Before choosing your journaling deployment, you must configure your LDAP settings. See LDAP - Active Directory Integration for instructions.
Configure Microsoft 365 Journaling
To journal mail directly from Microsoft 365 to your Barracuda Message Archiver, you must have a public IP address and port 25 open and NATed to the Barracuda Message Archiver. Additionally, you can optionally have a public DNS record. You can test this by attempting to telnet to the Barracuda Message Archiver on port 25. You can expect one of three outcomes: Microsoft publishes a list of IP addresses used for Microsoft 365 endpoints. The endpoints are grouped into four service areas: See the TechNet article Microsoft 365 URLs and IP address ranges for further details. Note: For Microsoft 365 Germany endpoints, see the TechNet article Microsoft 365 Germany endpoints . Because this configuration requires the Barracuda Message Archiver to be public-facing, Barracuda Networks strongly recommends that you configure the Barracuda Message Archiver to only accept mail from the list of Trusted SMTP Servers. If you are also receiving mail from sources other than Microsoft 365, such as an on-premise Exchange server, make sure you add those IP addresses to the list of Trusted SMTP Servers before setting the Barracuda Message Archiver to Allow Only Trusted Hosts. To configure SMTP forwarding settings: Out of Office automatic reply types – Select None Click Next. In the New connector page, select Always use Transport Layer Security (TLS) and Any digital certificate, including self-signed certificates: Note that this step is optional and only applies if you enabled SMTP Over TLS/SSL in Step 5 . If you previously configured a certificate from a trusted certificate authority, select the Issued by a trusted certificate authority (CA) option. Before creating journal rules, specify a journal recipient for non-delivery reports (NDRs) to reduce the risk of losing journal reports: In Send undeliverable journal reports to, enter the email address of a valid user account. Note that the mailbox must be a mail user, mail contact, or external user, not an Exchange Online Mailbox. Click Save. Journal rule name – Type Barracuda Message Archiver Journal messages sent or received from – Select Apply to all Messages. Type of message to journal – Select All Messages. Select Next, review the settings, and then click Submit to create the journal rule.Step 1. Ensure Public Access to Port 25 on the Barracuda Message Archiver
Step 2. Add Microsoft 365 Endpoints to the Trusted SMTP Servers List
Step 3. Configure SMTP Forwarding Settings
Step 4. Configure Local Domains
Step 5. Configure SMTP Over TLS/SSL (Optional)
Step 6. Create a Remote Domain
Step 7. Create a Send Connector for the Remote Domain
Ensure the Turn it on check box is selected, otherwise the connector will fail to validate and will not send a test message.
Step 8. Create a Non-Delivery Report Recipient
To create an NDR recipient:
Step 9. Configure Journaling
journal@bma.int
Configure Envelope Journaling for Microsoft Exchange Server 2013 and Newer - Standard
Microsoft Exchange allows a Journal recipient to be either a mailbox or a contact. By using a contact with an email address that is part of a non-existent domain, you can create a send connector that uses SMTP to deliver journaled mail to the Barracuda Message Archiver. Use the steps in this article to configure Envelope Journaling. Use the examples in this article to simplify troubleshooting. Note that you can cut and paste the shell commands directly from this article. To ensure that archiving begins as soon as your Exchange Servers are configured to send journal copies, first register each Exchange Server that is in a Client Access Server (CAS) role as a Trusted SMTP Server with the Barracuda Message Archiver on the Mail Sources > SMTP page in the web interface. The Remote Domain must not be your normal email domain. The remote domain must be a non-existent and non-routable/unresolvable domain from either inside or outside your organization (such as In previous versions of Exchange Server, the Exchange Management Console was used to create a Remote Domain; in Exchange Server 2013 and newer, the ECP/EAC has no analogous functionality so you must use PowerShell to create the Remote Domain. To create a Remote Domain, you must enter a Name to describe the domain, and the actual Domain Name to use. In this example, The Mail Contact is the account that is to act as a "holding location" for journaled messages. The email address associated with this account is the designated recipient and must be associated with a non-existent, non-routable dummy Domain Name created above in Step 2. Create a Remote Domain From the Exchange Management PowerShell. Use the following steps to create the Mail Contact: Barracuda Networks recommends hiding the mail contact from the Global Address List. You can use the following command in Exchange Management Shell to hide the mail contact: Get-MailContact | Where {$_.Name -eq "Barracuda Journaling"} | Set-MailContact -HiddenFromAddressListsEnabled $True Enter the following command to verify the setting: Get-MailContact | Where {$_.Name -eq "Barracuda Journaling"} | Format-table Name, HiddenFromAddressListsEnabled To ensure proper mail flow, verify that the Barracuda Message Archiver send connector has a lower cost value than the send connector for outbound SMTP traffic. To route journaled mail that is sent to the contact to the Barracuda Message Archiver, use the following steps to create a Send Connector for the Remote Domain: Use the following steps to set up mailbox database journaling: You must complete all of the steps in this section for each Exchange Email Database. The configuration is now complete and journaled mail is forwarded to the Barracuda Message Archiver. Log into the Barracuda Message Archiver, and go to the Basic > Search page in the web interface to verify that new mail is being processed. Note that it may take up to 30 minutes before journaled mail is available in the search results. Barracuda Networks recommends hiding the Journal Contact, as well as any mailbox set up for undeliverable journal reports, from the Global Address List (GAL) so that mail is not sent directly to these accounts. Step 1. Register Each Exchange Server as a Trusted SMTP Server
Step 2. Create a Remote Domain From the Exchange Management PowerShell
bma.int
). This domain must be used for the email address of the Mail Contact that is to be the journaled message recipient.Remote Domain
bma.int
is the dummy Domain Name that is used. You can use bma.int
or create your own dummy Domain Name. Note that this Domain Name is also used to create the Mail Contact in Step 4. Create a Send Connector for the Remote Domain.
New-RemoteDomain -DomainName bma.int -Name "Message Archiver Domain"
Get-RemoteDomain | Where {$_.DomainName -eq "bma.int"} | Set-RemoteDomain -TNEFEnabled $false -AutoForwardEnabled $true
Get-RemoteDomain | Where {$_.DomainName -eq "bma.int"} |Format-table Name, DomainName, TNEFEnabled, AutoForwardEnabled
Step 3. Create a Recipient Mail Contact/Alternate Email Address
Step 4. Create a Send Connector for the Remote Domain
) icon to edit the Send Connector properties. From the Maximum send message size (MB) drop-down list, select unlimited, and then click save:
Step 5. Set Up Mailbox Database Journaling
) icon to edit the database properties:
Configure Envelope Journaling for Microsoft Exchange Server 2013 and Newer - Premium
Microsoft Exchange allows a Journal recipient to be either a mailbox or contact. By using a contact with an email address that is part of a non-existent domain, you can create a send connector that uses SMTP to deliver journaled mail to the Barracuda Message Archiver. Also see Understanding SMTP Forwarding and Trusted Servers. By default, Health Monitor Alerts are automatically journaled in Exchange 2013. To exclude these alerts from journaling, refer to the Microsoft support article Managed Availability messages are journaled in Exchange Server 2013. Use the examples included in this article to simplify troubleshooting. Note that you can cut and paste the shell commands directly from this article. To ensure that archiving begins as soon as your Exchange Servers are configured to send journal copies, first register each Exchange Server that is in a Client Access Server (CAS) role as a Trusted SMTP Server with the Barracuda Message Archiver on the Mail Sources > SMTP page in the web interface. The Remote Domain must not be your normal email domain. The remote domain must be a non-existent and non-routable/unresolvable domain from either inside or outside your organization (such as bma.int). This domain must be used for the email address of the Mail Contact that is to be the journaled message recipient. In previous versions of Exchange Server, the Exchange Management Console was used to create a Remote Domain; in Exchange Server 2013 the ECP/EAC has no analogous functionality so you must use PowerShell to create the Remote Domain. To create a Remote Domain, you must enter a Name to describe the domain, and the actual Domain Name to use. In this example, Enter the following command to verify the settings: These commands ensure TNEF encoding is disabled and auto-forwarding is enabled. Barracuda Networks recommends disabling TNEF encoding. Auto-forwarding is enabled to allow mail for the contact to be forwarded to the Barracuda Message Archiver. The Mail Contact is the account that is to act as a "holding location" for journaled messages. The email address associated with this account is the designated recipient and must be associated with a non-existent, non-routable dummy Domain Name created above in Step 2. Create a Remote Domain From the Exchange Management PowerShell. Use the following steps to create the Mail Contact: Click save. The new contact displays in the contacts list: Hide Contact from Global Address List Barracuda Networks recommends hiding the mail contact from the Global Address List (GAL). One method to hide the mail contact is to utilize the following shell command: The setting can be verified by executing: Alternate Journaling Mailbox You can configure an additional parameter in Exchange 2013 to specify that a journal report temporarily cannot be delivered. For details, refer to the Journal Reports section of the Microsoft TechNet Journaling article. Hide Alternate Contact from GAL Barracuda Networks recommends hiding the alternate mail contact from the GAL; to do so, with the new mailbox still selected, click the Edit ( To route journaled mail that is sent to the contact to the Barracuda Message Archiver, use the following steps to create a Send Connector for the Remote Domain: The configuration is now complete and journaled mail is forwarded to the Barracuda Message Archiver. Log into the Barracuda Message Archiver, and go to the Basic > Search page in the web interface to verify that new mail is being processed. Note that it may take up to 30 minutes before journaled mail is available in the search results. Excluding Health Monitor Alerts
Step 1. Register Each Exchange Server as a Trusted SMTP Server
Step 2. Create a Remote Domain From the Exchange Management PowerShell
bma.int
is the dummy Domain Name that is used. You can use bma.int
or create your own dummy Domain Name. Note that this Domain Name is also used when creating the Mail Contact in Step 4. Create a Send Connector for the Remote Domain.
