Herezja

asked on

Configuring Barracuda and Exchange with TLS

Hi all:

We are running into a frustrating issue and are looking for some help. Up until recently, we were running a Back-End Exchange 2003 server along with a Front-End Exchange 2003 server (without OWA). Both were running MS Server 2003 Enterprise. We have since implemented a Barracuda Spam and Firewall 300 device that has replaced our FE Exchange server. We completely removed Exchange from the FE and all traces of that server have been removed from AD as well. We then turned around and gave the Barracuda the same host name and IP as the (now removed) FE server. So everything is in place and mail seems to traverse perfectly fine.

Now for the dilemma:

We are required to enable TLS for secure communications between the BE and the Barracuda. We have TLS enabled on the Barracuda and a valid certificate. We also have TLS enabled on the Exchange BE Virtual Server and the Connector (in order to use TLS for both incoming and outgoing mail) along with a certificate loaded and the Require Secure Channel and Use 128-bit Encryption settings turned on with the cert. As soon as all those goodies are turned on, mail no longer flows. The Connector in the queue fails trying to send mail to the Barracuda stating that "an SSL error occurred" and incoming mail is "deferring" in the Barracuda log stating that the connection has been dropped with the BE.

So in experimenting with this, we have found that if we remove the BE Exchange certificate (by either uninstalling it or by turning off the Require Secure Channel and Use 128-bit Encryption settings) mail will flow in from the Barracuda. And if we remove the TLS setting from the Connector, mail will flow out. So if we remove both...mail flows both ways again, without having to change any settings on the Barracuda.

When the BE was originally set up with the FE Exchange server (before the Barracuda came into the picture) everything was working well with TLS. Now it seems the BE and Barracuda don't want to play nice with TLS involved.

So the questions are:

1) Has anyone been through this type of configuration with TLS and how did you get it to work?
2) Does the certificate indeed need to be on the BE Exchange with TLS enabled, or is Barracuda able to handle all the encryption? (that would instantly solve this problem, wouldn't it?)
3) Should a new certificate be created for the BE in order for it to talk with Barracuda over TLS (as opposed to the BE and FE certificate that was working previously)?

This is a new device to everyone on the team that I work with, so this is all new to us. We have been working with Barracuda Tech Support and currently have them stumped. So any advice or ideas are greatly appreciated.
ASKER CERTIFIED SOLUTION
Tony J
Herezja

ASKER

We have 3 network devices running between these two pieces of equipment and I am hoping that is what the problem may be. Our network engineer is currently working out of another office until Monday, but I plan on hitting him up next week on this. In the meantime, I am trying to eliminate my equipment as the potential issue.
It's generally only firewalls that you need to worry about.

From the BE server, can you telnet to the Barracuda on port 25?

If you get a response along the lines of ***************220*******20 then you have a firewall problem.

But, not knowing these devices, I'm not sure if you can actually even telnet into them from the LAN like that.


ASKER

I will give that a try. I am currently able to telnet to the BE from several locations, but have not tried from the BE to the Barracuda. Thanks....good idea.

ASKER

So I was able to connect to the Barracuda via telnet from the BE Exchange server. If I send a test to my personal email (gmail.com) from my internal email address, everything works just fine. I also tried a loop (from my internal email address back to my internal email address) and I immediately received a "530 Must Issue STARTTLS" error right after the RCPT TO: line.

I do have two connectors created. In following Microsoft's instructions, I created one without TLS enabled and then a second configured to handle all outgoing TLS. Both of which forward to the Barracuda Smarthost.

I am wondering at this point if I can delete both connectors and configure the Virtual Server to forward everything to the Smarthost on the Advanced Delivery options. Since everything is heading from the BE to the Barracuda, I am beginning to think I may not need the connectors at all. This doesn't solve the incoming issue, but it may solve the outgoing issue.
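A scripted form of the port-25 check suggested earlier in the thread (telnet from the BE to the Barracuda, see whether a session opens) extended to the STARTTLS step behind the "530 Must Issue STARTTLS" reply above, written here as an added example; it is not code from the thread, from Barracuda or from Microsoft. The hostname is a placeholder, and the default SSL context verifies the peer certificate against the system trust store, so an internally issued certificate needs a context with that CA loaded.

```python
import smtplib
import ssl

def needs_starttls(code: int, message: bytes) -> bool:
    """True for the '530 Must issue a STARTTLS command first' refusal seen
    after RCPT TO: the peer enforces TLS before it will accept the message."""
    return code == 530 and b"starttls" in message.lower()

def check_smarthost(host, port=25, timeout=10.0, context=None):
    """Scripted 'telnet to the smarthost on 25': open the session, send EHLO,
    and if STARTTLS is offered negotiate it. Returns a dict, not printed text,
    so the outcome can be logged or asserted on."""
    context = context or ssl.create_default_context()  # verifies peer cert
    result = {"host": host, "ehlo_ok": False, "starttls_offered": False,
              "tls_established": False, "tls_version": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, _ = smtp.ehlo()
            result["ehlo_ok"] = code == 250
            result["starttls_offered"] = smtp.has_extn("starttls")
            if result["starttls_offered"]:
                smtp.starttls(context=context)   # 220 reply, then handshake
                result["tls_established"] = True
                result["tls_version"] = smtp.sock.version()
    except ssl.SSLError as exc:                  # handshake/cert failure
        result["error"] = f"tls: {exc}"
    except smtplib.SMTPException as exc:         # protocol-level refusal
        result["error"] = f"smtp: {exc}"
    except OSError as exc:                       # refused, timed out, reset
        result["error"] = f"connect: {exc}"
    return result

def diagnose(result: dict) -> str:
    """Map the check to the conclusion the telnet test in the thread is after."""
    if result["error"] and result["error"].startswith("connect"):
        return "no SMTP session: suspect firewall/network between BE and smarthost"
    if not result["ehlo_ok"]:
        return "session opened but EHLO failed: smarthost is rejecting the BE"
    if not result["starttls_offered"]:
        return "port 25 reachable but STARTTLS not advertised: TLS off on smarthost"
    if not result["tls_established"]:
        return "STARTTLS offered but handshake failed: certificate or cipher mismatch"
    return "STARTTLS negotiated (%s)" % result["tls_version"]

if __name__ == "__main__":
    # Placeholder hostname; substitute the Barracuda's name as seen from the BE.
    print(diagnose(check_smarthost("smarthost.example.internal")))
```

Run it from the BE itself so the same network path (and any firewall in between) is exercised; a "connect" result points at the path, a "tls" result at the certificates.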
Not sure if this is relevant or not but at the top of page 79 on the admin guide it appears to suggest that in order for the Barracuda to use TLS, you require secure LDAP enabled:

http://www.theboss.net/Barracuda/PDFs/barracuda_spam_admin_guide.pdf

ASKER

In reading that section, I'm not real sure if that is what its saying or not. It seems that if LDAP is enabled along with TLS and an LDAP connection cannot be made, then TLS will fail. I guess the question is, if LDAP is not being used, is TLS able to be used without it?
I agree that they don't make it clear but my own reading of it was that to use TLS for SMTP you require TLS for LDAP.

But...that could be my mistake in how I interpreted it.

I have to say that they do seem to make this far more difficult than it really needs to be.

ASKER

I agree with that one!! I just wish they had a full admin guide on setting this thing up with Exchange!

I have a call into our tech support rep at Barracuda to ask whether LDAP is required to utilize TLS. Will let you know what I find out when he calls back.
Sorry I've not been more help on this one but the last time I configured a Barracuda it was simple SSL and there were no TLS options.

ASKER

Still haven't gotten a hold of our tech support rep with Barracuda, but I found something interesting yesterday....If you go into the Domains tab | Domain Manager | Manage Domain, then go to Advanced | Email Protocol, there are two additional settings (as opposed to the System settings) in there that we had configured, with our domain name, to require TLS. The descriptions of the settings on that page are as follows:

Require Encrypted TLS receiving email from these domains: "Require domains you add here to always send messages through the Barracuda Spam & Virus Firewall to this domain over a TLS connection."

Require Encrypted TLS relaying email to these destination servers: "Require messages relayed out through the Barracuda Spam & Virus Firewall from this domain to destination servers listed here to be sent over a TLS connection. Destination server can be Host name or IP address."

Since our domain name was in both these settings, I started reading the descriptions a little closer. The way that they are worded leads me to believe that if our domain is set there, then we will be in sort of a TLS loop (for lack of a better term). So I removed our domain from both these settings and whattya know...email traffic started flowing out!

I'm not out of the woods yet though...I still need to get incoming functioning (or at least tested that it is functioning) and verify that TLS is still encrypting traffic via the System settings, but I think we may be on the right track.

Nice one. Sorry I couldn't be more help directly.

No such settings for incoming mail?

ASKER

I haven't found any settings like that for incoming mail, but in the mail log on the Barracuda it is saying that the connection is being lost to the BE server when trying to connect. We are currently looking at some of the network equipment to see where the connection is breaking down. Will keep you posted on what we find.

ASKER

So far, from what we can tell, the BE is resetting the connection when Barracuda tries to connect to pass traffic. Any ideas?

ASKER

Correction....it is actually the Barracuda that is resetting the connection for whatever reason.
Does it give any indication why it drops the connection?

What firmware version does it run, by the way?

ASKER

Absolutely no indication.

We are using the latest firmware version too.
Wonder if this is LDAP - reading the admin guide suggests that if it fails to make a LDAP connection with TLS it'll drop it.

ASKER

We are not using LDAP. That is one of the questions that I am looking to bring up with the Barracuda Tech Support Rep. Is LDAP required in order for TLS to function correctly??
Yes I believe that if you want to secure communication between the Barracuda and the Exchange server, it has to use secure LDAP (although it does say in the manual that it can do so over 389, the "non-secure" LDAP port).

ASKER

Whether I get a hold of our Tech Support Rep or not, I think I am going to set up LDAP today anyway...to test it out if nothing else. Our Network Engineer and I were also discussing yesterday the possibility of moving the Barracuda device to the inside (as opposed to the DMZ where it resides now) to eliminate any issues between it and the BE. Will let you know how this goes today.

ASKER

Got LDAP working and verifying just fine...still no incoming mail with TLS enabled.

ASKER

Oh yeah...just an FYI: according to Barracuda Tech Support, LDAP is not needed for TLS to function.

ASKER

We suspect that our Sidewinder may be the culprit in all this now. We have exhausted every angle and all signs are pointing in that direction now. So....we are working on getting a McAfee and a Barracuda engineer out here at the same time to solve this once and for all. Well....at least this is where this problem is heading, which means this has now gone from Systems to Network and away from my realm.

Tony...I really appreciate all your help with this. Even though we didn't get it solved, your comments definitely helped me to troubleshoot this thing to death. If I can, I will try and get some points to you for all this. Hey...out of this entire site, you were the only one who chimed in!

ASKER

Thanks to Tony, we were able to rule out our Exchange server and find that one of our network devices is to blame for this issue.
Thank you for the points - much appreciated even though all I really did was bounce ideas around.

I have been in the same position so many times I've lost count and if I can, I'll always at least try to throw in a few pointers :)

Good luck with tracking the offending device down mate.