You can specify Email Gateway Defense as an inbound mail gateway through which all incoming mail for your domain is filtered before reaching your Amazon WorkMail account. Email Gateway Defense filters out spam and viruses, then passes the mail on to Amazon SES (Simple Email Service).
You can also specify Email Gateway Defense as the outbound mail gateway through which all mail is sent from your domain via your Amazon WorkMail account to the recipient. As the outbound gateway, Email Gateway Defense processes the mail by filtering out spam and viruses before final delivery. To do this, enable a Simple Mail Transfer Protocol (SMTP) gateway in Amazon WorkMail and use it with outbound email flow rules to route messages sent from your Amazon WorkMail organization through that gateway.
Configure Inbound Mail
Launch the Email Gateway Defense Setup Wizard
The setup wizard includes steps to identify your email server, add MX records, and remove MX records. Each of the domains where you want to filter email must be verified by Email Gateway Defense for proof of ownership; Email Gateway Defense does not process email for a domain until the verification process is complete.
Log into Barracuda Cloud Control. If this is your first time launching the Email Gateway Defense setup wizard, you will be redirected to the Barracuda Trials Hub page. Click Set Up under Email Gateway Defense.
Alternatively, if you have started the setup wizard but did not complete it, after logging into Barracuda Cloud Control, select Email Gateway Defense on the left side. In the top banner, click Set Up Now to launch the setup wizard.
The Email Gateway Defense wizard launches.
Select the Region for your data center. Then click Confirm region.
After you select your region, you cannot change it.
Enter a valid email address from the email server domain you want to protect with Email Gateway Defense. Click Detect email server.
The system automatically fills in your destination mail server. If this is not the correct server, click Edit, enter the correct details, and then click Update.
After you have determined that the settings are correct, click Verify server.
Note that mail servers can take up to 48 hours to be discoverable for new domains.
Once your email server is verified, a green check mark will appear at Step 1 and the Status will show. You can now move on to Step 2 Add new MX records.
To add new MX records:
Log into your DNS hosting account.
Add the primary and backup MX records shown in the Add new MX records section. Instructions for your DNS hosting provider will vary; you can use search terms such as add, edit, manage, or MX records.
Add the MX records with a low priority, for example, 99. Adding the new MX records to your existing list should look similar to this:
After updating your MX records, allow at least 24-48 hours before completing the next step to allow time for your changes to propagate.
Verify that the new Email Gateway Defense MX records have been added by clicking on the Verify records button.
Once your MX records are added, a green check mark will appear at Step 2 and the Status will show. You can now move on to Step 3 Remove old MX records.
To remove old MX records:
Log into your DNS hosting account.
Remove the existing MX records shown in the Remove old MX records section. Instructions for your DNS hosting provider will vary; you can use search terms such as add, edit, manage, or MX records.
Update the priority of your primary and backup Barracuda MX records to 1 and 10.
In the Email Gateway Defense wizard, verify that your non-Barracuda Networks MX records have been removed by clicking on the Verify update button.
Once your MX records are removed, a green check mark will appear at Step 3 and the Status will show.
After you have successfully completed all the steps in the Email Gateway Defense setup wizard, click the Complete setup button. To exit the wizard and come back at a later time, click Save & exit.
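The MX cutover in Steps 2 and 3 can be checked from the DNS answers themselves. The following is an added example, not Barracuda or AWS code; the gateway and legacy hostnames are constructed placeholders, so substitute the primary and backup MX hosts the wizard shows for your account. It classifies an MX set and flags the case where an old record is left behind, which lets senders deliver to the mail server directly and skip filtering.

```python
# Added example (not vendor code). Hostnames are constructed placeholders;
# use the primary and backup MX hosts the setup wizard shows for your account.
GATEWAY_HOSTS = {"primary.gateway.example.net", "backup.gateway.example.net"}


def parse_mx(lines):
    """Turn 'preference host' lines (dig +short MX format) into sorted tuples."""
    records = []
    for line in lines:
        pref, host = line.split()
        records.append((int(pref), host.rstrip(".").lower()))
    return sorted(records)


def cutover_state(records, gateway_hosts=GATEWAY_HOSTS):
    """Classify an MX set against the wizard's Step 2 and Step 3."""
    gateway = [(p, h) for p, h in records if h in gateway_hosts]
    legacy = [(p, h) for p, h in records if h not in gateway_hosts]
    if {h for _, h in gateway} != set(gateway_hosts):
        return "step2-pending"  # primary and/or backup gateway MX not published
    if legacy:
        # A lower preference number is tried first, so 99 keeps the gateway
        # behind the existing servers until the old records are removed.
        if min(p for p, _ in gateway) > max(p for p, _ in legacy):
            return "step2-done"
        return "mixed"  # senders may still deliver to a legacy host, unfiltered
    if sorted(p for p, _ in gateway) == [1, 10]:
        return "step3-done"
    return "step3-priorities"  # legacy gone; set gateway priorities to 1 and 10


# Constructed sample answers for the stages of the cutover.
BEFORE = parse_mx(["10 inbound-smtp.mail.example.org."])
ADDED = parse_mx(["10 inbound-smtp.mail.example.org.",
                  "99 primary.gateway.example.net.",
                  "99 backup.gateway.example.net."])
FINAL = parse_mx(["1 primary.gateway.example.net.",
                  "10 backup.gateway.example.net."])
LEFTOVER = FINAL + [(20, "inbound-smtp.mail.example.org")]

if __name__ == "__main__":
    for name, recs in [("before", BEFORE), ("added", ADDED),
                       ("final", FINAL), ("leftover", LEFTOVER)]:
        print(name, cutover_state(recs))
```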
Configure Outbound Filtering
Step 1. Set Up Custom MAIL FROM Domain
By default, Amazon WorkMail uses an amazonses.com domain in the MAIL FROM [envelope] sender. To relay your outbound mail through Barracuda Networks, you must configure WorkMail to use your custom domain instead.
If you have already completed this step, proceed to Step 2. Create an SMTP Gateway.
Navigate to Amazon SES at https://console.aws.amazon.com/ses.
Under Configuration, select Identities, and then select your custom email domain.
Scroll down to the Custom MAIL FROM domain section, and click Edit.
Check the box to Use custom MAIL FROM domain and enter a value, such as ses, in the MAIL FROM domain field.
Click Save changes.
Under the Custom MAIL FROM domain section, follow the instructions to publish the MX and SPF (type TXT) records to the DNS server of the custom MAIL FROM domain to verify your domain.
Once your custom domain shows a Successful status, continue to the next step.
Step 2. Create an SMTP Gateway
Open the Amazon WorkMail console at https://console.aws.amazon.com/workmail/.
In the navigation pane, select Organizations, and then select the name of an organization.
In the navigation pane, select Organization settings.
The Organization settings page appears and displays a set of tabs. Select the SMTP gateways tab, and then select Create gateway.
Enter the following:
Gateway name – Barracuda
Gateway address – The outbound SMTP smarthost from your Email Gateway Defense interface
Port number – 25
Username and Password – Enter a period. These values are not needed for outbound relay.
Select Create.
The SMTP gateway is now available for use with outbound email flow rules.
Step 3. Update SPF Record
Log into your DNS provider and locate the SPF record created for your custom [sub] domain, which was required as part of Step 1. Set Up Custom MAIL FROM Domain.
Add the Barracuda include statement for your region. See Sender Policy Framework for Outbound Mail for the relevant SPF INCLUDE based on the region you selected for Email Gateway Defense.
An example SPF record for the US region: v=spf1 include:amazonses.com include:spf.ess.barracudanetworks.com ~all
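A check for the updated record, as an added example that is not Barracuda or AWS code. It assumes the two includes from the US-region example above and takes the TXT strings published at the custom MAIL FROM subdomain; the sample records are constructed. It catches the common editing mistakes: publishing a second SPF record instead of editing the first, omitting an include, and appending the new include after the all mechanism.

```python
# Added example (not vendor code): check the SPF TXT record of the custom
# MAIL FROM subdomain. The includes are the ones in the page's US-region example.
REQUIRED_INCLUDES = ("amazonses.com", "spf.ess.barracudanetworks.com")


def check_spf(txt_records, required=REQUIRED_INCLUDES):
    """Return a list of problems for the TXT records published at one name."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # More than one SPF record at a name is a permanent error (RFC 7208).
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    problems = []
    includes = {t.split(":", 1)[1] for t in terms if t.startswith("include:")}
    for domain in required:
        if domain not in includes:
            problems.append(f"missing include:{domain}")
    all_pos = [i for i, t in enumerate(terms) if t.lstrip("+-~?") == "all"]
    if not all_pos:
        problems.append("no 'all' mechanism")
        return problems
    # Modifiers (name=value) may follow 'all'; mechanisms after it never match.
    trailing = [t for t in terms[all_pos[0] + 1:] if "=" not in t]
    if trailing:
        problems.append("mechanisms after 'all' are never evaluated: "
                        + " ".join(trailing))
    if terms[all_pos[0]] in ("all", "+all"):
        problems.append("'+all' authorizes every sender")
    return problems


# Constructed sample TXT record sets for one MAIL FROM subdomain.
GOOD = ["site-verification=constructed-sample",
        "v=spf1 include:amazonses.com include:spf.ess.barracudanetworks.com ~all"]
NOT_UPDATED = ["v=spf1 include:amazonses.com ~all"]
DUPLICATED = NOT_UPDATED + ["v=spf1 include:spf.ess.barracudanetworks.com ~all"]
APPENDED = ["v=spf1 include:amazonses.com ~all "
            "include:spf.ess.barracudanetworks.com"]

if __name__ == "__main__":
    for name, txt in [("good", GOOD), ("not updated", NOT_UPDATED),
                      ("duplicated", DUPLICATED), ("appended", APPENDED)]:
        print(name, check_spf(txt) or "ok")
```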
Step 4. Create Outbound Email Flow Rules
Open the Amazon WorkMail console at https://console.aws.amazon.com/workmail/.
In the navigation pane, select Organizations, and then select the name of an organization.
In the navigation pane, select Organization settings.
The Organization settings page appears and displays a set of tabs. Select the Outbound rules tab, and then click Create.
Enter the following:
Rule name – Barracuda Outbound
Action – Route to SMTP gateway
SMTP Gateway – Select the SMTP gateway you created in Step 2. Create an SMTP Gateway
Sender domains or addresses – *
Destination domains or addresses – *
Click Create.