Sender authentication and recipient verification are a critical part of maintaining security of email flowing into and out of your organization. By identifying known trusted senders and recipients of email, you can block a large percentage of spam, viruses and malware from your network. Once you have entered information about your LDAP server, click Test Settings on the Domain Settings page to ensure that the Barracuda Email Security Service can communicate with the server. LDAP server types supported include Active Directory, Novell eDirectory, Domino Directory and OpenLDAP.
You can synchronize the Barracuda Email Security Service with your existing LDAP server to automatically create accounts for all users in the domain. For more information about user accounts, see Managing User Accounts.
LDAP lookup configuration and LDAP authentication of user logins is done by domain on the Domains > Domain Settings page. On the Domains page, click Edit in the Settings column to the right of the domain name. Once you configure your LDAP settings on the Domains > Domain Settings page, click Synchronize Now to create user accounts for all users in your LDAP server.
- Log into https://login.barracudanetworks.com/ using your account credentials, and click Email Security in the left pane.
- Go to the Domains page, and click Edit in the Settings column to the right of the domain.
- In the Domains > Domain Settings page, scroll to the Directory Services section, select LDAP, and click Save Changes at the top of the page.
- In the LDAP Configuration section, configure the following variables:
- LDAP Host – The server utilized for LDAP lookups. If this setting is a hostname, and is contained in multiple A records, then fail-over capabilities are available if the Barracuda Email Security Service is unable to connect to one of the machines listed here.
- Port – Port used to connect to the LDAP service on the specified LDAP Server. Typically port 389 is used for regular LDAP and LDAP using the STARTTLS mode for privacy. Port 636 is assigned to the LDAPS service (LDAP over SSL/TLS).
- Use SSL (LDAPS) – By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL)/Transport Layer Security (TLS) technology by selecting Yes for this option.
- Bind DN (Username) – Username used to connect to the LDAP service on the specified LDAP Server. If in the form email@example.com, the username is transformed into a proper LDAP bind DN, for example, CN=accountname,CN=users,DC=domain,DC=com, when accessing the LDAP server. Sometimes the default transformation does not generate a proper bind DN. In such cases, a fully formed and valid bind DN must be entered.
- Bind Password – Password used to connect to the LDAP service on the specified LDAP Server.
- Base DN – Base DN for your directory. This is the starting search point in the LDAP tree. The default value looks up the
defaultNamingContexttop-level attribute and use it as the search base. For example, if your domain is test.com, your Base DN might be dc=test,dc=com.
Mail Attributes – Attribute in your LDAP directory that contains the user's email addresses.
The Barracuda Email Security Service will sync to your LDAP server from certain IP addresses. Ensure that your network and LDAP server accept connections from the IP ranges listed in Barracuda Email Security Service IP Ranges.Use the Test LDAP Configuration Settings section, enter a valid email address in the Testing Email Address field to test your LDAP settings; if left blank, LDAP settings are only tested for connection.
Click Test Settings.
- Optionally, expand the Advanced LDAP Configuration section, and set the following options:
- User Filter – Set to Yes to limit newly synchronized email users and linked email users strictly to this one domain.
- Custom User Filter – Filter used to limit the accounts that the Barracuda Email Security Service creates when an LDAP query is made. For example, you could limit the LDAP synchronization to just users in certain sub-domains using the mail= parameter, or only synchronize user-objects in a certain organizational unit (OU) using the ou= parameter. Each type of LDAP server has specific query syntax, so consult the documentation for your LDAP server. For Microsoft Exchange syntax and examples, see the TechNet article LDAP Query Basics.
Example: Your list of valid users on your directory server includes 'User1', 'User2', 'User3', 'BJones', 'RWong', and 'JDoe', and you create the User Filter (name=*User*). In this case, the service only creates accounts for 'User1', 'User2', and 'User3'.
- In the Directory Options section, specify the following options:
- Synchronize Automatically – Set to Yes if you are using LDAP and want the Barracuda Email Security Service to automatically synchronize your LDAP users to its database on a regular basis for recipient verification. With Microsoft Exchange server, the synchronization is incremental. Select No if you want to synchronize manually in case your LDAP server is not always available. To synchronize manually, click Synchronize Now.
- Use LDAP for Authentication – Set to Yes to enable LDAP for user login authentication. You can disable this setting if your LDAP server is unavailable for a period of time.
- Authentication Filter – Filter used to look up an email address and determine if it is valid for this domain. The filter consists of a series of attributes that might contain the email address. If the email address is found in any of those attributes, then the account is valid and is allowed by the Barracuda Email Security Service.