. [BNSF-20524]
Fix: Messages blocked due to file type now report as banned rather than accepted. [BNSF-20525]
Fix: Whitelist properly takes precedence over quarantine rules that are based on EmailReg settings. [BNSF-20934]
Fix: Resolved issue in which, in rare circumstances, per-user quarantine files could be written as zero bytes when in a clustered
environment. [BNSF-20991]
Fix: Spam analysis conditions which could prevent unusual messages from being processed. [BNSF-20994, BNSF-20997]
Web Interface
Enhancement: Improved web interface performance when displaying a large number of users or domains. [BNSF-18336]
Enhancement: Reduced time to reload system configurations when there are a large number of domains. [BNSF-20145]
Enhancement: Single Sign-On now honors Valid Recipient alias linking. [BNSF-19754]
Enhancement: Improved support for Internet Explorer 9 and 10 and Firefox 23 and Safari. [BNSF-19525, BNSF-19837, BNSF-19978,
BNSF-20259, BNSF-21324, BNSF-21244]
Enhancement: Manual Backups now show the correct status without requiring a manual refresh. [BNSF-19836]
Enhancement: Improved detection of malformed character sets when displaying unicode messages. [BNSF-20503]
Enhancement: Added 3 new methods to API to list, add and delete Valid Recipients. [BNSF-20605]
Enhancement: The SMTP port is now excluded from synchronization across systems in a cluster. [BNSF-20561]
Enhancement: Option for the Helpdesk role to view message headers (configured on the BASIC > Administration page).
[BNSF-21204]
Enhancement: Web Syslog contents now include the year, usernames, troubleshooting commands, and configuration changes made by
Barracuda Technical Support. May require a restart of your syslog clients in order to receive the additional data. [BNSF-20990,
BNSF-21206, BNSF-21207, BNSF-21431, BNSF-21504]
Enhancement: Updated translations. [BNSF-19999, BNSF-20000, BNSF-20217, BNSF-20325, BNSF-20862, BNSF-21123,
BNSF-21418]
Fix: Time zone updates for Israel per new 2013 DST settings. [BNSF-21277]
Fix: Journaling to the Barracuda Message Archiver now accepts an IP address. [BNSF-13505]
Fix: Corrected handling of unicode characters in user whitelists. [BNSF-13751]
Fix: Reduced time to log into the web interface when the update server is not reachable. [BNSF-18333]
Fix: Improved handling of special characters such as '$' in the LDAP password for Single Sign-On users. [BNSF-19396]
Fix: All users are now able to view quarantine messages when a device is removed from a cluster. [BNSF-19567]
Fix: Viewing message bodies in a clustered environment no longer results in an error for some messages. [BNSF-21449]
Fix: Searching the outbound quarantine from a user's account no longer forces a logout. [BNSF-19775]
Fix: Repaired erroneous validation of the Message Log's Time Range filters. [BNSF-20218]
Fix: Repaired Time Range searches of Outbound messages in the Message Log. [BNSF-21273]
Fix: Message Log filter errors are now properly encoded. [BNSF-19968]
Fix: The Barracuda Spam & Virus Firewall Vx now displays the correct expiration date for Energize Updates subscriptions. [BNSF-20076]
Fix: The SNMP agent starts correctly on the Barracuda Spam & Virus Firewall Vx. [BNSF-19478]
Fix: Graceful shutdown via the power button now works in all cases. [BNSF-20706]
Fix: The "ping" command works as expected with IPv6. [BNSF-20726]
Fix: Performance statistics are now displayed when viewing the BASIC > Status page in the web interface page for the Chinese locale.
[BNSF-21156]
Backup
Enhancement: FTP backups now supports both active and passive modes. [BNSF-7762]
Fix: SMB shares are now always unmounted after a backup. [BNSF-19249]
Fix: Repaired display of backup files available via FTP. [BNSF-21332]
Cloud Control
Feature: The ADVANCED > Queue Management page is now available from Barracuda Cloud Control. [BNSF-19534]
Fix: Errors restoring backups are now propagated to the top level of the Barracuda Cloud Control tree. [BNSF-19534]
Fix: Repaired of links for running/completed tasks. [BNSF-20186, BNSF-20194]
Barracuda Outlook Add-in
This firmware version requires update of your Barracuda Outlook Add-in (see the USERS > User Features page) to version 6.0.40 or
later.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
18
Enhancement: Classification buttons are now available for public folders. [BNSF-20670]
Enhancement: The Alternate URL was removed from the ADM configuration in favor of auto-provisioning. [BNSF-20670]
Fix: The property page now shows correctly in Outlook 2007. [BNSF-21300]
Fix: The Add-in no longer fails to start if a localization is unavailable. [BNSF-21492]
Exchange Antivirus
Enhancement: Improved handling of corrupted virus definition updates. [BNSF-20648]
Fix: The Exchange Antivirus Agent now starts for all localized versions of Microsoft Exchange. [BNSF-19315]
Security
Fix: Resolved the following vulnerabilities:
High severity: Persistent XSS; unauthenticated; remotely exploitable. [BNSEC-2590]
High severity: Authentication bypass. [BNSEC-2625]
High severity: Information disclosure. [BNSEC-2816]
Medium severity: Unauthenticated; information disclosure. [BNSEC-1658]
Medium severity: Information disclosure. [BNSEC-2814]
Low - Medium severity: Persistent XSS; unauthenticated; authentication bypass. [BNSEC-2563]
Low severity: Persistent XSS; requires authentication; remotely exploitable. [BNSEC-220]
Low severity: Non-persistent XSS; requires authentication; remotely exploitable. [BNSEC-1052]
Fixed in Version 6.0.0
Version 6.0.0.029:
Mail Processing
Enhancement: Improved real-time detection of malformed attachments. [BNSF-21142].
Security
Fix: Resolved the following vulnerabilities:
High severity: Persistent XSS; unauthenticated; remotely exploitable. [BNSEC-1550 / BNSF-20929]
High severity: Persistent XSS; unauthenticated; remotely exploitable. [BNSEC-1650 / BNSF-20943]
Medium - High severity: Non-persistent XSS; unauthenticated [BNSEC-1251 / BNSF-20597]
Low - High severity: Persistent XSS; requires authentication. [BNSEC-391 / BNSF-19756]
Low - High severity: Non-persistent XSS; requires authentication [BNSEC-1068 / BNSF-20228]
Low - High severity: Requires authentication; information disclosure. [BNSEC-1706 / BNSF-20955]
Medium severity: Information disclosure. [BNSEC-107 / BNSF-17460]
Low - Medium severity: Unauthenticated; information disclosure. [BNSEC-1746 / BNSF-20978]
Low severity: Persistent XSS; requires authentication. [BNSEC-220 / BNSF-18321]
Low severity: Persistent XSS; requires authentication. [BNSEC-1702 / BNSF-20953]
Low severity: Non-persistent XSS; requires authentication. [BNSEC-1152 / BNSF-20394]
Low severity: Requires authentication; information disclosure. [BNSEC-1160 / BNSF-20396]
Low severity: [BNSEC-1383 / BNSF-20817]
Version 6.0.0.028:
Mail Processing
Enhancement: Access to Upgraded Barracuda Real Time Systems (BRTS). The Upgraded BRTS is significantly faster and leverages
additional lookups and faster detection operations. with this BRTS Upgrade, the Barracuda Spam Firewall can adapt to spam faster and
more accurately. [BNSF-20859]
Barracuda Outlook Add-in
This firmware version requires upgrade of your Barracuda Outlook Add-in (see the USERS > User Features page) to version 6.0.21 or later.
Web Interface
Fix: Firmware Upgrades no longer fail to show progress in some cases. [BNSF-20790]
Version 6.0.0.027:
Web Interface
Fix: The Search button returns the correct result set the first time it is clicked when using the 'Time' search filter. [BNSF-20591]
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
19
Fix: Time zone Upgrades for Chile and Paraguay per new 2013 DST settings. [BNSF-20522]
Version 6.0.0.018
Security
Enhancement: Per-User Allow and Block lists now check Envelope From and Header From. [BNSF-17727]
Fix: Reflective cross-site scripting issue in ADVANCED > Troubleshooting page. [BNSEC-1088]
Version 6.0.0.015
Security
Fix: Resolved issue with potential SSH access to unit when not deployed behind a firewall. To completely disable remote support
functionality, contact Barracuda Networks Technical Support. Reported by Stefan Viehck, SEC Consult Vulnerability Lab (https://www.se
c-consult.com). [BNSEC-767]
Version 6.0.0.007:
Backup
Feature: Improved backup user interface. [BNSF-19325]
Enhancement: Backup files are deleted upon successful completion of a backup. [BNSF-18628]
Enhancement: Restoring a backup no longer restores Advanced Network information. [BNSF-18957]
Enhancement: Configuration backups are now encrypted. [BNSF-19496]
Fix: Backup does not fail if there are special characters in the login name or password. [BNSF-14472]
Fix: SMB mounts are now automatically dismounted after a backup. [BNSF-14625]
Fix: Restoring a backup configuration now immediately processes mail for domains without requiring a Reload. [BNSF-19350]
Mail Processing
Enhancement: Disabling SMTP Over TLS at the system level no longer rejects domains which are required by the Domain-level Force
TLS settings. [BNSF-17474]
Enhancement: Spoof Protection now looks at headers in addition to the envelope content. [BNSF-17679, BNSF-15997]
Enhancement: Whitelisted messages are now flagged as whitelisted if Trusted Forwarders are configured on the BASIC > IP
Configuration page. [BNSF-17943]
Enhancement: Active directory default LDAP filter has been modified to reduce AD CPU load. [BNSF-17993]
Enhancement: Improved HIPAA medical term detection in email content. [BNSF-18390]
Enhancement: Malicious URL scanning now correctly scans all HTML attachments. [BNSF-18564]
Enhancement: TNEF files are now scanned for viruses. [BNSF-18921]
Enhancement: Added the ability to exempt email addresses and domains from encryption from the BASIC > Administration page.
[BNSF-18949]
Enhancement: Improved recipient verification performance if no Explicit Users are defined. [BNSF-19048]
Enhancement: Improved false positive detection in XLSX files for DLP settings. [BNSF-18738]
Enhancement: TLS can now be required for all incoming domains from the Domain-level ADVANCED > Email Protocol page.
[BNSF-19738]
Fix: Duplicate X-Barracuda-IPDD header lines are no longer added. [BNSF-15751]
Fix: Duplicate X-Barracuda-Registry header lines are no longer added. [BNSF-19829]
Fix: The Queue Management timestamp now matches the message log timestamp in all cases. [BNSF-19149]
Fix: Improved processing performance for large multipart text emails. [BNSF-19644]
Fix: Attachment filter now correctly detects video file types with altered extensions. [BNSF-18977]
Fix: LDAP routing will now enable alias rewriting if username/password are not set. [BNSF-19114]
Fix: URL inspection now correctly handles UTF-8 characters. [BNSF-19575]
Fix: Improved process monitoring of front end scanning engine. [BNSF-19675]
Fix: Appliance remains offline after a firmware upgrade if it is already in offline mode. [BNSF-18941, BNSF-19705]
Fix: Rate control settings for POP accounts are now applied correctly. [BNSF-19745]
Cloud Control
Enhancement: Added Users and Advanced pages to Barracuda Cloud Control administration. [BNSF-16098, BNSF-16288]
Enhancement: Passwords are masked in syslog output. [BNSF-16498]
Fix: Unicode characters can now be added to tables through the Barracuda Cloud Control. [BNSF-18087]
Reporting
Fix: Report performance has been optimized. [BNSF-16599, BNSF-17853]
Fix: Queue details now include the To address. [BNSF-17127, BNSF-18516]
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
20
Fix: LDAP failures are now sent to all email addresses when addresses include Unicode characters. [BNSF-18491]
Fix: Traffic reports are no longer sorted in reverse order. [BNSF-18673]
Web Interface
Feature: Improved syslog performance [BNSF-18033]
Feature: Destination Mail Servers can now be defined using an MX record. [BNSF-19358]
Enhancement: Syslog now logs 'Guest' logins. [BNSF-18102]
Enhancement: Improved webInterface performance. [BNSF-18378]
Enhancement: Improved search performance of message log in a clustered environment. [BNSF-17385, BNSF-18734]
Fix: Clustering is now removed from Running Tasks when complete. [BNSF-9554]
Fix: Changing the hostname or destination mail server now takes immediate effect. [BNSF-17616, BNSF-19279]
Fix: Adding a new domain now takes effect immediately without requiring a Reload. [BNSF-17673]
Fix: Resolved false notification of "old static routes on your system". [BNSF-17963]
Fix: Domain Admins can now set an end user to the HelpDesk role. [BNSF-18843]
Fix: Message log could fail to display under some circumstances. [BNSF-18921]
Fix: The Troubleshooting Telnet Utilities no longer omits the connection banner when telnetting to a mail server. [BNSF-19163]
Fix: Product tips no longer expand to the entire browser width. [BNSF-19669]
Fix: Message Log is no longer sorted based on the Queue Management sort. [BNSF-16315]
Fix: Product tips now properly expire [BNSF-19661]
Add-in
Feature: Outlook Add-in now supports Outlook 2013. [BNSF-19535]
Fix: Outlook Add-in no longer creates user accounts if quarantine is set to Global. [BNSF-18883]
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
21
Deployment Options
You can deploy your Barracuda Email Security Gateway behind your corporate firewall or in front of your corporate firewall in the DMZ. However,
for maximum security, Barracuda recommends deploying the Barracuda Email Security Gateway behind a corporate firewall as described
in Deployment Behind the Corporate Firewall.
Clustering two or more Barracuda Email Security Gateways makes sense if your organization requires high availability, scalability, data
redundancy and/or fault tolerance. Clustering also provides centralized management of policy because once you configure one of the devices,
configuration settings are synchronized across the cluster almost immediately. Clustered systems can be geographically dispersed and do not
need to be located on the same network.
Barracuda Networks recommends reviewing and determining the best deployment option for your network before continuing with installation.
In this Section
Deployment in the DMZ
Deployment Behind the Corporate Firewall
Clustering the Barracuda Email Security Gateway
Virtual Deployment
Public Cloud Hosting
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
22
Deployment in the DMZ
Barracuda Email Security Gateway in the DMZ
The figure below shows the Barracuda Email Security Gateway in front of your corporate firewall in the DMZ. In this example, the Mail Server has
an IP address of 64.5.5.6 and the Barracuda Email Security Gateway has an internal IP address of 64.5.5.5.
Figure 1: The Barracuda Email Security Gateway in the DMZ.
In this type of setup, perform the following tasks:
1. Assign an available external IP address to the Barracuda Email Security Gateway.
2. Change the MX (Mail Exchange) records on the DNS (Domain Name Server) to direct traffic to the Barracuda Email Security Gateway.
Create an A record and an MX record on your DNS for the Barracuda Email Security Gateway.
The following example shows a DNS entry for a Barracuda Email Security Gateway with a name of barracuda and an IP address of 64.5.5.5.
barracuda.yourdomain.com
IN
A
64.5.5.5
The following example shows the associated MX record with a priority number of 10:
IN MX 10 barracuda.yourdomain.com
Continue with Step 2 - Install the Barracuda Email Security Gateway.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
23
Deployment Behind the Corporate Firewall
The figure below shows the Barracuda Email Security Gateway behind your corporate firewall. In this example, the Mail Server has an IP address
of 10.10.10.2 and the Barracuda Email Security Gateway has an IP address of 10.10.10.3.
Figure 1: The Barracuda Email Security Gateway behind the corporate firewall.
In this type of setup, perform the following tasks:
1. Forward (port redirection) incoming SMTP traffic on port 25 to the Barracuda Email Security Gateway at 10.10.10.3.
2. Configure the Barracuda Email Security Gateway to forward filtered messages to the destination mail server at 10.10.10.2.
There is no need to modify any MX records for this type of setup.
Continue with Step 2 - Install the Barracuda Email Security Gateway.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
24
Clustering the Barracuda Email Security Gateway
Clustering two or more Barracuda Email Security Gateways makes sense if your organization requires high availability, scalability, data
redundancy and/or fault tolerance. Clustering also provides centralized management of policy because once you configure one of the devices,
configuration settings are synchronized across the cluster almost immediately. Clustered systems can be geographically dispersed and do not
need to be located on the same network.
For more information about setting up a cluster of Barracuda Email Security Gateways, see:
Benefits of Clustering the Barracuda Email Security Gateway - Explains features and benefits of clustering.
How to Cluster the Barracuda Email Security Gateway 7.x - Steps to deploy and configure a cluster.
How to Cluster the Barracuda Email Security Gateway 6.x - Steps to deploy and configure a cluster.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
25
Benefits of Clustering the Barracuda Email Security Gateway
Clustering Barracuda Email Security Gateways enables organizations to meet their high availability and fault tolerance requirements while also
providing centralized management of policy, scalability and data redundancy. Linking multiple Barracuda Email Security Gateways is easy to do
with a few parameter settings, and once you configure one of the devices, configuration settings are synchronized across the cluster almost
immediately. Clustered systems can be geographically dispersed and do not need to be located on the same network.
Centralized Policy Management
You can configure your spam, virus, and custom email delivery policies from any Barracuda Email Security Gateway in the cluster – all changes
are immediately replicated to the other Barracuda Email Security Gateways in the cluster.
Alternatively, you can designate one Barracuda Email Security Gateway as the “host” from which to perform administration of the cluster. To do
this, you would simply set that device to be the “Quarantine Host” and not direct any email traffic to it. There are two benefits to this configuration:
Enables you to tighten security by restricting Web interface access to only one Barracuda Email Security Gateway in the cluster
Optimizes performance of the Web interface by isolating it from the impact of spikes in email volume on the network
Figure 1: Centralized policy management.
Data Redundancy and Guaranteed Configuration Updates
Quarantined messages are replicated across the cluster such that each user has a primary quarantine inbox on one Barracuda Email Security
Gateway and a secondary inbox on another Barracuda Email Security Gateway. This redundancy and fault tolerance ensure that all user data
remains available if a single node in the cluster fails.
Barracuda Email Security Gateway clusters are also fault tolerant to temporary network failures or delays because all cluster events and updates
are queued on each node. Each individual Barracuda Email Security Gateways continues to process email independently and automatically
synchronizes quickly as network communications allow.
Federated Search
Clustering Barracuda Email Security Gateways provides you with a centralized view of all messages in a cluster through a distributed database
architecture. With federated search, you can locate any messages across the cluster by issuing a query from any single Barracuda Email Security
Gateway. Unlike centralized database architectures that involve network traffic for all processed messages, this distributed database architecture
restricts network traffic to only messages returned with query results.
Figure 2: Federated search across the cluster.
Scalability
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
26
Because Barracuda Email Security Gateway clustering leverages a distributed database architecture, it is very simple to implement and is easily
scalable. As your email traffic volume grows, you can simply add one or more additional Barracuda Email Security Gateways. Note that clustering
is supported on Barracuda Email Security Gateway models 400 and higher, and each Barracuda Email Security Gateway in the cluster must be
the same model.
Secure Access and Data Transmission
Barracuda Email Security Gateway clustering utilizes encrypted and secure communications for user access, message replication and
configuration synchronization across the cluster.
Limiting User Access
As mentioned above, you can choose to dedicate one Barracuda Email Security Gateway on the cluster as the “Quarantine Host” to limit users’
access to that node when checking their quarantine inboxes. In this configuration, quarantine notifications from all Barracuda Email Security
Gateways in the cluster will direct users to that Quarantine Host, and you would direct all email to the other nodes on the cluster.
Data transmission is always encrypted through SSL communication between Barracuda Email Security Gateways in the cluster. Secure
communication is controlled over defined TCP ports.
Restricted Access to Configuration
Transmission of configuration data between devices on the cluster is secured by a shared password, or “shared secret”, which the administrator
creates and assigns to every Barracuda Email Security Gateway. This prevents access to configuration parameters from other Barracuda Email
Security Gateways outside the cluster or other network devices.
To cluster Barracuda Email Security Gateways
Deploying clustered Barracuda Email Security Gateways is easy with the step-by-step instructions documented in the user interface. Every
Barracuda Email Security Gateway in a cluster must be the same model and have the same version of firmware installed. For complete detailed
instructions in the Barracuda TechLibrary, see How to Cluster the Barracuda Email Security Gateway.
Directing Email to the Cluster: Load Balancing
You can load balance incoming email directed to a cluster of Barracuda Email Security Gateways in one of two ways:
1. Use a Barracuda Load Balancer ADC to direct email into the cluster. The Barracuda Load Balancer ADC can distribute traffic based on
weighted round-robin, weight least connections, or adaptive scheduling methods that query each Barracuda Email Security Gateway for
load and distribute traffic accordingly.
2. Configure multiple DNS MX records. Generally, MX record load balancing will not distribute the traffic as evenly as a dedicated load
balancer.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
27
How to Cluster the Barracuda Email Security Gateway 7.x
Note that clustered systems can be geographically dispersed and do not need to be located on the same network. Important: Every
Barracuda Email Security Gateway in a cluster must meet the following requirements:
Be the same model (400 and above).
Have the same version of firmware installed.
Be configured for the same time zone.
Have a unique external IP address. This means that every Barracuda Email Security Gateway behind a NAT must have a
unique external IP address and must be reachable by that external IP address.
When replacing a failed system in a cluster, be sure to follow step #3 as described below under Removing a Barracuda Email
Security Gateway From a Cluster.
Set Up Clustered Systems
To cluster two Barracuda Email Security Gateways together, where one system is designated as "Barracuda1" and the other is designated
"Barracuda2", do the following:
1. Complete the installation process for each system as described in Step 2 - Install the Barracuda Email Security Gateway. Each
Barracuda Email Security Gateway in a cluster must be the same model# and be on exactly the same firmware version.
2. From the ADVANCED > Task Manager page on the Barracuda1 system, verify that no processes are running. Complete this step for the
Barracuda2 system as well. No processes should be running when you add a system to a cluster.
3. Configure the Barracuda2 system as you would like Barracuda1, and any other system you might add to the cluster, to be configured.
Make a backup of the configurations of each Barracuda Email Security Gateway.
4. From the ADVANCED > Clustering page on the Barracuda1 system, enter a Cluster Shared Secret password for the cluster, and click
Save.
5. Optional: In the Cluster Hostname field on Barracuda1, enter the DNS/hostname (FQDN) by which other Barracuda Email Security
Gateways in the cluster will attempt to communicate with this one. If this field is left blank, the IP address entered below will be used.
This field is also useful for limiting user access to a cluster - see Limiting Access to a Cluster below.
6. From the ADVANCED > Clustering page on the Barracuda2 system, do the following:
a. Enter the same Cluster Shared Secret password, and click Save.
b. Optionally enter the DNS/hostname (FQDN) in the Cluster Hostname field for Barracuda2.
c. In the Clustered Systems section, enter the IP address of the Barracuda1 system and click Join Cluster. At this point, the
configuration of the Barracuda1 system will automatically propagate to Barracuda2.
7. On each Barracuda system, refresh the ADVANCED > Clustering page, and verify that:
a. Each system’s IP address appears in the Clustered Systems list
b. The Connection Status of each server is green - see Figure 1 below.
8. Distribute the incoming mail traffic to each Barracuda Email Security Gateway using a Barracuda Load Balancer (preferred) or another
load balancing device, or by using multiple DNS MX records of equal priority.
Figure 1: Two servers in a cluster with a 'green' status.
Add a Barracuda Email Security Gateway to a Cluster
Begin by making a backup of the configuration of any system in the cluster, then perform these steps on the Barracuda Email Security Gateway
you want to add to the existing cluster:
1. Complete the installation process and ensure that the new Barracuda Email Security Gateway is the same model# and running the same
firmware version as all systems in the cluster.
2. From the ADVANCED > Task Manager page, verify that no processes are running. Do this on all other systems in the cluster as well.
3. From the ADVANCED > Clustering page, enter the Cluster Shared Secret password for the cluster, and click Save.
4. Optional: In the Cluster Hostname field, enter the DNS/hostname (FQDN) by which other Barracuda Email Security Gateways in the
cluster will attempt to communicate with this one.
5. On a Barracuda Email Security Gateway already in the cluster, change any value in the configuration and click Save. This ensures
proper synchronization of the configuration.
6. On the ADVANCED > Clustering page on the new Barracuda Email Security Gateway to be added to the cluster, enter the IP address
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
28
6.
of any system in the cluster in the Add System field and click the Join Cluster button. At this point, the configuration of the cluster will
automatically propagate to the newly added system.
Limiting End-user Access to the Cluster
You can choose to dedicate a single Barracuda Email Security Gateway as the Quarantine Host to serve up the end-user interface through
which users will access their quarantine inboxes, even though their actual quarantine inbox (primary or secondary) may be hosted by another
Barracuda Email Security Gateway in the cluster. By not directing email to the Quarantine Host, you can:
Enhance network security by limiting end-user access (port 8000 by default) and administration to only one Barracuda Email Security
Gateway on the Internet
Insulate the user interface performance from any peaks in email volume
To configure one Barracuda Email Security Gateway as the Quarantine Host, from the BASIC > Quarantine page, enter that system's hostname
in the Quarantine Host field.
Removing a Barracuda Email Security Gateway From a Cluster
1. Log into the system to be removed and change or clear the Cluster Shared Secret on the ADVANCED > Clustering page. Click Save
Changes. Changing the cluster shared secret prevents the systems in the cluster from communicating with one another.
2. On the same system, delete all other systems from the Clustered Systems list.
3. On any system that remains in the cluster, go to the ADVANCED > Clustering page. In the Clustered Systems list, delete the system
to be removed from the cluster. This step is very important when removing a failed Barracuda Email Security Gateway from a cluster.
Centralized Policy Management With a Quarantine Host
You can optionally designate one Barracuda Email Security Gateway as the "host" of the cluster such that all administration of configuration
settings and access to per-user quarantine for the cluster can only be accessed and set from that node. This option has two advantages: it
provides for additional security by limiting access to administration of the cluster, and it protects the user interface from mail processing load
since, with this configuration, you do not direct any email traffic to the host node.
To assign one Barracuda Email Security Gateway as the host of the cluster, enter the hostname of that device in the Quarantine Host field on the
BASIC > Quarantine page and do not direct any email to that device.
Redundancy of user quarantine data on the cluster
Each user account has a primary and backup server in the cluster. Regardless of how many Barracuda Email Security Gateways there are in the
cluster, there are always two appliances that have the same quarantine information (configuration and quarantine messages).
Data Not Synchronized Across the Cluster
Clustering provides 100% redundant coverage of the propagated data. However, for practical reasons, some data is not propagated to the other
clustered systems when a new system joins. Energize updates do not synchronize across systems in a cluster. The following Barracuda Email
Security Gateway configurations are considered unique and will not sync to match other Barracuda Email Security Gateways in a cluster:
IP Address, Subnet Mask, and Default Gateway (on the BASIC > IP Configuration page)
Primary DNS Server and Secondary DNS Server (on the BASIC > IP Configuration page)
Serial number (this will never change)
Hostname (on the BASIC > IP Configuration page)
Any advanced IP configuration (Barracuda Email Security Gateway 600 and above, on the ADVANCED > Advanced Networking page)
Administrator password
Guest password
Time Zone (on the BASIC > Administration page)
Cluster hostname (on the ADVANCED > Clustering page)
Cluster Shared Secret, though this must be the same for the cluster to work properly (on the ADVANCED > Clustering page)
Local Host Map (on the ADVANCED > Clustering page)
SMTP Welcome Banner (on the ADVANCED > Email Protocol page)
SMTP Port (on the BASIC > Outbound page)
Web Interface HTTP Port (on the BASIC > Administration page)
Web Interface HTTPS/SSL port (on the ADVANCED > Secure Administration page)
Any other secure administration configuration, including saved certificates (on the ADVANCED > Secure Administration page)
Quarantine Host (on the BASIC > Quarantine page)
All SSL/TLS information, including saved certificates (on the ADVANCED > Secure Administration page)
Whether to only display local messages in the message log (Only view local messages on the BASIC > Message Log > Preferences pa
ge)
Whether the latest release notes have been read
All customized branding (Barracuda Email Security Gateway 600 and above, on the ADVANCED > Appearance page)
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
29
How to Cluster the Barracuda Email Security Gateway 6.x
Note that clustered systems can be geographically dispersed and do not need to be located on the same network. Important: Every
Barracuda Email Security Gateway in a cluster must meet the following requirements:
Be the same model (400 and above).
Have the same version of firmware installed.
Be configured for the same time zone.
Have a unique external IP address. This means that every Barracuda Email Security Gateway behind a NAT must have a
unique external IP address and must be reachable by that external IP address.
See also: Benefits of Clustering the Barracuda Email Security Gateway
When replacing a failed system in a cluster, be sure to follow step #3 as described below under Removing a Barracuda Email
Security Gateway From a Cluster.
Set Up Clustered Systems
To cluster two Barracuda Email Security Gateways together, where one system is designated as "Barracuda1" and the other is designated
"Barracuda2", do the following:
1. Complete the installation process for each system as described in Step 2 - Install the Barracuda Email Security Gateway. Each
Barracuda Email Security Gateway in a cluster must be the same model# and be on exactly the same firmware version.
2. From the ADVANCED > Task Manager page on the Barracuda1 system, verify that no processes are running. Complete this step for the
Barracuda2 system as well. No processes should be running when you add a system to a cluster.
3. Configure the Barracuda2 system as you would like Barracuda1, and any other system you might add to the cluster, to be configured.
Make a backup of the configurations of each Barracuda Email Security Gateway.
4. From the ADVANCED > Clustering page on the Barracuda1 system, enter a Cluster Shared Secret password for the cluster, and click
Save Changes.
5. Optional: In the Cluster Hostname field on Barracuda1, enter the DNS/hostname (FQDN) by which other Barracuda Email Security
Gateways in the cluster will attempt to communicate with this one. If this field is left blank, the IP address entered below will be used.
This field is also useful for limiting user access to a cluster - see Limiting Access to a Cluster below.
6. From the ADVANCED > Clustering page on the Barracuda2 system, do the following:
a. Enter the same Cluster Shared Secret password, and click Save Changes.
b. Optionally enter the DNS/hostname (FQDN) in the Cluster Hostname field for Barracuda2.
c. In the Clustered Systems section, enter the IP address of the Barracuda1 system and click Join Cluster. At this point, the
configuration of the Barracuda1 system will automatically propagate to Barracuda2.
7. On each Barracuda system, refresh the ADVANCED > Clustering page, and verify that:
a. Each system’s IP address appears in the Clustered Systems list
b. The Connection Status of each server is green - see Figure 1 below.
8. Distribute the incoming mail traffic to each Barracuda Email Security Gateway using a Barracuda Load Balancer (preferred) or another
load balancing device, or by using multiple DNS MX records of equal priority.
Figure 1: Two servers in a cluster with a 'green' status.
Add a Barracuda Email Security Gateway to a Cluster
Begin by making a backup of the configuration of any system in the cluster, then perform these steps on the Barracuda Email Security Gateway
you want to add to the existing cluster:
1. Complete the installation process and ensure that the new Barracuda Email Security Gateway is the same model# and running the same
firmware version as all systems in the cluster.
2. From the ADVANCED > Task Manager page, verify that no processes are running. Do this on all other systems in the cluster as well.
3.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
30
3. From the ADVANCED > Clustering page, enter the Cluster Shared Secret password for the cluster, and click Save Changes.
4. Optional: In the Cluster Hostname field, enter the DNS/hostname (FQDN) by which other Barracuda Email Security Gateways in the
cluster will attempt to communicate with this one.
5. On a Barracuda Email Security Gateway already in the cluster, change any value in the configuration and click Save Changes. This
ensures proper synchronization of the configuration.
6. On the ADVANCED > Clustering page on the new Barracuda Email Security Gateway to be added to the cluster, enter the IP address
of any system in the cluster in the Add System field and click the Join Cluster button. At this point, the configuration of the cluster will
automatically propagate to the newly added system.
Limiting End-user Access to the Cluster
You can choose to dedicate a single Barracuda Email Security Gateway as the Quarantine Host to serve up the end-user interface through
which users will access their quarantine inboxes, even though their actual quarantine inbox (primary or secondary) may be hosted by another
Barracuda Email Security Gateway in the cluster. By not directing email to the Quarantine Host, you can:
Enhance network security by limiting end-user access (port 8000 by default) and administration to only one Barracuda Email Security
Gateway on the Internet
Insulate the user interface performance from any peaks in email volume
To configure one Barracuda Email Security Gateway as the Quarantine Host, from the BASIC > Quarantine page, enter that system's hostname
in the Quarantine Host field.
Removing a Barracuda Email Security Gateway From a Cluster
1. Log into the system to be removed and change or clear the Cluster Shared Secret on the ADVANCED > Clustering page. Click Save
Changes. Changing the cluster shared secret prevents the systems in the cluster from communicating with one another.
2. On the same system, delete all other systems from the Clustered Systems list.
3. On any system that remains in the cluster, go to the ADVANCED > Clustering page. In the Clustered Systems list, delete the system
to be removed from the cluster. This step is very important when removing a failed Barracuda Email Security Gateway from a cluster.
Centralized Policy Management With a Quarantine Host
You can optionally designate one Barracuda Email Security Gateway as the "host" of the cluster such that all administration of configuration
settings and access to per-user quarantine for the cluster can only be accessed and set from that node. This option has two advantages: it
provides for additional security by limiting access to administration of the cluster, and it protects the user interface from mail processing load
since, with this configuration, you do not direct any email traffic to the host node.
To assign one Barracuda Email Security Gateway as the host of the cluster, enter the hostname of that device in the Quarantine Host field on the
BASIC > Quarantine page and do not direct any email to that device.
Redundancy of user quarantine data on the cluster
Each user account has a primary and backup server in the cluster. Regardless of how many Barracuda Email Security Gateways there are in the
cluster, there are always two appliances that have the same quarantine information (configuration and quarantine messages).
Data Not Synchronized Across the Cluster
Clustering provides 100% redundant coverage of the propagated data. However, for practical reasons, some data is not propagated to the other
clustered systems when a new system joins. Energize updates do not synchronize across systems in a cluster. The following Barracuda Email
Security Gateway configurations are considered unique and will not sync to match other Barracuda Email Security Gateways in a cluster:
IP Address, Subnet Mask, and Default Gateway (on the BASIC > IP Configuration page)
Primary DNS Server and Secondary DNS Server (on the BASIC > IP Configuration page)
Serial number (this will never change)
Hostname (on the BASIC > IP Configuration page)
Any advanced IP configuration (Barracuda Email Security Gateway 600 and above, on the ADVANCED > Advanced Networking page)
Administrator password
Guest password
Time Zone (on the BASIC > Administration page)
Cluster hostname (on the ADVANCED > Clustering page)
Cluster Shared Secret, though this must be the same for the cluster to work properly (on the ADVANCED > Clustering page)
Local Host Map (on the ADVANCED > Clustering page)
SMTP Welcome Banner (on the ADVANCED > Email Protocol page)
SMTP Port (on the BASIC > Outbound page)
Web Interface HTTP Port (on the BASIC > Administration page)
Web Interface HTTPS/SSL port (on the ADVANCED > Secure Administration page)
Any other secure administration configuration, including saved certificates (on the ADVANCED > Secure Administration page)
Quarantine Host (on the BASIC > Quarantine page)
All SSL/TLS information, including saved certificates (on the ADVANCED > Secure Administration page)
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
31
Whether to only display local messages in the message log (Only view local messages on the BASIC > Message Log > Preferences pa
ge)
Whether the latest release notes have been read
All customized branding (Barracuda Email Security Gateway 600 and above, on the ADVANCED > Appearance page)
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
32
How to Cluster the Barracuda Email Security Gateway 5.x
Note that clustered systems can be geographically dispersed and do not need to be located on the same network. Important: Every
Barracuda Email Security Gateway in a cluster must meet the following requirements:
Be the same model (400 and above).
Have the same version of firmware installed.
Be configured for the same time zone.
Have a unique external IP address. This means that every Barracuda Email Security Gateway behind a NAT must have a
unique external IP address and must be reachable by that external IP address.
See also: Benefits of Clustering the Barracuda Email Security Gateway
Important
When replacing a failed system in a cluster, be sure to follow step #3 as described below under How to Remove a Barracuda Email
Security Gateway From a Cluster.
Set Up Clustered Systems
To cluster two Barracuda Email Security Gateways together, where one system is designated as "Barracuda1" and the other is designated
"Barracuda2", do the following:
1. Complete the installation process for each system as described in Step 2 - Install the Barracuda Email Security Gateway. Each
Barracuda Email Security Gateway in a cluster must be the same model# and be on exactly the same firmware version.
2. From the ADVANCED > Task Manager page on the Barracuda1 system, verify that no processes are running. Complete this step for the
Barracuda2 system as well. No processes should be running when you add a system to a cluster.
3. Configure the Barracuda2 system as you would like Barracuda1, and any other system you might add to the cluster, to be configured.
Make a backup of the configurations of each Barracuda Email Security Gateway.
4. From the ADVANCED > Clustering page on the Barracuda1 system, enter a Shared Secret password for the cluster, and click Save
Changes.
5. Optional: In the Cluster Hostname field on Barracuda1, enter the DNS/hostname (FQDN) by which other Barracuda Email Security
Gateways in the cluster will attempt to communicate with this one. If this field is left blank, the IP address entered below will be used.
This field is also useful for limiting user access to a cluster - see Limiting Access to a Cluster below.
6. From the ADVANCED > Clustering page on the Barracuda2 system, do the following:
a. Enter the same Shared Secret password, and click Save Changes.
b. Optionally enter the DNS/hostname (FQDN) in the Cluster Hostname field for Barracuda2.
c. In the Clustered Systems section, enter the IP address of the Barracuda1 system and click Join Cluster. At this point, the
configuration of the Barracuda1 system will automatically propagate to Barracuda2.
7. On each Barracuda system, refresh the ADVANCED > Clustering page, and verify that:
a. Each system’s IP address appears in the Clustered Systems list
b. The Connection Status of each server is green - see Figure 1 below.
8. Distribute the incoming mail traffic to each Barracuda Email Security Gateway using a Barracuda Load Balancer (preferred) or another
load balancing device, or by using multiple DNS MX records of equal priority.
Figure 1: Two servers in a cluster with a 'green' status.
Add a Barracuda Email Security Gateway to a Cluster
Begin by making a backup of the configuration of any system in the cluster, then perform these steps on the Barracuda Email Security Gateway
you want to add to the existing cluster:
1. Complete the installation process and ensure that the new Barracuda Email Security Gateway is the same model# and running the same
firmware version as all systems in the cluster.
2. From the ADVANCED > Task Manager page, verify that no processes are running. Do this on all other systems in the cluster as well.
3. From the ADVANCED > Clustering page, enter the Cluster Shared Secret password for the cluster, and click Save Changes.
4.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
33
4. Optional: In the Cluster Hostname field, enter the DNS/hostname (FQDN) by which other Barracuda Email Security Gateways in the
cluster will attempt to communicate with this one.
5. On a Barracuda Email Security Gateway already in the cluster, change any value in the configuration and click Save Changes. This
ensures proper synchronization of the configuration.
6. On the ADVANCED > Clustering page on the new Barracuda Email Security Gateway to be added to the cluster, enter the IP address
of any system in the cluster in the Add System field and click the Join Cluster button. At this point, the configuration of the cluster will
automatically propagate to the newly added system.
Secure the Cluster by Limiting End-user Access
You can choose to dedicate a single Barracuda Email Security Gateway as the Quarantine Host to serve up the end-user interface through
which users will access their quarantine inboxes, even though their actual quarantine inbox (primary or secondary) may be hosted by another
Barracuda Email Security Gateway in the cluster. By not directing email to the Quarantine Host, you can:
Enhance network security by limiting end-user access (port 8000 by default) and administration to only one Barracuda Email Security
Gateway on the Internet
Insulate the user interface performance from any peaks in email volume
To configure one Barracuda Email Security Gateway as the Quarantine Host, from the BASIC > Quarantine page, enter that system's hostname
in the Quarantine Host field.
How to Remove a Barracuda Email Security Gateway From a Cluster
1. Log into the system to be removed and change or clear the Cluster Shared Secret on the ADVANCED > Clustering page. Click Save
Changes. Changing the cluster shared secret prevents the systems in the cluster from communicating with one another.
2. On the same system, delete all other systems from the Clustered Systems list.
3. On any system that remains in the cluster, go to the ADVANCED > Clustering page. In the Clustered Systems list, delete the system to
be removed from the cluster. This step is very important when removing a failed Barracuda Email Security Gateway from a cluster.
Centralized Policy Management With a Quarantine Host
You can optionally designate one Barracuda Email Security Gateway as the "host" of the cluster such that all administration of configuration
settings and access to per-user quarantine for the cluster can only be accessed and set from that node. This option has two advantages: it
provides for additional security by limiting access to administration of the cluster, and it protects the user interface from mail processing load
since, with this configuration, you do not direct any email traffic to the host node.
To assign one Barracuda Email Security Gateway as the host of the cluster, enter the hostname of that device in the Quarantine Host field on the
BASIC > Quarantine page and do not direct any email to that device.
Redundancy of user quarantine data on the cluster
Each user account has a primary and backup server in the cluster. Regardless of how many Barracuda Email Security Gateways there are in the
cluster, there are always two appliances that have the same quarantine information (configuration and quarantine messages).
Data Not Synchronized Across the Cluster
Clustering provides 100% redundant coverage of the propagated data. However, for practical reasons, some data is not propagated to the other
clustered systems when a new system joins. Energize updates do not synchronize across systems in a cluster. The following Barracuda Email
Security Gateway configurations are considered unique and will not sync to match other Barracuda Email Security Gateways in a cluster:
IP Address, Subnet Mask, and Default Gateway (on the BASIC > IP Configuration page)
Primary DNS Server and Secondary DNS Server (on the BASIC > IP Configuration page)
Serial number (this will never change)
Hostname (on the BASIC > IP Configuration page)
Any advanced IP configuration (Barracuda Email Security Gateway 600 and above, on the ADVANCED > Advanced Networking page)
Administrator password
Guest password
Time Zone (on the BASIC > Administration page)
Cluster hostname (on the ADVANCED > Clustering page)
Cluster Shared Secret, though this must be the same for the cluster to work properly (on the ADVANCED > Clustering page)
Local Host Map (on the ADVANCED > Clustering page)
SMTP Welcome Banner (on the ADVANCED > Email Protocol page)
Web Interface HTTP Port (on the BASIC > Administration page)
Web Interface HTTPS/SSL port (on the ADVANCED > Secure Administration page)
Any other secure administration configuration, including saved certificates (on the ADVANCED > Secure Administration page)
Quarantine Host (on the BASIC > Quarantine page)
All SSL/TLS information, including saved certificates (on the ADVANCED > Secure Administration page)
Whether to only display local messages in the message log (Only view local messages on the BASIC > Message Log > Preferences pa
ge)
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
34
Whether the latest release notes have been read
All customized branding (Barracuda Email Security Gateway 600 and above, on the ADVANCED > Appearance page)
The Explicit Users To Accept For list, if enabled and used, on the ADVANCED > Explicit Users page. This is a global setting.
The Valid Recipients list on the DOMAINS > Manage Domain > USERS > Valid Recipients page. This is a per-domain setting.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
35
Virtual Deployment
Requirement
This virtual appliance requires a 64-bit capable host.
The Barracuda Email Security Gateway manages all inbound and outbound email traffic to protect organizations from email-borne threats and
data leaks. It includes the following features:
Secures inbound email traffic against inbound malware, spam, phishing, and Denial of Service attacks.
Offloads compute-intensive tasks to the cloud, like antivirus and DDoS filtering, to reduce processing load on the appliance and ensure
threats never reach the network perimeter.
Spools email for up to 96 hours using the Cloud Protection Layer, with an option to redirect traffic to a secondary server.
Ensures that every outbound email complies with corporate DLP policies using outbound filtering and quarantine capabilities.
Barracuda recommends reading Understand the Concepts before continuing with deployment.
Deploying Your Barracuda Email Security Gateway Vx
Complete the following steps to deploy your Barracuda Email Security Gateway Vx:
1.
2.
3.
4.
Deploy the Barracuda Email Security Gateway Vx image.
Allocate the cores, RAM, and hard disk space for your Barracuda Email Security Gateway Vx.
Set up the Barracuda Email Security Gateway Vx with the Vx Quick Start Guide.
Route email to the Barracuda Email Security Gateway Vx.
Managing Your Virtual Machine
Backing Up Your Virtual Machine System State
VMware Tools
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
36
How to Deploy Barracuda Email Security Gateway Vx Images
Barracuda offers the following types of images for the Barracuda Email Security Gateway Vx deployment. Follow the instructions for your hypervi
sor to deploy the Barracuda Email Security Gateway Vx appliance.
Image Type
Supported Hypervisors
OVF
VMware ESX and ESXi (vSphere Hypervisor) versions 4.x
VMWare ESX and ESXi (vSphere Hypervisor) versions 5.x and
6.x
Sun/Oracle VirtualBox and VirtualBox OSE version 3.2
VMX
VMware Server 2.x
VMWare Workstation 6.x, Player 3.x, and Fusion 3.x
XVA
Citrix XenServer 5.5+
VHD
Microsoft Hyper-V 2008 R2, 2012, 2012 R2, and 10
30 Day Evaluation
1. Visit https://www.barracuda.com/purchase/evaluation.
2. Choose the Barracuda Email Security Gateway Vx.
3. Download the image for your hypervisor from the Barracuda Virtual Appliance Download page. After the download is complete,
extract the files from the ZIP folder.
4. Deploy the virtual appliance image as described below. The procedure varies depending on your hypervisor.
Deploy OVF Images
VMware ESX and ESXi 4.x
Use the OVF file ending in -4x. ovf for this hypervisor .
1.
2.
3.
4.
5.
6.
7.
8.
9.
Download and expand the Barracuda Email Security Gateway Vx ZIP folder.
From the File menu in the vSphere Client, select Deploy OVF Template.
Select Import from file, navigate to the extracted folder, and locate the Barracuda Email Security Gateway Vx OVF file. Click Next.
Enter a name for the virtual appliance. Click Next.
Select the resource pool for your virtual appliance. Click Next.
Select a datastore and disk formats. Click Next.
Click Finish.
Follow the recommendations in Allocating Cores, RAM, and Hard Disk Space for Your Barracuda Email Security Gateway Vx.
On the Virtual Machines tab, right-click the Barracuda Email Security Gateway VM that you created. Select Power > Power On to run
it.
10. Follow the Barracuda Email Security Gateway Vx Quick Start Guide instructions to set up your virtual appliance.
VMware ESX and ESXi 5.x and 6.x
Use the OVF file ending in -5x.ovf or in -6x.ovf for this hypervisor .
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
Download and expand the Barracuda Email Security Gateway Vx ZIP folder.
Launch vSphere Client and select the appropriate host and resource pool.
From the File menu in the vSphere Client, select Deploy OVF Template.
Click Browse, navigate to the extracted folder, and select the Barracuda Email Security Gateway Vx OVF file. Click Next.
Verify that you are installing the correct Barracuda virtual appliance. Click Next.
Enter a name for the virtual appliance. Click Next.
Select the destination storage for the virtual machine. Click Next.
Select a disk format. To ensure maximum stability when deploying your Barracuda Vx appliance, specify the disk format as Thick
Provision Eager Zeroed. Click Next.
Map the network to the target network for this virtual appliance. Click Next.
Review the deployment options. Click Finish to deploy the virtual appliance.
Follow the recommendations in Allocating Cores, RAM, and Hard Disk Space for Your Barracuda Email Security Gateway Vx.
Locate the appliance within the appropriate virtual machine and resource pool. Select it and power it on by clicking the green arrow.
Click the Console tab. You can monitor the appliance as it is prepared for use.
Follow the Barracuda Email Security Gateway Vx Quick Start Guide instructions to set up your virtual appliance.
Sun/Oracle VirtualBox and VirtualBox OSE 3.2
Use the OVF file ending in -4x. ovf for this hypervisor .
1.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
37
1.
2.
3.
4.
5.
Download and expand the Barracuda Email Security Gateway Vx ZIP folder.
From the File menu in the VirtualBox client, select Import Appliance.
Navigate to the extracted folder and locate the Barracuda Email Security Gateway Vx OVF file.
Select the file and click Next.
On the Import Settings screen, follow the recommendations in Allocating Cores, RAM, and Hard Disk Space for Your Barracuda Email
Security Gateway Vx. Click Finish.
6. Start the appliance.
7. Follow the Barracuda Email Security Gateway Vx Quick Start Guide instructions to set up your virtual appliance.
Deploy VMX Images
VMware Server 2.x
Use the .vmx and .vmdk files for this hypervisor .
1. Download and expand the Barracuda Email Security Gateway Vx ZIP folder.
2. Navigate to the extracted folder and move the files ending in .vmx and .vmdk into a folder in your datastore (which you can locate from
the Datastores list on your server's summary page).
3. From the VMware Infrastructure Web Access client's Virtual Machine menu, select Add Virtual Machine to Inventory.
4. Navigate to the folder in your datastore used in step 2 and select the file ending in .vmx. Click OK.
5. Follow the recommendations in Allocating Cores, RAM, and Hard Disk Space for Your Barracuda Email Security Gateway Vx.
6. Start the appliance.
7. Follow the Barracuda Email Security Gateway Vx Quick Start Guide instructions to set up your virtual appliance.
VMware Workstation 6.x, Player 3.x, and Fusion 3.x
Use the .vmx file for this hypervisor.
1.
2.
3.
4.
5.
6.
7.
Download and expand the Barracuda Email Security Gateway Vx ZIP folder.
From the File menu, select Open a Virtual Machine.
Navigate to the extracted folder and select the file ending in .vmx.
Use the default settings and click Finish.
Follow the recommendations in Allocating Cores, RAM, and Hard Disk Space for Your Barracuda Email Security Gateway Vx.
Start the appliance.
Follow the Barracuda Email Security Gateway Vx Quick Start Guide instructions to set up your virtual appliance.
Deploy XVA Images
Citrix XEN Server 5.5+
Use the .xva file for this hypervisor. For XEN Server, you first import the virtual appliance template and then create a new virtual appliance based
on that template.
Step 1. Import the virtual appliance template:
1. Download and expand the Barracuda Email Security Gateway Vx ZIP folder.
2. From the File menu in the XenCenter client, select Import.
3. Click Browse, navigate to the extracted folder, and select the file ending in .xva. Click Next.
4. Select a server for the template. Click Next.
5. Select a storage repository for the template. Click Import.
6. Select a virtual network interface for the template. Click Next.
7. Review the template settings. Click Finish to import the template.
Step 2. Create a new virtual appliance:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
Right-click the virtual appliance template and select New VM wizard.
Select the virtual appliance template. Click Next.
Enter a name for the virtual appliance. Click Next.
For the DVD drive, select <empty>. Click Next.
Select a home server. Click Next.
Specify the number of virtual CPUs and memory for the virtual appliance. Follow the recommendations in Allocating Cores, RAM, and
Hard Disk Space for Your Barracuda Email Security Gateway Vx. Click Next.
Select a virtual disk. Click Next.
Select a virtual network interface. Click Next.
Review the virtual appliance settings. Click Create Now.
When the virtual appliance is ready, right-click it and then click Start.
Follow the Barracuda Email Security Gateway Vx Quick Start Guide instructions to set up your virtual appliance.
Deploy VHD Images
Microsoft Hyper-V 2008 R2, 2012, 2012 R2, and 10
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
38
Use the .vhd file for this hypervisor.
1. Download and expand the Barracuda Email Security Gateway Vx ZIP folder.
2. Launch the WinServerSetup.bat file located in the extracted folder. This batch file corrects a compatibility issue and takes less than a
minute to run.
3. Navigate to the extracted folder and verify that the HyperV folder contains the following subfolders:
Virtual Machines
Virtual Hard Disks
Snapshots
4. In Hyper-V Manager, right-click your VM host and select Import Virtual Machine.
5. On the Before You Begin page of the Import Virtual Machine wizard, click Next.
6. On the Locate Folder page:
a. Click Browse, navigate to the extracted folder, and select the HyperV folder. Click Select Folder.
b. Click Next.
7. On the Select Virtual Machine page, click Next.
8. On the Choose Import Type page, select Copy the virtual machine (created a new unique ID). Click Next.
9. On the Choose Destination: Choose Folders for Virtual Machine Files page, click Browse to search for the location where you want
to store the VM files. Click Next.
10. On the Choose Storage Folders: Choose Folders to Store Virtual Hard Disks page, click Browse to search for the location where
you want to store the virtual hard disks for the VM. Click Next.
11. For Microsoft Windows 10, you can modify the RAM and Hard Disk space allocations after completing step 12.
On the Configure Memory page, enter a size for the Startup RAM that meets the requirements at Allocating Cores, RAM, and Hard
Disk Space for Your Barracuda Email Security Gateway Vx. Keep the default settings for the other fields. Click Next.
12. On the Connect Network page, select the network interface that you want to use for management access of the VM. Click Next.
13. On the Summary page, verify that all the settings are correct. Click Finish.
14. For Microsoft Windows 10, go to the Actions pane and click on Settings under Barracuda Email Security Gateway. Under Hardware,
ensure that their is enough memory and hard disk space as specified in Allocating Cores, RAM, and Hard Disk Space for Your
Barracuda Email Security Gateway Vx.
15. Start your virtual appliance.
16. Follow the Barracuda Email Security Gateway Vx Quick Start Guide instructions to set up your virtual appliance.
To take advantage of Microsoft's VHDX support on Hyper-V 2012, 2012 R2, and 10, follow the instructions in How to Convert and
Replace a Barracuda Virtual Appliance VHD File with a VHDX Format File.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
39
Allocating Cores, RAM, and Hard Disk Space for Your Barracuda Email Security Gateway
Vx
Barracuda recommends the following settings for the initial deployment of your virtual appliance or when upgrading existing
installations.
Cores, RAM, and Hard Disk Space for the Barracuda Email Security Gateway Vx
Model
Cores
RAM - Recommended
Minimum
Hard Disk - Recommended
Minimum
100 Vx
1
2.5 GB
50 GB
300 Vx
2
5 GB
50 GB
400 Vx
4
10 GB
50 GB
600 Vx
6 (1)
15 GB
200 GB
800 Vx
12
24 GB
400 GB
900 Vx
24
48 GB
1 TB
1000 Vx
48(2)
96 GB
2 TB
Note:
(1)
To increase the performance of this model, you should plan on adding 2.5 GB of RAM for each additional core. Also plan to add
additional hard disk space. To purchase licenses for additional cores, contact your Barracuda sales representative.
(2)
Recommended value; can increase to an unlimited number of cores.
Allocating Cores
In your hypervisor, specify the number of cores to be used by the Barracuda Email Security Gateway Vx. Each Barracuda Email Security
Gateway Vx model can use only the number of cores specified in the table above. For example, if you assign 6 cores to the Barracuda Email
Security Gateway 300 Vx (which supports only 2 cores), the hypervisor disables the 4 extra cores that cannot be used.
To add cores to your appliance:
1. Shut down the Barracuda Email Security Gateway Vx in your hypervisor.
2. In the virtual machine CPU settings, add cores.
Your hypervisor license and version might limit the number of cores that you can specify for your appliance. In some cases, you must
add cores in multiples of two.
Allocating Hard Disk Space
Barracuda requires a minimum of 50 GB of hard disk space to run your Barracuda Email Security Gateway Vx. From your hypervisor, you can
specify the size of the hard disk or add a hard disk.
To specify the allocated hard disk space or add a hard disk to your appliance:
1.
2.
3.
4.
Shut down the Barracuda Email Security Gateway Vx in your hypervisor.
Take a snapshot of the virtual machine.
In the virtual machine settings, specify the new size for the hard disk or add a new hard disk.
Restart the virtual machine. As the appliance is booting up, view the console for Barracuda Email Security Gateway Vx. When the blue
Barracuda console screen appears and asks if you want to use the additional hard disk space, enter Yes.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
40
If you do not respond to the prompt in 30 seconds, the answer defaults to No . Resizing can take several minutes, depending on the
amount of hard disk space specified.
Next Step
For instructions on how to set up the Barracuda Email Security Gateway Vx, see the Barracuda Email Security Gateway Vx Quick Start Guide.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
41
Barracuda Email Security Gateway Vx Quick Start Guide
Before You Begin
Deploy the Barracuda Email Security Gateway Vx on your hypervisor. You only need a single virtual NIC on your virtual appliance.
Step 1. Open Network Address Ranges and Ports on Firewall
If your Barracuda Email Security Gateway Vx is located behind a firewall, open the following Barracuda network address ranges for the ports
shown in the table below on your firewall to ensure proper operation:
64.235.144.0/20
198.207.200.0/22
209.222.80.0/21
Port
Direction
TCP
UDP
Usage
25
In/Out
Yes
No
Email and email bounces
53
Out
Yes
Yes
Domain Name Service
(DNS). Verify that the
DNS servers can resolve
updates.cudasvc.com
.
80
Out
Yes
No
Virus, firmware, and
spam rule updates
123
Out
No
Yes
Network Time Protocol
(NTP)
443
Out
Yes
No
HTTPS/SSL port used for
initial VM provisioning
and access to updates.
cudasvc.com*
*You can disable the initial provisioning port after the initial provisioning process is complete.
When deploying the Barracuda Email Security Gateway Vx, you must also configure your firewall to allow ICMP traffic from the Barracuda Email
Security Gateway Vx to outside servers.
Step 2. Start Your Virtual Appliance, Configure the Network Settings, and Enter the License
You should have received your Barracuda Vx license token via email or from the website when you downloaded the Barracuda Email Security
Gateway Vx package. If not, you can request an evaluation on the Barracuda website at https://www.barracuda.com/purchase/evaluation or
purchase one from https://www.barracuda.com/purchase/index. The license token looks similar to the following: 01234-56789-ACEFG.
1. Log in to the console as admin with the password admin.
2. Navigate to TCP/IP Configuration.
3. Enter the following IP information (you can edit these fields later on the BASIC > IP Configuration page in the product web interface):
IP Address - This IP address identifies the Barracuda Email Security Gateway Vx to your organization's network.
Netmask - The sub-network mask (subnet mask or netmask) provides a simple way to limit which other devices on the network
can access the Barracuda Email Security Gateway Vx directly.
Default Gateway - The default gateway is the internal network device the Barracuda Email Security Gateway Vx connects to to
reach the parts of the internal network it cannot access directly within its subnet.
Primary DNS Server - The primary domain name system (DNS) server contains a database of network device names and their
corresponding Internet address hosts. DNS servers allow you to identify devices by name instead of by address.
Secondary DNS Server - The secondary DNS server acts as a backup to the primary.
4. Under Licensing enter your Barracuda License Token and Default Domain to complete provisioning. The appliance will reboot as a
part of the provisioning process.
Step 3. Accept the End User License Agreement and Verify Configuration
1. Go to http://<configured IP address for the Barracuda Email Security Gateway>:8000 to access the web interface.
2. Read through the End User License Agreement. Scroll down to the end of the agreement.
3. Enter the required information: Name, Email Address, and Company (if applicable). Click Accept. You are redirected to the Login
page.
4. Log into the Barracuda Email Security Gateway Vx web interface as the administrator:
Username: admin Password: admin
5.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
42
5. Go to the BASIC > IP Configuration page and verify that the following settings are correct:
IP Address
Subnet Mask
Default Gateway
Primary DNS Server
Secondary DNS Server
6. Enter the Server Name/IP of the destination email server where you want the Barracuda Email Security Gateway Vx to deliver mail.
For example: type: mail.<yourdomainname>.com
7. Enter the Default Hostname.
For example: <yourhost>
The host name is added to bounce messages.
8. Enter the Default Domain.
For example: <yourcompanydomain.com>
The domain is added to bounce messages and reports.
9. Under Allowed Email Recipient Domain(s), enter each domain for which you want the Barracuda Email Security Gateway Vx to
receive email.
The Barracuda Email Security Gateway Vx rejects all incoming email that is addressed to domains that are not specified here.
Step 4. Update the Firmware
The product Firmware is the software running all of the features and functions on the Barracuda Email Security Gateway Vx.
Firware Update
Firmware updates always require a reboot of the Barracuda Email Security Gateway Vx. To minimize interruptions, Barracuda
Networks recommends updating the firmware after peak business hours.
Go to the ADVANCED > Firmware Update page. Compare the Current Installed Version to the Latest General Release. If there is a new Late
st General Release available, perform the following steps to update the system firmware:
1. Click Download Now next to the firmware version that you want to install. To view the download progress, click Refresh. When the
download is complete, the Refresh button is replaced by the Apply Now button.
2. Click Apply Now to install the firmware. The firmware installation takes several minutes to complete.
After the firmware is applied, the Barracuda Email Security Gateway Vx automatically reboots. The login page is displayed when the
system comes back up.
3. Log back into the web interface and read the Release Notes to learn about enhancements and new features. It is also good practice to
verify settings that you have already entered, because new features might have been included with the firmware update.
For more information, see Product Activation and Update Firmware.
Step 5. Change the Administrator Password
To prevent unauthorized use, change the default administrator password to a more secure password. Go to the BASIC > Administration page,
enter your old and new passwords, and click Save Password. This changes the administrator password for the web interface.There is also a
separate administrator account for the console. This password can be changed as well by navigating to System and entering the old and new
passwords.
Step 6. Verify the Barracuda Email Security Gateway Vx Configuration
After you install your Barracuda Email Security Gateway Vx and configure your firewall, you can test the configuration. Go to the ADVANCED >
Troubleshooting page. In the Network Connectivity Tests section, enter updates.cudasvc.com in the Ping Device box and click Begin
Ping. The Barracuda Email Security Gateway sends ping packets to the updates.cudasvc.com server. The results are displayed in a popup
window. If your Vx is able to transmit and receive all of the ping packets without packet loss, your virtual appliance is configured correctly to
access the Internet.
Next Step
Your Barracuda Email Security Gateway Vx is now activated, able to send and receive network traffic, and is running the latest firmware. You're
ready to begin setting up the Vx to filter spam, viruses, malware, and spyware from incoming email. To begin this configuration, go to Configure
the Web Interface .
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
43
Route Email to the Barracuda Email Security Gateway Vx
There are two common options for routing email to the Barracuda Email Security GatewayVx:
Port Forwarding: Change the port forwarding settings on your corporate firewall to route incoming email to your Barracuda Email Security
GatewayVx.
MX Records: Create a DNS entry for your Barracuda Email Security GatewayVx and change your DNS MX record to route incoming
email to the Barracuda. Typically, this is done at your DNS server or through your DNS service.
Example: DNS Entry for Barracuda Email Security Gatewaybarracuda.barracudanetworks.com IN A 66.233.233.88
Example: Modified MX Record IN MX 10 barracuda.barracudanetworks.com
Note: some DNS servers cache information for up to 7 days, so it may take time for your email to be routed to the new MX record. To route
OUTGOING mail through the Barracuda Email Security GatewayVx, you must configure Outbound Relay operation on the ADVANCED >
Outbound page.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
44
Backing Up Your Virtual Machine System State
Virtual machine environments generally provide a snapshot capability, which captures the state of a system as it's running. Once a snapshot is
created, you can perform additional operations on the system and revert to the snapshot in the case of disaster recovery (or for any other
reason). Because this feature is so powerful, Barracuda strongly recommends performing a snapshot at certain points in time:
Before upgrading the Barracuda product firmware.
Before making major changes to your configuration (this makes taking a snapshot a convenient undo mechanism).
After completing and confirming a large set of changes, such as initial configuration.
As a periodic backup mechanism.
Before taking a snapshot, Barracuda strongly recommends powering off the virtual machine. This step is particularly important if you
are using Microsoft Hyper-V as your virtual machine environment.
Barracuda Networks recommends that you review your virtual environment documentation regarding the snapshot capabilities and be familiar
with their features and limitations.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
45
Public Cloud Hosting
The Barracuda Email Security Gateway manages all inbound and outbound email traffic to protect organizations from email-borne threats and
data leaks. As a complete email management solution, organizations can encrypt messages and leverage the cloud to spool email if mail servers
become unavailable. For more information about the Barracuda Email Security Gateway, see Barracuda Email Security Gateway - Overview.
Cloud hosting of the Barracuda Email Security Gateway virtual machine is currently supported on:
Amazon Web Services (AWS)
Microsoft Azure
VMware vCloud Air Deployment
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
46
Amazon Web Services
Follow instructions below to purchase or get an evaluation of the Barracuda Email Security Gateway on Amazon Web Services. After purchasing
or obtaining an evaluation through Amazon, continue with How to Deploy the Barracuda Email Security Gateway on Amazon Web Services.
Before you begin
1. Create an Amazon Web Services account.
2. Create a Virtual Private Cloud (VPC) on Amazon Web Services. See Creating a VPC, Internet Gateway and Subnet.
3. Choose either the BYOL or Hourly/Metered licensing option:
Bring Your Own License (BYOL) – This option involves first obtaining a Barracuda Email Security Gateway license token, either by:
Providing the required information for a free evaluation at https://www.barracuda.com/purchase/evaluation OR
Purchasing online at https://www.barracuda.com/purchase/ . With this license option, there will be no Barracuda Email Security
Gateway Software charges, but Amazon Elastic Compute Cloud (Amazon EC2) usage charges on Amazon will be
applicable.
Barracuda offers the same three models for both the Hourly/Metered and BYOL options as shown below. After obtaining your license
token, visit the AWS Marketplace to continue the process.
Hourly / Metered – In this licensing option, you complete the purchase/evaluation of the Barracuda Email Security Gateway entirely
within the AWS Marketplace. Once the instance is launched, it will be provisioned automatically. In this option, you will be charged hourly
for both the Barracuda Email Security Gateway Software and Amazon Elastic Compute Cloud (Amazon EC2) usage on Amazon.
For pricing information, see the AWS Marketplace. Barracuda offers the same three models for both the Hourly/Metered and BYOL
options as shown below.
