
Why is encryption not working on my Barracuda Spam & Virus Firewall?

  • Type: Knowledgebase
  • Date changed: one year ago
Solution #00006100


 
Scope:


All Email Security Gateway, All Firmware versions
For customers using a Cisco PIX/ASA Firewall


 
Answer:

If you are trying to enable encryption or to send email over a TLS connection but receive STARTTLS errors, you will need to change your Cisco firewall configuration to turn off SMTP/ESMTP inspection. This takes only a few seconds. There are two ways to accomplish this: you can use the Cisco ASDM or the Cisco CLI.


First, let's test the TLS connection from inside your network. From a PC (server, workstation, Linux box, anything that can establish an SMTP connection through the firewall) we are going to establish a connection to Google's mail server. What we are looking for is the STARTTLS extension. Instead of the STARTTLS extension, we see a masked SMTP banner, which is the hallmark of SMTP inspection. As you can see below, the Cisco ASA is masking the SMTP banner with asterisks. This connection was established from the Barracuda Spam and Virus Firewall.


220 *************************************** 

ehlo testing.barracuda.com

250-mx.google.com at your service, [xxx.xxx.xxx.xxx]

250-SIZE 35882577

250-8BITMIME

250-XXXXXXXA

250 ENHANCEDSTATUSCODES


Here is an example of what a telnet to google.com is supposed to look like. This connection was established from a host behind a firewall without SMTP/ESMTP inspection enabled.


220 mx.google.com ESMTP g67si2945576yhk.95   <-- banner

ehlo testing.barracuda.com

250-mx.google.com at your service, [xxx.xxx.xxx.xxx]

250-SIZE 35882577

250-8BITMIME

250-STARTTLS   <-- starttls

250 ENHANCEDSTATUSCODES
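The same check, scripted, as an added example that is not part of the original article: it classifies a greeting plus EHLO reply by the two symptoms shown above (a banner masked to asterisks, a STARTTLS keyword overwritten with X's or missing) and can also run the live probe from a host inside the network. The sample transcripts are constructed from the ones above, and the hostnames passed to the probe are assumptions.

```python
import re
import smtplib

# Constructed samples modelled on the two transcripts above, not live captures.
MASKED_REPLY = """220 ***************************************
250-mx.google.com at your service, [xxx.xxx.xxx.xxx]
250-SIZE 35882577
250-8BITMIME
250-XXXXXXXA
250 ENHANCEDSTATUSCODES"""

CLEAN_REPLY = """220 mx.google.com ESMTP j49si2946484yhl.107
250-mx.google.com at your service, [xxx.xxx.xxx.xxx]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250 ENHANCEDSTATUSCODES"""

def analyse_ehlo(transcript: str) -> dict:
    """Classify a greeting plus EHLO reply for the two symptoms in the article:
    a 220 banner masked to asterisks, and a STARTTLS keyword overwritten with
    X's (or absent altogether)."""
    lines = [l.strip() for l in transcript.splitlines() if l.strip()]
    banner = next((l for l in lines if l.startswith("220")), "")
    banner_masked = re.fullmatch(r"220[ -]\*+", banner) is not None
    # The EHLO keyword is the first token after the "250-" / "250 " prefix.
    keywords = {l[4:].split()[0].upper()
                for l in lines if l.startswith("250") and l[4:].split()}
    masked_keyword = any(re.fullmatch(r"X{3,}[A-Z0-9]?", k) for k in keywords)
    if banner_masked or masked_keyword:
        verdict = "inspected"          # a device is rewriting the ESMTP dialogue
    elif "STARTTLS" in keywords:
        verdict = "starttls-offered"   # TLS negotiation can proceed
    else:
        verdict = "no-starttls"        # the server itself offers no TLS
    return {"banner_masked": banner_masked, "masked_keyword": masked_keyword,
            "starttls": "STARTTLS" in keywords, "verdict": verdict}

def probe(host: str, port: int = 25, helo: str = "testing.example.com",
          timeout: float = 10.0) -> dict:
    """Live check from inside the network: connect, EHLO, classify the reply.
    smtplib strips the '220 '/'250-' prefixes, so they are re-added here."""
    conn = smtplib.SMTP(timeout=timeout)
    _, banner = conn.connect(host, port)
    _, features = conn.ehlo(helo)
    conn.quit()
    transcript = [f"220 {banner.decode(errors='replace')}"]
    transcript += [f"250-{l}" for l in features.decode(errors='replace').splitlines()]
    return analyse_ehlo("\n".join(transcript))
```

Run `probe("mx.example.test")` against a mail server you are entitled to test; a verdict of `inspected` before the change and `starttls-offered` afterwards confirms the fix took effect.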


After verifying that the Cisco firewall is inspecting ESMTP traffic, you must disable the inspection. From the CLI:


CiscoASA(config)#policy-map global_policy 

CiscoASA(config-pmap)#class inspection_default 

CiscoASA(config-pmap-c)#no inspect esmtp


Please visit the links below for further explanation.

Once inspection has been turned off, the connection to Google's mail server should look like this.

220 mx.google.com ESMTP j49si2946484yhl.107

ehlo testing.barracuda.com

250-mx.google.com at your service, [xxx.xxx.xxx.xxx]

250-SIZE 35882577

250-8BITMIME

250-STARTTLS

250 ENHANCEDSTATUSCODES


References: