Solved

Configuring Barracuda and Exchange with TLS

Posted on 2010-08-26
Last Modified: 2013-11-30
Hi all:

We are running into a frustrating issue and are looking for some help. Up until recently, we were running a Back-End Exchange 2003 server along with a Front-End Exchange 2003 server (without OWA). Both were running MS Server 2003 Enterprise. We have since implemented a Barracuda Spam and Firewall 300 device that has replaced our FE Exchange server. We completely removed Exchange from the FE and all traces of that server have been removed from AD as well. We then turned around and gave the Barracuda the same host name and IP as the (now removed) FE server. So everything is in place and mail seems to traverse perfectly fine.

Now for the dilemma:

We are required to enable TLS for secure communications between the BE and the Barracuda. We have TLS enabled on the Barracuda and a valid certificate. We also have TLS enabled on the Exchange BE Virtual Server and the Connector (in order to use TLS for both incoming and outgoing mail) along with a certificate loaded and the Require Secure Channel and Use 128-bit Encryption settings turned on with the cert. As soon as all those goodies are turned on, mail no longer flows. The Connector in the queue fails trying to send mail to the Barracuda stating that "an SSL error occurred" and incoming mail is "deferring" in the Barracuda log stating that the connection has been dropped with the BE.

So in experimenting with this, we have found that if we remove the BE Exchange certificate (by either uninstalling it or by turning off the Require Secure Channel and Use 128-bit Encryption settings) mail will flow in from the Barracuda. And if we remove the TLS setting from the Connector, mail will flow out. So if we remove both...mail flows both ways again, without having to change any settings on the Barracuda.

When the BE was originally set up with the FE Exchange server (before the Barracuda came into the picture) everything was working well with TLS. Now it seems the BE and Barracuda don't want to play nice with TLS involved.

So the questions are:

1) Has anyone been through this type of configuration with TLS and how did you get it to work?
2) Does the certificate indeed need to be on the BE Exchange with TLS enabled, or is Barracuda able to handle all the encryption? (that would instantly solve this problem, wouldn't it?)
3) Should a new certificate be created for the BE in order for it to talk with Barracuda over TLS (as opposed to the BE and FE certificate that was working previously)?

This is a new device to everyone on the team that I work with, so this is all new to us. We have been working with Barracuda Tech Support and currently have them stumped. So any advice or ideas are greatly appreciated.
Question by:Herezja
27 Comments
 
LVL 25

Accepted Solution

by:
Tony1044 earned 500 total points
ID: 33540270
Do you have anything between your BE server and the Barracuda that could be stripping out the STARTTLS verb?

I've had similar problems in the past when upgrading to Exchange 2007/2010 and it turns out there's an older firewall in between stripping out ESMTP verbs as the firewall believes them to be malformed.

Older Cisco PIX are notorious for it.

Barracuda mention it here too, on their KB:

http://www.barracudanetworks.com/ns/support/solutions.php#form

It won't allow a direct link so look for article Solution #00003659
0
 

Author Comment

by:Herezja
ID: 33541494
We have 3 network devices running between these two pieces of equipment and I am hoping that is what the problem may be. Our network engineer is currently working out of another office until Monday, but I plan on hitting him up next week on this. In the meantime, I am trying to eliminate my equipment as the potential issue.
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 33541531
It's generally only firewalls that you need to worry about.

From the BE server, can you telnet to the Barracuda on port 25?

If you get a response along the lines of ***************220*******20 then you have a firewall problem.

But, not knowing these devices, I'm not sure if you can actually even telnet into them from the LAN like that.

0
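As an added example (not code from the thread, from Barracuda or from Microsoft), a small Python diagnostic that automates the check Tony describes: it reads the SMTP banner and the EHLO reply and flags the two symptoms discussed in this thread, a greeting masked by an SMTP-inspecting firewall and STARTTLS missing from the advertised capabilities. The host names and the sample transcripts are constructed.

```python
"""Added diagnostic (not Barracuda's or Microsoft's code): check an SMTP
endpoint for the two symptoms discussed above. Sample transcripts are constructed."""
import re
import socket

# An SMTP-inspecting firewall (the thread names older Cisco PIX) rewrites the
# greeting to mostly asterisks and drops ESMTP verbs it does not recognise.
ASTERISK_RUN = re.compile(r"\*{3,}")

# Constructed sample transcripts, modelled on what the thread describes.
HEALTHY_BANNER = "220 mail.example.test ESMTP ready\r\n"
HEALTHY_EHLO = ("250-mail.example.test Hello [10.0.0.5]\r\n"
                "250-SIZE 10240000\r\n250-STARTTLS\r\n250 OK\r\n")
MASKED_BANNER = "***************220*******20\r\n"
STRIPPED_EHLO = "250-mail.example.test Hello [10.0.0.5]\r\n250 OK\r\n"

def parse_ehlo(reply: str) -> set:
    """Return the ESMTP keywords advertised in a multi-line EHLO reply."""
    keywords = set()
    for line in reply.splitlines()[1:]:  # first line is just the greeting
        parts = line[4:].split()
        if line.startswith("250") and parts:
            keywords.add(parts[0].upper())
    return keywords

def diagnose(banner: str, ehlo_reply: str) -> dict:
    """Classify what a client (Exchange or the Barracuda) sees on this path."""
    masked = bool(ASTERISK_RUN.search(banner))
    starttls = "STARTTLS" in parse_ehlo(ehlo_reply)
    if masked:
        verdict = "masked banner: an SMTP-inspecting firewall is in the path"
    elif not starttls:
        verdict = "no STARTTLS in EHLO: TLS is off on the MTA or the verb is stripped"
    else:
        verdict = "STARTTLS advertised: the transport path is not the problem"
    return {"masked_banner": masked, "starttls": starttls, "verdict": verdict}

def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Talk to a live MTA (host is the caller's own), then diagnose the exchange."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rd = sock.makefile("rb")
        banner = rd.readline().decode(errors="replace")
        sock.sendall(b"EHLO diag.example.test\r\n")
        lines = []
        while True:
            line = rd.readline().decode(errors="replace")
            lines.append(line)
            if not line or line[3:4] != "-":  # "250 " (space) ends the reply
                break
        sock.sendall(b"QUIT\r\n")
    return diagnose(banner, "".join(lines))
```

Run `probe("<back-end host>")` from the Barracuda side and `probe("<barracuda host>")` from the BE to compare what each end actually sees; a masked banner or a missing STARTTLS keyword points at the network path rather than at either mail system.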
 

Author Comment

by:Herezja
ID: 33541870
I will give that a try. I am currently able to telnet to the BE from several locations, but have not tried from the BE to the Barracuda. Thanks....good idea.
0
 

Author Comment

by:Herezja
ID: 33567843
So I was able to connect to the Barracuda via telnet from the BE Exchange server. If I send a test to my personal email (gmail.com) from my internal email address, everything works just fine. I also tried a loop (from my internal email address back to my internal email address) and I immediately received a "530 Must Issue STARTTLS" error right after the RCPT TO: line.

I do have two connectors created. In following Microsoft's instructions, I created one without TLS enabled and then a second configured to handle all outgoing TLS. Both of which forward to the Barracuda Smarthost.

I am wondering at this point if I can delete both connectors and configure the Virtual Server to forward everything to the Smarthost on the Advanced Delivery options. Since everything is heading from the BE to the Barracuda, I am beginning to think I may not need the connectors at all. This doesn't solve the incoming issue, but it may solve the outgoing issue.
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 33568018
Not sure if this is relevant or not but at the top of page 79 on the admin guide it appears to suggest that in order for the barracuda to use TLS, you require secure LDAP enabled:

http://www.theboss.net/Barracuda/PDFs/barracuda_spam_admin_guide.pdf
0
 

Author Comment

by:Herezja
ID: 33568413
In reading that section, I'm not real sure if that is what it's saying or not. It seems that if LDAP is enabled along with TLS and an LDAP connection cannot be made, then TLS will fail. I guess the question is, if LDAP is not being used, is TLS able to be used without it?
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 33568503
I agree that they don't make it clear but my own reading of it was that to use TLS for SMTP you require TLS for LDAP.

But...that could be my mistake in how I interpreted it.

I have to say that they do seem to make this far more difficult than it really needs to be.
0
 

Author Comment

by:Herezja
ID: 33568678
I agree with that one!! I just wish they had a full admin guide on setting this thing up with Exchange!

I have a call into our tech support rep at Barracuda to ask whether LDAP is required to utilize TLS. Will let you know what I find out when he calls back.
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 33568694
Sorry I've not been more help on this one but the last time I configured a Barracuda it was simple SSL and there were no TLS options.
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 33568757
Does this help?

http://www.barracudanetworks.com/ns/downloads/Admin_Guides/Barracuda_Spam_&_Virus_Firewall_4.1_AG_US.pdf

Page 46 onwards - seems a tad simplistic, perhaps.
0
 

Author Comment

by:Herezja
ID: 33576337
Still haven't gotten a hold of our tech support rep with Barracuda, but I found something interesting yesterday....If you go into the Domains tab | Domain Manager | Manage Domain, then go to Advanced | Email Protocol, there are two additional settings (as opposed to the System settings) in there that we had configured, with our domain name, to require TLS. The descriptions of the settings on that page are as follows:

Require Encrypted TLS receiving email from these domains: "Require domains you add here to always send messages through the Barracuda Spam & Virus Firewall to this domain over a TLS connection."

Require Encrypted TLS relaying email to these destination servers: "Require messages relayed out through the Barracuda Spam & Virus Firewall from this domain to destination servers listed here to be sent over a TLS connection. Destination server can be Host name or IP address."

Since our domain name was in both these settings, I started reading the descriptions a little closer. The way that they are worded leads me to believe that if our domain is set there, then we will be in sort of a TLS loop (for lack of a better term). So I removed our domain from both these settings and whattya know...email traffic started flowing out!

I'm not out of the woods yet though...I still need to get incoming functioning (or at least tested that it is functioning) and verify that TLS is still encrypting traffic via the System settings, but I think we may be on the right track.

0
 
LVL 25

Expert Comment

by:Tony1044
ID: 33576409
Nice one. Sorry I couldn't be more help directly.

No such settings for incoming mail?
0

Author Comment

by:Herezja
ID: 33577798
I haven't found any settings like that for incoming mail, but in the mail log on the Barracuda it is saying that the connection is being lost to the BE server when trying to connect. We are currently looking at some of the network equipment to see where the connection is breaking down. Will keep you posted on what we find.
0
 

Author Comment

by:Herezja
ID: 33577869
So far, from what we can tell, the BE is resetting the connection when Barracuda tries to connect to pass traffic. Any ideas?
0
 

Author Comment

by:Herezja
ID: 33578024
Correction....it is actually the Barracuda that is resetting the connection for whatever reason.
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 33578202
Does it give any indication why it drops the connection?

What firmware version does it run, by the way?
0
 

Author Comment

by:Herezja
ID: 33578340
Absolutely no indication.

We are using the latest firmware version too.
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 33578359
Wonder if this is LDAP - reading the admin guide suggests that if it fails to make a LDAP connection with TLS it'll drop it.
0
 

Author Comment

by:Herezja
ID: 33578401
We are not using LDAP. That is one of the questions that I am looking to bring up with the Barracuda Tech Support Rep. Is LDAP required in order for TLS to function correctly??
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 33578418
Yes I believe that if you want to secure communication between the Barracuda and the Exchange server, it has to use secure LDAP (although it does say in the manual that it can do so over 389, the "non-secure" LDAP port).
0
 

Author Comment

by:Herezja
ID: 33585889
Whether I get a hold of our Tech Support Rep or not, I think I am going to set up LDAP today anyway...to test it out if nothing else. Our Network Engineer and I were also discussing yesterday the possibility of moving the Barracuda device to the inside (as opposed to the DMZ where it resides now) to eliminate any issues between it and the BE. Will let you know how this goes today.
0
 

Author Comment

by:Herezja
ID: 33588915
Got LDAP working and verifying just fine...still no incoming mail with TLS enabled.
0
 

Author Comment

by:Herezja
ID: 33588926
Oh yeah...just an FYI: according to Barracuda Tech Support LDAP is not needed for TLS to function.
0
 

Author Comment

by:Herezja
ID: 33636719
We suspect that our Sidewinder may be the culprit in all this now. We have exhausted every angle and all signs are pointing in that direction now. So....we are working on getting a McAfee and a Barracuda engineer out here at the same time to solve this once and for all. Well....at least this is where this problem is heading, which means this has now gone from Systems to Network and away from my realm.

Tony...I really appreciate all your help with this. Even though we didn't get it solved, your comments definitely helped me to troubleshoot this thing to death. If I can, I will try and get some points to you for all this. Hey...out of this entire site, you were the only one who chimed in!
0
 

Author Closing Comment

by:Herezja
ID: 33636764
Thanks to Tony, we were able to rule out our Exchange server and find that one of our network devices is to blame for this issue.
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 33637207
Thank you for the points - much appreciated even though all I really did was bounce ideas around.

I have been in the same position so many times I've lost count and if I can, I'll always at least try to throw in a few pointers :)

Good luck with tracking the offending device down mate.
0