Barracuda Email Security Gateway Virtual Appliance Instance Types on AWS
The table below lists the available Barracuda Email Security Gateway virtual appliance models, the corresponding Instance Type to be used in
Amazon Web Services and the default CPU and Memory for the instance. You'll select the Instance Type in the next step in How to Deploy the
Barracuda Email Security Gateway on Amazon Web Services.
Barracuda Email
Security Gateway
Model
Old Instance Types
BSF Cloud Edition –
Level 3
m1.medium, m3.medium
BSF Cloud Edition –
Level 4
m1.large, m3.large
BSF Cloud Edition –
Level 6
m1.xlarge, m3.xlarge
New Instance Types
vCPU
Memory
t2.small
1
3.7 GB
t2.medium, t2.large,
m4.large, c4.large
2
7.5 GB
m4.xlarge, m4.2xlarge,
c4.xlarge, c4.2xlarge
4
15 GB
Important
If you need to add additional storage space after deployment, due to the Amazon Web Services (AWS) structure, the only current
option is to redeploy and restore the configuration on a larger instance.
Next Step
Continue with How to Deploy the Barracuda Email Security Gateway on Amazon Web Services for instructions on installation and configuration.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
47
How to Deploy the Barracuda Email Security Gateway on Amazon Web Services
The Barracuda Email Security Gateway can be deployed as a virtual appliance in the Amazon cloud. To launch a Barracuda Email
Security Gateway using Amazon Web Services, follow the steps in this guide to upload the Barracuda Email Security Gateway
virtual appliance using your existing Amazon Web Services account. Then, continue with the Barracuda Email Security Gateway
Quick Start Guide for Amazon Web Services for licensing and initial configuration of your virtual appliance. Amazon Web Services
charges apply. For more information, see Amazon's monthly pricing calculator at http://calculator.s3.amazonaws.com/calc5.html.
Create a Persistent Public IP Address for Your Barracuda Email Security Gateway
When an instance of your Barracuda Email Security Gateway appliance is created, a public IP address is associated with the instance. However,
this IP address can change if the instance is stopped. To create a persistent IP address, see Configuring an Elastic IP Address for an Instance.
Launch the Barracuda Email Security Gateway Instance on Amazon Web Services
1. From the Amazon Web Services (AWS) Management Console:
a. Log into the AWS Management Console and open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
b. From the top right corner of the page, select the region for the instance. This is important because some Amazon EC2 resources
can be shared between regions.
2. Click Launch Instance.
3. In Step 1: Choose an Amazon Machine Image (AMI) page, select AWS Marketplace and search for the Barracuda Email Security
Gateway AMI. Click Select next to the Barracuda Email Security Gateway AMI.
4. In Step 2: Choose an Instance Type page, select an instance type from the All Instance types or General purpose table. Click Next:
Configure Instance Details to continue.
See the Amazon Web Services article to verify the recommended instance type for your Barracuda Email Security Gateway
sizing. Select the recommended instance type. Important: If you need to add additional storage space after deployment, due
to the Amazon Web Services (AWS) structure, the only current option is to redeploy and restore the configuration on a larger
instance.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
48
5. In Step 3: Configure Instance Details page:
a. Enter the Number of instances you want to launch.
b. Select the appropriate Network from the list.
c. Select the appropriate Subnet from the list, or keep the default subnet.
d. In the Advanced Details pane, keep the default setting for all parameters and click Next: Add Storage.
6. In Step 4: Add Storage page, the table displays the storage device settings for the instance. Modify the values if required and click Next
: Tag Instance.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
49
7. In Step 5: Tag Instance page, add/remove the tags for the instance (if required).
8. In Step 6: Configure Security Group page, choose Select an existing security group to select and assign the security group(s) from
the existing list, or choose Create a new security group to create a new group (refer to Creating a Security Group on Amazon Web
Services for more information). Click Review and Launch.
By default, the Barracuda Email Security Gateway web interface listens on port 8000 for HTTP and port 443 for HTTPS. Make
sure these ports (8000 and 443) are added to the Inbound Rule of the security group associated with the Barracuda Email
Security Gateway. Also add the port(s) through which you configure the Service(s) for this instance.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
50
9. In Step 7: Review Instance Launch page, review your settings before launching the instance, and then click Launch.
Amazon Web Services now provisions the Barracuda Email Security Gateway. Allow a few minutes for the Amazon Web Services Agent and the
Barracuda Email Security Gateway virtual machine to boot up.
DO NOT restart the Barracuda Email Security Gateway while it is launching.
Continue with Barracuda Email Security Gateway Quick Start Guide for Amazon Web Services to license and configure your virtual appliance.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
51
Barracuda Email Security Gateway Quick Start Guide for Amazon Web Services
Make sure you have completed the steps in the article How to Deploy the Barracuda Email Security Gateway on Amazon Web
Services before continuing with the instructions below.
The Licensing of the Barracuda Email Security Gateway after launching on Amazon Web Services (AWS) section is not required
when the Barracuda Email Security Gateway is deployed using Hourly / Metered licensing option. You can skip to the Verify
Configuration and Change the Password section.
Licensing of the Barracuda Email Security Gateway after launching on Amazon Web Services (AWS)
After launching the Barracuda Email Security Gateway on the Amazon Web Services, the next step is licensing. To complete the licensing and
provisioning of your Barracuda Email Security Gateway:
1. Sign in to the Amazon Web Services Portal.
2. Open the EC2 Management Console, and then click Instances.
3. In the Instances table, select the Barracuda Email Security Gateway instance you created and note the Public DNS address.
4. Open the browser and enter the copied Public DNS (from step 3) with port 8000 for HTTP. No port is required for HTTPS. For example:
For HTTP:
http://<Public DNS>:8000 (Unsecured)
For HTTPS:
https://<Public DNS> (Secured)
The Barracuda Email Security Gateway virtual machine is not accessible via HTTPS port when it is booting up. Therefore, it is
recommended to use ONLY HTTP port to access the unit when booting. This displays the status of the unit i.e., System
Booting. Once the boot process is complete, the user will be redirected to the login page.
If you deployed the Barracuda Email Security Gateway with the Hourly/Metered option, you do not need to license the system;
skip ahead to the Verify Configuration and Change the Password section below.
5. After the boot process is complete, the Licensing page displays with the following options:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
52
I Already Have a License Token – Use this option to provision your Barracuda Email Security Gateway with the license token
obtained from Barracuda Networks. Enter your Barracuda Networks Token and Default Domain to complete licensing, and then
click Provision.
The Barracuda Email Security Gateway connects to the Barracuda Update Server to get the required information based on your
license, and reboots automatically. Allow a few minutes for the reboot process. Once the instance is provisioned, you are
redirected to the login page.
I Would Like to Purchase a License – Use this option to purchase the license token for the Barracuda Email Security
Gateway. Provide the required information in the form, accept the terms and conditions, and click Purchase.
The Barracuda Email Security Gateway connects to the Barracuda Update Server to get the required information based on your
license, and reboots automatically. Allow a few minutes for the reboot process. Once the instance is provisioned, you are
redirected to the login page.
I Would Like to Request a Free Evaluation – Use this option to get 30 days free evaluation of the Barracuda Email Security
Gateway. Provide the required information in the form, accept the terms and conditions, and click Evaluate.
The Barracuda Email Security Gateway connects to the Barracuda Update Server to get the required information based on your
license, and reboots automatically. Allow a few minutes for the reboot process. Once the instance is provisioned, you are
redirected to the login page.
Verify Configuration and Change the Password
1. Log into the Barracuda Email Security Gateway appliance web interface as the administrator using the IP address and port as described
in step 4 of Licensing of the Barracuda Email Security Gateway after deploying on Amazon Web Services above. Log in with:
a. Username: admin
b. Password: Instance ID of your Barracuda Email Security Gateway in Amazon Web Services.
2. Navigate to the BASIC > Administration page and enter your old password, new password, and re-enter the new password. Click Save
Password.
3. Navigate to the BASIC > IP Configuration page and complete the following:
a. Verify that the IP Address, Subnet Mask, and Default Gateway are correct.
b. Enter the Server Name/IP of your destination email server where you want the Barracuda Email Security Gateway to deliver
mail. For example,
type: mail.<yourdomainname>.com
c. Verify that the Primary and Secondary DNS Server are correct.
d. Enter Default Hostname and, if you are using Hourly/Metered licensing option, Default Domain. The Host Name appears in
reports, alerts, notifications and messages sent by the Barracuda Email Security Gateway. The Default Domain is the domain for
the system and is appended to the Host Name. For example,
<yourcompanydomain.com>
This is the name that will be associated with bounced messages.
e. Under Allowed Email Recipient Domain(s), enter each domain for which the Barracuda Email Security Gateway will receive
email. Note that the Barracuda Email Security Gateway will reject all incoming email addressed to domains not specified here.
Continue with Configure the Web Interface.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
53
Configuring an Elastic IP Address for an Instance
When an instance of your Barracuda Email Security Gateway virtual appliance is created, a public IP address is associated with the instance.
That public IP address changes if the instance is stopped or terminated. However, you can assign a persistent public IP address to the instance
using Elastic IP addressing, resolving this issue. For more information, see the Amazon Web Services article Elastic IP Addresses.
Allocating an Elastic IP Address to the Barracuda Email Security Gateway Instance
1. Log into the Amazon EC2 Management Console.
2. From the EC2 dashboard, select Elastic IPs under NETWORK & SECURITY.
3. Click Allocate New Address. Click Yes, Allocate to confirm and allocate a new IP address. A random Public IP gets generated and
displayed in the Allocate New Address table.
Associating the Elastic IP Address with the Barracuda Email Security Gateway Instance
1. In the Allocate New Address table, right click on the new IP address and select Associate.
2. In the Associate Address window, do the following:
a. Select the Instance and the Private IP Address of the instance from the respective lists.
OR
b. Select a Network Interface and the Private IP Address from the respective lists.
c. Select the Allow Reassociation check box.
3. Click Yes, Associate.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
54
Creating a Security Group on Amazon Web Services
Security groups control the access to an instance by enabling you to make rules specifying the protocols, ports and source IP ranges permitted to
reach the instance. Multiple security groups can be created with different rules, and assigned to each instance. For more information on security
groups, see the AWS article Amazon EC2 Security Groups.
1. From the EC2 dashboard, select Security Groups under NETWORK & SECURITY.
2. Click Create Security Group.
3. In the Create Security Group window, do the following:
a. Enter a name to identify the security group.
b. Specify the description for the security group.
c. Select a VPC ID from the list and click Yes, Create.
4. The created group appears in the security group table.
5. Select the security group from the table, and specify the inbound and outbound traffic to be allowed for the instance.
By default, the Barracuda Email Security Gateway web interface listens on port 8000 for HTTP and port 443 for HTTPS. Make sure
these ports (8000 and 443) are added in the Inbound rule of the security group associated with the Barracuda Email Security Gateway.
Also, add the port(s) through which you configure the Service(s) for this instance.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
55
Creating a VPC, Internet Gateway and Subnet
Follow the steps below to create an Amazon Virtual Private Cloud (VPC), an Internet Gateway and a Subnet on Amazon Web Services (AWS).
Step 1 – Create the Amazon VPC Cloud
A Virtual Private Cloud (VPC) is an isolated virtual network on Amazon Web Services (AWS) Cloud where you can launch AWS resources, such
as Amazon EC2 instances. When creating a VPC, the IP address(es) should be in the form of Classless Inter-Domain Routing (CIDR) block (for
example, 10.0.0.0/16). In a VPC, you can select your own IP address range, create subnets, configure routing tables and network gateways.
The VPC cannot be larger than /16.
For more information about CIDR notation, refer to Classless Inter-Domain Routing on Wikipedia. For information about the number of VPCs that
you can create, refer to Amazon VPC Limits.
Perform the steps below to create a VPC:
1. Go to the AWS Management Console.
2. In the Compute & Networking section, click VPC.
3. From the VPC Dashboard, select Your VPCs under VIRTUAL PRIVATE CLOUDS.
4. Click Create VPC.
5. In the Create VPC dialog box, do the following:
a. Enter the IP address in the CIDR Block field.
b. Select Default from the Tenancy drop-down list.
6. Click Yes, Create.
Step 2 - Add an Internet Gateway to the VPC
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
56
By default, the instances launched on the Virtual Private Cloud (VPC) cannot communicate with the internet until an Internet Gateway is created
and attached to the VPC.
Perform the following steps to add an internet gateway to your VPC:
1. From the VPC Dashboard, select Internet Gateways under VIRTUAL PRIVATE CLOUDS.
2. Click Create Internet Gateway.
3. In the Create Internet Gateway dialog box, click Yes, Create.
4. Select the internet gateway created in the above step, and then click Attach to VPC.
5. Select the VPC that you created in Step 1, and then click Yes, Attach.
Step 3 - Add a Subnet to the VPC
Perform the following steps to add a subnet to your VPC:
1. From the VPC Dashboard, select Subnets under VIRTUAL PRIVATE CLOUDS.
2. Click Create Subnet.
3. In the Create Subnet dialog box, do the following:
a. Select the created VPC from the VPC drop-down list.
b. Select the availability zone that your VPC resides from the Availability Zone drop-down list.
c. Specify the IP address(es) in the CIDR Block field.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
4. Click Yes, Create.
Continue with the licensing process on Amazon Web Services.
Copyright © 2017, Barracuda Networks Inc.
57
Barracuda Email Security Gateway Administrator's Guide - Page
58
Routing Mail Through Amazon Web Services
In order to preserve the quality of the Amazon Web Services environment for sending email, Amazon Web Services enforces default limits on the
amount of email that can be sent from EC2 accounts. Before you put your Barracuda Email Security Gateway into production, you need to
request Amazon Web Services to remove the default email sending limits.
To do so, visit https://portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/ec2-email-limit-rdns-request, sign into your Amazon Web
Services account and fill in the three required fields on the form, as shown in Figure 1 below. While you await a response to the request, you can
send small amounts of test email through the Barracuda Email Security Gateway.
Important
If you do not take this step, you may experience large queues of mail and/or deferred mail that will eventually be delivered, but may be
delayed.
Here is a recommended, generic Use Case Description that you might use in the form:
We are putting the Barracuda Email Security Gateway into a production environment and, as such, require consistent mail delivery.
Figure 1. Amazon Web Services form to request removal of email sending limitations
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
59
Disk Expansion on Amazon Web Services
Virtual machines (VMs) deployed from Amazon Marketplace prior to April 28, 2015 do not support Disk Expansion. If you deployed
prior to this date and want to expand the disk, you must re-deploy using the latest VM AMI available in the Amazon Marketplace.
Perform the steps below to expand the disk of the deployed Barracuda Email Security Gateway on Amazon Web Services.
Step 1: Note the disk size of the Barracuda Email Security Gateway and stop the instance
1. Log into the AWS EC2 Management Console.
2. From the EC2 dashboard, select Instance under INSTANCES.
3. In the Instances table, select the Barracuda Email Security Gateway for which you want to increase the disk size and note the following:
a. Instance ID
b. Availability Zone
c. EBS ID by clicking on the Root device value.
4. If the instance is running, ensure you shut down the instance by following the steps below:
a. Right click on the instance, select Instance Settings and then select Change Shutdown Behavior.
b. In the Change Shutdown Behavior window, select Stop from the Shutdown behavior list and click Apply.
5. If the Shutdown behavior is already set to Stop, then choose Cancel.
Step 2: Create a Snapshot of the Volume
1. From the EC2 dashboard, select Volumes under ELASTIC BLOCK STORE.
2. In the search filter, enter the EBS ID noted in step 3.c under Step.1: Note the disk size of the Barracuda Email Security Gateway and
stop the instance.
3. Right click on the volume, and select Create Snapshot.
4. In the Create Snapshot window, enter a name and description, and click Create.
5. Note the snapshot ID.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
60
5.
Step 3: Create a New Volume for the Snapshot
1.
2.
3.
4.
From the EC2 dashboard, select Snapshots under ELASTIC BLOCK STORE.
In the search filter, enter the snapshot ID noted in step 5 under Step.2: Create a Snapshot of the Volume.
Right click on the snapshot when Status displays completed, and click Create Volume.
In the Create Volume window, do the following:
a. Select the desired volume type and enter a new volume size.
b. Ensure the Availability Zone matches the instance Availability Zone noted in step 3.b under Step.1: Note the disk size of the
Barracuda Email Security Gateway and stop the instance.
c. Click Create.
5. Note the volume ID.
Step 4: Detach the Old Volume from the Instance
1. From the EC2 dashboard, select Volumes under ELASTIC BLOCK STORE.
2. In the search filter, enter the EBS ID noted in step 3.c under Step.1: Note the disk size of the Barracuda Email Security Gateway and
stop the instance.
3. Right click on the volume, and select Detach Volume.
4. In the Detach Volume window, click Yes, Detach to confirm.
Step 5: Attach the New Volume to the Instance
1.
2.
3.
4.
From the EC2 dashboard, select Volumes under ELASTIC BLOCK STORE.
In the search filter, enter the volume ID noted in step 5 under Step.3: Create a New Volume for the Snapshot.
Right click on the volume, and select Attach Volume.
In the Attach Volume window, do the following:
a. Enter the name or instance ID in the Instance field, and select the instance noted in step 3.a under Step.1: Note the disk size of
Copyright © 2017, Barracuda Networks Inc.
4.
Barracuda Email Security Gateway Administrator's Guide - Page
61
a.
the Barracuda Email Security Gateway and stop the instance.
b. Ensure the device name is /dev/xvda.
c. Click Attach.
Step 6: Restart the Instance to Apply the New Volume
1. From the EC2 dashboard, select Instance under INSTANCES.
2. In the Instances table, select the Barracuda Email Security Gateway instance to which the new volume was attached in step 4 under Ste
p.5: Attach the New Volume to the Instance.
3. Right click on the instance, select Instance State and then select Start.
4. In the Start Instances window, choose Yes, Start. If the instance fails to start, and the volume being expanded is a root volume, verify
that you attached the expanded volume using the same device name as the original volume, i.e /dev/xvda.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
62
VMware vCloud Air Deployment
vCloud® Air™ is a public cloud platform built on the trusted foundation of vSphere, compatible with your on-premises data center, that includes
infrastructure, disaster recovery, and various applications as service offerings. You can migrate your existing onsite Barracuda Email Security
Gateway Vx virtual machine(s) to the public cloud or start up a new Barracuda Email Security Gateway Vx directly in the cloud. For more
information about the Barracuda Email Security Gateway, see Barracuda Email Security Gateway - Overview.
Follow instructions below to purchase or get an evaluation of the Barracuda Email Security Gateway on vCloudAir. After purchasing or obtaining
an evaluation, continue with How to Deploy the Barracuda Email Security Gateway in VMware vCloud Air.
BYOL Licensing
The Barracuda Email Security Gateway Vx is available on vCloud Air through the Bring Your Own License (BYOL) option only.
To get started, you must first acquire a Barracuda Email Security Gateway license token either by:
Free evaluation:
1. Go to https://www.barracuda.com/purchase/evaluation, and select Barracuda Email Security Gateway from the Select a Product drop-d
own menu.
2. Enter the number of email users (employees).
3. Enter your contact information and corporate details, and then click Submit Request.
4. You will be contacted and supplied the free evaluation license token.
5. Download and extract the Barracuda Email Security Gateway vCloud Air package from the Barracuda Download Portal.
Online Purchase
1.
2.
3.
4.
5.
6.
Go to https://www.barracuda.com/purchase, and select Barracuda Email Security Gateway from the Product drop-down menu.
Select the model and configuration options.
Enter your contact, billing, and shipping information.
Verify your order and read and accept the Terms & Conditions, and then click Submit Request.
You will be contacted and supplied the purchased Barracuda Email Security Gateway Vx license token.
Download and extract the Barracuda Email Security Gateway vCloud package from the Barracuda Download Portal.
Barracuda Email Security Gateway Vx Models Supported
The Barracuda Email Security Gateway Vx 100, 300, 400 and 600 are available to deploy on VMWare vCloud Air. To ensure proper sizing of your
Barracuda Email Security Gateway instance, see Allocating Cores, RAM, and Hard Disk Space for Your Barracuda Email Security Gateway Vx.
Continue with How to Deploy the Barracuda Email Security Gateway in VMware vCloud Air.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
63
How to Deploy the Barracuda Email Security Gateway in VMware vCloud Air
This article applies to new Barracuda Email Security Gateway installations in VMware vCloud Air. For more information on vCloud
Air, refer to VMware vCloud Suite.
Upload the Barracuda Email Security Gateway Package as a vApp Template
You must install the VMware OVF tool to complete the steps in this section. The VMware OVF tool is available for Windows 32-bit and
64-bit, Linux 32-bit and 64-bit, and Mac OS X. This article describes how to install the tool on Linux and upload the Barracuda OVA
package. For details on installing the tool on other supported platforms, refer to the VMware OVF Tool Documentation.
Use the following steps to install the VMware OVF tool on Linux and upload the Barracuda OVA package:
1. Log in to https://my.vmware.com/web/vmware/login, and go to the Product Download page.
2. Download and install the latest Linux version of OVF Tool to your Linux host.
3. On your Linux system, open a terminal window and run the following command:
ovftool --sourceType="OVA" --vCloudTemplate="false" "Source_Location"
"vcloud://@vCloud_Director_Hostname?vdc=Org_vDC&org=Organization_Name&vappTemplate=Name_For_Uploaded
_File&catalog=Organization_Catalog_Name"
Where:
Parameter
Description
Example
sourceType
Source file type; OVA is the required
Barracuda package source file type
OVA
vCloudTemplate
Set to false to create a vApp template
only; must be set to false for Barracuda
packages
false
Source_Location
Barracuda OVA package source file
download location
/home/user1/Downloads/Barracuda
BSF-vm4.2.6-fw2.6.2.1-20160105.
ova
vCloud_Director_Hostname
vCloud Air region URL
uk-slough-1-6.vchs.vmware.com
vdc
Target Virtual Data Center (vDC) where
you want to upload the package
Platform_Team
org
Organization name; available from your
vCloud Director URL
aa66669c-d35b-444d-b570-23aase5
eag5f
vappTemplate
Name for uploaded Barracuda OVA
package
BarracudaBSF-vm4.2.6-fw2.6.2.120160105
catalog
vCloud Air catalog name where you want
to upload the Barracuda package
Test1_catalog
For example:
ovftool --sourceType="OVA" --vCloudTemplate="false"
"/home/user1/Downloads/BarracudaBSF-vm4.2.6-fw2.6.2.1-20160105.ova"
"vcloud://@uk-slough-1-6.vchs.vmware.com?vdc=Platform_Team&org=aa66669c-d35b-444d-b570-23aase5eag5f&
vappTemplate=BarracudaBSF-vm4.2.6-fw2.6.2.1-20160105&catalog=Test1_catalog"
4. When prompted, enter your vCloud account Username and Password, and press Enter.
5. In the Barracuda End User License Agreement (EULA) page, read the agreement and scroll to the end of the page. Type yes to
accept the license agreement, and press Enter to begin uploading the package.
6. Allow the upload to complete.
Deploy the Barracuda Email Security Gateway Package to vCloud
1.
2.
3.
4.
In VMware vCloud Director, click the Home tab, and then click the Select vApp from Catalog sub-tab.
In the Select vApp Template page, click the All Templates tab, and click on the uploaded template.
Click Next .
In the Accept Licenses page, review the license agreement, select I agree and accept the above license agreements, and then
click Next.
5. In the Select Name and Location page, enter a name and description to identify your vApp; note that a vApp is a cloud computer
system that contains multiple virtual machines.
6.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
64
6. Select the virtual datacenter where you want to deploy your virtual machine, and then click Next.
7. In the Configure Resources page, select the Storage Policy, and then click Next.
8. In the Configure Networking page, select Switch to the advanced networking workflow , and configure the following settings:
a. Verify the Computer Name.
b. Verify VMXNET 3 is selected as the Network Adapter type .
c. Select the Internet access network adapter under Network.
The IP address must be assigned statically through the console as described in the Barracuda Email Security
Gateway Quick Start Guide on vCloud Air.
9. Click Next.
10. In the Advanced Networking page, click Next to accept the settings.
11. In the Customize Hardware page, select the Number of virtual CPUs, Cores per socket, Total memory, and Hard Disks based on
your Barracuda Email Security Gateway license.
12. Click Next.
13. In the Ready to Complete page, review your vApp settings, and then click Finish.
14. VMware vCloud Director displays the Home tab with the new vApp. Once the vApp status changes from Creating to Stopped you can
set up the Barracuda Email Security Gateway Vx.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
65
Barracuda Email Security Gateway Quick Start Guide on vCloud Air
This article assumes you have completed the steps in How to Deploy the Barracuda Email Security Gateway in VMware vCloud Air.
Step 1. Configure Network Address Translation and Firewall Rules
1. Open up the virtual machine console to see the private IP address of your instance, You can fetch a public IP address by clicking on Gat
eways> Public IPs. The next step is to map the public (external) IP address to the private IP address of your instance by creating a NAT
rule.
2. Create a NAT rule to reach your Barracuda Email Security Gateway from the Internet (e.g. map it to the public IP address). To do this, go
to Administration > Cloud Resources > Virtual Data Centers > VDC1 > Edge Gateways and right-click on the gateway. Select Edge
Gateway Services and click the NAT tab.
Note that in the initial setup, you need to edit the Firewall tab to enable all ports (or at least the critical ones) and to enable
DHCP on the edge gateway.
3. Go to the vCloud Air console and enter both the license token you received when you purchased your Barracuda Email Security
Gateway, and your default domain, to provision the Barracuda Email Security Gateway:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
66
4. To access your Barracuda Email Security Gateway, enter the public IP address and port in a browser, like this: <IP address>:<port>.
Example: 10.1.2.3:8000. Log in as admin / admin:
Step 2. Accept the End User License Agreement, Verify Configuration, and Change Password
1. Read through the End User License Agreement and scroll to the bottom.
2. Enter the required information: Name, Email Address, and Company (if applicable). Click Accept. You will be redirected to the login
page.
3. To prevent unauthorized use, change the default administrator password to a more secure password. You can only change the
administrator password for the web interface. Go to the BASIC > Administration page and enter your old password, new password, and
re-enter the new password.
4. Enter the Server Name/IP of the destination email server where you want the Barracuda Email Security Gateway to deliver mail.
For example: type: mail.<yourdomainname>.com
5. Enter Default Host Name in the Domain Configuration section of the page. The Host Name will be used in reporting and displays in
alerts, notifications and messages sent by the Barracuda Email Security Gateway. The Default Domain is the domain for the system
and is appended to the Host Name.
For example: <yourhost>
6. Enter the Default Domain.
For example: <yourcompanydomain.com>
7. Under Allowed Email Recipient Domain(s), enter each domain for which you want the Barracuda Email Security Gateway to receive
email.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
67
The Barracuda Email Security Gateway rejects all incoming email that is addressed to domains that are not specified here.
Step 3. Verify the Barracuda Email Security Gateway Configuration
After you install your Barracuda Email Security Gateway, test the configuration by going to the ADVANCED > Troubleshooting page and
pinging updates.barracudacentral.com.
Continue with the Configure the Barracuda Email Security Gateway From the Web Interface section of Step 5 - Configure the Web Interface.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
68
Microsoft Azure
Virtual machines (VMs) deployed through Azure Gallery prior to mid February, 2015 do not support Disk Expansion. If you
deployed prior to this time period and want to expand the disk, you must re-deploy the VM using the latest VM image available in A
zure Gallery.
See also: Microsoft Azure Restrictions and Limitations
Microsoft Azure is a public cloud service, with instances that use one virtual network interface with a dynamic IP address per virtual appliance. Th
e Barracuda Email Security Gateway can be deployed as a virtual appliance in the Microsoft Azure cloud to protect your email server from spam,
virus, spoofing, phishing and spyware attacks. Outbound filtering and encryption options also prevent confidential or sensitive information from
being purposely or inadvertently leaked outside the organization.
Licensing Options
The Barracuda Email Security Gateway is available on Microsoft Azure with the Bring Your Own License (BYOL) and Hourly / Metered options
.
Bring Your Own License (BYOL)
With the Bring Your Own License (BYOL) option, you are required to get the Barracuda Email Security Gateway license token, either by:
Providing the required information for a free evaluation at https://www.barracuda.com/purchase/evaluation OR
Purchasing online at https://www.barracuda.com/purchase.
With this license option, there will be no Barracuda Email Security Gateway Software charges, but Microsoft Azure usage charges
on Microsoft will be applicable.
You can either begin with the free evaluation OR purchase the Barracuda Email Security Gateway license directly after deploying the VM
or when accessing the VM web interface for the first time.
BYOL Models and Instance Types
For BYOL, the Barracuda Email Security Gateway virtual appliance is available in three sizes on Microsoft Azure. The following table lists each
size level with their corresponding instance type, cores, and memory allocated to each instance type. You'll select the Instance Type in the next
step in How to Deploy the Barracuda Email Security Gateway on Microsoft Azure. If you want to increase the performance of a license that you
have already purchased, you can buy additional cores from Barracuda and reconfigure for a larger instance type.
Supported Instance Type
in Microsoft Azure
Cores
Memory
Level 3 - (A1)
1
1.7 GB
Level 4 - (A2)
2
3.5 GB
Level 6 - (A3)
4
7 GB
You are limited to 1.7 GB of memory when deploying a Level 3 (A1) instance in Microsoft Azure. This limitation should not affect the
operation of the Barracuda Email Security Gateway when deployed in this environment. Also note that, if you need to add additional
storage:
For Barracuda virtual machines purchased through the Microsoft Azure Marketplace as of February 2015, you must create a
new attached drive. See How to add Additional Storage to your Azure Deployment.
For earlier deployments, you cannot attach new storage.
Hourly / Metered
With the Hourly/Metered licensing option, you complete the purchase or evaluation of the Barracuda Email Security Gateway entirely within the
Microsoft Azure gallery. After the instance is launched, it is provisioned automatically. You are charged hourly for both the Barracuda Spam
Software and Microsoft Azure usage on Microsoft.
Hourly / Metered Model and Instance Types
For more information on supported instance types, Default vCPU, Default Memory and Hourly pricing, refer to Barracuda Email Security Gateway
Pricing Details.
If you want to increase the performance of an existing VM, configure it with a larger instance type on Microsoft Azure and you will be charged
accordingly by Microsoft. The VM will automatically be reconfigured by Microsoft with the resources and capabilities of the larger instance type.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
69
Before You Begin
If your organization does not have an Azure account, go to the Microsoft Azure purchase options page, and follow the onscreen instructions.
Create an Azure Virtual Network
1. Log into your Microsoft Azure Management Portal.
2. In the left pane, click NETWORKS, and then click NEW at the bottom of the screen.
3. Click NETWORK SERVICES > VIRTUAL NETWORK > CUSTOM CREATE. The CREATE A VIRTUAL NETWORK window appears.
4. On the Virtual Network Details page:
a. Enter a unique name in the Name field. For example, AzureVirtualNet
b. Select a location from the LOCATION drop-down list. The virtual network can only be used for Azure instances in this
geographic region. E.g., South Central US
c. Click Next
5. (Optional) On the DNS Servers and VPN Connectivity page, select or enter your DNS SERVERS.
6. Click Next
7. On the Virtual Network Address Spaces page, configure the ADDRESS SPACE:
a. STARTING IP: Enter the first IP address of the address space you want to use.
b. CIDR: Select the subnet mask for the virtual network. The maximum number of instances for a virtual network are listed in
parentheses.
8. Add a SUBNET:
a. STARTING IP: Enter the first IP address of the subnet.
b. CIDR: Select the subnet mask for the subnet.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
70
9. Click Next
The created virtual network gets displayed in the VIRTUAL NETWORKS lists.
Next Step
Continue with How to Deploy the Barracuda Email Security Gateway in the New Microsoft Azure Management Portal for instructions on
installation and configuration.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
71
How to Deploy the Barracuda Email Security Gateway on Microsoft Azure
This guide walks you through the steps to deploy and provision the Barracuda Email Security Gateway on Microsoft Azure.
Microsoft Azure charges apply. For more information, see the Microsoft Azure Pricing Calculator. Important: If you need to add
additional storage after deployment:
For Barracuda virtual machines purchased through the Microsoft Azure Marketplace as of February 2015, you must create a
new attached drive.
For earlier deployments, you cannot attach new storage.
In this article
Before You Begin
Deploy and Provision the Barracuda Email Security Gateway
Next Step
Before You Begin
If your organization does not have an Azure account, go to the Microsoft Azure purchase options page, and follow the onscreen instructions to
create an account.
Deploy and Provision the Barracuda Email Security Gateway
1. Log into the Microsoft Azure Management Portal.
2. Click Marketplace at the bottom of the screen.
3. In the Marketplace window, select Virtual Machines and enter Barracuda Email Security Gateway in the text field.
4. Mouse over the search result and select Barracuda Email Security Gateway (BYOL or Hourly/Metered as per your requirement). Read
the product overview, and then click Create.
Copyright © 2017, Barracuda Networks Inc.
4.
Barracuda Email Security Gateway Administrator's Guide - Page
72
If you want to deploy a BYOL image, select the Barracuda Email Security Gateway (BYOL) image.
5. On the Create VM page:
a. Enter the host name in the HOST NAME field.
b. Enter a username in the USER NAME field . This entry is not used by the Barracuda Email Security Gateway.
c. Under Authentication Type, choose SSH Public Key or Password based on your selection. Note that this entry will not be used
by the Barracuda Email Security Gateway.
d. Select the PRICING TIER based on your requirement.
e. In the OPTIONAL CONFIGURATION section, do the following:
i. AVAILABILITY SET - Configure as per your requirement.
ii. NETWORK - Configure the network in which you want to deploy the Barracuda Email Security Gateway. Ensure it is in
the same network as your web servers.
iii. STORAGE ACCOUNT - Select an existing storage account or create a storage account
iv. ENDPOINTS - By default, port 8000 (TCP) and port 443 (TCP) will be opened as endpoints to access the web interface
of the Barracuda Email Security Gateway. Port 25 (TCP) is also opened by default. Configure additional endpoints if
needed on the Barracuda Email Security Gateway.
v. EXTENSIONS - Do not add any extension, as the Barracuda Email Security Gateway does not support extensions.
f. Select a group in RESOURCE GROUP.
g. Choose the subscription for the instance and click Create.
h.
Read the legal terms in the Buy page and click Buy to complete the deployment.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
73
After clicking Buy, Microsoft Azure begins provisioning the Barracuda Email Security Gateway. You can check the status of provisioning from the
Microsoft Azure Portal. Allow a few minutes before taking any further actions in the Portal. During this time, the Microsoft Azure Linux Agent and
Barracuda Email Security Gateway image boot up.
Make sure you do not restart the Barracuda Email Security Gateway while it is provisioning.
Next Step
Continue with the Barracuda Email Security Gateway Quick Start Guide on Microsoft Azure.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
74
Barracuda Email Security Gateway Quick Start Guide on Microsoft Azure
Virtual machines (VMs) deployed through Azure Gallery prior to mid February, 2015 do not support Disk Expansion. If you
deployed prior to this time period and want to expand the disk, you must re-deploy the VM using the latest VM image available in
Azure Gallery. See How to add Additional Storage to your Azure Deployment .
Make sure you have completed the steps in the article How to Deploy the Barracuda Email Security Gateway in the New Microsoft
Azure Management Portal before continuing with the instructions below.
Licensing of Barracuda Email Security Gateway after deploying on Microsoft Azure
If you deployed the Barracuda Email Security Gateway with the Hourly/Metered option, you do not need to license the system; skip
ahead to Verify Configuration and Change the Password.
After provisioning the Barracuda Email Security Gateway on Microsoft Azure, the next step is licensing. After you deploy the Barracuda Email
Security Gateway image on the Microsoft Azure environment, do the following:
1. Sign in to the Microsoft Azure Portal.
2. Go to the VIRTUAL MACHINES and click on the Barracuda Email Security Gateway instance you created, noting down the DNS.
3. Open the browser and enter the copied DNS (from step 2) with port 8000 for HTTP. No port is required for HTTPS. For example:
For HTTP
For HTTPS
: http://<DNS>:8000
: https://<DNS>
The Barracuda Email Security Gateway virtual machine is not accessible via HTTPS port when it is booting up. Therefore, it is
recommended to use ONLY HTTP port to access the unit when booting. This displays the status of the unit i.e., System
Booting. Once the boot process is complete, the user will be redirected to the login page.
4. After the boot process is complete, the Licensing page displays with the following options:
If you already have a license token, click on that option and enter your Token and Default Domain, and then click Provision.
The Barracuda Email Security Gateway connects to the Barracuda Update Server to get the required information based on your
license, then reboots automatically. Allow 5 or more minutes for the reboot process.
a. I Already Have a License Token – Use this option to provision your Barracuda Email Security Gateway with the license token
you have already obtained from Barracuda Networks. Enter your Barracuda Networks Token and Default Domain to complete
licensing, and then click Provision.
The Barracuda Email Security Gateway connects to the Barracuda Update Server to get the required information based on your
license, and then reboots automatically. Allow a few minutes for the reboot process. Once the instance is provisioned, you are
redirected to the login page.
b. I Would Like to Purchase a License – Use this option to purchase the license token for the Barracuda Email Security
Gateway. Provide the required information in the form, accept the terms and conditions, and click Purchase. The Barracuda
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
75
Email Security Gateway connects to the Barracuda Update Server to get the required information based on your license, and
then reboots automatically. Allow a few minutes for the reboot process. Once the instance is provisioned, you are redirected to
the login page.
c. I Would Like to Request a Free Evaluation – Use this option to get 30 days free evaluation of the Barracuda Email Security
Gateway. Provide the required information in the form, accept the terms and conditions, and click Evaluate. The Barracuda
Email Security Gateway connects to the Barracuda Update Server to get the required information based on your license, and
then reboots automatically. Allow a few minutes for the reboot process. Once the instance is provisioned, you are redirected to
the login page.
Verify Configuration and Change Password
After provisioning of the Barracuda Email Security Gateway is complete, you will see the login page:
1. Log into the Barracuda Email Security Gateway appliance web interface as the administrator:
Username: admin Password: admin
2. To prevent unauthorized use, change the default administrator password to a more secure password. You can only change the
administrator password for the web interface. Go to the BASIC > Administration page and enter your old password, new password, and
re-enter the new password.
3. Enter the Server Name/IP of the destination email server where you want the Barracuda Email Security Gateway to deliver mail.
For example: type: mail.<yourdomainname>.com
4. Enter Default Host Name in the Domain Configuration section of the page. The Host Name will be used in reporting and displays in
alerts, notifications and messages sent by the Barracuda Email Security Gateway. The Default Domain is the domain for the system
and is appended to the Host Name.
For example: <yourhost>
5. Enter the Default Domain.
For example: <yourcompanydomain.com>
6. Under Allowed Email Recipient Domain(s), enter each domain for which you want the Barracuda Email Security Gateway to receive
email.
The Barracuda Email Security Gateway rejects all incoming email that is addressed to domains that are not specified here.
Update the Firmware
Go to the ADVANCED > Firmware Update page. If there is a new Latest General Release available, perform the following steps to update the
system firmware:
1. Click Download Now next to the firmware version that you want to install. To view the download progress, click Refresh. When the
download is complete, the Refresh button is replaced by the Apply Now button.
2. Click Apply Now to install the firmware. The firmware installation takes several minutes to complete.
After the firmware is applied, the Barracuda Email Security Gateway virtual machine automatically reboots. The login page is displayed
when the system comes back up.
3.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
76
3. Log back into the web interface and read the Release Notes to learn about enhancements and new features. It is also good practice to
verify settings that you have already entered, because new features might have been included with the firmware update.
For more information, see Product Activation and Update Firmware.
Verify the Barracuda Email Security Gateway Configuration
After you install your Barracuda Email Security Gateway virtual machine and configure your firewall, you can test the configuration. Go to the AD
VANCED > Troubleshooting page and ping updates.barracudacentral.com.
Next Step
Continue with the Configure the Barracuda Email Security Gateway From the Web Interface section of Step 5 - Configure the Web Interface.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
77
How to add Additional Storage to your Azure Deployment
Virtual machines (VMs) deployed through Azure Gallery prior to mid February, 2015 do not support Disk Expansion. If you
deployed prior to this time period and want to expand the disk, you must re-deploy the VM using the latest VM image available in
Azure Gallery.
1. Log in to the Microsoft Azure Portal.
2. Click Browse, and then click Virtual Machines:
3. Click on the Instance where you want to increase storage:
4. At the top of the pane, click Settings:
5. Click Disks:
6. click Attach New:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
78
7. Enter the disk size as per your requirement.
8. Set Host Caching to None:
9. Click OK:
10. Once the task is complete, go to Settings of the selected Instance, and then click Restart:
During the reboot process, the Barracuda VM provisions the additional storage. This can take some time depending on the
region where your virtual machine is located and the amount of provisioned storage.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Copyright © 2017, Barracuda Networks Inc.
79
Barracuda Email Security Gateway Administrator's Guide - Page
80
How to Deploy the Barracuda Email Security Gateway in the New Microsoft Azure Management Portal
This guide walks you through the steps to deploy and provision the Barracuda Email Security Gateway on Microsoft Azure using either the Azure
Resource Manager Model or the Classic Model.
Deploying and Provisioning the Barracuda Email Security Gateway Using the Azure Resource Manager Model
Perform the following steps to deploy and provision the Barracuda Email Security Gateway using Resource Manager in the new Microsoft Azure
portal:
1.
2.
3.
4.
Log into the Microsoft Azure Management Portal.
Click Marketplace at the bottom of the screen.
In the Everything page, enter Barracuda Email Security Gateway in the text field.
In the search results, select Barracuda Email Security Gateway (BYOL or PAYG as per your requirement).
5. In the Bring Your Own License enabled/Free Trial enabled page:
a. Read the product overview.
b. Select Resource Manager as a deployment model from the Select a deployment model drop-down list.
c. Click Create.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
81
6. In the Create virtual machine > 1 Basics page:
a. Name: Enter a name for the virtual machine.
b. User name: Enter a username. Note: This entry is not used by the Barracuda Email Security Gateway.
c. Authentication Type: Choose Password and enter a password for the authentication. Note that this will be your password to
access the Barracuda Email Security Gateway web interface.
d. Resource Group: Create a new resource group or select a resource group from the existing Resource group list.
e. Location: Select a location for the resource group.
f. Click OK.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
82
7. In the Create virtual machine > 2 Size page:
a. Select a size for the instance and click Select.
8. In the Create virtual machine > 3 Settings page:
a. Storage
i. Data type: Select Standard/Premium (SSD) as per your requirement.
ii. Storage account: Create a new storage account or select a storage account from the existing Storage account list.
b. Network
i. Virtual network: Configure or select the network in which you want to deploy the Barracuda Email Security Gateway.
ii. Subnet: Configure or select the subnet in which you want to deploy the Barracuda Email Security Gateway.
iii. Public IP address: Configure or select the public IP address to the Barracuda Email Security Gateway.
iv. Network security group: By default, port 8000 (TCP), port 443 (TCP) and port 25 (TCP) will be opened as in your Sec
urity Group. Configure additional rules if required.
c.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
83
c. Extensions
i. Extensions: Do not add any extension, as the Barracuda Email Security Gateway does not support extensions.
d. Availability
i. Availability set: Create an availability set or select an availability set from the existing Availability set list. Note: If you
intend to use this virtual machine in cluster, ensure all virtual machines in cluster is configured with same availability set.
9. In the 4 Summary page, review the configuration settings and click OK.
10. In the 5 Buy page, read the legal terms and click Purchase to complete the deployment.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
84
10.
After clicking Purchase, Microsoft Azure begins provisioning the Barracuda Email Security Gateway. You can check the status of the provisioned
Barracuda Email Security Gateway from the Microsoft Azure Portal. Allow a few minutes before taking any further actions in the Portal. During
this time, the Microsoft Azure Linux Agent and Barracuda Email Security Gateway image boots up.
Make sure you do not restart the Barracuda Email Security Gateway while it is provisioning.
Monitoring is not supported by the Barracuda virtual machines/instances. Enabling Monitoring Diagnostics can cause the
deployment to fail or timeout. It is recommended to contact Barracuda Networks Technical Support before enabling Monitoring
Diagnostics.
Deploying and Provisioning the Barracuda Email Security Gateway Using the Classic Model
Perform the following steps to deploy and provision the Barracuda Email Security Gateway using the classic deployment model in the new
Microsoft Azure portal:
1. Log into the Microsoft Azure Management Portal.
2. Click Marketplace at the bottom of the screen.
3. In the Everything page, enter Barracuda Email Security Gateway in the text field.
In the search results, select Barracuda Email Security Gateway (BYOL or PAYG as per your requirement).
4. In the Bring Your Own License enabled/Free Trial enabled page:
a. Read the product overview.
b. Select Classic as a deployment model from the Select a deployment model drop-down list.
c. Click Create.
Copyright © 2017, Barracuda Networks Inc.
c.
Barracuda Email Security Gateway Administrator's Guide - Page
85
5. In the Create virtual machine > 1 Basics page:
a. Name: Enter a name for the virtual machine.
b. User name: Enter a username. Note: This entry is not used by the Barracuda Email Security Gateway.
c. Authentication type: Choose Password and enter a password for the authentication. Note that this will be your password to
access the Barracuda Email Security Gateway web interface.
d. Confirm password: Re-enter the password to confirm.
e. Subscription: Select the subscription from the drop-down list.
f. Resource group: Create a new resource group or select a resource group from the existing Resource group list.
g. Location: Select a location for the resource group.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
6. In the Create virtual machine > 2 Size page:
a. Select a size for the instance and click Select.
7. In the Create virtual machine > 3 Settings page:
8. Storage
a. Data type: Select Standard/Premium (SSD) as per your requirement.
b.
Copyright © 2017, Barracuda Networks Inc.
86
8.
Barracuda Email Security Gateway Administrator's Guide - Page
87
b. Storage account: Create a new storage account or select a storage account from the existing Storage account list.
9. Network
a. Domain name: Enter the domain name for the Barracuda Email Security Gateway VM.
b. Virtual network: Configure or select the network in which you want to deploy the Barracuda Email Security Gateway.
c. Subnet: Configure or select the subnet in which you want to deploy the Barracuda Email Security Gateway.
d. Private IP address: Select Dynamic/Static.
i. Dynamic to auto assign the private IP address to the Barracuda Email Security Gateway.
ii. Static to configure the static private IP address to the Barracuda Email Security Gateway.
e. Virtual IP address: Select Assign a new reserved IP address/Dynamic IP address. The instance can be accessed from
outside the virtual network using this virtual IP address. Ensure that at least one endpoint is configured.
i. Assign a new reserved IP address: Specify a name for the virtual IP address assigned by the Microsoft Azure.
ii. Dynamic IP address: Select to auto assign the virtual IP address for the Barracuda Email Security Gateway.
f. Endpoints: Add the port 8000 (TCP), port 443 (TCP) and port 25 (TCP) as your endpoints.
10. Extensions
a. Extensions: Do not add any extension, as the Barracuda Email Security Gateway does not support extensions.
11. Availability
a. Availability set: Create an availability set or select an availability set from the existing Availability set list. Note: If you intend to
use this virtual machine in cluster, ensure all virtual machines in cluster is configured with same availability set.
12. In the 4 Summary page, review the configuration settings and click OK.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
88
13. In the 5 Buy page, read the legal terms and click Purchase to complete the deployment.
After clicking Create, Microsoft Azure begins provisioning the Barracuda Email Security Gateway. You can check the status of the provisioned
Barracuda Email Security Gateway from the Microsoft Azure Portal. Allow a few minutes before taking any further actions in the Portal. During
this time, the Microsoft Azure Linux Agent and Barracuda Email Security Gateway image boots up.
Make sure you do not restart the Barracuda Email Security Gateway while it is provisioning.
Monitoring is not supported by Barracuda virtual machines/instances. Enabling Monitoring Diagnostics can cause the deployment to
fail or time out. Barracuda recommends contacting Barracuda Networks Technical Support before enabling Monitoring Diagnostics.
Next Step
Continue with the Barracuda Email Security Gateway Quick Start Guide on Microsoft Azure for licensing and initial configuration of your virtual
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
machine
Copyright © 2017, Barracuda Networks Inc.
89
Barracuda Email Security Gateway Administrator's Guide - Page
90
Microsoft Azure Restrictions and Limitations
If you are running Barracuda Email Security Gateway on Microsoft Azure, Microsoft imposes certain restrictions and limitations, as described in
the Microsoft Support article Microsoft server software support for Microsoft Azure virtual machines.
If these restrictions interfere with your mail delivery, you can select to deploy Barracuda Email Security Gateway on Amazon Web Services (AWS
), use the Cloud Protection Layer (CPL) with your Barracuda Email Security Gateway, or migrate to the Barracuda Email Security Service.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
91
Getting Started
Recommended Steps
Barracuda Networks recommends first reviewing Deployment Options and choosing the best deployment for your network before following these
steps to install and configure the Barracuda Email Security Gateway:
Step 1 - Understand the Concepts
Step 2 - Install the Barracuda Email Security Gateway
Step 3 - Initial Configuration
Step 4 - Product Activation and Firmware Update
Step 5 - Configure the Web Interface
Step 6 - Routing Inbound Mail
How to Tune and Monitor the Default Spam and Virus Settings
Cloud Protection Layer
Quarantine: An Overview
Mail Journaling
How to Migrate From Postini to the Barracuda Email Security Gateway
The articles linked above cover the entire installation and deployment process. However, if you are installing the Barracuda Email Security
Gateway in a server room or other location without access to a web browser, you can also download the Quick Start Guide (shipped with each
appliance) as a PDF:
Barracuda Email Security Gateway Quick Start Guide (English)
Barracuda Email Security Gateway Quick Start Guide (Japanese)
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
92
Step 1 - Understand the Concepts
The Barracuda Email Security Gateway takes a configured action when it identifies a message as spam or otherwise in violation of configured
Block and Accept policies. Inbound messages may be Blocked, Quarantined, Tagged or Allowed, while outbound messages may be Blocked,
Quarantined, Encrypted or Sent. Note that using the Quarantine or Tag actions with some scanning layers described below may use more
system resources than Block or Allow actions.
Cloud Protection Layer
In addition to the built-in layers of protection described in this article, the optional Cloud Protection Layer feature provides an additional layer of
cloud-based protection that blocks threats before they reach your network, prevents phishing and zero day attacks, and provides email continuity.
Once email passes through the Cloud Protection Layer, the Barracuda Email Security Gateway filters email according to the more granular
policies, further recipient verification, quarantining, and other features you configure on the appliance or virtual machine. You’ll use Barracuda
Cloud Control for central management of your Cloud Protection Layer and your Barracuda Email Security Gateway(s). See Cloud Protection
Layer and How to Set Up Your Cloud Protection Layer.
Twelve Layers of Defense
Understanding each of the 12 layers of defense available, as described below, prepares you to make decisions about which - if not all - of the
connection and mail scanning features to enable and tune for the best combination of performance and accuracy of the Barracuda Email Security
Gateway.
Maximizing Efficiency and Performance of Spam Scanning
Using Rate Control, Barracuda Reputation (realtime RBLs) and Recipient Verification, as described below, can maximize filtering performance of
the Barracuda Email Security Gateway for inbound mail. These layers have the greatest impact on filtering speed and performance relative to all
the other layers such that any inappropriate incoming mail connections are dropped even before receiving the message.
Connection Management Layers
These layers provide the most value in your Barracuda Email Security Gateway deployment for inbound mail as they identify and block unwanted
email messages before accepting the message body for further processing. The Connection Management layers generally require less
processing time than the seven content scanning layers that follow. For the average small or medium business, more than half of the total
email volume can be blocked using Connection Management techniques. Extremely large Internet Service Providers (ISPs) or even small
Web hosts, while under attack, may observe block rates at the Connection Management layers exceeding 99 percent of total email volume.
Denial of Service Protection
Built on a hardened and secure Linux operating system, the Barracuda Email Security Gateway receives inbound email on behalf of the
organization, insulating your organization’s mail server from receiving direct Internet connections and associated threats. This layer does not
apply to outbound mail.
Rate Control
Automated spam software can be used to send large amounts of email to a single mail server. To protect the email infrastructure from these
flood-based attacks, the Barracuda Email Security Gateway counts the number of incoming connections from a particular IP address (inbound
mail) or sender email address (outbound mail) during a 30 minute interval and throttles the connections once a particular threshold is exceeded.
See Rate Control Inbound for more on configuring this feature.
IP Analysis
After applying rate controls based on IP address, the Barracuda Email Security Gateway performs analysis on the IP address of inbound mail
based on the following:
Barracuda Reputation - This feature leverages data on network addresses and domain names collected from spam traps and
throughout other systems on the Internet. The sending histories associated with the IP addresses of all sending mail servers are
analyzed to determine the likelihood of legitimate messages arriving from those addresses. IP addresses of incoming connections are
compared to the Barracuda Reputation Blocklist and the Barracuda Reputation Whitelist, if enabled, and suspicious incoming messages
are either blocked, tagged or quarantined.
External blocklists - Also known as real-time blocklists (RBLs) or DNS blocklists (DNSBLs). Several organizations maintain external
blocklists of known spammers.
Allowed and blocked IP address lists - Customer-defined policy for allowed and blocked IP addresses. By listing trusted mail servers
by IP address, administrators can avoid spam scanning of good email, both reducing processing requirements and eliminating the
chances of false positives. Likewise, administrators can define a list of bad email senders for blocking. In some cases, administrators
may choose to utilize the IP blocklists to restrict specific mail servers as a matter of policy rather than as a matter of spam protection.
Sender Authentication
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
93
Declaring an invalid “from” address is a common practice by spammers. The Barracuda Email Security Gateway Sender Authentication layer
uses a number of techniques on inbound mail to both validate the sender of an email message and apply policy, including domain name spoof
protection, performing a DNS lookup of domain names and enforcing RFC 821 compliance.
Sender Policy Framework (SPF) tracks sender authentication by having domains publish reverse MX records to display which machines are
designated as mail sending machines for that domain. The recipient can check those records to make sure mail is coming from a designated
sending machine.
DomainKeys (DKIM) dictates that a sending domain cryptographically signs outgoing messages, allowing the sending domain to assert
responsibility for a message. When receiving a message from a domain, the recipient can check the signature of the message to verify that the
message is, indeed, from the sending domain and that the message has not been tampered with.
See Advanced Configuration for details on configuring this layer.
Recipient Verification
The Barracuda Email Security Gateway verifies the validity of recipient email addresses for inbound messages (not outbound) through multiple
techniques to prevent invalid bounce messages. See Advanced Configuration to learn about LDAP integration, SMTP recipient verification and
using a local database for recipient verification.
Mail Scanning Layers
Virus Scanning
The most basic level of Mail Scanning is virus scanning. The Barracuda Email Security Gateway utilizes three layers of virus scanning and
automatically decompresses archives for comprehensive protection. By utilizing virus definitions, Barracuda Email Security Gateway customers
receive the best and most comprehensive virus and malware protection available. The three layers of virus scanning of inbound and outbound
mail include:
Powerful open source virus definitions from the open source community help monitor and block the latest virus threats.
Proprietary virus definitions, gathered and maintained by Barracuda Central, our advanced 24/7 security operations center that works to
continuously monitor and block the latest Internet threats.
Barracuda Real-Time Protection (BRTS), a set of advanced technologies that enables each Barracuda Email Security Gateway to
immediately block the latest virus, spyware, and other malware attacks as they emerge. This feature provides fingerprint analysis, virus
protection and intent analysis. When BRTS is enabled, any new virus or spam outbreak can be stopped in real-time for industry-leading
response times to email-borne threats. BRTS allows customers the ability to report virus and spam propagation activity at an early stage
to Barracuda Central.
Virus Scanning takes precedence over all other Mail Scanning techniques and is applied even when mail passes through the Connection
Management layers. As such, even email coming from “whitelisted” IP addresses, sender domains, sender email addresses or recipients are still
scanned for viruses and blocked if a virus is detected.
The Barracuda Exchange Antivirus Agent for the Microsoft Exchange Server is an add-in that empowers your mail server to do virus
scanning of internal mail and of previously stored mail using constantly updated virus signatures detected by Barracuda Central. See How to Get
and Configure the Barracuda Exchange Antivirus Agent 6.0.x for details about getting and installing the add-in from the Barracuda Email Security
Gateway Web interface.
User-specified rules (custom policy)
Administrators can choose to define their own policies, perhaps for compliance or governance reasons, which take precedence over spam
blocking rules delivered to the system automatically through Barracuda Energize Updates. Administrators can set custom content filters for
inbound and/or outbound mail based on the subject, message headers, message bodies and attachment file type.
Fingerprint Analysis
A message “fingerprint” is based on commonly used message components (e.g., an image) across many instances of spam. Fingerprint analysis
is often a useful mechanism for blocking future instances of spam once an early outbreak is identified. Engineers at Barracuda Central work
around the clock to identify new spam fingerprints which are then updated on all Barracuda Email Security Gateways through hourly Barracuda
Energize Updates. Both inbound and outbound email messages are subject to Fingerprint Analysis
Intent Analysis
All spam messages have an “intent” – to get a user to reply to an email, to visit a Web site or to call a phone number. Intent analysis involves
researching email addresses, Web links and phone numbers embedded in email messages to determine whether they are associated with
legitimate entities. Frequently, Intent Analysis is the defense layer that catches phishing attacks. The Barracuda Email Security Gateway applies
various forms of Intent Analysis to both inbound and outbound mail, including real-time and multi-level intent analysis.
Image Analysis
While Fingerprint Analysis captures a significant percentage of images after they have been seen, the Barracuda Email Security Gateway also
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
94
uses Image Analysis techniques on both inbound and outbound mail which protect against new image variants. These techniques include:
Optical character recognition (OCR) - Enables the Barracuda Email Security Gateway to analyze the text rendered inside embedded
images.
Image processing - To mitigate attempts by spammers to foil OCR through speckling, shading or color manipulation, the Barracuda
Email Security Gateway also utilizes a number of lightweight image processing technologies to normalize the images prior to the OCR
phase. More heavyweight image processing algorithms are utilized at Barracuda Central to quickly generate fingerprints that can be used
by the Barracuda Email Security Gateway to block messages.
Animated GIF analysis - The Barracuda Email Security Gateway contains specialized algorithms for analyzing animated GIFs for
suspect content.
Bayesian Analysis
Bayesian Analysis applies only to inbound mail and is a linguistic algorithm that profiles language used in both spam messages and legitimate
email for any particular user or organization. To determine the likelihood that a new email message is spam, Bayesian Analysis compares the
words and phrases used in the new email against the corpus of previously identified email. The Barracuda Email Security Gateway only uses
Bayesian Analysis after administrators or users profile a corpus of at least 200 legitimate (not spam) messages and 200 spam messages.
Bayesian Analysis does not apply to outbound mail.
Spam Scoring
Once an inbound or outbound message has passed the initial Barracuda Email Security Gateway block/accept filters, it receives a score for its
spam probability. This score ranges from 0 (definitely not spam) to 9 or greater (definitely spam). Based on this score, the Barracuda Email
Security Gateway can take one of the following actions:
Block
Quarantine
Tag (inbound mail only)
Allow (inbound mail only)
Send (outbound mail only)
Domain Level Spam Scoring: The Barracuda Email Security Gateway 400 and higher allows for setting spam score levels for inbound mail at
the domain level. The administrator or the Domain admin role can set the spam scoring levels on the BASIC > Spam Checking page.
Per-User Spam Scoring: The Barracuda Email Security Gateway 600 and higher allows the administrator to enable users to set their own spam
score levels for inbound mail if per-user quarantine is enabled. If per-user spam scoring is enabled, when the user logs into their account, they
will see the PREFERENCES > Spam Settings page from which they can set tag, quarantine and block scoring levels for that account.
Predictive Sender Profiling
When spammers try to hide their identities, the Barracuda Email Security Gateway can use Predictive Sender Profiling to identify behaviors of all
senders and apply the applicable Barracuda Email Security Gateway defense tactic to reject connections and/or messages from spammers. This
involves looking beyond the reputation of the apparent sender of a message, just like a bank needs to look beyond the reputation of a valid credit
card holder of a card that is lost or stolen and used for fraud.
Some examples of spammer behavior that attempts to hide behind a valid domain, and the Barracuda Email Security Gateway features that
address them, include the following:
Sending too many emails from a single network address
Automated spam software can be used to send large amounts of email from a single mail server. The Rate Control feature on the
Barracuda Email Security Gateway can be set to limit the number of connections made from any IP address within a 30 minute time
period. Violations are logged to identify spammers. Rate Control is configured from the BLOCK/ACCEPT > Rate Control page.
The Messages Per SMTP Session setting limits the number of messages allowed in one SMTP session. If the number of messages in
one session exceeds this threshold, the rest of the messages are temporarily blocked and are displayed in the message log as being
"Deferred" with "Per-Connection Message Limit Exceeded" as the reason for the postponement. The sender is required to make a new
connection to continue sending messages, which may ultimately trigger a Rate Control deferral. For this and other SMTP security
settings, see the ADVANCED > Email Protocol page.
Attempting to send to too many invalid recipients
Many spammers attack email infrastructures by harvesting email addresses. Recipient Verification on the Barracuda Email Security
Gateway enables the system to automatically reject SMTP connection attempts from email senders that attempt to send to too many
invalid recipients, a behavior indicative of directory harvest or dictionary attacks.
Using LDAP lookup or a local database to verify valid recipients as well as Sender Spoof Protection, which blocks email with "From"
addresses which use an allowed recipient domain on the Barracuda Email Security Gateway, protects against receiving mail targeted to
invalid recipients.
Registering new domains for spam campaigns
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
95
Because registering new domain names is fast and inexpensive, many spammers switch domain names used in a campaign and send
blast emails on the first day of domain registration. Real-time Intent Analysis on the Barracuda Email Security Gateway is typically used
for new domain names and involves performing DNS lookups and comparing DNS configuration of new domains against the DNS
configurations of known spammer domains.
Using free Internet services to redirect to known spam domains
Use of free Web sites to redirect to known spammer Web sites is a growing practice used by spammers to hide or obfuscate their identity
from mail scanning techniques such as Intent Analysis. With Multilevel Intent Analysis, the Barracuda Email Security Gateway
inspects the results of Web queries to URIs of well-known free Web sites for redirections to known spammer sites.
Journaling
The Barracuda Email Security Gateway provides an avenue for recording a copy of, or journaling, email communications in your organization and
sending them to a dedicated email address that you specify. The process of journaling is different from archiving; journaling is simply a means of
recording your users’ messages. Archiving, on the other hand, is a means of storing those copies in a separate environment for the purpose of
regulatory compliance, data retention, or server maintenance. For archiving, consider also deploying the Barracuda Message Archiver.
Continue with Deployment Options.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
96
Step 2 - Install the Barracuda Email Security Gateway
Virtual Machine Installation
If you are using the Barracuda Email Security Gateway Vx, see the Virtual Deployment page to get and install your Barracuda Email Security
Gateway Vx virtual machine.
Checklist for Unpacking
Before installing your Barracuda Email Security Gateway, match the items on this list with the items in the box. If any item is missing or damaged,
please contact your Barracuda Networks Sales representative.
Barracuda Email Security Gateway (check that you have received the correct model)
AC power cord
Mounting rails (Barracuda Email Security Gateway 600, 800, and 900 only)
Also required for installation:
VGA monitor
PS2 keyboard
Ethernet cables
To physically install the Barracuda Email Security Gateway:
1. Fasten the Barracuda Email Security Gateway to a standard 19-inch rack or other stable location.
Important: Do not block the cooling vents located on the front and rear of the unit.
2. Connect a CAT5 Ethernet cable from your network switch to the Ethernet port on the back of your Barracuda Email Security Gateway.
The Barracuda Email Security Gateway supports both 10BaseT and 100BaseT Ethernet. Barracuda Networks recommends using a
100BaseT connection for best performance.
The Barracuda Email Security Gateway 600 and higher supports Gigabit Ethernet and has two usable LAN ports. On these
models, plug the Ethernet cable into the LAN 2 port.
Do not connect any other cables to the other connectors on the unit. These connectors are for diagnostic purposes.
3. Connect the following to your Barracuda Email Security Gateway:
Power cord
VGA monitor
PS2 keyboard
After you connect the AC power cord the Barracuda Email Security Gateway may power on for a few seconds and then power off. This is
standard behavior.
4. Press the Power button located on the front of the unit. The login prompt for the administrative console is displayed on the monitor, and
the light on the front of the system turns on. For a description of each indicator light, refer to Barracuda Email Security Gateway Panel
Indicators, Ports, and Connectors.
APC UPS Support
An APC (American Power Conversion) UPS (Uninterruptible Power Supply) device with a USB interface is supported with the Barracuda Email
Security Gateway. No configuration changes are needed on the Barracuda Email Security Gateway to use one. When the APC UPS device is on
battery power, the web interface will display an alert, and the Barracuda Email Security Gateway will shut down safely when there is an estimated
time of 3 minutes of battery power remaining.
Continue with Step 3 - Initial Configuration.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
97
Step 3 - Initial Configuration
Configure IP Address and Network Settings
The Barracuda Email Security Gateway is given a default IP address of 192.168.200.200. You can change this address by doing either of the
following:
Connect directly to the Barracuda Email Security Gateway with a keyboard and monitor and specify a new IP address through the
console interface.
Applies only to the Barracuda Email Security Gateway 200, 300, 400, and 600: Push and hold the Reset button on the front panel.
Holding the Reset button for 5 seconds changes the IP address to the default of 192.168.200.200. Holding the Reset button for 8
seconds changes the IP address to 192.168.1.200. Holding the Reset button for 12 seconds changes the IP address to 10.1.1.200.
To connect directly to the Barracuda Email Security Gateway to set a new IP address:
1. At the barracuda login prompt, enter admin for the login and admin for the password. The User Confirmation Requested window will
display the current IP configuration of the system.
2. Using the Tab key, select Yes to change the IP configuration.
3. Enter the new IP address, netmask, and default gateway for your Barracuda Email Security Gateway, and select OK when finished.
