All Email Security Gateways, all firmware versions.
When recipient verification is configured, the Email Security Gateway will reject email addressed to users that do not exist at the addressed domain. This is an SMTP-level block that occurs before other, more resource-intensive defense layers that will increase both the effectiveness and efficiency of the Email Security Gateway, when enabled.
You may configure three different types of recipient verification on the Email Security Gateway:
- SMTP Verification
The Email Security Gateway will automatically reject email addressed to any recipients that would be rejected by the configured destination server. There is no place to configure this on the Email Security Gateway; if your mail server is rejecting mail to invalid recipients with an SMTP reject code like 550 No such user, the Email Security Gateway will block incoming email in the same way.
If SMTP verification is active, when the Email Security Gateway accepts an SMTP connection and receives the destination email address, it will momentarily put that connection on hold and make an SMTP connection to the destination mail server for that domain, echoing the recipient address. If the mail server accepts the recipient, the Email Security Gateway will close that connection without actually sending an email, and resume accepting the email from the sending mail server. If the destination mail server rejects the message because that user does not exist at that domain, the Email Security Gateway, will send a similar SMTP block message to the sending mail server, rejecting the message. These messages will appear as having been blocked for reason of Invalid Recipient on the Basic > Message Log page of the Email Security Gateway's web interface.
- LDAP/Active Directory Verification (models 300 and above)
If you have an LDAP or Active Directory server, you can configure the Email Security Gateway to connect to that directory server and verify the recipient email addresses of incoming mail with that LDAP or Active Directory server. LDAP/Active Directory verification is usually faster than SMTP verification, and enabling it will automatically disable SMTP verification. For more information on configuring LDAP/Active Directory on the Email Security Gateway, see Solution #00002192 and Solution #00001330.
LDAP/Active Directory verification works by querying the directory server with the account provided to see whether the recipient exists for that particular domain. If that user does exist, the Email Security Gateway will receive the message and hand it off to the next defense layer. If that user is not present on the directory server, the Email Security Gateway will block that message at the SMTP level.
- The Valid Recipients List (firmware versions 3.5.11 and above)
New to firmware version 3.5.11, the Valid Recipients list allows you to specify a local list of valid recipients for each of your domains on the Barracuda Spam Firewall. This means that the Email Security Gateway will not make any connections to external devices to verify any of the users listed on the Valid Recipients list. This feature is useful if you do not have any other means of recipient verification, or if your LDAP or Active Directory server will only properly verify a portion of your users.
You can configure the Valid Recipients list to work with either SMTP or LDAP/Active Directory verification, or you can restrict valid users to only those present on the list. For more information on configuring the Valid Recipients list, see Solution #00003395.
When testing recipients over SMTP with the destination mail server (before sending the recipient address for verification), the Email Security Gateway will, by default, use the sender address email@example.com. If your mail server is configured to block mail addressed to invalid recipients, and recipient verification is not working, you may need to whitelist this address on your mail server. Alternatively, if you need to change this address, you'll need to go to the Advanced > Expert Variables page to set the Recipient Verification From Address option to anything that you know your mail server will allow. The Email Security Gateway should now use this sender address when verifying recipient addresses over SMTP.
For notes on configuring a Microsoft Exchange 2003 server to work with the SMTP verification feature on the Email Security Gateway, see Solution #00002976.
Link to This Page: