The Barracuda NextGen Firewall F-Series enforces mail security in the firewall by transparently scanning incoming and outgoing SMTP connections for malware and checking the reputation of the sender's IP address via a DNS blacklist (DNSBL). SMTP connections are supported on the following ports:
SMTP and SMTP with StartTLS – TCP 25, TCP 587
- SMTPS – TCP 465
SSL Interception for Mail
SSL-encrypted SMTP connections are decrypted differently for inbound and outbound connections. Outbound SSL-encrypted SMTP connections are SSL-intercepted using a dynamically generated SSL certificate derived from the root certificate uploaded in the SSL Interception configuration. Inbound SSL-encrypted connections are intercepted using the same SSL certificate chain as is installed on the internal mail server. The SSL certificates are bound to the IP address on the F-Series Firewall that the mail server domain's MX record resolves to. This allows remote MTAs to use the information included in the SSL certificate to verify the identify of the server it is connecting to. You must install the SSL Interception root certificate on all mail clients connecting to a mail server via an SSL-intercepted SMTP connection to avoid certificate errors.
For more Information see How to Configure SSL Interception in the Firewall.
Virus Scanning for Mail
Both inbound and outbound email attachments are scanned by the Virus Scanner service. If malware is detected in an email attachment, the infected file is removed and replaced by an attachment containing a customizable text, and the 5005 Virus Scan file blocked event is triggered. If Advanced Threat Protection (ATP) is enabled on the system, attachments that have passed the Virus Scanner are uploaded and analyzed in the Barracuda ATP cloud. Mail attachments are always scanned in Deliver first, then scan mode. If malware is found by ATP, the result is only reported; the email recipient is not placed in quarantine. The Virus Scanner fail-close policy does not apply to SMTP and SMTPS connections. If the Virus Scanner service is unavailable, emails with attachments are not scanned by either the Virus Scanner or ATP. Instead, they are delivered as-is to the internal mail server. A dedicated virus-scan log file is created if logging is activated under Firewall > Security Policy > Virus Scanner Configuration > Advanced.
Inbound email can also be classified according to DNS blacklists (DNSBL), such as the Barracuda Reputation Block List. For sender IP addresses blacklisted by the DNSBL, [SPAM] is prepended to the subject line of the email, and the MIME headers of the email are modified to allow the email to be immediately identified as spam by the mail server. If the DNSBL server is not available, the email is not modified. The email itself is delivered to the internal mail server.
For more information, see How to Configure Mail Security in the Firewall.