Use this article to deploy the Barracuda Email Security Service and Advanced Threat Protection (ATP) for Exchange 2013 and Newer in your environment.
Evaluate Barracuda Email Security for Exchange 2013 and Newer for 14 days, after which you can purchase and link the services to your account.
Step 1. Ensure Connectivity and Redundancy
- Open your firewall ports to allow the IP address ranges for your Barracuda Email Security Service instance; see Barracuda Email Security Service IP Ranges for the list of ranges for each instance.
- Where relevant, verify your network subnet is granted access to your mail server ACL and LDAP server
- Block all port 25 traffic except for that originating from the Barracuda Email Security Service IP address ranges based on your Barracuda Email Security Service instance
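One way to check that the port 25 restriction above is actually in force is to look for SMTP sessions on the Exchange server that did not come from the Barracuda ranges. The following Python script is an added example, not Barracuda's or Microsoft's code; the log lines are constructed in the Exchange SMTP receive protocol log layout, and `ALLOWED_RANGES` holds placeholder documentation addresses, not the real Barracuda ranges.

```python
import csv
import ipaddress

# Placeholder ranges (RFC 5737 documentation space). Replace with the ranges
# published for your Barracuda Email Security Service instance.
ALLOWED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample in the Exchange SMTP receive protocol log layout.
SAMPLE_LOG = """\
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2024-01-10T08:00:01.000Z,MAIL01\\Default Frontend MAIL01,08DC0001,0,10.0.0.5:25,198.51.100.23:41022,+,,
2024-01-10T08:00:01.100Z,MAIL01\\Default Frontend MAIL01,08DC0001,1,10.0.0.5:25,198.51.100.23:41022,>,220 mail01 ready,
2024-01-10T08:02:17.000Z,MAIL01\\Default Frontend MAIL01,08DC0002,0,10.0.0.5:25,203.0.113.77:50311,+,,
2024-01-10T08:05:40.000Z,MAIL01\\Default Frontend MAIL01,08DC0003,0,10.0.0.5:25,[2001:db8::9]:50400,+,,
"""


def unexpected_senders(log_text, allowed=ALLOWED_RANGES):
    """Return sorted remote IPs that opened a port 25 session from outside `allowed`."""
    fields, offenders = None, set()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, next(csv.reader([line]))))
        # "+" marks a new connection; only sessions accepted on port 25 matter here.
        if row.get("event") != "+":
            continue
        if row.get("local-endpoint", "").rsplit(":", 1)[-1] != "25":
            continue
        # remote-endpoint is "ip:port" or "[ipv6]:port".
        host = row["remote-endpoint"].rsplit(":", 1)[0].strip("[]")
        ip = ipaddress.ip_address(host)
        if not any(ip in net for net in allowed):
            offenders.add(str(ip))
    return sorted(offenders)


if __name__ == "__main__":
    for addr in unexpected_senders(SAMPLE_LOG):
        print("SMTP session from outside the allowed ranges:", addr)
```

Any address returned reached the mail server without passing through the filtering service, which means the firewall rule is missing or too broad.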
Step 2. Launch the Barracuda Email Security Service Setup Wizard
- Log into Barracuda Email Security Service, and click Enter Linking Code and Serial Number to activate your subscription:
- Enter the Serial Number and Linking Code, and click Activate Subscription.
- In the setup page, click Set up to the right of Email Security:
- In the setup wizard, click Get Started. The Specify Primary Email Domain page displays.
- Enter the primary Exchange domain you want to filter, for example:
cudaware.com
Click Next. The Specify Email Servers page displays. Enter the mail server hostname (FQDN) or IP address for the domain entered in the previous step,
- Click Add. Enter an email address to test the server configuration, and click Test All Mail Servers.
- Once the mail server is verified, the Verified icon displays in the status column and a confirmation message displays at the top of the page.
- Click Next. The Configure Settings page displays. Select from the following options:
- Virus Protection – Set to On to direct the Barracuda Email Security Service to detect and block viruses on inbound email.
- Spam Protection – Set to On to direct the Barracuda Email Security Service to evaluate inbound mail for spam based on a score assigned to each processed message. When set to Off, inbound mail is not scanned for spam.
Spam Scoring – Set Spam Protection to On to enable Spam Scoring. Scoring ranges from 1 (definitely not spam) to 10 (definitely spam). Setting a score of '1' will likely block legitimate messages while setting a score of '10' will allow more messages through the system. Based on this score the Barracuda Email Security Service blocks messages that appear to be spam and logs these messages in the user's Message Log with Score as the reason for the block.
Click Next. The Route Email Through Barracuda page displays.
To verify your domain, replace your current MX records with the Barracuda Email Security Service Primary and Backup MX records displayed on the page:
- If you choose not to change your MX records, you can use another method to verify your domain. Select I do not want to route my e-mail through Barracuda at this time:
- Select the verification option:
- CNAME Records – To use the CNAME records method to verify the domain ownership:
Log into your DNS Server and, under this domain, create a subdomain whose name is created by concatenating 'barracuda' and the CNAME token shown in the Route Email Through Barracuda page. For example: barracuda30929916985.corpdomain.com
Point the CNAME record of that subdomain to ess.barracuda.com
Click Confirm Validation in the Route Email Through Barracuda page.
Email to Technical Contact – This method sends a verification email to the technical contact email address, if it exists, listed on your domain's WHOIS entry.
Email to the postmaster – This method sends a verification email to the postmaster email address for your domain. The confirmation email includes a link that the recipient must click to verify the domain.
Click Next, and click Next again.
On the Select Data Center Region page, select the data center for your locale, and click Get Started.
Complete the wizard pages.
The Confirmation page displays. Confirm domain ownership, and then click Done.
Step 3. Set Up User Accounts
You can add users manually, or use your organization's LDAP server or Azure AD service to automatically synchronize the Barracuda Email Security Service with your active directory server. To create a few test accounts during the evaluation period, use the Manually Add Users steps below.
Decide whether or not you want to enable user quarantine. When enabled, users have quarantine accounts and can decide whether or not mail is spam. Users can also create their own sender allow list and block list. Manually add a few test accounts on the Users > Add/Update Users page, and set Enable User Quarantine to Yes. The first time the Barracuda Email Security Service receives an email for that user and the message is quarantined, the user receives a quarantine notification email at the scheduled quarantine notification interval.
Manually Add Users
Automatically Add Users
You can configure user authentication via your organization's LDAP server or Azure AD service. For complete setup details, see the following articles:
Step 4. Configure Outbound Mail Scanning
- Log into the Barracuda Email Security Service, and go to Outbound Settings > Sender IP Address Ranges.
- Enter the IP Address and Domain Name (logging domain) and optional Comment for IP address ranges allowed to send outgoing email from your domains. Click Add. Note that each mail server must contain a reverse DNS PTR record.
Add all IP addresses from which outgoing mail is allowed to flow through the Barracuda Email Security Service. The Logging Domain is the domain name that appears in the Message Log as the sending domain for the associated IP address.
Step 5. Configure Sender Policy Framework for Outbound Mail
To ensure Barracuda Networks is the authorized sending mail service for outbound mail from your Barracuda Email Security Service, add the following to the INCLUDE line of the Sender Policy Framework (SPF) record for your sending mail server, for each domain sending outbound mail. Select the relevant SPF INCLUDE based on the region you selected for your Barracuda Email Security Service:
AU (Australia)
include:spf.ess.au.barracudanetworks.com -all
CA (Canada)
include:spf.ess.ca.barracudanetworks.com -all
DE (Germany)
include:spf.ess.de.barracudanetworks.com -all
UK (United Kingdom)
include:spf.ess.uk.barracudanetworks.com -all
US (United States)
include:spf.ess.barracudanetworks.com -all
See Sender Authentication for more information.
- If you have an SPF record set up for your domain, edit the existing record, and add the following to the INCLUDE line for each domain sending outbound mail based on your Barracuda Email Security Service instance. For example:
include:spf.ess.barracudanetworks.com -all
- If you do not have an SPF record set up for your domain, use the following value to create a TXT record that creates a HARDFail SPF for your domain based on your Barracuda Email Security Service instance. For example:
v=spf1 include:spf.ess.barracudanetworks.com -all
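Pasting `include:... -all` onto the end of a record that already ends in `~all` or `-all` leaves the include after the first `all`, where it is never evaluated. The Python function below is an added example (not Barracuda's code) that merges the region's include into an existing record ahead of a single trailing `-all`; the sample record in the comment is constructed, and the lookup check counts only the terms in this record, not lookups inside nested includes.

```python
import re

# SPF include hosts per region, as listed in this step.
REGION_INCLUDES = {
    "AU": "spf.ess.au.barracudanetworks.com",
    "CA": "spf.ess.ca.barracudanetworks.com",
    "DE": "spf.ess.de.barracudanetworks.com",
    "UK": "spf.ess.uk.barracudanetworks.com",
    "US": "spf.ess.barracudanetworks.com",
}
# Terms that each cost one DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _name(term):
    """Mechanism or modifier name without its qualifier or argument."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def add_barracuda_include(existing, region):
    """Return an SPF record that contains the region's include and ends in -all."""
    include = "include:" + REGION_INCLUDES[region]
    if not existing or not existing.strip():
        return f"v=spf1 {include} -all"
    terms = existing.split()
    if terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    # Drop every existing 'all' so the include is not stranded behind one.
    kept = [t for t in terms[1:] if _name(t) != "all"]
    if include not in [t.lower() for t in kept]:
        kept.append(include)
    lookups = sum(1 for t in kept if _name(t) in LOOKUP_TERMS)
    if lookups > 10:
        raise ValueError(f"{lookups} lookup terms exceed the SPF limit of 10")
    return " ".join(["v=spf1", *kept, "-all"])


if __name__ == "__main__":
    # Constructed existing record for a domain that already publishes SPF.
    print(add_barracuda_include("v=spf1 mx ip4:192.0.2.10 ~all", "US"))
```

Publish the result as the domain's only `v=spf1` TXT record; a domain with two SPF records fails evaluation.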
Step 6. Configure Your Exchange Mail Server
Before you begin, log into the Barracuda Email Security Service, and go to Domains > Domain Manager. Note the Outbound Hostname for the domain that is to relay outbound mail. You will use this information in Step 4c below.
Log into your Exchange Admin Center.
In the left navigation panel, select Mail Flow, then Send Connectors.
Click the Plus icon to create a new send connector. Enter the following information:
- Name: Outbound to Barracuda
- Type: Custom
- Click Next.
Select Route mail through smart hosts.
Click the Plus icon.
Enter the Outbound Smart Host for the domain that is to relay outbound mail. This is the Outbound Hostname you noted earlier from the Domain Manager in Barracuda Email Security Service.
- Click Next. Ensure that the Authentication is set to None. Click Next again.
- Click the Plus icon and type an asterisk for the FQDN. Click Save, then click Next.
- Click the Plus icon and add your source servers. These are any servers that will be sending email.
- Click Finish.
Step 7. Verify Mail is Flowing
- Log into the Barracuda Email Security Service.
In the Dashboard page, verify inbound and outbound messages are being logged for the selected domain.
Step 8. Enable Advanced Threat Protection
Files blocked by ATP display on the Dashboard.
- Go to ATP Settings, and select the desired option:
- Deliver First, then Scan – Attachments are delivered with the message to the recipient and then scanned by the ATP service; if a virus is detected, an email notification is sent to the email recipient. Additionally, if Notify Admin is set to Yes, and a virus is detected in the scanned attachment, an email is sent to the administrator.
- Scan First, then Deliver – Attachments are scanned by the ATP service before delivery. If a virus is detected in the attachment the message is blocked, otherwise it is delivered to the recipient.
- Select whether to Notify Admin if a virus is detected in a scanned attachment. When set to Yes, enter the ATP Notification Email address in the associated field.