
Step 2 - Configure Office 365 for Inbound and Outbound Mail


You can configure Microsoft Office 365 with the Barracuda Email Security Service as your inbound and/or outbound mail gateway.

If you make changes to the settings, allow a few minutes for the changes to take effect.

Office 365 IP addresses and user interfaces can change; refer to Microsoft documentation for configuration details.

Time Requirement

After you update your MX records, you must wait at least 24-48 hours before starting work on Step 4 below, so your emails are not rejected. Plan accordingly.

You can specify the Barracuda Email Security Service as an inbound mail gateway through which all incoming mail for your domain is filtered before reaching your Office 365 account. The Barracuda Email Security Service filters out spam and viruses, then passes the mail on to the Office 365 mail servers. Use the Configure Inbound Mail Flow instructions below to configure.

You can also specify the Barracuda Email Security Service as the outbound mail gateway through which all mail is sent from your domain via your Office 365 account to the recipient. As the outbound gateway, the Barracuda Email Security Service processes the mail by filtering out spam and viruses before final delivery. By configuring Office 365 as described in Configure Outbound Mail Flow below, you instruct the Office 365 mail servers to pass all outgoing mail from your domain to the Barracuda Email Security Service (the gateway server).

Step 1. Launch the Barracuda Email Security Service Setup Wizard

Before you launch the wizard, verify you have the following:

  • Office 365 admin credentials
  • Credentials to run a PowerShell script or terminal to manually execute PowerShell scripts

  1. Log into Barracuda Cloud Control. On the left side, select Email Security.

    The Email Security wizard launches. Click Next.

  2. Select the Region for your Data Center. Then click Get Started.

    After you select your Region, you cannot change it.

  3. Enter the primary email domain you want to protect with Barracuda Email Security Service. Then click Next.
  4. The system automatically retrieves your current MX records and auto-fills that information as your Destination Server. If this is not the correct Destination Server, click Remove and add the Destination Server with the correct data.
    If you want to add additional servers, enter data for those servers now.
    After you properly configure the Destination Server, enter a valid User Name to test the mail server connection.
    After you have determined that the settings are correct, click Next.
  5. Select your settings, accepting the default values or making changes if needed, then click Next.
  6. Barracuda recommends waiting to configure outbound filtering until your inbound mail is fully cut over.
    You will set up your Outbound Settings later.
    Select the second option on this screen, then click Next to continue.
  7. Barracuda recommends verifying your domain via MX records with Priority 99. If you do not want to update MX records now, check the box and select a different method.
    In the first case, click Verify MX Records. Otherwise, click Confirm Validation.
    When the verification is successful, click Next.
    If the verification is not successful, a message appears, letting you know that the domain could not be verified.
    If you are having DNS issues that you want to address, click Skip to exit the wizard. Behind the wizard, click the Domains tab to retry the validation.
  8. Click Finish to finalize the setup and close the wizard.

Step 2. Add Additional Email Domains (Optional)

You configured your primary email domain in Step 3 of the wizard, above.
Use the steps in the following section if you want to protect additional domains with Barracuda Email Security Service. If you are only protecting one domain, continue below with Step 3. 

Obtain the hostname:
  1. Log into the Office 365 admin center.
  2. In the left pane, click Settings > Domains.
  3. In the Domains table, click on your domain.
  4. Take note of the hostname. This is the address of your destination mail server, for example, cudaware-com.mail.protection.outlook.com

Enter the hostname:

Barracuda recommends using a hostname rather than an IP address so that you can move the destination mail server and update DNS records without making changes to the Barracuda Email Security Service configuration. This address indicates where the Barracuda Email Security Service should direct inbound mail from the Internet to your Office 365 Exchange server. For example, your domain displays to the Internet as: bess-domain.mail.protection.outlook.com

  1. Log into the Barracuda Cloud Control as administrator. In the left panel, click Email Security. Select the Domains tab, then click Add Domain.
  2. Enter the domain name and destination mail server hostname obtained from your Office 365 account.
  3. Click Add Domain; the Domain Settings page displays, listing the new domain.
  4. Verify that the domain is yours. Follow the instructions in How to Set Up MX Records for Domain Verification. Make sure that you see that the domain is successfully verified, then return to this page. 

Repeat these steps, as needed, for additional Office 365 domains before continuing with Step 3 below. 

Step 3. Create Transport Rule to Bypass Spam Filtering

  1. Log into the Office 365 admin center, and go to Admin centers > Exchange.

  2. In the left pane, click mail flow, and click rules.
  3. Click the + symbol, and click Bypass spam filtering.
  4. In the new rule page, enter a Name to represent the rule.
  5. From the Apply this rule drop-down menu, select The sender > IP address is in any of these ranges or exactly matches.
  6. In the specify IP address ranges page, enter the IP address/range for the Sender (Barracuda Email Security Service). For example, if you are in the US region, type 64.235.144.0/20.
    For other regions, refer to the IP addresses listed in Barracuda Email Security Service IP Ranges. If your region has only one IP address range, you can skip ahead to Step 8 below.
  7. If there is more than one IP address or range, click the symbol, then type the next IP address or range. For example, for the US region, type 209.222.80.0/21, and click the + symbol.

  8. Click OK, and click Save to create the transport rule.
  9. Click the Edit icon for the rule, scroll to the Properties of this rule section, and in the Priority field, type 0.
  10. Click Save.
  11. Verify the new rule displays at the top of the list of mail flow rules. If the rule is not at the top, edit the rule and manually change its priority to zero (0).  
    If you create a mail flow rule to restrict access, as described at the bottom of Step 4 below, the priorities are:

    • Spam Bypass Rule – priority 1

    • Inbound Restriction Rule – priority 0

Step 4. Restrict Inbound Mail to the Barracuda Email Security Service IP Range

Time Requirement

It is essential that you wait at least 24-48 hours after you update your MX records before you begin working on the steps in this section. That time is needed for the records to propagate so your email will not be rejected.

The steps in this section enhance the security of the connection between Barracuda Email Security Service and Office 365. They allow inbound email to come only from the Barracuda system.

Select the PowerShell script to restrict inbound mail to the Barracuda Email Security Service based on the region selected when setting up your service. Refer to the Barracuda Email Security Service IP Ranges for the IP ranges corresponding to your region.

Run the appropriate script from Exchange Online PowerShell.  

PowerShell Script for the Australia Region

# Open a remote PowerShell session to Exchange Online and import its cmdlets
Set-ExecutionPolicy unrestricted
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
# Accept mail for all sender domains only over TLS and only from the Barracuda range
New-InboundConnector -Name "Barracuda Inbound Connector" -RequireTls $true -SenderDomains * -SenderIPAddresses 3.24.133.128/25 -RestrictDomainstoIPAddresses $true

PowerShell Script for the Canada Region

# Open a remote PowerShell session to Exchange Online and import its cmdlets
Set-ExecutionPolicy unrestricted
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
# Accept mail for all sender domains only over TLS and only from the Barracuda range
New-InboundConnector -Name "Barracuda Inbound Connector" -RequireTls $true -SenderDomains * -SenderIPAddresses 15.222.16.128/25 -RestrictDomainstoIPAddresses $true

PowerShell Script for the German Region

# Open a remote PowerShell session to Exchange Online and import its cmdlets
Set-ExecutionPolicy unrestricted
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
# Accept mail for all sender domains only over TLS and only from the Barracuda range
New-InboundConnector -Name "Barracuda Inbound Connector" -RequireTls $true -SenderDomains * -SenderIPAddresses 35.157.190.224/27 -RestrictDomainstoIPAddresses $true

PowerShell Script for the UK Region

# Open a remote PowerShell session to Exchange Online and import its cmdlets
Set-ExecutionPolicy unrestricted
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
# Accept mail for all sender domains only over TLS and only from the Barracuda range
New-InboundConnector -Name "Barracuda Inbound Connector" -RequireTls $true -SenderDomains * -SenderIPAddresses 35.176.92.96/27 -RestrictDomainstoIPAddresses $true

PowerShell Script for the US Region

# Open a remote PowerShell session to Exchange Online and import its cmdlets
Set-ExecutionPolicy unrestricted
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
# Accept mail for all sender domains only over TLS and only from the Barracuda ranges
New-InboundConnector -Name "Barracuda Inbound Connector" -RequireTls $true -SenderDomains * -SenderIPAddresses 64.235.144.0/24,64.235.145.0/24,64.235.146.0/24,64.235.147.0/24,64.235.148.0/24,64.235.149.0/24,64.235.150.0/24,64.235.151.0/24,64.235.152.0/24,64.235.153.0/24,64.235.154.0/24,64.235.155.0/24,64.235.156.0/24,64.235.157.0/24,64.235.158.0/24,64.235.159.0/24,209.222.80.0/24,209.222.81.0/24,209.222.82.0/24,209.222.83.0/24,209.222.84.0/24,209.222.85.0/24,209.222.86.0/24,209.222.87.0/24 -RestrictDomainstoIPAddresses $true

Alternatively, you can use mail flow rules, as described in the following steps.

Time Requirement

After updating your MX records, allow at least 24-48 hours before completing the steps in this section to allow the records to propagate.

 

  1. Log into the Office 365 admin center, and go to Admin centers > Exchange.
  2. In the left pane, click mail flow, and click rules.
  3. Click the + symbol, and click Create a new rule.
  4. In the new rule page, enter a Name to represent the rule. For example, type: Barracuda ESS IP restriction
  5. Scroll down to and click More Options.
  6. From the Apply this rule if drop-down menu, select The Sender > Is External/Internal > Outside the organization.
  7. From the Do the following drop-down menu, select Reject this message with the explanation.
  8. Enter the message you want included in the non-delivery report (NDR) that is sent to the sender. For example, enter:
    You have attempted to bypass our Email Security Service. Please ensure your DNS is up-to-date and try sending your message again.
  9. Click Add Exception.
  10. Select The Sender > Sender’s IP address is in any of these ranges or exactly matches, and enter the Barracuda Email Security Service IP range based on your Barracuda Email Security Service instance.

  11. Enter the Barracuda Email Security Service IP range based on your region, for example: 64.235.144.0/20  
  12. Click the + symbol.
  13. Enter the Barracuda Email Security Service IP range based on your region, for example: 209.222.80.0/21
  14. Click the + symbol.
  15. Click OK.
  16. Scroll to the Properties of this rule section, and in the Priority field, type: 0
  17. Under Match sender address in message, select Envelope.
  18. In the new rule page, click Stop processing more rules, and click Save to create the rule.
  19. Office 365 is now configured to block any email that does not originate from the Barracuda Email Security Service IP address ranges.
  20. Verify the new rule displays at the top of the list of mail flow rules. If the rule is not at the top, edit the rule and manually change its priority to zero (0).
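
A pre-check for the Time Requirement in this step, as an added example (not Barracuda's or Microsoft's code): it lists inbound messages whose connecting IP lies outside the Barracuda ranges, which is the mail that either restriction above would reject. The two ranges are the US-region values quoted on this page; the sample rows and their SenderAddress and FromIP property names are constructed for illustration.

```powershell
# Added example. Ranges are the US-region values quoted on this page;
# substitute the ranges for your own region.
$BarracudaRanges = '64.235.144.0/20', '209.222.80.0/21'

function ConvertTo-IPv4Number ([string] $Ip) {
    # Dotted quad -> 0..4294967295 held as Int64 (avoids signed 32-bit overflow).
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($b.Length -ne 4) { throw "Not an IPv4 address: $Ip" }
    ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Test-IPv4InCidr ([string] $Ip, [string] $Cidr) {
    $network, $prefix = $Cidr -split '/'
    if ($null -eq $prefix) { $prefix = 32 }          # bare address = single host
    $blockSize = [math]::Pow(2, 32 - [int]$prefix)   # addresses per block
    # Two addresses share a block when they give the same quotient by block size.
    [math]::Floor((ConvertTo-IPv4Number $Ip) / $blockSize) -eq
        [math]::Floor((ConvertTo-IPv4Number $network) / $blockSize)
}

function Get-SenderOutsideRanges {
    param([object[]] $Trace, [string[]] $AllowedRanges)
    foreach ($row in $Trace) {
        $allowed = $false
        foreach ($range in $AllowedRanges) {
            if (Test-IPv4InCidr $row.FromIP $range) { $allowed = $true; break }
        }
        if (-not $allowed) { $row }   # emit only rows the restriction would reject
    }
}

# Constructed rows standing in for an export of recent inbound mail.
$sample = @(
    [pscustomobject]@{ SenderAddress = 'a@example.net'; FromIP = '64.235.150.10' }
    [pscustomobject]@{ SenderAddress = 'b@example.org'; FromIP = '209.222.87.200' }
    [pscustomobject]@{ SenderAddress = 'c@example.com'; FromIP = '209.222.88.1' }   # just past the /21
    [pscustomobject]@{ SenderAddress = 'd@example.com'; FromIP = '198.51.100.25' }  # delivered directly
)

Get-SenderOutsideRanges -Trace $sample -AllowedRanges $BarracudaRanges |
    Format-Table SenderAddress, FromIP
```

Rows still listed after the 24-48 hour wait point to senders using stale MX data or delivering directly to Office 365; investigate them before enabling the restriction.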

Step 5. Configure Sender Policy Framework for Outbound Mail

To ensure that Barracuda Networks is an authorized sender of outbound mail from your Barracuda Email Security Service, add the Barracuda INCLUDE to the Sender Policy Framework (SPF) record of your sending mail server for each domain sending outbound mail. Select the relevant SPF INCLUDE based on the region you selected for your Barracuda Email Security Service. See Sender Policy Framework for Outbound Mail for INCLUDE values based on your Barracuda Email Security Service instance.

For example, if you are using Office 365, your record would look similar to:

v=spf1 include:spf.protection.outlook.com include:spf.ess.barracudanetworks.com -all

See Sender Authentication for more information.

  • If you have an SPF record set up for your domain, edit the existing record, and add the following to the INCLUDE line for each domain sending outbound mail based on your Barracuda Email Security Service instance. For example: include:spf.ess.barracudanetworks.com -all
  • If you do not have an SPF record set up for your domain, use the following value to create a TXT record that creates a HARD Fail SPF for your domain based on your Barracuda Email Security Service instance. For example: v=spf1 include:spf.ess.barracudanetworks.com -all
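
A check for the SPF record described in this step, as an added example (not Barracuda's code): it parses a domain's TXT values and reports a missing Barracuda include, duplicate SPF records, or a qualifier other than the hard fail shown above. The function name and sample TXT values are constructed; the default include is the one from this page's example.

```powershell
# Added example. The default include is the value shown in this page's example;
# use the INCLUDE for your own Barracuda region.
function Test-OutboundSpf {
    param(
        [string[]] $TxtRecords,
        [string] $RequiredInclude = 'spf.ess.barracudanetworks.com'
    )
    $findings = @()
    # Zero SPF records means no policy; more than one is a permanent error.
    $spf = @($TxtRecords | Where-Object { $_ -match '^v=spf1(\s|$)' })
    if ($spf.Count -eq 0) { $findings += 'no v=spf1 record published' }
    if ($spf.Count -gt 1) { $findings += 'more than one v=spf1 record (permerror)' }

    foreach ($record in $spf) {
        # Split into terms and drop the leading version tag.
        $terms = @($record -split '\s+' | Where-Object { $_ } | Select-Object -Skip 1)
        $includes = @($terms | Where-Object { $_ -match '^\+?include:' } |
            ForEach-Object { $_ -replace '^\+?include:', '' })
        if ($includes -notcontains $RequiredInclude) {
            $findings += "missing include:$RequiredInclude"
        }
        # Terms that cost a DNS lookup. SPF allows 10 per evaluation and lookups
        # inside each include count as well, so this figure is a lower bound.
        $lookups = @($terms | Where-Object {
            $_ -match '^[+\-~?]?(include:|exists:|(a|mx|ptr)([:/]|$))|^redirect='
        }).Count
        if ($lookups -gt 10) { $findings += "$lookups lookup terms at top level (limit 10)" }

        $all = @($terms | Where-Object { $_ -match '^[+\-~?]?all$' })
        if ($all.Count -eq 0) {
            $findings += 'no "all" mechanism'
        } elseif ($all[0] -ne '-all') {
            $findings += "'$($all[0])' is not the hard fail (-all) used in this page's example"
        }
    }
    [pscustomobject]@{ Ok = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed TXT values; the first SPF string is the Office 365 example from this page.
$good = 'v=spf1 include:spf.protection.outlook.com include:spf.ess.barracudanetworks.com -all'
$soft = 'v=spf1 include:spf.protection.outlook.com ~all'

Test-OutboundSpf -TxtRecords $good, 'unrelated-verification=abc123'
Test-OutboundSpf -TxtRecords $soft

# Live input on Windows:
#   Resolve-DnsName <domain> -Type TXT | ForEach-Object { $_.Strings -join '' }
```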

Step 6. Configure User Accounts and User Lists

Expand and complete the steps in the appropriate section, based on your organization's setup.

 

 

Step 7. Configure Outbound Mail

If you have more than one domain on your tenant (e.g., x.com and y.com) and you only want to filter one of the domains (like x.com), refer to How to Configure Office 365 to Scan Only Selected Domains Outbound. The instructions in this section below describe how to filter for all domains for outbound mail.

Notes

If you have multiple outgoing account domains for Office 365, you only need to make one send connector in Office 365. You can use any one of the outbound smarthosts to make the send connector.

Each of your domains that you want to be able to send email must be added to Barracuda Email Security Service. Be sure to add all of your accepted Office 365 domains into Barracuda Email Security Service before configuring outgoing email in this section.

 

  1. Log into your Barracuda Cloud Control account. On the left side, select Email Security. Select the Domains tab. For the appropriate domain, click Edit.
  2. On the Domain Settings page, locate the Outbound Smarthost Configuration section and make note of the Hostname.
  3. Log into the Office 365 admin center, and go to Admin centers > Exchange.

  4. In the left pane, click mail flow, and click connectors.
  5. Click the + symbol, and use the wizard to create a new connector.

  6. From the From drop-down menu, select Office 365, and from the To drop-down menu, select Partner organization.

  7. Enter a Name and (optional) Description to identify the connector.

  8. Click Next. Select Only when email messages are sent to these domains, click the + symbol, and enter an asterisk ( * ) in the add domain field.

  9. Click OK, and click Next. Select Route email through these smart hosts, and click the + symbol.

  10. Go to the Barracuda Email Security Service, and click the Domains tab. Copy your outbound hostname from the MX records, and enter it in the add smart host page.

  11. Click Save, and click Next. Use the default setting, Always use Transport Layer Security (TLS) to secure the connection (recommended) > Issued by Trusted certificate authority (CA).
  12. Click Next. In the confirmation page, verify your settings and click Next. Office 365 runs a test to verify your settings.
  13. When the verification page displays, enter a test email address, and click Validate. For this test, it is important to use an email address from outside your organization, such as a Gmail or Yahoo email address.
    There are two parts of the validation:
    1. Test Connectivity – If this test fails, Outbound Groups is not enabled. Contact Barracuda Technical Support and request that Outbound Groups be enabled on your Barracuda Email Security Service account.
    2. Send Test Email – If the test fails, there is no cause for concern. The test email comes from a Microsoft domain, not from your domain, so it is rejected. If you changed your domain away from onmicrosoft.com, the test should work.
  14. Click Save. Your mail flow settings are added.

Barracuda Email Security Service now accepts outbound traffic from Outlook 365.

For additional configuration options and features, log into the Barracuda Email Security Service web interface, and click Help.


 Continue with Step 3 - Complete Service Configuration.    
