The Barracuda NextGen Firewall X-Series scans SMTP traffic in two steps:
- SSL Inspection decrypts SSL-encrypted SMTP connections. For incoming connections, your mail server's SSL certificates are used.
The DNS blacklist database is queried via a DNS lookup using the sender's IP address. If the DNS reputation database is not available, the email is not modified. If the domain or IP address is blacklisted, the email's subject line is modified to start with
[SPAM]
and the following non-configurable MIME type headers are set:X-Spam-Prev-Subject:
Your email subject without the [SPAM] tag.X-Spam-Flag: YES
X-Spam-Status: Yes
X-Spam-Level: ***
- Email attachments are scanned by the virus scanner. If malware is found, the attachment is stripped from the email and replaced by a customizable text informing the user that the malicious attachment has been removed.
Before you begin
- Enable and configure SSL Inspection. If needed, adjust the SSL Inspection settings to support MTAs requiring SSLv3. For more information, see How to Configure SSL Inspection.
Step 1. Import the mail server certificates
Import the SSL certificates of your internal mail server(s). For more information, see How to Use and Manage Certificates with the Certificate Manager.
Step 2. Enable virus protection for mail traffic
Enable virus scanning and SSL Inspection in the firewall.
- Go to FIREWALL > Settings.
- In the Firewall Policy Settings section, enable TCP Stream Reassembly.
- Make sure that Application Control is enabled.
- In the Virus Protection section,
- Set Enable Virus Protection to Yes.
- Set Enable for SMTP & SMTPS to Yes.
(optional) Configure advanced virus scanner settings:
- In the Advanced Options section, click Advanced / Show.
(optional) Change the default behavior If Virus Scanner is not available.
Block All – (default) All pages will be blocked.
Allow All – All pages will be allowed.
- Configure the following settings:
- Block Large Files / Large File Limit – To block files that exceed the Large File Limit, enable Block Large Files.The large file policy is set to a sensible value for your appliance. The maximum value is 1024 MB. If disabled, large files will not be scanned. Instead, they will be delivered directly to the client.
- Scanned MIME Types – If applicable, you can add MIME types of files you want the X-Series Firewall to scan to the Scanned MIME Types list (see: Default MIME Types in Virus Protection in the Firewall). To add a file type, enter the file path and click +. To remove a file type, click - next to the file entry in the list. Click Reset to Defaults to restore the default list.
- At the bottom of the page, click Save.
- (Optional) Enable Advanced Threat Detection. For more information, see Advanced Threat Protection (ATP/ATD).
- In the Mail Security section, enter the public IP address that your mail server domain's MX record resolves to in the Mail Server SSL Certificates section, select the mail server SSL certificate from the Certificate list, and click +.
- Enter the FQDN of the DNS Blacklist Server. Default:
b.barracudacentral.org
- Click Save.
Step 3. Create a DNAT access rule for incoming SMTP traffic
Enable Application Control, SSL Interception, and Virus Protection in the access rule.
- Go to FIREWALL > Firewall Rules.
- Create an access rule with the following settings:
- Action – Select DNAT.
- Connection – Select No SNAT.
- Source – Select Internet, and click +.
- Network Services – Select SMTP, and click +.
- Destination – Enter the public IP address that your mail server domain's MX record resolves to, and click +.
- Redirect – Enter the IP address(es), or select a network object for your internal mail server(s), and click +.
- Enable Application Control, SSL Inspection, Virus Protection, and Mail Blacklist Checks.
- Click Save.
Step 4. (optional) Create an access rule for outgoing SMTP connections
Create an access rule to scan outgoing SMTP traffic from your internal mail server or mail clients for malware.
- Go to FIREWALL > Firewall Rules.
- Create an access rule with the following settings:
- Action – Select Allow.
- Connection – If used for an internal mail server, create and select a connection object using the public IP address that your mail server's MX record resolves to as the source IP address. If this rule applies to SMTP clients, select Dynamic SNAT.
- Source – Create and select a network object containing your mail server IP addresses, or for SMTP client connections the network containing the SMTP clients, and click +.
- Network Services – Select SMTP for outgoing mail server traffic, or create a service object for TCP port 587 for outgoing mail client traffic, and click +.
- Destination – Select Internet, and click +.
- Enable Application Control, SSL Inspection, and Virus Protection.
- Click Save.
Monitoring and testing
You can test the virus scanner setup by sending EICAR test files from http://www.eicar.com via email to a mail server located behind the firewall.
To monitor detected viruses and malware, go to the BASIC > Recent Threats page.
Next steps
- Customize the text used to replace removed email attachments. For more information, see Custom Block Pages.