
Barracuda Email Security Gateway

Why is my Barracuda Spam Firewall inappropriately accepting or deferring messages for invalid or valid recipients when the LDAP configuration tests correctly?

  • Type: Knowledgebase
  • Date changed: one year ago
Solution #00001330

Scope:
This question applies to Barracuda Spam Firewall, firmware versions 3.3 and greater, on models 300 and up.

Answer:
If LDAP/Active Directory verification has been configured for a particular domain and the Exchange Accelerator/LDAP Verification option is set to Yes (on the Domains > Edit Domain page, under the Edit LDAP Settings heading) for that domain, the Barracuda Spam Firewall will attempt to check the recipients for that domain against the configured LDAP server to determine whether those users exist at that domain. If this verification takes longer than 5 seconds to get a response, it will time out. Depending on how the Unify Email Aliases option on the Domains > Edit Domain page has been set, the Barracuda Spam Firewall will either fail open, allowing mail addressed to all users at that domain, or fail closed, deferring all mail for that domain.
  • If the Unify Email Aliases option on the Domains > Edit Domain page is set to Yes, and there is no canary email filled out, the Barracuda Spam Firewall will fail closed and block incoming mail for that domain until the problem is resolved.
  • If the Unify Email Aliases option on the Domains > Edit Domain page is set to Yes, and there is a canary email filled out, the Barracuda Spam Firewall will fail open and defer incoming mail for that domain until the problem is resolved.
  • If the Unify Email Aliases option on the Domains > Edit Domain page is set to No, the Barracuda Spam Firewall will fail open and accept mail for any recipient at that domain until the LDAP/Active Directory server is available again.

If a Canary Address (found on the same page) is provided and it is not found in the LDAP directory, or the LDAP server is offline, then mail for any user in that domain will be deferred until the Canary Address is removed or the problem is fixed.


To troubleshoot, use the LDAP Test at the bottom of the Domains > Edit Domain page to test your LDAP/Active Directory server's response time. To use this test, enter a valid email address as the Valid Email (for testing) address and click the Test LDAP button. The results will display the response time.
  • If the response time is under a second, everything should be fine.
  • If the response time is between 1 and 2 seconds, everything should be fine, but under a heavy load the LDAP/Active Directory server's response time may rise, risking an occasional failure state.
  • If the response time is between 2 and 3 seconds, the Barracuda Spam Firewall may frequently or infrequently enter an LDAP/Active Directory verification failure state when the LDAP/Active Directory server takes more than 5 seconds to respond to an LDAP search query.
  • If the response time is greater than 3 seconds, the Barracuda Spam Firewall will likely enter an LDAP/Active Directory verification failure state often, and this issue should be resolved as soon as possible.
Additional Notes:
By editing the LDAP Filter and LDAP Search Base you should be able to considerably reduce the response time of your LDAP/Active Directory server. For more information, see Solution #00001802.
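
The script below is an added example, not Barracuda's code: it applies the timeout behaviour and the response-time bands described above to recorded Test LDAP timings, and flags domains that would accept mail for any recipient while LDAP is slow. The domain names, settings and timings are constructed, and treating each band's upper bound as inclusive is an assumption.

```python
"""Audit LDAP-verified domains for fail-open exposure (added example)."""
LDAP_TIMEOUT_S = 5.0  # verification timeout stated in the article


def risk_band(seconds):
    """Map one LDAP Test response time to the article's four bands.
    Treating each upper bound as inclusive is an assumption."""
    if seconds < 1.0:
        return "fine"
    if seconds <= 2.0:
        return "fine, may fail under heavy load"
    if seconds <= 3.0:
        return "may enter failure state"
    return "likely to enter failure state often"


def on_timeout(unify_aliases, canary_set):
    """Mail handling the article describes once verification times out."""
    if not unify_aliases:
        return "accept any recipient"
    return "defer" if canary_set else "block"


def audit(domains):
    """Return one finding per domain, exposed (fail-open and slow) domains first."""
    findings = []
    for d in domains:
        worst = max(d["samples"])
        outcome = on_timeout(d["unify_aliases"], bool(d["canary"]))
        findings.append({
            "domain": d["name"],
            "worst_s": worst,
            "band": risk_band(worst),
            "timeouts": sum(s > LDAP_TIMEOUT_S for s in d["samples"]),
            "on_timeout": outcome,
            # Recipient verification is skipped during slow periods.
            "exposed": outcome == "accept any recipient" and worst >= 1.0,
        })
    return sorted(findings, key=lambda f: (not f["exposed"], -f["worst_s"]))


# Constructed sample data: names, settings and timings (seconds) are made up.
DOMAINS = [
    {"name": "a.example", "unify_aliases": False, "canary": "",
     "samples": [0.4, 2.6, 5.3]},
    {"name": "b.example", "unify_aliases": True, "canary": "canary@b.example",
     "samples": [0.2, 0.3, 0.2]},
    {"name": "c.example", "unify_aliases": True, "canary": "",
     "samples": [1.4, 3.8, 1.1]},
]

if __name__ == "__main__":
    for finding in audit(DOMAINS):
        print(finding)
```
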


Link to This Page:
https://campus.barracuda.com/solution/50160000000GQD6AAO