Koozali.org: home of the SME Server

SME with Barracuda SFW - LDAP issue

edb
SME with Barracuda SFW - LDAP issue
« on: July 19, 2007, 10:12:50 PM »
This is way off topic but I have just installed a new Barracuda 400 Spam Firewall and it is configured to intercept & scrub all mail prior to passing it off to my SME server.
All is fine, but what I wanted to do was to configure the Barracuda to use LDAP to contact the SME mail server to see if the user exists, then drop the message if not found, rather than using SMTP authentication.
Overhead and bandwidth issues are 2/3's higher with SMTP authentication vs LDAP.

I cannot seem to get this to work properly but here are the parameters it requires on the Barracuda side:

LDAP Server:__________________(Hostname or IP address of LDAP or Active Directory server. Delimit failover server with a space.)

LDAP Port:________(Port for LDAP or Active Directory server. Default: 389)

SSL/TLS Mode:   ___Off , ___StartTLS or ___LDAPS

Require SSL/TLS: __Yes or __No

Bind DN:  _________   (Distinguished Name (DN) of a user in your directory that has read access to all information about valid users. This is the LDAP/Exchange Username under which LDAP queries will be performed.)

Bind Password:________ (Password for the username specified above.)

LDAPFilter:(|(othermailbox=smtp$${recipient_email})(othermailbox=smtp:${recipient_email})(proxyaddresses=smtp$${recipient_email})(proxyaddresses=smtp:${recipient_email})(mail=${recipient_email})(userPrincipalName=${recipient_email}))
(List of attributes to check during account verification.)

LDAP Search Base:${defaultNamingContext}
(Starting search point in LDAP, which is usually the Base DN for your directory. If your domain is test.com, your Base DN might be dc=test,dc=com.)


LDAP UID:__________(Attribute containing the username. Examples: for Open LDAP: uid; for Active Directory: sAMAccountName)


LDAP Primary Email Attribute:______________________(Attribute which contains the user's primary email account. Used only when Unify Email Alias is enabled.)


Any assistance would be greatly appreciated.

edb

edb
SME with Barracuda SFW - LDAP issue
« Reply #1 on: July 20, 2007, 06:45:08 PM »
OK, I finally figured it out and I now have my Barracuda doing LDAP authentication which is working for the Primary Domain without issue.   :D

Here is what I changed ....

Require SSL/TLS: should be "YES"

LDAP Filter: (|(mail=${recipient_email}))

LDAP Search Base: dc=test,dc=com

LDAP UID: cn

LDAP Primary Email Attribute: mail

Now I just can't seem to get it working the same way for the virtual domains that I'm hosting.
Ideas anyone?

jfarschman
Re: SME with Barracuda SFW - LDAP issue
« Reply #2 on: September 10, 2007, 11:39:56 PM »
Ed,

  I'm working on the same problem... or I am now.  Initially, we wanted SME to respond back with a 550 reject message if the user did not exist, but that's not possible.  It's a major change in the architecture.

  So let me ask you this?

  Did you have to do anything else to get this working... like open up the firewall to allow outside LDAP access?
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com

jfarschman
Re: SME with Barracuda SFW - LDAP issue
« Reply #3 on: September 17, 2007, 07:30:52 PM »
This works great  :-P  and it dropped the load drastically.

One recommendation... when doing your config, take a look at /etc/openldap/slapd.conf to get the exact settings for the Barracuda (or other device).
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com

edb
Re: SME with Barracuda SFW - LDAP issue
« Reply #4 on: October 08, 2007, 06:04:49 AM »
Sorry Jay

I've been out of the loop for a while and never saw your post until now, but I assume you got it all working and your Barracuda is behaving the way it should now.
I know I pulled my hair out for a while until I came up with the right combination, but it sure does help having the Barracuda use LDAP user verification from the SME server, doesn't it?

Hope you have it all worked out ... BTW I just love my Sonicwall, Barracuda, SME server combination I have in place and I think it's a hard team to beat. Rock solid security with ease of use!

edb

jfarschman
Re: SME with Barracuda SFW - LDAP issue
« Reply #5 on: October 08, 2007, 05:34:36 PM »
Ed,

  Yep... it's working as expected now.  Thanks for the roadmap.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com

ltc6netspec (http://www.lth6.k12.il.us)
Re: SME with Barracuda SFW - LDAP issue
« Reply #6 on: March 31, 2008, 07:06:10 PM »
Have the same setup with barracuda 400.  You didn't say how to allow virtual domains.


Please let me know?

Thank you in advance

CharlieBrady
Re: SME with Barracuda SFW - LDAP issue
« Reply #7 on: March 31, 2008, 09:45:40 PM »
> BTW I just love my Sonicwall, Barracuda, SME server combination I have in place and I think it's a hard team to beat.

I'm curious to know what the Barracuda provides that SME server itself does not (or which they both provide, but Barracuda does better).

edb
Re: SME with Barracuda SFW - LDAP issue
« Reply #8 on: March 31, 2008, 10:41:44 PM »
> Have the same setup with barracuda 400.  You didn't say how to allow virtual domains.

If you are asking how to allow the users of a virtual domain that you have created to have their email scanned, then it may be easier to use the new list feature where you can specify all Valid Recipients in a list format. This is what I'm using right now for my virtual domains because the LDAP feature is set up for only your primary domain and it cannot verify your virtual users or pseudonyms.

Under the Domains tab create your virtual domain, then click the "edit domain" button and scroll to the bottom of the screen where you see the "Valid Recipients" section, then just add all the users for the virtual domain in the following format: "user1@virtual.domain.com". It may be a little effort to plug in all the email addresses and aliases, but once it is done it's done until you need to either add another user or remove a user that has left.

Hope this helps.

edb 

BartManInNZ (http://www.bart.geek.nz/)
Re: SME with Barracuda SFW - LDAP issue
« Reply #9 on: April 01, 2008, 01:28:45 AM »
> I'm curious to know what the Barracuda provides that SME server itself does not (or which they both provide, but Barracuda does better).

Hi Charlie,

Yes, SME server does all and more than the Barracuda (up until just recently they were both using the same RBLs), but the Barracuda is dedicated to the monitoring, filtering and reporting of email, and its user interface is geared around that. Whereas within an SME server out-of-the-box there is enough in the user interface to get you up and running, but when it comes to more than that you need to go and locate and install contribs etc. (sysmon, awstats, etc.). The log files are fairly rudimentary compared to the message log of the Barracuda, but then again they do the job for most users of SME Server.

What I have found is that as server hardware has come down in price, the days of running everything off one box are coming to an end, specifically in small to medium enterprise businesses. Speaking from my experience, our organisation has 20+ servers, nearly 500 workstations and 800 users*. We are moving away from monolithic one-server-does-all to specialised appliances designed for one purpose. We run an iPrism for Internet filtering, Barracuda 200 for Spam, Citrix SSL Gateway for remote access etc. We are in the process of consolidating our out-of-date servers (20+ Dell PowerEdge POS) to 4 HP Proliant blades and implementing VMWare ESX Server. Within this environment I see a further expansion of (virtual) servers, each one dedicated to its own area, so that if it needs to go down for whatever reason only a small section of the entire system is affected.

As far as SME server goes I am hoping to implement this primarily as a Squid Cache within a VM as we burn through 100+GB of data per month!

Just my $0.02 worth.
Bart.

*This is large by New Zealand standards but would probably be in the medium size in other parts of the world.

slords
Re: SME with Barracuda SFW - LDAP issue
« Reply #10 on: April 01, 2008, 02:15:09 AM »
> Have the same setup with barracuda 400.

That is causing all kinds of bouncing due to your misconfigured SPF checking.  Please disable or fix.
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs,
and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." -- Rich Cook

edb
Re: SME with Barracuda SFW - LDAP issue
« Reply #11 on: April 01, 2008, 03:27:44 AM »
> I'm curious to know what the Barracuda provides that SME server itself does not (or which they both provide, but Barracuda does better).

Hi Charlie,

I have to agree with BartManInNZ, the Barracuda is a very specialized device designed for only a single purpose and capable (in the case of my 400 model) of handling millions of messages per day with ease. Not to mention the fact that we have a zero SPAM environment now.
The Barracuda Spam Firewall protects your email server with twelve defense layers:
(it also has a nice Outlook plugin to be able to label a message as SPAM or not)

  • Network Denial of Service Protection
  • Rate Control
  • IP Reputation Analysis
  • Sender Authentication
  • Recipient Verification
  • Virus Scanning
  • Policy (User-specified rules)
  • Spam Fingerprint Check
  • Intent Analysis
  • Image Analysis
  • Bayesian Analysis
  • Rule-based Scoring

All this with a very simple and easy to use GUI, and constant, reliable updates delivered on an hourly basis.
It is a set-it and forget-it solution. My Barracuda scrubs all email first and hands it over to the SME server for delivery to the users' inboxes.
I use SME as my main Mail and Web server and the Barracuda helps to take the load off of the SME server to allow it to do other tasks more effectively.
I just find it makes my life a whole lot easier too because it is a very reliable device and well ... just one less thing I have to worry about.

I used to rely solely on the SME server to provide my SPAM solution but found that it was really taxing on my server resources.
It's not that there is anything wrong with SME server, but just that it is a lot to expect from one server to handle everything.
I think that SME server is a wonderful brainchild that has evolved to be a very easy to use and reliable solution for any Small to Medium business, and it also has an absolutely great community of fellow users that is invaluable, unlike so many other distros.

I love SME but it is hard to beat an Enterprise device devoted solely to eliminating SPAM.

edb


ltc6netspec (http://www.lth6.k12.il.us)
Re: SME with Barracuda SFW - LDAP issue
« Reply #12 on: April 02, 2008, 10:20:49 PM »

Performing this with 61 primary and virtual domains

Barracuda doing LDAP authentication for primary and virtual domains

"If smeserver is behind a firewall first open port 389"

In Barracuda check on "Domains" Tab,
Then check on "edit LDAP" for the specific domain.

SETTINGS for LDAP queries:

LDAP Server:  IP address for sme server

Require SSL/TLS: should be "YES"

LDAP Filter: (|(mail=${recipient_local_part}@primary.domain))  **Change for your primary domain

LDAP Search Base: dc=primary,dc=domain   **Change for your primary domain

LDAP UID: uid

LDAP Primary Email Attribute: mail

Test with valid email address

Then

check box for:

Exchange Accelerator/LDAP Verification:

and press SAVE CHANGES button

There you go
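The recipient-verification lookup behind the two sets of settings in this thread (edb's `(|(mail=${recipient_email}))` and ltc6netspec's `(|(mail=${recipient_local_part}@primary.domain))`), as an added Python example that is not from the thread, from Barracuda or from SME Server. It simulates the directory in memory: the accounts, the `primary.domain` / `virtual.domain` names, the hostname and the bind DN are constructed placeholders, and it assumes, as the working filter implies, that SME stores each account's `mail` attribute as `user@<primary domain>`. It also escapes the recipient value per RFC 4515 before interpolating it into the filter, because an unescaped `*` in the recipient address would act as a wildcard and turn "drop unknown users" into "accept everyone".

```python
import re

# Constructed stand-in for the SME Server OpenLDAP directory. Assumption
# (consistent with the filter that works in the thread): each account's
# mail attribute holds user@<primary domain>, never a virtual-domain address.
PRIMARY_DOMAIN = "primary.domain"
DIRECTORY = [
    {"uid": ["jdoe"], "mail": ["jdoe@primary.domain"]},
    {"uid": ["asmith"], "mail": ["asmith@primary.domain"]},
]

# The two filter templates from the thread, using the Barracuda's
# ${recipient_email} and ${recipient_local_part} substitution variables.
PRIMARY_ONLY_FILTER = "(|(mail=${recipient_email}))"
VIRTUAL_AWARE_FILTER = "(|(mail=${recipient_local_part}@" + PRIMARY_DOMAIN + "))"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    An unescaped '*' would act as a wildcard and match every account."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value: str) -> str:
    """Reverse RFC 4515 escaping (\\2a -> '*', \\28 -> '(' and so on)."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def render_filter(template: str, recipient: str) -> str:
    """Fill a Barracuda-style template with the (escaped) recipient address."""
    local_part, _, _domain = recipient.partition("@")
    variables = {
        "recipient_email": escape_filter_value(recipient),
        "recipient_local_part": escape_filter_value(local_part),
    }
    return re.sub(r"\$\{(\w+)\}", lambda m: variables[m.group(1)], template)


def _value_matches(pattern: str, actual: str) -> bool:
    # A raw '*' in the filter is a substring wildcard; an escaped '\2a' is a
    # literal asterisk, which no real mail address will contain.
    pieces = [re.escape(unescape_filter_value(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(pieces), actual, re.IGNORECASE) is not None


def evaluate_filter(ldap_filter: str, entry: dict) -> bool:
    """Evaluate the OR-of-equality filters used in the thread, such as
    (|(mail=x)(uid=y)) or a bare (mail=x). Not a general LDAP filter parser."""
    clauses = re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)
    return any(
        _value_matches(pattern, value)
        for attr, pattern in clauses
        for value in entry.get(attr.lower(), [])
    )


def verify_recipient(directory, template: str, recipient: str) -> bool:
    """What the appliance decides: True = accept, False = drop (unknown user)."""
    ldap_filter = render_filter(template, recipient)
    return any(evaluate_filter(ldap_filter, entry) for entry in directory)


def ldapsearch_command(host: str, base: str, bind_dn: str,
                       template: str, recipient: str) -> list:
    """The same query against a real server, for the 'test with a valid
    address' step (host and DNs are placeholders). -ZZ demands StartTLS,
    matching the thread's 'Require SSL/TLS: YES'; -W prompts for the password."""
    return ["ldapsearch", "-x", "-ZZ", "-H", f"ldap://{host}", "-D", bind_dn, "-W",
            "-b", base, render_filter(template, recipient), "mail"]


if __name__ == "__main__":
    recipients = ("jdoe@primary.domain", "jdoe@virtual.domain",
                  "nobody@virtual.domain", "*@virtual.domain")
    for template in (PRIMARY_ONLY_FILTER, VIRTUAL_AWARE_FILTER):
        for rcpt in recipients:
            verdict = "accept" if verify_recipient(DIRECTORY, template, rcpt) else "drop"
            print(f"{template:48s} {rcpt:22s} -> {verdict}")
    print(" ".join(ldapsearch_command("sme.primary.domain", "dc=primary,dc=domain",
                                      "cn=ldap-reader,dc=primary,dc=domain",
                                      VIRTUAL_AWARE_FILTER, "jdoe@virtual.domain")))
```

Running it shows the two behaviours discussed in the thread: with the `${recipient_email}` filter, `jdoe@virtual.domain` is dropped because no entry carries a virtual-domain address, while the `${recipient_local_part}@primary.domain` filter accepts it. The trade-off of the second filter is visible in the same output: it accepts any address whose local part exists in the primary domain, regardless of which virtual domain it is sent to, and it still cannot see pseudonyms, which is why the Valid Recipients list in reply #8 remains useful for those.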

edb
Re: SME with Barracuda SFW - LDAP issue
« Reply #13 on: April 02, 2008, 11:33:32 PM »
Excellent!!!!!  :-)

Thanks for that nice piece of info ltc6netspec. It works a treat ... I struggled with that to no end.
The LDAP filter part is what I had problems with.

edb
« Last Edit: April 02, 2008, 11:54:47 PM by edb »

slords
Re: SME with Barracuda SFW - LDAP issue
« Reply #14 on: April 02, 2008, 11:43:14 PM »
ltc6netspec fix your email.  You are bouncing all email:

<roearchivetest@mhs.org>:
64.107.96.18 does not like recipient.
Remote host said: 550-5.7.0 <roearchivetest@mhs.org>... This mail server uses an anti-spam technique called SPF.  SPF Records published by your
550-5.7.0 email provider indicate that you are not authorized to transmit email using this email address
550-5.7.0 from your current IP.  Your email has been rejected.   Please contact your domain administrator.
550-5.7.0 For more information about SPF please see: http://en.wikipedia.org/wiki/Sender_Policy_Framework
550 5.7.0 For more information about CIPAFilter please seee: http://www.cipafilter.com
Giving up on 64.107.96.18.

Because you are passing all email through some other hop you are destroying SPF.
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs,
and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." -- Rich Cook
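Why sending mail out through another hop breaks SPF, as an added Python example that is not from the thread: a minimal evaluator for the `ip4`, `ip6` and `all` mechanisms of an SPF record. The record, the host names and the IP addresses (documentation ranges) are constructed. A receiving server evaluates the sender domain's SPF record against the IP address that actually connects to it, so when mail leaves through a hop the record does not list, a `-all` record yields the kind of 550 rejection quoted in the bounce above; listing that hop's address in the record (or not relaying through it) restores a pass.

```python
import ipaddress

# Qualifier prefixes and the SPF results they produce (RFC 7208, section 4.6.2).
_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Evaluate an SPF record for the IP that connected to the receiving server.
    Supports the ip4, ip6 and all mechanisms (enough to show the relay problem);
    mechanisms and modifiers that need DNS (a, mx, include, ptr, exists,
    redirect=) raise NotImplementedError rather than guessing."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        if "=" in term:                       # modifier, e.g. exp= or redirect=
            if term.lower().startswith("exp="):
                continue
            raise NotImplementedError(f"modifier needs DNS: {term}")
        qualifier = "+"
        if term[0] in _QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return _QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return _QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"mechanism needs DNS: {mechanism}")
    return "neutral"                          # nothing matched and no 'all' term


def spf_result_for_path(record: str, hops: list) -> tuple:
    """The receiver only sees the last hop's address, so that is what SPF judges.
    hops is an ordered list of (name, ip) pairs from the origin server outward."""
    last_name, last_ip = hops[-1]
    return last_name, evaluate_spf(record, last_ip)


# Constructed scenario: the SME server's own address is in the record, the
# filtering hop that actually delivers the mail is not.
SME_SERVER = ("sme.example.org", "203.0.113.10")
RELAY_HOP = ("outbound-filter.example.net", "198.51.100.25")
RECORD_SME_ONLY = "v=spf1 ip4:203.0.113.10 -all"
RECORD_WITH_RELAY = "v=spf1 ip4:203.0.113.10 ip4:198.51.100.25 -all"

if __name__ == "__main__":
    for label, record, path in (
        ("direct delivery", RECORD_SME_ONLY, [SME_SERVER]),
        ("via relay, relay not in record", RECORD_SME_ONLY, [SME_SERVER, RELAY_HOP]),
        ("via relay, record fixed", RECORD_WITH_RELAY, [SME_SERVER, RELAY_HOP]),
    ):
        hop, result = spf_result_for_path(record, path)
        print(f"{label:34s} judged hop={hop:28s} spf={result}")
```

The middle case is the one in the bounce: the receiving server sees the relay's address, finds it nowhere in the record, reaches `-all`, and rejects with 550. The third case shows the fix slords is asking for: either publish the relay's address in the domain's SPF record or stop routing outbound mail through a hop the record does not cover.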