All Email Security Gateway, all firmware versions.
The Email Security Gateway utilizes a hardened Linux operating system for maximum security and stability. The end customer interfaces to the Email Security Gateway include a console-based, menu-driven interface for basic system configuration and troubleshooting and a Web-based interface for administration and end user access. Barracuda Networks appliances are not designed for end customers to have any operating system or shell access to the device. As such, the most appropriate method of performing vulnerability assessments of Barracuda Networks appliances is from the network side.
The following is a list of network connections and communications by the Email Security Gateway:
1. Inbound communications
Across Barracuda Networks appliances, there are several ports that are generally open inbound for Barracuda Networks appliances to operate. These include:
- HTTP for Web user interface (usually port 8000; this can be configured by the administrator)
- HTTPS for secure Web user interface (usually port 443; this can be configured by the administrator)
- SNMP over port 161
- Clustering protocols over ports 8002 (note: older firmware also used 8002)
- Port 25 for SMTP traffic
Barracuda Networks products communicate with Barracuda Central to receive ongoing updates. In addition, Barracuda Networks products report aggregated statistics to help Barracuda Networks fight spam, viruses, and other threats as well as optimize and monitor the product. Information is collected electronically and automatically. Statistics include, but are not limited to, the number of messages processed, the number of messages that are categorized as spam, the number and types of viruses, IP addresses of the largest spam senders, the number of emails classified for Bayesian analysis, and other statistics.
Customer data will be kept private and will only be reported in aggregate by Barracuda Networks.
The following outbound ports are utilized across Barracuda Networks appliances:
- HTTP over port 80 or 8000 outbound to Barracuda Central servers for updates.
- NTP over port 123 to Barracuda Central servers (this can be reconfigured to use internal NTP servers).
- SSH over port 22. System administrators can manually initiate a reverse tunnel to Barracuda Central support servers for remote support. This feature can also be disabled.
- SMTP over port 25 for submitting messages marked as spam to Barracuda Central servers (this can be disabled).
- SMTP over port 25 for submitting suspected virus samples to Barracuda Central servers (this can be disabled).
- DNS queries over port 53 for Barracuda Real-Time Virus Protection (this can be disabled).
- Aggregated statistics collection over port 5022, port 443, and port 80 to Barracuda Central servers.
Depending on the features utilized, Barracuda Networks products may use the network to communicate with external infrastructure. These ports include:
- DNS over port 53 UDP
- SMTP over port 25
- SNMP over port 161 TCP/UDP
- syslog over port 514 UDP
- LDAP over port 389/636 for recipient verification, single sign-on, and outbound relay authentication.
- RADIUS over port 1812 TCP/UDP for single sign-on features.
- POP3 over port 110 (or port 995 for POP3 over SSL), used for remote mail collection and single sign-on features.
- IMAP over port 143 (or port 993 for IMAP over SSL), used for remote mail collection.
The Email Security Gateway should be open for outbound communication using the following protocols:
- SMTP to deliver outgoing mail for outbound relay functions
- DNS for use by any customer external blacklists (DNSBLs)
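
The outbound port lists above can serve as an egress baseline when reviewing firewall logs for the appliance. The following is an added example, not Barracuda code: it classifies flows as documented, documented but belonging to a feature the administrator has disabled, or undocumented. The log line format, the feature names, and the sample addresses are assumptions made for illustration.

```python
# Added example: classify egress flows from the appliance against the outbound
# ports documented above. TCP is assumed where the page names no transport
# (HTTP, HTTPS, SSH, SMTP, LDAP, POP3, IMAP, 5022); NTP is UDP.
DOCUMENTED = {
    ("tcp", 80): "updates", ("tcp", 8000): "updates", ("udp", 123): "ntp",
    ("tcp", 22): "support_tunnel", ("tcp", 25): "smtp", ("udp", 53): "dns",
    ("tcp", 5022): "statistics", ("tcp", 443): "statistics",
    ("tcp", 161): "snmp", ("udp", 161): "snmp", ("udp", 514): "syslog",
    ("tcp", 389): "ldap", ("tcp", 636): "ldap",
    ("tcp", 1812): "radius", ("udp", 1812): "radius",
    ("tcp", 110): "pop3", ("tcp", 995): "pop3",
    ("tcp", 143): "imap", ("tcp", 993): "imap",
}

def parse_flow(line):
    """Parse 'proto src:sport -> dst:dport' (hypothetical log format)."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "->":
        return None
    proto = parts[0].lower()
    host, _, port = parts[3].rpartition(":")
    if proto not in ("tcp", "udp") or not host or not port.isdigit():
        return None
    return proto, host, int(port)

def audit(lines, disabled=frozenset()):  # disabled: features turned off
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            findings.append((line, "unparsed"))
            continue
        proto, host, port = flow
        feature = DOCUMENTED.get((proto, port))
        verdict = ("undocumented" if feature is None else
                   ("disabled:" if feature in disabled else "ok:") + feature)
        findings.append((f"{proto}/{port} -> {host}", verdict))
    return findings

SAMPLE = [  # constructed flows using documentation-range addresses
    "tcp 192.0.2.10:40112 -> 198.51.100.7:80",
    "udp 192.0.2.10:123 -> 198.51.100.8:123",
    "tcp 192.0.2.10:40290 -> 198.51.100.9:22",
    "tcp 192.0.2.10:40311 -> 203.0.113.50:6667",
    "garbage line",
]
if __name__ == "__main__":
    for item, verdict in audit(SAMPLE, disabled={"support_tunnel"}):
        print(f"{verdict:24} {item}")
```

Port alone cannot distinguish mail delivery from spam or virus sample submission on port 25, so restricting those flows requires destination-based rules in addition to this check.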