Advanced Configuration
In this Section
Sender Authentication
Recipient Verification
Remote IMAP/POP Accounts
Advanced Networking
Non-Delivery Reports
Remote Administration
https://techlib.barracuda.com/IwA7
Sender Authentication
This is a key feature of the Barracuda Spam Firewall for protecting your network and users from spammers who might
"spoof" a domain or otherwise hide the identity of the true sender. The following techniques are used to verify the "from"
address of a message.
To use the Invalid Bounce Suppression feature, the Barracuda Spam Firewall must have Outbound Relay configured on
the BASIC > Outbound page. For more details about Outbound Relay, refer to How to Route Outbound Mail From the
Barracuda Spam Firewall.
Configure Invalid Bounce Suppression on the BLOCK/ACCEPT > Sender Authentication page and enter a Bounce
Suppression Shared Secret: a non-null password that is included in the headers of valid emails sent from and
bounced back to the Barracuda Spam Firewall. When this feature is enabled, email bounces that don't include the
password are blocked. In a clustered environment, the Bounce Suppression Shared Secret is synchronized across all
Barracuda Spam Firewalls in the cluster.
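An added example, not Barracuda's code and not a description of how the appliance encodes the secret: the general idea behind Invalid Bounce Suppression, sketched with an HMAC tag over the Message-ID carried in a hypothetical X-Example-Bounce-Token header. The secret, header name, token format and sample bounce are all constructed for illustration.

```python
import hashlib
import hmac
from email import message_from_string

# Hypothetical names and values; the appliance's real header and format are not documented here.
SECRET = b"example-shared-secret"
TOKEN_HEADER = "X-Example-Bounce-Token"

def make_token(message_id: str, secret: bytes = SECRET) -> str:
    """Keyed tag over the Message-ID, stamped on every outbound message."""
    return hmac.new(secret, message_id.encode(), hashlib.sha256).hexdigest()

def original_headers(bounce):
    """Return the headers of the message a bounce claims to return, or None."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":        # full original message attached
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":   # only the original headers attached
            return message_from_string(part.get_payload())
    return None

def bounce_is_valid(raw_bounce: str, secret: bytes = SECRET) -> bool:
    """Accept a bounce only if the returned message carries a tag we issued."""
    orig = original_headers(message_from_string(raw_bounce))
    if orig is None:
        return False                         # nothing to verify: treat as invalid
    token = str(orig.get(TOKEN_HEADER, "")).strip()
    msg_id = str(orig.get("Message-ID", "")).strip()
    if not token or not msg_id:
        return False
    # Constant-time comparison so the check does not leak the expected tag.
    return hmac.compare_digest(token.encode(), make_token(msg_id, secret).encode())

def sample_bounce(extra_header: str = "") -> str:
    """Constructed bounce returning a message with Message-ID <1234@corp.example>."""
    returned = (
        "Message-ID: <1234@corp.example>\nFrom: alice@corp.example\n"
        f"{extra_header}\nOriginal body\n"
    )
    return (
        "From: MAILER-DAEMON@remote.example\nTo: alice@corp.example\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
        "--b1\nContent-Type: message/rfc822\n\n" + returned + "--b1--\n"
    )
```

A bounce for mail that never left your system has no way to carry a valid tag, which is why forged bounces fail the check while genuine ones pass.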
You can choose to tag, block or quarantine both DKIM signed messages that fail the DKIM database check as well as
unsigned messages, depending on how you configure DomainKeys Inspection on the BLOCK/ACCEPT > Sender
Authentication page. You can also exempt domains from being tagged, quarantined or blocked if they fail this check. As
stated elsewhere in this guide, it is safest to NOT exempt domain names from any kind of spam filtering due to the
possibility of domain name spoofing by spammers.
DomainKeys Inspection does require more CPU resources to encrypt and decrypt the key and is turned off by default.
Messages that pass DKIM checks will still be scanned for spam.
Custom policies
Organizations can define their own allowed sender domains or email addresses for sender authentication using the
BLOCK/ACCEPT > Sender Filters page, but the safest way to indicate valid senders on the Barracuda Spam Firewall is to
whitelist (allow) the IP addresses of trusted email servers on the BLOCK/ACCEPT > IP Filters page, then blocklist (block,
quarantine or tag) their domain names on the BLOCK/ACCEPT > Sender Filters page to prevent domain name spoofing.
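An added example, not the appliance's filtering code: why the allow-by-IP, block-by-domain combination above resists spoofing where a domain allowlist does not. The networks, domains, verdict names, subdomain matching and the assumption that an IP allow entry is evaluated before Sender Filters are all constructed for illustration.

```python
import ipaddress

# Constructed policy: a trusted partner relays mail only from 203.0.113.0/28.
TRUSTED_RELAYS = [ipaddress.ip_network("203.0.113.0/28")]   # IP Filters: allow
BLOCKED_SENDER_DOMAINS = {"partner.example"}                 # Sender Filters: block
ALLOWED_SENDER_DOMAINS = {"partner.example"}                 # the weaker alternative

def sender_domain(mail_from: str) -> str:
    """Domain part of an envelope sender, normalised for comparison."""
    return mail_from.strip("<> ").rsplit("@", 1)[-1].lower().rstrip(".")

def domain_matches(domain: str, entries) -> bool:
    """Match the domain itself or any subdomain (assumed matching rule)."""
    return any(domain == d or domain.endswith("." + d) for d in entries)

def evaluate(client_ip: str, mail_from: str) -> str:
    """Recommended policy: trust the connecting IP, distrust the claimed domain."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_RELAYS):
        return "allow"      # the real partner server: exempt before sender checks
    if domain_matches(sender_domain(mail_from), BLOCKED_SENDER_DOMAINS):
        return "block"      # claims the partner's domain from an unknown server
    return "scan"           # everyone else goes through normal spam scanning

def evaluate_domain_allowlist(client_ip: str, mail_from: str) -> str:
    """Weaker policy: allow by sender domain, which the sender controls."""
    if domain_matches(sender_domain(mail_from), ALLOWED_SENDER_DOMAINS):
        return "allow"      # a spoofed sender address is enough to pass
    return "scan"

if __name__ == "__main__":
    spoof = ("198.51.100.7", "ceo@partner.example")   # constructed spoofed message
    print(evaluate(*spoof), evaluate_domain_allowlist(*spoof))
```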
Recipient Verification
LDAP Lookup
On the Barracuda Spam Firewall 300 and higher, email recipients can be validated with your existing LDAP server.
Configuration of LDAP lookup is done at the domain level. From the DOMAINS > Domain Manager page, after clicking
Manage Domain for the selected domain, you'll configure LDAP on the USERS > LDAP Configuration page. Click the
Help button on that page for details about entering your server details. If LDAP is not configured, the Barracuda Spam
Firewall will do SMTP recipient verification through RCPT TO commands.
LDAP server types supported include Active Directory, Novell eDirectory, Domino Directory and OpenLDAP.
Alias Linking
Alias linking allows quarantined email from multiple accounts to be directed to one account when using per-user quarantine.
On the ADVANCED > Explicit Users page you can specify the email addresses to be linked together in the Explicit Users
to Accept For and Alias Linking text box. Click the Help button on that page for more details. The quarantine account for
all of the linked email addresses will be associated with the first email address. Make sure to also enter the first email
address on a separate line as well. In this way, a "catchall" account can be created to receive all quarantined emails from a
particular domain.
Advanced Networking
Port Forwarding
If your organization has a single public IP address, when you install the Barracuda Spam Firewall between the Internet and
your mail server, you can forward incoming SMTP traffic (port 25) from port 80 on the Barracuda to your mail server using
the Port Forwarding feature from the ADVANCED > Advanced Networking page.
Static Routes
With the Barracuda Spam Firewall 600 (and 600Vx) and higher, you can specify a default gateway between the Barracuda
Spam Firewall and a mail server on another subnet in your organization using the Static Routes feature on the ADVANCED
> Advanced Networking page. This will guarantee that return traffic is routed back to the Barracuda Spam Firewall from
the unassociated network. If you have problems with static route configuration, please contact Barracuda Networks
Technical Support.
Loopback Adapter
If you want to use this Barracuda Spam Firewall with a Barracuda Load Balancer in Direct Server Return mode, you must
enable a non-ARPing loopback adapter. If you are using any other mode you do not need to make any changes to the
Barracuda Spam Firewall configuration.
Each Virtual IP address supported by the Real Server (the Barracuda Spam Firewall in this case) requires its own loopback
adapter. For each loopback adapter, enter a Virtual IP address in the Loopback Adapter Configuration field on the
ADVANCED > Advanced Networking page.
Non-Delivery Reports
Spam Bounce Non-Delivery Reports (NDRs)
The Barracuda Spam Firewall sends NDRs to email recipients and senders when one of their messages is blocked. The NDR
contains a brief explanation of why the Barracuda Spam Firewall blocked the message. Information that you may want to
add to an NDR includes the contact information of the Barracuda Spam Firewall administrator so that internal users know
who to contact if they have questions about a blocked message.
The ADVANCED > Bounce/NDR Messages page in the Barracuda Spam Firewall web interface allows for customizing the
information in an NDR and for selecting the default language to use in the message.
Reducing Backscatter
By default, your Barracuda Spam Firewall is configured to NOT send an NDR to a sender when the Barracuda Spam Firewall
blocks their email (see the NDR on Block setting on the ADVANCED > Bounce/NDR Settings page). You may want to
enable NDRs to alert legitimate senders that their message has not been delivered to the recipient. However, if the email
came from an illegitimate source such as a spammer, then sending a bounce notification is not necessary.
Additionally, many spammers spoof valid domains, and you don't want to send bounce messages to your domain if it is
being spoofed. Sending bounce messages to illegitimate senders, or to senders who were spoofed and did not actually send
the offending message, is known as backscatter. Backscatter can increase the load on your Barracuda Spam Firewall and
may generate a lot of email to fake addresses or to senders whose email addresses were spoofed by a spammer. Your
domain could also end up on a real-time blocklist as a consequence.
If your Barracuda Spam Firewall rarely blocks a legitimate email, consider setting NDR on Block to No for Inbound and/or
Outbound mail to reduce backscatter.
Remote Administration
Barracuda Networks provides a set of APIs for remote administration and configuration of the Barracuda Spam Firewall. The
APIs work through manipulation of variables inside of the system configuration database, and anything that can be declared
in that database can be set or checked with the APIs. This includes most things that you can set by clicking the Save
Changes button in the Barracuda Spam Firewall web interface. For example, from the BASIC > Spam Checking page, you
can set global Spam Scoring Limit values for the actions Block, Tag or Quarantine, then click the Save Changes button.
These values can be set remotely using the APIs.
The API framework lets the programmer get or set variables inside an XML-RPC request that correspond to
field values in the configuration database in the Barracuda Spam Firewall. Some languages, such as Perl,
provide wrappers for XML-RPC requests, providing an interface to form the request. To view the variables and current
settings of the Barracuda Spam Firewall configuration database, on the ADVANCED > Backup page, select System
Configuration for Backup Type and click the Backup button.
To prepare the Barracuda Spam Firewall for use with the APIs, you must first enter the IP addresses that are allowed to
communicate with the APIs in the Allowed SNMP and API IP/Range field on the BASIC > Administration page, and you
must create an API Password that will be included with all calls to the APIs. For more information on using the APIs, see the
Barracuda Spam Firewall API Guide.