4. Select No when prompted if you want to change the IP configuration. Upon exiting the screen, the new IP address and network settings
will be applied to the Barracuda Email Security Gateway.
Configure Your Corporate Firewall
If your Barracuda Email Security Gateway is located behind a corporate firewall, you need to open specific ports to allow communication between
the Barracuda Email Security Gateway and remote servers.
To configure your corporate firewall:
1. Using the following table as a reference, open the specified ports on your corporate firewall:
Port
Direction
Protocol
Used for
22
Out
TCP
Remote diagnostics and
technical support services
(recommended)
25
In/Out
TCP
SMTP
53
Out
TCP/UDP
Domain Name Server (DNS)
80(1)
Out
TCP
Virus, firmware, security and
spam rule definitions
123
Out
UDP
NTP (Network Time Protocol)
8000(2) (default)
Out
TCP
Virus, firmware, security and
spam rule definitions
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
98
Notes:
(1)
If your firewall allows unrestricted outbound traffic on port 80, then no further action is necessary. If there are restrictions on
outbound traffic on this port, you must configure your firewall as described in Ports for Firmware and Definition Updates to allow the
Barracuda Email Security Gateway access to firmware and definition updates.
(2)
If your firewall allows unrestricted outbound traffic on port 8000, then no further action is necessary.
2. If appropriate, change the NAT routing of your corporate firewall to route incoming email to the Barracuda Email Security Gateway.
Consult your firewall documentation or your corporate firewall administrator to make the necessary changes.
After specifying the IP address of the system and opening the necessary ports on your firewall, you need to configure the Barracuda Email
Security Gateway from the web interface. Make sure the computer from which you configure the Barracuda Email Security Gateway is connected
to the same network, and the appropriate routing is in place to allow connection to the Barracuda Email Security Gateway’s IP address from a
web browser.
Configure the Barracuda Email Security Gateway From the Web Interface
1. From a web browser, enter the IP address of the Barracuda Email Security Gateway followed by port 8000.
Example: http://192.168.200.200:8000
2. Log in to the web interface by entering admin for the username and admin for the password. For maximum security, Barracuda
recommends changing the administrator password on the BASIC > Administration page.
3. On the BASIC > IP Configuration page, enter the required information in the fields as described in the following table:
Fields
Description
TCP/IP Configuration
The IP address, subnet mask, and default gateway of your
Barracuda Email Security Gateway. The TCP port is the port on
which the Barracuda Email Security Gateway receives incoming
email. This is usually port 25.
Destination Mail Server TCP/IP Configuration
The hostname or IP address of your destination mail server; for
example mail.yourdomain.com. This is the mail server that
receives email after it has been checked for spam and viruses.
You should specify your mail server’s hostname rather than its IP
address so that the destination mail server can be moved and
DNS updated at any time without any changes needed to the
Barracuda Email Security Gateway.
TCP port is the port on which the destination mail server receives
all SMTP traffic such as inbound email. This is usually port 25.
If you need to set up more than one domain or mail server, refer
to Creating and Managing Domains.
DNS Configuration
The primary and secondary DNS servers you use on your
network.
It is strongly recommended that you specify a primary and
secondary DNS server. Certain features of the Barracuda Email
Security Gateway rely on DNS availability.
Domain Configuration
Default Host Name is the host name to be used in the reply
address for email messages (non-delivery receipts, virus alert
notifications, etc.) sent from the Barracuda Email Security
Gateway. The Default Host Name is appended to the default
domain.
Default Domain is a required field and indicates the domain
name to be used in the reply address for email messages
(non-delivery receipts, virus alert notifications, etc.) sent from the
Barracuda Email Security Gateway.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Accepted Email Recipients Domains
99
The domains managed by the Barracuda Email Security
Gateway. Make sure this list is complete. The Barracuda Email
Security Gateway rejects all incoming messages addressed to
domains not in this list. See Creating and Managing Domains.
Note: One Barracuda Email Security Gateway can support
multiple domains and mail servers. If you have multiple mail
servers, go to the DOMAINS tab and enter the mail server
associated with each domain
4. Click Save.
If you changed the IP address of your Barracuda Email Security Gateway, you are disconnected from the web interface and will need to
log in again using the new IP address.
If You Have a Model 100
Go to the Users page and perform at least one of the following:
Enter the email address(es) on which the Barracuda Email Security Gateway is to perform spam and virus scanning under Use
r Configuration, one entry per line.
To have email addresses automatically added to the Barracuda Email Security Gateway as mail arrives, make sure the Enable
User Addition option is turned on.
Note: If no users are specified, AND the Enable User Addition option is set to No, then no scanning of ANY incoming email
will be performed.
Continue with Step 4 - Product Activation and Firmware Update
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
100
Step 4 - Product Activation and Firmware Update
Online Activation and Update
The Barracuda Email Security Gateway can automatically update its activation status. Complete the following steps to initiate the online activation
process and update the system.
1. Log into the Barracuda Email Security Gateway as the administrator. In a web browser, enter the Barracuda Email Security Gateway
management IP address and default HTTP port (for example, http://192.168.200.200:8000/). Use the default admin credentials:
Username: admin
Password: admin
2. Go to the BASIC > Dashboard page. Under Subscription Status, make sure the Energize Updates subscription displays Current. If
the Barracuda Email Security Gateway can access the activation servers, your Energize Update and Instant Replacement subscriptions
are most likely active. If not, a warning displays at the top of every page and you must activate your subscriptions before continuing.
3. If the Energize Updates displays Not Activated:
a. Click the activation link at the top of the page to go to the Barracuda Networks Product Activation page and complete activation
of your subscriptions.
b. Go back to the Subscription Status section of the BASIC > Dashboard page, and click Refresh to automatically update the
activation status of the Energize Updates subscription.
Update the Firmware
Go to the ADVANCED > Firmware Update page. If there is a new Latest General Release available, do the following to update the system
firmware:
1. Click the Download Now button located next to the firmware version that you wish to install.
2. Click the Apply Now button to install the firmware. This will take a few minutes to complete. To avoid damaging the Barracuda Email
Security Gateway, do not manually power OFF the system during an update or download.
3. After the firmware has been applied, the Barracuda Email Security Gateway will automatically reboot and display the login page.
4. Log back into the web interface and read the Release Notes to learn about enhancements and new features. Verify settings you may
have already entered, as new features may have been included with the firmware update.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
101
Step 5 - Configure the Web Interface
Controlling Access to the Web Interface
The BASIC > Administration page allows you to perform the following tasks for initial setup:
Required: Provide email addresses in the Email Notifications section of the page so the Barracuda Email Security Gateway and
Barracuda Networks can send out important alerts and informative notifications if needed.
Change the HTTP port used to access the web interface. For security, HTTPS access is recommended - see Securing the Barracuda
Email Security Gateway. To enable SSL-access only, see How to Enable SSL for Administrators and Users.
Change the length of time users can be logged into the web interface after a period of no activity ( Session Expiration Length - default
is 20 minutes).
Specify the IP addresses and netmask of the systems that can access the web interface. All other systems will be denied access. This is
configurable in the section.
Customizing the Appearance of the Web interface
The ADVANCED > Appearance page allows you to customize the default images used on the web interface. This tab is only displayed on the
Barracuda Email Security Gateway 600 and higher.
Changing the Language of the Web Interface
You can change the language of the web interface by selecting a language from the drop-down menu in the upper right corner of the page near
the Log Off link. Supported languages include Chinese, Japanese, Spanish, French, and others. The language you select is only applied to your
individual web interface. No other user’s web interface is affected.
Setting the Time Zone of the System
You can set the time zone of your Barracuda Email Security Gateway from the BASIC > Administration page. The current time on the system is
automatically updated via Network Time Protocol (NTP). When the Barracuda Email Security Gateway resides behind a firewall, NTP requires
port 123 to be opened for outbound UDP traffic. You can specify one or more NTP servers to use on the ADVANCED > Advanced Networking
page. Each server will be tried in order until one successfully connects. The default server is ntp.barracudacentral.com.
It is important that the time zone is set correctly because this information is used in all logs and reports.
Note: The Barracuda Email Security Gateway automatically reboots when you change the time zone.
Continue with Step 6: Routing Inbound Mail.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
102
How to Enable SSL for Administrators and Users
SSL (Secure Socket Layer) ensures that your passwords are encrypted and that all data transmitted to and received from the web interface is
encrypted as well. All Barracuda Email Security Gateways support SSL access without any additional configuration. However, some sites may
wish to enforce using a secured connection to access the web interface, or prefer to use their own trusted certificates. For more information about
and best practices for securing your Barracuda Email Security Gateway on your network, see Securing the Barracuda Email Security Gateway.
The SSL configuration referred to here is related only to the web interface. There is no need to explicitly configure SSL for traffic between the
Barracuda Email Security Gateway and your mail servers.
How to Enforce SSL-only Access (recommended)
1. On the ADVANCED > Secure Administration page, select Yes to enable HTTPS/SSL access only to the web interface. Setting this to
No will still allow the Barracuda Email Security Gateway to accept non-SSL connections.
2. Select Yes to Use HTTPS links in emails for per-user quarantine messages sent from the Barracuda Email Security Gateway.
3. Enter your desired web Interface HTTPS/SSL port for the web interface. The default is 443.
4. Click Save.
If you wish to change the certificate that is used, you must first create and upload it to the Barracuda Email Security Gateway before changing the
Certificate Type in the SSL Certificate Configuration section of the ADVANCED > Secure Administration page. See the online help for
instructions. The Barracuda Email Security Gateway supports the following types of certificates:
Default (Barracuda Networks) certificates are signed by Barracuda Networks. On some browsers, these may generate some benign
warnings which can be safely ignored. No additional configuration is required to use these certificates, and are provided free of charge as
the default type of certificate.
Private (self-signed) certificates provide strong encryption without the cost of purchasing a certificate from a trusted Certificate Authority
(CA). These certificates are created by providing the information requested in the Private (self-signed) section of the page. You may also
want to download the Private Root Certificate and import it into your browser, to allow it to verify the authenticity of the certificate and
prevent any warnings that may come up when accessing the web interface.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
103
Step 6 - Routing Inbound Mail
The next step in setting up your Barracuda Email Security Gateway is to route incoming email to the system so it can scan incoming messages
for spam and viruses. Note that inbound mail will be blocked if the domain receiving the mail has not been configured on the Email
Security Gateway. To configure domains, see Creating and Managing Domains.
Important: In addition to this article, if you are using:
G Suite Business and Education editions with the Barracuda Email Security Gateway as your inbound mail gateway,
please see How to Configure G Suite for Inbound and Outbound Mail in addition to reading this article.
Amazon Web Services, see Routing Mail Through Amazon Web Services
You can use either of the following methods to route messages to your Barracuda Email Security Gateway:
Use port forwarding to redirect incoming SMTP traffic (port 25) to the Barracuda Email Security Gateway if it is installed behind a
corporate firewall running NAT (Network Address Translation). For more information about port forwarding, refer to your firewall
documentation or network administrator.
MX records are used when your Barracuda Email Security Gateway is located in a DMZ with a routeable public IP address. If your
Barracuda Email Security Gateway is in the DMZ (not protected by your corporate firewall), do the following to route incoming messages
to the system:
1. Create a DNS entry for your Barracuda Email Security Gateway. The following example shows a DNS entry for a Barracuda Email
Security Gateway with a name of barracuda and an IP address of 66.233.233.88:
barracuda.yourdomain.com
IN
A
66.233.233.88
2. Change your DNS MX Records. The following example shows the associated MX record with a priority number of 10:
IN MX 10 barracuda.yourdomain.com
You can configure specific SMTP settings from the ADVANCED > Email Protocol page. After you route incoming email to the
Barracuda Email Security Gateway, it will begin filtering all email it receives and routing good email to your mail server.
Testing Spam and Virus Scanning With a Local User Set
With the Barracuda Email Security Gateway 400 and higher, you have the option to use the Explicit Users to Scan For feature to test a subset
of locally defined users before fully deploying the Barracuda Email Security Gateway. See the ADVANCED > Explicit Users page.
To tune your spam settings, continue with How to Tune and Monitor the Default Spam and Virus Settings.
If you will be routing outbound mail through the Barracuda Email Security Gateway, continue with Routing Outbound Mail.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
104
Using MX Records
This article defines MX records and provides information about effectively using MX records in conjunction with Email Security
Gateways.
MX Records
MX records are DNS entries that are used by sending mail servers to locate destination mail servers. An mail server sending an email to a
particular domain will look up the MX record for that destination domain. The MX record provides a machine name or an IP address for the
destination domain. For example, if an mail server wants to send an email to bob@mydomain.com, it would perform an MX record look up on
mydomain.com to determine the destination IP address. Once the sending mail server has the destination IP address, it would then be able to
contact the destination machine to deliver the email.
Figure 1: Basic MX record setup.
Multiple MX Records
Some domains have several MX records associated with it. Each MX record has a different priority associated with it and each one points to a
different server as illustrated in Figure 2:
Figure 2: Domain with multiple MX records.
When a sending mail server performs an MX record lookup on a destination domain, it obtains the complete list of MX records and their
associated priorities. Under normal circumstances, the sending mail server will attempt to send the email to the highest priority destination first
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
105
and only proceed down the list if the higher priority machine is down, overloaded or cannot take the email for some reason. This is particularly
useful when building robust and high availability systems. The email is delivered according to the highest priority MX record. If the mail server
specified in that record is down, then the email is routed according to the next highest priority MX record.
Using a Email Security Gateway
To help block spam and viruses, some organizations may have their mail server’s highest priority MX record point to a Email Security Gateway
rather than the mail server itself. This way the first machine to receive the email would be the Email Security Gateway. The Email Security
Gateway would then process the email and determine if the email is legitimate. If it is, then it would forward the email to the destination mail
server.
Figure 3: MX Record and the Barracuda Email Security Gateway.
To protect against the case of the Email Security Gateway going down, some organizations have a lower priority or backup MX record that points
directly to the mail server.
Figure 4: Wrong method for obtaining high availability.
This, however, is not a recommended way to protect against a Email Security Gateway failing. Why? Spammers know about this method and will
take advantage of the lower priority MX record that bypasses the Email Security Gateway. Spammers will send Spames directly to the lower
priority MX record so that they will always bypass the Email Security Gateway and get through to the mail server.
For organizations who wish to protect against a Email Security Gateway failing, Barracuda Networks recommends having both the first and
second priority MX records point to a Email Security Gateway and the Email Security Gateway pointing to an mail server. This way all email,
regardless of which MX record is being used, is always processed by a Email Security Gateway first.
Figure 5: Correct method for obtaining high availability.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
106
Summary
To effectively use MX records with Email Security Gateways, Barracuda Networks recommends having the highest priority MX record point to the
Email Security Gateway and the Email Security Gateway point to the mail server.
To have a high availability environment, Barracuda Networks recommends having a lower priority MX record point to another Email Security
Gateway and the Email Security Gateway point to an mail server. It is not effective to have the lower priority MX record point directly to an mail
server since spam and viruses will simply bypass the higher priority MX record and use the lower priority MX record to send spam and viruses
directly to the mail server.
To use MX records with the Barracuda Email Security Gateway when configuring the destination mail server, set the Use MX Records option on
the BASIC > IP Configuration page in the web interface. This setting is available globally (applied for all domains) and also can be specified at
the domain level.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
107
How to Tune and Monitor the Default Spam and Virus Settings
After you install the Barracuda Email Security Gateway, the system begins filtering incoming email based on the default settings. The system
automatically checks incoming email for viruses and uses the Barracuda Reputation service to identify spam. See the articles below to tune your
Barracuda Email Security Gateway appliance or virtual machine.
See also Cloud Protection Layer, an optional feature of the Barracuda Email Security Gateway which provides an additional layer of cloud-based
protection that blocks threats before they reach your network, prevents phishing and zero day attacks, and provides email continuity. Once email
passes through the Cloud Protection Layer, the Barracuda Email Security Gateway filters email according to the more granular policies, further
recipient verification, quarantining, and other features you configure on the appliance or virtual machine. To configure, see How to Set Up Your
Cloud Protection Layer.You’ll use Barracuda Cloud Control for central management of your Cloud Protection Layer and your Barracuda Email
Security Gateway(s).
In This Section:
How to Get and Configure Barracuda Exchange Antivirus Agent 8.x
How to Get and Configure Barracuda Exchange Antivirus Agent 7.1 and Above
How to Get and Configure the Barracuda Exchange Antivirus Agent 6.0.x
Virus Checking and Notifications
How Spam Scoring Works
Monitoring Inbound and Outbound Email Traffic
Performance and Email Statistics
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
108
How to Get and Configure Barracuda Exchange Antivirus Agent 8.x
This article refers to the Barracuda Email Security Gateway version 8.0 and above. This version of the Barracuda Exchange
Antivirus Agent supports Microsoft Exchange Server versions 2010, 2013 and 2016.
What is the Barracuda Exchange Antivirus Agent?
The Barracuda Exchange Antivirus Agent is a Microsoft Exchange Server transport agent that works with the Barracuda Email Security Gateway
to scan internally generated mail, as well as external mail traffic, for viruses, thereby limiting the inadvertent spread of infected attachments. The
Barracuda Exchange Antivirus Agent only scans messages with attachments, including embedded messages with attachments. It does not scan
text-only attachments (such as HTML), message headers, bodies, or in-line attachments. Mail that has already been scanned by the Barracuda
Email Security Gateway is also scanned by the Barracuda Exchange Antivirus Agent.
Important Notes
With this version of the Barracuda Exchange Antivirus Agent, messages that are deemed malicious are deleted and will not be
quarantined.
You cannot run multiple Barracuda Exchange Antivirus Agent engines at the same time on the same server. You can,
however, have a file-level antivirus engine and one Barracuda Exchange Antivirus Agent engine running on the same server.
If you have a file-level antivirus antivirus engine running with the Barracuda Exchange Antivirus Agent engine, then you need
to exempt the following directories and files from the file-level antivirus scan:
C:\Program Files\Barracuda
C:\Windows\Temp\BAR*.*
You can download the transport agent as described below from your Barracuda Email Security Gateway and install it on all Exchange servers
with the Hub Transport role. If you want to scan outbound mail for viruses, you also need to install the agent on Exchange servers with the Edge
Transport role. The Barracuda Exchange Antivirus Agent updates virus signatures hourly and scans messages:
between local mailboxes
between the Internet and local mailboxes
Microsoft Exchange Server does not support the Barracuda Email Security Gateway quarantine tool for viewing infected messages,
information on false positives, or other infected message details. All threat statistics that Microsoft Exchange Server provides to
the Barracuda Exchange Antivirus Agent are listed in the Exchange Antivirus Statistics section of the ADVANCED > Exchange
Antivirus page on the Barracuda Email Security Gateway web interface.
Download the Agent
1. Log into the Barracuda Email Security Gateway as admin and go to the ADVANCED > Exchange Antivirus page.
2. Click the Download button and, when prompted, save the file.
Install the Agent
To install the Barracuda Exchange Antivirus Agent on Exchange Server 2013 or higher, you must be a member of an Exchange Server
Organization Management security group. If you have recently added yourself to this group, please log out before re-running the installer. Before
installing the Barracuda Exchange Antivirus Agent, set the Automatic Update option to On for Virus Definitions on the ADVANCED > Energize
Updates page on the Barracuda Email Security Gateway.
For either version of Exchange Server, perform the following steps:
1.
2.
3.
4.
Log into Microsoft Exchange Server as an administrator.
Use the browser on your Microsoft Exchange Server to connect to the Barracuda Email Security Gateway web interface.
Log into Barracuda Email Security Gateway as admin and navigate to the ADVANCED > Exchange Antivirus page.
In the Exchange Antivirus Agent section, click Download for the Barracuda Exchange Antivirus Agent that works with your version of
Exchange Server.
5. Run the Windows Installer. Follow the setup wizard instructions.
6. Click Finish when the wizard completes installing the agent. Once installed, the Barracuda Exchange Antivirus Agent is active and
begins providing virus protection.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
109
View Exchange Servers in the Barracuda Email Security Gateway web interface
After you have installed the Barracuda Exchange Antivirus Agent, refresh the ADVANCED > Exchange Antivirus page to view a list of
Exchange Servers in a table in the Exchange Antivirus Configuration section. The table will look something like this:
Field
Description
Hostname
The names of Exchange Servers on which the Barracuda Exchange
Antivirus Agent is installed.
Agent Version
The version of the Barracuda Exchange Antivirus Agent installed on
the Exchange Server.
Updated
This field does not apply to the currently installed version of the
Barracuda Exchange Antivirus Agent. For earlier versions, a value of
Yes indicates that the Barracuda Exchange Antivirus Agent is
communicating with the Barracuda Email Security Gateway. If this
field shows No for an earlier version, it might indicate a brief period of
non-communication. Typically, the field refreshes to Yes as the
Barracuda Email Security Gateway updates the Barracuda Exchange
Antivirus Agent. If the value remains No, check network connectivity
between your Exchange Server and the Barracuda Email Security
Gateway.
Exchange Antivirus Agent Statistics
The Barracuda Exchange Antivirus Agent 8.x collects and reports the following statistics:
Statistic
Description
Items Scanned
Total number of messages scanned, including infected messages.
Attachments Scanned
Number of files scanned, including those attached to infected
messages.
If an earlier version of the Barracuda Exchange Antivirus Agent is enabled to scan mail on an Exchange Server, the antivirus agent reports
statistics:
Statistic
Description
Messages Processed
Number of messages scanned by the Barracuda Exchange Antivirus
Agent.
Messages Quarantined
Number of messages that the Barracuda Exchange Antivirus Agent
quarantined, whether or not the message was delivered.
Files Scanned
Number of attachments scanned.
Files Quarantined
Number of attachments quarantined.
Queue Length
Number of messages waiting to be scanned.
Folders Scanned in Background
Number of folders processed by background scanning (versus
proactive scanning).
Messages Scanned in Background
Number of messages processed by background scanning (versus
proactive scanning).
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
110
How to Get and Configure Barracuda Exchange Antivirus Agent 7.1 and Above
This article refers to Barracuda Email Security Gateway version 7.1 and above and the 7.1 version of the Barracuda Exchange
Antivirus Agent. This version of the agent supports Microsoft Exchange Server versions 2007, 2010 and 2013*. The Barracuda
Exchange Antivirus Agent no longer supports Microsoft Exchange Server version 2003.
What is the Barracuda Exchange Antivirus Agent?
The Barracuda Exchange Antivirus Agent is a Microsoft Exchange Server transport agent that works with the Barracuda Email Security Gateway
to scan internally generated mail, as well as external mail traffic, for viruses, thereby limiting the inadvertent spread of infected attachments. The
Barracuda Exchange Antivirus Agent only scans messages with attachments, including embedded messages with attachments. It does not scan
text-only attachments (such as HTML), message headers, bodies, or in-line attachments. Mail that has already been scanned by the Barracuda
Email Security Gateway is also scanned by the Barracuda Exchange Antivirus Agent.
Important Notes
With this version of the Barracuda Exchange Antivirus Agent, messages that are deemed malicious are deleted and will not be
quarantined.
You cannot run multiple Barracuda Exchange Antivirus Agent engines at the same time on the same server. You can,
however, have a Microsoft Server Antivirus engine and one Barracuda Exchange Antivirus Agent engine running on the same
server.
If you have a Microsoft Server Antivirus engine running with the Barracuda Exchange Antivirus Agent engine, then you need to
exempt the following directories and files from the Microsoft Server Antivirus scan:
C:\Program Files\Barracuda
C:\Windows\Temp\BAR*.*
You can download the transport agent as described below from your Barracuda Email Security Gateway and install it on all Exchange servers
with the Hub Transport role. If you want to scan outbound mail for viruses, you also need to install the agent on Exchange servers with the Edge
Transport role. The Barracuda Exchange Antivirus Agent updates virus signatures hourly and scans messages:
between local mailboxes
between the Internet and local mailboxes
Microsoft Exchange Server does not support the Barracuda Email Security Gateway quarantine tool for viewing infected messages,
information on false positives, or other infected message details. All threat statistics that Microsoft Exchange Server provides to
the Barracuda Exchange Antivirus Agent are listed in the Exchange Antivirus Statistics section of the ADVANCED > Exchange
Antivirus page on the Barracuda Email Security Gateway web interface.
Download and Install the Agent
Barracuda Exchange Antivirus Agent 2013 supports versions 2007, 2010 and 2013 of Microsoft Exchange Server. If you have not previously
installed a version of the Barracuda Exchange Antivirus Agent, you will not see the option to update an earlier version of the agent. The following
image shows how the selections might appear when there is a previous version of the Barracuda Exchange Antivirus Agent installed.
Installation on Microsoft Exchange 2013
To install the Barracuda Exchange Antivirus Agent on Exchange Server 2013, you must be a member of an Exchange Server Organization
Management security group. If you have recently added yourself to this group, please log out before re-running the installer. Before installing the
Barracuda Exchange Antivirus Agent, set the Automatic Update option to On for Virus Definitions on the ADVANCED > Energize Updates pa
ge on the Barracuda Email Security Gateway. Next, perform the following steps:
For Microsoft Exchange 2013 running SP1 without update CU5:
Exchange 2013 running SP1 before update CU5 contains a formatting error in the configuration files that govern the Transport Extensibility that is
built into Exchange Server 2013. Because third-party transport agents currently do not load correctly in Exchange Server 2013 running SP1
unless some additional steps are completed, if you have not applied update CU5, you need to choose a resolution as documented in step 3.
1. Log into Microsoft Exchange Server as an administrator.
2.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
111
2. Use the browser on your Microsoft Exchange Server to connect to the Barracuda Email Security Gateway web interface.
3. If you are running Exchange 2013 SP1 before CU5, you can run a Microsoft PowerShell script that corrects the error. You can either
request that Microsoft apply this script, or do it yourself as described in the Resolution section of this Microsoft article: https://support.mi
crosoft.com/en-us/kb/2938053.
4. Log into Barracuda Email Security Gateway as admin and navigate to the ADVANCED > Exchange Antivirus page.
5. In the Exchange Antivirus Agent section, click Download for the Barracuda Exchange Antivirus Agent that works with your version of
Exchange Server.
6. Run the Windows Installer. Follow the setup wizard instructions.
7. Click Finish when the wizard completes installing the agent. Once installed, the Barracuda Exchange Antivirus Agent is active and
begins providing virus protection.
For Microsoft Exchange 2013 running SP1 with update CU5:
1.
2.
3.
4.
Log into Microsoft Exchange Server as an administrator.
Use the browser on your Microsoft Exchange Server to connect to the Barracuda Email Security Gateway web interface.
Log into Barracuda Email Security Gateway as admin and navigate to the ADVANCED > Exchange Antivirus page.
In the Exchange Antivirus Agent section, click Download for the Barracuda Exchange Antivirus Agent that works with your version of
Exchange Server.
5. Run the Windows Installer. Follow the setup wizard instructions.
6. Click Finish when the wizard completes installing the agent. Once installed, the Barracuda Exchange Antivirus Agent is active and
begins providing virus protection.
Installation on Microsoft Exchange 2007 and 2010
1.
2.
3.
4.
Log into Microsoft Exchange Server as an administrator.
Use the browser on your Microsoft Exchange Server to connect to the Barracuda Email Security Gateway web interface.
Log into Barracuda Email Security Gateway as admin and navigate to the ADVANCED > Exchange Antivirus page.
In the Exchange Antivirus Agent section, click Download for the Barracuda Exchange Antivirus Agent that works with your version of
Exchange Server.
5. Run the Windows Installer. Follow the setup wizard instructions.
6. Click Finish when the wizard completes installing the agent. Once installed, the Barracuda Exchange Antivirus Agent is active and
begins providing virus protection.
View Exchange Servers in the Barracuda Email Security Gateway web interface
After you have installed the Barracuda Exchange Antivirus Agent, refresh the ADVANCED > Exchange Antivirus page to view a list of
Exchange Servers in a table in the Exchange Antivirus Configuration section. The table will look something like this:
Field
Description
Hostname
The names of Exchange Servers on which the Barracuda Exchange
Antivirus Agent is installed.
Agent Version
The version of the Barracuda Exchange Antivirus Agent installed on
the Exchange Server.
Updated
This field does not apply to the currently installed version of the
Barracuda Exchange Antivirus Agent. For earlier versions, a value of
Yes indicates that the Barracuda Exchange Antivirus Agent is
communicating with the Barracuda Email Security Gateway. If this
field shows No for an earlier version, it might indicate a brief period of
non-communication. Typically, the field refreshes to Yes as the
Barracuda Email Security Gateway updates the Barracuda Exchange
Antivirus Agent. If the value remains No, check network connectivity
between your Exchange Server and the Barracuda Email Security
Gateway.
Exchange Antivirus Agent Statistics
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
112
The Barracuda Exchange Antivirus Agent 7.1.x collects and reports the following statistics:
Statistic
Description
Items Scanned
Total number of messages scanned, including infected messages.
Attachments Scanned
Number of files scanned, including those attached to infected
messages.
If an earlier version of the Barracuda Exchange Antivirus Agent is enabled to scan mail on an Exchange Server, the antivirus agent reports the
following statistics:
Statistic
Description
Messages Processed
Number of messages scanned by the Barracuda Exchange Antivirus
Agent.
Messages Quarantined
Number of messages that the Barracuda Exchange Antivirus Agent
quarantined, whether or not the message was delivered.
Files Scanned
Number of attachments scanned.
Files Quarantined
Number of attachments quarantined.
Queue Length
Number of messages waiting to be scanned.
Folders Scanned in Background
Number of folders processed by background scanning (versus
proactive scanning).
Messages Scanned in Background
Number of messages processed by background scanning (versus
proactive scanning).
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
113
How to Get and Configure the Barracuda Exchange Antivirus Agent 6.0.x
This article refers to Barracuda Email Security Gateway firmware 6.1.x through 7.0.x. Before installing the Barracuda Exchange
Antivirus Agent, it is recommended that you review all settings and options as shown below in Exchange Antivirus Settings. The
Barracuda Exchange Antivirus Agent 6.0.x supports Microsoft Exchange Server versions 2007 and 2010. Note that the Barracuda
Exchange Antivirus Agent no longer supports Microsoft Exchange Server version 2003.
What is the Barracuda Exchange Antivirus Agent?
The Barracuda Exchange Antivirus Agent is an add-in that you can download from your Barracuda Email Security Gateway and install on your
Microsoft Exchange mailbox server(s). The add-in works together with Microsoft Exchange Server to scan messages for viruses and only provide
s data about infected messages that is made available by the Exchange Server. The Barracuda Exchange Antivirus Agent provides constantly
updated virus signatures and does the scanning. Exchange does not provide a quarantine tool for viewing infected messages, information on
false positives or other infected message details. All threat statistics provided to the Barracuda Exchange Antivirus Agent by Exchange are listed
in the Exchange Antivirus Add-in Statistics section on the ADVANCED > Exchange Antivirus page of the Barracuda Email Security Gateway
web interface. For infected file name information, see the MS Windows Event Log. To view performance of virus scanning on your Exchange
server, use the MS Windows Performance Monitor.
Download and Install the Agent
You must be a member of an Exchange Server Organization Management security group in order to install the Barracuda Exchange Antivirus
Agent on Exchange Server 2010. To install the Barracuda Exchange Antivirus Agent on Exchange Server 2007, you must be a member of an
Exchange Organization Administrator security group. Before installing the Barracuda Exchange Antivirus Agent on Exchange Server 2007 or
2010:
Barracuda Networks recommends that you review all settings and options as shown below in the Exchange Antivirus Settings section.
Set the Automatic Update option to On for Virus Definitions on the ADVANCED > Energize Updates page on the Barracuda Email
Security Gateway.
To install the Barracuda Exchange Antivirus Agent on Exchange Server 2007 or 2010:
1.
2.
3.
4.
5.
6.
7.
8.
9.
Log into Exchange Server as an administrator.
Use the browser on your Exchange Server to connect to the Barracuda Email Security Gateway web interface.
Log into Barracuda Email Security Gateway and navigate to the ADVANCED > Exchange Antivirus page.
In the Exchange Antivirus Agent section, click Download for the Barracuda Exchange Antivirus Agent that works with your version of
Exchange Server.
Run the Windows Installer and follow the setup wizard instructions.
Click Finish when the wizard completes installing the agent. After it is installed, the Barracuda Exchange Antivirus Agent is active and
begins providing virus protection.
Click Next. The Virus Definitions will now be installed on your Exchange Server by the Barracuda Email Security Gateway.
When the progress bar shows complete, click Next The Barracuda Email Security Gateway installs the configuration on your Exchange
Server.
Click Finish when the progress bar shows complete. The agent is now configured. At this point, the Barracuda Exchange Antivirus Agent
has been loaded by the Exchange Server and scanning has begun according to the configured settings.
Configure the Agent on Microsoft Exchange
Note that if the configuration process is interrupted and does not complete, it can be rerun from the Start Menu, or it will reopen each time
Windows is restarted until configuration is completed (or the product is uninstalled).
1. When prompted on Exchange Server, enter the URI (must be https) of your Barracuda Email Security Gateway, along with the Passtoke
n shown on the ADVANCED > Exchange Antivirus page in the Exchange Antivirus Agent section.
2. Click Next. The Virus Definitions will now be installed on your Exchange Server by the Barracuda Email Security Gateway.
3. Click Next when the progress bar shows complete. The Barracuda Email Security Gateway will install the configuration on your
Exchange Server.
4. Click Finish when the progress bar shows complete. The Barracuda Exchange Antivirus Agent is now configured. At this point, the
Barracuda Exchange Antivirus Agent has been loaded by the Exchange Server and scanning has begun according to the configured
settings.
Exchange Antivirus Settings
After you have installed and configured the Barracuda Exchange Antivirus Agent per the above steps, you'll see your Exchange Server listed in
the table in the Exchange Antivirus Settings section of the ADVANCED > Exchange Antivirus page on the Barracuda Email Security
Gateway listing the following:
Hostname - The hostname of your Exchange Server.
Version - The version of the installed Barracuda Exchange Antivirus Agent.
Updated - A value of Yes indicates that the Barracuda Exchange Antivirus Agent is communicating with the Barracuda Email Security
Gateway. If this field shows No, it might indicate a brief period of non-communication. Typically the field will refresh to Yes as the
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
114
Barracuda Email Security Gateway sends the Barracuda Exchange Antivirus Agent an update. If the value remains No, check network
connectivity between your Exchange Server and the Barracuda Email Security Gateway.
Configuring Exchange Antivirus Settings for Exchange Server 2007/2010
Barracuda Networks considers that the default configuration settings, managed from the ADVANCED > Exchange Antivirus page of the
Barracuda Email Security Gateway, are acceptable for most environments and recommends that they only be changed with caution.
Setting
Description
Enabled
Yes enables the Barracuda Exchange Antivirus Agent to scan mail
on the Exchange Server after the agent has been successfully
installed. Disabling the scanner (setting Enabled to No) does not
disable all related Windows services. To permanently remove the
Barracuda Exchange Antivirus Agent, you must uninstall it on
Exchange Server.
Scan RTF Message Bodies
Rich Text Format (RTF) is used primarily by Microsoft Outlook for
internal messages. Set to Yes to scan these types of messages. If
you select No, only HTML and plain text message bodies will be
scanned, while RTF messages will not.
On-Access Scanning
This type of scan occurs when a client requests data that has not yet
been scanned (i.e. on-demand). Select Yes to enable.
Scan Outbound Messages
If your outbound message traffic is scanned by another service (e.g.
the Barracuda Email Security Gateway), then this feature can be
disabled to reduce load on your Exchange Server.
Timeout
Number of seconds to wait for a scan before Exchange Server times
out and returns an error to the mail client.
Proactive Scanning
This type of scan occurs in the background and applies to new
messages that have arrived in the message queue but have not yet
been read.
Background Scanning
Background scanning occurs on a low-priority basis and applies to
older data that has not yet been scanned using the newest virus
definitions. Set to No to reduce load on your Exchange Server, but
infected messages that are delivered before the newer virus
definitions are able to detect them won't be later rescanned and
quarantined.
Scanning Cutoff
Maximum age of message, in hours, to re-scan messages when virus
definitions are updated. Lowering this value can reduce the load on
your Exchange Server, but it can also increase the risk of failing to
quarantine late-breaking infections.
Infected Messages Retention
Time period, in hours, that the Barracuda Exchange Antivirus Agent
waits after an infected message is quarantined before deleting it.
Consider the longest time period that users would not check their
email, but also consider that a higher value could impact
performance on the Exchange Server. If the value is too low (shorter
time), the system may not deliver false positives (i.e., 'good' mail) that
the user might want to receive.
Only Scan Attachments
This setting applies to background scanning of messages. Setting to
Yes indicates to scan only attachments, not message bodies.
Only Scan Unscanned Messages
When set to Yes, Exchange Server scans messages in the
background that have never been scanned before rather than
rescanning messages when virus definitions are updated.
Removing the Barracuda Exchange Antivirus Agent
To remove the Barracuda Exchange Antivirus Agent for a particular Exchange server, you must first uninstall the add-in from that Exchange
Server. Next, log into the Barracuda Email Security Gateway web interface as admin. From the ADVANCED > Exchange Antivirus page, click
the trash can icon for the Exchange Server hostname in the table in the Exchange Antivirus Agent Settings section. This will remove the
Exchange Server from the statistics and threats reports on the page.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
115
Virus Checking and Notifications
Virus scanning is automatically enabled on the Barracuda Email Security Gateway and the system checks for definition updates on a regular
basis (hourly by default). Virus Scanning takes precedence over all other mail scanning techniques and is applied even when mail passes
through the Connection Management layers. As such, even email coming from “whitelisted” IP addresses, sender domains, sender email
addresses or recipients are scanned for viruses and blocked if a virus is detected.
Use the BASIC > Virus Checking page in the web interface to enable or disable virus checking. If you enable Barracuda Real-Time Protection,
the Barracuda Email Security Gateway will check unrecognized spam and virus fingerprints against the latest virus threats logged at Barracuda
Central that have not yet been downloaded by the Barracuda Email Security Gateway Energize Updates. See the online help on the BASIC >
Virus Checking page for more details about this setting.
Extended Malware Protection (Available on model 600 and higher)
With version 6.1 and higher, Barracuda offers a subscription to provide additional anti-malware scanning with the Avira virus scan engine. To
subscribe, see the Subscription Status section of the BASIC > Dashboard page.
Internal Virus Scanning For Your Microsoft Exchange Mail Server
The Barracuda Email Security Gateway offers an add-in that you can download from the web interface and install on your Microsoft Exchange
Server to provide internal virus scanning within your network. The Barracuda Exchange Antivirus Agent runs as a Windows service on your
2003, 2007 or 2010 MS Exchange Server and works together with MS Exchange to scan internal mail traffic for viruses. Scanning is based on
constantly updated virus signatures from the Barracuda Email Security Gateway.
Any time a new virus signature is released, the Barracuda Exchange Antivirus Agent will scan all internal mail traffic for that virus as well as mail
previously stored on the server, depending on how you configure settings for the agent. See the ADVANCED > Exchange Antivirus page on the
Barracuda Email Security Gateway web interface or see How to Get and Configure the Barracuda Exchange Antivirus Agent 6.0.x for instructions
on downloading and configuring the add-in for your organization’s needs.
Attachment Block Notifications
You can enable or disable notification emails to senders of messages that are blocked due to file attachment content filters. Configure these
notifications for inbound and outbound mail from the ADVANCED > Bounce/NDR Settings page in the web interface. From this page you can
also enter custom message text to insert in the notifications. Attachment content filters are configured in the Attachment Content Filters section of
the BLOCK/ACCEPT > Content Filters page.
Spam and Quarantine Notifications
Separate non-delivery notifications (NDR) can be configured to alert the sender when a message is blocked or quarantined due to spam scoring
or policy (content filtering). See Non-Delivery Reports (NDRs) for more information.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
116
How Spam Scoring Works
As a message passes through the last of all of the defense layers, it is scored for spam probability. This score ranges from 0 (definitely not spam)
to 10 or higher (definitely spam). Based on this score, the Barracuda Email Security Gateway either tags (inbound messages only), quarantines,
blocks or allows (or sends, for outbound) the message.
Once you have more experience with the Barracuda Email Security Gateway, you can adjust how aggressively the system deals with spam. For
example, you may decide to tag (inbound only) or quarantine spam instead of blocking it. Details of spam scoring limits for your Barracuda Email
Security Gateway are discussed in the Help file on the BASIC > Spam Checking page.
On the Barracuda Email Security Gateway 400 or higher you can set the spam scoring values on a per-domain basis, and these
scoring values take precedence over the global spam scoring settings. On the Barracuda Email Security Gateway 600 and higher,
spam scoring can be set on a per-user basis (inbound only), from the DOMAINS tab. For more information about per-domain settings,
see Creating and Managing Domains. For more about per-user settings, see Creating and Managing Accounts.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
117
Monitoring Inbound and Outbound Email Traffic
Monitor and Classify Incoming Emails
Once email is flowing through the Barracuda Email Security Gateway, the administrator can view the BASIC > Message Log page to get an idea
of how many messages are being blocked, quarantined, tagged or allowed, with reasons for each of those actions. Reviewing this log will give an
idea of how current settings are filtering messages, and the page enables adding or removing message senders to or from the whitelist. See the
Message Log for more information, and, for details on filtering messages in the log, click the Help button on the BASIC > Message Log page.
If you enable Bayesian filtering on the BASIC > Spam Checking page, you will then see Spam and Not Spam buttons on the BASIC > Message
Log page in the tool bar. Use these actions to train the Bayesian database. Bayesian training works only on messages with 11 words or more.
With Bayesian filtering enabled, if a message is not classified as spam by the Barracuda Email Security Gateway, but it appears to be spam, you
can elect to submit that message to Barracuda Central from the BASIC > Message Log page. For best Bayesian accuracy, it is recommended
that you reset your Bayesian database every 6 months. Note that Bayesian filtering is turned off by default.
See Advanced Inbound Email Filtering Policy for more details on using the Message Log with Bayesian filtering, and creating custom whitelists
and blocklists to allow or block messages from specific IP addresses, domains or email accounts.
Monitor and Classify Outgoing Emails
If you have configured the Barracuda Email Security Gateway to filter outbound mail, watch the log on the BASIC > Outbound Quarantine page.
Based on Outbound Spam Scoring Limits you specify on the BASIC > Spam Checking page, as well as any Block/Accept filters you
configure, outbound messages will be quarantined or blocked as needed and listed on the BASIC > Outbound Quarantine page. Look for false
positives and adjust spam scoring accordingly. Any message listed in the outbound quarantine can be delivered, whitelisted, deleted, or rejected
by an administrator.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
118
Performance and Email Statistics
The BASIC > Dashboard page provides an overview of the health and performance of your Barracuda Email Security Gateway, including:
Hourly and daily email statistics that display the number of inbound and outbound messages blocked, tagged (inbound messages only),
quarantined, sent (outbound messages only), redirected (outbound messages only), encrypted (outbound only), rate controlled and
allowed (inbound only) for the last 24 hours and 28 days.
The subscription status of Energize Updates.
Performance statistics, including CPU temperature and system load. Performance statistics displayed in red signify that the value
exceeds the normal threshold. These values will fluctuate based on the amount of traffic that is being handled, but if any setting remains
consistently in the red for a long period of time, please contact Barracuda Networks Technical Support.
Product Tips
At the top of the BASIC > Dashboard page you’ll see the Product Tips bubble. This space is populated with usage tips, new programs and
features from Barracuda Networks specific to your product, and with a link to the release notes for the latest firmware update. These tips are
updated frequently from Barracuda Central.You have the following options in managing this feature:
To hide a particular message permanently, click the Hide link.
To hide the Product Tips section of the page, set Show Product Tips in the Product Tips section of the BASIC > Administration page
to No.
Email Statistics - Inbound
This section of the BASIC > Dashboard page summarizes how inbound mail traffic is handled by the Barracuda Email Security Gateway based
on how you have configured the system. Actions reported include Blocked, Blocked:Virus, Rate Controlled, Quarantined, Allowed:Tagged and
Allowed. Statistics are tallied by hour, by current calendar day starting at midnight, and total since installation (or since the last reset).
If you have not configured any domains for receiving inbound mail on the DOMAINS page, and you configure the Barracuda Email Security
Gateway only for processing outbound mail, it is possible to see some messages logged as inbound mail traffic. For example, if a message is
received addressed to the default domain configured under BASIC > IP Configuration page, then the email will be counted as an inbound
message.
Email Statistics - Outbound
Outbound mail traffic is summarized in this table on the BASIC > Dashboard page much the same way as inbound traffic, except that a count of
outbound message Blocked due to custom policy or spam are reported separately, outbound messages are not tagged, and messages counted
as Sent are the counterpart of inbound Allowed messages.
If you have not configured the Barracuda Email Security Gateway for outbound mail and only expect inbound mail, it is still possible to see some
messages logged as outbound traffic. If a spammer tries to relay a message through the Barracuda Email Security Gateway by spoofing a valid
domain as the sender to an invalid recipient, the Barracuda Email Security Gateway will block the message and it will appear in the outbound
email statistics table as Blocked.
As an example, consider that mydomain.com is configured as a valid domain on the DOMAINS page and badomain.com is not. A spammer
sends a message from sender@mydomain.com to the IP address of the Barracuda Email Security Gateway, addressed to recipient@badomai
n.com. The message will show as Blocked with a reason of ‘invalid domain’ in the Message Log and will be included in the outbound mail
Blocked statistics.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
119
Cloud Protection Layer
The optional Cloud Protection Layer feature of the Barracuda Email Security Gateway is an additional layer of cloud-based protection that blocks
threats before they reach your network, prevents phishing and zero day attacks, and provides email continuity. Once email passes through the
Cloud Protection Layer, the Barracuda Email Security Gateway filters email according to the more granular policies, further recipient verification,
quarantining, and other features you configure on the appliance or virtual machine. You’ll use Barracuda Cloud Control for central management of
your Cloud Protection Layer and your Barracuda Email Security Gateway(s). See Advantages of the Cloud Protection Layer.
To set up and use the Cloud Protection Layer:
1.
2.
3.
4.
Set up your Barracuda Email Security Gateway.
Continue with How to Set Up Barracuda Cloud Control, if you have not already configured your free account.
Follow instructions for initial setup of the Cloud Protection Layer with How to Set Up Your Cloud Protection Layer.
Use this article to configure filtering policies for the Cloud Protection Layer to apply to inbound mail before it reaches your Barracuda
Email Security Gateway.
Policies Configurable in the Cloud Protection Layer
Some of the policies that are available on the Barracuda Email Security Gateway are also configurable in the Cloud Protection Layer, offloading
policy enforcement from your Barracuda Email Security Gateway and further protecting your network from threats. These policies, as well as
some additional protections, include:
Advanced Threat Detection (ATD)
The subscription-based ATD service analyzes inbound email attachments in a separate, secured cloud environment, detecting new threats and
determining whether to block such messages. ATD offers protection against advanced malware, zero-day exploits, and targeted attacks not
detected by the Barracuda Email Security Gateway virus scanning features. See Advanced Threat Detection for details.
Anti-phishing, antivirus, anti-spam protection
Anti-phishing, configurable on the Cloud Protection Layer INBOUND SETTINGS > Anti-Phishing page:
Intent analysis
Link protection
Typosquatting protection
Anti-fraud intelligence, which uses a special Bayesian database that is constantly learning for the detection of phishing scams.
Anti-spam, antivirus, configurable on the Cloud Protection Layer INBOUND SETTINGS > Anti-Spam/Antivirus page:
Barracuda Reputation Block List (BRBL)
Virus scanning
Barracuda Real-Time System (BRTS) – An advanced service to detect zero-hour spam and virus outbreaks even where
traditional heuristics and signatures to detect such messages do not yet exist.
CloudScan – A cloud-based spam scanning engine, which assigns a score to each message processed ranging from 0 (unlikely
spam) to 10 (definitely spam). Setting a score of 1 will likely block legitimate messages while setting a score of 10 will allow more
messages through the system.
Bulk email detection
IP analysis
Custom RBLs – On the INBOUND SETTINGS > Custom RBLs page, you can add any additional free or subscription blocklists. External
IP blocklists, also known as DNSBLs or RBLs, are lists of Internet addresses that have been identified as potential originators of spam.
These lists can be used to block potential spammers.
Rate Control – This feature protects your mail server from spammers or spam-programs (also known as "spam-bots") that send large
amounts of email to the server in a small amount of time. You can exempt known and trusted IP addresses or IP ranges from IP based
Rate Control. Email messages are still scanned for spam and virus content. Configure on the INBOUND SETTINGS > Rate Control pag
e.
IP address block/accept policies – Add IP addresses or networks to always block or always exempt (whitelist). Whitelisted IP
addresses/networks bypass spam scoring as well as all other blocklists. Virus scanning still applies. This list of IP addresses that you
choose to block takes precedence over the Barracuda Reputation Block List and Custom RBL entries. Configure on the INBOUND
SETTINGS > IP Address Policies page.
Recipient and sender policies
Recipient Policies – Recipient email addresses you specifically want to always scan or always exempt (whitelist). Or you can apply a
default behavior to all recipients, by selecting either Scan or Exempt from the Default policy for all users drop-down. Exempt
(whitelisted) recipients bypass spam scoring as well as all other blocklists. Virus scanning still applies. Configure on the INBOUND
SETTINGS >Recipient Policies page.
Sender Policies – Sender policies allow you to exempt or block messages by username in a sender email address, domain name, or
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
120
both. For details, see the INBOUND SETTINGS > Sender Policies page.
Sender Authentication – Configure reverse DNS lookups for sender domain verification, domain-spoofing protection, DomainKeys
Identified Mail (DKIM), and Sender Policy Framework (SPF) for sender authentication. See the INBOUND SETTINGS > Sender
Authentication. For more details about these methods, see Sender Authentication.
Note that the Cloud Protection Layer can be configured with many of the same block/accept policies you would apply to the Barracuda
Email Security Gateway, but only provides the Block (or Scan) and Allow (exempt) actions. The Cloud Protection Layer does not
support tagging or quarantine of email.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
121
Advantages of the Cloud Protection Layer
The optional Cloud Protection Layer feature of the Barracuda Email Security Gateway is an additional layer of cloud-based protection that blocks
threats before they reach your network, prevents phishing and zero day attacks, and provides email continuity.
Advantages of Using Cloud-Based Protection
The Cloud Protection Layer receives inbound email on behalf of the organization, insulating your organization's mail server from receiving direct
Internet connections and associated threats. This layer does not apply to outbound mail. Here are some of the benefits of using the Cloud
Protection Layer together with your Barracuda Email Security Gateway:
Email Continuity – The Cloud Protection Layer polls your inbound mail server regularly and, if the mail server goes down, the Cloud
Protection Layer spools your inbound mail for up to 4 days. As soon as the mail server comes back up, email is released in a steady
stream, resuming consistent inbound mail flow.
Advanced Threat Detection (ATD) – The optional, subscription-based ATD service analyzes inbound email attachments in a separate,
secured cloud environment, detecting new threats and determining whether to block such messages. ATD offers protection against
advanced malware, zero-day exploits, and targeted attacks not detected by the Barracuda Email Security Gateway virus scanning
features. See Advanced Threat Detection for details.
Link Protection – Rewrites a deceptive URL in an email message to a safe Barracuda URL, and delivers that message to the user. See A
nti-Fraud and Anti-Phishing Protection for details.
Typosquatting protection – Checks for common typos in the URL domain name in an email message and, if found, rewrites the URL to
the correct domain name so that the user visits the intended website. See Anti-Fraud and Anti-Phishing Protection for details.
Dual Protection Points – Comprehensive onsite and cloud-based threat protection including the Barracuda Anti-Virus Super Computing
Grid and Barracuda Advanced Anti-Fraud Intelligence.
Email Burst Handling – Email surge suppression during peak traffic and spam spikes, which offloads a significant volume of spam email
from your Barracuda Email Security Gateway to be filtered via the cloud.
Immediate Response – Automatic updates in real time, leveraging threat intelligence from Barracuda Labs and Barracuda Central to
continuously stay ahead of quickly morphing threats.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
122
How to Set Up Your Cloud Protection Layer
To use the Cloud Protection Layer, you must have a current Energize Updates (EU) subscription for your Barracuda Email Security
Gateway. After setting up your Cloud Protection Layer, see Cloud Protection Layer for how to configure policies at the Cloud
Protection Layer level.
Create or Log Into Your Barracuda Cloud Control Account
Begin setup of your Cloud Protection Layer by either creating a Barracuda Cloud Control account or logging in with your existing account. If you
already have an account, skip to Configure Cloud Control below.
To create a Barracuda Cloud Control account:
1. Visit https://login.barracudanetworks.com/ and click the Create a user link.
2. Enter your name and email address, and click Create User. Follow the instructions emailed to the entered email account to log in and
create your Barracuda Cloud Control account.
3. After submitting your new account information, the Account page displays your account name, associated privileges, username, and
Barracuda Networks products you associate with your Barracuda Cloud Control account.
Configure Cloud Control
1. Log into your account at https://login.barracudanetworks.com/ by entering your email address and password.
2. Click Sign In. Once logged in, you can create users in your Barracuda Cloud Control account (see How to Add Users) and assign
various permissions to each user for access to Barracuda Cloud Control.
3. Click on the Appliance Control link on the left side of the page. If you have not yet connected any appliances or services to your
account, click the Set up your Barracuda Cloud Control button. You’ll see the Barracuda Cloud Control Dashboard page and a
message indicating that no products have yet been connected.
4. In another browser tab or window, log into your Barracuda Email Security Gateway. From the product ADVANCED > Firmware Upgrade
page, check to make sure you have the latest firmware installed. If not, download and install it now.
5. From the ADVANCED > Cloud Control page, enter the username and password you created for your Barracuda Cloud Control account.
Click Yes for Connect to Barracuda Cloud Control to connect your Barracuda Email Security Gateway to the Barracuda Cloud Control,
and then click the Save Changes button. Note that your Barracuda Email Security Gateway can connect with only one Barracuda Cloud
Control account at a time.
6. In the Barracuda Cloud Control window, refresh your browser page. In the Products column on the left side of the page, you should see
the Email Security Gateway group with two components, or ‘nodes’ listed:
The Cloud Protection Layer node
Each Barracuda Email Security Gateway you have connected, with its serial number
7. Click on the Cloud Protection Layer link and navigate to the DOMAINS page.
Important
The MX record for each domain should point to the Barracuda Email Security Gateway so that the Cloud Protection Layer can
establish a connection to the system.
Complete the following steps for each domain for which you want the Cloud Protection Layer to filter email:
a. For each domain you have configured on the Barracuda Email Security Gateway, enter the Domain Name. In the Mail Server fie
ld, enter the external facing (public) IP address of your Barracuda Email Security Gateway. This is typically, but not always, the
IP Address from the BASIC > IP Configuration page. The Cloud Protection Layer must be able to establish and confirm a
connection to the Barracuda Email Security Gateway in order to receive the required MX records.
b. Click Add.
c. Each of the domains for which you want to filter email must be verified by the Cloud Protection Layer for proof of ownership. To
verify the domain, click Verify in the Status column. If you do not verify a domain you add, the Cloud Protection Layer does not
process email for that domain.
Important: If your Barracuda Email Security Gateway is behind a relay or mail proxy, the Cloud Protection Layer may
not be able to validate your domains.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
123
d. After adding and verifying the domain, in the Actions column, click Settings to add/configure mail servers, SMTP over TLS, and
spooling of mail (in case the Barracuda Email Security Gateway is temporarily unavailable).
e. The Cloud Protection Layer will verify domain ownership, and, if the Cloud Protection Layer can communicate with
the Barracuda Email Security Gateway, the Status of the domain in the table will change from Not Verified to Verified, and you
will see a Recommended MX record for that domain on the DOMAINS page. The Cloud Protection Layer must be able to
establish and confirm a connection to the Barracuda Email Security Gateway in order to receive the required MX records. If
ownership of the domain cannot be verified, the Cloud Protection Layer will not receive email for that domain.
8. Add the Recommended MX record on the DOMAINS page for each domain to your external DNS through your ISP or domain hosting
provider. Once the DNS entries have propagated, the Cloud Protection Layer will begin receiving mail immediately.
Configure Cloud Protection Layer Filtering Policies
Important: Initially, most of the configuration on your Barracuda Email Security Gateway will automatically be copied to your Cloud
Protection Layer so you do not have to re-configure policy for your existing domains. You can then edit policies in the Cloud Protection
Layer if needed.
You can configure most of the same filtering policies and SMTP settings in the Cloud Protection Layer web interface that you can on your
Barracuda Email Security Gateway using the INBOUND SETTINGS pages. See Cloud Protection Layer for details.
For greatest security, it is highly recommended that you set Scan Email For Viruses and Use Barracuda Real-Time System (BRTS)
to Yes on the INBOUND SETTINGS > Anti-Spam/Antivirus page in the Cloud Protection Layer.
View Email Statistics
When you click on the top level of the Barracuda Cloud Control products list, you will see statistics for ALL of your products, including the Cloud
Protection Layer for your Barracuda Email Security Gateway.
Click on the Barracuda Email Security Gateway group to view combined statistics for all connected Barracuda Email Security
Gateways. You can then click on each individual appliance to see individual statistics.
Click on Cloud Protection Layer to view statistics for all inbound mail through the Cloud Protection Layer.
To see how many messages were blocked by the Cloud Protection Layer:
1. Click on the Cloud Protection Layer.
2. On the DASHBOARD page, for Inbound Email Statistics, select Blocked.
The Dashboard page shows you ONLY statistics for inbound traffic through the Cloud Protection Layer. Use these traffic profiles along
with the MESSAGE LOG page to determine how to best tune your spam policies.
To see how many messages were blocked by one or more of your Barracuda Email Security Gateways:
1.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
124
1. Expand the Email Security Gateway link and click on the system you want to view.
2. Navigate to the BASIC > Dashboard page.
Monitor Incoming Emails
Once email is flowing through the Cloud Protection Layer, the administrator can view the MESSAGE LOG page of the service to get an idea of
how many messages are being blocked by the Cloud Protection Layer, with reasons for each of those actions. Reviewing the log will give an idea
of how current Cloud Protection Layer (as well as Barracuda Email Security Gateway) settings are filtering messages.
Integration With the Barracuda Email Security Gateway
The Cloud Protection Layer MESSAGE LOG fully integrates inbound email activity processed by the Cloud Protection Layer with inbound email
activity processed by the Barracuda Email Security Gateway. The Delivery and Reason columns in the Cloud Protection Layer MESSAGE LOG
are the key to seeing how the Cloud Protection Layer blocks spam and virus threats before they reach your network.
The Delivery column indicates the following:
Not Delivered For messages blocked in the Cloud Protection Layer that never reach the Barracuda Email Security Gateway.
Rejected For messages passed through the Cloud Protection Layer to the Barracuda Email Security Gateway, which blocked the
message.
Delivered For messages allowed by the Cloud Protection Layer and the Barracuda Email Security Gateway.
Messages allowed by the Cloud Protection Layer may be quarantined, redirected, or encrypted by the Barracuda Email Security
Gateway.
The Reason column in the log indicates why Cloud Protection Layer blocked the message. Click the ? on the Message Log page for details.
The Status column to the left of the From column indicates the following:
Green – Allowed by the Cloud Protection Layer
Red – Blocked by the Cloud Protection Layer
White – Deferred by the Cloud Protection Layer
Remember that only the Barracuda Email Security Gateway can tag or quarantine messages. Messages that are Delivered passed through
filters in both the Cloud Protection Layer and the Barracuda Email Security Gateway.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
125
Quarantine: An Overview
Using Quarantine is Optional
By default, the Barracuda Email Security Gateway does not quarantine incoming or outgoing messages, but you may want to enable quarantine
for inbound mail, at least, because it offloads storage of potential spam from the mail server and backups. It also keeps potential spam messages
out of the user’s inbox. While some organizations require quarantine behavior, tagging inbound messages that might be spam is recommended
over quarantining them for several reasons:
With tagging of inbound messages, the user doesn’t need an additional inbox for storing quarantined messages because the potential
spam message is delivered to their regular inbox with a special word or phrase prepended to the Subject line to indicate that it has been
tagged as potential spam. These messages can be filtered to a special mailbox if the user desires, or can be viewed or deleted from their
regular inbox.
Tagging inbound messages on the Barracuda Email Security Gateway saves system resources because the message is not stored on
the appliance itself; it’s sent on to the user’s mailbox or to an administrator’s mailbox to manage.
Note that, by enabling quarantine of incoming messages identified as possible spam, either the user or the administrator is required to
maintain the quarantine inbox and settings.
Quarantine of inbound mail can be enabled or disabled in the Spam Scoring Limits section on the BASIC > Spam Checking page as well as on
various BLOCK/ACCEPT pages. If enabled, you can select either Global quarantine or Per-User quarantine.
For more information on using inbound quarantine, see Managing Inbound Quarantine.
Quarantine of Outbound Mail
Enable or disable in the Outbound Spam Scoring Limits section on the BASIC > Spam Checking page and set up filtering criteria for
outbound quarantine on various BLOCK/ACCEPT pages. Outbound quarantined mail can be logged and managed at the per-domain level as
well as at the global level.
For more information on using outbound quarantine, see Managing Outbound Quarantine.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
126
Mail Journaling
Journaling allows you to record a copy of, or journal of, email communications in your organization and send them to a dedicated mailbox on your
Barracuda Message Archiver, Microsoft Exchange Server or other archiving solution. The process of journaling is different from archiving.
Journaling is simply a means of recording your users’ messages. Archiving, on the other hand, is a means of storing those copies in a separate
environment for the purpose of regulatory compliance, data retention, or server maintenance.
Enable Journaling on the Barracuda Email Security Gateway
To enable simple journaling of every non-blocked inbound or outbound message that is delivered by the Barracuda Email Security Gateway,
configure the following in the Mail Journaling section of the BASIC > Administration page:
1. Enter a Destination Email Address. This address should be reserved only to receive these journaled email copies and not for receiving
other types of emails. Note that no message body is available for outbound messages that are encrypted by the Barracuda Email
Security Gateway. If you are using a Barracuda Message Archiver, see Journaling to the Barracuda Message Archiver below.
2. Enter a Bounce Address to which email messages will be sent that the Barracuda Email Security Gateway could not deliver to the
journal account - either because the receiving server for the Destination Email Address was unavailable or because the server refused
the message. In no event will a bounce message be sent to the original sender.
3. Decide whether or not to journal all messages processed by the Barracuda Email Security Gateway, including potential spam. If you
have enabled Per User Quarantine and do not want to journal messages that are quarantined, then set Do Not Journal Per-User
Quarantined Email to Yes. This means that messages arriving in user quarantine inboxes will not be journaled at that time. If, however,
the quarantined message is then manually delivered from the global Message Log, the domain Message Log, the Outbound Quarantine
or the user's quarantine inbox, the message will be journaled. Setting this option to No means that ALL messages processed by the
Barracuda Email Security Gateway will be journaled if you provide a Destination Email Address in this section.
Journaling to the Barracuda Message Archiver
1. Enable mail journaling as described above.
2. On the Barracuda Message Archiver, configure the IP address and TCP Port of your destination mail server on the ADVANCED > SMTP
Configuration page so that incoming messages will be forwarded to your email server.
See also:
How to Configure Your Barracuda Message Archiver to Act as an SMTP Proxy to Your Email Server
Understanding Email Encryption and Archival
Understanding Microsoft Exchange 2013 and 2016 Journaling
Microsoft Exchange Server 2007 and 2010 Journaling
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
127
How to Migrate From Postini to the Barracuda Email Security Gateway
Barracuda strongly recommends consulting with your reseller or a Barracuda sales representative prior to migration. To migrate your list of users
and domains from Postini to the Barracuda Email Security Gateway:
Add Domains
Add Users
Add Policies
Add Domains
1. Export your domains from Postini to a CSV file.
2. Add the domains. You can either manually add each domain or add multiple domains at one time.
To manually add each domain, go to the DOMAINS > Domain Manager page.
To add all of your domains at one time from the CSV file, use the Barracuda Email Security Gateway API. For more information,
see the Use Case – Adding and Configuring Multiple Domains section in the Barracuda Email Security Gateway API Guide.
3. Configure the per-domain and per-user settings for each domain. On the DOMAINS > Domain Manager page, click Manage Domain f
or each domain that you are configuring. The default destination server for the domains is configured in the Server Name/IP field on
the BASIC > IP Configuration page.
Add Users
1. Export your list of user email accounts from Postini to a CSV file, with one address per line.
2. Add users. You can add all of your users at one time from the CSV file with either the Barracuda Email Security Gateway web interface
or the Barracuda Email Security Gateway API.
In the Barracuda Email Security Gateway web interface, go to the USERS > User Add/Update page, paste the contents of your
CSV file into the User Account(s) text box, and then click Save Changes.
If you prefer to use the Barracuda Email Security Gateway API, use the user.create method in a loop with a Java, Perl, or
similar type of script. For details, see the Barracuda Email Security Gateway API Guide.
3. On the USERS > User Add/Update page, configure the following settings for all of the users that you have created:
Enable User(s) Quarantine – Select Yes to create a quarantine account for users, or No to disable specified quarantine
accounts. Disabled quarantine accounts will not quarantine any new messages, but any pre-existing quarantined messages will
still be accessible. Any user preferences (such as Whitelist/Blocklist) allowed to users by the administrator will also be available.
Email New User(s) – Email new account login information to users when their users accounts are created. For details, click He
lp on the USERS > User Add/Update page.
Managing Multiple Quarantine Inboxes with One Primary Account
Users can only be added as the primary address (no aliases). To manage multiple quarantine inboxes with one primary account if you
are using per-user quarantine, use the Alias Linking feature. You can enter multiple email addresses to be linked (aliased) to that
primary account. Create aliases on the ADVANCED > Explicit Users page. For more information about the Alias Linking feature, see
Quarantine Options. For more details about adding and managing users, see Creating and Managing Accounts.
