  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6587
  • Last Modified:

Configuring Barracuda and Exchange with TLS

Hi all:

We are running into a frustrating issue and are looking for some help. Up until recently, we were running a Back-End Exchange 2003 server along with a Front-End Exchange 2003 server (without OWA). Both were running MS Server 2003 Enterprise. We have since implemented a Barracuda Spam and Firewall 300 device that has replaced our FE Exchange server. We completely removed Exchange from the FE and all traces of that server have been removed from AD as well. We then turned around and gave the Barracuda the same host name and IP as the (now removed) FE server. So everything is in place and mail seems to traverse perfectly fine.

Now for the dilemma:

We are required to enable TLS for secure communications between the BE and the Barracuda. We have TLS enabled on the Barracuda and a valid certificate. We also have TLS enabled on the Exchange BE Virtual Server and the Connector (in order to use TLS for both incoming and outgoing mail) along with a certificate loaded and the Require Secure Channel and Use 128-bit Encryption settings turned on with the cert. As soon as all those goodies are turned on, mail no longer flows. The Connector in the queue fails trying to send mail to the Barracuda stating that "an SSL error occurred" and incoming mail is "deferring" in the Barracuda log stating that the connection has been dropped with the BE.

So in experimenting with this, we have found that if we remove the BE Exchange certificate (by either uninstalling it or by turning off the Require Secure Channel and Use 128-bit Encryption settings) mail will flow in from the Barracuda. And if we remove the TLS setting from the Connector, mail will flow out. So if we remove both...mail flows both ways again, without having to change any settings on the Barracuda.

When the BE was originally set up with the FE Exchange server (before the Barracuda came into the picture) everything was working well with TLS. Now it seems the BE and Barracuda don't want to play nice with TLS involved.

So the questions are:

1) Has anyone been through this type of configuration with TLS and how did you get it to work?
2) Does the certificate indeed need to be on the BE Exchange with TLS enabled, or is Barracuda able to handle all the encryption? (that would instantly solve this problem, wouldn't it?)
3) Should a new certificate be created for the BE in order for it to talk with Barracuda over TLS (as opposed to the BE and FE certificate that was working previously)?

This is a new device to everyone on the team that I work with, so this is all new to us. We have been working with Barracuda Tech Support and currently have them stumped. So any advice or ideas are greatly appreciated.
0
Herezja
1 Solution
 
Tony J (Lead Technical Architect) commented:
Do you have anything between your BE server and the Barracuda that could be stripping out the STARTTLS verb?

I've had similar problems in the past when upgrading to Exchange 2007/2010 and it turns out there's an older firewall in between stripping out ESMTP verbs as the firewall believes them to be malformed.

Older Cisco PIX are notorious for it.

Barracuda mention it here too, on their KB:

http://www.barracudanetworks.com/ns/support/solutions.php#form 

It won't allow a direct link so look for article Solution #00003659
0
 
Herezja (Author) commented:
We have 3 network devices running between these two pieces of equipment and I am hoping that is what the problem may be. Our network engineer is currently working out of another office until Monday, but I plan on hitting him up next week on this. In the meantime, I am trying to eliminate my equipment as the potential issue.
0
 
Tony J (Lead Technical Architect) commented:
It's generally only firewalls that you need to worry about.

From the BE server, can you telnet to the Barracuda on port 25?

If you get a response along the lines of ***************220*******20 then you have a firewall problem.

But, not knowing these devices, I'm not sure if you can actually even telnet into them from the LAN like that.

0
 
Herezja (Author) commented:
I will give that a try. I am currently able to telnet to the BE from several locations, but have not tried from the BE to the Barracuda. Thanks....good idea.
0
 
Herezja (Author) commented:
So I was able to connect to the Barracuda via telnet from the BE Exchange server. If I send a test to my personal email (gmail.com) from my internal email address, everything works just fine. I also tried a loop (from my internal email address back to my internal email address) and I immediately received a "530 Must Issue STARTTLS" error right after the RCPT TO: line.

I do have two connectors created. In following Microsoft's instructions, I created one without TLS enabled and then a second configured to handle all outgoing TLS, both of which forward to the Barracuda Smarthost.

I am wondering at this point if I can delete both connectors and configure the Virtual Server to forward everything to the Smarthost on the Advanced Delivery options. Since everything is heading from the BE to the Barracuda, I am beginning to think I may not need the connectors at all. This doesn't solve the incoming issue, but it may solve the outgoing issue.
0
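Tony's telnet test on port 25 and the "530 Must Issue STARTTLS" reply seen in the loop test above can both be read off a plain SMTP session. The script below is an added example, not code from the thread, Barracuda or Microsoft: it parses constructed sample replies (a firewall-masked banner, an EHLO with and without STARTTLS, a 530 at RCPT TO) and classifies what each indicates, and `probe()` performs the same check live against placeholder host names.

```python
import re
import socket
# Constructed sample replies (not captured from the poster's Exchange or Barracuda).
CLEAN_BANNER = "220 mail.example.test ESMTP ready\r\n"
MASKED_BANNER = "220 ***************2*******0\r\n"   # banner mangled by SMTP inspection
CLEAN_EHLO = "250-mail.example.test Hello\r\n250-SIZE 20971520\r\n250-STARTTLS\r\n250 OK\r\n"
STRIPPED_EHLO = "250-mail.example.test Hello\r\n250-SIZE 20971520\r\n250-XXXXXXXX\r\n250 OK\r\n"
TLS_REQUIRED = "530 Must issue a STARTTLS command first\r\n"

def ehlo_capabilities(reply):
    """Keywords from each '250-' / '250 ' line of an EHLO reply (first one is the host name)."""
    return {m.group(1).upper() for m in re.finditer(r"^250[ -](\S+)", reply, re.M)}

def diagnose(banner, ehlo_reply, rcpt_reply=""):
    """Classify what a plain port-25 session reveals about STARTTLS on this path."""
    if re.search(r"\*{3,}", banner):
        return "banner-masked"          # classic sign of firewall SMTP fixup/inspection
    caps = ehlo_capabilities(ehlo_reply)
    if "STARTTLS" not in caps:
        if any(c.startswith("XXXX") for c in caps):
            return "starttls-stripped"  # keyword overwritten in transit by an inspection engine
        return "starttls-not-offered"   # the server itself does not advertise it
    if rcpt_reply.startswith("530"):
        return "tls-required"           # server insists on STARTTLS before accepting RCPT TO
    return "starttls-offered"

def _read_reply(f):
    """Collect one SMTP reply; continuation lines have '-' after the code, the last has ' '."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace")
        if not line:
            break
        lines.append(line)
        if len(line) < 4 or line[3] == " ":
            break
    return "".join(lines)

def probe(host, port=25, helo_name="probe.example.test", timeout=5):
    """Telnet-style live check; host and helo_name are placeholders for your own hosts."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rwb")
        banner = _read_reply(f)
        f.write(b"EHLO " + helo_name.encode("ascii") + b"\r\n")
        f.flush()
        ehlo = _read_reply(f)
        f.write(b"QUIT\r\n")
        f.flush()
    return diagnose(banner, ehlo)
```

Run `probe()` from the BE host toward the Barracuda and from the Barracuda side toward the BE; a "banner-masked" or "starttls-stripped" result points at a device in between rather than at either endpoint.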
 
Tony J (Lead Technical Architect) commented:
Not sure if this is relevant or not but at the top of page 79 of the admin guide it appears to suggest that in order for the Barracuda to use TLS, you require secure LDAP enabled:

http://www.theboss.net/Barracuda/PDFs/barracuda_spam_admin_guide.pdf
0
 
Herezja (Author) commented:
In reading that section, I'm not real sure if that is what it's saying or not. It seems that if LDAP is enabled along with TLS and an LDAP connection cannot be made, then TLS will fail. I guess the question is, if LDAP is not being used, is TLS able to be used without it?
0
 
Tony J (Lead Technical Architect) commented:
I agree that they don't make it clear but my own reading of it was that to use TLS for SMTP you require TLS for LDAP.

But...that could be my mistake in how I interpreted it.

I have to say that they do seem to make this far more difficult than it really needs to be.
0
 
Herezja (Author) commented:
I agree with that one!! I just wish they had a full admin guide on setting this thing up with Exchange!

I have a call into our tech support rep at Barracuda to ask whether LDAP is required to utilize TLS. Will let you know what I find out when he calls back.
0
 
Tony J (Lead Technical Architect) commented:
Sorry I've not been more help on this one but the last time I configured a Barracuda it was simple SSL and there were no TLS options.
0
 
Tony J (Lead Technical Architect) commented:
Does this help?

http://www.barracudanetworks.com/ns/downloads/Admin_Guides/Barracuda_Spam_&_Virus_Firewall_4.1_AG_US.pdf

Page 46 onwards - seems a tad simplistic, perhaps.
0
 
Herezja (Author) commented:
Still haven't gotten a hold of our tech support rep with Barracuda, but I found something interesting yesterday... If you go into the Domains tab | Domain Manager | Manage Domain, then go to Advanced | Email Protocol, there are two additional settings (as opposed to the System settings) in there that we had configured, with our domain name, to require TLS. The descriptions of the settings on that page are as follows:

Require Encrypted TLS receiving email from these domains: "Require domains you add here to always send messages through the Barracuda Spam & Virus Firewall to this domain over a TLS connection."

Require Encrypted TLS relaying email to these destination servers: "Require messages relayed out through the Barracuda Spam & Virus Firewall from this domain to destination servers listed here to be sent over a TLS connection. Destination server can be Host name or IP address."

Since our domain name was in both these settings, I started reading the descriptions a little closer. The way that they are worded leads me to believe that if our domain is set there, then we will be in sort of a TLS loop (for lack of a better term). So I removed our domain from both these settings and whattya know...email traffic started flowing out!

I'm not out of the woods yet though...I still need to get incoming functioning (or at least tested that it is functioning) and verify that TLS is still encrypting traffic via the System settings, but I think we may be on the right track.

0
 
Tony J (Lead Technical Architect) commented:
Nice one. Sorry I couldn't be more help directly.

No such settings for incoming mail?
0
 
Herezja (Author) commented:
I haven't found any settings like that for incoming mail, but in the mail log on the Barracuda it is saying that the connection is being lost to the BE server when trying to connect. We are currently looking at some of the network equipment to see where the connection is breaking down. Will keep you posted on what we find.
0
 
Herezja (Author) commented:
So far, from what we can tell, the BE is resetting the connection when Barracuda tries to connect to pass traffic. Any ideas?
0
 
Herezja (Author) commented:
Correction....it is actually the Barracuda that is resetting the connection for whatever reason.
0
 
Tony J (Lead Technical Architect) commented:
Does it give any indication why it drops the connection?

What firmware version does it run, by the way?
0
 
Herezja (Author) commented:
Absolutely no indication.

We are using the latest firmware version too.
0
 
Tony J (Lead Technical Architect) commented:
Wonder if this is LDAP - reading the admin guide suggests that if it fails to make a LDAP connection with TLS it'll drop it.
0
 
Herezja (Author) commented:
We are not using LDAP. That is one of the questions that I am looking to bring up with the Barracuda Tech Support Rep. Is LDAP required in order for TLS to function correctly??
0
 
Tony J (Lead Technical Architect) commented:
Yes, I believe that if you want to secure communication between the Barracuda and the Exchange server, it has to use secure LDAP (although it does say in the manual that it can do so over 389, the "non-secure" LDAP port).
0
 
Herezja (Author) commented:
Whether I get a hold of our Tech Support Rep or not, I think I am going to set up LDAP today anyway...to test it out if nothing else. Our Network Engineer and I were also discussing yesterday the possibility of moving the Barracuda device to the inside (as opposed to the DMZ where it resides now) to eliminate any issues between it and the BE. Will let you know how this goes today.
0
 
Herezja (Author) commented:
Got LDAP working and verifying just fine...still no incoming mail with TLS enabled.
0
 
Herezja (Author) commented:
Oh yeah...just an FYI: according to Barracuda Tech Support LDAP is not needed for TLS to function.
0
 
Herezja (Author) commented:
We suspect that our Sidewinder may be the culprit in all this now. We have exhausted every angle and all signs are pointing in that direction now. So....we are working on getting a McAfee and a Barracuda engineer out here at the same time to solve this once and for all. Well....at least this is where this problem is heading, which means this has now gone from Systems to Network and away from my realm.

Tony...I really appreciate all your help with this. Even though we didn't get it solved, your comments definitely helped me to troubleshoot this thing to death. If I can, I will try and get some points to you for all this. Hey...out of this entire site, you were the only one who chimed in!
0
 
Herezja (Author) commented:
Thanks to Tony, we were able to rule out our Exchange server and find that one of our network devices is to blame for this issue.
0
 
Tony J (Lead Technical Architect) commented:
Thank you for the points - much appreciated even though all I really did was bounce ideas around.

I have been in the same position so many times I've lost count and if I can, I'll always at least try to throw in a few pointers :)

Good luck with tracking the offending device down mate.
0
