Booches.nl

Barracuda – Mail Protocol Violation

A customer updated the firmware from a Barracuda SPAM &Virus 300 firewall. The firmware was upgraded from version 3.4 to version 3.5.12.024. After the upgrade no email was coming in or going out through the Barracuda firewall.

All email was blocked and the following reason was visible in the message log:

Mail Protocol Violation

At first I couldn’t find a reason why all mail was blocked, so I contacted Barracuda and established a remote connection with Barracuda for remote troubleshooting. (I really like that feature). Finally the engineer found the problem. The Maximum Message Size value under Advanced – Email Protocol – SMTP Configuration was set to:

100000000000000000000000000000000000000 bytes

Yep, you read that correctly. I have no idea where that value came from. So I changed it back to the recommended value of 100 MB. After changing the value, mail started coming in and going out again through the Barracuda.

Secret Barracuda Spam firewall options

While troubleshooting a Barracuda Spam Firewall 300 I found a forum on internet, which shows you how to get an extra tab under the Advanced configuration of the Barracuda Spam Firewall. The “secret” configuration page is enabled with the following steps:

1. Logon to the Barracude Spam Firewall 300;
2. Click on the Advanced tab;
3. Add &expert=1 at the end of the URL and hit enter;

You will now get the extra tab Expert Variables like shown below.

PDA Active Sync – Invalid Certificate

The usage of Pocket PCs (PDAs) becomes more and more a default feature for business. The last months I have installed quit some Windows ISA 2006 servers for Reverse Proxy purposes. I have installed them normally for webmail only, but lately I have added the Microsoft Active Sync feature.

The Pocket PCs connect to the organization via UMTS, GPRS, USB with laptop or whatever with an internet connection. Today I had the same job on the schedule: Enable Active Sync for Pocket PCs.

I thought by myself: EASY JOB, but NOT. After configuring the ISA reverse proxy I used a Pocket PC emulator to test the Active Sync features. I received the following error message when synchronizing:

I found this a strange message, because clients use the same URL as the Pocket PC for accessing their webmail and they never receive an error message for an untrusted certificate.

The used certificated is issued by Equifax Secure Global eBusiness CA-1. This is a common and one of the better CA’s.

I had to dig deeper into the problem. I tried to install the certificate on the Pocket PC, but no luck. I searched the internet and found a tool called Microsoft Exchange Server Disable Certificate Verification. You can find an executable here, which can be used when using the Pocket PC in conjunction with a PC through USB. I also found a similar tool to install on the pocket PC, this is called AS_Cert_OFF.cab. The tool wasn’t the solution to the problem, so I had to dig deeper.

I was thinking way to complex, the problem was fixed by requesting a new certificate. The used certificate didn’t support Pocket PC. Comparing the different SSL certificates on QuickSSL.com I noticed I had to use a QuickSSL Premium certificate. This certificate supports popular mobile devices and smartphones.

After generating a CSR, requesting the certificate and installing the certificate on the ISA server, the connection and synchronization works like a charm. At least for the most PDA’s. Some PDA’s received the following error 80072f7d. After searching some forums, I found the solution in adding a registry key. I added the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows CE Services]
“AllowLSP”=dword:00000000

After adding the key to the registry, all Pocket PC’s synchronized perfectly.

LDAP and eSafe Gateway

eSafe Gateway can be used for scanning incoming and outgoing SMTP connections for virusses and SPAM. Normally eSafe Gateway doesn’t check incoming mail addresses against a directory like Active Directory or Novell Directory Services.

This means that all mail addresses for a trusted domain are forwarded to the internal mail server. In the most ideal situation unknown mail addresses should be blocked at the eSafe Gateway. This feature will take away load off the internal mail server, because this mail server doesn’t have to generate NDR (Non-Delivery Reports) messages. Beside that, the eSafe Gateway also doesn’t have to process the NDR’s. LDAP (Lightweight Directory Access Protocol) provides this functionality.

With LDAP configured, the eSafe Gateway will synchronize all known mail objects from the directory services with the eSafe Gateway. By this, the eSafe Gateway knows all valid mail objects and can block invalid mail objects. There are some issues when configuring a LDAP query with Active Directory. By default Active Directory only allows 1000 objects in one query. Some customers have more mail object, so this settings needs to be added. Inside Active Directory, you should edit the LDAP Policy setting MaxPageSize. Look here for more information about editing the MaxPageSize variable.

Some organizations use PublicFolders in conjunction with Microsoft. These PublicFolders can be mail-enabled and should be added in the LDAP filter configuration inside eSafe Gateway. This is done by changing the default filter

(&(|(objectClass=person)(objectClass=contact)(objectClass=organizationalPerson))(!(objectClass=computer)))

in

(&(|(objectClass=person)(objectClass=contact)(objectClass=organizationalPerson)(objectClass=publicFolder))(!(objectClass=computer)))

This results in adding the mail object PublicFolder to the LDAP query.

Barracuda User Creation

I have a customer running a Barracuda SPAM firewall 300. The customer has the specific request that only the administrator can look at Quarantine messages and users shouldn’t get their own Quarantine inbox. To accomplish this I have configured the Quarantine Type: Global.

I see that all Quarantine messages are delivered in the globally configured mailbox. But sometimes the Barracadu still automatically creates an Account Address under the Users tab. The user from that Account has than the ability to look at their own quarantine messages. I thought it would help to configure the option New User Quarantine State to No, but this has no affect.

Does somebody know who to disable the function to automatically create User Accounts on the Barracuda SPAM firewall 300…??