Add Policies
To configure policies for the users and domains that you have added, go to the pages under the BLOCK/ACCEPT tab. To add multiple policies at
one time (e.g., add multiple blocked domains), click Bulk Edit on these pages.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
128
Routing Outbound Mail
In this Section
About Scanning of Outbound Mail
How to Route Outbound Mail from the Barracuda Email Security Gateway
How to Configure Office 365 for Inbound and Outbound Mail
How to Configure G Suite for Inbound and Outbound Mail
How to Route Outbound Mail from Kerio Connect Mail Server through the Barracuda Email Security Gateway
Encryption of Outbound Mail 6 and Above
Encryption of Outbound Mail 5.x
See also SMTP Error Codes.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
129
About Scanning of Outbound Mail
The Barracuda Email Security Gateway may be configured to scan outgoing mail simultaneously with scanning inbound mail. Virus Scanning and
Rate Control are applied to outbound mail as well as the following filters, if specifically enabled, which are configurable from the BASIC > Spam
Checking and BLOCK/ACCEPT pages:
Spam Scoring, with Block or Quarantine actions
IP Address Filtering
Sender Domain Filtering
Sender Email Address Filtering
Recipient Filtering
Content Filtering (Subject, Header and Body)
Attachment Filtering
Fingerprint Analysis
Image Analysis
Intent Analysis
The following scanning tools are not applied to outbound mail:
SPF (Sender Policy Framework), a sender authentication mechanism
DKIM (DomainKeys), an email authentication system designed to verify the DNS domain of an email sender
Regional Settings, the application of special spam analysis rules for particular languages
Per-user Whitelist/Blocklist
Per-domain Whitelist/Blocklist
IP Reputation checks
These are the policies that can be applied to outbound mail using the BLOCK/ACCEPT pages:
Encryption (see Encryption of Outbound Mail 6 and Above)
Quarantine (see Managing Outbound Quarantine)
Block
Redirection
To scan outgoing mail with the Barracuda Email Security Gateway, you must configure outbound operation on the BASIC > Outbound page (see
How to Route Outbound Mail from the Barracuda Email Security Gateway). There you’ll specify your trusted outbound mail server IP address or
domain name (either your mail server or another trusted relay), identify a Smart host if you have one, and, optionally, an authentication type. The
Barracuda Email Security Gateway supports SMTP/SASL authentication and LDAP. If you are relaying though a Smart host, you must also
configure the Smart host to send to the Internet.
Be aware that configuring the Barracuda Email Security Gateway to scan outbound as well as inbound mail will increase the load on the system.
You may find that you need to upgrade your Barracuda Email Security Gateway to another model.
Note:
When configuring outbound mail, ensure that your network firewall blocks all port 25 traffic that doesn't originate from your Barracuda
Email Security Gateway.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
130
How to Route Outbound Mail from the Barracuda Email Security Gateway
It is recommended that you see About Scanning of Outbound Mail before proceeding.
If you are using G Suite Business and Education editions with the Barracuda Email Security Gateway as your outbound
mail gateway, see How to Configure G Suite for Inbound and Outbound Mail in addition to reading this article.
If you are deploying the Barracuda Email Security Gateway on Amazon Web Services, see Routing Mail Through AWS in
addition to this article.
You can relay outbound mail through the Barracuda Email Security Gateway simultaneously with scanning inbound mail, where outbound mail
will be subject to the same spam and virus scanning and, for the most part, the same custom policy as inbound mail with some exceptions.
The following scanning tools are not applied to outbound mail:
IP Reputation, a sender authentication mechanism
SPF (Sender Policy Framework), a sender authentication mechanism
DKIM (DomainKeys), an email authentication system designed to verify the DNS domain of an email sender
Per-user Whitelist/Blocklist
Per-domain Whitelist/Blocklist
To relay outbound mail to the Barracuda Email Security Gateway:
In most cases, the only thing that needs to be done is to enter the IP address of the outgoing mail server or other trusted relay server in the Relay
Using Trusted IP/Range field on the BASIC > Outbound page, as described in Simple configuration of outbound relay of mail below. Outb
ound mail is scanned for spam, as is inbound mail, as well as filtered for policies you create from the BLOCK/ACCEPT filtering pages.
If you need to configure additional options for outbound relay, click the Help button on the BASIC > Outbound page.
Simple configuration of outbound relay of mail
1. Configure your mail server to relay outbound mail to the Barracuda Email Security Gateway. If you have a Microsoft Exchange Server,
enter your Smart host IP address in the next step and configure the Smart host on your mail server to relay outgoing mail to the
Barracuda Email Security Gateway.
2. Enter the IP address or host/domain name of your default mail server or another trusted relay server that can relay outbound mail
through the Barracuda Email Security Gateway to the Internet. Use the Relay Using Trusted IP/Range and/or the Relay Using Trusted
Host/Domain fields.
Warning
To protect your system against domain spoofing, it is strongly recommended to use IP addresses and NOT domain names for
specifying Trusted Relays. As such, it is recommended to specify your mail server and/or trusted outbound relay servers in the
Relay Using Trusted IP/Range field as opposed to specifying a host/domain name
However, if you are using the Relay Using Trusted Host/Domain field, it is recommended to configure either SMTP AUTH or LDAP
authentication on this page as well.
Note that LDAP Routing is available on the Barracuda Email Security Gateway 600 and higher, configurable on the ADVANCED > LDAP
Routing page.
If using your default mail server to relay outbound mail through the Barracuda Email Security Gateway, enter the IP address of your Dest
ination Mail Server as specified on the BASIC > IP Configuration page or in the DOMAINS > Manage Domain > BASIC > IP
Configuration page per-domain setting.
The following steps cover additional options for outbound relay:
3. To configure the Barracuda Email Security Gateway to relay outgoing mail through your normal outbound SMTP host or Smart host to
the Internet, enter the IP address or hostname and TCP port in the Outbound SMTP Host/Smart Host fields. This is the destination
server through which outbound email will be sent from the Barracuda Email Security Gateway for routing to the Internet, and whose IP
address will appear in the outgoing mail headers.
4. To enforce using a secure TLS connection to send mail through the Barracuda Email Security Gateway (inbound and outbound) for all
domains, set Force TLS to Yes. SMTP over TLS/SSL defines the SMTP command STARTTLS. This command advertises and
negotiates an encrypted channel with the peer for this SMTP connection. This encrypted channel is only used when the peer also
supports it.
5. To authenticate senders of outbound email, specify the authentication type in the Enable SASL/SMTP Authentication field. (SASL is
the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. To use SASL,
a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating protection of
subsequent protocol interactions.)
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
131
SMTP AUTH Proxy - SMTP AUTH/SASL authentication enables the SMTP "AUTH" command to authenticate users before
allowing them to relay outgoing mail through this Barracuda Email Security Gateway. Either set Use Destination Mail Server as
SMTP AUTH Proxy to Yes or fill in the IP address of another proxy server that is set up to support the SMTP AUTH
authentication command (e.g. MS-Exchange or Sendmail) to authenticate senders of outbound mail. To use this authentication
method, you must also enable 'Use name and password' or a similar option in your email client. Also, since the password
transmits in cleartext, it is recommended to secure transmission by enabling SMTP over TLS on the ADVANCED > Email
Protocol page on the Barracuda Email Security Gateway.
LDAP - Use your LDAP directory to authenticate senders. Fill in the LDAP settings as described in the Relay Using
Authentication on the LDAP tab. See also LDAP Error Codes.
6. To limit outbound relay capability to certain users or domain names, enter them in the Senders With Relay Permission field. To prevent
against domain spoofing, it is recommended not to specify sender email address or domain names that can relay outbound mail through
the Barracuda Email Security Gateway. Please use this setting only for trusted senders, and note that it is recommended to use one of
the sender authentication methods described above as well for added security.
Basic Outbound/Relay Settings
Outbound SMTP Host (Smart host) - The IP address or host name of the destination server through which outbound email will be sent
from the Barracuda Email Security Gateway for routing to the Internet, and whose IP address will appear in the outgoing mail headers.
Port - The TCP port of your SMTP host or Smart host through which you want to relay outbound mail.
Username - Only necessary if required for authentication with the SMTP host or Smart host.
Password - Only necessary if required for authentication with the SMTP host or Smart host.
Force TLS - (Optional): Set to Yes if you want to enforce using a secure TLS connection for all mail leaving the Barracuda Email
Security Gateway (inbound and outbound). SMTP over TLS/SSL defines the SMTP command STARTTLS. This command advertises
and negotiates an encrypted channel with the peer for this SMTP connection. This encrypted channel is only used when the peer also
supports it.
To configure relay using authentication and other relay options, click the Help button on the BASIC > Outbound page.
Advanced Routing of Outbound Mail
If you want outbound email go to through a specific host before final routing to the Internet and/or default MX records, you can specify that SMTP
server on the DOMAINS > Smart Hosts page.
Example: You might want all emails to gmail.com to go through an additional virus scanning service or cloud-hosted relay service.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
132
How to Configure Office 365 for Inbound and Outbound Mail
This article addresses configuring Office 365 with the Barracuda Email Security Gateway as your inbound and/or outbound mail
gateway.
See also: Step 3 - Initial Configuration
Important
Office 365 addresses and user interfaces can change, so please refer to Microsoft documentation for details on configuration. To
prepare your Barracuda Email Security Gateway deployment to connect with Office 365, see Prerequisites for your email server
environment in Set up connectors to route mail between Office 365 and your own email servers.
You can specify the Barracuda Email Security Gateway as an inbound mail gateway through which all incoming mail for your domain passes
before reaching your Office 365 account. The Barracuda Email Security Gateway filters out spam and viruses, and then passes the mail on to
the Office 365 mail servers. Use the Inbound Configuration instructions below to configure.
You can likewise specify the Barracuda Email Security Gateway as the outbound mail gateway through which all mail is sent from your domain
via your Office 365 account to the recipient. As the outbound gateway, the Barracuda Email Security Gateway processes the mail by filtering out
spam and viruses and applying any outbound policies (blocking, encrypting, etc.) before final delivery. By using the configuration described in Out
bound Configuration below, you instruct the Office 365 mail servers to pass all outgoing mail from your domain to the Barracuda Email Security
Gateway.
Inbound Configuration
To restrict all mail sent to your organization to only that which is sent from the Barracuda Email Security Gateway:
1. Create a connector for MS Exchange in Office 365. You will need the IP address of the Barracuda Email Security Gateway. Once you
configure the connector, any Internet mail that does not originate from this IP address range will be rejected by Office 365.
2. Optionally add the requirement for TLS encryption. If you do so, then all mail from your partner organization sent from the IP address or
address range you specify must be sent using TLS. Any mail that does not meet this restriction will be rejected.
For further details about configuring Office 365 with connectors, see Set up connectors for secure mail flow with a partner organization in
Microsoft documentation.
Outbound Configuration
To restrict all mail leaving your organization to only that which is sent from the Barracuda Email Security Gateway:
1. Create a connector for MS Exchange in Office 365 for outbound mail. You will need the IP address of the Barracuda Email Security
Gateway. Before you set up a new connector, check any connectors that are already listed here for your organization. For more
information, see Set up connectors to route mail between Office 365 and your own email servers in Microsoft documentation. The
outbound mail gateway will be the IP address of the Barracuda Email Security Gateway.
2. Log into the Barracuda Email Security Gateway web interface as admin. Go to the BASIC > Outbound page and follow instructions
under Simple configuration of outbound relay of mail to configure outbound mail, or follow the same instructions in How to Route
Outbound Mail from the Barracuda Email Security Gateway.65
ja
Barracuda Spam & Virus Firewall Plus/Office 365
Barracuda Spam & Virus Firewall PlusOffice 365Office 365
Barracuda Spam & Virus Firewall PlusOffice 365Barracuda Spam & Virus Firewall
PlusOffice 365
Related Articles
How to Route Outbound Mail from
the Barracuda Email Security
Gateway
Step 3 - Initial Configuration
Office 365
1.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
1.
2.
3.
4.
Office 365
> Exchange
Set Up Domain
add dns records
1. Barracuda Spam & Virus Firewall PlusOffice 365
1ourdomain.com.mail.protection.outlook.comPoints To AddressOffice 365
5. Barracuda Spam & Virus Firewall PlusWeb > IP
6. 2TCP/IP/IPBarracuda Spam & Virus Firewall PlusOffice 365Exchange Server
Barracuda Spam & Virus Firewall PlusDNSIP
ourdomain.mail.protection.outlook.com
2. Barracuda Spam & Virus Firewall Plus > IP
7. ourdomain.com
8. Office 365Barracuda Spam & Virus Firewall PlusOffice 365Exchange Server
1.
a. Exchange
b.
c. +...
3. Barracuda Spam & Virus Firewall Plus
d.
Copyright © 2017, Barracuda Networks Inc.
133
Barracuda Email Security Gateway Administrator's Guide - Page
d.
e.
f.
g.
h.
i.
j.
...
*...... > IP
IPBarracuda Spam & Virus Firewall PlusIP > IP
+OK
*...... > SCLSpam Confidence LevelSCL
OK
1. Office 365
2. > Exchange
3.
4.
5. Barracuda Spam & Virus Firewall PlusIP
5: Office 365Barracuda Spam & Virus Firewall Plus
6. Barracuda Spam & Virus Firewall Plus
6: Barracuda Spam & Virus Firewall Plus
Copyright © 2017, Barracuda Networks Inc.
134
Barracuda Email Security Gateway Administrator's Guide - Page
135
7. Barracuda Spam & Virus Firewall Plus > Simple configuration of outbound relay of mailHow to Route Outbound Mail from the Barracuda
Email Security Gateway
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
136
How to Configure G Suite for Inbound and Outbound Mail
This article addresses configuring G Suite Business and Education editions with the Barracuda Email Security Gateway as your
inbound and/or outbound mail gateway.
Inbound Configuration
1. Log into the G Suite Domain Management Portal.
2. Navigate to the Settings tab and then select Email under the Services section.
3. Navigate to Inbound Gateway and enter the public IP addresses of the Barracuda Spam Email Security Gateway(s), specifying either
the block of addresses or individual IP addresses.
Figure 1: G Suite - Inbound Gateway Settings
Make sure to check the box: Only let users receive email from the email gateways listed above. All other mail will be rejected. More info
on inbound gateways can be found here.
Outbound Configuration
1. Navigate to the Settings tab and then select Email under the Services section.
2. Navigate to Outbound Gateway and enter the IP address of the Barracuda Email Security Gateway that is the outbound mail gateway.
Figure 2: G Suite - Outbound Gateway Settings
More information about outbound gateways can be found here.
G Suite IP Addresses can change so please refer to this Google documentation.
Additional settings:
nslookup -q=TXT _netblocks.google.com 8.8.8.8
server: google-public-dns-a.google.com
address: 8.8.8.8
Non-authoritative answer:
_netblocks.google.com text ="v=spf1 ip4:216.239.32.0/19ip4:64.233.160.0/19ip4:66.249.80.0/20
ip4:72.14.192.0/18ip4:209.85.128.0/17ip4:66.102.0.0/20ip4:74.125.0.0/16
ip4:64.18.0.0/20ip4:207.126.144.0/20ip4:173.194.0.0/16 ?all"
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
137
Configuring the Barracuda Email Security Gateway
1. Navigate to DOMAINS > Domain Manager and specify your domain in New Domain Name, then click Add Domain.
2. Click the Manage Domain link and then BASIC > IP Configuration. Add the G Suite destination mail servers as follows:
G Suite Destination Mail Server
ASPMX.L.GOOGLE.COM
ALT1.ASPMX.L.GOOGLE.COM
ALT2.ASPMX.L.GOOGLE.COM
ASPMX2.GOOGLEMAIL.COM
ASPMX3.GOOGLEMAIL.COM
Also add the Destination Server name/IP address or hostname that receives email after spam and virus scans. It is usually best to use a
hostname rather than an IP address so that the destination mail server can be moved and DNS updated at any time without having to
make changes to the Barracuda Email Security Gateway configuration.
If you set Use MX Records (on the same page) to Yes, you must enter a domain name for this field. If multiple servers are specified,
then the delimiter used determines the behavior (see below). Note that you can either configure Use MX Records for all domains from
the BASIC > IP Configuration page, or you can configure it per-domain from DOMAINS > Domain Manager > Manage Domains, the
n using the BASIC > IP Configuration page for the domain you choose to manage. It is NOT recommended to set Use MX Records t
o Yes to avoid a potential mail loop.
1. Comma (",") or semi-colon (";") - Each entry in the list will used in round-robin fashion, with relative weights determined by the
number of times a particular entry is listed.
2. Space (" ") - Each entry in the list will be treated as a failover list, with an entry being used only if all entries preceding it in the
list are unreachable.
For more information about what it means to use MX records, please see Using MX Records.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
138
How to Route Outbound Mail from Kerio Connect Mail Server through the
Barracuda Email Security Gateway
Use the following steps to route outbound mail from the Kerio Connect Mail Server through the Barracuda Email Security Gateway.
1.
2.
3.
4.
Navigate to the Kerio Connect directory, expand Configuration, and click SMTP Server.
In the SMTP Delivery tab, select Use relay SMTP server, and enter the Barracuda Email Security Gateway IP address.
Enter the Relay server port number.
Turn on Use SSL/TLS if supported by remote SMTP server.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
139
Encryption of Outbound Mail 6 and Above
Overview
For health care providers, governmental agencies and other entities who need to protect private, sensitive and valuable information
communicated via email, the Barracuda Email Security Gateway allows creating multiple policies to specify exactly which outbound emails to
encrypt. Emails that match policy are securely (via TLS) sent to the Barracuda Message Center.
Encryption is configured at the per-domain level, but actual encryption policy (by sender domain, email address, recipient, etc.) is only
configurable at the global level using the BLOCK/ACCEPT pages. These global encryption policies will apply to all domains from which
encrypted email messages are sent.
Figure 1: The sender's email is encrypted by the Barracuda Email Encryption Service, then stored at the Barracuda Message Center for
retrieval.
Encrypting Messages From the MS Outlook Client
You can download the Barracuda Outlook Add-In for your Microsoft Exchange Server to enable users to choose encryption from the New
Message window in their MS Outlook client. See the Barracuda Email Security Gateway Outlook Add-In Deployment Guide 6.0 or the USERS >
User Features page in the Barracuda Email Security Gateway web interface for information on deploying the Outlook Add-In. For details about
sending and retrieving encrypted messages as applies to this add-in, see steps 4-6 of Sending and Receiving Encrypted Messages below.
Secured Message Contents
When the Barracuda Email Security Gateway encrypts the contents of a message, the message body will not be displayed on the BASIC >
Message Log, BASIC > Outbound Quarantine, or the ADVANCED > Queue Management pages.
Encryption Privacy
Only the sender of the encrypted message(s) and the recipient can view the body of a message encrypted by the Barracuda Email
Encryption Service. For Mail Journaling and the download features in the Message Viewer, the message body will not be sent to the
Mail Journaling account and cannot be downloaded to the Desktop.
If you already have an email encryption server or service, you can specify a hostname (FQDN) or IP address and port in the Redirection Mail
Server TCP/IP Configuration section of the BASIC > IP Configuration page to which the Barracuda Email Security Gateway should redirect
outbound mail for encryption. You can then select the Redirect action for outbound filtering policies in the BLOCK/ACCEPT pages. Redirection of
outbound mail per policy is only available at the global (not per-domain) level.
Configuring and Using Encryption
To get started enabling and configuring encryption and encryption policies, please see How to Use DLP and Encryption of Outbound Mail.
Archiving Encrypted Emails
If you have a Barracuda Message Archiver, you can choose to archive encrypted emails and replies to those emails. From the BASIC >
Administration page, enter the IP address of the Barracuda Message Archiver in the Email Encryption Service section. Note that encrypted
messages are not sent in encrypted format to the Barracuda Message Archiver. It is recommended that this email traffic from the Barracuda
Email Security Gateway to the Barracuda Message Archiver be sent over internal networks.
Requirements for Using Encryption
Before applying encryption policy, make sure of the following:
Your Energize Updates subscription is current. See the Subscription Status section on the BASIC > Dashboard page of the Barracuda
Email Security Gateway.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
140
You validate all sending domains that are allowed to send encrypted messages, using the DOMAINS > Manage Domain > ADVANCED
> Encryption page. Several validation methods are available from this page.
Setting Encryption Policy for Outbound Mail
From the BLOCK/ACCEPT pages you can create global custom encryption policy for secure transmission of outbound mail based on:
Sender email address and/or domain
Recipient email address and/or domain
Attachment Filename pattern and/or type as well as attachment content
Content and content type (such as, for example, secured credit card info.)
These policies will apply for ALL domains from which you send encrypted email.
Branding
You can brand encryption notification emails (see Sending and Receiving Encrypted Messages below) as well as encrypted messages with an
image and a domain name to be displayed with the image. Once you have validated a domain through the Barracuda Email Security Gateway,
branding is configured at the per-domain level on the ADVANCED > Encryption page where you can upload an image from your local drive or
network. You can optionally create custom text or html notification message content and subject from the same page.
Encryption and Quarantine, Blocking and Queuing
If an encrypted message is quarantined, the administrator will not see the message contents, but can view the message header information and
the reason the message was encrypted as well as the reason it was quarantined on the BASIC > Message Log page. From either the BASIC >
Message Log page or the BASIC > Outbound Quarantine page, the message can be delivered, rejected, deleted or forwarded.
If an encrypted message is blocked due to policy, the administrator will not see the message contents, but can view the message header
information and the reason the message was encrypted as well as the reason it was blocked on the BASIC > Message Log page. The
administrator can then deliver the message if desired.
For encrypted messages in the queue, the administrator will not see the message contents but can view the message header information and
why the message was encrypted. From the ADVANCED > Queue Management page, the administrator can deliver, re-queue or delete the
message.
Sending and Receiving Encrypted Messages
The Barracuda Message Center provides a web-based email client for recipients to manage email messages encrypted and sent via the
Barracuda Email Security Gateway. The email client looks and behaves much like any web-based email program. See Barracuda Message
Center User's Guide for details on the user experience.
For organizations such as credit card companies, for example, that do not wish recipients to reply to encrypted messages, the Allow Replies opti
on can be set to No on the ADVANCED > Encryption page.
The workflow for email encryption is as follows:
1. The administrator creates a filter from one or more of the BLOCK/ACCEPT pages to encrypt certain types of outbound messages.
2. Outbound messages that meet this filtering criteria are sent over a secure TLS channel to the Barracuda Message Center for encryption.
3. The outbound message information appears in the Barracuda Email Security Gateway Message Log, but the message body does not, as
it is encrypted for security purposes.
4. The Barracuda Message Center sends a notification to the recipient of the email message that includes a link the recipient can click to
view and retrieve the message from the Barracuda Message Center. Notifications can be branded as described above.
5. The first time the recipient clicks this link, the Barracuda Message Center will prompt for creation of a password. Thereafter the recipient
can re-use that password to pick up subsequent encrypted messages.
6. The recipient logs into the Barracuda Message Center and is presented with a list of email messages, much like any web-based email
program. All encrypted messages received will appear in this list for a finite retention period or until deleted by the recipient.
When the recipient replies to the encrypted email message, the response will also be encrypted and the sender will receive a notification that
includes a link to view and retrieve the message from the Barracuda Message Center.
Recalling Encrypted Messages
The Admin or Domain Admin roles can choose to recall an encrypted message before it is read by the recipient. From the BASIC > Message
Log page, clicking on the message brings up the Message Viewer, which includes a Recall button if the message has been encrypted. Clicking
this button recalls the message from the Barracuda Message Center under the following conditions:
The recipient has not yet read the message.
The Remove Barracuda Headers feature is set to No on the ADVANCED > Email Protocol page.
If the message is recalled, the Delivery Status for the message in the log will change to Recalled.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Copyright © 2017, Barracuda Networks Inc.
141
Barracuda Email Security Gateway Administrator's Guide - Page
142
How to Use DLP and Encryption of Outbound Mail
For health care providers, governmental agencies and other entities who need to protect private, sensitive and valuable information
communicated via email, the Barracuda Email Security Gateway includes DLP (Data Leak Prevention) features. DLP enables your organization
to satisfy email compliance filtering for corporate policies and government regulations such as HIPAA and Sarbanes-Oxley.
Advanced content scanning is applied for keywords inside commonly used text attachments, as well as email encryption.Configure email
encryption per domain on the DOMAINS > Manage Domain > ADVANCED > Encryption page. DLP/Encryption is included with your Energize
Updates subscription.
Encryption is configured at the per-domain level, but actual encryption policy (by sender domain, email address, recipient, etc.) is only
configurable at the global level using the BLOCK/ACCEPT pages. These global encryption policies will apply to all domains from which
encrypted email messages are sent.
Encryption is performed by the Barracuda Email Encryption Service, which also provides a web interface, the Barracuda Message Center, for
recipients to retrieve encrypted messages.
Encryption Privacy
When the Barracuda Email Encryption Service encrypts the contents of a message, the message body will not be displayed in the Mes
sage Log. Only the sender of the encrypted message(s) and the recipient can view the body of an encrypted message. For more
information about privacy, please see the Barracuda Networks Privacy Policy.
Workflow for Creating, Sending and Receiving Encrypted Messages
Step 1: Configure Encryption for Selected Domains
a. Begin by confirming that you Barracuda Email Security Gateway can communicate with the Barracuda Email Encryption Service.
If you are running version 6.0 or higher, from the BASIC > Administration page, enter a valid test email address in the Email
Encryption Service section and use the Test Encryption Connection button. If you are running 5.1.x, navigate to the BASIC >
IP Configuration page and, in the Encryption Service Test section, enter a valid test email address and use the Test
Encryption Connection button.
b. If you are running version 6.0 or higher, and if you have a Barracuda Message Archiver, you can choose to archive encrypted
emails and replies to those emails. From the BASIC > Administration page, enter the IP address of the Barracuda Message
Archiver in the Email Encryption Service section.
c. Make sure that your Energize Updates subscription is current. See the Subscription Status section on the BASIC >
Dashboard page of the Barracuda Email Security Gateway.
d. Validate all sending domains that are allowed to send encrypted messages, using the DOMAINS > Manage Domain >
ADVANCED > Encryption page. Several validation methods are available from this page and are detailed in the Help page.
Step 2: Create Policies for DLP/Encryption of Outbound Messages
The administrator creates one or more filters for outbound mail from the BLOCK/ACCEPT pages, selecting Encrypt as the Action. Note that,
though encryption is configured at the per-domain level, actual encryption policy (by sender domain, email address, recipient address, attachment
filename patterns, message content, etc.) is only configurable at the global level. These global encryption policies will apply to all domains from
which encrypted email messages are sent. In addition to criteria mentioned above, you can select the Encrypt action for outbound email
messages that contain matches to pre-made patterns in the subject line, message body or attachment. Use the Predefined Filters on the BLOC
K/ACCEPT > Content Filtering page to configure the following pre-defined data leakage patterns (specific to U.S. - see Note below) to meet
HIPAA and other email security regulations:
Credit Cards - Messages sent through the Barracuda Email Security Service containing recognizable Master Card, Visa, American
Express, Diners Club or Discover card numbers will be subject to the action you choose.
Social Security - Messages sent with valid social security numbers will be subject to the action you choose. U.S. Social Security
Numbers (SSN) must be entered in the format nnn-nn-nnnn.
Privacy - Messages will be subject to the action you choose if they contain two or more of the following data types, using common U.S.
data patterns only: credit cards (including Japanese Credit Bureau), expiration date, date of birth, Social Security number, driver's license
number, street address, or phone number. Phone numbers must be entered in the format nnn-nnn-nnnn or (nnn)nnn-nnnn or nnn.n
nn.nnnn .
HIPAA - Messages will be subject to the action you choose if they contain TWO of the types of items as described in Privacy above and
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
143
ONE medical term, or ONE Privacy item, ONE Address and ONE medical term. A street address can take the place of Privacy patterns.
So, for example, a U.S. Social Security Number (SSN), an address, and one medical term is enough to trigger the HIPAA filter.
The format of this data varies depending on the country, and these filters are more commonly used in the U.S.; they do not
apply to other locales. Because of the millions of ways that any of the above information can be formatted, a determined person will
likely be able to find a way to defeat the patterns used. These filter options are no match for educating employees about what is and is
not permissible to transmit via unencrypted email.
If you use the Predefined Filters on the BLOCK/ACCEPT > Content Filtering page of the Barracuda Email Security Gateway, and you have a
problem with the credit card filter taking action with spreadsheet files that do NOT contain credit card numbers, please see How to Use DLP
Filters With Spreadsheets.
Archiving Encrypted Messages
You can choose to archive all encrypted correspondence for your validated domains on the Barrracuda Email Security Gateway to your
Barracuda Message Archiver. Enable this feature by entering the IP address of your Barracuda Message Archiver in the Email Encryption
Service section of the BASIC > Adminstration page of the Barracuda Email Security Gateway. For more information, see Archiving Encrypted
Email Messages.
Port 4234 should be open for transmission of encrypted mail to the Barracuda Message Archiver.
Step 3: Sending and Receiving Encrypted Messages
The Barracuda Message Center is a web-based email client for receiving and managing encrypted email sent by the Barracuda Email Security
Service or the Barracuda Email Security Gateway. The email client looks and behaves much like any web-based email program. For a user's
guide, please see Barracuda Message Center User's Guide. The workflow for sending and receiving encrypted messages is as follows:
1. Outbound messages that meet this filtering criteria and policies configured as described above are encrypted and appear in the Messag
e Log, but the message body does not appear in the log for security purposes.
2. The Barracuda Message Center sends a notification to the recipient of the email message that includes a link the recipient can click to
view and retrieve the message from the Barracuda Message Center.
3. The first time the recipient clicks this link, the Barracuda Message Center will prompt for creation of a password. Thereafter the recipient
can re-use that password to pick up subsequent encrypted messages.
4. The recipient logs into the Barracuda Message Center and is presented with a list of email messages, much like any web-based email
program. All encrypted messages received will appear in this list for a finite retention period or until deleted by the recipient.
When the recipient replies to the encrypted email message, the response will also be encrypted and the sender will receive a notification that
includes a link to view and retrieve the message from the Barracuda Message Center.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
144
Medical Dictionary Source for DLP HIPAA Compliance
The DLP/HIPAA compliance engine is powered by the UMLS Metathesaurus, version 2013AA, created by the U.S. National Library of Medicine,
National Institutes of Health. Within the UMLS Metathesaurus, it uses medical vocabulary from:
COSTAR, by Massachusetts General Hospital, Harvard Medical School
DXplain, by Massachusetts General Hospital, Harvard Medical School
FMA*, by Structural Informatics Group, University of Washington
HCPCS, by Centers for Medicare and Medicaid Services
ICD-9-CM, by U.S. Department of Health and Human Services
MTHICD0, by U.S. National Library of Medicine, National Institutes of Health
NCI Thesaurus, by National Cancer Institute, National Institutes of Health
VANDF, by U.S. Department of Veteran's Affairs
The compliance engine uses only portions of each of the above vocabularies. It also uses vocabulary which is not a part of the UMLS
Metathesaurus, developed by the Barracuda Networks research team.
Some material in the UMLS Metathesaurus is from copyrighted sources of the respective copyright holders. Users of the UMLS Metathesaurus
are solely responsible for compliance with any copyright, patent or trademark restrictions and are referred to the copyright, patent or trademark
notices appearing in the original sources, all of which are hereby incorporated by reference.
*FMA is the intellectual property of the University of Washington and was developed at the University of Washington by the Structural Informatics
Group.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
145
How to Use DLP Filters With Spreadsheets
If you use Predefined Filters for Data Leakage Prevention (DLP) and have a problem with the credit card filter taking action (false positives) with
spreadsheet files that do NOT contain credit card numbers, this article gives a simple solution. Predefined Filters are configured on the BLOCK
/ACCEPT > Content Filtering page in the Predefined Filters section.
Spreadsheets can store numbers to 16 decimal places which can match a valid Credit Card number check. The Barracuda Email Security
Gateway checks all 16 digit numbers that have a leading period or space and end with a period or space or <CR>, so this number, for example:
254.4012888888881881
...results in checking the number 4012888888881881 against the credit card filter. When tested, this number verifies as a number pattern Visa
supports as a credit card number. This does not mean it is a credit card number currently in use, but that it passes what is known as the Luhn10
test.
If you are sending spreadsheets as attachments, you should set your program to save numbers to 10 or fewer places, or save your document in a
password protected archive so it cannot be scanned by the Barracuda Email Security Gateway for content.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
146
Archiving Encrypted Email Messages
This feature applies to the Barracuda Email Security Gateway running version 6.x and higher.
If you have a Barracuda Message Archiver, you can choose to archive encrypted emails that pass through the Barracuda Email Security
Gateway, as well as replies to those emails. From the BASIC > Administration page, enter the IP address of the Barracuda Message Archiver in
the Email Encryption Service section.
Archiving Replies to Encrypted Emails
Any replies to encrypted message go, as usual, to the Barracuda Message Center. The Barracuda Email Security Gateway then collects the reply
from the Barracuda Message center and proxies it to the Barracuda Message Archiver. For an illustration of encrypted mail flow (not including the
archiving feature), see the diagram in How to Use DLP and Encryption of Outbound Mail.
Note that encrypted messages are not sent in encrypted format to the Barracuda Message Archiver. Therefore, to protect sensitive mail, it is
recommended that:
This email traffic from the Barracuda Email Security Gateway to the Barracuda Message Archiver be sent over internal networks. The
Barracuda Message Archiver will support SMTP/TLS for encrypted transmission of the emails if both the Barracuda Email Security
Gateway and the Barracuda Message Archiver are configured to use this protocol:
On the Barracuda Email Security Gateway, set Enable SMTP over TLS/SSL to Yes on the ADVANCED > Email Protocol page
.
For configuring the Barracuda Message Archiver to receive messages via SMTP over TLS, please contact Barracuda Networks
Technical Support.
You enable the Secondary Authentication feature on the Barracuda Message Archiver from the BASIC > Administration page. Secon
dary Authorization allows an additional password to be required of both Admins and Auditors before executing any action that could
expose message data, including messages that were originally sent encrypted. You can assign the secondary password to a 2nd
administrator, which must be used before the content of these email messages can be viewed. Note that the Secondary Authorization
feature is not limited for use with managing encrypted mail - if you enable it, it will apply to managing all archived mail.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
147
Encryption of Outbound Mail 5.x
For health care providers, governmental agencies and other entities who need to protect private, sensitive and valuable information
communicated via email, the Barracuda Spam Firewall provides the option of email encryption based on policy you set for outbound mail in the B
LOCK/ACCEPT pages.
Actual encryption of outbound mail is performed by the Barracuda Email Encryption Service, so system performance is never affected. Encryption
is configured at the per-domain level, but actual encryption policy (by sender domain, email address, recipient, etc.) is only configurable at the
global level using the BLOCK/ACCEPT pages. These global encryption policies will apply to all domains from which encrypted email messages
are sent.
Email encryption can be performed by the Barracuda Spam Firewall on outbound mail as described in this article, OR you can download the
Barracuda Outlook Add-In for your Microsoft Exchange Server to enable users to choose encryption from the New Message window in their MS
Outlook client. See Barracuda Outlook Add-In Deployment Guide 5.x or the USERS > User Features page in the Barracuda Spam Firewall web
interface for information on deploying the Outlook Add-In. For details about sending and retrieving encrypted messages as applies to this add-in,
see steps 4-6 of Sending and Receiving Encrypted Messages.
Secured Message Contents
When the Barracuda Spam Firewall encrypts the contents of a message, the message body will not be displayed on the BASIC > Message Log,
BASIC > Outbound Quarantine, or the ADVANCED > Queue Management pages. For Mail Journaling and the download features in the
Message Viewer, the message body will not be sent to the Mail Journaling account and cannot be downloaded to the Desktop.
If you already have an email encryption server or service, you can specify a hostname (FQDN) or IP address and port in the Redirection Mail
Server TCP/IP Configuration section of the BASIC > IP Configuration page to which the Barracuda Spam Firewall should redirect outbound mail
for encryption. You can then select the Redirect action for outbound filtering policies in the BLOCK/ACCEPT pages. Redirection of outbound mail
per policy is only available at the global (not per-domain) level.
Configuring and Using Encryption
Begin by confirming that the Barracuda Spam Firewall can communicate with the Barracuda Email Encryption Service. From the BASIC >
Administration page, enter a valid test email address in the Email Encryption Service section and use the Test Encryption Connection button.
Archiving Encrypted Emails
If you have a Barracuda Message Archiver, you can choose to archive encrypted emails and replies to those emails. From the BASIC >
Administration page, enter the IP address of the Barracuda Message Archiver in the Email Encryption Service section .
Requirements for Using Encryption
Before applying encryption policy, make sure of the following:
Your Energize Updates subscription is current. See the Subscription Status section on the BASIC > Dashboard page of the Barracuda
Spam Firewall.
You validate all sending domains that are allowed to send encrypted messages, using the DOMAINS > Manage Domain > ADVANCED
> Encryption page. Several validation methods are available from this page.
Setting Encryption Policy for Outbound Mail
From the BLOCK/ACCEPT pages you can select the Encrypt action to create global custom encryption policy for secure transmission of
outbound mail based on:
Sender email address and/or domain
Recipient email address and/or domain
Attachment Filename pattern and/or type as well as attachment content
Content and content type (such as, for example, secured credit card info.)
These policies will apply for ALL domains from which you send encrypted email.
Predefined Filters for Data Leakage Prevention (DLP)
DLP enables your organization to satisfy email compliance filtering for corporate policies and government regulations such as HIPAA and
Sarbanes-Oxley. You can select the Encrypt action for outbound email messages that contain matches to pre-made patterns in the subject line,
message body or attachment. Use the following pre-defined data leakage patterns (specific to U.S. – see Note below):
Credit Cards – Messages sent through the Barracuda Email Security Service containing recognizable Master Card, Visa, American
Express, Diners Club or Discover card numbers will be subject to the action you choose.
Social Security – Messages sent with valid social security numbers will be subject to the action you choose. U.S. Social Security
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
148
Numbers (SSN) must be entered in the format nnn-nn-nnnn.
Privacy – Messages will be subject to the action you choose if they contain two or more of the following data types, using common U.S.
data patterns only: credit cards (including Japanese Credit Bureau), expiration date, date of birth, Social Security number, driver's license
number, or phone number. Phone numbers must be entered in the format nnn-nnn-nnnn or (nnn)nnn-nnnn or nnn.nnn.nnnn .
HIPAA – Messages will be subject to the action you choose if they contain TWO of the types of items as described in Privacy above and
ONE medical term.
The format of this data varies depending on the country, and these filters are more commonly used in the U.S.; they do not
apply to other locales. Because of the millions of ways that any of the above information can be formatted, a determined person will
likely be able to find a way to defeat the patterns used. These filter options are no match for educating employees about what is and is
not permissible to transmit via unencrypted email.
Branding
You can brand encryption notification emails (see Sending and Receiving Encrypted Messages below) as well as encrypted messages with an
image and a domain name to be displayed with the image. Once you have validated a domain through the Barracuda Spam Firewall, branding is
configured at the per-domain level on the ADVANCED > Encryption page where you can upload an image from your local drive or network. You
can optionally create custom text or html notification message content and subject from the same page.
Encryption and Quarantine, Blocking and Queuing
If an encrypted message is quarantined, the administrator will not see the message contents, but can view the message header information and
the reason the message was encrypted as well as the reason it was quarantined on the BASIC > Message Log page. From either the BASIC >
Message Log page or the BASIC > Outbound Quarantine page, the message can be delivered, rejected, deleted or forwarded.
If an encrypted message is blocked due to policy, the administrator will not see the message contents, but can view the message header
information and the reason the message was encrypted as well as the reason it was blocked on the BASIC > Message Log page. The
administrator can then deliver the message if desired.
For encrypted messages in the queue, the administrator will not see the message contents but can view the message header information and
why the message was encrypted. From the ADVANCED > Queue Management page, the administrator can deliver, re-queue or delete the
message.
Sending and Receiving Encrypted Messages
The Barracuda Message Center provides a web-based email client for recipients to manage email messages encrypted and sent via the
Barracuda Spam Firewall. The email client looks and behaves much like any web-based email program. See Barracuda Message Center User's
Guide for details on the user experience.
For organizations such as credit card companies, for example, that do not wish recipients to reply to encrypted messages, the Allow Replies opti
on can be set to No on the ADVANCED > Encryption page.
The workflow for email encryption is as follows:
1. The administrator creates a filter from one or more of the BLOCK/ACCEPT pages to encrypt certain types of outbound messages.
2. Outbound messages that meet this filtering criteria are sent over a secure TLS channel to the Barracuda Message Center for encryption.
3. The outbound message information appears in the Barracuda Spam Firewall Message Log, but the message body does not, as it is
encrypted for security purposes.
4. The Barracuda Message Center sends a notification to the recipient of the email message that includes a link the recipient can click to
view and retrieve the message from the Barracuda Message Center. Notifications can be branded as described above.
5. The first time the recipient clicks this link, the Barracuda Message Center will prompt for creation of a password. Thereafter the recipient
can re-use that password to pick up subsequent encrypted messages.
6. The recipient logs into the Barracuda Message Center and is presented with a list of email messages, much like any web-based email
program. All encrypted messages received will appear in this list for a finite retention period or until deleted by the recipient.
When the recipient replies to the encrypted email message, the response will also be encrypted and the sender will receive a notification that
includes a link to view and retrieve the message from the Barracuda Message Center.
Recalling Encrypted Messages
The Admin or Domain Admin roles can choose to recall an encrypted message before it is read by the recipient. From the BASIC > Message
Log page, clicking on the message brings up the Message Viewer, which includes a Recall button if the message has been encrypted. Clicking
this button recalls the message from the Barracuda Message Center under the following conditions:
The recipient has not yet read the message.
The Remove Barracuda Headers feature is set to No on the ADVANCED > Email Protocol page.
If the message is recalled, the Delivery Status for the message in the log will change to Recalled.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Copyright © 2017, Barracuda Networks Inc.
149
Barracuda Email Security Gateway Administrator's Guide - Page
150
Securing the Barracuda Email Security Gateway
Secure Deployment
You can deploy your Barracuda Email Security Gateway behind your corporate firewall or in front of your corporate firewall in the DMZ. However,
for maximum security, Barracuda recommends deploying the Barracuda Email Security Gateway behind a corporate firewall as described in Depl
oyment Behind the Corporate Firewall.
Securing Network Access
To secure your Barracuda Email Security Gateway on your network, begin by locking down the user interface ports. Barracuda Networks
recommends using the non-standard port 8000 for internal access to the web interface, which is configured on the BASIC > Administration pag
e. From that page you can also further limit access to the web interface by IP address with the Administrator/IP Range setting. If no IP address
is specified in this field, then all systems are granted access with the correct administrator password.
You can secure external access to the Barracuda Email Security Gateway with the Web Interface HTTPS/SSL Port setting on the ADVANCED
> Secure Administration page. The recommended port is 443 because it is a standard HTTPS/SSL port that is used for secure web browser
communication, and the identity of the remotely connected server can be verified with significant confidence. To configure SSL-only access to the
web interface, see How to Enable SSL for Administrators and Users.
If per-user quarantine is enabled as well as HTTPS, users will be redirected to HTTPS access if they are trying to access their
quarantine inbox.
SSL Certificates
As described above, limiting user interface access to HTTPS provides further security and can also be configured on the ADVANCED > Secure
Administration page along with the use of SSL certificates. There are three types of SSL certificates to choose from:
Default (Barracuda Networks)
Private (self-signed)
Trusted certificate - a certificate signed by a trusted certificate authority (CA)
Configuring SSL certificates is described in this guide in the How to Enable SSL for Administrators and Users as well as in the online help of the
ADVANCED > Secure Administration page.
Secure Links in Notification Emails
If Per-User quarantine (as opposed to Global) is configured on the BASIC > Quarantine page, you might want to secure hyperlinks in
quarantine correspondence emails that are sent from the Barracuda Email Security Gateway to users and administrators. Setting Use HTTPS
Links in Emails to Yes on the ADVANCED > Secure Administration page ensures that these emails sent from the Barracuda Email Security
Gateway contain only HTTPS links.
Use the Cloud Protection Layer
Using the Cloud Protection Layer feature means that all email going into your organization will be pre-filtered for spam and viruses before it
reaches your network. This feature requires using Barracuda Cloud Control and validating your domain ownership with the cloud service. To use
this feature, please see Cloud Protection Layer for details on configuration.
Limiting Access to the API
The Barracuda set of APIs provides for remote administration and configuration of the Barracuda Email Security Gateway. More detailed
information regarding the API can be found in the Barracuda Email Security Gateway API Guide. Common settings, such as IP addresses and
spam scoring levels, that you can set by clicking the Save Changes button in the web interface, can be configured via the API.
To limit access to the API, use the Allowed SNMP and API IP/Range setting on the BASIC > Administration page. The IP addresses you enter
in that field can also establish an SNMP connection to the system.To secure use of the API, you must also create an API password which can be
entered on the same page.
Tracking Changes to the Configuration and User Login Activities
The syslog function of the Barracuda Email Security Gateway provides two kinds of logs, capturing:
User login activities and any configuration changes made on the device.
Data related to mail flow. This data is the same information as that used to build the Message Log in the Barracuda Email Security
Gateway.
From the ADVANCED > Troubleshooting page, use the Monitor Web Syslog button view the web syslog output. You can also configure a
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
151
syslog server as described in Using a Syslog Server to Centrally Monitor System Logs.
Limiting User Access
Securing User Access With Single Sign-On
Single Sign-On is a per-domain setting available on the Barracuda Email Security Gateway 400 and higher.
With Single Sign-On (SSO), users can log into their quarantine inbox via the web interface using their domain passwords instead of a password
managed separately by the Barracuda Email Security Gateway. Single Sign-On is configured at the domain level by either the Administrator or a
Domain Admin. See Roles and Navigating the Web Interface for more detail about how roles work.
Note that, if you are using LDAP authentication for single sign-on, you can either use the same LDAP server and settings for user authentication
as the one you’re using for recipient verification (configured on the USERS > LDAP Configuration page), or you can configure a separate LDAP
server for single sign-on from the USERS > Single Sign-On page. Please see the help on that page for specifics about LDAP server settings to
understand how they affect user logins and access to their quarantine inbox.
Important
If enabling Single Sign-On for a domain, you should also configure HTTPS/SSL Access Only at the global level on the ADVANCED >
Secure Administration page to protect the transmission of network passwords. See How to Enable SSL for Administrators and Users
to configure SSL access only to the web interface of the Barracuda Email Security Gateway.
User Account Authentication
You can configure the Barracuda Email Security Gateway to authenticate user accounts using an LDAP, POP, or RADIUS server. This feature is
available on the Barracuda Email Security Gateway 400 and higher and is configured at the domain level, not as a global setting. These user
account authentication mechanisms are configured from the DOMAINS tab by selecting the Domains page and clicking the Manage Domain link
for a particular domain.
To configure authentication, navigate to the USERS > Single Sign-On page for the selected domain and select the Authentication Type. For
RADIUS and POP, fill in the server settings on the page. To require users to log in to the Barracuda Email Security Gateway web interface (as
opposed to single sign on) to view and manage their account, select Local for Authentication Type.
LDAP and User Account Authentication
Configure LDAP settings on the USERS > LDAP Configuration page. LDAP server types supported include Active Directory, Open LDAP,
Novell eDirectory and Domino Directory. You can configure LDAPS (SSL/TLS) for encryption of LDAP queries between the Barracuda Email
Security Gateway and your LDAP server. LDAPS can optionally be required. As stated above, these settings are domain-specific.
If you select LDAP authentication, you can configure the Exchange Accelerator/LDAP Verification feature on the USERS > LDAP
Configuration page as follows:
Setting to Yes means that LDAP lookups for recipient verification for the domain will be performed based on settings on the page.
Setting to No means that the Barracuda Email Security Gateway will default to SMTP verification through RCPT TO commands.
See also: Roles and Navigating the Web Interface
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
152
Advanced Spam Filtering Inbound
The goal in configuring a Barracuda Email Security Gateway is to identify spam without blocking valid messages. These articles address using
custom spam filtering policy on inbound mail as well as optional, more sophisticated spam identification methods. For information about Spam
scoring for inbound mail, see How Spam Scoring Works.
In this Section
Advanced Threat Detection
Anti-Fraud and Anti-Phishing Protection
Rate Control Inbound
IP Analysis Inbound
Content Analysis Inbound
Bayesian Analysis Inbound
Bulk Email Detection
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
153
Advanced Threat Detection
The Barracuda Email Security Gateway provides access to the subscription-based Advanced Threat Detection (ATD) service when you use the
Cloud Protection Layer. For information about setting up the Cloud Protection Layer, see Cloud Protection Layer and How to Set Up Your Cloud
Protection Layer.
The ATD service analyzes inbound email attachments in a separate, secured cloud environment, detecting new threats and determining whether
to block such messages. ATD offers protection against advanced malware, zero-day exploits, and targeted attacks not detected by the Barracuda
Email Security Gateway virus scanning features. To subscribe to the ATD service, see the Subscriptions section of the DASHBOARD page in
the Cloud Protection Layer.
When ATD determines an attachment contains a threat and blocks the message, review the ATD Report before determining whether to
deliver the message. See How to Use Advanced Threat Detection Reports for more information.
Advanced Threat Detection Options
In the Cloud Protection Layer, configure how and when attachments are scanned on the INBOUND SETTINGS > ATD page:
Deliver First, Then Scan – When selected, the ATD service attempts to scan the mail in real time. If the ATD scan completes in real
time and a virus is detected, the message is blocked and is not delivered. If the ATD scan does not complete in real time, the message is
delivered; if the ATD service determines the attachment to be suspicious or virus-infected upon completion, the recipient is notified, and
if Notify Admin is set to Yes, an email alert is sent to the specified admin address.
This option does not delay email processing, however, the email recipient can potentially open an infected attachment.
Scan First, Then Deliver – When selected, the ATD service scans messages with attachments before delivery. If a virus is detected in
an attachment, the message is blocked, otherwise, the message is delivered to the recipient.
This option provides more security and prevents the email recipient from opening infected attachments. Note that messages
with attachments may be temporarily deferred while queued for scanning. These messages appear in the Message log and Pe
nding Scan displays in the Reason column. The mail server retries until the scan is complete and no virus is detected in the
attachment, at which point the message is delivered.
No – When selected, ATD is disabled.
Advanced Threat Detection Exemptions
When ATD is set to either Deliver First, then Scan or Scan First, then Deliver, you can exempt sender email addresses, sender domains,
recipient email addresses, recipient domains, or sender IP addresses from ATD scanning in the ATD Exemptions section on the INBOUND
SETTINGS > ATD page of the Cloud Protection Layer.
Attachments from exempted entries are not sent to the ATD cloud. Note that these exemptions apply to ATD scanning only and do not
apply to Barracuda Email Security Gateway virus scanning.
Scanned File Types
Table 1 lists the file types scanned by the ATD service.
Table 1. Scanned File Types.
MIME Type
File Extension
application/pdf
.pdf
application/msword
.doc
application/vnd.ms-powerpoint
.ppt
application/vnd.ms-excel
.xls
application/x-msaccess
.mdb
application/vnd.openxmlformats-officedocument.presentationml.pres
entation
.pptx
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
application/x-dosexec
.exe
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
.xlsx
application/vnd.microsoft.portable-executable
.exe
application/x-executable
.exe
application/vnd.ms-cab-compressed
.cab
text/x-msdos-batch
.bat
application/rtf
.rtf
application/vnd.android.package-archive
.apk
application/zip
.zip
application/x-tar
.tar
application/java-archive
.jar
application/javascript
.js
application/vnd.openxmlformats-officedocument.wordprocessingml.d
ocument
.docx
154
Administrator Notification
When Deliver First, Then Scan is selected, select Yes for Notify Admin to notify the administrator when a virus is detected by the ATD service
in a scanned attachment. The email notification includes the sender, recipient, attachment type, and detected virus. Enter the admin email
address in the ATD Notification Email field address. Infected attachments are listed in the ATD Log.
ATD Exemptions
When ATD is set to either Deliver First, then Scan or Scan First, then Deliver, you can exempt sender email addresses, sender domains,
recipient email addresses, recipient domains, or sender IP addresses from ATD scanning. Attachments from exempted entries are not sent to the
ATD cloud. Note that these exemptions apply to ATD scanning only and do not apply to Barracuda Email Security Gateway virus scanning.
Message Log
Messages blocked or deferred by the ATD service are listed in the Cloud Protection Layer Message Log with the following codes listed in the Re
ason column:
Advanced Threat Detection – Message is blocked by the ATD service due to an infected attachment.
Pending Scan (Scan First, Then Deliver enabled) – Message is deferred while the attachment is scanned. The mail server retries until
the scan is complete. Once complete, if no virus is detected, the message is delivered.
ATD Service Unavailable – Message is deferred because the ATD service is temporarily unavailable. The message is retried and, when
the scan is complete and if no virus is detected, the message is delivered.
View ATD Statistics
The DASHBOARD page in the Cloud Protection Layer displays statistics of scanned attachments determined to be infected by the ATD service.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
155
How to Use Advanced Threat Detection Reports
When ATD determines an attachment contains a threat and blocks the message, Barracuda recommends that you review each infected ATD
Report before determining whether to deliver the message.
Determine Whether to Deliver Message
1.
2.
3.
4.
5.
6.
7.
8.
9.
Log in to Cloud Protection Layer as the administrator, and go to MESSAGE LOG.
Set message filters and search criteria as needed, and click Search.
Messages blocked by ATD display as Not Delivered.
Click on the message, and in the reading pane, click ATD Reports.
The Email Delivery Warning dialog box displays a list of attachments, one or more of which is suspected of being Infected. If you want
to deliver the email and the associated attachments, first review the report for each attachment.
Click View Report for the suspicious attachment, and review the report details.
Repeat step 6 for each attachment.
Once you review all attachments, and if you determine you want to deliver the email and the associated attachments, review and accept
the disclaimer, and click Deliver in the Email Delivery Warning dialog box.
If the message is delivered successfully, the Delivery Status changes to Delivered. If the mail cannot be delivered, this is reflected as a
notice in your browser window and the Delivery Status does not change.
ATD Classifications
Malicious – File classified as high risk. File is highly likely to be malware.
Suspicious – File classified as medium risk. File may pose a potential risk.
Clean – File classified as low risk. No malicious indicators were detected.
Exercise caution even with files marked CLEAN as malware authors are continually finding new ways to evade detection.
Terminology
Determination versus Verdict – When a scan is complete and the risk potential is classified, that scan displays a Determination. For
example, if the file is determined to have medium risk, the determination is Suspicious. After all scans are complete, a Verdict displays
based on the determination of all scans.
Reclassified – If a scan determination is Malicious or Suspicious, but the file is reviewed by the Barracuda Analyst Team and
determined to be Clean, the Verdict displays as Clean and Reclassified by Analyst displays.
ATD Report Sections
The ATD report is divided into the following sections:
Scan Description
This section provides a short description of the ATD report and how the scan verdict is reached.
Overall Determination
This section displays the scan verdict and reason for this file. The verdict is based on the outcome, or determination, of each scan.
File Metadata
This section lists file-specific details including file extension, file size, meta-data, and when the file was first submitted.
Threat Analysis
This section lists the outcome of each scan:
Enhanced Antivirus detection scans the file through a comprehensive system of traditional antivirus signatures.
Behavioral Heuristics analyzes through a heuristics engine utilizing behavioral indicators.
Sandboxing executes the file in an isolated environment where its behavior is analyzed and assigned a risk level.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
156
Anti-Fraud and Anti-Phishing Protection
Phishing scams are typically fraudulent email messages that appear to come from legitimate senders, for example, a university, an Internet
service provider, or a financial institution. These messages usually contain a URL that, when clicked, directs the user to a spoofed website or
otherwise tricks the user to reveal private information such as login, password, or other sensitive data. This information is then used to commit
identity and/or monetary theft.
Using the features described in this article require that you first set up the free Cloud Protection Layer service with your Barracuda Email Security
Gateway. You can configure the Cloud Protection Layer to evaluate and rewrite fraudulent URLs so that, when clicked, the user is safely
redirected to a valid domain or to a Barracuda domain warning of the fraud. See Cloud Protection Layer for more information about the service.
To configure, log in to the Cloud Protection Layer, and go to the INBOUND SETTINGS > Anti-Phishing page:
Barracuda Anti-Fraud Intelligence – This Barracuda Networks anti-phishing detection feature uses a special Bayesian database for
detecting Phishing scams.
Link Protection – When set to Yes, the service automatically rewrites a deceptive URL in an email message to a safe Barracuda URL,
and delivers that message to the user.
When Link Protection is enabled, URLs are not rewritten if:
The URL is exempt
The URL is contained in an encrypted or protected message
The URL is within an attachment
When the user clicks the URL, the service evaluates it for validity and reputation. If the domain is determined to be valid, the user is
directed to that website. If the URL is suspicious, the user is directed to the Barracuda Link Protection Service warning page which
displays details about the blocked URL, for example:
To minimize false positives and page load delays, Barracuda maintains a list of domains considered safe. Because of this,
some links detected in messages are wrapped while others are not. For example, Barracuda does not currently wrap
google.com, but does wrap googlegroups.com because it provides user-generated content.
Typosquatting Protection – Typosquatting is a common trick used by hackers to fool users into thinking they are visiting a valid domain
but the domain name is misspelled. Typosquatting is detected only if the URL is rewritten, that is, if it is not exempt. When clicked, the
user is taken to a different domain that may be spoofing the expected domain. The Typosquatting Protection feature checks for
common typos in the URL domain name and, if found, rewrites the URL to the correct domain name so that the user visits the intended
website. For example, if the URL https://www.tripadivsor.com (where the 'i' and 'v' positions are switched in the domain name) appears
in an email message, the service detects the typo and rewrites the URL to the valid domain https://www.tripadivsor.com. Note that Lin
k Protection must be set to Yes before you can enable Typosquatting Protection.
Barracuda typosquatting works with tools such as Desvio to determine misspelled domain names. To protect your misspelled
domains, contact providers such as Desvio to add your misspelled domain name variations to their list.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
157
Rate Control Inbound
The Barracuda Email Security Gateway Rate Control feature protects the system from spammers or spam-programs (also known as "spam-bots")
that send large amounts of email to the server in a small amount of time. Rate Control is configured on the BLOCK/ACCEPT > Rate Control pag
e.
As part of the Connection Management Layer, the Rate Control mechanism counts the number of connections to the Barracuda Email Security
Gateway in a half hour period and compares that number to the Rate Control threshold, which is the maximum number of connections allowed
from any one IP address in this half-hour time frame. If the number of connections from a single IP address exceeds the Rate Control threshold
within the half hour period, the Barracuda Email Security Gateway will defer any further connection attempts from that particular IP address until
the next half hour time frame and log each attempt as deferred in the Message Log with a Reason of Rate Control.
In this case, for each message deferred, the sender will receive a 4xx level error message instructing the mail server to retry after a predefined
time interval. Well-behaving mail servers act upon the defer message and will try sending the message again later, while email from large volume
spammers will not retry sending the email again.
When Rate Control Takes Effect
When Rate Control is first enabled on the Barracuda Email Security Gateway, or after a change is made to the Rate Control threshold, five (5)
unique IP addresses must connect before Rate Control is invoked. This is to take into account that you may have another appliance receiving
email (i.e., a front-end Mail Transfer Agent (MTA) or a trusted forwarder) before the Barracuda Email Security Gateway. Once 5 or more IP
addresses have made connections to the Barracuda Email Security Gateway, it indicates that mail is also coming in from other outside sources
and rate control should be applied.
Exemptions from Rate Control
You can exempt trusted IP addresses from Rate Control by adding a trusted IP address to the Rate Control Exemption/IP range list. Also, any
IP address that you enter as a trusted forwarder on the BASIC > IP Configuration page will be exempted from Rate Control.
When configuring Rate Control, keep in mind the following
A rate of 50 is conservative
Some customers can lower this safely
Caution – False positives can be hard to diagnose
Common setting is for 20-30 emails/ half hour
High volume recipients may need to either set the Rate Control Threshold above 50 and/or list IP addresses from which they expect to
receive a high volume of email in the Rate Control Exemption/IP Range list.
Organizations that relay email through known servers or communicate frequently with known partners can and should add the IP
addresses of those trusted relays and good mail servers to the Rate Control Exemption/IP Range list.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
158
IP Analysis Inbound
About IP Analysis
After applying rate controls, the Barracuda Email Security Gateway then performs analysis on the IP address, applying tag, quarantine or block
policies that you configure in the BLOCK/ACCEPT pages.
Once the true sender of an email message is identified, the reputation and intent of that sender should be determined before accepting the
message as valid, or "not spam". The best way to address both issues is to know the IP addresses of trusted senders and forwarders of email
and define those on the Barracuda Email Security Gateway as "Allowed" by adding them to a whitelist of known good senders. Various methods
for discerning "good" senders of email versus spammers are described in this section to help you to quickly configure your Barracuda Email
Security Gateway per the needs of your organization.
Barracuda Networks does NOT recommend whitelisting domains because spammers will spoof domain names. When possible, it is
recommended to whitelist (Allow) by IP address only.
Trusted Forwarders
On the BASIC > IP Configuration page you can specify the IP addresses of any machines that are set up specifically to forward mail to the
Barracuda Email Security Gateway from outside sources. These are called Trusted Forwarders and will bypass SPF, Rate Control and IP
Reputation checks. In the IP Analysis layer, the Barracuda Email Security Gateway examines the Received headers and evaluates the first
non-trusted IP address when applying the above filters and other block and accept policies.
IP Reputation
The Barracuda Email Security Gateway enables administrators to define a list of trusted mail servers by IP address. By adding IP addresses to
this list, administrators can avoid spam scanning of good email, thereby both reducing processing load and eliminating the chances of false
positives. Note that virus scanning and blocked attachment checks are still enforced.
Likewise you can define a list of bad email senders. In some cases, you may choose to utilize IP blocklists on the BLOCK/ACCEPT > IP Filters p
age to restrict specific mail servers as a matter of policy rather than as a matter of spam.
Barracuda Reputation (BRBL)
Barracuda Reputation is a database maintained by Barracuda Central and includes a list of IP addresses of known good senders as well as
known spammers, or IP addresses with a "poor" reputation. This data is collected from spam traps and other systems throughout the Internet.
The sending history associated with the IP addresses of all sending mail servers is analyzed to determine the likelihood of legitimate messages
arriving from those addresses. Updates to Barracuda Reputation are made continuously by Barracuda Central engineering.
On the BLOCK/ACCEPT > IP Reputation page, it is strongly recommended that the Barracuda Reputation Blocklist (BRBL) option be set to
"Block".
Email Categorization
(Available in version 6.1 and higher) This feature replaces the Barracuda Reputation Whitelist feature in version 6.1 and higher. Email
Categorization gives administrators more control over what they believe to be spam, even though those messages may not meet the technical
definition of spam. Most users do not realize that newsletters and other subscription-based emails, while they are considered to be bulk email, are
not technically unsolicited - which means that they can not be blocked by default as spam.
The senders of these emails may have a good reputation, but the user may no longer want to receive, for example, a mass mailing from a club or
vendor membership. The Email Categorization feature assigns these kinds of emails to categories that display on the BLOCK/ACCEPT > IP
Reputation page, and the administrator can then create Block, Quarantine, Tag or Whitelist (allow) policies by category. Or the action can be
Off, in which messages are not scanned for Email Categorization. If the message action is Tag, the message subject will indicate the category
name.
Categories supported are:
Transactional Emails - Emails related to order confirmation, bills, bank statements, invoices, monthly bills, UPS shipping notices,
surveys relating to services rendered and or where transactions took place. The default action is Whitelist (allow).
Barracuda recommends setting Whitelist for the Transactional Emails category to prevent overlooking potentially important billing,
bank statements and other time sensitive information.
Corporate Emails - Email sent from MS Exchange Server that involves general corporate communications. Does not include marketing
newsletters. The default action is Whitelist (allow).
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
159
Marketing Materials and Newsletters - Promotional emails from companies such as Constant Contact. The default action is Off (no
action taken).
Mailing Lists - Emails from mailing lists, newsgroups, and other subscription-based services such as Google and Yahoo! Groups. The
default action is Off.
Social Media - Social media notifications from sites such as Facebook, LinkedIn and Twitter. The default action is Off.
Other - On the Message Log page, the administrator has the opportunity to assign selected messages in the log to a custom category
that is 'written in' when clicking the Categorize button in the log. See the BASIC > Message Log page for details.
Exempting IP Addresses from the BRBL and Other Blocklists
The BRBL and other blocklists that you specify on the BLOCK/ACCEPT > IP Reputation page can be overridden by listing the IP addresses or
email addresses:
In the Barracuda Reputation, External RBL IP Exemption Range section of the BLOCK/ACCEPT > IP Reputation page. Here, you
can exempt particular IP addresses from RBL checks, including from the Barracuda Reputation Blocklist. Messages from these IP
addresses will be subject to all other spam and virus checks.
In the Allowed IP/Range section or Blocked IP/Range section of the BLOCK/ACCEPT > IP Filters page.
In the Allowed Email Addresses and Domains section or Blocked Email Addresses and Domains section of the BLOCK/ACCEPT >
Sender Filters or BLOCK/ACCEPT > Recipients pages.
Subscribing to External Blocklist Services
The BLOCK/ACCEPT > IP Reputation page allows you to use various blocklist services. Several organizations maintain external blocklists, such
as spamhaus.org. External blocklists, sometimes called DNSBLs or RBLs, are lists of IP addresses from which potential spam originates. In
conjunction with Barracuda Reputation, the Barracuda Email Security Gateway uses these lists to verify the authenticity of the messages you
receive.
Be aware that blocklists can generate false-positives (legitimate messages that are blocked). However, because the Barracuda Email Security
Gateway sends notifications when it rejects such messages, the sender will be notified and legitimate senders will therefore know to try
re-sending their message or otherwise notify the recipient that their messages are being blocked.