New-RemoteDomain -DomainName bma.int -Name "Message Archiver Domain" Get-RemoteDomain | Where {$_.DomainName -eq "bma.int"} | Set-RemoteDomain -TNEFEnabled $false -AutoForwardEnabled $true
Get-RemoteDomain | Where {$_.DomainName -eq "bma.int"} |Format-table Name, DomainName, TNEFEnabled, AutoForwardEnabledStep 3. Create a Recipient Mail Contact/Alternate Email Address
Get-MailContact | Where {$_.Name -eq "Journal Contact"} | Set-MailContact -HiddenFromAddressListsEnabled $True
Get-MailContact | Where {$_.Name -eq "Journal Contact"} | Format-table Name, HiddenFromAddressListsEnabled
) icon. In the general page, turn on Hide from address lists:
Step 4. Create a Send Connector for the Remote Domain
bma.int
(see Step 2. Create a Remote Domain From the Exchange Management PowerShell):
) icon to edit the Send Connector properties. From the Maximum send message size (MB) drop-down list, select unlimited:
Step 5. Create a Journal Rule
bma.int
):
Configure Envelope Journaling for Microsoft Exchange Server 2007 and 2010
Depending on your Client Access Licenses (CALs), you may need to apply these rules at the mail server level rather than the hub transport level. For more information, see the Microsoft TechNet article Overview of Compliance Features. To ensure that journaled message archiving begins as soon as your Exchange Servers are configured to send them, register each Exchange Server as a Trusted SMTP Server with the Barracuda Message Archiver (on the Mail Sources > SMTP page) prior to configuring your Exchange Servers. Also see Understanding SMTP Forwarding and Trusted Servers. Once the Barracuda Message Archiver is configured to receive SMTP traffic, you must complete the following from the Exchange Management Console (EMC) of each Exchange Server that will be journaling directly into the Barracuda Message Archiver: On the Barracuda Message Archiver, use the the following steps to enable SMTP forwarding: The Remote Domain must be a non-existent or externally non-routable and unresolvable domain, from either inside or outside your organization, and must match the Mail Contact that is the recipient of journaled messages as it is used by the Exchange Server for routing all SMTP Journal traffic. Use the following steps to create a remote domain: In the Exchange rich-text format section, select Never Use: Verify that only Never use and Allow automatic forward are selected in the dialog box. The Mail Contact is the account that is to act as a "holding location" for journaled messages. The email address associated with this account is the designated recipient, and should be associated with a non-routable "dummy" domain name. Use the following steps to create a Mail Contact: Click Edit to the right of the External e-mail address field, and in the SMTP Address dialog, enter the delivery email address, for example, BMA_Journal@bma.int: The account name can be anything you want, but the domain name must match what you created in the preceding section, Create a Remote Domain. Both the Standard and Enterprise versions of Microsoft Exchange Server 2007 and 2010 support Standard and Premium Journaling. Open the EMC, and complete the following steps to add a journaling rule:Register Each Exchange Server as a Trusted SMTP Server
Configure the Barracuda Message Archiver
Create a Remote Domain
Create a Mail Contact
Create a Send Connector
Create a Journaling Rule
Configure Google Workspace Journaling
Use the steps in this article to configure Google Workspace to send journal mail to the Barracuda Message Archiver.
