Barracuda Email Security Service

How to Configure Office 365 for Inbound and Outbound Mail

You can configure Microsoft Office 365 with the Barracuda Email Security Service as your inbound and/or outbound mail gateway.

If you make setting changes, allow a few minutes for the changes to take effect.

Office 365 IP addresses and user interfaces can change; refer to Microsoft documentation for configuration details.

Before getting started, contact Barracuda Technical Support and request that Outbound Groups be enabled on your Barracuda Email Security Service account.

You can specify the Barracuda Email Security Service as an inbound mail gateway through which all incoming mail for your domain is filtered before reaching your Office 365 account. The Barracuda Email Security Service filters out spam and viruses, then passes the mail on to the Office 365 mail servers. Use the Configure Inbound Mail Flow instructions below to configure.

You can also specify the Barracuda Email Security Service as the outbound mail gateway through which all mail is sent from your domain via your Office 365 account to the recipient. As the outbound gateway, the Barracuda Email Security Service processes the mail by filtering out spam and viruses before final delivery. By configuring Office 365 as described in Configure Outbound Mail Flow below, you instruct the Office 365 mail servers to pass all outgoing mail from your domain to the Barracuda Email Security Service (the gateway server).

Step 1. Ensure Connectivity and Redundancy

Step 2. Launch the Barracuda Email Security Service Setup Wizard

  1. In the login screen, enter your Barracuda Cloud Control credentials, and click Sign In.
  2. The Barracuda Email Security Service Dashboard displays. Click the Wizard link at the top of the page to use the setup wizard. Alternatively, you can click the Domains tab to use the web interface to manually configure domains and settings.
  3. In the Setup Wizard, click Get Started.
  4. In the Specify Primary Email Domain page, enter the primary email domain you want to filter, for example: 
    cudaware.com
  5. Click Next. In the Specify Email Servers page, enter the mail server hostname (FQDN) or IP address for the domain entered in the previous step, for example:
    cudaware-com.mail.protection.outlook.com

    If the Barracuda Email Security Service Setup wizard has already identified your mail server IP based on the MX record, the Mail Server field pre-populates.

  6. Click Add. Enter an email address to test the server configuration, and click Test All Mail Servers.
  7. Once the mail server is verified, the Verified icon displays in the status column and a confirmation message displays at the top of the page.
  8. Click Next. The Configure Settings page displays. Select from the following options:
    1. Virus Protection – Set to On to direct the Barracuda Email Security Service to detect and block viruses on inbound email.
    2. Spam Protection – Set to On to direct the Barracuda Email Security Service to evaluate inbound mail for spam based on a score assigned to each processed message. When set to Off, inbound mail is not scanned for spam.
    3. Spam Scoring – Set Spam Protection to On to enable Spam Scoring. Scoring ranges from 1 (definitely not spam) to 10 (definitely spam). Setting a score of '1' blocks most legitimate messages while setting a score of '10' allows more messages through the system. Based on this score the Barracuda Email Security Service blocks messages that appear to be spam and logs these messages in the user's Message Log with Score as the reason for the block.

      The following features are enabled when Spam Protection is set to On:
      Barracuda Reputation Block List (BRBL) – Database of IP addresses manually verified to be a noted source of spam.
      Barracuda Real-Time System (BRTS) – Advanced service to detect zero-hour spam and virus outbreaks even where traditional heuristics and signatures to detect such messages do not yet exist.
      Sender Policy Framework (SPF) – Block Fail is disabled.
      Barracuda Anti-Fraud Intelligence – Barracuda Networks anti-phishing detection which uses a special Bayesian database for detecting Phishing scams.
      Intent Analysis – Blocking based on intent analysis.
      CloudScan Scoring – A cloud-based spam scanning engine which assigns a score to each message processed ranging from 0 (definitely not spam) to 10 (definitely spam).

  9. Click Next. The Route Email Through Barracuda page displays.

  10. To verify your domain, replace your current MX records with the Barracuda Email Security Service Primary and Backup MX records displayed on the page.

    During the evaluation period, to complete the verification process but allow your legitimate mail to continue using your current mail server, you can add the MX records with a low priority, for example, 99.

    Some mail may appear in the Message Log after making this MX record change as spammers routinely send mail to all MX records for a domain.

    Once you have made the change to your MX records, return to the Route Email Through Barracuda page and click Verify MX Records. The Barracuda Email Security Service should see the changes made and verify your domain. If the domain does not verify correctly, verify that your MX changes are live. You can do this by using the following sites that return your MX information:

    http://mxtoolbox.com/
    https://toolbox.googleapps.com/apps/dig/ (select the MX option)

    If your domain's MX records do not display in the Barracuda Email Security Service MX records, you must wait until they display before your domain can be verified.

  11. If you only want to route your inbound mail through the Barracuda Email Security Service and not your outbound mail, select I do not want to route my e-mail through Barracuda at this time, and select the verification option:
    1. CNAME Records – To use the CNAME records method to verify the domain ownership:
      1. Log in to your DNS Server and, under this domain, create a subdomain whose name is created by concatenating 'barracuda' and the CNAME token shown in the Route Email Through Barracuda page. For example:
        barracuda30929916985.corpdomain.com

      2. Point the CNAME record of that subdomain to ess.barracuda.com

        Allow the DNS propagation to take effect before proceeding.

      3. Click Confirm Validation in the Route Email Through Barracuda page.

    2. Email to Technical Contact – This method sends a verification email to the technical contact email address, if it exists, listed on your domain's WHOIS entry.

      This verification option is not available if the Barracuda Email Security Service cannot find your domain's WHOIS entry. If there is no technical contact, then only the MX Records, CNAME, and Email to the Postmaster options display on this page.

    3. Email to Postmaster – This method sends a verification email to the postmaster email address for your domain. The confirmation email includes a link that the recipient must click to verify the domain. Click Send Email.

      This option is available if the Barracuda Email Security Service can find your postmaster in your domain’s WHOIS records.

  12. Click Next, and click Next once again.

  13. On the Select Data Center Region page, select the data center for your locale, and click Get Started.
  14. Complete the wizard pages.
  15. The Confirmation page displays. Confirm domain ownership, and click Done.

Important
If you have Sender Policy Framework (SPF) checking enabled on your mail server or network, it is critical when using the Barracuda Email Security Service that you either disable SPF checking in the service OR add the Barracuda Email Security Service IP ranges 64.235.144.0/20 and 209.222.80.0/21 to your SPF exemptions. If this is not done, your SPF checker blocks mail from domains with an SPF record set to Block. This is because the mail is coming from a Barracuda Email Security Service IP address which is not in the sender's SPF record. For more information about SPF, see Sender Authentication.
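
The SPF failure described in the note above, as an added example that is not Barracuda or Microsoft code. It uses a simplified SPF evaluator that handles only the ip4, ip6 and all mechanisms; the sender record and the client addresses are constructed, and the function names are hypothetical.

```python
import ipaddress

# Barracuda Email Security Service ranges, as listed on this page.
GATEWAY_RANGES = [
    ipaddress.ip_network("64.235.144.0/20"),
    ipaddress.ip_network("209.222.80.0/21"),
]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample values (documentation address space for the sender).
SENDER_SPF = "v=spf1 ip4:198.51.100.0/24 -all"   # a record "set to Block"
ORIGIN_IP = "198.51.100.25"    # the sender's own mail server
GATEWAY_IP = "64.235.150.10"   # constructed address inside the first range


def spf_result(client_ip, record):
    """Evaluate an SPF record limited to ip4, ip6 and all mechanisms."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            raise ValueError(f"mechanism not handled in this example: {term}")
        # A network of the other IP version never contains the client.
        if ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


def mail_server_verdict(connecting_ip, record, exempt_gateway):
    """Decision of an SPF-checking mail server that sits behind the gateway."""
    ip = ipaddress.ip_address(connecting_ip)
    if exempt_gateway and any(ip in net for net in GATEWAY_RANGES):
        return "exempt"  # SPF is skipped for the gateway ranges only
    return spf_result(connecting_ip, record)


if __name__ == "__main__":
    print("direct from sender:      ", spf_result(ORIGIN_IP, SENDER_SPF))
    print("via gateway, no exempt:  ", mail_server_verdict(GATEWAY_IP, SENDER_SPF, False))
    print("via gateway, exempt:     ", mail_server_verdict(GATEWAY_IP, SENDER_SPF, True))
    print("other host, exempt set:  ", mail_server_verdict("203.0.113.9", SENDER_SPF, True))
```

The exemption covers only the two gateway ranges, so a host outside them is still evaluated against the sender's record.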

Step 3. Set Up User Accounts

You can add users manually or use LDAP authentication to automatically synchronize the Barracuda Email Security Service with your LDAP server.

To create a few test accounts during the evaluation period, use the Manually Add Users steps.

Manually Add Users
  1. Go to Users > Add/Update Users.
  2. In the User Accounts field, enter each user email address for the domain on a separate line, and then select from the following options:
    1. Enable User Quarantine – All emails for the user which meet the configured block policy go to the user's quarantine account.

      Depending on how you have configured the quarantine notification interval on the Users > Quarantine Notification page, the user receives a quarantine digest at a specified time. From the Users > Quarantine Notification page you can also allow the user to set their own quarantine notification interval.

    2. Notify New Users – When set to Yes, users receive a welcome email when the account is created.
  3. Click Save Changes. The users are added to the Users > Users List table where you can select from the following actions:
    1. Edit – Click to specify domains this user can manage.
    2. Reset – Click to send the user an email with instructions on how to reset their account password.
    3. Log in as this user – Click to view or change the user's settings (for example, quarantine notifications), view/manage the domains this user manages, and view/search/manage the user's Message Log.
    4. Delete – Click to remove the user account.

When the Barracuda Email Security Service receives an Allowed email for a non-existent user at a domain configured for the service, and that same recipient receives a second email within six days, a new user account is created. This method of new account creation does not use LDAP lookup, and the user receives an email from the Barracuda Email Security Service with their login information so they can access their quarantine account.

LDAP Synchronization

Automatically create user accounts for all users in the domain based on your LDAP directory.

Important
The Barracuda Email Security Service connects with your network from various IP addresses, including performing LDAP lookups. To ensure that the service can connect with your network, allow traffic originating from the network address ranges 64.235.144.0/20 and 209.222.80.0/21.

  1. Click Domains, and click Edit in the Settings column for the desired domain.
  2. In the Domains > Domain Settings page, scroll to the Directory Services section, and enter your LDAP settings:
    1. LDAP Host – LDAP lookup server. If this setting is a hostname, and is contained in multiple A records, or multiple space-separated hosts are provided, then fail-over capabilities will be available if the Barracuda Email Security Service is unable to connect to one of the machines listed here.
    2. Port – Port used to connect to the LDAP service on the specified LDAP server. Typically port 389 is used for regular LDAP and LDAP using the STARTTLS mode for privacy. Port 636 is assigned to the LDAP over SSL/TLS (LDAPS) service.
    3. Use SSL (LDAPS) – By default, LDAP traffic is transmitted unsecured. Set to Yes to use Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology to make LDAP traffic confidential and secure.  
    4. Bind DN/Username – Username used to connect to the LDAP service on the specified LDAP server. If of the form accountname@domain.com, the username is transformed into a proper LDAP bind DN when accessing the LDAP server, for example, CN=accountname,CN=users,DC=domain,DC=com. Sometimes the default transformation does not generate a proper bind DN. In such cases, you must enter a fully formed and valid bind DN.
    5. Bind Password – Password used to connect to the LDAP service on the specified LDAP server.
    6. Base DN – Base DN directory. This is the starting search point in the LDAP tree. The default value looks up the defaultNamingContext top-level attribute and uses it as the search base. For example, if your domain is test.com, your Base DN is dc=test,dc=com.
    7. Authentication Filter – Filter used to look up an email address and determine if it is valid for this domain. The filter consists of a series of attributes that might contain the email address. If the email address is found in any of those attributes, then the account is valid and is allowed by the Barracuda Email Security Service.
    8. User Filter – Filter used to limit the accounts that the Barracuda Email Security Service creates when an LDAP query is made. For example, limit the LDAP synchronization to users in sub-domains using the mail= parameter, or synchronize user-objects in a specific organizational unit (OU) using the ou= parameter. Each type of LDAP server has specific query syntax, so consult the documentation for your LDAP server. See the Microsoft TechNet article LDAP Query Basics for LDAP query syntax and examples.
      Example: The list of valid users in your directory server includes 'User1', 'User2', 'User3', 'BJones', 'RWong', and 'JDoe', and you create the User Filter (name=*User*). In this case, the service only creates accounts for 'User1', 'User2', and 'User3'.
    9. Custom User Filter – Set to Yes to limit newly synchronized email users and linked email users to this one domain.
    10. Mail Attributes – Attribute in your LDAP directory that contains the user's email address.
    11. Testing Email Address – Valid email address for use in testing LDAP settings. When left blank, LDAP settings are only tested for connection.
    12. Synchronize Automatically – Set to Yes to automatically synchronize your LDAP users to the Barracuda Email Security Service database on a regular basis for recipient verification. With Microsoft Exchange server, the synchronization is incremental. When set to No, you must click Synchronize Now at the top of the section to manually synchronize your LDAP users to the Barracuda Email Security Service database.
    13. Use LDAP for Authentication – Set to Yes to enable LDAP for user login authentication. Set to No if your LDAP server will be unavailable for a period of time.
  3. In the Advanced Configurations section, set Sender Rewriting Scheme (SRS) to On to direct the Barracuda Email Security Service to rewrite the Envelope FROM address of inbound messages so that they appear to come from Barracuda Networks rather than the original sender. This is useful if you are using a hosted email service that cannot turn off Sender Policy Framework (SPF) checking. For more information, see Sender Policy Framework.
  4. Click Save Changes.

The first time the Barracuda Email Security Service receives a Not Allowed email for a valid user, the service does the following:

  • Uses the email address of the recipient as the username of the account and auto-generates a password. If Use LDAP for Authentication is set to No on the Domains > Domain Settings page, the user receives an email with the login information so they can access their quarantine account; otherwise, the user can use single sign-on via LDAP lookup.
  • Places the quarantined message in the account holder’s quarantine inbox.
  • Sends a quarantine summary report to the account holder at the specified notification interval, as set on the Users > Quarantine Notification page. If Allow users to specify interval is set to Yes on this page, then the quarantine summary report is sent to the user on the schedule specified on the Settings > Quarantine Notification page once they log into their account.

 

 

Step 4. Add Additional Email Domains (Optional)

Use the steps in this section only if you want to manually add additional email domains; otherwise, go to Step 5. Create Transport Rule.

Obtain the hostname:

  1. Log in to the Office 365 admin center.
  2. In the left pane, click Settings > Domains.
  3. In the Domains table, click on your domain.
  4. Take note of the hostname. This is the address of your destination mail server, for example, cudaware-com.mail.protection.outlook.com

Enter the hostname:

Barracuda recommends using a hostname rather than an IP address so that you can move the destination mail server and update DNS records without making changes to the Barracuda Email Security Service configuration. This address indicates where the Barracuda Email Security Service should direct inbound mail from the Internet to your Office 365 Exchange server. For example, your domain displays to the Internet as: bess-domain.mail.protection.outlook.com

  1. Log in to the Barracuda Email Security Service as administrator, and click Domains.
  2. Enter the domain name and destination mail server hostname obtained from your Office 365 account.
  3. Click Add; the Domain Settings page displays.

Step 5. Create Transport Rule to Bypass Spam Filtering (Optional)

  1. Log in to the Office 365 admin center, and go to Admin centers > Exchange.

  2. In the left pane, click mail flow, and click rules.
  3. Click the + symbol, and click Bypass spam filtering.
  4. In the new rule page, enter a Name to represent the rule.
  5. From the Apply this rule drop-down menu, select The sender > IP address is in any of these ranges or exactly matches.
  6. In the specify IP address ranges page, type 64.235.144.0/20 as the IP address/range for the Sender (Barracuda Email Security Service), and click the + symbol.
  7. Next type 209.222.80.0/21, and click the + symbol.
  8. Click OK.
  9. Scroll to the Properties of this rule section, and in the Priority field, type 0.
  10. Click Save to create the transport rule.
  11. Verify the new rule displays at the top of the list of mail flow rules. If the rule is not at the top, click on the rule, and use the Up arrow to move the rule to the top of the list.

Step 6. Restrict Inbound Mail from Outside Your Organization to the Barracuda Email Security Service IP Range (Optional)

Use the following steps if you want to restrict inbound mail from outside your organization to the Barracuda Email Security Service IP address range:

  1. Log in to the Office 365 admin center, and go to Admin centers > Exchange.
  2. In the left pane, click mail flow, and click rules.
  3. Click the + symbol, and click Create a new rule.
  4. In the new rule page, enter a Name to represent the rule. For example, type: Barracuda ESS IP restriction
  5. Scroll down to and click Advanced Options.
  6. From the Apply this rule if drop-down menu, select The Sender > Is External/Internal > Outside the organization.
  7. From the Do the following drop-down menu, select Reject this message with the explanation.
  8. Enter the message you want included in the non-delivery report (NDR) that is sent to the sender. For example, enter:
    You have attempted to bypass our Email Security Service. Please ensure your DNS is up-to-date and try sending your message again.
  9. Click Add Exception.
  10. Select The Sender > Sender’s IP address is in any of these ranges or exactly matches.
  11. Enter the Barracuda Email Security Service IP range: 64.235.144.0/20  
  12. Click the + symbol.
  13. Enter the Barracuda Email Security Service IP range: 209.222.80.0/21  
  14. Click the + symbol.
  15. Click OK.
  16. Scroll to the Properties of this rule section, and in the Priority field, type: 0
  17. In the new rule page, click Stop processing more rules, and click Save to create the rule.
  18. Office 365 is now configured to block any email that does not originate from the Barracuda Email Security Service IP address ranges.
  19. Verify the new rule displays at the top of the list of mail flow rules. If the rule is not at the top, click on the rule, and use the Up arrow to move the rule to the top of the list.

If you complete both Step 5. Create Transport Rule to bypass Spam Filtering and Step 6. Restrict Inbound Mail from Outside Your Organization to the Barracuda Email Security Service IP Range, verify the Restrict Inbound Mail from Outside Your Organization to the Barracuda Email Security Service IP Range rule displays first in the mail flow rules list, and Transport Rule to bypass Spam Filtering displays second in the mail flow rule list.
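
One way to check that the Step 6 restriction is holding, as an added example that is not Barracuda or Microsoft code: it audits inbound message records against the two Barracuda ranges and flags external mail that reached Office 365 without passing through the gateway. The CSV column names, the sample rows, and the use of the sender domain to approximate "Outside the organization" are assumptions of this example.

```python
import csv
import io
import ipaddress

# Barracuda Email Security Service ranges, as listed on this page.
GATEWAY_RANGES = [
    ipaddress.ip_network("64.235.144.0/20"),
    ipaddress.ip_network("209.222.80.0/21"),
]

# Constructed sample data. The column names are assumptions for this
# example, not a documented Office 365 export format.
SAMPLE_TRACE = """\
sender,recipient,from_ip,status
alice@partner.example,bob@cudaware.com,64.235.159.255,Delivered
carol@partner.example,bob@cudaware.com,64.235.160.1,Delivered
dave@vendor.example,bob@cudaware.com,209.222.87.10,Delivered
erin@vendor.example,bob@cudaware.com,209.222.88.1,Failed
frank@vendor.example,bob@cudaware.com,2001:db8::25,Delivered
grace@cudaware.com,bob@cudaware.com,,Delivered
heidi@vendor.example,bob@cudaware.com,not-an-ip,Delivered
"""


def via_gateway(ip_text):
    """True if ip_text lies in a gateway range; None if it does not parse."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    # An IPv6 address is never inside an IPv4 network, so it counts as outside.
    return any(ip in net for net in GATEWAY_RANGES)


def audit(trace_csv, internal_domains):
    """Return (sender, from_ip, verdict) for external mail that skipped the gateway."""
    findings = []
    for row in csv.DictReader(io.StringIO(trace_csv)):
        domain = row["sender"].rsplit("@", 1)[-1].lower()
        if domain in internal_domains:
            continue  # the Step 6 rule only targets senders outside the organization
        inside = via_gateway(row["from_ip"])
        if inside:
            continue  # arrived through the gateway, as intended
        if inside is None:
            verdict = "UNPARSEABLE_IP"     # review by hand
        elif row["status"] == "Delivered":
            verdict = "BYPASS_DELIVERED"   # restriction rule missing or not first
        else:
            verdict = "BYPASS_REJECTED"    # restriction rule did its job
        findings.append((row["sender"], row["from_ip"], verdict))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TRACE, {"cudaware.com"}):
        print(*finding, sep="  ")
```

The sample rows sit on either side of the range boundaries: 64.235.159.255 and 209.222.87.10 are inside the ranges, while 64.235.160.1 and 209.222.88.1 are just outside them.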

 

Step 7. Configure Outbound Mail

  1. If you have not already done so, contact Barracuda Technical Support and request that Outbound Groups be enabled on your Barracuda Email Security Service account.
  2. Log in to the Barracuda Email Security Service, and click Domains; make note of the Outbound Hostname.
  3. Log in to the Office 365 admin center, and go to Admin centers > Exchange.

  4. In the left pane, click mail flow, and click connectors.
  5. Click the + symbol, and use the wizard to create a new connector.

  6. From the From drop-down menu, select Office 365, and from the To drop-down menu, select Partner organization.

  7. Enter a Name and (optional) Description to identify the connector.

  8. Click Next. Select Only when email messages are sent to these domains, click the + symbol, and enter an asterisk ( * ) in the add domain field.

  9. Click OK, and click Next. Select Route email through these smart hosts, and click the + symbol.

  10. Go to the Barracuda Email Security Service, and click the Domains tab. Copy your outbound hostname from the MX records, and enter it in the add smart host page.

  11. Click Save, and click Next. Use the default setting, Always use Transport Layer Security (TLS) to secure the connection (recommended) > Issued by Trusted certificate authority (CA).
  12. Click Next. In the confirmation page, verify your settings and click Next. Office 365 runs a test to verify your settings.
  13. When the verification page displays, enter a test email address, and click Validate. Once the verification is complete, your mail flow settings are added.

Barracuda Email Security Service now accepts outbound traffic from Outlook 365.

For additional configuration options and features, log in to the web interface and click Help.

 