Subscribing to blocklist services does not hinder the performance of the Barracuda Email Security Gateway. Query response time is typically in
milliseconds, so delays are negligible. Once the Barracuda Email Security Gateway queries a blocklist service, that query is cached on your own
local DNS for a period of time, making further queries very fast.
Sender Whitelisting - Precedence
The users' sender whitelists (if the whitelist/blocklist setting is enabled for user accounts) can be overridden by global settings. For example, if the
administrator turns on Spoof Protection, which is a global setting, it will supersede any user’s whitelist entry. If a user needs to supercede an
global IP address block, that user should communicate to the administrator and request that the email or IP address be added to a global whitelist
on the Barracuda Email Security Gateway.
Reverse DNS Blocking
The Barracuda Email Security Gateway can do a reverse DNS lookup on inbound and outbound IP connections and finds the hostname
associated with the IP address of the sender. By configuring rules on the BLOCK/ACCEPT > Reverse DNS page, you can choose to apply Com
mon Reverse DNS Rules by country, Custom Reverse DNS Rules that you define, or both to block, quarantine, tag (inbound only) or whitelist
(Custom Reverse DNS Rules only).
The last part of a hostname is known as the top level domain, or TLD. Most TLDs include a country identifier, such as .ca for Canada, .ru for
Russia, etc. If most or all of the mail that you receive from a particular country is spam, you can use the Common Reverse DNS Rules to tag
(inbound only), block or quarantine any any message that has an associated hostname that includes that country's TLD. Email which is not
blocked is subject to all of the usual spam and virus checks. Use the Custom Reverse DNS Rules to tag, quarantine or block messages from
hostnames ending with values that you specify. List the sending domains or subdomains you want to whitelist on the BLOCK/ACCEPT > Sender
Filters page.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
160
Barracuda Reputation Database
Barracuda Reputation is a database maintained by Barracuda Central and includes a list of IP addresses of known good senders as well as
known spammers, or IP addresses with a "poor" reputation. This data is collected from spam traps and other systems throughout the Internet.
The sending history associated with the IP addresses of all sending mail servers is analyzed to determine the likelihood of legitimate messages
arriving from those addresses. Updates to Barracuda Reputation are made continuously by Barracuda Central engineering.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
161
Content Analysis Inbound
Custom Content Filters
The Barracuda Email Security Gateway enables administrators to set custom content filters based on the subject line, message headers,
message body and attachment file content. In general, administrators do not need to set their own filters for the purposes of blocking spam, as
these forms of rules are delivered to the Barracuda Email Security Gateway automatically through Barracuda Energize Updates. The online help
for the BLOCK/ACCEPT > Content Filtering page includes a link to a Regular Expressions help page that covers expressions you can use for
advanced filtering. HTML comments and tags imbedded between characters in the HTML source of a message are also filtered.
You can specify actions to take with messages based on pre-made patterns in the subject line or message body. Credit card, Social Security
numbers, privacy information such as driver’s license numbers, phone numbers or expiration dates and HIPAA data can be automatically
checked and acted upon by blocking, tagging or quarantining inbound messages.
Attachment Filtering
All messages, except those from whitelisted senders, go through attachment filtering. From the BLOCK/ACCEPT > Attachment Filters page
you can choose to take certain actions with inbound and/or outbound messages if they contain attachments with certain filename patterns, file
types, MIME types, or password protected archives. Actions you can take with inbound messages include block or quarantine. Actions you can
take with outbound messages include block, quarantine, encrypt or redirect. You can elect to have a notification sent to the sender when an
inbound or outbound message is blocked due to attachment content filtering. See the ADVANCED > Bounce/NDR Settings page to configure
notifications.
The BLOCK/ACCEPT > Attachment Filters page provides a table of patterns you can use for specifying the above actions based on attachment
filenames, or you can create your own filters.
The Check Archives feature can be selected along with any filter to search the contents of attached archives (zip, tar, etc.) and take one of the
above actions with inbound or outbound messages based on filenames or types.\
Password Protected Archive Filtering
Use the Password Protected Archive Filtering feature to take action with messages with attachments that contain password protected
(encrypted) archives.
Blocking attachments with macros
For MS Office documents, you can set Block Macros (MS Office Attachments) to Yes if you want to block all attachments that include macros.
This feature applies to both inbound and outbound mail.
Attachment Filtering and the Message Log
Messages that are blocked due to attachment filtering will appear in the Message Log with the word Attachment and the filename in the Reason
column. For example, if you created a filter on the BLOCK/ACCEPT > Attachment Filters page to block messages with attachments whose
filenames match a pattern of word*, the entry in the Message Log for such a blocked message would contain something like this in the Reason
column:
Attachment (word_2010_xml.tgz)
where word_2010_xml.tgz is the attachment filename that caused the message to be blocked.
The default maximum attachment size allowed by your Barracuda Email Security Gateway is 100 megabytes. If a message
exceeds this size, the Barracuda Email Security Gateway rejects the message and the sending server notifies the sender that their
message did not go through. Contact Barracuda Networks Technical Support to change this maximum.
Blocking Email by Country
Set tag, quarantine and block policies for specific character sets or regional spam settings using the BLOCK/ACCEPT > Regional Settings page
. Here you can also choose to specifically allow messages based on valid Chinese or Japanese language content and enable compliance with
PRC (People’s Republic of China) requirements if your Barracuda Email Security Gateway resides in the PRC.
Fingerprint Analysis
A message "fingerprint" is based on commonly used message components (e.g., an image) across many instances of spam. Fingerprint analysis
is often as a useful mechanism to block future instances of spam once an early outbreak is identified. Spam fingerprints blocked based on a
real-time check will display an '*' before "Fingerprint" in the Message Log. In order to detect real-time spam fingerprints, Barracuda Real-Time
Protection must be enabled on the BASIC > Virus Checking page.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
162
Engineers at Barracuda Central work around the clock to identify new spam fingerprints which are then updated on all Barracuda Email Security
Gateways through hourly Barracuda Energize Updates. Fingerprint Analysis is configured on the BASIC > Spam Checking page.
Intent Analysis
All spam messages have an "intent" to get a user to reply to an email, visit a web site or call a phone number. Intent analysis involves
researching email addresses, web links and phone numbers embedded in email messages to determine whether they are associated with
legitimate entities. Frequently, Intent Analysis is the defense layer that catches phishing attacks. The Barracuda Email Security Gateway features
multiple forms of Intent Analysis:
Intent analysis – Markers of intent, such as URLs, are extracted and compared against a database maintained by Barracuda Central,
and then delivered to the Barracuda Email Security Gateway via hourly Barracuda Energize Updates. Intent can also be associated with
general content categories, several of which are provided for Intent filtering.
Real-time intent analysis – For new domain names that may come into use, Real-Time Intent Analysis involves performing DNS
lookups against known URL blocklists.
Multilevel intent analysis – Use of free web sites to redirect to known spammer web sites is a growing practice used by spammers to
hide or obfuscate their identity from mail scanning techniques such as Intent Analysis. Multilevel Intent Analysis involves inspecting the
results of web queries to URLs of well-known free web sites for redirections to known spammer sites.
Intent Analysis is configured on the BASIC > Spam Checking page.
Image Analysis
Image spam represents about one third of all traffic on the Internet. While Fingerprint Analysis captures a significant percentage of images after
they have been seen, the Barracuda Email Security Gateway also uses Image Analysis techniques which protect against new image variants.
These techniques include:
Optical character recognition (OCR) – Embedding text in images is a popular spamming practice to avoid text processing in anti-spam
engines. OCR enables the Barracuda Email Security Gateway to analyze the text rendered inside the images.
Image processing – To mitigate attempts by spammers to foil OCR through speckling, shading or color manipulation, the Barracuda
Email Security Gateway also utilizes a number of lightweight image processing technologies to normalize the images prior to the OCR
phase. More heavyweight image processing algorithms are utilized at Barracuda Central to quickly generate fingerprints that can be used
by Barracuda Email Security Gateways to block messages.
Animated GIF analysis – The Barracuda Email Security Gateway contains specialized algorithms for analyzing animated GIFs for
suspect content.
Image Analysis is configured on the BASIC > Spam Checking page.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
163
Bayesian Analysis Inbound
How Bayesian Analysis Works
Bayesian Analysis is a linguistic algorithm that profiles language used in both spam messages and legitimate email for any particular user or
organization. To determine the likelihood that a new email is spam, Bayesian Analysis compares the words and phrases used in the new email
against the corpus of previously identified email. Note that Bayesian training works only on messages with 11 words or more. The Barracuda
Email Security Gateway only uses Bayesian Analysis after administrators or users classify at least 200 legitimate messages and 200 spam
messages.
Global Bayesian Filtering Versus Per-User
The administrator can configure a global Bayesian database, per-user Bayesian databases or disable Bayesian altogether. With the global
setting, which is configured on the BASIC > Spam Checking page, the administrator trains and maintains one Bayesian database for all users.
With the per-user configuration, users must train and manage their own Bayesian databases, which they access from their PREFERENCES >
Spam Checking page. There are pros and cons to each configuration.
A global Bayesian database is typically more effective than per-user databases because the administrator can maintain and reset it for all to use,
thereby providing a more reliable source of Bayesian management. If, however, the Barracuda Email Security Gateway is filtering mail for many
domains, the users of which expect to receive different types of email, it could be either difficult or impossible to train the global Bayesian
database to identify spam for all users. For example, if one domain for a medical organization typically receives email regarding medical topics,
while another domain for a political organization tends to receive political emails and yet another domain is an entertainment site, then what is
spam to one domain may be valid email for another on the same Barracuda Email Security Gateway. In this case, per-user Bayesian filtering
would make more sense than global.
In most cases, however, it is not practical to enable Bayesian at the user level because maintaining an accurate Bayesian database requires that
users to understand the concept of how Bayesian analysis works and how to use it as an effective tool. That said, while sophisticated users may
be trained and savvy enough to initially train their own Bayesian database, they may not have the time to spend in their regular work schedule to
effectively maintain their Bayesian databases.
Because spammers frequently change tactics and content, Bayesian data can quickly become "stale" if the database is not reset from
time to time and new messages consistently classified as spam or not spam in equal numbers. Without this maintenance the users may
see false positives resulting in the blocking of good email.
Getting the Best Accuracy From the Bayesian Database
All Bayesian systems rely on the fact that messages classified are not much different than new messages arriving. Over time however, spam
messages change drastically and the Bayesian system – while initially able to compensate for the new format – gradually declines in its
effectiveness. When this happens new classifications are needed to update the Bayesian database. To keep a Bayesian database accurate:
For a global Bayesian database, the administrator should periodically (every 6 months or so) clear it out by resetting it from the BASIC >
Spam Checking page, then, from the BASIC > Message Log page, marking at least 200 messages as either Spam or Not spam using
the buttons on the page. Bayesian filtering will NOT take effect until 200 or more of each spam and not-spam messages are marked as
such.
For each per-user database, the user should reset their own Bayesian database and follow up with marking 200 or more messages as
spam or not spam, either in their quarantine inbox (QUARANTINE > Quarantine Inbox page) or from their regular email client if they
have installed the Barracuda Outlook add-in (see below).
When to Use Bayesian Analysis
Barracuda Networks does not recommend using Bayesian filtering in most circumstances. With Energize Updates constantly updating the
Barracuda Email Security Gateway with protection against the latest spam and virus threats, spam accuracy should not be an issue for most
organizations.
A case for using Bayesian Analysis would depend on the following:
You are using global Bayesian as opposed to per-user, and the users in the organization tend to be a homogenous population with
regard to the kind of content considered to be ‘valid’ email versus spam. This situation would make it easier for an administrator to "train"
the global Bayesian database as to what is spam and what is not spam for the organization.
Your organization requires a very high granularity of accuracy for identifying spam.
If enabling Bayesian at the per-user level, users are sophisticated and can be trained to properly identify ‘valid’ messages versus spam
so as to train the Bayesian database, and are willing to consistently mark BOTH ‘valid’ messages and spam messages in equal numbers
so as to maintain the Bayesian database.
The administrator and/or users are disciplined about resetting the Bayesian database(s) on a regular basis and re-initializing with 200
each of marked spam and not spam messages to ‘keep current’ with new spam techniques over time.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
164
Barracuda Outlook Add-in
If both per-user quarantine and per-user Bayesian are enabled, on the Barracuda Email Security Gateway 300 and higher, the administrator can
choose to allow users to download an add-in that allows messages to be classified as Spam or Not Spam directly from their email client. Users
must have a quarantine account on the Barracuda Email Security Gateway to use the add-in. For information about automatically or manually
creating quarantine accounts for users, see Creating and Managing Accounts. For more information about the Barracuda Outlook Add-in, see
the Barracuda Outlook Add-In Deployment Guide.
Bayesian Poisoning
Some spammers will insert content in messages intended to bypass spam rules, such as excerpts of text from books or other content that may
look "legitimate" in order to fool spam filtering algorithms. This tactic is called Bayesian Poisoning and could reduce the effectiveness of a
Bayesian database if many of these messages are marked as either spam or not spam. The Barracuda Networks Bayesian engine is, however,
very sophisticated and protects against Bayesian Poisoning if administrators or users consistently maintain their databases.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
165
Bulk Email Detection
Many users subscribe to websites and lists and later forget that they subscribed, or subscribed unknowingly. Email messages containing anything
that looks like an unsubscribe link or instruction may or may not be considered spam by the recipient. To provide users the opportunity to decide,
you can quarantine bulk email messages that contain unsubscribe links or instructions, or you can choose to block them all, thereby reducing the
load on your mail server. Configure Bulk Email Detection on the INBOUND SETTINGS > Anti-Spam/Antivirus page.
To allow all such emails that are not otherwise detected as spam, set this feature to Off.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
166
Advanced Spam Filtering Outbound
Outbound mail shares some of the same block / accept mechanisms available for inbound mail, with a few differences, which are described here.
Additionally, outbound messages can be encrypted based on filtering criteria you configure on the BLOCK/ACCEPT pages.
In this Section
Spam Scoring Outbound
Rate Control Outbound
IP Analysis Outbound
Sender and Recipient Filtering Outbound
Reverse DNS Blocking
Content Analysis Outbound
Attachment Filtering Outbound
Bayesian Analysis Outbound
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
167
Spam Scoring Outbound
The last filtering event applied to an outbound email message is assignment of a score based on the probability that it is spam. The administrator
can decide how to deal with outbound messages suspected be spam based on the Outbound Spam Scoring Limits as configured on the BASI
C > Spam Checking page. For more information, see How Spam Scoring Works.
Spam scoring limits (from 0 to 9.9) can determine whether to send, quarantine or block outbound messages:
Quarantining the message means that the message is suspected to be spam or in violation of policy, and will be stored on the Barracuda
Email Security Gateway for the administrator to review. The message can then be whitelisted, rejected, deleted or delivered by the
administrator. See Managing Outbound Quarantine for more information.
Blocking the message means it will not be delivered. If a message is blocked due to its spam score, and if the Send Bounce option for
Outbound is set to Yes in the Spam Bounce (NDR) Configuration section of the ADVANCED > Bounce/NDR Settings page, a
non-delivery receipt (NDR/bounce message) is also sent to the sender by the Barracuda Email Security Gateway.
Note that, unlike with inbound mail, the Barracuda Email Security Gateway does not offer tagging of outbound messages.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
168
Rate Control Outbound
Outbound mail is rate controlled based on IP address by the Barracuda Email Security Gateway as described in Rate Control Inbound. Rate
Control for outbound email, however, can also be applied based on sender email address. If the number of recipients from a sender email
address exceeds the specified Maximum Recipients per Sender over a 30 minute time period, the Barracuda Email Security Gateway will defer
any further connection attempts from that particular sender until the next time frame. Deferred outbound messages will be logged as Rate
Controlled in the Message Log.
Sender Based Rate Control, including specifying email addresses you wish to exempt, is configured on the BLOCK/ACCEPT > Rate Control p
age.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
169
IP Analysis Outbound
After applying rate controls, the Barracuda Email Security Gateway performs analysis on the IP address, applying quarantine, block, encrypt or
redirect policies that you configure in the BLOCK/ACCEPT pages.
BLOCK/ACCEPT policies created at the per-domain level do NOT apply to outbound messages. So, for example, navigating to the DOMAINS pa
ge, then clicking Manage Domain for a particular domain, then configuring policies on the BLOCK/ACCEPT pages ONLY applies to inbound
messages for that domain.
Once the true sender of an outbound email message is identified, the intent of that sender should be determined before accepting the message
as valid, or "not spam". The best practice is to know the IP addresses of trusted senders and forwarders of email and define those on the
Barracuda Email Security Gateway as "Allowed" by adding them to a whitelist of known good senders. Various methods for discerning "good"
senders of email versus spammers are described in this section to help you to quickly configure your Barracuda Email Security Gateway per the
needs of your organization.
Barracuda Networks does NOT recommend whitelisting domains because spammers will spoof domain names. When possible, it is
recommended to whitelist (Allow) by IP address only.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
170
Sender and Recipient Filtering Outbound
If any of the computers in your organization get infected with a botnet or other malware, it can send out spam emails, thereby possibly landing
your domain(s) or IP address(es) on a blocklist, not to mention spreading the malware. Use the BLOCK/ACCEPT > Sender Filters page to
control which domains and email addresses can send email out through the Barracuda Email Security Gateway. Note that both inbound and
outbound email messages from whitelisted ("allowed") domains/subdomains bypass spam scoring as well as all other blocklists, but do go
through virus checks.
Adding your own domain to the sender whitelist is not allowed because spoofing the domain of the recipient is a frequently used
spamming technique. Instead, add the IP address of your mail server(s) to the Allowed IP/Range list using the BLOCK/ACCEPT > IP
Filters page.
Email addressed from specified email addresses and domains/subdomains can also be encrypted or redirected from the BLOCK/ACCEPT >
Sender Filters page.
Outbound email addressed to specified email addresses (recipients) or domains/subdomains can also be allowed, blocked, encrypted or
redirected from the BLOCK/ACCEPT > Recipient Filters page.
For more information about email encryption and redirection, see Encryption of Outbound Mail 6 and Above.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
171
Reverse DNS Blocking
The Barracuda Email Security Gateway does a reverse DNS lookup on inbound and outbound IP connections and finds the hostname associated
with the IP address of the sender. By configuring rules on the BLOCK/ACCEPT > Reverse DNS page, you can choose to apply Common
Reverse DNS Rules by country or create Custom Reverse DNS Rules to quarantine or block outbound messages from those domains.
Blocking by Top Level Domain (TLD)
The last part of a hostname is known as the top level domain, or TLD. Most TLDs include a country identifier, such as .ca for Canada, .ru for
Russia, etc. If most or all of the mail that you receive from a particular country is spam, you can use the Common Reverse DNS Rules to tag
(inbound only), block or quarantine any message that has an associated hostname that includes that country's TLD. Email which is not blocked is
subject to all of the usual spam and virus checks.
Whitelist Override for TLDs
Use the Custom Reverse DNS Rules to quarantine or block outbound messages from hostnames ending with values that you specify. List the
sending domains or subdomains you want to whitelist on the BLOCK/ACCEPT > Sender Filters page. You can use the Custom Reverse DNS
Rules to whitelist all or part of a hostname from which you want to always allow mail, both inbound and outbound. With the whitelist option you
can thereby override the Common Reverse DNS Rules settings for TLDs. If you have blocked any TLDs in Common Reverse DNS Rules, for
example, you can use the Custom Reverse DNS Rules whitelist option to allow mail from one or more hostnames within that TLD.
Messages With a Missing PTR record
Use the Block Missing PTR Records setting to enable blocking mail from IP addresses with no PTR (reverse DNS) record defined.
Caution
Many mail servers do not have their reverse DNS configured properly, which may cause legitimate mail to be blocked when Block
Missing PTR Records is set to Yes.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
172
Content Analysis Outbound
Custom Content Filters
Custom content filtering based on the subject line, message headers, message body and attachment file type can be applied to outbound mail
just as it can be to inbound mail. See the filtering pages on the BLOCK/ACCEPT tab for details on settings. Note that, in addition to block and qu
arantine, filter actions for outbound mail include encrypt and redirect.
See Regular Expressions for text patterns you can use for advanced filtering. Note that HTML comments and tags imbedded between characters
in the HTML source of a message are filtered out so content filtering applies to the actual words as they appear when viewed in a web browser.
Attachment Content Filtering
All outbound messages, including those from whitelisted senders, go through attachment filtering. You can block, quarantine, encrypt or redirect
outbound messages that contain attachments which include text matching the patterns you enter here. Attachment Content Filtering is limited to
text type files such as MS Office files, html, pdf files and other document files. A notification will be sent to the sender when an outbound
message is blocked due to attachment content filtering.
Blocking attachments with macros
For MS Office documents, you can set Block Macros (MS Office Attachments) to Yes if you want to block all attachments that include macros.
This feature applies to both inbound and outbound mail.
DLP and HIPAA Compliance
You can also take actions with outbound messages that contain matches to pre-made patterns in the subject line, message body or attachment.
With information types such as:
Credit card patterns,
Social security numbers (USA only),
Combinations of privacy information such as birthday and driver’s license, and
Diagnosis/prognosis as defined under HIPAA
...the Barracuda Email Security Gateway can filter attachment content and encrypt, block, quarantine, allow or redirect messages as configured
on the BLOCK/ACCEPT > Content Filters page. Note that the format of this data varies depending on the country, and these filters are more
commonly used in the U.S.; they do not apply to other locales.
Fingerprint Analysis
Outbound messages can undergo Fingerprint Analysis if you enable this feature for both inbound and outbound mail on the BASIC > Spam
Checking page. In order to detect real-time spam fingerprints, Barracuda Real-Time Protection must be enabled on the BASIC > Virus
Checking page.
Engineers at Barracuda Central work around the clock to identify new spam fingerprints which are then updated on all Barracuda Email Security
Gateways through hourly Barracuda Energize Updates.
Intent Analysis
As for inbound mail, this feature is applicable for outbound mail, and block or quarantine actions can be specified accordingly on the BASIC >
Spam Checking page.
Image Analysis
Fingerprint Analysis captures a significant percentage of images after they have been seen, while Image Analysis techniques protect against new
image variants. The techniques detailed in Image Analysis (Inbound Mail) also apply to outbound messages. Image Analysis is configured on the
BASIC > Spam Checking page.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
173
Attachment Filtering Outbound
Attachment filtering based on filename patterns you specify, common text attachment file types and attachment MIME types can be applied to
outbound mail just as it can be to inbound mail. See the BLOCK/ACCEPT > Attachment Filters page for details on settings.See also Content
Analysis Inbound for details on attachment filtering features that also apply to outbound mail.
In addition to Block and Quarantine, filter actions for outbound mail include Encrypt and Redirect.
See Regular Expressions for text patterns you can use for advanced filtering. You can also specify one of the actions listed above to take with
outbound messages if attached archive files (zip,tar, etc.) require a password to unpack.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
174
Bayesian Analysis Outbound
Outbound mail traffic from the Barracuda Email Security Gateway undergoes Bayesian scoring just as inbound mail does. For details on how
Bayesian scoring works, see Bayesian Analysis Inbound. Note that to 'train' your Bayesian database to most accurately determine what you or
your user(s) consider to be spam or 'not spam', at least 200 messages of each kind of inbound mail (spam and 'not spam') must be identified.
Users can use the Barracuda Outlook Add-in with their MS Outlook client which provides convenient buttons to click for identifying selected
messages as either spam or 'not spam'. See the Barracuda Outlook Add-In Overview for details.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Advanced Configuration
In this Section
Sender Authentication
Recipient Verification
Remote IMAP/POP Accounts
Advanced Networking
Non-Delivery Reports
Remote Administration
Copyright © 2017, Barracuda Networks Inc.
175
Barracuda Email Security Gateway Administrator's Guide - Page
176
Sender Authentication
This is a key feature of the Barracuda Email Security Gateway for protecting your network and users from spammers who might "spoof" a domain
or otherwise hide the identity of the true sender. The following techniques are used to verify the "from" address of a message.
Mail Protocol (SMTP) Checking
The Barracuda Email Security Gateway can perform thorough checks on incoming email for RFC 821 compliance, require mail clients to
introduce themselves with an SMTP "HELO" or "EHLO" command before stating a sender, and otherwise manage SMTP protocol to block
spammers. See the ADVANCED > Email Protocol page for these and other optional SMTP settings.
Sender Spoof Protection
The Barracuda Email Security Gateway has the option to prevent "spoofing" of an organization’s own domain by blocking emails with that domain
name in the "From" field that are sent from outside the organization. Note that sender spoof protection should not be enabled if the organization
sends messages from outside their internal email infrastructure (e.g., in the case of marketing bulk-mail services).
The Sender Spoof Protection feature can be configured at the global level from the ADVANCED > Email Protocol page or at the per-domain
level on the DOMAINS > Manage Domain > ADVANCED > Email Protocol page. At the domain level, however, this feature is labeled as Rejec
t messages from my domain.
Note that if the administrator enables Sender Spoof Protection at the global level it will supersede any whitelist entry created at the per-user
level by a User, Helpdesk or Domain Admin account holder.
Invalid Bounce Suppression
The Invalid Bounce Suppression feature is used to determine whether or not the bounce address specified in a message is valid. It is designed
to reduce the number of bounce messages to forged return addresses; i.e., you don’t want to get bounced messages from spammers who spoof
your domain or email address. Every email sent from the Barracuda Email Security Gateway is tagged with an encrypted password and
expiration time. With Invalid Bounce Suppression enabled, any bounced email received by the Barracuda Email Security Gateway that does
not include that tag is blocked. Each blocked message is recorded in the Message Log with the reason "Invalid Bounce".
To use the Invalid Bounce Suppression feature, the Barracuda Email Security Gateway must have Outbound Relay configured on the
BASIC > Outbound page. For more details about Outbound Relay, refer to How to Route Outbound Mail From the Barracuda Email
Security Gateway.
Configure Invalid Bounce Suppression on the BLOCK/ACCEPT > Sender Authentication page and enter a Bounce Suppression Shared
Secret as a non-null password which will be included in the headers of valid emails sent from and bounced back to the Barracuda Email Security
Gateway. Email bounces that don’t include the password will be blocked if this feature is enabled. In a clustered environment, the Bounce
Suppression Shared Secret will be synchronized across all Barracuda Email Security Gateways in the cluster.
Sender Policy Framework (SPF)
Sender Policy Framework (SPF) is an open standard specifying a method to prevent sender address forgery. The current version of SPF protects
the envelope sender address, which is used for the delivery of messages. SPF works by having domains publish reverse MX records to display
which machines (IP addresses) are designated as valid mail sending machines for that domain. When receiving a message from a domain, the
recipient can check those records to make sure mail is coming from a designated sending machine. If the message fails the SFP check, it may be
spam. Enabling this feature does create more performance overhead for the system due to the multiple DNS queries needed to retrieve a
domain's SPF record; for this reason, the default setting for the Enable SPF feature on the BLOCK/ACCEPT > Sender Authentication page is
No (off). For more information on SPF, please visit http://www.openspf.org.
Messages that fail SPF check can be tagged or blocked and will be logged as such. Messages that pass SPF checks will still be scanned for
spam. The recommended setting is to Tag messages identified by SPF as spam so that if there is any possibility that a message is
legitimate, it will be allowed to go on to the next stage of processing.
Exemptions from SPF Checking - Trusted Forwarders
You may specify a list of Trusted Forwarder IP addresses, on the BASIC > IP Configuration page, which will be ignored when performing SPF
checks, as well as rate control and IP Reputation checks. Trusted Forwarders are mail servers that are set up specifically to forward email to the
Barracuda Email Security Gateway from outside sources. The Barracuda Email Security Gateway scans the IP addresses in the Received From
headers list of each email and performs an SPF check on the first IP address that is not in the list of Trusted Forwarders.
Domain Keys (DKIM) Inspection
DomainKeys is a method of email authentication that enables a sending domain to cryptographically sign outgoing messages, allowing the
sending domain to assert responsibility for a message. When receiving a message from a domain, the Barracuda Email Security Gateway can
check the signature of the message to verify that the message is, indeed, from the sending domain and that the message has not been tampered
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
177
with. Because most spam messages contain spoofed addresses, DomainKeys can help greatly in the reduction of spam.
DomainKeys uses a public and private key-pairs system. An encrypted public key is published to the sending server's DNS records and then
each outgoing message is signed by the server using the corresponding encrypted private key. For incoming messages, when the Barracuda
Email Security Gateway sees that a message has been signed, it will retrieve the public key from the sending server's DNS records and then
compare that key with the message's DomainKeys signature to determine its validity. If the incoming message cannot be verified, the Barracuda
Email Security Gateway knows it contains a spoofed address or has been tampered with or changed.
The benefits of enabling this feature include:
Email sender is validated
Email body is validated
Validation through DNS is difficult to foil
DomainKeys works well with email forwarding because it doesn’t deal with the relay server IP address
You can choose to tag, block or quarantine both DKIM signed messages that fail the DKIM database check as well as unsigned messages,
depending on how you configure DomainKeys Inspection on the BLOCK/ACCEPT > Sender Authentication page. You can also exempt
domains from being tagged, quarantined or blocked if they fail this check. As stated elsewhere in this guide, it is safest to NOT exempt domain
names from any kind of spam filtering due to the possibility of domain name spoofing by spammers.
DomainKeys inspection does require more CPU resources to encrypt & decrypt the key and is turned off by default. Messages that pass DKIM
checks will still be scanned for spam.
Custom policies
Organizations can define their own allowed sender domains or email addresses for sender authentication using the BLOCK/ACCEPT > Sender
Filters page, but the safest way to indicate valid senders on the Barracuda Email Security Gateway is to whitelist (allow) the IP addresses of
trusted email servers on the BLOCK/ACCEPT > IP Filters page, then blocklist (block, quarantine or tag) their domain names on the BLOCK/AC
CEPT > Sender Filters page to prevent domain name spoofing.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
178
Recipient Verification
LDAP Lookup
On the Barracuda Email Security Gateway 300 and higher, email recipients can be validated with your existing LDAP server. Configuration of
LDAP lookup is done at the domain level. From the DOMAINS > Domain Manager page, after clicking Manage Domain for the selected domain,
you’ll configure LDAP on the USERS > LDAP Configuration page. click the Help button on that page for details about entering your server
details. If LDAP is not configured, the Barracuda Email Security Gateway will do SMTP recipient verification through RCPT TO commands.
LDAP server types supported include Active Directory, Novell eDirectory, Domino Directory and OpenLDAP.
Explicit Users to Accept For (Valid Recipients)
If LDAP lookup is not being used for recipient verification, the Barracuda Email Security Gateway provides a local database with which email
recipients can be compared for validation. Valid Recipients (Explicitly Accepted Users) can be specified either at the global level from the AD
VANCED > Explicit Users page or at the per-domain level from the DOMAINS > Domain Manager > USERS > Valid Recipients page. Note
that the number of entries in the text box for Explicitly Accepted Users and Alias Linking is limited by model: on the Barracuda Email Security
Gateway 600 and lower, the maximum is 1000 per domain, and on the Barracuda Email Security Gateway 800 and above, the limit is 5000 per
domain.
To administer the local database, either at the global or domain level, fill in the text box in the Explicit Users to Accept For section of the page,
entering each email address for which the Barracuda Email Security Gateway should accept email. If you select Yes for the Only accept email
for these recipients feature, email will REJECTED for any email recipients not in the list. Note that domain-specific lists override the global list.
Alias Linking
Alias linking allows quarantined email from multiple accounts to be directed to one account when using per-user quarantine. In the ADVANCED >
Explicit Users page you can specify the email addresses to be linked together in the Explicit Users to Accept For and Alias Linking text box.
click the Help button on that page for more details.The quarantine account for all of the linked email addresses will be associated with the first
email address. Make sure to also enter the first email address on a separate line as well. In this way, a "catchall" account can be created to
receive all quarantined emails from a particular domain.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
179
Remote IMAP/POP Accounts
The Barracuda Email Security Gateway provides an email-retrieval and forwarding utility which fetches email from remote mail servers and
forwards it to your local machine's delivery system. You can repeatedly poll each account at a specified interval. This utility can gather mail from
servers supporting POP3 and IMAP and is configured from the ADVANCED > Remote IMAP/POP page.
Note that all email will be DELETED from the remote mail server after retrieval by the Barracuda Email Security Gateway.
There are two types of operations for each account from which the Remote Accounts utility retrieves mail: Global and User. With the User type,
it is assumed that all messages in the user's account are intended for a single recipient. The Global type is used when multiple recipients under
the same domain are specified for a particular server account.
From the ADVANCED > Remote IMAP/POP page you can specify polling interval, SSL (yes/no), user account passwords and email addresses.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
180
Advanced Networking
Port Forwarding
If your organization has a single public IP address, when you install the Barracuda Email Security Gateway between the Internet and your mail
server, you can forward incoming SMTP traffic (port 25) from port 80 on the Barracuda to your mail server using the Port Forwarding feature from
the ADVANCED > Advanced Networking page.
Configuring the Network Interfaces
With the Barracuda Email Security Gateway 600 and higher, you can configure each of the two Ethernet (NICS) interfaces directly from the ADV
ANCED > Advanced Networking page to accept email on both interfaces or to route ingress email to one NIC and egress through the other
NIC. Benefits of this feature include redundancy, filtering email for domains on separate networks and improving throughput. Up to 250 IP
addresses can be configured per NIC.
Static Routes
With the Barracuda Email Security Gateway 600 (and 600Vx) and higher, you can specify a default gateway between the Barracuda Email
Security Gateway and a mail server on another subnet in your organization using the Static Routes feature on the ADVANCED > Advanced
Networking page. This will guarantee that return traffic is routed back to the Barracuda Email Security Gateway from the unassociated network.
If you have problems with static route configuration, please contact Barracuda Networks Technical Support.
Loopback Adapter
If you want to use this Barracuda Email Security Gateway with a Barracuda Load Balancer in Direct Server Return mode, you must enable a
non-ARPing loopback adapter. If you are using any other mode you do not need to make any changes to the Barracuda Email Security Gateway
configuration.
Each Virtual IP address supported by the Real Server (the Barracuda Email Security Gateway in this case) requires its own loopback adapter.
For each loopback adapter, enter a Virtual IP address in the Loopback Adapter Configuration field on the ADVANCED > Advanced
Networking page.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
181
Non-Delivery Reports
Spam Bounce Non-Delivery Reports (NDRs)
The Barracuda Email Security Gateway sends NDRs to email recipients and senders when one of their messages is blocked. The NDR contains
a brief explanation of why the Barracuda Email Security Gateway blocked the message. Information that you may want to add to an NDR
includes the contact information of the Barracuda Email Security Gateway administrator so that internal users know who to contact if they have
questions about a blocked message.
The ADVANCED > Bounce/NDR Messages page in the Barracuda Email Security Gateway web interface allows for customizing the information
in an NDR and for selecting the default language to use in the message.
Reducing Backscatter
By default, your Barracuda Email Security Gateway is configured to NOT send an NDR to a sender when the Barracuda Email Security Gateway
blocks their email (see the NDR on Block setting on the ADVANCED > Bounce/NDR Settings page). You may want to enable NDRs to alert
legitimate senders that their message has not been delivered to the recipient. However, if the email came from an illegitimate source such as a
spammer, then sending a bounce notification is not necessary.
Additionally, many spammers spoof valid domains, and you don’t want to send bounce messages to your domain if it is being spoofed. Sending
bounce messages to illegitimate senders, or to senders who were spoofed and did not actually send the offending message, is known as
“backscatter”. Backscatter can increase the load on your Barracuda Email Security Gateway and may generate a lot of email to fake addresses or
to senders whose email addresses were spoofed by a spammer. Your domain could also end up on a real-time blocklist as a consequence.
If your Barracuda Email Security Gateway rarely blocks a legitimate email, consider setting NDR on Block to No for Inbound and/or Outbound
mail to reduce backscatter.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
182
Remote Administration
Barracuda Networks provides a set of APIs for remote administration and configuration of the Barracuda Email Security Gateway. The APIs work
through manipulation of variables inside of the system configuration database, and anything that can be declared in that database can be set or
checked with the APIs. This includes most things that you can set by clicking the Save Changes button in the Barracuda Email Security Gateway
web interface. For example, from the BASIC > Spam Checking page, you can set global Spam Scoring Limit values for the actions Block, Tag or
Quarantine, then click the Save Changes button. These values can be set remotely using the APIs.
The framework of the API provides for the programmer to get or set variables inside an XML-RPC request that correspond to field values in the
configuration database in the Barracuda Email Security Gateway. Some languages such as Perl, for example, provide wrappers for XML-RPC
requests, providing an interface to form the request. To view the variables and current settings of the Barracuda Email Security Gateway
configuration database, on the ADVANCED > Backup page, select System Configuration for Backup Type and click the Backup button.
To prepare the Barracuda Email Security Gateway for use with the APIs, you must first enter the IP addresses that are allowed to communicate
with the APIs in the Allowed SNMP and API IP/Range field on the BASIC > Administration page, and you must create an API Password that
will be included with all calls to the APIs. For more information on using the APIs, see the Barracuda Email Security Gateway API Guide.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
183
Creating and Managing Domains
Your Barracuda Email Security Gateway will only accept emails addressed to domains that it has been configured to recognize. Settings for
individual domains can be configured by the administrator and, with some restrictions, by the Domain Admin and Helpdesk account roles as
described in Roles and Navigating the Web Interface. All three roles will see a DOMAINS tab from which they can click Manage Domain next to
the domain for which to edit the domain-level settings.
Only an administrator can add or delete domains using the controls available in the DOMAINS page. The administrator can also add domains
from the BASIC > IP Configuration page. Domains added from either page will be initially configured with whatever you have specified your
default global settings to be.
If the administrator deletes a domain, all user accounts associated with that domain will also be deleted from the Barracuda Email Security
Gateway. A confirmation dialog box will prompt you to confirm whether or not you want to delete a domain.
Clicking the Manage Domain link for a particular domain will show some or all of the BASIC, USERS, BLOCK/ACCEPT, OUTBOUND
QUARANTINE and ADVANCED tabs, depending on the permissions level of the logged in account role.
Figure 1: The administrator can add domains on which to filter email.
Domain Level Settings
Some settings are only configurable at the domain level, while others are configurable at both the global and domain levels, with the domain level
setting taking precedence.The Domain Admin role or the Admin role can override some global settings for spam and virus checking and
quarantine at the domain level.
Setting values on a per-domain basis overrides the values configured at the global in the web interface. However, if you have never
changed a particular setting for a domain, any global level changes to that feature will be applied for that domain. This also means that
any changes you make to the global values of the Barracuda Email Security Gateway will NOT be inherited by the domains that you
edit and for which you have changed configuration values.
Basic configuration of a domain consists of identifying the name of the domain (and/or a specific sub-domain) and specifying a destination mail
server. Additional settings available for a domain are dependent on the model of your Barracuda Email Security Gateway, and can include any or
all of the following:
Destination Mail Server
Enabling of spam scanning and setting spam score limits for the domain
Enabling or disabling virus scanning
Per-user quarantine enable/disable
Control over which features users can see and configure for their accounts (see Controlling Access to Account Features).
A defined global quarantine email address (for the domain only)
Option to reject messages from same domain name. If set to Yes, the Barracuda Email Security Gateway will reject email where the
FROM envelope or header address domain matches the domain (in the TO address). This feature provides protection from 'spoofing' of
the domain.
Option to require an encrypted TLS connection when receiving email from either ALL or specified domains. See the ADVANCED >
Email Protocol page at the domain level for details.
Option to require an encrypted TLS connection when relaying email to specified destination domains. See the ADVANCED > Email
Protocol page at the domain level for details.
IP address/range, Sender domain, Sender email and Recipient filtering. Note: BLOCK/ACCEPT policies created at the per-domain level
do NOT apply to outbound messages - they only apply to inbound messages for that domain.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
184
LDAP configuration
Option to specify local database of valid recipients (if not using LDAP) and alias linking
Single Sign-On with various authentication mechanisms
Emailreg.org: option to require header, body or subject content filtering on mail from registered email addresses
Ability to validate the domain and specify an image for branding encrypted email messages and notifications sent to the recipient. Note
that encryption policy can only be set at the global level by the administrator.
The Barracuda Email Security Gateway 400 and higher contains support for APIs that can be used to automate the steps for creating
and configuring multiple domains on the Barracuda Email Security Gateway.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Managing Inbound Quarantine
In this Section
How Quarantine of Inbound Mail Works
Quarantine Options
Controlling Access to Account Features
How Quarantine Notifications Work
Retention Policy and Purging Old Messages
Copyright © 2017, Barracuda Networks Inc.
185
Barracuda Email Security Gateway Administrator's Guide - Page
186
How Quarantine of Inbound Mail Works
After a message travels through the initial filtering layers of the Barracuda Email Security Gateway, it is assigned a score based on the probability
that it is spam. The administrator can decide how to deal with messages based on the Spam Scoring levels (from 0 to 10): allow, tag, quarantine
or block, as set on the BASIC > Spam Checking page.
Tagging the message means the user will receive the message in their regular mailbox with the subject text modified to indicate that the
message might be spam.
Quarantining the message means that the message will either be delivered, with the subject text modified to indicate that the message
might be spam, to a special "quarantine inbox" assigned to a user or to a "global" quarantine mailbox designated by the administrator.
Blocking the message means it will not be delivered.
Messages can also be determined to be quarantined (as opposed to allowed, blocked or tagged) by custom policies you set based on domain
name, IP address, region, content filters and other filtering tools in the BLOCK/ACCEPT pages. Spam Scoring and some block/accept policy
settings can be further refined at the domain level and/or per-user level, depending on what the administrator enables on the USERS > User
Features page at the global level and what the Domain Admin role enables on the USERS > User Features page at the domain level. For more
information on the Domain Admin and other account roles, please see Roles and Navigating the Web Interface.
Quarantine can be enabled or disabled completely. If it is enabled at the global level, no messages are stored on the Barracuda Email Security
Gateway; rather, all quarantined mail is sent to the Quarantine Delivery Address you specify on the BASIC > Quarantine page. If it is enabled
at the per-user level, user accounts are created on the Barracuda Email Security Gateway for users listed either in the authentication server (see
Automatic Account Creation) or in the local database on the Barracuda Email Security Gateway. Quarantined messages need to be received and
determined to either be delivered to the user’s regular email inbox or deleted.
As the administrator, you can configure a Retention Policy to limit the amount of disk space used for storing each user's quarantined messages,
thereby conserving system resources on the Barracuda Email Security Gateway. Alternatively, messages can be scheduled for regular purging
based on age and/or size (see Retention Policy and Purging Old Messages).
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
187
Quarantine Options
By default, the Barracuda Email Security Gateway does not quarantine incoming messages, but you may want to enable quarantine if, for
example, your organization requires it, or if you want to reduce load on the mail server while giving users a chance to determine what they
consider to be "spam" or "not spam". There are three options available for configuring quarantine with the Barracuda Email Security Gateway as
described below, with the pros and cons of each.
Turning Quarantine Off
Barracuda Networks recommends disabling quarantine unless, for example, your organization has a business requirement to provide quarantine
of messages suspected to be spam or you don’t want those messages stored on the mail server. Disabling quarantine means less management
either by the administrator or by the user and, in the case of per-user quarantine, saves system resources that would otherwise be used to store
the messages until the user delivers or deletes them.
An alternative to using quarantine is tagging email that may be spam based on scoring or are otherwise identified as possible spam. Benefits
include:
No messages are stored on the Barracuda Email Security Gateway, thus saving system resources
The user doesn’t have an extra quarantine inbox to manage
Tagged messages, with a keyword such as "[BULK]" prepended to the subject line, can be filtered by the subject line to a separate folder
for later examination by the user (see the BASIC > Spam Checking page and the BLOCK/ACCEPT pages to configure spam scoring
and criteria for tagging messages).
To disable Quarantine completely:
Check the Disable check box next to "Quarantine" in the Spam Scoring Limits section of the BASIC > Spam Checking page
Make sure nothing on the BLOCK/ACCEPT pages is set to Quarantine
Using Global Quarantine
With global quarantine there is almost no difference in use of system resources versus having quarantine turned off because messages aren’t
stored on the Barracuda Email Security Gateway; they are forwarded to a mailbox as designated by the administrator. Global quarantine
identifies email to quarantine, rewrites the "From" address of the message and sends it to the Quarantine Delivery Address specified on the BA
SIC > Quarantine page. The subject line of each message is prepended with the Quarantine Subject Text (for example, [QUAR], as specified
on the same page). Global quarantine does require some time and effort by the administrator to manage quarantined messages. Global
quarantine can be enabled at the system level or at the domain level.
Enabling global quarantine on the Barracuda Email Security Gateway provides the administrator with complete control over how quarantined
messages are handled, and it saves system resources because messages are not stored on the appliance.
To set up global quarantine:
From the BASIC > Quarantine page, set the Quarantine Type to Global and configure settings as described below for global
quarantine.
From the BASIC > Spam Checking page, if you want messages to be quarantined based on score, make sure that the Disable check
box next to Quarantine in the Spam Scoring Limits section is NOT checked.
Set filters on the BLOCK/ACCEPT pages to Quarantine per your organization's policies.
Enter a Quarantine Delivery Address on the BASIC > Quarantine page.This mailbox can either be on the mail server that the
Barracuda Email Security Gateway protects or a remote mail server. Note: If you have a Barracuda Email Security Gateway 400 or
above, you can specify the quarantine delivery address on a per-domain basis by going to the DOMAINS tab and clicking the Manage
Domains link, then using the BASIC > Quarantine page for that domain to configure the address.
Messages determined to be quarantined by the Barracuda Email Security Gateway will have the subject line prepended by the Quarantine
Subject Text as entered on the BASIC > Quarantine page. The default text is [QUAR]. This allows you to identify quarantined messages when
you have them delivered to a mailbox that also receives non-quarantine messages.
Note that with global quarantine, users will have no control over whitelisting or blocklisting of email addresses, which they do have with
per-user quarantine. Allowing them this control by using per-user quarantine can help reduce the number of messages processed by
the Barracuda Email Security Gateway. However, if using global quarantine, users can communicate domains, IP addresses or email
addresses that should be white or blocklisted to the administrator to configure at the global level.
Using Per-user Quarantine
Providing a user with a quarantine inbox gives them greater control over how their messages are quarantined, but also requires them to manage
their quarantine inbox on the Barracuda Email Security Gateway. Since per-user quarantine entails storing quarantined messages on the
Barracuda Email Security Gateway until the user delivers or deletes, them, you may want to only provide a quarantine inbox to a subset of power
users. For details about managing the quarantine inbox, please see the Barracuda Email Security Gateway User's Guide - 5.x.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
188
When enabling per-user quarantine on the Barracuda Email Security Gateway, keep in mind that quarantined email stored on the Barracuda
Email Security Gateway requires storage capacity, so system load will vary with the average size of emails.
If the email patterns of your organization are such that many emails include large attachments (as with architecture firms, marketing firms, etc.),
the system may push the edge of performance more quickly than if emails tend to be small in size. See the Mail/Log Storage indicator in the Per
formance Statistics pane of the BASIC > Dashboard page to monitor disk storage on the Barracuda Email Security Gateway.
To set up per-user quarantine:
On the BASIC > Quarantine page, select the Quarantine Type to be Per-User and configure settings as described below for global
quarantine.
From the BASIC > Spam Checking page, if you want messages to be quarantined based on score, make sure that the Disable check
box next to Quarantine in the Spam Scoring Limits section is NOT checked.
Set filters on the BLOCK/ACCEPT pages to Quarantine per your organization's policies.
If Per-User quarantine is set by the administrator, the Domain Admin can either enable or disable Per-User quarantine at the domain level.
From the USERS > User Features page the administrator can choose to allow the user to decide whether to deliver quarantined messages to
their regular email address associated with their account or to their quarantine inbox. This can alternatively be decided for the user by preventing
them from accessing this setting. From this page the administrator can also allow the user to control their whitelist (allowed) and blocklist
(blocked) of email addresses.
For the Barracuda Email Security Gateway 300 and higher, be sure to set a Retention Policy (see the USERS > Retention Policies pa
ge) before enabling per-user quarantine in order to prevent running out of quarantine space.
Where Do the Quarantined Messages Go?
If the administrator sets Quarantine Type to Per-User on the BASIC > Quarantine page and the New User Quarantine State feature is set to O
n, the Barracuda Email Security Gateway will automatically create quarantine accounts for all users listed in the authentication server or local
database as configured at the domain level. Account holders can then log into the Barracuda Email Security Gateway and view their Quarantine
Inbox to view and take actions with quarantined messages.
If a user's quarantine inbox is disabled (by an administrator or a Domain Admin or Helpdesk account, or by the user), emails sent to that user that
would normally have been placed in quarantine will simply be delivered to the user's regular mailbox with the subject line prepended with a
quarantine tag.
Linking Domains for One Quarantine Inbox
In some cases it may be practical to direct all quarantined email to one quarantine inbox on the Barracuda Email Security Gateway. You may
employ one or more "power users" to manage it, or allow all users to log in to the same inbox.
Using only one quarantine inbox for all users greatly simplifies management of per-user quarantine because you only have to configure user
features (from the BASIC > User Features page) for ONE inbox. The Linking Domains feature, configurable on the BASIC > Quarantine page,
allows the option for all domains protected by this Barracuda Email Security Gateway be treated as if they were alternate names for the default
domain name for the system. So, for example, if the Default Domain for the system as specified on the BASIC > IP Configuration page is
mybarracuda.com, then user@domain1.com will be treated as user@mybarracuda.com when determining user validity and preferences, and
will have a quarantine inbox under the name user@mybarracuda.com.
The Quarantine Inbox
When an account holder with the User role logs in to the Barracuda Email Security Gateway they’ll see the QUARANTINE INBOX and PREFER
ENCES tabs. They can view and choose to whitelist, deliver or delete quarantined emails from the QUARANTINE INBOX page and configure
their account settings from the PREFERENCES page to the extent that their account permissions allow as described below under Controlling
Access to Account Features. Domain Admin and Helpdesk account holders will see the QUARANTINE INBOX and PREFERENCES tabs when
they click the Manage Account link in the upper-right corner of the web interface.
For details on how all account holders manage their quarantine inbox, please see the Barracuda Email Security Gateway User's Guide - 5.x.
Alias Linking
This feature allows one quarantine account to receive quarantined email for multiple accounts, using the Explicit Users to Accept For section of
the USERS > Valid Recipients page. Note that this account, if entered on one line only with associated accounts for which it should receive
email, is not considered a Valid Recipient. This account needs to be added on a separate line to also be considered a Valid Recipient. The
quarantine account that receives quarantined email for other accounts does not need to belong to the same domain as the others.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
189
Controlling Access to Account Features
When accounts are created by the Barracuda Email Security Gateway, permissions are automatically assigned for users to manage their account
features based on what is configured on the USERS > User Features page in the Default User Features section. Domain Admin roles can
further limit user access to these features based on what the administrator has enabled at the global level.
For example, if the Whitelist/Blocklist feature is set to No (disabled) at the global level in the Default User Features section of the USERS >
User Features page, the Domain Admin role will not see or be able to control that setting for accounts in domains that they manage.
Configurable user account features include:
Quarantine Inbox – allow the account holder to enable their quarantine inbox on the Barracuda Email Security Gateway, or disable it
such that quarantined message go to their regular email inbox.
Spam scanning – allow the account holder to enable or disable
Edit frequency at which quarantine notifications are sent to the account holder
Add addresses and domains to a whitelist or blocklist
Use Bayesian filtering
Allow account holder to set their own tag, quarantine and block levels according to spam scoring
If allowed permissions by the administrator, the Domain Admin can edit the Default User Features settings (i.e. disabling certain features that
were enabled at the global level by the administrator) at the domain level for account holders in the domain. The Helpdesk role does not have this
permission.
Overriding Default Account Features Settings
The User Features Override section of the USERS > User Features page allows you to make exceptions to the rules specified above for
particular account holders. Domain Admin and Helpdesk roles can view and set override of user feature defaults ONLY for features that are
enabled in the Default User Features section by the administrator. Consequently, nothing will appear on the USERS > User Features page for
Domain Admin and Helpdesk roles if all Default User Features options have been set to No by the administrator.
User overrides only apply when the domain level setting in Default User Features matches the global setting.
Assigning Quarantine Inbox Permissions to Selected Users
One of the most common scenarios for overriding quarantine settings is when you want to provide a few "power users" with a quarantine inbox on
the Barracuda Email Security Gateway and have the rest of your users receive quarantine messages in their standard email inbox. Providing a
user with a quarantine inbox gives them greater control over how their messages are quarantined, but also requires them to manage their
quarantine queue. For this reason, you may only want to provide a quarantine inbox to a subset of sophisticated users. In this example, you
would do the following:
Set the quarantine type to Per-user on the BASIC > Quarantine page.
Set the New User Quarantine State to Off so that accounts are not automatically created by the Barracuda Email Security Gateway
when needed (for conditions under which new accounts can be automatically created, see Automatic Account Creation).
Enable the features you want those account holders to be able to manage for their accounts on the USERS > User Features page.
In the User Account text box in the User Account Create/Update section of the USERS > User Add/Update page, enter the email
addresses of the users you for whom you want to create a quarantine inbox and set Enable User(s) Quarantine to Yes in the same
section.
Set the Email New User(s) option to Yes to email login information to the new users.
If you enable user quarantine, you should remove any mailing lists you may have added on the ADVANCED > Explicit Users page and public
folders so no per-user accounts are created based on those email addresses.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
190
How Quarantine Notifications Work
The Barracuda Email Security Gateway can send notifications at predefined intervals and in selected languages to let users know that they have
quarantined messages. The notification interval and email address can be set at the global level on the BASIC > Quarantine page and
overridden at the domain level if allowed by the administrator. Because creating a quarantine digest for each user requires lots of system I/O, it is
recommended to set the Notification Start Time on the BASIC > Quarantine page to outside of peak traffic time frames during the weekday.
The default start time is 3:35pm (15:35). Users can override the Notification Interval of daily, weekly or never from their PREFERENCES tab if
enabled by the administrator.
Multiple quarantine notifications can be sent out in a 24 hour period to let users know that they have quarantined mail. Configure this option by
entering multiple times for Notification Start Time. Note that sending multiple notifications could affect system performance.
If you enable quarantine notifications, be sure to open port 8000 on your firewall (or whatever port you are using for the web interface) if
you want the Barracuda Email Security Gateway to send quarantine notifications outside of the network.
It is a recommended to set the Quarantine Host value, which appears as the sending hostname in all quarantine and welcome emails from the
system. Using this hostname as opposed to the system IP address (default) ensures that users are able to reach the Barracuda Email Security
Gateway from their old notifications even after any possible changes in IP addresses.
At the domain level, to enable users (including Domain Admin, Helpdesk and User roles) to manage quarantine notifications for their own
accounts, make sure the Enable User Features setting on the BASIC > Quarantine page is turned On. Account holders can then access
notification settings from their PREFERENCES > Quarantine page, overriding the global setting. The Default Language used in notification
emails can also be set from this page.
How the Quarantine Digest Works
The quarantine digest only goes out if new quarantined mail is saved in the user’s folder since the last notification cycle. Each day the quarantine
notification service runs for all users. If there is no new quarantined mail for a user since the last notification interval, or if a user has logged into
their account since the last notification interval, no quarantine digest will be generated and sent to that user for that same 24 hour period. Note
also that links in the quarantine digest for viewing, delivering, whitelisting or deleting a message from the quarantine inbox expire in 5 days from
the date the digest is sent out.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
191
Retention Policy and Purging Old Messages
As the administrator, you can configure retention policy to limit the amount of disk space used for storing each user's quarantined messages,
thereby conserving system resources on the Barracuda Email Security Gateway.
From the USERS > Retention Policies page, you can enable the user to easily schedule quarantined messages for regular purging based on
age (in number of days), disk space used (specified in kilobytes), or both. Setting the Age Limit to a 7-14 day range is recommended assuming
that older quarantined emails may lose importance with time.
Note that regardless of these settings, no messages younger than 3 days will be removed. For example, if the maximum size limit on email size is
10MB and a quarantined email has a 19MB attachment, the email will be retained for 3 days, giving the user time to examine and process that
email before it is automatically deleted by the Barracuda Email Security Gateway.
Minimize Excessive Email Storage
It is recommended that users be trained to manage their own quarantine areas, since constant reliance on the Barracuda Email Security Gateway
to automatically remove quarantined messages based on either age or disk usage may impact system performance.
The level at which performance is affected depends on the number of user quarantine areas that are kept on the Barracuda, the amount of email
that is quarantined each day, and the number of tasks the system performs (e.g., reporting, or body filtering).
Use the filters on the USERS > Account View page to quickly determine which users have the largest quarantine areas. Each account entry
shows Yes/No in the Quarantine column ("Yes" indicates per-user quarantine is in effect for that user) and number of Kbytes of email stored in
their quarantine inbox in the Size column. Individual user quarantine areas can be disabled from the USERS > Add/Update page so that any
repeat offenders can be prevented from utilizing the Barracuda Email Security Gateway quarantine areas. When a user's quarantine is disabled,
emails sent to that user that would normally have been placed in quarantine will simply be delivered to the user's actual mailbox with the subject
line prepended with a quarantine tag.
When you enable retention policies, keep in mind that if your system has been accumulating email without retention policies for a
period of time, the first day retention policies are enabled results in an impact on system performance. The longer a system runs
without retention policies, the larger the performance impact. After the first day or two, the load stabilizes as the system is able to keep
large quarantine fluctuations to a minimum. Retention policies are run daily starting at approximately 02:30 AM.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
192
Managing Outbound Quarantine
For outbound mail, there is no per-user quarantine mechanism on the Barracuda Email Security Gateway as there is with inbound mail.
Messages that meet or exceed the scoring level you set on the BASIC > Spam Checking page for the quarantine of outbound messages, and
messages that violate outbound policies you have configured on various BLOCK/ACCEPT pages will be placed in outbound quarantine for the
system. These messages will be logged and can be viewed on the BASIC > Outbound Quarantine page. At the domain level, messages in
outbound quarantine can be viewed and managed by domain under DOMAINS > Manage Domain > OUTBOUND QUARANTINE > Outbound
Quarantine.
Configure outbound quarantine settings discussed here from the BASIC > Quarantine page.
Immediate notifications can be sent to the administrator via the specified Notification Address whenever an outbound message is placed into
quarantine. As with inbound quarantine notifications, a quarantine summary can be sent on a daily or weekly basis, if at all.
An Age Retention Policy can be specified for outbound mail, indicating when "old" quarantined outbound messages should be removed from the
Barracuda Email Security Gateway. Use this option together with the Size Limit (KB) and Size Retention Policy to limit the amount of disk
space allotted on the Barracuda Email Security Gateway for storing quarantined outbound mail. Regardless of these settings, quarantined
outbound messages are always retained for at least 3 days.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
193
Creating and Managing Accounts
With the Barracuda Email Security Gateway 300 and higher, you can enable per-user quarantine and the system will create user accounts to
enable access to quarantine settings and messages. The Barracuda Email Security Gateway 600 and higher supports per-user account spam
score settings. There are two ways of creating user accounts on the Barracuda Email Security Gateway - automatically and manually. Depending
on how the administrator configures the Barracuda Email Security Gateway, user accounts may be configured to display a quarantine inbox for
individual use, or accounts may only provide users with the ability to manage their own whitelist and blocklist of email addresses and domains or
spam scoring levels.
Account Roles
In addition to the administrator account role, which includes permissions to configure all settings on the Barracuda Email Security Gateway, four
other account roles with associated levels of permissions are available:
User, the default account role whose permissions are limited to managing their own quarantine account to the degree enabled by the
administrator.
Auditor, a unique account (you can only create one instance) whose role it is to monitor the Outbound Quarantine - deleting, rejecting
or allowing delivery of messages based on policy. This account already exists on the Barracuda Email Security Gateway and must be
enabled on the BASIC > Administration page. Note that email privacy can be protected by limiting the Auditor account to only viewing
message entries, not actual message contents. Use the Secondary Authorization feature, configurable on the BASIC >
Administration page.
Helpdesk (available on the Barracuda Email Security Gateway 300 and higher), with increased permissions.
Domain Admin (available on the Barracuda Email Security Gateway 600 and higher), the role with the most permissions other than the
administrator. This role can configure certain types of policy for the domains assigned to their account.
Thus you can delegate various levels of authority to members of your organization for administering quarantine accounts, monitoring outbound
quarantined mail and managing per-domain level settings on the Barracuda Email Security Gateway.
Once accounts are created, each account (with the exception of Auditor) can be assigned a role other than the default User role from the USERS
> Account View page at the global level or at the per-domain level. This feature is especially useful for ISPs/web hosting providers to give
helpdesk and more sophisticated technical support personnel access to domain and per-user account configuration for groups of users. See Role
-based Administration for details on role-based permissions and web interface navigation.
Automatic Account Creation
The Barracuda Email Security Gateway automatically creates accounts when all of the following conditions are met:
The New User Quarantine State feature is set to On on the BASIC > Quarantine page:
The administrator enables quarantine and sets quarantine type to Per-User on the BASIC > Quarantine page. For more information on
enabling quarantine, refer to Managing Inbound Quarantine.
The Barracuda Email Security Gateway receives an email that needs to be quarantined, which triggers creation of the account.
The Barracuda Email Security Gateway automatic account creation process is as follows:
1. Checks the recipient email address against the Local database or the LDAP server as specified at the per-domain level on the USERS >
Single Sign-On page (Barracuda Email Security Gateway 400 and higher), as well as the Explicit Users to Accept For text box on the
USERS > Valid Recipients page. To increase security, you can configure the Barracuda Email Security Gateway to validate the
receiving email address (using LDAP or the SMTP command RCPT TO) before it creates an account. This helps prevent the Barracuda
Email Security Gateway from creating accounts for invalid users.
2. Creates a new account with User level permissions (See Roles and Navigating the Web Interface for more information about account
roles and permissions) for the recipient if the address does not exist. The Barracuda Email Security Gateway uses the email address of
the recipient as the username of the account and auto-generates a password.
3. If Single Sign-On is not enabled, the Barracuda Email Security Gateway sends the account holder an email with the login information so
they can access their quarantine inbox. With Single Sign-On enabled:
The account holder will be able to log into the Barracuda Email Security Gateway with their regular network credentials.
The account holder can alternatively log in with an alias as well. If the per-domain Unify Email Aliases option is set to Yes, then
when a user logs in with an alias, that user will be directed to the primary account. Please see the USERS > LDAP
Configuration page at the per-domain level for details on this option.
4. Places the quarantined message in the account holder’s quarantine inbox.
5. Sends a quarantine summary report to the account holder.
The settings chosen in the Default User Features section of the USERS > User Features page are applied to all new accounts that are
created.
When to Disable Automatic Creation of Accounts
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
194
If your LDAP server is running slowly, email will still be processed by the Barracuda Email Security Gateway but unavailability of your LDAP
server could result in creation of invalid quarantine accounts for unverified users on the Barracuda Email Security Gateway. In this case it may be
preferable to disable automatic account creation by setting the New User Quarantine State to Off from the BASIC > Quarantine page. User
accounts can be manually created in bulk as described below.
Another reason to disable automatic creation of accounts is that you may not want all of your users to have quarantine inboxes to manage,
access to whitelist/blocklist capabilities, etc. In that case, you can manually create user accounts for those individuals for whom it is appropriate,
as described in the next section.
Manually Creating User Accounts
In addition to the two cases mentioned above, you will want to manually create user accounts with the USERS > User Add/Update page when
you want to override the default quarantine, virus and spam checking settings for specific account holders. Creating the account before the
Barracuda Email Security Gateway automatically creates it enables you to initially configure the account settings if they are different from the
default settings for other users.
The Barracuda Email Security Gateway allows for account holders to manage various aspects of spam and virus checking and whitelist/blocklist
behavior for their email without having to manage a quarantine inbox on the system. By doing this you can enable global quarantine, but create
per-user settings for user control of spam and virus checking features.
For example, if you want your users to be able to maintain their own whitelists and blocklists of email addresses and domains, but you don’t want
to use resources on the Barracuda Email Security Gateway to store quarantine messages, or you don’t want to have to train or depend on users
to manage their quarantine inboxes, you can easily create accounts from the USERS > User Add/Update page for one or more users and
disable their quarantine inbox(es). Then, on the USERS > User Features page, enable the features over which you want those users to have
control by entering the same list of new account names (email addresses) in the User Account(s): text box in the User Features Override secti
on of the page.
Account Creation by Users
Another way to manually create accounts on the Barracuda Email Security Gateway is to use the Create New Password button on the login
page which new users can click to create an account with their email address as their username. Their password will be emailed to the email
address they enter in the username field.
Single Sign-On and User Authentication
Single Sign-On is a per-domain setting available on the Barracuda Email Security Gateway 400 and higher.
If Single Sign-On is enabled for a particular domain, account holders associated with that domain can log into the Web interface of the Barracuda
Email Security Gateway with their regular network credentials to manage their accounts.
When enabling Single Sign-On for a domain, you should also configure HTTPS/SSL Access Only at the global level on the ADVANCED >
Secure Administration page to protect the transmission of network passwords. See How to Enable SSL for Administrators and Users to
configure SSL on the Barracuda Email Security Gateway 400 and higher.
Assigning Features to User Accounts
The USERS > User Features page enables the administrator to enable or disable user control over their account settings:
For newly created accounts, in the Default User Features section of the page
For existing accounts, in the User Features Override and the Default User Features sections of the page
These features provide the user’s ability to enable or disable the following:
Whitelist/blocklist of email addresses and domains
Quarantine inbox
Notification settings - email address for receiving a quarantine summary report, and notification intervals
Use of a personal Bayesian database
Spam scanning (on/off)
Setting spam tag, quarantine and block score levels (Barracuda Email Security Gateway 600 and higher)
For all of the user features enabled by the administrator, the Domain Admin account role can override the global setting and disable any Default
User Features for newly created accounts. BOTH the Domain Admin and Helpdesk account roles can override the global settings for existing
accounts in the User Features Override section of the USERS > User Features page on a per-domain basis.
To enable account holders (including Domain Admin, Helpdesk and User roles) to edit preferences/user features for their accounts, make sure
that the Enable User Features setting on the per-domain BASIC > Quarantine page is turned On.
One of the most common scenarios for overriding quarantine settings is when you want to provide a few "power" users with a quarantine inbox on
the Barracuda Email Security Gateway, with the rest of your users receiving quarantined messages in their standard email inbox. Those
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
195
quarantined messages will have a tag prepended to the subject line indicating that the Barracuda Email Security Gateway suspects the message
to be spam. See How Quarantine of Inbound Mail Works for more information.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
196
Role-based Administration
The Barracuda Email Security Gateway offers several levels of 'scope' when accessing the web interface and configuring the system. This
enables delegation of tasks such as:
Domain Administration: Management of only domain-level settings for one or more domains that are protected by the Barracuda Email
Security Gateway
Helpdesk duties such as supporting end-user management of quarantine inbox, passwords and associated preferences
Application of governance, risk management and compliance policies to outbound email content by managing messages in the outbound
quarantine log
Only the administrator (Admin) role has access to the global scope, with access to all settings. Administration of domain-level settings can be
delegated to the Domain Admin role, which has the most permissions, the Helpdesk role, with fewer permissions, or the Governance, Risk
Management and Compliance (GRC) Account role, which has very limited permissions and a specific role. Finally, the User role can only see and
manage their account, or quarantine inbox and related settings. See Role Descriptions for more detail. To create roles and to understand the
difference in navigating the web interface for the Admin versus other roles, see Roles and Navigating the Web Interface.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
197
Roles and Navigating the Web Interface
Depending on the login role, the links in the upper right corner of the web interface will indicate the login name and, if in the domain level scope,
the domain being managed, or the name of the user account. This article addresses navigation of the web interface for the Admin, Domain
Admin, Helpdesk and User roles. For more information about these roles, please see Role Descriptions. The GRC account provides a special
role with very limited scope, and exists only for the purpose of meeting governance, risk management and compliance policies of an organization.
For information about the GRC role, please see Governance, Risk Management and Compliance (GRC) Account Role.
The administrator can step into the domain level scope of the web interface, which is what the Domain Admin and Helpdesk roles will see, from
the DOMAINS page, by selecting a domain to manage. The DOMAINS page represents the "top level" of navigation of the web interface for Dom
ain Admin and Helpdesk roles, as shown in Figure 1.
Figure 1: The DOMAINS page as viewed by the Domain Admin or Helpdesk roles upon login.
Clicking on Manage Domain enables managing domain-level settings and user accounts for that domain. The Domain Admin or Helpdesk role
can "drill down" another level by selecting an account associated with that domain to edit from the USERS > Account View page (see Figure 2
below). Editing an account displays the quarantine inbox and preferences for the account, which is what the User role sees. Domain Admin and
Helpdesk roles can also edit their own personal account settings and quarantine inboxes.
Figure 2: Drilling down from the DOMAINS page to account level.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Figure 3: Links enable Domain Admin role to return to DOMAINS page or edit account.
Editing Accounts and Assigning Roles
Copyright © 2017, Barracuda Networks Inc.
198
Barracuda Email Security Gateway Administrator's Guide - Page
199
From the USERS > Account View page in the global scope, the administrator can manage accounts (other than the Auditor account) for all
domains on the Barracuda Email Security Gateway, editing account roles, deleting invalid accounts as needed and changing account passwords.
The USERS > Account View page displays role types and whether or not each account has quarantine enabled. Role permissions are described
in the next section. The GRC account is managed from the BASIC > Administration page.
Figure 4: Account View from global scope as seen by the administrator.
Note that links in the upper right of the page always indicate the login name of the current account holder, the Log Off link and, if applicable, links
to manage the system, domains or user accounts.
Clicking Edit Role brings up the Edit Role page, as shown in the figure below, for changing the account role from User (the default) to Helpdesk
or Domain Admin and assigning domains for Helpdesk and Domain Admin account holders to manage.
To grant a Helpdesk or Domain Admin role permissions to manage ALL domains configured on the Barracuda Email Security Gateway, put the
phrase "all_domains" in the Managed domains for text box on the Edit Role page for that account as shown in Figure 6 below instead of listing
individual domains to manage.
Figure 5: The Edit Role page for assigning roles and domains to manage.
Figure 6: Assigning all_domains permissions on the Edit Role page.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Copyright © 2017, Barracuda Networks Inc.
200
Barracuda Email Security Gateway Administrator's Guide - Page
Role Descriptions
In This Section:
Domain Admin Role
Helpdesk Role
User Role
Governance, Risk Management and Compliance (GRC) Account Role
Copyright © 2017, Barracuda Networks Inc.
201
Barracuda Email Security Gateway Administrator's Guide - Page
202
Domain Admin Role
The Domain Admin role is available on the Barracuda Email Security Gateway 600 and above and can configure all domain settings for
designated domains as well as account settings for account holders who have lesser permissions. This role includes Helpdesk level permissions
and use cases as described above plus the ability to:
View message contents (if privacy settings allow) for designated domains.
Enable or disable per-user quarantine at the domain level and, if per-user quarantine is disabled, specify a global quarantine email
address for designated domains.
Enable or disable various Default User Features for new accounts (see Controlling Access to Account Features) for designated
domains.
Domain Admin Role - All_Domains Permissions
The Domain Admin role has the above permissions for ALL domains configured on the Barracuda Email Security Gateway if the Managed
domains for text box on the USERS > Account View > Edit Role page for this account holder includes the phrase "all_domains". In this case,
all domains for which the Barracuda Email Security Gateway filters email will appear in the DOMAINS page.
A Domain Admin account holder with all_domains permission can also do the following:
Create or change the role of a Domain Admin account holder who does not have all_domains permissions.
Log into and manage the quarantine inbox of a Domain Admin who does not have all_domains permissions.
Create or edit a Helpdesk account with all_domains permissions.
Navigation of the web interface for the Domain Admin role follows the examples illustrated for the Helpdesk Role, plus the following.
Figure 1: The Domain Admin role can configure domain-level settings.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
203
Helpdesk Role
This role is available for the Barracuda Email Security Gateway 300 and higher and can manage basic account settings for accounts associated
with one or more domains and assist users with managing their quarantine inboxes. This role has the User level permissions plus the ability to:
Change or update user account settings in the domain(s) to which the helpdesk user is assigned, which includes users spam scoring,
whitelist/blocklist, quarantine enable/disable, notification and Bayesian filtering settings.
View the Message Log for the domain(s) managed and deliver quarantined messages. The Helpdesk role cannot, however, view the
body of messages in the Message Log.
Log into an account with lesser permissions and manage the associated quarantine inbox – mark as spam/not spam, deliver, whitelist or
delete messages.
View domain-level status and reports (with the exception of the daily False Positive and False Negative, which can only be generated at
the global level by the administrator).
Edit account roles for account holders with lesser permissions.
The Helpdesk role has the above permissions for ALL domains configured on the Barracuda Email Security Gateway if the Managed domains
for text box on the USERS > Account View > Edit Role page for this account holder includes the phrase "all_domains".
A Helpdesk account holder with all_domains permission can also do the following:
Change the role of a Helpdesk account holder (to the User role) who does not have all_domains permissions.
Log into and manage the quarantine inbox of a Helpdesk or a Domain Admin who does not have all_domains permissions
If the Helpdesk account holder only administers a subset of all domains configured on the Barracuda Email Security Gateway, only those
domains will appear in the DOMAINS page. Here, the Helpdesk account only administers two domains:
Figure 1: Helpdesk account holder sees a list of only domains that they manage.
Clicking on the Manage Domain link will show a subset of the web interface. The Helpdesk role sees basic email statistics, can view reports and
the Message Log for the selected domain and manage the quarantine inbox and settings for other account holders, depending on their
permissions level.
From the USERS > Account View page, the Helpdesk account holder can view and edit accounts and quarantine inboxes for the domain or
manage their own account.
Figure 3: USERS > Account View page: the Helpdesk role sees a list of the accounts associated with the domain.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
204
For any account holders listed for the domain, the Helpdesk account holder can manage the quarantine inbox and some account settings, as
described above.
Example Helpdesk Use Cases
Disabling quarantine on the USERS > Add/Edit page for one or more users for reasons such as the following:
You don’t want to use Barracuda Email Security Gateway resources to store quarantined email, but you want your users to
maintain their own whitelists and blocklists of email addresses and domains.
Users don’t want to maintain two inboxes, but want to control spam scoring and quarantine notification intervals for their
incoming email.
A User account holder needs help changing their password.
A User account holder needs to know why email from a particular address is getting blocked by the Barracuda Email Security Gateway
and the Helpdesk role can:
View the reason for blocking on the BASIC > Message Log page.
Deliver the message if necessary.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
205
User Role
This is the default role assigned to newly created accounts on the Barracuda Email Security Gateway, and only provides the account holder with
a view of their quarantine inbox and some account preference settings, depending on what has been enabled for their account. For details about
managing the quarantine inbox, please see Barracuda Email Security Gateway User 's Guide 6 and Above.
User role permissions may include:
Modify individual settings for quarantine, spam tag and block levels.
Management of quarantine inbox - mark as Spam/Not Spam, deliver, whitelist, delete quarantined messages.
Change password (if Single Sign-On authentication is not configured).
Create whitelists and blocklists for email addresses and domains.
Manage a personal Bayesian database.
If granted the permission, the User role can disable quarantine for their account such that all messages quarantined for that account holder’s
email address(es) by the Barracuda Email Security Gateway will be delivered to their regular email inbox. The User account holder will see the
following page upon login, with option to set preferences (see Assigning Features to User Accounts) and manage their quarantine inbox of
messages. See also Using Per-user Quarantine.
Figure 1: User role view of web interface, displaying the Quarantine inbox.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
206
Governance, Risk Management and Compliance (GRC) Account Role
Beyond just protection from spam and viruses, the Barracuda Email Security Gateway provides tools to protect sensitive personal, financial,
medical, legal data and intellectual property transmitted via email. The GRC role is a tool that provides DLP (data loss prevention) for your
organization by assigning one or more responsible persons with the task of viewing either message entries (Subject, From, To, etc.) or both the
entries and the message contents in the outbound quarantine log. The GRC can then decide whether to deliver, reject or delete emails from this
log based on the policies of the organization. In this way, the GRC role serves to provide governance, risk management and compliance to
email content.
This account always exists on the Barracuda Email Security Gateway, but must be enabled via the Enable GRC Account setting on the BASIC
> Administration page to be active. The administrator can enable or disable the GRC account at any time, but must re-create a password each
time the account is re-enabled. The GRC account only has access to Outbound Quarantine logs, and can take the following actions with
outbound quarantined messages:
Deliver – GRC determines that the message is allowed, per policy, and clicks the Deliver button.
Reject – GRC determines that the message is not allowed for delivery, per policy, and clicks the Reject button. If the Admin has
configured it on the ADVANCED > Bounce/NDR Settings page, this action sends a bounce message to the sender in addition to
deleting the message.
Delete – GRC determines that the message is not allowed to be sent and clicks the Delete button. The message will then be removed
from the Outbound Quarantine log.
Note that you must enter a new password each time you set Enable GRC Account to Yes.
When the GRC logs in, only two pages will be visible in the web interface: the Outbound Quarantine page and a Password page as shown in
Figure 1, below. From the Password page, the GRC can change the current GRC password.
Note that, to protect email privacy, the Secondary Authorization feature on the BASIC > Administration page can be configured to
require a password for the GRC role to be able to see message contents when monitoring the outbound quarantine. If Enable
Secondary Authorization is set to Yes and Include Privacy for GRC Account is also set to Yes, then the GRC must supply the
password to see message contents in the log.
Figure 1: The GRC role can view the Outbound Quarantine and Deliver, Delete or Reject messages.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Monitoring the System
In this Section
Basic Monitoring Tools
Reporting
How to Set Up Alerts and SNMP Monitoring
Using a Syslog Server to Centrally Monitor System Logs
How to Set Up Barracuda Cloud Control
Barracuda Email Security Gateway Panel Indicators and Ports
Troubleshooting
Copyright © 2017, Barracuda Networks Inc.
207
Barracuda Email Security Gateway Administrator's Guide - Page
208
Basic Monitoring Tools
Viewing Performance Statistics
The BASIC > Dashboard page provides an overview of the health and performance of your Barracuda Email Security Gateway, including:
Hourly and daily email statistics that display the number of viruses blocked and messages rate controlled (deferred), blocked,
quarantined, tagged (inbound only), sent (outbound only) and allowed (inbound only) for the last 24 hours and 28 days.
The subscription status of Energize Updates.
Performance statistics, including CPU temperature and system load. Performance statistics displayed in red signify that the value
exceeds the normal threshold. These values will fluctuate based on the amount of traffic that is being handled, but if any setting remains
consistently in the red for a long period of time, please contact Barracuda Networks Technical Support.
If the Mail/Log Storage rises above 75%, this indicates that more disk space has been taken up by the message and log storage than is
allocated for that purpose and you should contact Barracuda Networks Technical Support.
If per-user quarantine is enabled and system performance has decreased, check the Quarantined number of messages shown in the Email
Statistics [inbound] pane on the BASIC > Dashboard page. If this number is high, changing the Retention Policies for per-user quarantine on
the USERS > Retention Policies page may solve the problem. See Retention Policy and Purging Old Messages for details and warnings about
deleting large amounts of messages.
On the Barracuda Email Security Gateway 600 and higher, if a disk drive in the RAID array exhibits a problem, the Redundancy (RAID) indicator
will highlight in red and show one of the drives as degraded with a link Click To Repair. Clicking this link will display a pop-up indicating the drive
to replace and an Ok button and a Cancel button. You must first replace the disk drive that indicates a problem before proceeding with the repair
operation. Please contact Barracuda Networks Technical Support if you need assistance.
Inbound and Outbound Message Queues
You can view the mail queues from the BASIC > Dashboard page with the In/Out Queue Size links.
The number of current inbound messages (In) plus accepted messages waiting for virus and spam scanning is shown, separated by a “/”, from
the number of messages in the outbound queue (Out) waiting for the outbound server. Click either number to view a summary of the messages
currently in the queues.
To view the queues in a Message Log format, with the ability to filter, requeue, delete and view details of selected queued messages, use the AD
VANCED > Queue Management page.
Retrying All Outbound Messages
If the outbound queue number is high, the mail server could be down or there could be another network issue. Messages in the outbound queue
will automatically expire if not successfully delivered within 48 hours (default). This may happen normally if the destination mail server rejects
email based on mail server policy and the message is bounced back to the sender.
To requeue, or retry delivering ALL email messages in the out queue, click the Retry button at the bottom of the BASIC > Administration page
to retry sending the messages immediately. The button will then be disabled until the requeue process has completed. To requeue, or retry
delivering selected email messages in the out queue, use the ADVANCED > Queue Management page.
Note that alerts and notifications are queued separately from email so that the administrator can be alerted if the out message queue is high.
The Message Log
The BASIC > Message Log page displays details about all email traffic that passes through the Barracuda Email Security Gateway.You can view
message source and analysis by clicking on a message; you will also see spam scoring for the message and Bayesian analysis, if enabled.
This data is captured initially in the Mail Syslog and appears on the mail facility at the debug priority level on the specified syslog server.
The Message Log stores data for up to 6 months. Actual number of messages are allocated 75% of available storage, which includes
quarantine messages. If your organization needs to access more message log data than 6 months' worth, Barracuda recommends
using a syslog server or a Message Archiver.
The Message Log is a window into how the current spam and virus settings are filtering email coming through the Barracuda Email Security
Gateway, and sorting data using the wide variety of filters can quickly provide a profile of email by allowed, tagged, quarantined or blocked
messages by domain, sender, recipient, time, subject, size, reason for action taken or score.
Watch the Message Log after making changes to the spam and virus settings to determine if the Barracuda Email Security Gateway spam
checking and quarantine behavior is tuned per the needs of your organization. See Monitor and Classify Incoming Emails for more information
about using the Message Log.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
209
Using the Task Manager to Monitor System Tasks
The ADVANCED > Task Manager page provides a list of tasks that are in the process of being performed and displays any errors encountered
when performing these tasks. Some of the tasks that the Barracuda Email Security Gateway tracks include:
Clustered environment setup
Configuration and Bayesian data restoration
Removal of invalid users
If a task takes a long time to complete, you can click the Cancel link next to the task name and then run the task at a later time when the system
is less busy. The Task Errors section will list an error until you manually remove it from the list. The errors are not automatically phased out over
time.
Front and Rear Panel Configurations
See Barracuda Email Security Gateway Panel Indicators and Ports.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
210
Reporting
Generate System Reports
The Barracuda Email Security Gateway has a variety of system reports that can help you keep track of such statistics as the top spam senders
and the top viruses detected by the system.
Reports can be created for data collected at the global level as well as at the per-domain level. You can run reports and configure report settings
from the BASIC > Reports page, and online help for that page includes a table listing all reports, the kind of data each report includes for
inbound and/or outbound mail, and types of graphs available. You can either generate a system report on demand or schedule reports for regular
delivery to specific users.
On demand reports can cover data for a specified date range, but generating a report to view instead of to send as an email can potentially
consume excessive system resources on the Barracuda Email Security Gateway. For this reason, discretion should be used when deciding on
the date range a given report is to cover. To minimize impact of report generation on the Barracuda Email Security Gateway performance, reports
of over 7 days in length can only be generated through email.
Automate the Delivery of Scheduled System Reports
The Reporting Email Options section of the BASIC > Reporting page lets you configure the Barracuda Email Security Gateway to
automatically deliver system reports daily, weekly or monthly to specific users by entering their email addresses in the field next to each report
type.
You can enter as many email addresses as you like for each report as long as each address is separated by a comma. If you do not want a daily
report to be distributed, do not enter an email address next to that report type.
Each scheduled report covers traffic for the selected Date Range and Start and End times, and can be automatically generated either Daily,
Weekly or Monthly. The Traffic Summary report is a good status reporting tool, and having it emailed to your mail box every day is helpful for
monitoring the system.
Report Format Options
Report output format options include HTML, PDF and Text.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
211
How to Set Up Alerts and SNMP Monitoring
Setting up Emailed System Alerts
The BASIC > Administration page allows you to configure the Barracuda Email Security Gateway to automatically email system notifications
and alerts to the email address(es) you specify. To enter multiple addresses, separate each address with a comma. Note that notifications are
queued separately from outbound messages. System alerts are sent from the Barracuda Email Security Gateway to the System Alerts Email
Address(es) you specify when a system issue triggers an automated alert, including:
LDAP lookup or server errors. This alert email is sent once per day reporting LDAP errors logged over the past 24 hours. A few errors
may not be indicative of a problem, but more than a few may mean that there is mail that is being blocked for one or more invalid
recipients.
Failure of an automated backup. The email will indicate the cause of failure, such as, for example, the backup server is not available,
invalid username or invalid password. Check the settings on the ADVANCED > Backup page in the Automated Backups section.
Notifications are sent from Barracuda Central to the System Contact Email Address when:
Your Energize Update subscription is about to expire
Problems arise with RAID disk storage
New security bulletins are available
Setting up SNMP Query and Alerts
While the Barracuda Email Security Gateway will send email alerts to the System Alerts Email Address specified on the BASIC >
Administration page, these alerts are limited and do not include latency, inqueue sizes, and other similar information. To monitor more specific
information on a Barracuda Email Security Gateway, Barracuda Networks recommends using SNMP monitoring with an SNMP server. The
Barracuda Email Security Gateway 400 and higher offers the ability to monitor various settings via SNMP, including:
System statistics, such as:
inbound/outbound queue size
average email latency
encrypted, blocked, quarantined and tagged messages based on spam, custom policy, virus, etc. (outbound mail included)
appliance uptime
Performance statistics, including mail/log storage, CPU temperature and system load.
To query the Barracuda Email Security Gateway for these statistics via SNMP, you must first enable the SNMP agent, specify the SNMP version
you’re using, the community string, and enter the IP address of the server(s) that will be making the SNMP connection in the SNMP Manager
section of the BASIC > Administration page.
To configure SNMP with the Barracuda Email Security Gateway, see How to Use SNMP Monitoring.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
212
How to Use SNMP Monitoring
This article applies to the Barracuda Email Security Gateway 400 and higher, version 5.1 and above.
In addition to the system performance statistics on the BASIC > Dashboard page, you can use the Barracuda Email Security Gateway SNMP
agent with your SNMP monitor to query the system for performance and email filtering statistics. You can also use SNMP monitoring to receive
alerts (traps) by email that report system load and other vitals of the Barracuda Email Security Gateway.
Step 1. Configure SNMP on the Barracuda Email Security Gateway
1.
2.
3.
4.
Log into the web interface of the Barracuda Email Security Gateway as the administrator.
Navigate to the BASIC > Administration page and, in the SNMP Manager section, set Enable SNMP Agent to Yes.
Click the Help button on the page for instructions on choosing the SNMP Version (see SNMP Versions below for details).
Set the Allowed SNMP IP/Range. Only the IP addresses/networks you enter here will be allowed SNMP access to the Barracuda Email
Security Gateway.
5. Configure SNMP Traps and SNMP Threshold sections. Click the Help button for instructions.
Note that the Barracuda Email Security Gateway communicates SNMP information using a community string of cudaSNMP by default.
This string can be changed for version 5.x and higher in the SNMP Manager section of the BASIC > Administration page.
Step 2. Configure SNMP/Email Notifications
In the Email Notifications of the page, you can optionally set the Barracuda Email Security Gateway to send notifications to the System Alerts
Email Address via SNMP for these conditions:
The inbound message queue size exceeds normal thresholds
The outbound message queue size exceeds normal thresholds
The average latency exceeds normal thresholds
Problems with RAID disk storage
To receive email notifications about system health via SNMP:
1. Send SNMP/Email Notifications to Yes.
2. Enter a value for the System Alerts Email Address.
Step 3. Get the MIB files for your SNMP monitor
Click to download the Barracuda Email Security Gateway SNMP MIB and the Barracuda Reference MIB. You can use reference objects included
in these MIBs for monitoring either from custom scripts or from your SNMP monitor. The MIB files can be viewed in your web browser by simply
replacing YOURBARRACUDA in the following links with the IP address of your Barracuda Email Security Gateway:
http://YOURBARRACUDA:8000/Barracuda-SPAM-MIB.txt
http://YOURBARRACUDA:8000/Barracuda-REF-MIB.txt
SNMP Versions
The Barracuda Email Security Gateway supports both SNMP versions v2c and v3. SNMP v2c queries and responses are NOT encrypted, so it is
not as secure as SNMP v3. With SNMP v3, traffic is encrypted and you can set up access control for specified users with passwords. Barracuda
recommends using version v3. You can configure which SNMP version you want to use as well as authentication and encryption methods for
v3 in the SNMP Manager section of the BASIC > Administration page of the Barracuda Email Security Gateway web interface. Examples of
snmpget commands for both versions are shown below.
Syntax for SNMP queries
If you are using an SNMP monitor tool, all you need to do is import the MIBs as mentioned above into the SNMP monitor. You can refer to the
MIBs for the Object IDs (OIDs) that correspond to the type of status you want to monitor. Please refer to the objects and traps listed in the next
section.
If you are querying the Barracuda Email Security Gateway from code, use the following syntax (where System IP or hostname or localhost is
the IP address of the Barracuda Email Security Gateway). Note that, if using the snmpwalk command, if you don’t include an OID you will get a
listing of all of the OIDs in the MIB.
Examples: Getting Mail and Performance Statistics
The standard SNMP MIB reports the email traffic and performance statistics for the Barracuda Email Security Gateway on an hourly, daily and
monthly basis. These examples demonstrate the syntax for using snmpget to obtain some of these measurements.
Example 1: Using SNMP v2, get the size of the inbound queue (number of current messages in the inbound queue waiting for virus and spam
scanning), where the OID for Inbound Queue is 1.3.6.1.4.1.20632.2.2 (see Objects and Traps below).
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
213
$ snmpget -On -v2c -c public 192.168.132.74 1.3.6.1.4.1.20632.2.2
SNMP Response:
.1.3.6.1.4.1.20632.2.2 = INTEGER: 0
Example 2: Using SNMP v3, calculate the size of the outbound queue (number of messages in the outbound queue waiting for the outbound
server (delivery) where the OID for Inbound Queue is 1.3.6.1.4.1.20632.2.3:
$ snmpget -On -v3 -a MD5 -x DES -A password -X password -l authPriv -u admin 192.168.132.74
1.3.6.1.4.1.20632.2.3
SNMP Response:
.1.3.6.1.4.1.20632.2.3 = INTEGER: 0
Objects and Traps
As you will see in the Barracuda Email Security Gateway MIB, the system provides the following objects. Please see the online help in the
Barracuda Email Security Gateway web interface for details on these settings.
OID
Object
Description
1.3.6.1.4.1.20632.2.2
inQueueSize
Number of messages waiting to be
processed by the Barracuda Email Security
Gateway.
1.3.6.1.4.1.20632.2.3
outQueueSize
Number of messages waiting to be sent to
the mail server. Note that alerts and
notifications are queued separately from
outbound email.
1.3.6.1.4.1.20632.2.4
deferredQueueSize
Number of messages deferred because they
could not be processed, and will be
requeued for processing.
1.3.6.1.4.1.20632.2.5
avgEmailLatency
Difference between the time a message was
received by the Barracuda Email Security
Gateway and the time it is sent to the mail
server.
1.3.6.1.4.1.20632.2.8
notifyQueueSize
Count of messages in the notification queue.
1.3.6.1.4.1.20632.2.9
encryptionEnabled
A flag that is set if encryption is enabled for
at least one domain.
1.3.6.1.4.1.20632.2.11
lastMessageDelivery
Time and date the last message was
delivered by the Barracuda Email Security
Gateway.
1.3.6.1.4.1.20632.2.12
uniqueRecipients
Number of unique recipients of mail
processed by the Barracuda Email Security
Gateway.
1.3.6.1.4.1.20632.2.13
systemLoad
Estimate of CPU and disk load on the
system.
1.3.6.1.4.1.20632.2.14
sysFanSpeed
System fan speed.
1.3.6.1.4.1.20632.2.15
cpuFanSpeed
CPU fan speed.
1.3.6.1.4.1.20632.2.16
cpuTemperature
CPU temperature.
1.3.6.1.4.1.20632.2.17
firmwareStorage
Amount of disk storage used for various
system components.
1.3.6.1.4.1.20632.2.18
maillogStorage
Amount of disk storage used for message
and log storage.
1.3.6.1.4.1.20632.2.19
raidStatus
The status of the RAID disk array: Fully
Operational, Degraded, Rebuilding.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
214
1.3.6.1.4.1.20632.2.20
totalInboundBlocked
Total number of inbound messages blocked
since last system reset.
1.3.6.1.4.1.20632.2.21
dailyInboundBlocked
Total number of inbound messages blocked
in the past 24 hours.
1.3.6.1.4.1.20632.2.22
hourlyInboundBlocked
Total number of inbound messages blocked
in the past hour.
1.3.6.1.4.1.20632.2.23
totalInboundVirusBlocked
Total number of inbound messages blocked
due to viruses since last system reset.
1.3.6.1.4.1.20632.2.24
dailyInboundVirusBlocked
Total number of inbound messages blocked
due to viruses in the past 24 hours.
1.3.6.1.4.1.20632.2.25
hourlyInboundVirusBlocked
Total number of inbound messages blocked
due to viruses in the past hour.
1.3.6.1.4.1.20632.2.26
totalInboundRateControlled
Total number of inbound messages deferred
due to Rate Control since last system reset.
1.3.6.1.4.1.20632.2.27
dailyInboundRateControlled
Total number of inbound messages deferred
due to Rate Control in the past 24 hours.
1.3.6.1.4.1.20632.2.28
hourlyInboundRateControlled
Total number of inbound messages deferred
due to Rate Control in the past hour.
1.3.6.1.4.1.20632.2.29
totalInboundQuarantined
Total number of inbound messages
quarantined since last system reset.
1.3.6.1.4.1.20632.2.30
dailyInboundQuarantined
Total number of inbound messages
quarantined in the past 24 hours.
1.3.6.1.4.1.20632.2.31
hourlyInboundQuarantined
Total number of inbound messages
quarantined in the past hour.
1.3.6.1.4.1.20632.2.32
totalInboundTagged
Total number of inbound messages tagged
since last system reset.
1.3.6.1.4.1.20632.2.33
dailyInboundTagged
Total number of inbound messages tagged
in the past 24 hours.
1.3.6.1.4.1.20632.2.34
hourlyInboundTagged
Total number of inbound messages tagged
in the past hour.
1.3.6.1.4.1.20632.2.35
totalAllowed
Total number of inbound messages allowed
since last system reset.
1.3.6.1.4.1.20632.2.36
dailyAllowed
Total number of inbound messages allowed
in the past 24 hours.
1.3.6.1.4.1.20632.2.37
hourlyAllowed
Total number of inbound messages allowed
in the past hour.
1.3.6.1.4.1.20632.2.38
totalOutboundPolicyBlocked
Total number of outbound messages blocked
due to policy since last system reset.
1.3.6.1.4.1.20632.2.39
dailyOutboundPolicyBlocked
Total number of outbound messages blocked
due to policy in the past 24 hours.
1.3.6.1.4.1.20632.2.40
hourlyOutboundPolicyBlocked
Total number of outbound messages blocked
due to policy in the past hour.
1.3.6.1.4.1.20632.2.41
totalOutboundSpamBlocked
Total number of outbound messages blocked
due to spam since last system reset.
1.3.6.1.4.1.20632.2.42
dailyOutboundSpamBlocked
Total number of outbound messages blocked
due to spam in the past 24 hours.
1.3.6.1.4.1.20632.2.43
hourlyOutboundSpamBlocked
Total number of outbound messages blocked
due to spam in the past hour.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
215
1.3.6.1.4.1.20632.2.44
totalOutboundVirusBlocked
Total number of outbound messages blocked
due to viruses sincelast system reset.
1.3.6.1.4.1.20632.2.45
dailyOutboundVirusBlocked
Total number of outbound messages blocked
due to viruses in the past 24 hours.
1.3.6.1.4.1.20632.2.46
hourlyOutboundVirusBlocked
Total number of outbound messages blocked
due to viruses in the past hour.
1.3.6.1.4.1.20632.2.47
totalOutboundRateControlled
Total number of outbound messages
deferred due to Rate Control since last
system reset.
1.3.6.1.4.1.20632.2.48
dailyOutboundRateControlled
Total number of outbound messages
deferred due to Rate Control in the past 24
hours.
1.3.6.1.4.1.20632.2.49
hourlyOutboundRateControlled
Total number of outbound messages
deferred due to Rate Control in the past
hour.
1.3.6.1.4.1.20632.2.50
totalOutboundQuarantined
Total number of outbound messages
quarantined since last system reset.
1.3.6.1.4.1.20632.2.51
dailyOutboundQuarantined
Total number of outbound messages
quarantined in the past 24 hours.
1.3.6.1.4.1.20632.2.52
hourlyOutboundQuarantined
Total number of outbound messages
quarantined in the past hour.
1.3.6.1.4.1.20632.2.53
totalEncrypted
Number of messages sent to the Barracuda
Message Center for encryption and delivery
since last system reset.
1.3.6.1.4.1.20632.2.54
dailyEncrypted
Number of messages sent to the Barracuda
Message Center for encryption and delivery
in the past 24 hours.
1.3.6.1.4.1.20632.2.55
hourlyEncrypted
Number of messages sent to the Barracuda
Message Center for encryption and delivery
in the past hour.
1.3.6.1.4.1.20632.2.56
totalRedirected
Number of messages redirected to another
mail server since last system reset.
1.3.6.1.4.1.20632.2.57
dailyRedirected
Number of messages redirected to another
mail server in the past 24 hours.
1.3.6.1.4.1.20632.2.58
hourlyRedirected
Number of messages redirected to another
mail server in the past hour.
1.3.6.1.4.1.20632.2.59
totalSent
Number of outbound messages delivered to
the intended recipient, without modification,
since last system reset.
1.3.6.1.4.1.20632.2.50
totalOutboundQuarantined
Number of outbound messages quarantined
since last system reset.
1.3.6.1.4.1.20632.2.60
dailySent
Number of outbound messages delivered to
the intended recipient, without modification,
in the past 24 hours.
1.3.6.1.4.1.20632.2.61
hourlySent
Number of outbound messages delivered to
the intended recipient, without modification,
in the past hour.
1.3.6.1.4.1.20632.2.62
domainCount
Number of domains configured on the
system.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
216
The system provides the following traps:
OID
Object
1.3.6.1.4.1.20632.2.1.2
cpuFanDead
1.3.6.1.4.1.20632.2.1.3
sysFanDead
1.3.6.1.4.1.20632.2.1.4
cpuTempHigh
1.3.6.1.4.1.20632.2.1.5
firmwareStorageHigh
1.3.6.1.4.1.20632.2.1.6
mailStorageHigh
1.3.6.1.4.1.20632.2.1.7
raidDegrading
1.3.6.1.4.1.20632.2.1.8
inQueueHigh – "Severity: Alert. In-queue size is high"
1.3.6.1.4.1.20632.2.1.9
outQueueHigh –"Severity: Alert. Out-queue size is high"
1.3.6.1.4.1.20632.2.1.10
notifyQueueHigh
1.3.6.1.4.1.20632.2.1.11
latencyHigh
1.3.6.1.4.1.20632.2.1.12
noMailForTooLong
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
217
Barracuda Email Security Gateway SNMP MIB
Missing the language English in this article! Please add the language, otherwise this article can not be displayed properly.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
218
Barracuda Reference MIB
Missing the language English in this article! Please add the language, otherwise this article can not be displayed properly.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
219
Using a Syslog Server to Centrally Monitor System Logs
Use the ADVANCED > Advanced Networking page to specify a server to which the Barracuda Email Security Gateway sends syslog data.
Syslog is a standard UNIX/Linux tool for sending remote system logs and is available on all UNIX/Linux systems. Syslog servers are also
available for Windows platforms from a number of free and premium vendors.
The Web Syslog data contains information about user login activities and any configuration changes made on the machine. This syslog data
appears on the local facility with login information at the info priority level, and configuration changes appear at the debug priority level on the
specified syslog server.
The Mail Syslog captures data related to mail flow and is the same information as that used to build the Message Log in the Barracuda Email
Security Gateway. The Mail Syslog includes data such as the connecting IP, envelope 'From' address, envelope 'To' address, and the spam
score for the messages transmitted. This syslog data appears on the mail facility at the debug priority level on the specified syslog server.
See the Syslog section of the ADVANCED > Troubleshooting page for the facility to open a window and view the Mail Syslog or Web Syslog o
utput.
For details about using the Barracuda syslog with the Barracuda Email Security Gateway, see Syslog and the Barracuda Email Security Gateway
.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
220
Syslog and the Barracuda Email Security Gateway
Information Provided by the Syslog
The Barracuda Email Security Gateway generates syslog messages as a means of logging both changes to the Web interface configuration and
what happens to each message as it is processed. The syslog messages are stored in text file format on the Barracuda Email Security Gateway
and can be sent to a remote server configurable by the administrator. There are two syslog outputs you can monitor: the Mail syslog and the Web
syslog.
The Web syslog contains information about user login activities and any configuration changes made to the Barracuda Email Security Gateway
Web interface. User activity data appears on the local facility with login information at the info priority level, and configuration changes appear at
the debug priority level on the specified syslog server. See the Syslog section of the ADVANCED > Troubleshooting page for the facility to
open a browser window and view the Web syslog output. Since Web syslog messages do not use any special formatting, Web syslog is not
covered in this guide.
The Mail syslog logs what happens to each message as it is processed and is presented in a raw data format that includes reason codes relative
to the message process. This guide will help you understand, parse, and utilize the mail syslog messages and reason codes generated by the
Barracuda Email Security Gateway.
Configuring the Barracuda Mail Syslog
To configure the Mail syslog, using the Barracuda Email Security Gateway Web interface, navigate to the ADVANCED > Advanced Networking
page and enter the IP address and port of the syslog server to which syslog data related to mail flow should be sent. You can also specify the
protocol, TCP or UDP, over which syslog data should be transmitted. TCP is recommended.
Syslog data is the same information as that used to build the Message Log in the Barracuda Email Security Gateway and includes data such as
the connecting IP Address, envelope 'From' address, envelope 'To' address, and the spam score for the messages transmitted. This syslog data
appears on the mail facility at the debug priority level on the specified syslog server. As the Barracuda Email Security Gateway uses the syslog
messages internally for its own message logging, it is not possible to change the facility or the priority level. See the Syslog section of the ADVA
NCED > Troubleshooting page in the Barracuda Email Security Gateway Web interface to open a window and view the Mail syslog output.
If you are running syslog on a UNIX machine, be sure to start the syslog daemon process with the “-r” option so that it can receive messages
from sources other than itself. Windows users will have to install a separate program to utilize syslog since the Windows OS doesn’t include
syslog capability. Kiwi Syslog is a popular solution, but there are many others are available to choose from, both free and commercial.
Syslog messages are sent via either TCP or UDP to the standard syslog port of 514. If there are any firewalls between the Barracuda Email
Security Gateway and the server receiving the syslog messages, make sure that port 514 is open on the firewalls.
Parsing the Syslog
The format of the Barracuda Email Security Gateway syslog output is detailed below. For a programmer's guide to parsing the syslog, see How to
Parse the Barracuda Email Security Gateway Syslog.
Barracuda Syslog Format
The Barracuda Email Security Gateway sends syslog messages in the following format. Whenever an action is taken on a message, it is logged
with the syslog. A message sent to multiple recipients will be logged separately for each recipient. Please be aware that the various syslog
implementations may not display the messages in this exact format. However, the sections should still be present in the syslog lines as shown in
the table below. The following represents the main part of the syslog line:
Each section of the syslog line is defined in the table below.
Syslog Section
Description
Timestamp
The time that the syslog message was logged. For reporting
purposes, this section of the syslog line can be ignored. It is useful
when analyzing the logs by hand, but is not needed for compiling
reports. NOTE: In version 5.1.3.007, the Year was appended to the
end of the Timestamp field.
Host
Indicates the host that generated the syslog message. Useful if you
have multiple Barracuda appliances and need to know which host
sent the message.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
221
Barracuda Process
Indicates the process that the email message was in when the syslog
message was generated. Possibilities are: inbound/pass1 …
inbound/pass2 … scan … outbound/smtp. NOTE: In version
6.0.2.002, the 5 digit Process ID ([27564] in the example above) was
removed.
Barracuda Message ID
The most important piece of the syslog entry. This ID is used to
uniquely identify a message. The ID may occur in one of two formats
(a different format is used for the inbound process and for the scan
process). For example, this ID 1126226282-27564-2-0 is used for
RECV transactions and it means the following:
1126226282 = UNIX timestamp
27564-2= Internal Process ID
0 = Message number in SMTP session – this number indicates how
many messages have been sent in that single SMTP session
Start
The start time of the message in UNIX timestamp format, indicating
when the sender began giving us the “From” information for the
message.
End
The end time of the message in UNIX timestamp format, indicating
when the sending server terminated sending of the message.
Service
The service that produced the message. The following services are
available:
RECV – This service indicates a message was handled by the
MTA and processing stopped.
SCAN – This service indicates the message was scanned and
processing may have stopped or it may have been sent to the
outbound processing for delivery.
SEND – This service indicates status of outbound delivery. It is
the only message that may appear multiple times for a given
message ID since delivery may initially have been deferred
before succeeding later on.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
222
This section contains the actual information about what happened to
a given message. It is dependent on the service that sent the
information, and the following formats are used:
Info
RECV – Sender Recipient Action Reason ReasonExtra
SCAN – Encrypted Sender Recipient Score Action
Reason ReasonExtra SZ "SUBJ:"Subject
Note that if TLS is used, then 'ENC' will be displayed before the
SZ: entry; if TLS is not USED, there will be a '–' before the SZ:
entry.
SEND – Encrypted Action QueueID Response
The possible fields have the following meanings:
Sender – The address of the sender, if available, and '–' if the
SENDER is blank.
Recipient – The address of the recipient if available and, ‘-‘ if
not available.
Action – The action code indicating what action was taken for
the message. For the “SEND” service these action codes have
different meanings.
Reason – The reason code indicating the reason for the taken
action.
ReasonExtra – Extra information about a given reason (e.g. the
RBL or the body filter that matched in the message).
Encrypted – Indicates whether or not the message was
received or sent encrypted.
Score – The score given to the message if the scoring
mechanism was run.
Subject – The subject of the message if it was available.
QueueID – The queue ID of the message on the Barracuda as
delivery is being attempted.
Response – The response given back by the mail server if
available.
Barracuda Action Codes
RECV and SCAN Services
ID
Meaning
0
Allowed Message
1
Aborted Message
2
Blocked Message
3
Quarantined Message
4
Tagged Message
5
Deferred Message
6
Per-User Quarantined
Message
7
Whitelisted Message
8
Encrypted Message
9
Redirected Message
10
Attachments Stubbed*
* Applies to version 6.0 and higher
SEND Service
ID
Meaning
1
Delivered Message
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
2
Rejected Message
3
Deferred Message
4
Expired Message
Barracuda Reason Codes
RECV and SCAN Services
ID
Meaning
1
Virus
2
Banned Attachment
3
RBL Match
4
Rate Control
5
Too Many Message In Session
6
Timeout Exceeded
7
No Such Domain
8
No Such User
9
Subject Filter Match
11
Client IP
12
Recipient Address
13
No Valid Recipients
14
Domain Not Found
15
Sender Address
17
Need Fully Qualified Recipient
18
Need Fully Qualified Sender
19
Unsupported Command
20
MAIL FROM Syntax Error
21
Bad Address Syntax
22
RCPT TO Syntax Error
23
Send EHLO/HELO First
24
Need MAIL Command
25
Nested MAIL Command
27
EHLO/HELO Syntax Error
30
Mail Protocol Violation
31
Score
34
Header Filter Match
35
Sender Block/Accept
36
Recipient Block/Accept
37
Body Filter Match
38
Message Size Bypass
39
Intention Analysis Match
Copyright © 2017, Barracuda Networks Inc.
223
Barracuda Email Security Gateway Administrator's Guide - Page
224
40
SPF/Caller-ID
41
Client Host Rejected
44
Authentication Not Enabled
45
Allowed Message Size Exceeded
46
Too Many Recipients
47
Need RCPT Command
48
DATA Syntax Error
49
Internal Error
50
Too Many Hops
51
Mail Protocol Error
55
Invalid Parameter Syntax
56
STARTTLS Syntax Error
57
TLS Already Active
58
Too Many Errors
59
Need STARTTLS First
60
Spam Fingerprint Found
61
Barracuda Reputation Whitelist
62
Barracuda Reputation Blocklist
63
DomainKeys
64
Recipient Verification Unavailable
65
Realtime Intent
66
Client Reverse DNS
67
Email Registry
68
Invalid Bounce
69
Intent - Adult
70
Intent - Political
71
Multi-Level Intent
72
Attachment Limit Exceeded
73
System Busy
74
BRTS Intent
75
Per Domain Recipient
76
Per Domain Sender
77
Per Domain Client IP
78
Sender Spoofed
79
Attachment Content
80
Outlook Add-in
82
Barracuda IP/Domain Reputation
83
Authentication Failure
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
225
85
Attachment Size
86
Virus detected by Extended Malware Protection **
87
Extended Malware Protection engine is busy **
88
A message was categorized for Email Category**
89
Macro Blocked*
* Applies to version 8.0.1 and higher
** Applies to version 6.1 and higher
***With version 7.1.1, no longer used
****Applies to version 7.1.1.002 and higher
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
226
How to Parse the Barracuda Email Security Gateway Syslog
For Programmers: Parsing the Barracuda Syslog
For general information about using the syslog, see Syslog and the Barracuda Email Security Gateway.
Syslog messages generated by the Barracuda Email Security Gateway can be parsed for reporting purposes or for building of a custom message
log. It is easiest to think of each syslog line in terms of the main components, and the INFO portion can then be parsed based on that service.
The following Perl code illustrates a simple parsing of the log lines. It takes a line and places the resulting message information into a hash –
pushing that hash onto a global array of messages when it completes.
sub parse_log_line
{
# Grab the line we were given and create a new message hash for our message
my($line) = @_;
my %message = ();
# These are the components we may have parsed out of the message based on the service
my ($ip, $id, $start_time, $end_time, $name, $info, $domain);
my ($enc, $sender, $recip, $score, $action, $reason, $reason_extra, $subject);
# Grab the main components from the line (IP, MSG_ID, START_TIME, END_TIME, SERVICE, INFO)
#
#
# NOTE: If this is for the SEND log line then the IP, as well as the START/END times are
# bogus values of 127.0.0.1 and 0/0 respectively
if( $line =~ /\s+:\s+([^\s]+) ([^\s]+) (\d+) (\d+) (RECV|SCAN|SEND) (.*)$/)
{
# Grab the main pieces of the log entry and the process specific info
($ip, $id, $start_time, $end_time, $name, $info) = ($1, $2, $3, $4, $5, $6);
# Set the connecting IP, message-id, start-time, and end-time if this wasn't
# for the SEND service
if( $name !~ /SEND/ )
{
$message{client} = $ip;
$message{id} = $id;
$message{start_time} = $start_time;
$message{end_time} = $end_time;
}
# Break out the process specific pieces from the info portion
if( $name =~ /RECV/ )
{
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
227
# Break the MTA info up into sender/recip/action/reason/reason_extra
if( $info =~ /([^\s]+)\s([^\s]+)\s(\d+)\s(\d+)\s(.*)$/ )
{
($sender, $recip, $action, $reason, $reason_extra) = ($1, $2, $3, $4, $5);
# Store the readable time of this message based on when it was started by
# converting the unix time to its components and then sprintf’ing into readable form
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime($start_time);
$message{time} = sprintf("%02d/%02d/%02d %02d:%02d:%02d", $mon+1, $mday, $year-100, $hour,
$min, $sec);
# Store the sender if we had one
if( $sender ne '-' )
{
$message{from} = $sender;
}
# Store the recipient if we had one
if( $recip ne '-' )
{
$message{mailto} = $recip;
}
# Set our action/reason codes
$message{action_id} = $action;
$message{reason_id} = $reason;
# Pull in the reason_extra field. This should never be anything other
# than ASCII since the mta doesn't have any multi-byte functionality
# ... thus we don't need to eval it.
if( $reason_extra ne '-' )
{
$message{reason_extra} = " ($reason_extra)";
}
}
}
elsif( $name =~ /SCAN/ )
{
# Break the scanner info up into
encrypted/sender/recip/score/action/reason/reason_extra/subject
if( $info =~ /([^\s]+)\s([^\s]+)\s([^\s]+)\s([-\.\d+]+)\s(\d+)\s(\d+)\s(.*)\sSUBJ:(.*)$/ )
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
228
{
($enc, $sender, $recip, $score, $action, $reason, $reason_extra, $subject) =
($1, $2, $3, $4, $5, $6, $7, $8);
# Store the readable time of this message based on when it was started by
# converting the unix time to its components and then sprintf’ing into readable form
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime($start_time);
$message{time} = sprintf("%02d/%02d/%02d %02d:%02d:%02d", $mon+1, $mday, $year-100, $hour,
$min, $sec);
# Store the sender if we had one
if( $sender ne '-' )
{
$message{from} = $sender;
}
# Store the recipient if we had one and build the msg_file path
if( $recip ne '-' )
{
$message{mailto} = $recip;
}
# Set the subject line
if( $subject )
{
eval
{
# Note: if this is encoded you may want to decode it here and that
# is why this section is in an eval – since nothing guarantees the
# sender encoded the subject properly.
$message{subject} = decode( $subject );
};
}
# Set the score if we had one
if( $score ne '-' )
{
$message{spam_score} = $score;
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
229
}
# Set our action/reason codes
$message{action_id} = $action;
$message{reason_id} = $reason;
# Pull in the reason_extra field. This has the extra info the filter that matched
# and other things that might be multi-byte so it should probably be eval’d
eval
{
if( $reason_extra ne '-' )
{
$message{reason_extra} = decode( $reason_extra );
}
}
}
}
elsif( $name =~ /SEND/ )
{
# Break the Outbound MTA info up into encrypted/action/queue_id/response
if( $info =~ /([^\s]+)\s(\d+)\s([^\s]+)\s(.*)$/ )
{
my ($enc, $action, $queue_id, $reason) = ($1, $2, $3, $4);
# Do whatever you would like with the delivery transactions – just keep in
# mind that a single message may have multiple outbound entries because of
# being deferred by the downstream server.
}
}
# Put a ref to this message onto our array of messages so we can use it later
push(@message_list, \%message);
# Send back whatever info you would like to the caller here. In this case
# we are sending back the end time as an example that could handle tracking
# last seen message time or something similar
return( $end_time );
}
# No message info to send back
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
return undef;
}
For questions after reading this document, please contact Barracuda Networks Technical Support.
Copyright © 2017, Barracuda Networks Inc.
230
Barracuda Email Security Gateway Administrator's Guide - Page
231
How to Set Up Barracuda Cloud Control
Barracuda Cloud Control enables administrators to manage, monitor and configure multiple Barracuda Email Security Gateways (version 5.0 and
higher) at one time from one console. If you are using the Cloud Protection Layer feature of the Barracuda Email Security Gateway, you will
manage it using Barracuda Cloud Control (see Cloud Protection Layer for details). For information specific to the Barracuda Cloud Control
product configuration and management, see the Barracuda Cloud Control Overview.
The same tabbed pages are available on the Barracuda Cloud Control for managing all aspects of your Barracuda Email Security Gateway
configuration that you see in each individual web interface, and you can create aggregated reports for multiple Barracuda Email Security
Gateways from the Barracuda Cloud Control console. You can connect one or more Barracuda Email Security Gateways to Barracuda Cloud
Control by doing the following:
1. If you don't already have an account with Barracuda Networks, click the Create a New Barracuda Cloud Control Account link on the A
DVANCED > Cloud Control page.
2. Fill in the required information in the popup window to create the account and click Save Changes. Once the changes are saved, you'll
receive a confirmation email in the email account you listed. Respond to the email to complete the new account setup.
3. Log into your Barracuda Email Security Gateway as the administrator. From the ADVANCED > Firmware Upgrade page, check to make
sure you have the latest firmware installed. If not, download and install it now.
4. From the ADVANCED > Cloud Control page, select Yes, enter the Barracuda Networks username and password and click Save
Changes to connect to Barracuda Cloud Control. Note that your Barracuda Email Security Gateway can connect with only one
Barracuda Cloud Control account at a time.
5. Log into Barracuda Cloud Control with your username and password and you will see your Barracuda Email Security Gateway statistics
displayed on the BASIC > Dashboard page. To access the web interface of your Barracuda Email Security Gateway, click on the link in
the Products column in the Cloud Control pane on the left side of the page. Or you can click on the product name in the Product column
of the Unit Health pane on the right side of the page.
6. Follow steps 3 and 4 to connect every subsequent Barracuda Email Security Gateway to Barracuda Cloud Control.
7. To stop the synchronization between your Barracuda Email Security Gateway and Barracuda Cloud Control, from the ADVANCED >
Cloud Control page on the Barracuda Email Security Gateway, enter the Barracuda Cloud Control username and password for the
particular account associated with that device and click No for Connect to Barracuda Cloud Control. Do this when you know that there
will be a loss of connectivity between the Barracuda Email Security Gateway and Barracuda Cloud Control due to the appliance being
physically moved or other network connectivity issues.
Note that reports cannot be emailed from the Barracuda Email Security Gateway when using Barracuda Cloud Control. The Barracuda Cloud
Control Status field indicates whether or not this Barracuda Email Security Gateway is connected to Barracuda Cloud Control.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
232
Barracuda Email Security Gateway Panel Indicators and Ports
The illustrations in this article are based on current hardware models, however, models differ based on release date and may change in
the future. If your appliance connections differ from those shown in this article, contact Barracuda Technical Support for additional
information.
Barracuda Email Security Gateway Models 100, 200, 300, and 400
Front Panel Model 100, 200, 300, and 400
The following figure illustrates the Barracuda Email Security Gateway power and disk activity indicator lights for models 100, 200, 300, and 400:
The following table describes the Barracuda Email Security Gateway power and disk activity indicator lights for models 100, 200, 300, and 400:
Component Name
Description
Power Button
Push to power on the Barracuda Email Security Gateway, tap to
safely reset the Barracuda Email Security Gateway.
Reset Button
Push for five seconds to reset the Barracuda Email Security
Gateway.
Power Indicator
Displays a solid blue when the system is powered on.
Disk Light
Displays a solid green light and blinks during disk activity.
Rear Panel Ports and Connectors Models 100 and 200
The following figure illustrates the Barracuda Email Security Gateway rear panel ports and connectors for models 100 and 200:
The following table describes the Barracuda Email Security Gateway models 100 and 200:
Port/Connector Name
Details
Power Supply
Power supply input.
Mouse Port
Optional. Mouse port.
Keyboard Port
Optional. PS2 keyboard connection.
VGA Port
Recommended. Video graphics array (VGA) monitor connection.
HDMI Port
Optional. HDMI video connection.
USB Ports (4)
Optional. USB device connection.
Network Port
Network connection.
Microphone
Optional. Microphone line-in connection.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Line In/Line Out Jack
233
Optional. Audio input/output connections.
Rear Panel Ports and Connectors Model 300
The following figure illustrates the Barracuda Email Security Gateway rear panel ports and connectors for model 300:
Rear Panel Ports and Connectors Model 300
The following table describes the Barracuda Email Security Gateway model 300:
Port/Connector Name
Details
Power Supply
Power supply input.
Mouse Port
Optional. Mouse port.
Keyboard Port
Optional. PS2 keyboard connection.
USB Ports (4)
Optional. USB device connection.
Dual Link DVI-D Port
Optional. Digital monitor connection.
VGA Port
Recommended. Video graphics array (VGA) monitor connection.
Network Port
Network connection.
Rear Panel Ports and Connectors Model 400
The following figure illustrates the Barracuda Email Security Gateway rear panel ports and connectors for model 400:
The following table describes the Barracuda Email Security Gateway model 400:
Port/Connector Name
Details
Power Supply
Power supply input.
Fan
Fan.
Mouse Port
Optional. Mouse port.
Keyboard Port
Optional. PS2 keyboard connection.
USB Ports (4)
Optional. USB device connection.
Dual Link DVI-D Port
Optional. Digital monitor connection.
VGA Port
Recommended. Video graphics array (VGA) monitor connection.
Network Port
Network connection.
Barracuda Email Security Gateway Model 600
Front Panel Model 600
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
234
The following figure illustrates the Barracuda Email Security Gateway power and disk activity indicator lights for model 600:
The following table describes the Barracuda Email Security Gateway power and disk activity indicator lights for model 600:
Component Name
Description
Reserved
Reserved for future use.
Network Activity (2)
Blinks green to indicate network activity.
Disk Indicator
Displays a solid green light and blinks during disk activity.
Power Indicator
Displays a solid green when the system is powered on.
Reset Button
Push for 5 seconds to reset the Barracuda Email Security Gateway.
Power Button
Push to power on the Barracuda Email Security Gateway, tap to
safely reset the Barracuda Email Security Gateway.
Rear Panel Port and Connectors Model 600
The following figure illustrates the Barracuda Email Security Gateway rear panel ports and connectors for model 600:
The following table describes the Barracuda Email Security Gateway model 600:
Port/Connector Name
Details
Power Supply
Power supply input.
Mouse Port
Optional. Mouse port.
Keyboard Port
Optional. PS2 keyboard connection.
USB Ports (2)
Optional. USB device connection.
Serial Port
Optional. Serial device connection.
VGA Port
Recommended. Video graphics array (VGA) monitor connection.
Network Ports (2)
Network connection.
Barracuda Email Security Gateway Models 800, 900, and 1000
Front Panel Models 800, 900, and 1000
The following figure illustrates the Barracuda Email Security Gateway power and disk activity indicator lights for models 800, 900, and 1000:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
235
The following table describes the Barracuda Email Security Gateway power and disk activity indicator lights for model 800, 900, and 1000:
Component Name
Description
Reserved
Reserved for future use.
Network Activity (2)
Blinks green to indicate network activity.
Disk Indicator
Displays a solid green light and blinks during disk activity.
Power Indicator
Displays a solid green when the system is powered on.
Reset Button
Push for 5 seconds to reset the Barracuda Email Security Gateway.
Power Button
Push to power on the Barracuda Email Security Gateway, tap to
safely reset the Barracuda Email Security Gateway.
Rear Panel Port and Connectors Models 800, 900, and 1000
The following figure illustrates the Barracuda Email Security Gateway rear panel ports and connectors for models 800, 900, and 1000
The following table describes the Barracuda Email Security Gateway models 800, 900, and 1000:
Port/Connector Name
Details
Power Supply (2)
Power supply input.
Power Indicator Lights
Displays:
Green light when the system is powered on and the power
supply is healthy.
Orange/Amber light = the power supply is degraded, such as, for
example, one of the two PSUs is not functioning. Pushing the
Reset button may solve
the problem; otherwise one of the PSUs should be replaced.
No light = the power supply is not working.
Mouse Port
Optional. Mouse port.
Keyboard Port
Optional. PS2 keyboard connection.
USB Ports (2)
Optional. USB device connection.
Serial Port
Optional. Serial device connection.
VGA Port
Recommended. Video graphics array (VGA) monitor connection.
Network Ports (2)
Network connection.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
236
Troubleshooting
The following diagnostic tools should help you troubleshoot most problems. Please read this article before contacting Barracuda Networks
Technical Support. See also Replacing a Failed System.
Basic Troubleshooting Tools
The ADVANCED > Troubleshooting page provides a suite of tools that help troubleshoot network connectivity issues that may be impacting the
performance of your Barracuda Email Security Gateway.
For example, you can test your Barracuda Email Security Gateway’s connection to the Barracuda Networks update servers to make sure that it
can successfully download the latest Energize Update definitions. You can also ping or telnet to other devices from the Barracuda Email Security
Gateway, perform dig/NS-lookup, TCP dump and perform a trace route from the Barracuda Email Security Gateway to any another system.
Connect to Barracuda Support Servers
In the Support Diagnostics section of the ADVANCED > Troubleshooting page, you can initiate a connection between your Barracuda Email
Security Gateway and the Barracuda Networks Technical Support Center which will allow technical support engineers to troubleshoot any issues
you may be experiencing.
Rebooting the System in Recovery Mode
If your Barracuda Email Security Gateway experiences a serious issue that impacts its core functionality, you can use diagnostic and recovery
tools that are available from the reboot menu (see below) to return your system to an operational state.
Before you use the diagnostic and recovery tools, do the following:
Use the built-in troubleshooting tools on the ADVANCED > Troubleshooting page to help diagnose the problem.
Perform a system restore from the last known good backup file.
Contact Barracuda Networks Technical Support for additional troubleshooting tips.
As a last resort, you can reboot your Barracuda Email Security Gateway and run a memory test or perform a complete system recovery, as
described below.
To perform a system recovery or hardware test:
1. Connect a monitor and keyboard directly to your Barracuda Email Security Gateway.
2. Reboot the system by doing one of the following:
- In the web interface: Go to the BASIC > Administration page, navigate to the System Management section, and click Restart.
- At the front panel of the Barracuda Email Security Gateway: Press the Power button on the front panel to turn off the system, and then
press the Power button again to turn the system on.
The splash screen displays with the following three boot options:
Barracuda
Recovery
Hardware_Test
3. Use your keyboard to select the desired boot option, and press the Enter key. You must select the boot option within three seconds after
the splash screen appears. If you do not select an option within three seconds, the Barracuda Email Security Gateway starts up in Norm
al mode (first option). For a description of each boot option, refer to Reboot Options below.
To stop a hardware test, reboot your Barracuda Email Security Gateway by pressing the Ctrl-Alt-Del keys.
Reboot options
The table below describes the options available at the reboot menu.
Reboot Options
Description
Barracuda
Starts the Barracuda Email Security Gateway in the normal (default)
mode. This option is automatically selected if no other option is
specified within the first three seconds of the splash screen
appearing.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Recovery
237
Displays the Recovery Console, where you can select the following
options:
Barracuda Repair (no data loss) – Repairs the file system on
the Barracuda Email Security Gateway.
Full Barracuda Recovery (all data lost) – Restores the factory
settings on your Barracuda Email Security Gateway and clears
out the configuration information.
Enable remote administration (reverse runnel) – Turns on
reverse tunnel that allows Barracuda Networks Technical
Support to access the system. Another method for enabling
remote administration is to click Establish Connection to
Barracuda Support Center on the ADVANCED
>Troubleshooting page.
Diagnostic memory test – Runs a diagnostic memory test from
the operating system. If problems are reported when running this
option, Barracuda recommends running the Hardware_Test
option next.
Hardware_Test
Performs a thorough memory test that shows most memory related
errors within a two-hour time period. The memory test is performed
outside of the operating system and can take a long time to
complete. Reboot your Barracuda Email Security Gateway to stop
the hardware test.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
238
Maintenance
Backing up and Restoring Your System
You should back up your system on a regular basis in case you need to restore this information on a replacement Barracuda Email Security
Gateway or in the event that your current system data becomes corrupt. Please see How to Back Up and Restore System Information and make
this a part of your routine maintenance plan.
Updating the Firmware on your Barracuda Email Security Gateway
This should be one of the steps the administrator performs in the initial installation of the Barracuda Email Security Gateway. Use the ADVANCE
D > Firmware Update page to manually update the firmware version of the system or revert to a previous version. The only time you should
revert back to an old firmware version is if you recently downloaded a new version that is causing unexpected problems. In this case, call Barracu
da Networks Technical Support before reverting back to a previous firmware version.
Updating the Firmware of Clustered Systems
If a system is part of a cluster, we recommend changing the system’s Mode in the Clustered Systems section of the ADVANCED > Clustering
page to Standby before you upgrade its firmware, and then repeat this process on each system in the cluster. Once the firmware on each system
has been upgraded, you can then change the mode on each system back to Active.
Changing a clustered system to Standby mode before upgrading prevents a system on a more recent firmware version from trying to synchronize
its configuration with a system on an earlier firmware version. If you have the latest firmware version already installed, the Download Now button
on the ADVANCED > Firmware Update page is disabled.
Applying a new firmware version results in a temporary loss of service. For this reason, you should apply new firmware versions during
non-busy hours. Before upgrading, BE SURE TO TAKE THE Barracuda Email Security Gateway OFFLINE. This will ensure that the
inbound mail queue is emptied and all messages are scanned before the upgrade process begins. DO NOT MANUALLY REBOOT
YOUR SYSTEM at any time during an upgrade, unless otherwise instructed by Barracuda Networks Technical Support.
The current firmware version shows in the top section of the page, with the latest General Release version of the firmware shown below in the Fir
mware Download section. To download the latest firmware version, click the Download Now button. The web interface will display download
progress. When the firmware download is complete, click the Apply Now button. The Barracuda Email Security Gateway will reboot and you will
need to log in again to the web interface.
Updating the Definitions from Energize Updates
This should be one of the steps the administrator performs in the initial installation of the Barracuda Email Security Gateway. The ADVANCED >
Energize Updates page allows you to manually update the Virus, Policy, and Security Definitions used on your Barracuda Email Security
Gateway or to have them updated automatically. Barracuda Networks recommends that the Automatic Updates option be set to On for all three
types of definitions so that your Barracuda Email Security Gateway receives the latest rules as soon as they are made available by Barracuda
Networks.
Important: If you are using the Barracuda Exchange Anti-Virus Add-in with your MS Exchange mail server, make SURE to set the Automatic
Updates option to On in the Virus Definition Updates section of the ADVANCED > Energize Updates page. This is necessary to ensure that
the add-in receives constant updates of virus signatures from the Barracuda Email Security Gateway.
Reloading, Restarting, and Shutting Down the System
The System Management/Shutdown section on the BASIC > Administration page allows you to shut down, restart, and reload system
configuration on the Barracuda Email Security Gateway. You can also take the system offline if necessary, which is recommended whenever you
do a Firmware Update. A unit in Offline (Maintenance) mode will stop accepting incoming mail until it is put back online.
Shutting down the system powers off the unit. Restarting the system reboots the unit. Reloading the system re-applies the system configuration.
You can also perform a hard reset of the Barracuda Email Security Gateway by pressing the RESET button on the front panel of the system.
Caution should be used when pressing the reset button, however, since doing so while the Barracuda Email Security Gateway is in the midst of a
configuration update or other task can result in inadvertent corruption of the system.
When you press the Reset button, the following actions occur:
Reboots the system
Resets the IP address if held down for 5 seconds or more. Do not press and hold the RESET button for longer than a few seconds –
doing so changes the IP address of the system. Pushing and holding the RESET button for:
5 seconds changes the IP address to the default of 192.168.200.200
8 seconds changes the IP address to 192.168.1.200
12 seconds changes the IP address to 10.1.1.200
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
239
Bayesian Database Reset
If you have Use Bayesian set to Yes on the BASIC > Spam Checking page, read this section. For more information about how Bayesian
Analysis works, please see Bayesian Analysis Inbound.
For a global Bayesian database, the administrator should periodically (every 6 months or so) clear it out by resetting it from the BASIC >
Spam Checking page, then, from the BASIC > Message Log page, marking at least 200 messages as either Spam or Not spam using
the buttons on the page. Bayesian filtering will NOT take effect until 200 or more of each spam and not-spam messages are marked as
such.
