This solution applies to the Barracuda Email Security Service.
There are three types of recipient verification we can perform for the Barracuda Email Security Service; Managed, LDAP or SMTP verification.
This method is literally creating a list of users that we should accept and scan email for. If you have dozens, hundreds or more users the task of creating and maintaining this list may become arduous and LDAP or SMTP verification may be a better solution if available.
The first step to configuring this type of recipient verification is to get a list of users that the cloud service will be filtering email for. Once this list is obtained, we need to add the accounts to the Barracuda Email Security Service configuration. You can add the accounts by going to Basic > Users > Add/Update Users > User Accounts. Addresses can be enter several at a time, but must be entered on separate lines; comma separation will not be accepted. Notify New Users will send an email to the accounts added notifying them of the presence of their new account on ESS. Enable User Quarantine will create a quarantine inbox for the created accounts.
The second step is to ensure that only the manually added (Managed) users are valid recipients for ESS. To block a user without an associated account (Unmanaged) you will want to go to Users > Default Policy > Default policy for unmanaged users (users NOT on Users list): If you set this to block, you are telling the Barracuda to block anything for a recipient that is not present in the list we just created. Note: Be aware this setting will persist even if you set up recipient verification through SMTP or LDAP, it will only scan email for someone with an account on the ESS service for the domain.
This method requires that ESS periodically communicate with your internal directory services to pull back a list of valid users to accept and scan email for before delivering to the configured destination server for the domain. This method can be configured to update periodically to accommodate newly added users and has little maintenance beyond initial setup aside from updating the password when/if company policy changes the password of the bind user name.
The first step is to configure ESS to communicate and bind to your LDAP server to retrieve a list of valid recipients to utilize for recipient verification. You can set the configuration for LDAP by going to Domains > Domain Manager > View Domain Configuration Details (For desired domain; this icon looks like a cog) > Directory Services. The settings and how we can set them up follows.
- LDAP Host: This setting is either the IP address or the DNS host name of the LDAP server. To specific the port we will want to use the following notation <Domain/IP Address>:<Port Number>; Examples: 192.168.1.1:389, domain.local:636. If you would like to configure an ACL to allow only communications from our ESS servers to the destination LDAP server, you can allow through 126.96.36.199/20 (255.255.240.0)
- Bind DN/Username: This will be the username of the account we have established for the Barracuda to utilize. This account only needs read permission to view the directory structure and determine appropriate attributes for accounts. There are several ways to input the user name and the most efficient way will vary depending on your directory service provider. For example in Active Directory this will typically be email@example.com.
- Password: This is the password associated with the Bind DN/Username listed above.
- Base DN: This is the starting point for the LDAP query. As an example if your domain is barracudanetworks.com the Base DN might be dc=barracudanetworks,dc=com.
- Authentication Filter: This filter will look up the configured attributes in the filter. The default filter contains several filters that may contain the mail attribute and can be trimmed down if you know explicitly which attribute to look for. If the email address is found in any of the configured attributes then the recipient will be considered valid.
- Mail Attributes: Enter the mail attributes you want to use.
- Synchronize Automatically: This will determine if ESS will automatically synchronize the stored list of valid recipients with the LDAP server, this will ensure that we have have an up to date copy of the valid users, including any new additions. This happens approximately every ten minutes when set to Yes.
- Use LDAP for Authentication: This will turn the LDAP authentication for recipient verification on or off.
This type of verification requires no configuration on the Email Security Service. The service will query the destination service to determine if the recipient if valid. If the recipient is valid, we will finish the SMTP session, if it is invalid the SMTP session will be ended with an Invalid Recipient error response. The destination server will need to be configured to reject invalid users and this feature if not set by default should be detailed in the vendor provided.
Link to this page: