Microsoft 365 Journaling

Last updated on 2025-07-15 14:46:52

This article applies to Barracuda Message Archiver firmware version 5.0 and higher, and Microsoft 365 Enterprise cloud-based mail service, live@edu.

Hybrid Deployment

In a Hybrid deployment, where some mailboxes are on-premise Exchange Server and some Microsoft 365 Exchange Online, you must set up a journaling rule on both the on-premise Exchange Server and Microsoft 365 to capture inbound, outbound, and internal mail.

Warning! Hybrid deployment can cause duplicate mails in some environments. This is an issue with Hybrid deployment and not with your Barracuda Cloud Archiving Service. For more information, see the following Microsoft article https://learn.microsoft.com/en-us/exchange/security-and-compliance/journaling/journaling#troubleshooting.

Use the following articles to set up journaling based on the version of Exchange Server running in your environment:

Step 1. Ensure Public Access to Port 25 on the Barracuda Message Archiver

To journal mail directly from Microsoft 365 to your Barracuda Message Archiver, you must have a public IP address and port 25 open and NATed to the Barracuda Message Archiver. Additionally, you can optionally have a public DNS record. You can test this by attempting to telnet to the Barracuda Message Archiver on port 25. You can expect one of three outcomes:

If the Barracuda Message Archiver is not accessible, either due to port 25 being blocked or incorrectly configured on the firewall, the attempt to telnet simply hangs at Trying [IP address]. In this case, troubleshoot your network settings:
If the Barracuda Message Archiver is accessible and you have set Allow Only Trusted Hosts on the Mail Sources > SMTP page to No, telnet establishes a connection to the Barracuda Message Archiver:
If the Barracuda Message Archiver is accessible, you have set Allow Only Trusted Hosts on the Mail Sources > SMTP page to Yes, and you are attempting to telnet from an IP address not listed in the Trusted SMTP Servers section, telnet establishes a connection and the connection is immediately closed.

Step 2. Add Microsoft 365 Endpoints to the Trusted SMTP Servers List

Microsoft publishes a list of IP addresses used for Microsoft 365 endpoints. The endpoints are grouped into four service areas:

Exchange Online
SharePoint Online and OneDrive for Business
Skype for Business Online and Microsoft Teams
Microsoft 365 Common and Office Online.

See the Microsoft article Microsoft 365 URLs and IP address ranges for further details. Note: For Microsoft 365 Germany endpoints, see the Microsoft article Microsoft 365 Germany endpoints.

Log into the Barracuda Message Archiver as the administrator, and go to the Mail Sources > SMTP page.
Click Bulk Edit.
Go to the Microsoft article Microsoft 365 URLs and IP address ranges. Copy and paste the IP addresses based on your Microsoft 365 endpoints.
Click Save.

Step 3. Configure SMTP Forwarding Settings

Because this configuration requires the Barracuda Message Archiver to be public-facing, Barracuda Networks strongly recommends that you configure the Barracuda Message Archiver to only accept mail from the list of Trusted SMTP Servers. If you are also receiving mail from sources other than Microsoft 365, such as an on-premise Exchange server, make sure you add those IP addresses to the list of Trusted SMTP Servers before setting the Barracuda Message Archiver to Allow Only Trusted Hosts.

To configure SMTP forwarding settings:

Log into the Barracuda Message Archiver as the administrator, and go to the Mail Sources > SMTP page.
In the SMTP Forwarding Settings section, set Allow Only Trusted Hosts to Yes.
Click Save.

Step 4. Configure Local Domains

Log into the Barracuda Message Archiver as the administrator, and go to the Basic > IP Configuration page.
In the Local Domains section, add all of your mail-enabled domains including your onmicrosoft.com domain, as well as your non-routable domain, for example, bma.int.
Click Add after each domain entry, and then click Save.

Step 5. Configure SMTP Over TLS/SSL (Optional)

Log into the Barracuda Message Archiver as the administrator, and go to the Advanced > SMTP Configuration page.
In the SMTP Over TLS/SSL section, set Enable SMTP over TLS/SSL to Yes.
Click Save.

Step 6. Create a Remote Domain

Log into the Exchange admin center (EAC), and click mail flow > remote domains:
Click the + symbol, and in the new remote domain dialog box, configure the following options:
1. Name – Type Barracuda Message Archiver
2. Remote Domain – Type BMA.int or any non-routable domain
3. Out of Office automatic reply types – Select None
4. Automatic replies – Select Allow automatic forwarding
5. Message reporting – Clear all options
6. Use rich-text format – Select Never
7. MIME Character Set – Select None
8. Non-MIME Character Set – Select None
Click Save.

Step 7. Create a Send Connector for the Remote Domain

Log into EAC, and click mail flow > connectors.
Click the + symbol. In the Select your mail flow scenario page, configure the following options:
1. From – Select Office 365
2. To – Select Your organization's email server
Click Next. In the New connector page, Configure the following options:
1. Name – Type Barracuda Message Archiver
2. What do you want to do after connector is saved – Select both Turn it on and Retain internal Exchange email headers (recommended):
  Ensure the Turn it on check box is selected, otherwise the connector will fail to validate and will not send a test message.
Click Next. In the New Connector page, select Only when email message are sent to these domains.
Click the + symbol. Enter the non-routable domain configured in Step 6 (for example, bma.int), and click OK:
Click Next. In the New connector page, click the + symbol. Type your public FQDN or IP Address assigned to your Message Archiver. For example, archiver.getcuda.com. Click Save:
Click Next. In the New connector page, select Always use Transport Layer Security (TLS) and Any digital certificate, including self-signed certificates:
Note that this step is optional and only applies if you enabled SMTP Over TLS/SSL in Step 5.
If you previously configured a certificate from a trusted certificate authority, select the Issued by a trusted certificate authority (CA) option.
Click Next. Verify your settings in the summary page, and click Next.
Click the + symbol in the Validate this connector page, type test@[non-routable domain] , and click OK:
Click Validate.
In the New connector validation results page, verify the connector Status displays as Succeeded, and click Finish.

Step 8. Create a Non-Delivery Report Recipient

Before creating journal rules, specify a journal recipient for non-delivery reports (NDRs) to reduce the risk of losing journal reports:

To create an NDR recipient:

Log into the Microsoft Purview compliance portal, navigate to Solutions > Data lifecycle management > Exchange (legacy).
Click the Settings icon.
In Send undeliverable journal reports to, enter the email address of a valid user account. Note that the mailbox must be a mail user, mail contact, or external user, not an Exchange Online Mailbox.
Click Save.

Step 9. Configure Journaling

Log into the Microsoft Purview compliance portal, navigate to Solutions > Data lifecycle management > Exchange (legacy) > Journal rules, and then select + New rule.
On the Define journal rule settings page, provide a name for the journal rule and then configure the following options:
1. Send journal reports to – Type journal@[non-routable domain]. For example, type: journal@bma.int
2. Journal rule name – Type Barracuda Message Archiver
3. Journal messages sent or received from – Select Apply to all Messages.
4. Type of message to journal – Select All Messages.
Select Next, review the settings, and then click Submit to create the journal rule.