Step 1. Ensure Public Access to Port 25 on the Barracuda Message Archiver
To Journal mail directly from Google Workspace to your Barracuda Message Archiver, you must have a public IP address and port 25 open and NATed to the Barracuda Message Archiver. Additionally, you can optionally have a public DNS record. You can test this by attempting to telnet to the Barracuda Message Archiver on port 25. You can expect one of three outcomes:
- If the Barracuda Message Archiver is not accessible, either due to port 25 being blocked or incorrectly configured on the firewall, the attempt to telnet simply hangs at Trying [IP address]. In this case you need to troubleshoot your network settings:
- If the Barracuda Message Archiver is accessible and you have set Allow Only Trusted Hosts on the Mail Sources > SMTP page to No, telnet establishes a connection to the Barracuda Message Archiver:
- If the Barracuda Message Archiver is accessible, you have set Allow Only Trusted Hosts on the Mail Sources > SMTP page to Yes, and you are attempting to telnet from an IP address not listed in the TRUSTED SMTP SERVERS section, telnet establishes a connection and the connection is immediately closed:
Step 2. Add Google IP Address Ranges to the Trusted SMTP Servers List
Google Workspace mail servers use a large range of IP addresses which may change. To determine the current Google IP address range, see the Google IP address ranges for outbound SMTP in the Google Workspace Administrator Help .
- Use the steps outlined in the Google IP address ranges for outbound SMTP article.
- Log in to the Barracuda Message Archiver as the administrator, and go to the Mail Sources > SMTP page.
- Click Bulk Edit.
- Copy and paste the IP addresses based on your region, and click Save .
Step 3. Configure SMTP Forwarding Settings
Because this configuration requires the Barracuda Message Archiver to be public-facing, Barracuda Networks strongly recommends that you configure the Barracuda Message Archiver to only accept mail from the list of Trusted SMTP Servers. If you are also receiving mail from sources other than Google Workspace, make sure you add those IP addresses to the list of Trusted SMTP Servers before setting the Barracuda Message Archiver to Allow Only Trusted Hosts.
To configure SMTP forwarding settings,
1. Log into the Barracuda Message Archiver as the administrator, and go to the Mail Sources > SMTP page.
2. In the SMTP Forwarding Settings section, set Allow Only Trusted Hosts to Yes.
3. Click Save.
Step 4. Configure Local Domains
- Log into the Barracuda Message Archiver as the administrator, and go to the Basic > IP Configuration page.
- In the Local Domains section, add all of your mail-enabled domains.
- Click Add after each domain entry, and click Save.
Step 5. Configure SMTP Over TLS/SSL (Optional)
- Log into the Barracuda Message Archiver as the administrator, and go to the Advanced > SMTP Configuration page.
- In the SMTP Over TLS/SSL section, set Enable SMTP over TLS/SSL to Yes.
- Click Save.
Step 6. Add Route
-
Sign into the Google Workspace domain console, and go to Apps > Google Workspace > Gmail > Hosts .
- Click Add Route.
- In the Add mail route page, enter your Barracuda Message Archiver settings:
- Type Barracuda Message Archiver in the Name field.
-
In the Specify email server section, enter your Barracuda Message Archiver public IP address or public DNS record.
You can optionally select Require secure transport (TLS). When selected, you must set Enable SMTP over TLS/SSL to Yes on the Advanced > SMTP Configuration page in the Barracuda Message Archiver web interface (see STEP 5 above).
If you are using a self-signed certificate, clear Require CA signed certificate.
- Click Save.
-
Go to Apps > Google Workspace > Gmail > Routing. Click Configure or Add Another Rule.
- Enter a unique name to identify the setting, and select all of the check boxes under Messages to affect:
- Scroll to Also deliver to, click Add more recipients, and click Add.
- Under Recipients, select Advanced from the drop-down menu.
- Select Change route and Barracuda Message Archiver.
- Clear Do not deliver spam to this recipient and select Suppress bounces from this recipient.
- Click Save, and click Add Setting.
- Click Save:
Additional Deployment Options
The deployment mode is dependent on the email server configuration at your site as well as the number of domains you want to archive. See Deployment Options for a complete list of supported deployment options.