How to get a Barracuda Spam Firewall 300 to talk to LDAP on an Exchange 2007 server?

We just installed a new Barracuda Spam Firewall 300 and everything is working fine, except that when I go to configure the LDAP settings on the Barracuda the LDAP test keeps failing. I know that when I telnet to the mail server on port 389 I get nothing, so that tells me the Barracuda cannot talk to LDAP on my mail server. How do I fix this?
amoosAsked:
ziggykCommented:
Did you set up an account in Active Directory for the barracuda to use?

Is your barracuda internal to your domain or external?

Is your Exchange server also a domain controller? If not, you need to tell the Barracuda to use the DC, not the Exchange server.

Could you post the message that the Barracuda returns when you click the Test LDAP button? It should pop up with an "LDAP Test Unsuccessful (details below)" box.

FYI, when you telnet to port 389 it should return nothing. So your Barracuda could be talking to LDAP.
amoosAuthor Commented:
The Barracuda is internal to our network. It is behind a firewall. My Exchange server is not a domain controller, just a mail server.

Below is the message that I get from the LDAP test in the Barracuda:

could not set open file limit to 8192: Operation not permitted
lookup order: fb
listening on localhost/56656
answering client connection request from 127.0.0.1/56657
received from 127.0.0.1/56657: GET administrator@op%2dtn.org
email address: administrator@op-tn.org
administrator@op-tn.org not found in cache
LDAP test succeeded
requesting LDAP connection to 192.168.10.4/389 for 127.0.0.1/56657
binding with '(null)' / '(null)'
failed to bind to LDAP directory 192.168.10.4/389: Can't contact LDAP server
resetting LDAP connection to 192.168.10.4/389
reaping LDAP connection to 192.168.10.4/389
delisting LDAP connection to 192.168.10.4/389
LDAP connect failed on user administrator@op-tn.org: Connection failed
telling 127.0.0.1/56657: FAILED
received from 127.0.0.1/56657: QUIT
hanging up on client 127.0.0.1/56657
exiting on SIGTERM

If I point the Barracuda at my DC for the LDAP settings, will that hurt anything with the mail?
ziggykCommented:
Pointing your Barracuda at your DC won't do anything. The LDAP query will only look at the directory and not actually write anything to it. I created a user called ldap and use it for my Barracuda. That account only needs to be part of the Domain Users group and nothing more.

Check your LDAP settings to make sure:
LDAP Server: SERVERNAME.op-tn.org
LDAP Port: 389
Exchange Accelerator: YES
Unify Email Address: YES
SSL: OFF
Require SSL: NO
Bind DN: ldap@op-tn.org
Bind Password: ldap's password
LDAP Filter: (|(proxyaddresses=smtp$${recipient_email})(proxyaddresses=smtp:${recipient_email}))
-- the filter can be changed, but this one looks at all of the user's e-mail addresses for verification
LDAP Search Base: ${defaultNamingContext}
LDAP UID: sAMAccountName
LDAP Primary Email Attribute: MAIL
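What the settings above and the log in the question look like on the wire, as an added example that is not part of the original thread and not Barracuda or Exchange code: the appliance's LDAP test is a TCP connect to the configured server on port 389 followed by an LDAPv3 simple bind (RFC 4511). An LDAP server says nothing until the client sends that first message, which is why a bare telnet to 389 prints nothing even when the server is fine. The log fails earlier, at "Can't contact LDAP server", because a mailbox-only Exchange server has nothing listening on 389 at all, and "binding with '(null)' / '(null)'" is an anonymous bind, i.e. empty name and password. The script below hand-encodes the bind request and response in BER so the exchange can be inspected offline; `ldap_bind()` sends a real one when given a DC. Active Directory accepts a UPN such as ldap@op-tn.org as the bind name, so no distinguished name is needed. The credentials are constructed samples. The decoder also makes the practical caveat concrete: with SSL OFF the bind password crosses the network readable by anyone on the path between appliance and DC, so either that path has to be trusted or LDAPS (636) should be used.

```python
"""
LDAPv3 simple bind on the wire, encoded by hand with BER (RFC 4511 / X.690).
Added example, not Barracuda or Exchange code. The bind name style
'ldap@op-tn.org' follows the thread; the password is a constructed sample.
"""
import socket


def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, else 0x80|count then the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(n: int) -> bytes:
    """INTEGER for non-negative values (message IDs, protocol version)."""
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def bind_request(msg_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    An empty name and password is an anonymous bind, which is what the
    appliance log in the thread prints as binding with '(null)' / '(null)'."""
    simple = tlv(0x80, password.encode("utf-8"))                  # [0] simple OCTET STRING
    bind = tlv(0x60, ber_int(3) + tlv(0x04, name.encode("utf-8")) + simple)  # [APPLICATION 0]
    return tlv(0x30, ber_int(msg_id) + bind)


def parse_bind_request(pkt: bytes) -> dict:
    """Decode a BindRequest. Everything, the password included, is readable:
    this is what a plain port 389 session (SSL: OFF) carries."""
    _, msg, _ = read_tlv(pkt)
    _, msg_id, pos = read_tlv(msg)
    tag, bind, _ = read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = read_tlv(bind)
    _, name, pos = read_tlv(bind, pos)
    tag, cred, _ = read_tlv(bind, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind (SASL uses context tag 3)")
    return {"message_id": int.from_bytes(msg_id, "big"),
            "version": int.from_bytes(version, "big"),
            "name": name.decode("utf-8"),
            "password": cred.decode("utf-8")}


def bind_response(msg_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """BindResponse [APPLICATION 1] { resultCode ENUMERATED, matchedDN, diagnosticMessage }.
    Used here to construct sample replies for the decoder below."""
    body = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode("utf-8"))
    return tlv(0x30, ber_int(msg_id) + tlv(0x61, body))


def parse_bind_response(pkt: bytes) -> dict:
    """Decode a BindResponse: resultCode 0 = success, 49 = invalidCredentials (RFC 4511)."""
    _, msg, _ = read_tlv(pkt)
    _, msg_id, pos = read_tlv(msg)
    tag, result, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(result)
    _, _matched_dn, pos = read_tlv(result, pos)
    _, diagnostic, _ = read_tlv(result, pos)
    return {"message_id": int.from_bytes(msg_id, "big"),
            "result_code": int.from_bytes(code, "big"),
            "diagnostic": diagnostic.decode("utf-8", errors="replace")}


def ldap_bind(host: str, name: str, password: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Send one simple bind and decode the reply (live network call).
    A refused or timed-out connect is what the appliance reports as
    "Can't contact LDAP server": a mailbox-only Exchange server has nothing
    listening on 389, so host must be a domain controller."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1, name, password))
        data = sock.recv(4096)              # bind responses are small; one read suffices here
    return parse_bind_response(data)


if __name__ == "__main__":
    pkt = bind_request(1, "ldap@op-tn.org", "example-password")   # constructed sample credentials
    print(pkt.hex(" "))                      # the UPN and the password are visible in the bytes
    print(parse_bind_request(pkt))
    print(parse_bind_response(bind_response(1, 0)))
```

Running the file prints the hex of the request followed by the decoded fields; to test against a real DC, call `ldap_bind("dc.op-tn.org", "ldap@op-tn.org", password)` and check that `result_code` is 0 (49 means the account or password is wrong, a connection error means the wrong host or a blocked port).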
amoosAuthor Commented:
OK, I made those changes and it works, but we are also using anti-spam on the Exchange 2007 server for extra filtering, and when I send an email to an account it gets caught as spam.

Why is this?

It was not like that before.
ziggykCommented:
That's a whole different question, to be honest with you.

I would think that it has to do with the Barracuda possibly changing the e-mail slightly and the Exchange server picking it up as spam.

I personally would turn off Exchange's spam filtering and just use the Barracuda. I get about one spam a month just using my Barracuda.

I have my settings set at:
Tag Score: 10
Quar. Score: 4
Block Score: 7
amoosAuthor Commented:
Great, thank you.
eclipseaviationCommented:
Hi,
We have a Barracuda 400 and are looking at setting this up. My question is, why?
Can someone tell me the advantages and disadvantages of setting up the LDAP config?
Does it speed things up, or what?
There has to be some disadvantages too.

Thanks
ziggykCommented:
Advantages:
- Ensures that a user/group exists before even processing the e-mail for SPAM
- Saves processing time on Barracuda because it doesn't have to process every message

Disadvantages
- If your Barracuda and LDAP server are in the same location, you won't have any disadvantages. Even if they aren't in the same location, the LDAP queries do not take up much bandwidth.
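ziggyk's filter in his earlier post and the "ensures that a user exists before processing" advantage above come down to the same operation: the recipient address of the incoming message is substituted for `${recipient_email}` in the filter template and the DC is asked whether any entry matches. The following is an added example, not Barracuda code, that builds such a filter from a template in the same style (assumed here as a `proxyAddresses=smtp:` clause plus the `mail` attribute named as the primary e-mail attribute in that post), escapes the substituted value as RFC 4515 requires, and evaluates the result against a constructed directory of two op-tn.org users. The escaping is the security-relevant part: `*`, `(`, `)` and `\` are filter syntax, so a raw address such as `*@op-tn.org` would match every mailbox and an address containing `)(mail=*` would splice a clause into the filter, defeating the verification. Whether the appliance escapes internally is not something this thread says; the example shows what the filter does with and without it.

```python
"""
Recipient verification as an LDAP filter: expand the ${recipient_email}
template, escape the value per RFC 4515, evaluate against directory entries.
Added example, not Barracuda code. The template shape, the entries and the
addresses are constructed for illustration.
"""
import re

# Assumed template in the style of the thread's filter: a secondary smtp:
# proxy address or the primary mail attribute.
TEMPLATE = "(|(proxyAddresses=smtp:${recipient_email})(mail=${recipient_email}))"

# Constructed sample of what the DC would hold. Keys are lower-cased because
# AD attribute names are matched case-insensitively.
DIRECTORY = [
    {"samaccountname": ["administrator"],
     "mail": ["administrator@op-tn.org"],
     "proxyaddresses": ["SMTP:administrator@op-tn.org", "smtp:admin@op-tn.org"]},
    {"samaccountname": ["ldap"],
     "mail": ["ldap@op-tn.org"],
     "proxyaddresses": ["SMTP:ldap@op-tn.org"]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: \\ * ( ) and NUL are the only characters with meaning
    inside an assertion value; each becomes \\xx (hex)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(recipient: str, escape: bool = True, template: str = TEMPLATE) -> str:
    """Substitute the recipient into the template, escaped unless told otherwise."""
    value = escape_filter_value(recipient) if escape else recipient
    return template.replace("${recipient_email}", value)


def _value_regex(raw: str):
    """Assertion value -> regex: an unescaped * is a wildcard, \\xx is a literal
    character, everything else is literal. Matching is case-insensitive."""
    parts, i = [], 0
    while i < len(raw):
        if raw[i] == "\\":
            parts.append(re.escape(chr(int(raw[i + 1:i + 3], 16))))
            i += 3
        elif raw[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(raw[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def parse_filter(s: str, i: int = 0):
    """Parse the RFC 4515 subset used here: (&...), (|...), (!...), (attr=value).
    Returns (node, index just past the closing paren)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = parse_filter(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, children), i + 1
    eq = s.index("=", i)
    end = s.index(")", eq)      # escapes are \xx, so an unescaped ')' always ends the value
    return ("=", (s[i:eq].lower(), _value_regex(s[eq + 1:end]))), end + 1


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry (attr -> list of values)."""
    op, arg = node
    if op == "&":
        return all(matches(n, entry) for n in arg)
    if op == "|":
        return any(matches(n, entry) for n in arg)
    if op == "!":
        return not matches(arg[0], entry)
    attr, rx = arg
    return any(rx.fullmatch(v) for v in entry.get(attr, []))


def verify_recipient(recipient: str, escape: bool = True, directory=DIRECTORY) -> list:
    """sAMAccountNames the filter matches; an empty list means an unknown recipient."""
    node, _ = parse_filter(build_filter(recipient, escape))
    return [e["samaccountname"][0] for e in directory if matches(node, e)]


if __name__ == "__main__":
    print(build_filter("administrator@op-tn.org"))
    print(verify_recipient("administrator@op-tn.org"))      # the real user
    print(verify_recipient("nobody@op-tn.org"))             # unknown: reject before spam scanning
    print(verify_recipient("*@op-tn.org"))                  # escaped: still unknown
    print(verify_recipient("*@op-tn.org", escape=False))    # raw: every mailbox "exists"
```

The secondary address admin@op-tn.org is found through `proxyAddresses` only, which is the reason ziggyk's filter checks that attribute rather than just `mail`; the last two calls show the difference escaping makes when the address comes from an untrusted RCPT TO.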
eclipseaviationCommented:
Thanks for the response !!
Sounds like we should move ahead with this. Your advantages match what I have read.
One more question on this...

If the LDAP query is broken for whatever reason, say the server is down or the network connection between the Barracuda and the LDAP server is down, what happens? Is that handled somehow in the Barracuda?
Does all mail get rejected with NDRs? Or is all mail passed on and scrutinized the current way, without LDAP?
I hope I am making sense.
Thanks
ziggykCommented:
It will just process the messages normally if it cannot query the LDAP server.
eclipseaviationCommented:
Actually I think it depends on your Unify settings.  I checked with Barracuda.
Thanks
miro_at_the_towerCommented:
The LDAP account to use must be in the Users OU.
daxatviyuCommented:
Miro, not necessarily. However, it is very important that you use the user's email address (user@yourdomain.com) for the username, as demonstrated by ziggyk in his post.