If per-user Bayesian is enabled (from the USERS > User Features page), each user should reset their own Bayesian database and
follow up with marking 200 or more messages as spam or not spam, either in their quarantine inbox (QUARANTINE > Quarantine Inbox
page) or from their regular email client if they have installed either the MS Outlook add-in or Lotus add-in. For more information about
mail client add-ins, see Barracuda Outlook Add-In Overview 6 and Above and the USERS > User Features page in the web interface.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
240
How to Back Up and Restore System Information
Three Kinds of Backup Files
The ADVANCED > Backup page lets you back up and restore three kinds of backup files for your Barracuda Email Security Gateway:
System configuration
Bayesian databases - global and per-user (if your model supports per-user)
Explicit Users to Accept For and Alias Linking data
You should back up your system on a regular basis in case you need to restore this information on a replacement Barracuda Email Security
Gateway or in the event that your current system data becomes corrupt.
To prepare the system for backing up, first configure your backup server information, then select which, if not all, backups you want to create,
and, if desired, a schedule of automated backups on the ADVANCED > Backup page. If you are restoring a backup file on a new Barracuda
Email Security Gateway that is not configured, you first need to assign your new system an IP address and DNS information on the BASIC > IP
Configuration page of the new system.
Important notes about backups:
Do not edit backup files. Any configuration changes you want to make need to be done through the Web interface. The configuration
backup file contains a checksum that prevents the file from being uploaded to the system if any changes are made.
You can safely view a backup file in Windows WordPad or TextPad. You should avoid viewing backup files in Windows Notepad
because the file can become corrupted if you save the file from this application.
The firmware version running on the system when the backup file was generated should match the firmware version on the system you
are restoring onto. If it does not match, you will see a warning at the top of the page when you attempt to restore.
Information not backed up with the system configuration file includes system password, system IP information, DNS information
and clustering settings. For a complete list of settings that are not backed up, please click the Help button on the ADVANCED > Backup
page.
For Automated Backups, you must select a server type. If you select FTP, note the following. The Barracuda Email Security Gateway, by
default, initiates ftp in passive mode. If your backup times out, and your ftp server is running in passive mode, and you have a firewall
between your Barracuda Email Security Gateway and your ftp server, you may need to open ports on your firewall to allow passive-mode
ftp connections. The port range depends on your ftp server configuration. Ideally, the firewall should be configured so that only that range
of ports is accessible to the ftp server machine. Make sure that there aren't any other TCP services with port numbers in the port range
listening on the ftp server machine.
Restoring a Backup
Restoring a backup simply requires browsing your local system with the click of a button on the ADVANCED > Backup page and selecting a
backup file. Please click the Help button on that page for details about restoring backups.
Do not restore a configuration file onto a machine that is currently part of a cluster. All cluster information will be lost and the units will
need to be re-clustered if this happens.
If you need to restore a backup from one Barracuda Email Security Gateway model to a different model, please contact Barracuda
Technical Support before proceeding. Note that settings on one model may not apply to a different model.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
241
Replacing a Failed System
Replacing a Failed System
Before you replace your Barracuda Email Security Gateway, use the tools provided on the ADVANCED > Troubleshooting page to try to
resolve the problem, or call Barracuda Networks Technical Support.
Barracuda Instant Replacement Service
In the event that a Barracuda Email Security Gateway fails and you cannot resolve the issue, customers that have purchased the Instant
Replacement service can call Barracuda Networks Technical Support and arrange for a new unit to be shipped out within 24 hours.
After receiving the new system, ship the old Barracuda Email Security Gateway back to Barracuda Networks at the address below with an RMA
number marked clearly on the package. Barracuda Networks Technical Support can provide details on the best way to return the unit.
Barracuda Networks
3175 S. Winchester Blvd
Campbell, CA 95008
attn: RMA # <your RMA number>
To set up the new Barracuda Email Security Gateway so it has the same configuration as your old failed system, first manually
configure the new system’s IP information on the BASIC > IP Configuration page, and then restore the backup file from the old
system onto the new system. For information on restoring data, refer to How to Back Up and Restore System Information. For
information on returned device management, refer to How Barracuda Networks Manages Returned Device Drives.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Tools and Add-Ins
In this Section
Barracuda Email Security Gateway API Guide
Barracuda Message Center User's Guide
Barracuda Email Security Gateway User 's Guide 6 and Above
Barracuda Spam Firewall User's Guide 5.x
Barracuda Outlook Add-In Overview 6 and Above
Barracuda Outlook Add-In Overview 5.x
Barracuda Outlook Add-In Deployment Guide 6.1.2 and Above
Barracuda Outlook Add-In Deployment Guide 5.x
SMTP Error Codes
Barracuda Outlook Add-In Deployment Guide version 7 and Above
Copyright © 2017, Barracuda Networks Inc.
242
Barracuda Email Security Gateway Administrator's Guide - Page
243
Barracuda Email Security Gateway API Guide
How the Barracuda API Works
The Barracuda set of APIs provides for remote administration and configuration of the Barracuda Email Security Gateway version 4.x and above.
Two sets of APIs are presented in this guide: the General APIs section covers "generic" APIs that may be used with all Barracuda Networks
appliances that support an API, and the APIs for the Barracuda Email Security Gateway section covers APIs that are specific only to the
Barracuda Email Security Gateway. Most of the examples shown use Perl script.
The framework of the API provides for the programmer to get or set variables inside an XML-RPC request that correspond to field values in the
configuration database in the Barracuda Email Security Gateway. Some languages such as Perl, for example, provide wrappers for XML-RPC
requests, providing an interface to form the request.
What Can Be Configured With the APIs
The APIs work through manipulation of variables inside of the system configuration database, and anything that can be declared in that database
can be set or checked with the APIs. This includes most things that you can set by clicking the Save button in the Barracuda Email Security
Gateway web interface. For example, from the BASIC > Spam Checking page, you can set global Spam Scoring Limit for the actions Block,
Tag or Quarantine, and then click the Save button:
Conversely, most things that correspond to "action" type buttons in the web interface cannot be configured by the APIs. For example, from the B
ASIC > Administration page, you can click a button to take the system offline, to shut it down or to clear the message log, but you cannot
execute these "actions" via the APIs. An exception to this is the Reload feature/button – there is an API to re-apply the system configuration.
Understanding Variables in the Configuration
The examples in this guide demonstrate getting and setting some of the variables in the configuration database. Some examples use variable
names in the method calls, while other examples use explicit values, just to demonstrate both ways of making API calls.
Important note: Make sure not to use an editor that may add special characters. Also make sure to use single quotes to surround literal values in
your calls, and use double quotes to surround variables. For example:
my $url
= "http://$cuda_ip:80/cgi-mod/api.cgi?password=help";
my $result = $xmlrpc->call ('config.set', { type=>'domain',
path => 'barracuda.com',
mta_relay_advanced_host => '1.3.3.7'
});
Two of the methods in the General APIs section, config.varlist and config.var_attr, are utilities that provide information on scope and attributes of
configuration variables to help you understand how to access and use them. Calling these methods prior to using the other APIs will provide a
good reference of the configuration variables.
Secured Access to the APIs
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
244
Access to these APIs are limited to IP addresses on a trusted IP address list configured on the BASIC > Administration page in the Allowed
API IP/Range section of the Barracuda Email Security Gateway web interface. Make sure to enter the IP address(es) from which you'll access
the APIs in this section of the web interface as the first thing you do. Attempts to call these APIs from any IP address that is not on the list will be
denied. All calls to the APIs require the use of the API password, which is set on the same page and section in the web interface.
XML-RPC Model
In the APIs, action parameters are received as XML strings that comply with the XML-RPC specification, which can be viewed here: http://www.X
MLrpc.com/spec. This requires that requests for all actions be in the form of an HTTP POST request. All actions are rolled into one CGI script (for
example: api.cgi) and map to an XML-RPC method, and the parameters are those needed for the action to complete.
For example, the get action maps to the config.get XML-RPC method and all the parameters needed for the get will be sent in the XML body.
The Perl module XML::RPC (note that this is not a part of the standard Perl distribution) will be used by api.cgi to retrieve the requested method
and parameters. Once this is done, the action is performed and the response is sent back to the client. When an error is detected, a response
that complies with the fault response of the XML-RPC specification is sent (see examples below). This response contains both a fault code and a
meaningful fault string. See Appendix 1 of this guide for a list and explanation of fault codes.
The XML-RPC Request and Response
The XML script is called from a Perl script or other scripting language. Each API takes its own set of parameters which are submitted in the XML
body of the request. Examples of the XML output follow the request example below, both for a successful request as well as for a request that
returns an error. The single-value request / response involves a single variable value. Responses that contain multiple values will send the values
back as an XML-RPC array. The response from the scripts is in the form of XML per the examples shown in this guide.
To make the request, use the base URL of your Barracuda Email Security Gateway that you use for connecting to the web interface and append
the script name you wish to use. For example, if your script is called 'api.cgi', your URL might look something like this:
http://barracuda.mydomain.com:8000/cgi-mod/api.cgi
Parameters used to build the request typically include some or all of the following:
variable :: A required parameter that tells the API which variable to return from the configuration. For example, the configuration variable
'scana_block_level' represents the global Spam Scoring Limit block level as set on the BASIC > Spam Checking page in the web
interface. To get or set this variable's value, you'd put 'scana_block_level' in the XML request body specified as a variable:
<name>variable</name>
<value>
<string><![CDATA[scana_block_level]]>
</string>
</value>
password :: A required parameter which the API uses to authenticate access to a page and which is set by the administrator on the BAS
IC > Administration page in the API Password field. See the contents of 'my $url' in the Single Value Request / Response example
below, which uses a password of '1234'.
type :: A parameter that specifies the class/scope of a variable. The "scope" of a variable would be one of either global (for global
settings), domain (for per-domain settings) or user (for per-user settings).
If the variable is a "tied variable", however, one or more other variables are related to it, so multiple variables will be specified in the XML request.
For example, on the BLOCK/ACCEPT > IP Reputation page, a custom RBL domain name or IP address is associated with, or "tied to" an
"action" of Block, Quarantine or Tag. The variable names to set, which you'll see in the configuration file, are mta_rbl_custom_name and
mta_rbl_custom_action respectively. In this case, the "type" would be 'mta_rbl_custom_name'.
path :: A parameter that typically corresponds to scope_data which refers to the particular instance of the object. For variables with
global scope, the path is an empty string because there can be only one instance of global and it is the "starting point" in the same
manner, for example, as the root (/) directory in Unix. So all variable and objects under global scope have type as 'global' and path as an
empty string.
When setting the value of a variable or variables that have a type of 'domain', the path would be expressed as the domain name. When
working with tied variables such as 'httpd_acl_ip_config_address' which relates to a value of 'httpd_acl_ip_config_netmask', for example,
the path would be expressed as the actual IP address corresponding to 'httpd_acl_ip_config_address', as shown in this example:
To get the value of httpd_acl_ip_config_netmask corresponding to the httpd_acl_ip_config_address of 192.168.1.1 , the arguments would be:
type:
httpd_acl_ip_config_address
path:
192.168.1.1
variable: httpd_acl_ip_config_netmask
Single Value Request / Response
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
245
To determine the Spam Scoring Limit global Block level (set in the web interface on the BASIC > Spam Checking page) for the Barracuda
Email Security Gateway, use the config.get method to retrieve the current Block value as shown in this example.
To set the value of the global Block level, call the config.set method and set the variable scana_block_level to the desired value. Both calls deal
with a single value. In the configuration, you'll see this entry for the global Spam Scoring Limit Block level, indicating that the current setting is '9'
on the scale from 0-10:
# Default Block Level
scana_block_level = 9
Example: Perl
The config.get request would look something like this as called from a Perl script. The additional examples in further sections of this guide will
only show the call from a Perl script.
#!/usr/bin/perl
use strict;
use LWP::UserAgent;
use HTTP::Request::Common;
# IP Address of your Barracuda
my $cuda_ip = '192.168.126.98';
my $url = "http://$cuda_ip:80/cgi-mod/api.cgi?password=help" ;
my $ua = new LWP::UserAgent;
my $req = new HTTP::Request 'POST', $url;
my $xml = qq|
Here's the XML:
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.get</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>variable</name>
<value><string><![CDATA[scana_block_level]]></string>
</value>
</member>
<member>
<name>type</name>
<value><string><![CDATA[global]]></string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
|;
# setup transport object with request object
$req->content_type('text/xml');
$req->content($xml);
# send the request over transport object
my $res = $ua->request($req);
# show the response from the Barracuda
print $res->as_string;
# END
The request is an HTTP POST to the /cgi-mod/api.cgi '. The POST data is an XML body that contains the request method config.get inside the
<methodName> tag. The requested method is config.get since we are trying to retrieve the global Block level.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
246
Note that the mandatory parameters needed for completing this action, "variable" (name of the configuration variable) and "password", are
contained inside the <struct> tag. Each parameter is identified by the name (<name> tag) and the value (<value> tag). Possible types for each
parameter are restricted by the types listed in the XML-RPC specification.
This example includes only the mandatory parameters. Optional parameters can be added to the XML body using the format mentioned and will
be processed accordingly. Sample output for the request would look something like this:
HTTP/1.1 200 OK
Connection: close
Date: Thu, 24 Jun 2010 18:41:47 GMT
Server: BarracudaHTTP 2.0
Content-Type: text/xml; charset=UTF-8
Client-Date: Thu, 24 Jun 2010 18:42:08 GMT
Client-Peer: 192.168.126.98:80
Client-Response-Num: 1
Client-Transfer-Encoding: chunked
Here's the XML:
<?xml version="1.0" encoding="UTF-8" ?>
<methodResponse>
<methodName>config.get</methodName>
<params>
<param>
<value>
<i4>7</i4>
</value>
</param>
</params>
</methodResponse>
All responses will contain the 200 OK success status code. Content-type of the response will be text/XML. The actual response, i.e. the value of
the requested configuration variable, will be sent inside the <value> tag.
Multi-Value Response
Responses that contain multiple values will send the values back as an XML-RPC array. The example below is a request for a list of domains
configured as Accepted Email Recipient Domain(s) on the Barracuda Email Security Gateway, which can be set from the BASIC > IP
Configuration page in the web interface and which are stored in the configuration database in the mta_relay_domain variable.
The response may include multiple values, returned as an array inside the <array> tag. The format of the XML response body looks like this,
returning three (domain name) values:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
247
OK <?XML version="1.0" encoding="UTF8"?>
<methodResponse>
<params>
<param>
<value>
<struct>
<member>
<name>mta_relay_domain</name>
<value>
<array>
<data>
<value>
<string>domain1.com</string>
</value>
<value>
<string>domain2.com</string>
</value>
<value>
<string> domain3.com</string>
</value>
</data>
</array
</value>
</member>
</struct>
</value>
</param>
</params>
</methodResponse>
Error Response
Error responses use the XML-RPC faultCode and faultString formats. The error code will be the value of the faultCode member and the error
string will be the value
of the faultString member. See the Appendix 1 for a list of faultCodes and descriptions of possible errors. Here's an example of an error
response, showing the XML:
OK <?XML version="1.0"?>
<methodResponse>
<fault>
<value>
<struct>
<member>
<name>faultCode</name>
<value><i4>500</4></value>
</member>
<member>
<name>faultString</name>
<value>
<string>No such variable in configuration</string>
</value>
</member>
</struct>
</value>
</fault>
</methodResponse>
Example – PHP
This example calls the user.create API to create a new user account, which is covered in the APIs for the Barracuda Email Security Gateway s
ection of this guide. The library used for this example can be found on the following sourceforge page:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
248
http://sourceforge.net/projects/phpxmlrpc/
In the code the library is included as a file. Make sure this file is readable from within your environment.
<?php
include("xmlrpc.inc");
$y = new xmlrpcval(
array(
"user" => new xmlrpcval("newuser@domain.com", "string")
), "struct");
$m = new xmlrpcmsg('user.create');
$m->addParam($y);
$c = new xmlrpc_client("/cgi-mod/api.cgi?password=[APIPassword]", "[BarracudaIP]", [BarracudaPort]);
$r = $c->send($m);
if (!$r->faultCode()) {
$v = $r->value();
print $r->serialize();
} else {
print "Fault <BR>";
print "Code: " . htmlentities($r->faultCode()) . "<BR>" .
"Reason: '" . htmlentities($r->faultString()) . "'<BR>";
}
?>
Example – Java
This example calls the user.create API to create a new user account, which is covered in the APIs for the Barracuda Email Security Gateway
section of this guide. In the example, a key value pair is created using a standard Map class and added into a Vector list.
Required: Apache WS XML-RPC:
http://ws.apache.org/xmlrpc/
import org.apache.xmlrpc.client.XmlRpcClient;
import org.apache.xmlrpc.client.XmlRpcClientConfigImpl;
import java.net.URL;
import java.util.Hashtable;
import java.util.Map;
import java.util.Vector;
public class BarracudaAPI {
public static void main(String[] argv) {
try {
XmlRpcClientConfigImpl config = new XmlRpcClientConfigImpl();
config.setServerURL(new URL("http://[BarracudaIP]:[BarracudaPort]/cgi-mod/api.cgi?password=[APIPassword]"));
XmlRpcClient client = new XmlRpcClient();
client.setConfig(config);
// Create key value pair
Map keyVals = new Hashtable();
keyVals.put("user","newuser@domain.com");
// Start building the parameter list
Vector params = new Vector();
// Add key parameter
params.add( keyVals );
Object result = client.execute("user.create", params);
System.out.println(result);
} catch( Exception ex) {
ex.printStackTrace();
}
}
}
How to Access Variables in the Configuration
To determine the name of the variable you want to configure, log into the Barracuda Email Security Gateway web interface as admin. On the
page where you configure the setting, highlight the value field, right click and select Inspect Element. The <input_id> typically contains the name
of the configuration variable. See the blue highlight in the figure below: the part of the <input_id> after UPDATE_ is the variable name. In this
case, it is alerts_email_address.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
249
General APIs
The API interfaces presented in this section are general in that they are applicable to the Barracuda Email Security Gateway as well as to other
Barracuda Networks appliances. The examples presented here are specific to the Barracuda Email Security Gateway.
Config.get
Use this method to retrieve values of variables in the system configuration. If the variable requested has only a single value (Spam Tag
Configuration Subject Tag level, for example), the output will be different than the output for a variable that contains a list (users, domains, etc.).
This method gets the value of the variable in the object of $type named $path. The return $value is a reference to an array if it is multi-valued, i.e.
a list.
Refer to the example in Single Value Response above for getting a variable with a single value and to Multi-value Response above for getting
a variable that contains a list. Arguments to the method can be specified by just adding the parameter in the XML request.
Parameters Allowed : The following variables are used with the config.get method. These variables should be provided as part of the request
XML in the HTTP POST request.
variable :: A required parameter that tells the API which variable to return.
password :: A required parameter which the API uses to authenticate access to a page and which is set by your administrator.
type :: A required parameter that specifies the class/scope of a variable.
path :: A required parameter that is the qualified name of an object for which the value is required. Note that the value for path is an
empty string for getting a variable under global scope.
Example 1: Get the value of a variable under global scope - System Alerts Email Address
Getting the current value of a system variable uses the config.get method. This example gets the value of the System Alerts Email Address vari
able, typically set from the BASIC > Administration page.
Arguments:
type: 'global'
variable: alerts_email_address
The name of the variable, alerts_email_address , is shown in the <input_id>, to the right of Update_.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
250
XML code for this example
Note that the <name> tag indicates that the API applies to a single variable in the configuration. The <value> tag indicates that the expected
value of that variable is a string, and takes the variable name noted above, alerts_email_address, as the input.
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.get</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>variable</name>
<value><string><![CDATA[alerts_email_addressl]]></string>
</value>
</member>
<member>
<name>type</name>
<value><string><![CDATA[global]]></string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Perl code for this example:
Be sure to use single quotes to surround literal values in your calls, and use double quotes to surround variables.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
251
use strict;
use warnings;
use XML::RPC;
# IP Address of your Barracuda Web Filter
my $cuda_ip = "10.5.7.211";
# API Password
my $password = "1234";
my $url = " http://$cuda_ip:8000/cgi-mod/api.cgi?password=$password ";
#Create the XML::RPC object
my $xmlrpc = XML::RPC->new ($url);
my $result;
$result = $xmlrpc->call ('config.get',
{
type => 'global',
variable => 'alerts_email_address',
});
# show the response from the Barracuda Web Filter
print "--- RESPONSE ---";
print $xmlrpc->xml_in();
# END
XML response returned by Perl script:
Here is the XML response returned after running the above Perl script, returning myalerts@barracuda.com as the System Alerts Email
Address:
<methodResponse>
<params>
<param>
<value>
<string><![CDATA[myalerts@barracuda.com]]></string>
</value>
</param>
</params>
</methodResponse>
Example 2: Get the value of a variable under global scope - Subject Tag for Spam Messages
Get the value of a variable, scana_subject_tag in this case, under global scope. This example will return the Subject Tag string to be inserted by
the Barracuda Email Security Gateway in the subject of a message determined to be spam. This setting is configured from the BASIC > Spam
Checking page for the global setting. Note that the path value is an empty string and can be left out, since the scope, or type, is global.
Arguments:
type: 'global'
variable: scana_subject_tag
Sample Request:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
252
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.get</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>variable</name>
<value><string><![CDATA[scana_subject_tag]]></string>
</value>
</member>
<member>
<name>type</name>
<value>
<string><![CDATA[global]]></string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Response:
OK <?XML version="1.0"?>
<methodResponse>
<params>
<param>
<value>
<string><![CDATA[Block]]></string>
</value>
</param>
</params>
</methodResponse>
Example 3: Get the value of a per-domain setting
This example gets the value of the Spam Scoring Limit block level, scana_pd_block_level, for domain thisdomain.net. Since this variable is
in per-domain scope, the type is 'domain' and the path argument must specify a value for the domain you're working with. In the configuration,
this variable is listed like this:
# Domain Spam Block Score
scana_pd_block_level = 5
Arguments:
type: 'domain'
path: 'thisdomain.net'
variable: 'scana_pd_block_level'
Sample Request:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
253
<?XML version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.get</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>variable</name>
<value><string><![CDATA[mta_acl_ip_allow_comment]]></string>
</value>
</member>
<member>
<name>type</name>
<value>
<string><![CDATA[global]]></string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Response:
OK <?XML version="1.0" encoding="UTF8"?>
<methodResponse>
<params>
<param>
<value>
<i4>5</i4>
</value>
</param>
</params>
</methodResponse>
Config.get - tied variable examples
The config.get method can also be used to get the values of variables that are dependent upon, or "tied to" other variables.
Example 1: Get the value of a global tied variable
This example gets the netmask value, httpd_acl_ip_config_netmask, tied to the Allowed API IP/Range value, httpd_acl_ip_config_address, set
on the BASIC > Administration page. These IP addresses allow access to the Barracuda Email Security Gateway via SNMP queries to retrieve
error information or to administer the system via the API. In the request, the IP address is specified in the path. These variables appear in the
configuration like this:
# API/SNMP IP Address List
httpd_acl_ip_config_address = 192.168.1.1
# API/SNMP IP Netmask List
httpd_acl_ip_config_netmask = 255.255.128.0
Arguments:
type:
httpd_acl_ip_config_address
path:
192.168.1.1
variable: httpd_acl_ip_config_netmask
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
254
Sample Request:
<?XML version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.get</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>variable</name>
<value><string> <![CDATA[httpd_acl_ip_config_netmask]]> </string>
</value>
</member>
<member>
<name>path</name>
<value><string>< ![CDATA[global]]> ></string>
</value>
</member>
<member>
<name>type</name>
<value>
<string><![CDATA[domain]]></string>
</value>
</member>
</struct>
</param>
</params>
</methodCall>
Response:
OK <?XML version="1.0" encoding="UTF8"?>
<methodResponse>
<params>
<param>
<value>
<string>![CDATA[255.255.128.0]]</string>
</value>
</param>
</params>
</methodResponse>
Example 2: Get the value of a global tied variable
This example gets the action (Block, Tag, Quarantine) currently assigned to a custom reputation blocklist (RBL) which can be set from the BLOC
K/ACCEPT > IP Reputation page in the web interface. The call gets the value of the mta_rbl_custom_action variable, which is set to "Block",
corresponding to the mta_rbl_custom_name sbl.spamhaus.org, which is under global scope. These variables appear in the configuration like
this:
# Custom RBL Action List
mta_rbl_custom_action = Block
# Custom RBL List
mta_rbl_custom_name = sbl.spamhaus.org
Arguments:
type: 'mta_rbl_custom_name'
path: 'sbl.spamhaus.org'
variable: 'mta_rbl_custom_action'
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Sample Request:
<?XML version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.get</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>variable</name>
<value>
<string><![CDATA[mta_rbl_custom_action]]></string>
</value>
</member>
<member>
<name>path</name>
<value>
<string><![CDATA[sbl.spamhaus.org]]></string>
</value>
</member>
<member>
<name>type</name>
<value>
<string><![CDATA[mta_rbl_custom_name]]></string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Response:
Copyright © 2017, Barracuda Networks Inc.
255
Barracuda Email Security Gateway Administrator's Guide - Page
256
<?XML version="1.0" encoding="UTF8"?>
<methodResponse>
<params>
<param>
<value>
<string><![CDATA[Block]]></string>
</value>
</param>
</params>
</methodResponse>
Example 3: Get the value of a per-domain tied variable
This example gets the netmask currently assigned to a configured IP whitelist, which can be set from the BLOCK/ACCEPT > IP Filters page in
the web interface. The call gets the value of the mta_acl_ip_allow_netmask variable, which is set to "255.255.255.255", corresponding to the
mta_acl_ip_allow_address 2.2.2.2, which is under domain scope with scope_data of thisdomain.net. These variables appear in the
configuration like this:
# Whitelist Netmask
mta_acl_ip_allow_netmask = 255.255.255.255
# Whitelist Address
mta_acl_ip_allow_address = 2.2.2.2
Arguments:
type: 'mta_acl_ip_allow_address'
path: 'thisdomain.net:2.2.2.2'
variable: 'mta_acl_ip_allow_comment'
Sample Request:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
257
<?XML version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.get</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>variable</name>
<value><string> <![CDATA[mta_acl_ip_allow_comment]]> </string>
</value>
</member>
<member>
<name>path</name>
<value><string><![CDATA[thisdomain.net:2.2.2.2]]></string>
</value>
</member>
<member>
<name>type</name>
<value>
<string><![CDATA[mta_acl_ip_allow_address]]></string>
</value>
</member>
</struct>
</param>
</params>
</methodCall>
Response:
OK <?XML version="1.0" encoding="UTF8"?>
<methodResponse>
<params>
<param>
<value>
<string><![CDATA[255.255.255.255]]></string>
</value>
</param>
</params>
</methodResponse>
Config.list
This method lists the children of child_type ('domain', in this case) under the object parent_path of type 'parent_type'.
Parameters Allowed: The following variables are used by the config.list method and should be provided as part of the request XML in the HTTP
POST request.
password :: A required parameter which the API uses to authenticate access to a page and which is set by your administrator.
type :: A required parameter that tells the API about the class/scope of the parent container.
path :: A required parameter that is the qualified name of a parent object. Note that the value for path is an empty string for getting a
variable under global scope.
child_type :: A required parameter that specifies the child class/scope to list.
Example 1: List all valid domains
List all the children of type 'domain' under scope 'global'. This call returns a list of all domains for which the Barracuda Email Security Gateway
will accept email, and which can be created and viewed from the DOMAINS page of the web interface. Each instance of the child_type (domain)
appears in the configuration like this:
#scope:<domain>::scope_data: = 'thisdomain.net'
#scope:<domain>::scope_data = 'barracuda.com'
Arguments:
type: 'global'
path: ''
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
child_type: 'domain'
Sample Request:
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.list</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>child_type</name>
<value>
<string>
<![CDATA[domain]]>
</string>
</value>
</member>
<member>
<name>path</name>
<value>
<string></string>
</value>
</member>
<member>
<name>type</name>
<value>
<string>
<![CDATA[global]]>
</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Copyright © 2017, Barracuda Networks Inc.
258
Barracuda Email Security Gateway Administrator's Guide - Page
259
Response:
OK <?xml version="1.0" encoding="UTF8"?>
<methodResponse>
<params>
<param>
<value>
<array>
<data>
<value>
<string>
<![CDATA[thisdomain.net]]>
</string>
</value>
<value>
<string>
<![CDATA[barracuda.com]]>
</string>
</value>
</data>
</array>
</value>
</param>
</params>
</methodResponse>
Example 2: List of tied objects - all custom RBLs
This example lists all values for the tied object mta_rbl_custom_name, under global scope. Custom RBLs are created from the web interface on
the BLOCK/ACCEPT > IP Reputation page and have an associated action of Block, Tag or Quarantine. In the configuration, the three RBLs
configured in this example would appear like this:
# Custom RBL List
mta_rbl_custom_name = sbl.spamhaus.org
xbl.spamhaus.org
sbl.org
Arguments:
type: 'global'
path: ''
child_type: 'mta_rbl_custom_name'
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Sample Request:
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.list</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>child_type</name>
<value>
<string>
<![CDATA[mta_rbl_custom_name]]>
</string>
</value>
</member>
<member>
<name>path</name>
<value>
<string></string>
</value>
</member>
<member>
<name>type</name>
<value>
<string>
<![CDATA[global]]>
</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Response:
Copyright © 2017, Barracuda Networks Inc.
260
Barracuda Email Security Gateway Administrator's Guide - Page
261
OK <?xml version="1.0" encoding="UTF8"?>
<methodResponse>
<params>
<param>
<value>
<array>
<data>
<value>
<string>
<![CDATA[sbl.spamhaus.org]]>
</string>
</value>
<value>
<string>
<![CDATA[xbl.spamhaus.org]]>
</string>
</value>
<value>
<string>
<![CDATA[sbl.org]]>
</string>
</value>
</data>
</array>
</value>
</param>
</params>
</methodResponse>
Config.set
Use this method to set the values of variables in the system configuration. This method sets the variables(s) with the given values(s) for the
object of type $type, identified by $path.
Parameters Allowed: The following variables are used by the config.set method and should be provided as part of the request XML in the HTTP
POST request.
password :: A required parameter which the API uses to authenticate access to a page and which is set by your administrator.
type :: A required parameter that specifies the class/scope of an object.
path :: A required parameter that is the qualified name of an object for which the values are to be set.
variable list :: This is a required parameter that tells the API what variables are to be set and the corresponding values.
Example 1: Set the value for a scoped object under global scope
Set the value for a scoped object under global scope. This example sets the value of Spam Score limit block level to '4' for the xyz.com domain.
In the web interface, this value would be set from the BASIC > Spam Checking page after clicking on the Manage Domain link for xyz.com on
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
the DOMAINS page.
Arguments:
type: 'domain',
path: 'xyz.com'
variable list: scana_pd_block_level = 4
Sample Request:
Copyright © 2017, Barracuda Networks Inc.
262
Barracuda Email Security Gateway Administrator's Guide - Page
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.set</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>scana_pd_block_level</name>
<value>
<i4>4</i4>
</value>
</member>
<member>
<name>path</name>
<value>
<string>
<![CDATA[xyz.com]]>
</string>
</value>
</member>
<member>
<name>type</name>
<value>
<string>
<![CDATA[domain]]>
</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Response:
Copyright © 2017, Barracuda Networks Inc.
263
Barracuda Email Security Gateway Administrator's Guide - Page
264
OK <?xml version="1.0" encoding="UTF8"?>
<methodResponse>
<params>
<param>
<value>
<struct>
<member>
<name>Result</name>
<value>
<string>
<![CDATA[200: OK]]>
</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodResponse>
Example 2: Set values for several variables under global scope
Set the values of https_port to '443' and mta_rate_control to '40'. The value for Web Interface HTTPS/SSL port can be set on the ADVANCED
> Secure Administration page of the web interface, and the value of Rate Control is set on the BLOCK/ACCEPT > Rate Control page. These
variables appear in the configuration like this (values not yet set):
# HTTPS Web Interface Port
https_port =
# Maximum Connections By IP Per 30 Minutes
mta_rate_control =
Arguments:
type: 'global'
path: ''
variable list: https_port => 443, mta_rate_control => 40
Sample Request:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.set</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>https_port</name>
<value>
<i4>443</i4>
</value>
</member>
<member>
<name>mta_rate_control</name>
<value>
<i4>40</i4>
</value>
</member>
<member>
<name>path</name>
<value>
<string></string>
</value>
</member>
<member>
<name>type</name>
<value>
<string>
<![CDATA[global]]>
</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Example 3: Set the value of a global tied variable
Copyright © 2017, Barracuda Networks Inc.
265
Barracuda Email Security Gateway Administrator's Guide - Page
266
Set the value of httpd_acl_ip_config_netmask to 255.255.128.0 for the httpd_acl_ip_config_address of 192.168.130.222. Note that these
variables are available in the configuration only if you have entered values for Allowed API IP/Range in the BASIC > Administration page, and
would appear in the configuration like this:
# API/SNMP IP Address List
httpd_acl_ip_config_address = 192.168.130.222
# API/SNMP IP Netmask List
httpd_acl_ip_config_netmask =
Arguments:
type: 'httpd_acl_ip_config_address'
path: '192.168.130.222'
variable-value list: httpd_acl_ip_config_netmask =255.255.128.0
Sample Request:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.set
</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>
httpd_acl_ip_config_netmask
</name>
<value>
<string>
<![CDATA[255.255.128.0]]>
</string>
</value>
</member>
<member>
<name>path</name>
<value>
<string>
<![CDATA[192.168.130.222]]>
</string>
</value>
</member>
<member>
<name>type</name>
<value>
<string>
<![CDATA[httpd_acl_ip_config_address]]>
</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Copyright © 2017, Barracuda Networks Inc.
267
Barracuda Email Security Gateway Administrator's Guide - Page
268
Config.create
This method creates an object of a given type and name under the specified parent path. Required variables will be set to their defaults if they
have one; otherwise you must ensure that they have a value before a commit.
Parameters Allowed: The following variables are used by the config.create method and should be provided as part of the request XML in the
HTTP POST request.
password :: A required parameter which the API uses to authenticate access to a page and which is set by your administrator.
parent_type :: A required parameter that tells the API about the class/scope of the parent container.
parent_path :: A required parameter that is the qualified name of a parent object under which a new object will be created.
type :: A required parameter that specifies the child's class/scope to be created.
name :: A required parameter that specifies the name of an object to be created.
variable list :: An optional parameter that tells the API which variable(s) to set in the new object.
Example 1: Create a scoped object in global scope - a new domain
Create a new domain entry of 'xyz.com' under global scope and set the value of variable scana_pd_block_level (per-domain Spam Block level)
to '5'.
Arguments:
parent_type: 'global'
parent_path: ''
type: 'domain'
name: 'xyz.com'
variable list: scana_pd_block_level = '5'
Sample Request:
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.create</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>scana_pd_block_level
</name>
<value>
<i4>5</i4>
</value>
</member>
<member>
<name>parent_type
</name>
<value>
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
269
<string>
<![CDATA[global]]>
</string>
</value>
</member>
<member>
<name>name</name>
<value>
<string>
<![CDATA[xyz.com]]>
</string>
</value>
</member>
<member>
<name>type</name>
<value>
<string>
<![CDATA[domain]]>
</string>
</value>
</member>
<member>
<name>parent_path</name>
<value>
<string></string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Example 2: Create a tied object - custom RBL with a custom action
Create a tied object mta_rbl_custom_name of 'spamhaus.org' with an mta_rbl_custom_action of 'Block'. The resulting entries in the
configuration would look something like this:
# Custom RBL List
mta_rbl_custom_name = spamhaus.org
Arguments:
parent_type:'global'
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
parent_path: ''
type: 'mta_rbl_custom_name'
name: 'spamhaus.org'
variable list: mta_rbl_custom_action = Block
Sample Request:
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.create</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>parent_type</name>
<value>
<string><![CDATA[global]]></string>
</value>
</member>
<member>
<name>name</name>
<value>
<string><![CDATA[spamhaus.org]]></string>
</value>
</member>
<member>
<name>type</name>
<value>
<string>
<![CDATA[mta_rbl_custom_name]]>
</string>
</value>
</member>
<member>
<name>parent_path</name>
<value>
<string></string>
</value>
</member>
<member>
Copyright © 2017, Barracuda Networks Inc.
270
Barracuda Email Security Gateway Administrator's Guide - Page
271
<name>mta_rbl_custom_action</name>
<value>
<string><![CDATA[Block]]></string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Config.delete
This method deletes an object of type $type identified by $path.
Parameters Allowed: The following variables are used by the config.delete method. These variables should be provided as part of the request
XML in the HTTP POST request.
password :: A required parameter which the API uses to authenticate access to a page and which is set by your administrator.
type :: A required parameter which specifies the class/scope of an object.
path :: A required parameter which is the qualified name of an object to be deleted.
Example 1: Deleting a scoped object
Delete domain 'xyz.com'.
Arguments:
type: 'domain'
path: 'xyz.com'
variable-value list: httpd_acl_ip_config_netmask = 255.255.128.0
Sample Request:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
272
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.delete</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>path</name>
<value>
<string><![CDATA[xyz.com]]></string>
</value>
</member>
<member>
<name>type</name>
<value>
<string>
<![CDATA[domain]]>
</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Example 2: Delete a tied object and its tied variable values – global scope
Delete the global tied object mta_rbl_custom_name 'xyz.com' along with all of its tied variables. In this example, the tied variable is
mta_rbl_custom_action, which stores the action (Block, Tag or Quarantine) to take with messages originating from IP addresses in custom
external RBLs. These variables appear in the configuration like this:
# Custom RBL Action List
mta_rbl_custom_action = Block
# Custom RBL List
mta_rbl_custom_name = xyz.com
Arguments:
type: 'mta_rbl_custom_name'
path: 'xyz.com'
Sample Request:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.delete</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>path</name>
<value>
<string><![CDATA[xyz.com]]></string>
</value>
</member>
<member>
<name>type</name>
<value>
<string>
<![CDATA[mta_rbl_custom_name]]>
</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Response:
Copyright © 2017, Barracuda Networks Inc.
273
Barracuda Email Security Gateway Administrator's Guide - Page
274
OK <?xml version="1.0" encoding="UTF8"?>
<methodResponse>
<params>
<param>
<value>
<struct>
<member>
<name>Result</name>
<value>
<string>
<![CDATA[200: OK]]>
</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodResponse>
Example 3: Delete a tied object and its tied variable values – domain scope
Delete the per-domain tied variable mta_sender_allow_address along with its tied variable values. This example deletes the Allowed Email
Address and Domains tied variable values 'test1.com' and 'test2.com' for the domain ‘barracuda.com’.
Arguments:
type: 'mta_sender_allow_address'
path: 'barracuda.com'
Sample Request:
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.delete</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>path</name>
<value>
<string><![CDATA[barracuda.com]]></string>
</value>
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
</member>
<member>
<name>type</name>
<value>
<string>
<![CDATA[domain]]>
</string>
</value>
</member>
<member>
<name>variable</name>
<value>
<string>
<![CDATA[mta_sender_allow_address]]>
</string>
</value>
</member>
<member>
<name>values</name>
<value>
<array>
<data>
<value>
<string>
<![CDATA[test1.com]]>
</string>
</value>
<value>
<string>
<![CDATA[test2.com]]>
</string>
</value>
</data>
</array>
</value>
</member>
</struct>
</value>
</param>
</params>
Copyright © 2017, Barracuda Networks Inc.
275
Barracuda Email Security Gateway Administrator's Guide - Page
276
</methodCall>
Config.add
This method adds the given values to the list variable. This method will not add values to tied variables, and a value added must not already exist
in the list. For adding values to tied variables, use the config.create method.
Parameters Allowed: The following parameters are used by the config.add method and should be provided as part of the request XML in the
HTTP POST request.
password :: A required parameter which the API uses to authenticate access to a page and which is set by your administrator.
parent_type :: A required parameter that tells the API about the class/scope of a parent container.
parent_path :: A required parameter which is the qualified name of a parent object
variable :: A required parameter that specifies the variable for which values will be added.
values :: A required parameter specifying a list of values to be added.
Example – Adding a value to a variable
Add values 192.168.128.34 and 192.168.128.2 to the mta_trusted_relay_host list.
Arguments:
parent_type: 'global'
parent_path: ''
variable: 'mta_trusted_relay_host'
values: ['192.168.128.34', '192.168.128.2']
Sample Request:
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.add</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>parent_type</name>
<value>
<string>
<![CDATA[global]]>
</string>
</value>
</member>
<member>
<name>variable</name>
<value>
<string>
<![CDATA[mta_trusted_relay_host]]>
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
277
</string>
</value>
</member>
<member>
<name>values</name>
<value>
<array>
<data>
<value>
<string>
<![CDATA[192.168.128.34]]>
</string>
</value>
<value>
<string>
<![CDATA[192.168.128.2]]>
</string>
</value>
</data>
</array>
</value>
</member>
<member>
<name>parent_path</name>
<value>
<string></string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Config.remove
Use this method to remove the given value(s) from the list variable. This will not remove values from tied variables. For removing values from tied
variables, use the config.delete method.
Parameters Allowed: The following parameters are used by the config.remove method and should be provided as part of the request XML in the
HTTP POST request.
password :: A required parameter which the API uses to authenticate access to a page and which is set by your administrator.
parent_type :: A required parameter that tells the API about the class/scope of the parent container.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
278
parent_path :: A required parameter and is the qualified name of a parent object.
variable :: A required parameter that specifies the variable for which values should be removed.
values :: A required parameter specifying a list of values to be removed.
Example – Removing values from a variable under global scope
Removes host/domain name values 'mytrustedrelay1.com' and 'mytrustedrelay2.com from the mta_trusted_relay_host list. These Trusted Relay
Host/Domain names are added or deleted on the ADVANCED > Outbound page in the web interface and represent trusted relays on the
Barracuda Email Security Gateway.
Arguments:
parent_type: 'global',
parent_path: ''
variable: 'mta_trusted_relay_host'
values: ['mytrustedrelay1.com', 'mytrustedrelay2.com']
Sample Request:
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.remove</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>parent_type</name>
<value>
<string>
<![CDATA[global]]>
</string>
</value>
</member>
<member>
<name>variable</name>
<value>
<string>
<![CDATA[mta_trusted_relay_host]]>
</string>
</value>
</member>
<member>
<name>values</name>
<value>
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
<array>
<data>
<value>
<string>
<![CDATA[mytrustedrelay1.com]]>
</string>
</value>
<value>
<string>
<![CDATA[mytrustedrelay2.com]]>
</string>
</value>
</data>
</array>
</value>
</member>
<member>
<name>parent_path</name>
<value>
<string></string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Response:
Copyright © 2017, Barracuda Networks Inc.
279
Barracuda Email Security Gateway Administrator's Guide - Page
280
OK <?xml version="1.0" encoding="UTF8"?>
<methodResponse>
<params>
<param>
<value>
<struct>
<member>
<name>Result</name>
<value>
<string>
<![CDATA[200: OK]]>
</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodResponse>
Config.reload
Use this method to re-apply the system configuration, as can be done with the Reload button on the BASIC > Administration page of the web
interface. The output of a successful call is a simple '200 OK' response - results are shown below.
Parameters Allowed: The following variable is used by the config.reload method.
password :: A required parameter which the API uses to authenticate access to a page and which is set by your administrator.
Sample Request:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
281
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.reload</methodName>
<params>
<param>
<value>
<struct>
</struct>
</value>
</param>
</params>
</methodCall>
Config.varlist
Use this method to list all the variables of the configuration and their attributes. This is a good method to call prior to using other APIs so you have
a reference of the configuration variables.
Parameters Allowed: The following variable is used by the config.varlist method.
password :: A required parameter which the API uses to authenticate access to a page and which is set by your administrator.
Sample Request:
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.varlist</methodName>
<params>
<param>
<value>
<struct/>
</value>
</param>
</params>
</methodCall>
Response:
OK <?xml version="1.0" encoding="UTF8"?>
<methodResponse>
<params>
<param>
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
<value>
<struct>
<member>
<name>new_mta_trusted_relay_netmask</name>
<value>
<struct>
<member>
<name>min</name>
<value>
<string></string>
</value>
</member>
<member>
<name>max</name>
<value>
<string></string>
</value>
</member>
<member>
<name>default</name>
<value>
<string></string>
</value>
</member>
<member>
<name>description</name>
<value>
<string>
<![CDATA[Subnet Mask]]>
</string>
</value>
</member>
<member>
<name>choices</name>
<value>
<array>
<data/>
</array>
</value>
</member>
Copyright © 2017, Barracuda Networks Inc.
282
Barracuda Email Security Gateway Administrator's Guide - Page
<member>
<name>required</name>
<value>
<i4>1</i4>
</value>
</member>
<member>
<name>class</name>
<value>
<string>
<![CDATA[global]]>
</string>
</value>
</member>
<member>
<name>type</name>
<value>
<string>
<![CDATA[ip_address]]>
</string>
</value>
</member>
</struct>
</value>
</member>
<member>
<name>mta_outbound_max_queue_lifetime
</name>
<value>
<struct>
<member>
<name>min</name>
<value>
<string></string>
</value>
</member>
<member>
<name>max</name>
<value>
<string></string>
Copyright © 2017, Barracuda Networks Inc.
283
Barracuda Email Security Gateway Administrator's Guide - Page
</value>
</member>
<member>
<name>default</name>
<value>
<i4>48</i4>
</value>
</member>
<member>
<name>description</name>
<value>
<string>
<![CDATA[Outbound Queue Max Message Lifetime(hours):]]>
</string>
</value>
</member>
<member>
<name>choices</name>
<value>
<array>
<data/>
</array>
</value>
</member>
<member>
<name>required</name>
<value>
<i4>1</i4>
</value>
</member>
<member>
<name>class</name>
<value>
<string>
<![CDATA[global]]>
</string>
</value>
</member>
<member>
<name>type</name>
Copyright © 2017, Barracuda Networks Inc.
284
Barracuda Email Security Gateway Administrator's Guide - Page
<value>
<string>
<![CDATA[float]]>
</string>
</value>
</member>
</struct>
</value>
</member>
<member>
<name>auth_radius_server</name>
<value>
<struct>
<member>
<name>min</name>
<value>
<string></string>
</value>
</member>
<member>
<name>max</name>
<value>
<string></string>
</value>
</member>
<member>
<name>default</name>
<value>
<string></string>
</value>
</member>
<member>
<name>description</name>
<value>
<string></string>
</value>
</member>
<member>
<name>choices</name>
<value>
Copyright © 2017, Barracuda Networks Inc.
285
Barracuda Email Security Gateway Administrator's Guide - Page
286
<array>
<data/>
</array>
</value>
</member>
<member>
<name>required</name>
<value>
<string></string>
</value>
</member>
<member>
<name>class</name>
<value>
<string>
<![CDATA[domain]]>
</string>
</value>
</member>
<member>
<name>type</name>
<value>
<string>
<![CDATA[text]]>
</string>
</value>
</member>
</struct>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodResponse>
Config.var_attr
Use this method to list the attributes of the specified variable.
Parameters Allowed: The following variables should be provided as part of the request XML in the HTTP POST request.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
287
password :: A required parameter which the API uses to authenticate access to a page and which is set by your administrator.
variable :: A required parameter that specifies the variable for which attributes are required.
Example – List the attributes and their values for global Block level.
This example lists the attributes of global blocking: min level, max level, current setting, etc. and returns the current value for each attribute.
Sample Request:
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.var_attr</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>variable</name>
<value>
<string>
<![CDATA[scana_block_level]]>
</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Response:
OK <?xml version="1.0" encoding="UTF8"?>
<methodResponse>
<params>
<param>
<value>
<struct>
<member>
<name>scana_block_level</name>
<value>
<struct>
<member>
<name>min</name>
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
<value>
<string></string>
</value>
</member>
<member>
<name>max</name>
<value>
<string></string>
</value>
</member>
<member>
<name>default</name>
<value>
<i4>7</i4>
</value>
</member>
<member>
<name>description</name>
<value>
<string>
<![CDATA[Spam Block Level]]>
</string>
</value>
</member>
<member>
<name>choices</name>
<value>
<array>
<data/>
</array>
</value>
</member>
<member>
<name>required</name>
<value>
<i4>1</i4>
</value>
</member>
<member>
<name>class</name>
Copyright © 2017, Barracuda Networks Inc.
288
Barracuda Email Security Gateway Administrator's Guide - Page
289
<value>
<string>
<![CDATA[global]]>
</string>
</value>
</member>
<member>
<name>type</name>
<value>
<string>
<![CDATA[float]]>
</string>
</value>
</member>
</struct>
</value>
</member>
</struct
</value>
</param>
</params>
</methodResponse>
APIs for the Barracuda Email Security Gateway
Creating a block of new user accounts or domains, deleting one or more of each, listing user accounts, using Regular Expressions and updating
user-level spam score or quarantine inbox settings are some of the remote configuration capabilities presented here for the Barracuda Email
Security Gateway.
User.create
This method creates a user account for the user as specified. The output of a successful call is a simple '200 OK'.
Parameters Allowed: These variables should be provided as part of the request XML in the HTTP POST request.
password :: A required parameter which the API uses to authenticate access to a page and which is set by your administrator.
user :: A required parameter that specifies the user account to be created.
Arguments:
user: test@xyz.com
Sample Request:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
290
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>user.create</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>user</name>
<value>
<string>
<![CDATA[test@xyz.com]]>
</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
User.list
This method simply lists all the user accounts currently on the system.
Parameters Allowed: The following variable should be provided as part of the request XML in the HTTP POST request.
password :: A required parameter which the API uses to authenticate access to a page and which is set by your administrator.
Sample Request:
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>user.list</methodName>
<params>
<param>
<value>
<struct/>
</value>
</param>
</params>
</methodCall>
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
291
Response:
OK <?xml version="1.0" encoding="UTF8"?>
<methodResponse>
<params>
<param>
<value>
<array>
<data>
<value>
<string>
<![CDATA[test@xyz.com]]>
</string>
</value>
<value>
<string>
<![CDATA[test@thisdomain.net]]>
</string>
</value>
</data>
</array>
</value>
</param>
</params>
</methodResponse>
User.remove
Use this method to remove a user account for the user as specified. The output of a successful call is a simple '200 OK'.
Parameters Allowed: The following variables are used by the user.remove method and should be provided as part of the request XML in the
HTTP POST request:
password:: A required parameter which the API uses to authenticate access to a page and which is set by your administrator.
user :: A required parameter that specifies the user account to be removed.
Arguments:
user: test@abcd.com
Sample Request:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>user.remove</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>user</name>
<value>
<string>
<![CDATA[test@abcd]]>
</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Response:
Copyright © 2017, Barracuda Networks Inc.
292
Barracuda Email Security Gateway Administrator's Guide - Page
293
OK <?xml version="1.0" encoding="UTF8"?>
<methodResponse>
<params
<param>
<value>
<struct>
<member>
<name>Result</name>
<value>
<string>
<![CDATA[200: OK]]>
</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodResponse>
User.update_pref
This method updates the preferences for the user account specified. The output of a successful call is a simple '200 OK'.
Parameters Allowed: The following variables are used by the user.update_pref method. These variables should be provided as part of the
request XML in the HTTP POST request.
password :: A required parameter which the API uses to authenticate access to a page and which is set by your administrator.
user :: A required parameter that specifies the user account whose preference is to be updated.
Note: First, use the config.set method to set the user- specific variables for preferences, then use this method to update the preferences.
Arguments:
user: test@abcd.com
Sample Request:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
294
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>user.update_pref</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>user</name>
<value>
<string>
<![CDATA[test@abcd]]>
</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Domain.add
Use this method to add a domain, then use the config.set method to configure settings for that domain in a separate call. Use this method in a
loop to add multiple domains. The output of a successful call is a simple '200 OK'.
Parameters Allowed: The following variables are used by the domain.add method. These variables should be provided as part of the request
XML in the HTTP POST request.
password :: A required parameter which the API uses to authenticate access to a page and which is set by your administrator.
domain :: A required parameter that specifies the domain to be created.
Arguments:
domain: xyz.com
Sample Request:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
295
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>domain.add</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>domain</name>
<value>
<string>
<![CDATA[xyz.com]]>
</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Domain.delete
This method deletes the specified domain. The output of a successful call is a simple '200 OK'.
Parameters Allowed: The following variables are used by the domain.delete method. These variables should be provided as part of the request
XML in the HTTP POST request.
password :: A required parameter which the API uses to authenticate access to a page and which is set by your administrator.
domain :: A required parameter that specifies the domain to be deleted.
Arguments:
domain: xyz.com
Sample Request:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
296
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>domain.delete</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>domain</name>
<value>
<string>
<![CDATA[xyz.com]]>
</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Use Case Scenarios
These examples draw on the information presented above for using various methods to configure the Barracuda Email Security Gateway for
common use cases. Some use cases address domain-level settings and some address global settings.
Use Case – Adding a Whitelist Entry to a User Account
Use the config.add method to add any email senders to the whitelist for a particular user account. This list of senders are not blocked even if the
message matches spam rules. Virus scanning is still applied based on the policy set by the administrator. Whitelisting may be performed by full
email address ("user@domain.com") or domain only ("domain.com").
Important: Per-User Quarantine must be enabled for the domain via the web interface BEFORE you attempt to add per-user whitelist entries. To
do so, first, from the DOMAINS > Domain Manager page, click Manage Domain for the particular domain. For example, if the user account is cu
da_user@barracuda.com, click on Manage Domain for barracuda.com. At the domain level, navigate to the BASIC > Quarantine page and set
Quarantine Type to Per-User. Finally, set Enable User Features toYes.
Arguments:
my $value1
= 'user1@mymail.net';
my $value2
= 'user2@mymail.net';
my $user_account = 'cuda_user@mymail.net';
Sample Request:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
297
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.add</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>parent_type</name>
<value>
<string>
<![CDATA[user]]>
</string>
</value>
</member>
<member>
<name>variable</name>
<value>
<string>
<![CDATA[user_scana_sender_allow]]>
</string>
</value>
</member>
<member>
<name>values</name>
<value>
<array>
<data>
<value>
<string>
<![CDATA[$value1]]>
</string>
</value>
<value>
<string>
<![CDATA[$value2]]>
</string>
</value>
</data>
</array>
</value>
</member>
<member>
<name>parent_path</name>
<value>
<string><![CDATA[$user_account]]></string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Use Case – Adding a Blocklist Entry for a Domain
Use the config.create method to add any IP addresses or networks to the blocklist for a particular domain. This example adds an IP address to
the blocklist for the specified domain and adds values to the per-domain tied variables listed below. The mta_acl_ip_block_action is set to
'quarantine' for mail from the IP address added to the blocklist, and the mta_acl_ip_block_netmask is set to 255.255.255.0 since we're adding
an individual IP address. A comment of 'Blocked IP address' is added as well.
# Add values to per domain tied variable
# Domain – xyz.mydomain.net
# Variable – mta_acl_ip_block_address (domain scope): 10.5.36.59
# Tied variables – mta_acl_ip_block_netmask, mta_acl_ip_block_action, mta_acl_ip_block_comment.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Arguments:
type:
mta_acl_ip_block_address
parent_path:
xyz.mydomain.net
mta_acl_ip_block_netmask: 255.255.255.0
mta_acl_ip_block_action: 'Quarantine'
mta_acl_ip_block_comment: 'Blocked IP Address'
Sample Request:
Copyright © 2017, Barracuda Networks Inc.
298
Barracuda Email Security Gateway Administrator's Guide - Page
299
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.create</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>parent_type</name>
<value>
<string><![CDATA[domain]]></string>
</value>
</member>
<member>
<name>name</name>
<value>
<string><![CDATA[10.5.36.59]]></string>
</value>
</member>
<member>
<name>type</name>
<value>
<string>
<![CDATA[mta_acl_ip_block_address]]>
</string>
</value>
</member>
<member>
<name>parent_path</name>
<value>
<string><![CDATA[xyz.mydomain.net]]></string>
</value>
</member>
<member>
<name>mta_acl_ip_block_netmask</name>
<value>
<string><![CDATA[255.255.255.0]]></string>
</value>
</member>
<member>
<name>mta_acl_ip_block_action</name>
<value>
<string><![CDATA[Quarantine]]></string>
</value>
</member>
<member>
<name>mta_acl_ip_block_comment</name>
<value>
<string><![CDATA[Blocked IP address]]></string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Use Case – Adding a Regular Expression to a Content Filter
This example uses the config.create method described in the previous section. Using config.create you can add regular expressions to a content
filter, which is a global setting. For more details about using regular expressions and content filtering, see the BLOCK/ACCEPT > Content
Filtering page. The output of a successful call is a simple '200 OK'.
Arguments:
Regular Expression: \bvi.gra\b (see Regular Expressions)
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Sample Request:
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.create</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>parent_type</name>
<value>
<string><![CDATA[global]]></string>
</value>
</member>
<member>
<name>name</name>
<value>
<string><![CDATA[\\bvi.gra\\b]]></string>
</value>
</member>
<member>
<name>type</name>
<value>
<string>
<![CDATA[filter_header_list]]>
</string>
</value>
</member>
<member>
<name>parent_path</name>
<value>
<string></string>
</value>
</member>
<member>
<name>filter_header_list_comment</name>
<value>
<string><![CDATA[Filter this content]]></string>
</value>
</member>
<member>
<name>inbound_filter_header_list_action</name>
<value>
<string><![CDATA[Block]]></string>
</value>
</member>
<member>
<name>outbound_filter_header_list_action</name>
<value>
<string><![CDATA[Quarantine]]></string>
</value>
</member>
<member>
<name>apply_to_subject</name>
<value>
<string><![CDATA[1]]></string>
</value>
</member>
<member>
<name>apply_to_header</name>
<value>
<string><![CDATA[0]]></string>
</value>
</member>
<member>
Copyright © 2017, Barracuda Networks Inc.
300
Barracuda Email Security Gateway Administrator's Guide - Page
<name>apply_to_body</name>
<value>
<string><![CDATA[1]]></string>
</value>
</member>
</struct>
</value>
Copyright © 2017, Barracuda Networks Inc.
301
Barracuda Email Security Gateway Administrator's Guide - Page
302
</param>
</params>
</methodCall>
Use Case – Listing Explicit Users (Valid Recipients) and Aliases at the Global Level
Supported by firmware version 5.1.3.006, 6.x and higher
Use the config.list method to list valid recipients and aliased accounts at the global level - i.e. not domain-specific. Explicit Users and aliased
email accounts are added or deleted on the ADVANCED > Explicit Users page of the web interface. In this case, the Type, or scope, is blank
(empty) to indicate global. Note that the ‘variable’ ‘list_valid_recipient_aliases’ is not actually a variable as defined in the configuration; rather, it is
an indicator to the API of what is being listed by the config.list call.
Sample Request:
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.list</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>variable</name>
<value>
<string>
<![CDATA[list_valid_recipient_aliases]]>
</string>
</value>
</member>
<member>
<name>child_type</name>
<value>
<string>
<![CDATA[global]]>
</string>
</value>
</member>
<member>
<name>path</name>
<value>
<string>
</string>
</value>
</member>
<member>
<name>type</name>
<value>
<string>
<![CDATA['']]>
</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Use Case – Adding and Configuring Multiple Domains
Use the domain.add method, described in the previous section, in a loop to add multiple domains for which the Barracuda Email Security
Gateway should process email. These domains will then be listed in the DOMAINS > Domain Manager page of the web interface.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
303
To configure the domains, use the config.set method for each domain. This example configures the 'Spam Score limit block level' to 4 for n
domains, by setting the scana_pd_block_level variable, if you put the request in a loop. In the web interface, you'll see this value on the BASIC >
Spam Checking page after clicking on the Manage Domain link for each domain.
Sample Request (for each domain):
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.set</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>scana_pd_block_level</name>
<value>
<i4>4</i4>
</value>
</member>
<member>
<name>path</name>
<value>
<string>
<![CDATA[$domain]]>
</string>
</value>
</member>
<member>
<name>type</name>
<value>
<string>
<![CDATA[domain]]>
</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Use Case – Listing Valid Recipients and Aliases for a Domain
Supported by firmware version 5.1.3.006, 6.x and higher
Use the config.list method to list valid recipients and aliased accounts for a domain. Valid Recipients and aliased email accounts are added or
deleted on the per-domain USERS > Valid Recipients page of the web interface. In this case, the Type, or scope, is ‘domain’, and this call
returns a list of all valid recipients and aliased email accounts for the domain ‘mymail.net’. Note that the ‘variable’ ‘list_valid_recipient_aliases’ is
not actually a variable as defined in the configuration; rather, it is an indicator to the API of what is being listed by the config.list call.
Sample Request:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
304
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.list</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>variable</name>
<value>
<string>
<![CDATA[list_valid_recipient_aliases]]>
</string>
</value>
</member>
<member>
<name>child_type</name>
<value>
<string>
<![CDATA[global]]>
</string>
</value>
</member>
<member>
<name>path</name>
<value>
<string> <![CDATA[mymail.net]]>
</string>
</value>
</member>
<member>
<name>type</name>
<value>
<string>
<![CDATA[domain]]>
</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Use Case – Adding Valid Recipients and Aliases for a Domain
Supported by firmware version 5.1.3.006, 6.x and higher
Use the config.set method to add valid recipients and aliases for a domain. This case adds a primary account and two email aliases for the
domain ‘testqa.com'. Aliased accounts are added or deleted on the per-domain USERS > Valid Recipients page of the web interface and are
linked to a 'primary account', which receives quarantined mail for the aliased accounts. The primary valid recipient is added first, followed by a
number of aliases. See the per-domain USERS > Valid Recipients page of the web interface for details about alias linking.
Note that the ‘member’ name ‘new_valid_recipient_aliases’ is an indicator to the API of what is being set by the config.set call. Make sure the
domain is present in the Barracuda Email Security Gateway before adding recipients and aliases.
Arguments:
path: testqa.com
type: domain
child_type: global
my $domain = "testqa.com";
my $primary_valid_recip = 'user1@testqa.com';
my $alias = 'user2@testqa.com'.' '.'user3@testqa.com';
my $primary_and_alias = $primary_valid_recip." ".$alias;
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
305
new_valid_recipient_aliases = 'user1@testqa.com user2@testqa.com user3@testqa.com';
Sample Request:
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.set</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>new_valid_recipient_aliases</name>
<value>
<string>$primary_and_alias</string>
</value>
</member>
<member>
<name>path</name>
<value>
<string>
<![CDATA[$domain]]>
</string>
</value>
</member>
<member>
<name>type</name>
<value>
<string>
<![CDATA[domain]]>
</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Use Case – Deleting Aliases and Valid Recipients for a Domain
Supported by firmware version 5.1.3.006, 6.x and higher
Use the config.delete method to delete valid recipients and aliases for a domain.This example deletes the valid recipient and aliases for the
domain ‘testqa.com’. Valid recipients and aliased accounts are added or deleted on the per-domain USERS > Valid Recipients page of the web
interface. Note that the variable ‘delete_valid_recipient_aliases’ is not actually a variable as defined in the configuration; rather, it is an indicator to
the API of what is being deleted by the config.delete call.
In this example, 'user2@testqa.com', 'user3@testqa.com' are the aliases to be deleted. Make sure the domain for which you are deleting aliased
accounts is present in the Barracuda Email Security Gateway. The list of per-domain aliased user accounts to be deleted can be specified in the
'Values' variable in the XML request.
Arguments:
path: testqa.com
type: domain
my $domain = "testqa.com";
my $user2 = 'user2@testqa.com';
my $user3 = 'user3@testqa.com';
Sample Request:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
306
<?xml version="1.0" encoding="UTF8"?>
<methodCall>
<methodName>config.delete</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>path</name>
<value>
<string>
<![CDATA[$domain]]>
</string>
</value>
</member>
<member>
<name>type</name>
<value>
<string>
<![CDATA[domain]]>
</string>
</value>
</member>
<member>
<name>variable</name>
<value>
<string>
<![CDATA[delete_valid_recipient_aliases]]>
</string>
</value>
</member>
<member>
<name>values</name>
<value>
<array>
<data>
<value>
<string>
<![CDATA[$user2]]>
</string>
</value>
<value>
<string>
<![CDATA[$user3]]>
</string>
</value>
</data>
</array>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Appendix 1
See the Error Response format under The XML-RPC Request and Response above for an example of how the faultCodes (error codes),
shown below, will be returned with the XML response.
Error (Fault) Codes
Fault Code
400
Description
Example Fault Strings
Required arguments are missing
Copyright © 2017, Barracuda Networks Inc.
Too few arguments: <error message>
Barracuda Email Security Gateway Administrator's Guide - Page
307
401
Machine does not have access rights
Your machine does not have access rights to
administer...
402
Domain name error
Domain <domain name> already exists
Domain <domain name> is not a valid
domain
403
Access error
Access denied <error message>
406
API was called with incorrect parameters
Incorrect parameters for API call
411
Account error
User account does not exist
412
Account error
User account already exists
421
Account error
Unable to validate account
425
Input object or variable is not valid
Config: Error: Invalid variable: <variable
name used in api> Config: Error: variable
<variable name used in api> not
recognized
Config: Error: Invalid object type: <variable
name used in api>
Config: Error: <variable name used in api> is
not tied to <parent type>
Config: Error: <variable name used in api>
does not belong to any
class
Config: Error: <variable name used in api>
does not belong to <parent
type>
Config: Error: <variable name used in api> is
not of type <parent type>
426
Invalid operation
Config: Error: invalid operation for variable
<variable name used in api>
Config: Error: Cannot add values to tied
variable <variable name used in api>
Config: Error: Cannot remove values from
tied variable <variable name used in api>
427
The object does not exist in the database
Config: Error: Could not find tied object:
<parent type>, <parent path> [<parent
type>]
Config: Error: Could not find scoped object:
<parent type>, <parent path> [global]
Config: Error: Could not find scoped object:
<parent type>, <parent path> [<old parent
type>, <old parent path>]
428
Input value being set is not valid
Config: Error: Could not find values to delete
in <parent path>: <list of invalid values>
429
Required variable is missing
Variable required to create object of type
<parent type>
450
The method you used is unknown
Unknown method called <API method>
499
Unknown error
An unknown error has occurred
500
Unknown error
An unknown error has occurred
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
} catch( Exception ex) {
Copyright © 2017, Barracuda Networks Inc.
308
Barracuda Email Security Gateway Administrator's Guide - Page
309
Barracuda Message Center User's Guide
This article applies to messages encrypted by the Barracuda Email Security Gateway or the Barracuda Email Security Service.
Receive an Encrypted Email Message
If you have received one or more encrypted email messages via the Barracuda Message Center, the sender of the encrypted message(s)
intended to secure the contents of message such that only you, the recipient, can view the body of the message. The subject of the email
notifying you that you've received an encrypted message will look something like this:
You have a new encrypted message from
<mailbox name>@<yourdomain>.com
(or .net, .edu, .org,
etc.)
The body of the email will contain a message that reads something like this:
To view the email message, click here to log into the Barracuda Message Center. You'll be
prompted to either create a password or enter the one you may already have. You can also paste
the following URL into your browser to access the Barracuda Message Center: <URL>
The secure message will expire in 30 days. Need Help?
Log into the Barracuda Message Center
Once you paste the URL into your browser, a Barracuda Networks Message Center page should appear.
1. The first time this system is used, you will be asked to create a password. This password does not have an expiration date.
2. The password can be anything you want, but must meet these password strength requirements:
a. Include at least one special character.
b. Be at least 8 characters long.
3. Once you have chosen an acceptable password and click Done, the Encrypted Messages page will open. On all subsequent uses, the
system will ask for a username and password. Your username will always be your email address. If you forget your password, click on
the Forgot your password link. The system will send you an email to reset your password. Click on the link in the email to be directed
to the Barracuda Networks Message Center, which will ask for a new password and confirmation.
Pick Up Secure Email Message
The Barracuda Message Center provides you with a web interface much like any web based email program. As shown in Figure 1, you can view
a list of your encrypted messages, click on one to view the contents, delete one or more of them or download the message(s) to your local
system.
Figure 1. Encyrpted Messages Inbox
View Messages
Click on a message to view the contents of a message, as shown in Figure 2. You are the only one who can read the message body. You can
view the message headers by clicking the Show All Headers link in the upper right. From the message window you can use buttons on the
message bar Reply to, Reply All, Print, Delete or Download the message. Attachments can be downloaded individually by clicking on them.
Figure 2. Viewing an Encyrpted Message
Reply to Messages
Click Reply to reply to your encrypted message. The contents of your reply will also be encrypted. Once you click Reply, you can upload files
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
310
and send them securely back to the sender as part of the reply email by choosing Browse (to choose the selected files to add) or Add (to include
an attachment in the reply email).
When finished, click Send. This will cause your reply message to be encrypted before returning to the sender.
Click Reply All to send your encrypted response to all other recipients of the message.
Saving Message Content
If you want to save the original email, the entire message (including attachments) can be saved by clicking Download.
Delete Multiple Messages
In the Encrypted Messages window, click the check box next to the message(s), and then click Delete on the tool bar. To refresh the message
list, click Refresh next to Delete on the tool bar.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
311
Barracuda Email Security Gateway User 's Guide 6 and Above
This guide describes how you can use the Barracuda Email Security Gateway web interface to:
Check your quarantined messages
Classify messages as Spam and Not Spam
Manage whitelisting and blocklisting email addresses
Modify your User Preferences
The guide also covers use of the Barracuda Microsoft Outlook Add-in for classifying messages as spam or not spam and encrypting outbound
messages. The Add-in might be installed in your Microsoft Outlook mail client by your administrator or by you, depending on how the system is
configured.
Some features covered in this guide may not appear on your system, depending on your level of permissions as set by your administrator.
Managing Your Quarantine Inbox
Receiving Messages from the Barracuda Email Security Gateway
The Barracuda Email Security Gateway sends you the following two types of messages:
Greeting Message
Spam Quarantine Summary Report
Greeting Message
The first time the Barracuda Email Security Gateway quarantines an email intended for you, the system sends you a greeting message with a
subject line of User Quarantine Account Information. The greeting message contains the following information:
Welcome to the Barracuda Email Security Gateway. This message contains the information you will need to
access your Spam Quarantine and Preferences.
Your account has been set to the following username and password:
Username: <your email address>
Password: <your default password>
Access your Spam Quarantine directly using the following link:
http://<barracuda system address or name>:8000
The Barracuda Email Security Gateway automatically provides your login information (username and password)
and the link to access the quarantine interface. You should save this email because future messages from
the system do not contain your login information.
Quarantine Summary Report
The Barracuda Email Security Gateway sends you a daily quarantine summary report so you can view the quarantined messages you did not
receive. From the quarantine summary report you can also add messages to your whitelist, delete messages, and have messages delivered to
your inbox.
Note that the quarantine summary report only goes out if new quarantined mail is saved in your account since the last notification cycle.
Each day the quarantine notification service runs for all users. If there is no new quarantined mail for your account since the last
notification cycle, or if you have logged into your account since then, no quarantine summary report will be generated and sent to
you for that same 24 hour period. Note also that links in the quarantine digest for viewing, delivering, whitelisting or deleting a message
from the quarantine inbox expire in 5 days from the date the digest is sent out.
The following shows an example of a quarantine summary report:
Figure 1: Example quarantine summary report ('digest').
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
312
Using the Quarantine Interface
At the end of every quarantine summary report is a link to the quarantine interface where you can set additional preferences and classify
messages as spam and not spam.
Logging into the Quarantine Interface
To log into your quarantine interface:
Click the link provided at the bottom of the Quarantine Summary Report (displayed above). The login page appears.
Enter your username and password, and click Login. Your login information resides in the greeting message sent to you from the
Barracuda Email Security Gateway.
Using your Quarantine Inbox
After logging into the quarantine interface, select the QUARANTINE INBOX tab to view a list of your quarantined messages. When you first start
using the quarantine interface, you should view this list on a daily basis and classify as many messages as you can. Clicking on an email displays
the message.
The Barracuda Email Security Gateway has a Bayesian learning engine which, if enabled by your administrator, learns how to deal with future
messages based on the ones you classify as spam and not spam. The learning engine becomes more effective over time as you teach the
system how to classify messages and as you set up rules based on your whitelist and blocklist.
To effectively "train" your Bayesian database, you must classify at least 200 spam messages and 200 not spam messages from your
Quarantine Inbox, which will train the Bayesian database as to what word or phrase patterns that appear, perhaps multiple times,
throughout a message you consider to be valid content or characteristic of spam. Continue to classify an equal number of each type of
message as needed.
The following table describes the actions you can perform from this page.
Action
Description
Deliver
Delivers the selected message to your standard inbox.
Note: If you want to classify a message or add it to your whitelist,
make sure to do so before delivering the message to your inbox.
Once the Barracuda Email Security Gateway delivers a message, it
is removed from your quarantine list.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Whitelist
313
Whitelist Adds the selected message to your whitelist so all future
emails from this sender are not quarantined unless the message
contains a virus or banned attachment type.
The Barracuda Email Security Gateway adds the sending email
address exactly as it appears in the message to your personal
whitelist.
Note that some commercial mailings may come from one of several
servers such as mail3.abcbank.com, and a subsequent message
may come from mail2.abcbank.com. See the section on managing
your whitelists and blocklists for tips on specifying whitelists with
greater effectiveness.
Delete
Deletes the selected message from your quarantine list. The main
reason to delete messages is to help you keep track of which
quarantine messages you have reviewed. You cannot recover
messages you have deleted.
Classify as Not Spam
Classifies the selected message as not spam. Note: Some bulk
commercial email may be considered useful by some users and
spam by others. For this reason, classifying such messages may not
be very effective because users may counteract each others’
classification. Instead of classifying bulk commercial email, it may be
more effective to add it to your whitelist (if you wish to receive such
messages) or blocklist (if you prefer not to receive them).
Classify as Spam
Classifies the selected message as spam.
Changing Your User Preferences
After logging into your quarantine interface, depending on your account permissions, you can use the PREFERENCES tab to change your
account password, modify your quarantine and spam settings, and manage your whitelist and blocklist.
Changing Your Account Password
To change your account password, do one of the following:
On the quarantine interface login page, click Create New Password, or
After logging into your quarantine interface, go to PREFERENCES > Password. This option is not available if single sign-on has been
enabled via LDAP or Radius.
In the provided fields, enter your existing password and enter your new password twice. Click Save Changes when finished.
Note Changing your password breaks the links in your existing quarantine summary reports so you cannot delete, deliver, or whitelist
messages from those reports. New quarantine summary reports will contain updated links that you can use the same as before.
Changing Your Quarantine Settings
The following table describes the quarantine settings you can change from the PREFERENCES > Quarantine Settings page, depending on how
the administrator has configured your account:
Quarantine Setting
Description
Enable Quarantine
Whether the Barracuda Email Security Gateway quarantines your
messages.
If you select Yes, the Barracuda Email Security Gateway does not
deliver quarantined messages to your general email inbox, but you
can view these messages from the quarantine interface and
quarantine summary reports.
If you select No, all messages that would have been quarantined for
you are delivered to your general email inbox with the subject line
prefixed with [QUAR]:. The Barracuda Email Security Gateway
administrator can modify this prefix.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
314
Notification Interval
The frequency the Barracuda Email Security Gateway sends you
quarantine summary reports. The default is daily. The Barracuda
Email Security Gateway only sends quarantine summary reports
when one or more of your emails have been quarantined.
If you select Never, you can still view your quarantined messages
from the quarantine interface, but you will not receive quarantine
summary reports.
Notification Address
The email address the Barracuda Email Security Gateway should
use to
deliver your quarantine summary report. Leave this field blank to use
the email address associated with your user account.
Default Language
The language in which you want to receive your quarantine
notifications.
This setting also sets the default encoding for handling unknown
character sets during filtering. All email notifications from the
Barracuda Email Security Gateway are in UTF8 encoding.
Enabling and Disabling Spam Scanning of your Email
If you do not want the Barracuda Email Security Gateway scanning your emails for spam content, you can disable spam filtering from the PREFE
RENCES > Spam Settings page. From this page you can also change the default spam scoring levels that determine when your emails are
tagged, quarantined or blocked.
When the Barracuda Email Security Gateway receives an email for you, it scores the message for its spam probability. This score ranges from 0
(definitely not spam) to 10 or higher (definitely spam). Based on this score, the Barracuda Email Security Gateway either allows, quarantines, or
blocks the message.
A setting of 10 for any setting disables that option. The following table describes the fields on the PREFERENCES > Spam Settings page.
Adding Email Addresses and Domains to Your Whitelist and Blocklist
The PREFERENCES > Whitelist/Blocklist page lets you specify email addresses and domains from which you do or do not want to receive
emails.
List Type
Description
Whitelist
The list of email addresses or domains from which you always wish
to receive
messages. The only time the Barracuda Email Security Gateway
blocks a message from someone on your whitelist is when the
message contains a virus or a disallowed attachment file extension.
Blocklist
The list of senders from whom you never want to receive messages.
The Barracuda Email Security Gateway immediately discards
messages from senders on your blocklist. These messages are not
tagged or quarantined are not tagged or quarantined and cannot be
recovered.
The sender does not receive a notice that the message was deleted,
and neither do you. The only time a blocklisted email address is
delivered is if the same email address also appears in your whitelist.
To whitelist senders or to add senders to your blocklist, follow these steps:
1.
2.
3.
4.
Go to the PREFERENCES > Whitelist/Blocklist page.
A list of your existing whitelisted and blocklisted addresses appears on this page.
To delete a whitelist or a blocklist entry, click the trash can icon next to the address.
To add an entry, type an email address into the appropriate field and click the Add button.
Tips on specifying addresses
When adding addresses to your whitelist and blocklist, note the following tips:
If you enter a full email address, such as johndoe@yahoo.com, just that user is specified. If you enter just a domain, such as yahoo.com,
all users in that domain are specified.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
315
If you enter a domain such as barracudanetworks.com, all subdomains are also included, such as support.barracudanetworks.com and t
est.barracudanetworks.com.
Mass mailings often come from domains that do not resemble the company’s website name. For example, you may want to receive
mailings from historybookclub.com, but you will find that this site sends out its mailing from the domain hbcfyi.com. Examine the From:
address of an actual mailing that you are trying to whitelist or blocklist to determine what to enter.
Changing the Language of the Quarantine Interface
You can change the language of your quarantine interface by selecting a language from the dropdown menu in the upper right corner of the QUA
RANTINE INBOX and PREFERENCES tabs. Supported languages include Chinese, Japanese, Spanish, French, and others. The language you
select is only applied to your individual quarantine interface. No other user’s interface is affected.
Microsoft Outlook Add-in for Classifying Messages
Instead of using your quarantine inbox to classify your email messages, you can download a client add-in that lets you classify messages from
your MS Outlook application. Your Barracuda Email Security Gateway administrator may chose not to make this add-in available. If this is the
case, you need to log into your quarantine inbox to classify your messages.
Downloading the Add-in
To download and install the client add-in that is needed to classify messages from MS Outlook:
1. Go to the login page of the administration interface and click the link below the login information, as shown in the following figure:
Figure 2. The login page lets you download the client add-in if your administrator has made it available.
2.
3.
4.
5.
If this link does not appear, then your Barracuda Email Security Gateway administrator has configured the system to not make the add-in
available and the next section will not apply to your configuration.
After clicking the link, you'll see a popup prompting you to save the executable file BsfOutlookAddIn.exe. Click Save File.
Close MS Outlook on your system.
Run the file and follow the instructions in the setup wizard to install the add-in on your local system or network.
Re-start MS Outlook.
Using the Microsoft Outlook Add-in
Classifying Messages as Spam or Not-Spam
After downloading and installing the add-in, you can begin classifying messages using the green checkmark and the red X buttons in your MS
Outlook client. The green button marks messages as not spam and the red button marks messages as spam.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
316
The MS Outlook add-in is configured to automatically:
Whitelist email addresses associated with sent messages and new contacts
Move spam-declared messages to the Deleted Items folder in your mail client
Whitelist the 'From:' email address within 'Not-Spam'-declared messages.
Optional Message Encryption
With the Barracuda Email Security Gateway 5.1 or later, choose to encrypt any outbound message by clicking the Encrypt Message button that
appears in the Outlook New Message window, as shown in Figure 3, when the add-in is installed. The recipient of the message will retrieve it
from the Barracuda Message Center.
Figure 3. Encrypting a message from Microsoft Outlook.
You can change the default behavior of the Outlook Add-in by going to the Tools menu in your MS Outlook client and selecting Options | Email
Security Gateway tab.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
317
Barracuda Spam Firewall User's Guide 5.x
This guide describes how you can check your quarantined messages, classify messages as spam and not spam, manage whitelisting and
blocklisting email addresses, and modify your user preferences using the Barracuda Spam Firewall interface. Some features covered in this guide
may not appear on your system, depending on your level of permissions as set by your administrator.
Managing Your Quarantine Inbox
Receiving Messages from the Barracuda Spam Firewall
The Barracuda Spam Firewall sends you the following two types of messages:
Greeting Message
Spam Quarantine Summary Report
Greeting Message
Depending on how the system administrator has configured the quarantine function, the Barracuda Spam Firewall will send you a greeting
message with a subject line of User Quarantine Account Information when one of the following happens:
Your account is first created by the system administrator
Your account is automatically created the first time the Barracuda Spam Firewall quarantines an email intended for you
The greeting message contains the following information:
Welcome to the Barracuda Spam Firewall. This message contains the
information you will need to access your Spam Quarantine and Preferences.
Your account has been set to the following username and password:
Username: <your email address> Password: <your default password>
Access your Spam Quarantine directly using the following link: http://<barracuda system address or
name>:8000
The Barracuda Spam Firewall automatically provides your login information (username and password) and the link to access the quarantine
interface. You should save this email because future messages from the system do not contain your login information.
Quarantine Summary Report
The Barracuda Spam Firewall sends you a quarantine summary report either daily, weekly, or not at all, depending on how the system
administrator has configured it. This summary report enables you to view the quarantined messages you did not receive. From the quarantine
summary report you can also add messages to your whitelist, delete messages, and have messages delivered to your inbox.
Note that the quarantine summary report only goes out if new quarantined mail is saved in your account since the last notification cycle.
Each day the quarantine notification service runs for all users. If there is no new quarantined mail for your account since the last
notification cycle, or if you have logged into your account since then, no quarantine summary report will be generated and sent to
you for that same 24 hour period. Note also that links in the quarantine digest for viewing, delivering, whitelisting or deleting a message
from the quarantine inbox expire in 5 days from the date the digest is sent out.
The following shows an example of a quarantine summary report:
Figure 1: Sample quarantine summary report ('digest').
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
318
Using the Quarantine Interface
At the end of every quarantine summary report is a link to the quarantine interface where you can set additional preferences and classify
messages as spam and not spam.
Logging into the Quarantine Interface
To log into your quarantine interface:
Click the link provided at the bottom of the Quarantine Summary Report (displayed above). The login page appears.
Enter your username and password, and click Log In. Your login information resides in the greeting message sent to you from the
Barracuda Spam Firewall.
Using your Quarantine Inbox
After logging into the quarantine interface, you'll see the QUARANTINE INBOX listing your quarantined messages. When you first start using the
quarantine interface, you should view this list on a daily basis and classify as many messages as you can. Clicking on an email displays the
message.
The Barracuda Spam Firewall has a Bayesian learning engine which, if enabled by your administrator, learns how to deal with future messages
based on the ones you classify as spam and not spam. The learning engine becomes more effective over time as you teach the system how to
classify messages and as you set up rules based on your whitelist and blocklist.
To effectively "train" your Bayesian database, you must classify at least 200 spam messages and 200 not spam messages from your
Quarantine Inbox, which will train the Bayesian database as to what word or phrase patterns that appear, perhaps multiple times,
throughout a message you consider to be valid content or characteristic of spam. Continue to classify an equal number of each type of
message as needed.
The following table describes the actions you can perform from this page.
Action
Description
Deliver
Delivers the selected message to your standard inbox.
Note: If you want to classify a message or add it to your whitelist,
make sure to do so before delivering the message to your inbox.
Once the Barracuda Spam Firewall delivers a message, it is removed
from your quarantine list.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Whitelist
319
Whitelist Adds the selected message to your whitelist so all future
emails from this sender are not quarantined unless the message
contains a virus or banned attachment type.
The Barracuda Spam Firewall adds the sending email address exactl
y as it appears in the message to your personal whitelist.
Note that some commercial mailings may come from one of several
servers such as mail3.abcbank.com, and a subsequent message
may come from mail2.abcbank.com. See the section on managing
your whitelists and blocklists for tips on specifying whitelists with
greater effectiveness.
Delete
Deletes the selected message from your quarantine list. The main
reason to delete messages is to help you keep track of which
quarantine messages you have reviewed. You cannot recover
messages you have deleted.
Classify as Not Spam
Classifies the selected message as not spam. Note: Some bulk
commercial email may be considered useful by some users and
spam by others. For this reason, classifying such messages may not
be very effective because users may counteract each others'
classification. Instead of classifying bulk commercial email, it may be
more effective to add it to your whitelist (if you wish to receive such
messages) or blocklist (if you prefer not to receive them).
Classify as Spam
Classifies the selected message as spam.
Changing Your User Preferences
After logging into your quarantine interface, depending on your account permissions, you can use the PREFERENCES tab to change your
account password, modify your quarantine and spam settings, and manage your whitelist and blocklist.
Changing Your Account Password
To change your account password, do one of the following:
On the quarantine interface login page, click Create New Password, or
After logging into your quarantine interface, go to PREFERENCES > Password. This option is not available if single sign-on has been
enabled via LDAP or Radius.
In the provided fields, enter your existing password and enter your new password twice. Click Save Changes when finished.
Note Changing your password breaks the links in your existing quarantine summary reports so you cannot delete, deliver, or whitelist
messages from those reports. New quarantine summary reports will contain updated links that you can use the same as before.
Changing Your Quarantine Settings
The following table describes the quarantine settings you can change from the PREFERENCES > Quarantine Settings page, depending on how
the administrator has configured your account:
Quarantine Setting
Description
Enable Quarantine
Whether the Barracuda Spam Firewall quarantines your messages.
If you select Yes, the Barracuda Spam Firewall does not deliver
quarantined messages to your general email inbox, but you can view
these messages from the quarantine interface and quarantine
summary reports.
If you select No, all messages that would have been quarantined for
you are delivered to your general email inbox with the subject line
prefixed with [QUAR]. The Barracuda Spam Firewall administrator
can modify this prefix.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Notification Interval
320
The frequency the Barracuda Spam Firewall sends you quarantine
summary reports. The default is daily, with weekly and never also as
options.. The Barracuda Spam Firewall only sends quarantine
summary reports when one or more of your emails have been
quarantined.
If you select never, you can still view your quarantined messages
from the quarantine interface, but you will not receive quarantine
summary reports.
Notification Address
The email address the Barracuda Spam Firewall should use to delive
r your quarantine summary report. Leave this field blank to use the
email address associated with your user account.
Default Language
The language in which you want to receive your quarantine
notifications.
This setting also sets the default encoding for handling unknown
character sets during filtering. All email notifications from the
Barracuda Spam Firewall are in UTF8 encoding.
Enabling and Disabling Spam Scanning of your Email
If you do not want the Barracuda Spam Firewall scanning your emails for spam content, you can disable spam filtering from the PREFERENCES
> Spam Settings page. From this page you can also change the default spam scoring levels that determine when your emails are tagged,
quarantined or blocked.
When the Barracuda Spam Firewall receives an email for you, it scores the message for its spam probability. This score ranges from 0 (definitely
not spam) to 10 or higher (definitely spam). Based on this score, the Barracuda Spam Firewall either allows, quarantines, or blocks the message.
A setting of 10 for any setting disables that option. The following table describes the fields on the PREFERENCES > Spam Settings page.
Setting
Description
Spam Scoring Enable/Disable
Enable Spam Scoring: Select Yes for the Barracuda Spam
Firewall to scan your emails for spam. Select No to have all your
messages delivered to you without being scanned for spam.
Spam Scoring
Use Domain Defaults: Select Yes to use the default scoring
levels. To configure the scoring levels yourself, select No and
make the desired changes in the Spam Scoring Levels section
described below.
Block: Messages with a score above this threshold are not
delivered to your inbox. Depending on how the system is
configured, the Barracuda Spam Firewall may notify you and the
sender that a blocked message could not be delivered. The
default value is 9.
Quarantine: Messages with a score above this threshold, but
below the block threshold, are forwarded to your quarantine
mailbox. The default setting is 10 (quarantine disabled). To
enable the quarantine feature, this setting must have a value
lower than the block threshold.
Tag: Messages with a score above this threshold, but below the
quarantine threshold, are delivered to you with the word [BULK]
added to the subject line. Any message with a score below this
setting is automatically allowed. The default value is 3.5.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Barracuda Bayesian Learning
321
Reset Personal Bayesian Database:
Click Reset to remove your Bayesian rules learned by the
Barracuda Spam Firewall from the point of installation. Use the
Reset button on a regular basis to clear out old classifications of
valid email versus spam to account for the fact that spam tactics
change rapidly and the word and phrase patterns that appear in
spam messages tend to change over time.
Thus, by resetting your Bayesian database regularly and
classifying 200 spam and not spam messages anew, you'll keep
your Bayesian database refreshed such that it has the best
chance of identifying spam with a very high level of accuracy.
Bayesian Database Backup
Back Up Bayesian Database: Click Backup to download a copy
of your Bayesian database to your local system. This backup
copy can then be uploaded to any Barracuda Spam Firewall,
including this one, in the case of a corrupt Bayesian installation.
Restore Database: Click Browse to select the backup file
containing your Bayesian database, and then click Upload Now
to load the Bayesian settings to this Barracuda Spam Firewall.
The backup file does not need to have originated from this
Barracuda Spam Firewall, nor from the same user database.
Adding Email Addresses and Domains to Your Whitelist and Blocklist
The PREFERENCES > Whitelist/Blocklist page lets you specify email addresses and domains from which you do or do not want to receive
emails.
List Type
Description
Whitelist
The list of email addresses or domains from which you always wish
to receive
messages. The only time the Barracuda Spam Firewall blocks a
message from someone on your whitelist is when the message
contains a virus or a disallowed attachment file extension.
Blocklist
The list of senders from whom you never want to receive messages.
The Barracuda Spam Firewall immediately discards messages from
senders on your blocklist. These messages are not tagged or
quarantined and cannot be recovered.
The sender does not receive a notice that the message was deleted,
and neither do you. The only time a blocklisted email address is
delivered is if the same email address also appears in your whitelist.
To whitelist senders or to add senders to your blocklist, follow these steps:
1.
2.
3.
4.
Go to the PREFERENCES > Whitelist/Blocklist page.
A list of your existing whitelisted and blocklisted addresses appears on this page.
To delete a whitelist or a blocklist entry, click the trash can icon next to the address.
To add an entry, type an email address into the appropriate field and click the Add button.
Tips on specifying addresses
When adding addresses to your whitelist and blocklist, note the following tips:
If you enter a full email address, such as johndoe@yahoo.com, just that user is specified. If you enter just a domain, such as yahoo.com,
all users in that domain are specified.
If you enter a domain such as barracudanetworks.com, all subdomains are also included, such as support.barracudanetworks.com and t
est.barracudanetworks.com.
Mass mailings often come from domains that do not resemble the company's website name. For example, you may want to receive
mailings from historybookclub.com, but you will find that this site sends out its mailing from the domain hbcfyi.com. Examine the From:
address of an actual mailing that you are trying to whitelist or blocklist to determine what to enter.
Changing the Language of the Quarantine Interface
You can change the language of your quarantine interface by selecting a language from the dropdown menu in the upper right corner of the QUA
RANTINE INBOX and PREFERENCES tabs. Supported languages include Chinese, Japanese, Spanish, French, and others. The language you
select is only applied to your individual quarantine interface. No other user's interface is affected.
Using Microsoft Outlook and IBM Notes to Classify Messages
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
322
Instead of using your quarantine inbox to classify your email messages, you can download a client add-in that lets you classify messages from
your Microsoft Outlook or IBM Notes application. Your Barracuda Spam Firewall administrator may chose not to make this add-in available.
If this is the case, you need to use your quarantine inbox to classify your messages.
Downloading the Client Add-in
To download the client add-in that is needed to classify messages from Microsoft Outlook or IBM Notes, go to the login page of the administration
interface and click the link below the login information, as shown in the following figure:
If this link does not appear, then your Barracuda Spam Firewall administrator has configured the system to not make the add-in available and the
next section will not apply to your configuration.
Using the Microsoft Outlook and IBM Notes Add-ins
After downloading and installing the add-in, you can begin classifying messages using the Mark as Spam and Mark as Not Spam icons in your
Microsoft Outlook or IBM Notes client. These icons are located in the upper right of your email client if the add-in has been installed. Highlight one
or more messages in your email client and click Mark as Spam if you think these messages are spam and should not have been delivered to
your inbox. Do the same for messages which are NOT spam, using the Mark as Spam icon, for good messages. This will train your Bayesian
database on the Barracuda Spam Firewall so it will become an 'expert' at what you do or do not consider to be spam.
The Microsoft Outlook and IBM Notes add-ins are configured to automatically:
Whitelist email addresses associated with sent messages and new contacts
Move messages you mark as Spam to the Deleted Items folder in your mail client
Whitelist the 'From:' email address within messages you mark as Not-Spam.
The Outlook Add-in also provides optional message Encryption. With the Barracuda Spam Firewall 5.1 or later, choose to encrypt any outbound
message by clicking the Encrypt Message button that appears in the Outlook New Message window when the add-in is installed.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
323
You can change the default behavior of the Outlook Add-in by going to the Tools menu in your Microsoft Outlook client and selecting Options |
Spam Firewall tab.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
324
Barracuda Outlook Add-In Overview 6 and Above
This guide applies to the Barracuda Email Security Gateway 300 and higher, version 6.0 and higher. The Barracuda Outlook Add-in
is compatible with:
Microsoft Outlook 2007 and Outlook 2010, and 2013 32-bit and 64-bit versions.
Microsoft Outlook 2016 if you are running version 7.1.1.003 or higher. If so, see Barracuda Outlook Add-In Deployment
Guide version 7 and Above.
If you are running version 6.0.0.028 or later of the Barracuda Email Security Gateway firmware, you must upgrade your Barracuda
Outlook Add-in to version 6.0.21 or later (see the USERS > User Features page).
If both per-user quarantine and per-user Bayesian are enabled, the administrator can install an add-in, or choose to allow users to download an
add-in, that provides the user with the following tools:
Classify messages as Spam or Not Spam directly from their MS Outlook client. This classification helps train the user’s personal
Bayesian database, and results in higher accuracy for the Barracuda Email Security Gateway. Users must have a quarantine account on
the Barracuda Email Security Gateway to use the Barracuda Outlook add-in. For information about automatically or manually creating
quarantine accounts for users, see Creating and Managing Accounts. Note that all feedback is stored in a per-user Bayesian database
on the system. This mechanism prevents users from compromising the global Bayesian database, and results in more specific scoring
due to learning about a user’s personal mail preferences.
Message encryption. The user can click a button in the MS Outlook client to encrypt the message contents before sending it. Any
messages encrypted using the add-In will appear in the Barracuda Email Security Gateway Message Log with a Reason of Outlook
Add-In. Email encryption is performed by the Barracuda Email Encryption Service, the same way encryption is performed when
configured on the Barracuda Email Security Gateway. The difference is that, with the add-in installed on the user’s machine, their
outgoing email can be encrypted inside the network, securing email exchanged among people in the organization. See Encryption of
Outbound Mail 6 and Above for more information about configuring email encryption.
Sender whitelisting. The user can decide who should be on their whitelist.
For instructions on the installation and configuration of the Barracuda Outlook Add-In for the Windows environment, please see the Barracuda
Outlook Add-In Deployment Guide.
Getting the Add-In
It is up to the administrator of the Barracuda Email Security Gateway to decide whether or not users should be given access to this add-in. If the
admin wishes to provide the add-in, download capability can be activated for the users under the USERS > User Features page. Users will then
be able to download and install the add-in from a link on the login screen.
If the administrator chooses to only provide the add-in to a small subset of users, the add-in deployment kit can be downloaded from the USERS
> User Features page in the Mail Client Plugins section and distributed to the necessary users. The add-in is downloaded in a zip file
containing .msi files, and is available in both 32 and 64-bit versions.
Using the Add-In
Spam / Not Spam Classification
Once installed, the add-in makes itself available to the user through the toolbar inside MS Outlook. Two icons are provided that perform the
necessary “Spam” or “Not Spam” classification functionality:
• A red envelope with an “X” in the lower right corner to classify messages as spam.
• A green envelope with a checkmark to classify messages as not-spam.
Figure 1: Users can mark messages as Spam or Not Spam using icons in their mail client
Select one or more items from the message window and click on the Mark as Spam / Mark as Not Spam icon to submit the messages to the
Barracuda Email Security Gateway for classification. For convenience, the toolbar icons are also provided when a mail message is opened in a
new window for viewing. If desired, the message can be classified immediately from that window.
Please note that Bayesian learning is only effective when the differences between “Spam” and “Not Spam” are known to the system. Therefore it
is important to make sure that both types of messages are classified from user desktops. This add-in is designed to make that classification
process as easy as possible. However, it is up to each user to make sure the items they classify from the add-in are really considered spam or
not spam as it will affect the scoring of future messages coming onto the system for them.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
325
Figure 2: Users can encrypt a message
Encryption
With the Barracuda Email Security Gateway 5.1 or later, when the user opens the New Message window in Microsoft Outlook, the Encrypt
Message icon will appear within the window as shown in Figure 2, providing the option to encrypt the message contents before sending it. When
the user sends an encrypted message using the Barracuda Outlook Add-In, the recipient will receive a notification email from the Barracuda
Message Center that includes a link the recipient can click to retrieve their message. The Barracuda Message Center provides a web client much
like any web mail client that the recipient can log into to view and manage encrypted messages. Note that the Encrypt Message icon can be
disabled through GPO.
For more information about the Barracuda Email Encryption Service, see Encryption of Outbound Mail 6 and Above.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
326
Barracuda Outlook Add-In Overview 5.x
The Barracuda Outlook Add-In is compatible with MS Outlook 2003-2013 (version 2013 requires Barracuda Spam Firewall
5.1.3.007 and higher). This guide applies to the Barracuda Spam Firewall 300 and higher, version 5.x.
If both per-user quarantine and per-user Bayesian are enabled, the administrator can install an add-in, or choose to allow users to download an
add-in, that provides the user with the following tools:
Classify messages as Spam or Not Spam directly from their MS Outlook client. This classification helps train the user’s personal
Bayesian database, and results in higher accuracy for the Barracuda Spam Firewall. Users must have a quarantine account on the
Barracuda Spam Firewall to use the Barracuda Outlook add-in. For information about automatically or manually creating quarantine
accounts for users, see Creating and Managing Accounts. Note that all feedback is stored in a per-user Bayesian database on the
system. This mechanism prevents users from compromising the global Bayesian database, and results in more specific scoring due to
learning about a user’s personal mail preferences.
Message encryption. The user can click a button in the MS Outlook client to encrypt the message contents before sending it. Any
messages encrypted using the add-In will appear in the Barracuda Spam Firewall Message Log with a Reason of Outlook Add-In. Email
encryption is performed by the Barracuda Email Encryption Service, the same way encryption is performed when configured on the
Barracuda Spam Firewall. The difference is that, with the add-in installed on the user’s machine, their outgoing email can be encrypted
inside the network, securing email exchanged among people in the organization. See Encryption of Outbound Mail 5.x for more
information about configuring email encryption.
For instructions on the installation and configuration of the Barracuda Outlook Add-In for the Windows environment, please see the Barracuda
Outlook Add-In Deployment Guide 5.x.
Getting the Add-In
It is up to the administrator of the Barracuda Spam Firewall to decide whether or not users should be given access to this add-in. If the admin
wishes to provide the add-in, download capability can be activated for the users under the USERS > User Features page. Users will then be able
to download and install the add-in from a link on the login screen. If the admin chooses to only provide the add-in to a small subset of users, the
add-in can be downloaded from the page where activation is performed and distributed to the necessary users. The add-in is downloaded in a zip
file containing .msi files, and is available in both 32 and 64-bit versions.
Using the Add-In
Spam / Not Spam Classification
Once installed, the add-in makes itself available to the user through the toolbar inside MS Outlook. Two icons are provided that perform the
necessary "Spam" or "Not Spam" classification functionality:
A red envelope with a red X in the lower right corner to classify messages as spam.
A green envelope with a checkmark to classify messages as not-spam.
To use the add-in, select one or more items from the message window and click on the spam / not-spam icon to submit the messages to the
Barracuda Spam Firewall for classification. For convenience, the toolbar icons are also provided when a mail message is opened in a new
window for viewing. If desired, the message can be classified immediately from that window.
Please note that Bayesian learning is only effective when the differences between "Spam" and "Not Spam" are known to the system. Therefore it
is important to make sure that both types of messages are classified from user desktops. This add-in is designed to make that classification
process as easy as possible. However, it is up to each user to make sure the items they classify from the add-in are really considered spam or
not spam as it will affect the scoring of future messages coming onto the system for them.
Encryption
With the Barracuda Spam Firewall 5.1 or later, when the user opens the New Message window in Microsoft Outlook, the Encrypt Message butto
n will appear within the window, providing the option to encrypt the message contents before sending it. When the user sends an encrypted
message using the Barracuda Outlook Add-In, the recipient will receive a notification email from the Barracuda Message Center that includes a
link the recipient can click to retrieve their message. The Barracuda Message Center provides a web client much like any web mail client that the
recipient can log into to view and manage encrypted messages. Note that the Encrypt Message button can be disabled through GPO.
For more information about the Barracuda Email Encryption Service, see Encryption of Outbound Mail 5.x.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
327
Barracuda Outlook Add-In Deployment Guide 6.1.2 and Above
This article applies to the Barracuda Spam Firewall running version 6.1.2 and above. For information about the features of the
Barracuda Spam Firewall Outlook Add-In, please see the Barracuda Outlook Add-In Overview 6 and Above. The Barracuda
Outlook Add-in is compatible with:
Microsoft Outlook 2007 and Outlook 2010, and 2013 32-bit and 64-bit versions.
Microsoft Outlook 2016 if you are running version 7.1.1.003 or higher. If so, see Barracuda Outlook Add-In Deployment
Guide version 7 and Above.
If you are running version 6.0.0.028 of the Barracuda Email Security Gateway firmware, you must upgrade your Barracuda Outlook
Add-in to version 6.0.21 or later (see the USERS > User Features page).
If you want end-users to use Bayesian classification via this add-in, you must enable Per-User Quarantine on the Barracuda Spam
Firewall from BASIC > Quarantine page in the Inbound Quarantine Type section. See also Bayesian Analysis Inbound. This
guide applies to the Barracuda Spam Firewall 300 and above, version 6.0 and above.
If the SMTP option Remove Barracuda Headers is turned off in the ADVANCED > Email Protocol page, any custom X-headers that
the Barracuda Spam Firewall has applied before the message leaves the appliance will be removed. Important: If these headers are
removed, the Barracuda Outlook add-in or other add-in will not function.
Note that the language for add-in options is determined by your Microsoft Office installation locale. Supported languages for the add-in include:
English
Spanish (continental)
French
Japanese
Dutch
Italian
Chinese
Polish
German
Step 1: Install the Outlook Add-In Deployment Kit
1. Log into your Barracuda Spam Firewall as an administrator.
2. Navigate to USERS > User Features and download the Outlook Add-In Deployment Kit (a .zip file) to the local system running Windows
Vista or above.
3. Extract the contents somewhere easily accessible. The deployment kit should contain the following:
Barracuda Spam Firewall Outlook Add-in installer for Outlook 2010 64-bit or for Outlook 2013 64-bit (BsfOutlookAddIn-version
_x64.msi)
Barracuda Spam Firewall Outlook Add-in installer for all other versions of Outlook (BsfOutlookAddIn-version_x86.msi).
Barracuda Spam Firewall Outlook Add-in Administrator module (Barracuda Spam Firewall Outlook Add-In version.admx
Step 2. Optional: Configure the Outlook Add-In
If you want to use GPO:
1. Go to the installation location, and open the ADMX folder, for example:
C:\Program Files\Barracuda\Spam Firewall\Deployment Kit\ADMX
2. Copy the ADMX and ADML locale directories to the PolicyDefinitions folder on your system, for example:
%systemroot%\sysvol\domain\policies\PolicyDefinitions
This procedure applies to domain controllers running Windows Server 2008 or higher; to edit local policy or domain policies on
a domain controller running Windows Server 2003 or earlier, consult Microsoft's documentation.
3. Start the Group Policy (GPO) Editor for the domain where you will be installing the Add-In. You can edit the default policy or create a new
policy object and link it to the desired container, for example, the particular OU containing the computers of users that will be using the
Add-In.
In order to create and edit domain-based GPOs with the latest Group Policy settings using ADMX files, you must have a Windo
ws Server 2008 domain name resolvable through a DNS Server, and a Windows Vista system to view policy settings from
ADMX files while editing the domain-based GPO.
In the GPO, expand User Configuration > Administrative Templates > Barracuda > Spam Firewall > Outlook Add-In:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
328
Configure any policies as needed. You will need to recreate any policies you previously configured, and then remove the old ADM
template.
Step 3. Deploy the MSI File
1. Open the GPO Editor for the organization that is to use the Barracuda Spam Firewall Outlook Add-in, e.g., the default domain policy.
2. Either edit the default policy, or create a new policy object, then link it to the desired container. For example, the particular OU containing
the computers on which the add-in is to be installed.
3. In the GPO, navigate to Computer Configuration > Policies > Software Settings > Software Installation :
4. Right-click Software Installation, point to New, and click Package:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
329
Enter the UNC path to the .msi file located in the shared folder. For example, enter: \\fileserver\deploy
Click Open. In the Deploy Software dialog box, click Assigned:
Click OK . The policy displays in the GPO Editor window.
Deploying the Add-In to Machines with 64-bit Windows and 32-bit Outlook
If any of the machines in your environment have a 64-bit version of Windows installed but are using a 32-bit version of Outlook, you will need to
deploy the 32-bit MSI to these machines. If you are also deploying the 64-bit MSI for machines with both 64-bit Windows and 64-bit Outlook, then
both software deployment policies will apply to the machines with 32-bit Outlook, which will result in both MSIs being installed on these
machines. Since Outlook will only load the Add-In that matches its bitness, this should not cause any problems.
1. In the GPO Editor, navigate toComputer Configuration > Policies > Software Settings , and clickSoftware Installation.
2. Right-click the 32-bitBarracuda Spam Firewall Outlook AddIn, and clickProperties.
3. Click the Deployment tab, and click Advanced. In the Advanced deployment options section, select Make this 32-bit X86
application available to Win64 machines.
4. Click OK. In the Properties dialog box, click Apply, and click OK to to save your settings and close the dialog box.
Finishing the Configuration
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
330
After the Barracuda Spam Firewall Outlook AddIn is installed (either manually or through GPO), there is no initial configured identification with
your Barracuda Spam Firewall. This identification happens automatically as the add-in scans the user's inbox for recent messages and inspects
each message’s headers for a Barracuda Spam Firewall URI. If none is found, the add-in will monitor the user's inbox for new messages and
scan each new message header for a Barracuda Spam Firewall URI. When a Barracuda Spam Firewall URI is found, an authentication probe will
be initiated with that Barracuda Spam Firewall. The Barracuda Spam Firewall then sends an authentication probe via email to the user’s email
address, and the add-in will intercept the probe, extract the required authentication information contained in the probe, and then delete it. This
process is transparent to the user. Once the probe is received, the user is authenticated, and all of the add-in features are available for use.
Typically, this process should take no more than a few minutes.
Testing
Complete the following steps to test the Barracuda Spam Firewall Outlook Add-in deployment.
Group Policy updates can take several minutes to post; run gpupdate /force to perform an immediate update.
1. Restart a computer that is joined to the domain.
2. Verify that the Outlook Add-In is installed when you log in, and that the configured policies are applied.
Notify Users
Once the MSI file is successfully deployed, send the Outlook Add-In access details to your users. For additional resources, see the Barracuda
Spam Firewall User 's Guide 6.x.
Troubleshooting
1. A common cause of failure is the user and/or the user's computer does not have adequate access to the share location. Verify that that
all access and network privileges have been configured appropriately.
2. Additional error messages may be found in the Event Log on the domain computer.
3. If the Event Log has no useful information, consider enabling verbose logging and restarting the computer.
Configure the Add-In from the MS Outlook Client
For Microsoft Outlook 2003 and 2007:
1. Click Tools > Options.
2. Click the Barracuda Networks tab.
3. Click Configure to set whitelist options and configure actions for clicking the Spam and Not Spam buttons in the client.
For Microsoft Outlook 2010 and 2013:
1. In the MS Outlook client, click File > Barracuda Networks (Note that the UI graphics may look different between the versions, but the
actions you take are the same).
Figure 2: The File menu has a Barracuda Networks menu option.
2. Click the Configure button and configure whitelist and spam settings as described above.
Figure 3: The Barracuda Networks menu shows the Configure button to configure the add-in.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Copyright © 2017, Barracuda Networks Inc.
331
Barracuda Email Security Gateway Administrator's Guide - Page
332
Barracuda Outlook Add-In Deployment Guide 5.x
For information about the features of the Barracuda Email Security Gateway Outlook Add-In, please see the Barracuda Outlook Add-In
Overview 5.x. To use this add-in, you must enable Per-User quarantine on the Barracuda Email Security Gateway from BASIC >
Quarantine page in the Inbound Quarantine Type section. Also see Barracuda Spam Firewall User's Guide 5.x.
Note that the language for installation instructions is determined by your Microsoft Office installation locale. Supported languages for the add-in
include:
English
Spanish (continental)
French
Japanese
Dutch
Italian
Chinese
Polish
German
Step 1: Install the Barracuda Email Security Gateway Outlook Add-In Deployment Kit
1.
2.
3.
4.
Log into your Barracuda Email Security Gateway as an administrator.
Navigate to USERS > User Features.
Download the Outlook Add-In Deployment Kit.
Extract the contents somewhere easily accessible. It should contain:
a. Installer for the add-in for Outlook 64-bit (BsfOutlookAddIn-version_x64.msi) for Outlook 2010 and 2013.
b. Installer for the add-in for all other versions of Outlook (BsfOutlookAddIn-version_x86.msi).
c. The administrator module for the add-in (Barracuda Email Security Gateway Outlook Add-In version.adm).
5. Move (or copy) the file ending in .adm to your local %systemroot%\inf, directory. Typically, this will be: C:\Windows.
6. Copy the .msi file(s) to a location that is accessible by your user.
Configuring the Software Installation Network Share
If you do not already have a network share for GPO software deployment, you'll need to create one. The share should be
accessible from all the machines that the software will be deployed to. The permissions for the share should give read access
to the "Everyone" group, and the permissions for the underlying NTFS folder should give read access to the "Authenticated
Users" group. The software will be installed by the machines themselves rather than by users, and machines are not members
of the "Everyone" group, so this modification to the default permissions is required.
7. Open the GPO Editor for whichever organization will be using the add-in (e.g. the default domain policy).
8. Either edit the default policy or create a new policy object, then link it to the desired container; for example, the particular OU containing
the computers on which the add-in will be installed.
9. Expand User Configuration.
10. Right-click on Administrative Templates, select All Tasks, then Add/Remove Templates.
11. Navigate to %systemroot%\inf, select Barracuda Email Security Gateway Outlook Add-In<version#>.adm, and press Add….
Step 2: Configure the Add-In
1. While still in the GPO Editor, go to User Configuration\Administrative Templates and expand the Barracuda node that should now be
visible.
2. Click on Email Security Gateway.
3. Click on Barracuda Email Security Gateway Outlook Add-In version.
4. Configure settings as required. For an explanation of the available settings, click the Explain tab of the policy.
Step 3: Deploy the MSI
1. Start the Group Policy Editor for the domain for which you'll be installing the add-in.
2. Either edit the default policy or create a new policy object, then link it to the desired container; for example, the particular OU containing
the computers of users that should have the add-in. Please note that the software deployment policy must be for computers, not users.
3. Navigate to Computer Configuration/Software Settings/Software Installation.
4. Right-click on Software Installation and select New/Package…. Enter the UNC path to the MSI located in the shared folder.
5. Click OK.
Support for Outlook 64-bit (2010 and 2013)
If you have both 32-bit and 64-bit machines in your environment, but none of the 64-bit machines are running Outlook 64-bit, then the x86 version
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
333
of the MSI is the recommended version to use and is what is deployed by default to all 32-bit as well as 64-bit machines. However, if there are
some 64-bit machines that do have Outlook 64-bit installed, then there are 3 possible scenarios:
Scenario 1: Every 64-bit machine in your environment has Outlook 64-bit installed. In this case, perform all of the following steps:
a. Go the deployment tab for the 32-bit package.
b. Click the Advanced… button, and uncheck the Make this 32-bit x86 application available to Win64 machines option.
c. Repeat steps 3.1 - 3.5 for the 64-bit MSI.
The 32-bit MSI will now be deployed only to 32-bit machines, while the
64-bit MSI will be deployed only to 64-bit machines.
Scenario 2: Some 64-bit machines in your environment have Outlook 64-bit installed while others have the 32-bit versions of various other
Outlook versions on them, and Outlook was installed through a GPO. In this case, perform all of the following steps:
a. Apply the policy you created in the above steps to only those computers that were targeted for the installation of 32-bit Outlook.
b. Repeat steps 3.1 - 3.5 for the 64-bit MSI, and apply this second policy to only those computers that were targeted for the
installation of Outlook 64-bit.
The 64-bit MSI will only be installed on those computers with Outlook 64-bit installed, while the 32-bit add-in will be installed for all other
computers to which the policy has been applied.
Scenario 3: The 64-bit machines in your environment have a mixture of Outlook 2010 and 2013 64-bit and other 32-bit versions of Outlook
installed, but there are no existing AD containers that specify which of those computers have Outlook 64-bit on them. In this case, perform
only one of the following steps:
a. Manually create and populate these AD containers and then perform the steps in Scenario #2 above.
b. Consider installing Outlook 2010 32-bit on all computers (unless you have users that require the 64-bit capabilities of Office
64-bit)
c. Manually install the correct version of the add-in on each of the machines.
d. Allow your users to install the correct version of the add-in installer for themselves (they must have administrative privileges on
their computers).
Step 4: Testing
1. Remember that Group Policy updates can take several minutes to post. You can run
gpupdate /force
to perform an immediate update.
2. Restart a computer that is joined to the domain.
3. The add-in should be installed when you log in, and the policies you have configured should be applied.
Step 5: Troubleshooting
1. A common cause of failure is the user and/or the user's computer does not have adequate access to the share location. Verify that that
all access and network privileges have been configured appropriately.
2. Additional error messages may be found in the Event Log on the domain computer.
3. If the Event Log has no useful information, consider enabling verbose logging and restarting the computer.
4. Additional information on fixing Group Policy issues can be found here: http://technet.microsoft.com/en-us/library/cc775423.aspxh
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
334
SMTP Error Codes
This is a basic guide to the SMTP return (or 'error') codes you may see for rejected or deferred messages in the Message Log of the Barracuda
Email Security Gateway when an outbound message cannot be delivered to or accepted by the destination mail server. Depending on the actual
problem it encounters, the destination mail server that did not accept the message may not be able to provide detailed help on how to resolve a
problem. In this case the mail server may only provide an SMTP error code in the server's log, or in the text of the message returned to the
sender..
To view an SMTP error code for a rejected or deferred message in the Barracuda Email Security Gateway web interface:
1. Go to the BASIC > Message Log page.
2. Double click on the message.
3. In the Delivery Status field you might see Rejected and a Delivery Detail with an SMTP error code. This example shows error 554:
SMTP error codes you'll see in the Delivery Details field of the Message Details popup for a rejected or deferred message include the following,
with more details listed in the table below:
420 - The message has been deferred due to suspect content.Try again later.
421 - The service is not available and the connection will be closed.
450 - The requested command failed because the user's mailbox was unavailable (for example because it was locked). Try again later.
451 - The command has been aborted due to a server error. Perhaps contact the the administrator to alert him/her of the issue.
452 - The command has been aborted because the server has insufficient system storage.
454 - TLS encoding is not available due to a temporary condition.
500 - The server could not recognize the command due to a syntax error.
501 - A syntax error was encountered in command arguments.
502 - This command is not implemented.
503 - The server has encountered a bad sequence of commands.
504 - A command parameter is not implemented.
530 - Must issue STARTTLS command.
535 - Authentication failed.
550 - The requested command failed because the user's mailbox was unavailable (for example, because it was not found, or because
the command was rejected for policy reasons).
551 - The recipient is not local to the server. The server then gives a forwarding address to try.
552 - The action was aborted due to exceeded storage allocation.
553 - The command was aborted because the mailbox name is invalid.
554 - The transaction failed.
Error
Code
Description
4XX_RVERIFY_DEFER
400
Deferred: temporary directory error
4XX_SUSPECT_REALTIME
420
Deferred due to suspect content, please try
again later
4XX_TIMEOUT
421
Error: timeout
4XX_CLIENT_DISCONNECT
421
Client disconnected
4XX_EINTERNAL
421
Internal error
4XX_ESEND
421
Failed to reply to client
4XX_TOO_MANY_ERRORS
421
Too many errors
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
335
4XX_MSG_PER_SESSION
421
Error: too many messages in one session
4XX_TEMP_FAIL
421
Service not available, closing transmission
channel. Try again later.
4XX_VIRUSSCAN_TEMP_FAIL
421
Temporary failure. Try again later.
4XX_TEMP_RECIP
450
Requested action not taken: mailbox
unavailable.
4XX_EINTERNAL
451
Internal error.
4XX_EINTERNAL
451
Requested action aborted: local error in
processing.
4XX_TOO_MANY_RECIPS
452
Too many recipients.
4XX_TLS_TEMP_FAIL
454
TLS not available due to temporary reason.
4XX_BLOCKED_RATE
454
Too many connections from origin (rate
control).
4XX_BLOCKED_RATE2
454
Too many connections to server (rate
control).
4XX_SYNTAX_ERROR
500
Syntax error, command unrecognized.
5XX_INVALID_CHAR_RECIP
500
Syntax error - invalid character.
5XX_INVALID_PARAM
501
Syntax error in parameters or arguments.
5XX_AUTH_ABORT
501
Authentication aborted.
5XX_AUTH_MALFORMED
501
Malformed authentication input.
5XX_AUTH_RESPONSE_BAD
501
Error: malformed authentication response.
5XX_DATA_LINE_TOO_LONG
501
Command line too long or no terminating
CRLF in line buffer .
5XX_DATA_MISSING_CRLF
501
No terminating CRLF in line buffer.
5XX_NO_SUCH_COMMAND
502
This command is not implemented.
5XX_MISSING_EHLO
503
Error: send HELO/EHLO first.
5XX_ALREADY_AUTH
503
Error: already authenticated.
5XX_AUTH_REQUIRES_TLS
503
Issue STARTTLS first before using clear text
password.
5XX_BAD_AUTH_COMMAND_SEQ
503
Bad sequence of authentication commands Try the following: AUTH CRAM-MD5, AUTH
LOGIN.
5XX_BAD_COMMAND_SEQ
503
Bad sequence of commands.
5XX_AUTH_REQUIRES_TLS
504
Error: encryption required for requested
authentication mechanism.
5XX_NEED_FQDN
504
Need Fully Qualified Address (FQDN).
5XX_ERROR_PARAM
504
Command parameter not implemented.
5XX_AUTH_UNSUPPORTED
504
Error: unsupported mechanism.
5XX_AUTH_TYPE
504
Unrecognized authentication type.
5XX_AUTH_REQUIRES_TLS
530
Authentication required.
5XX_REQUIRES_TLS
530
Must issue STARTTLS.
5XX_AUTH_FAILED
535
Authentication failed.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
336
5XX_BLOCKED_RECIP
550
Recipient email address rejected.
5XX_BLOCKED_IP
550
Blocked IP address.
5XX_BLOCKED_SENDER2
550
Sender Rejected.
5XX_BLOCKED_SENDER3
550
Sender email address rejected.
5XX_INVALID_DOMAIN
550
No such domain at this location.
5XX_HANGUP
550
Executing hangup request.
5XX_DISCARD
550
Executing discard request.
5XX_EMPTY_SENDER
550
Empty envelope senders not allowed.
5XX_INVALID_SENDER2
550
Invalid sender address.
5XX_BLOCKED_IP2
550
Sender IP address rejected.
5XX_SPF_FAIL
550
Rejecting for Sender Policy Framework
(SPF).
5XX_RECIP 550
550
Requested action not taken: mailbox
unavailable.
5XX_SPOOFED
550
Rejecting spoofed message.
5XX_MSG_SIZE
552
Error: message too large.
5XX_MSG_SIZE2
552
Message size exceeds fixed limit.
5XX_FAIL_RECIP
553
Requested action not taken: mailbox name
not allowed.
5XX_NO_ACTION
553
Requested action not taken.
5XX_INVALID_RECIP
553
Requested action not taken: mailbox name
not allowed.
5XX_FAILED
554
Transaction failed.
5XX_BLOCKED_VIRUS
554
Rejected due to virus.
5XX_BLOCKED_SPAM
554
Rejected due to spam content.
5XX_BLOCKED_NO_PTR
554
IP name lookup failed. No PTR record found
for the given IP address.
5XX_BLOCKED_RBL
554
Service unavailable; client host blocked. The
final sending domain or IP address may be
on a Real Time Blacklist (RBL).
5XX_BLOCKED_ATT
554
Rejecting banned file attachment.
5XX_BLOCKED_ATT_ENC
554
Rejecting password protected file
attachment.
5XX_BLOCKED_BBL
554
Service unavailable; client host [IP or
hostname] blocked using Barracuda
Reputation; http://www.barracudanetworks.c
om/reputation/
5XX_BLOCKED_DLP
554
Rejected due to banned content.
5XX_BLOCKED_SPAM2
554
Rejected due to banned content.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
337
How to Customize SMTP Response Messages
Advanced Feature
This feature is for advanced administrators and internet service providers.
Customizing SMTP Responses
From the ADVANCED > SMTP Responses page in the web interface you can choose to override default SMTP error response messages with
customized text. Only ASCII characters are supported. To create the customized text:
1. Check the error code line to enable use of an alternate/customized message.
2. Edit the default text. You can optionally use one or more of the macros shown in the top section of the page to insert server hostname,
client HELO/EHLO, sending client IP address and/or other email message information into the response message.
Use macros from the top of the page to insert customized information such as an IP address. In this example, the phrase your IP is replaced
using the ${client[addr]} - sending client IP address macro.
An ISP might want to customize the Need Fully Qualified Address message:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
338
Barracuda Outlook Add-In Deployment Guide version 7 and Above
This article applies to the Barracuda Email Security Gateway running version 7 and above. For information about the features of the
Barracuda Email Security Gateway Outlook Add-In, please see the Barracuda Outlook Add-In Overview 6 and Above. The
Barracuda Microsoft Outlook Add-In is compatible with MS Outlook 2003 - 2016 (version 2016 requires the Barracuda Email
Security Gateway version 7.1.1.003 or higher).
If you want end-users to use Bayesian classification via this add-in, you must enable Per-User Quarantine on the Barracuda Email
Security Gateway from BASIC > Quarantine page in the Inbound Quarantine Type section. See also Bayesian Analysis Inbound.
This guide applies to the Barracuda Email Security Gateway 300 and above, version 6.0 and above.
If the SMTP option Remove Barracuda Headers is turned off in the ADVANCED > Email Protocol page, any custom X-headers that
the Barracuda Email Security Gateway has applied before the message leaves the appliance will be removed. Important: If these
headers are removed, the Barracuda Outlook add-in or other add-in will not function.
Note that the language for add-in options is determined by your Microsoft Office installation locale. Supported languages for the add-in include:
English
Spanish (continental)
French
Japanese
Dutch
Italian
Chinese
Polish
German
Step 1: Install the Outlook Add-In Deployment Kit
1. Log into your Barracuda Email Security Gateway as an administrator.
2. Navigate to USERS > User Features and download the Outlook Add-In Deployment Kit (a .zip file) to the local system running Windows
Vista or above.
3. Extract the contents somewhere easily accessible. The deployment kit should contain the following:
Barracuda Email Security GatewayOutlook Add-in installer for Outlook 2010 64-bit or for Outlook 2013 64-bit (BsfOutlookAddIn
-8.0.3.0_x64.msi)
Barracuda Email Security Gateway Outlook Add-in installer for all other versions of Outlook (BsfOutlookAddIn-8.0.3.0_x86.msi
).
Barracuda Email Security Gateway Outlook Add-in Administrator module (Barracuda Email Security Gateway Outlook
Add-In version.admx
Step 2. Optional: Configure the Outlook Add-In
If you want to use GPO:
1. Go to the installation location, and open the ADMX folder, for example:
C:\Program Files\Barracuda\Spam Firewall\Deployment Kit\ADMX
2. Copy the ADMX and ADML locale directories to the PolicyDefinitions folder on your system, for example:
%systemroot%\sysvol\domain\policies\PolicyDefinitions
This procedure applies to domain controllers running Windows Server 2008 or higher; to edit local policy or domain policies on
a domain controller running Windows Server 2003 or earlier, consult Microsoft's documentation.
3. Start the Group Policy (GPO) Editor for the domain where you will be installing the Add-In. You can edit the default policy or create a new
policy object and link it to the desired container, for example, the particular OU containing the computers of users that will be using the
Add-In.
In order to create and edit domain-based GPOs with the latest Group Policy settings using ADMX files, you must have a Windo
ws Server 2008 domain name resolvable through a DNS Server, and a Windows Vista system to view policy settings from
ADMX files while editing the domain-based GPO.
In the GPO, expand User Configuration > Administrative Templates > Barracuda > Spam Firewall > Outlook Add-In:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
339
Configure any policies as needed. You will need to recreate any policies you previously configured, and then remove the old ADM
template.
Step 3. Deploy the MSI File
1. Open the GPO Editor for the organization that is to use the Barracuda Email Security Gateway Outlook Add-in, e.g., the default domain
policy.
2. Either edit the default policy, or create a new policy object, then link it to the desired container. For example, the particular OU containing
the computers on which the add-in is to be installed.
3. In the GPO, navigate to Computer Configuration > Policies > Software Settings > Software Installation :
4. Right-click Software Installation, point to New, and click Package:
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
340
5. Enter the UNC path to the .msi file located in the shared folder. For example, enter: \\fileserver\deploy
6. Click Open. In the Deploy Software dialog box, click Assigned:
7. Click OK . The policy displays in the GPO Editor window.
Deploying the Add-In to Machines with 64-bit Windows and 32-bit Outlook
If any of the machines in your environment have a 64-bit version of Windows installed but are using a 32-bit version of Outlook, you will need to
deploy the 32-bit MSI to these machines. If you are also deploying the 64-bit MSI for machines with both 64-bit Windows and 64-bit Outlook, then
both software deployment policies will apply to the machines with 32-bit Outlook, which will result in both MSIs being installed on these
machines. Since Outlook will only load the Add-In that matches its bitness, this should not cause any problems.
1. In the GPO Editor, navigate toComputer Configuration > Policies > Software Settings , and clickSoftware Installation.
2. Right-click the 32-bitBarracuda Email Security Gateway Outlook AddIn, and clickProperties.
3. Click the Deployment tab, and click Advanced. In the Advanced deployment options section, select Make this 32-bit X86
application available to Win64 machines.
4. Click OK. In the Properties dialog box, click Apply, and click OK to to save your settings and close the dialog box.
Finishing the Configuration
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
341
After the Barracuda Email Security Gateway Outlook AddIn is installed (either manually or through GPO), there is no initial configured
identification with your Barracuda Email Security Gateway. This identification happens automatically as the add-in scans the user's inbox for
recent messages and inspects each message’s headers for a Barracuda Email Security Gateway URI. If none is found, the add-in will monitor the
user's inbox for new messages and scan each new message header for a Barracuda Email Security Gateway URI. When a Barracuda Email
Security Gateway URI is found, an authentication probe will be initiated with that Barracuda Email Security Gateway. The Barracuda Email
Security Gateway then sends an authentication probe via email to the user’s email address, and the add-in will intercept the probe, extract the
required authentication information contained in the probe, and then delete it. This process is transparent to the user. Once the probe is received,
the user is authenticated, and all of the add-in features are available for use. Typically, this process should take no more than a few minutes.
Testing
Complete the following steps to test the Barracuda Email Security Gateway Outlook Add-in deployment.
Group Policy updates can take several minutes to post; run gpupdate /force to perform an immediate update.
1. Restart a computer that is joined to the domain.
2. Verify that the Outlook Add-In is installed when you log in, and that the configured policies are applied.
Notify Users
Once the MSI file is successfully deployed, send the Outlook Add-In access details to your users. For additional resources, see the Barracuda
Email Security Gateway User 's Guide 6.x.
Troubleshooting
1. A common cause of failure is the user and/or the user's computer does not have adequate access to the share location. Verify that that
all access and network privileges have been configured appropriately.
2. Additional error messages may be found in the Event Log on the domain computer.
3. If the Event Log has no useful information, consider enabling verbose logging and restarting the computer.
Configure the Add-In from the MS Outlook Client
For Microsoft Outlook 2003 and 2007:
1. Click Tools > Options.
2. Click the Barracuda Networks tab.
3. Click Configure to set whitelist options and configure actions for clicking the Spam and Not Spam buttons in the client.
For Microsoft Outlook 2010 and 2013:
1. In the MS Outlook client, click File > Barracuda Networks (Note that the UI graphics may look different between the versions, but the
actions you take are the same).
2. Click the Configure button and configure whitelist and spam settings as described above.
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Copyright © 2017, Barracuda Networks Inc.
342
Barracuda Email Security Gateway Administrator's Guide - Page
343
LDAP Error Codes
The LDAPResult is the construct used in this protocol to return success or failure indications from servers to clients. In response to various
requests, servers will return responses containing fields of type LDAPResult to indicate the final status of a protocol operation request. The
contents of the table below are from RFC 2251.
All the result codes with the exception of success, compareFalse and compareTrue are to be treated as meaning the operation could not be
completed in its entirety. If a client receives a result code which is not listed in the table, it is to be treated as an unknown error condition.
LDAP Server Return Codes
LDAPResult
resultCode
Success
0
Operations error
1
Protocol error
2
Time limit exceeded
3
Size limit exceeded
4
Compare false
5
Compare true
6
Strong authentication not supported
7
Strong authentication required
8
Partial results
9
No such attribute
10
Admin limit exceeded
11
unavailableCriticalExtension
12
confidentialityRequired
13
saslBindInProgress
14
No such attribute
16
Undefined attribute type
17
Inappropriate matching
18
Constraint violation
19
Attribute or value exists
20
Invalid attribute syntax
21
UNUSED
(22-31)
No such object
32
Alias problem
33
Invalid DN syntax
34
RESERVED
35
Alias dereferencing problem
36
UNUSED
(37-47)
Inappropriate authentication
48
Invalid credentials
49
Copyright © 2017, Barracuda Networks Inc.
Barracuda Email Security Gateway Administrator's Guide - Page
Insufficient access rights
50
Busy
51
Unavailable
52
Unwilling to perform
53
Loop detect
54
UNUSED
(55-63)
Naming violation
64
Object class violation
65
Not allowed on nonleaf
66
Not allowed on RDN
67
Entry already exists
68
Object class mods prohibited
69
RESERVED
70
affectsMultipleDSAs
71
UNUSED
(72-79)
OTHER
80
Can't contact LDAP server
81
Local error
82
Encoding error
83
Decoding error
84
Timed out
85
Unknown authentication method
86
Bad search filter
87
User cancelled operation
88
Bad parameter to an ldap routine
89
Out of Memory
90
Copyright © 2017, Barracuda Networks Inc.
344
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertising