Barracuda Mail Device / Funny Accounts

[hostmedic]

Hello friends - wondering if anyone can help on this one.

We have a Barracuda Anti-Spam appliance - and love it... however one pure pain in the rear

Apparently the normal operation is when mail comes in - the barracuda will ask the cpanel server using the mailes envelope does this user exist or not -

The Barracuda will default to grabbing the email should to cpanel server not answer - so no email is lost.

The issue then becomes that the barracuda then places in a 100 or more accounts that are fake to accounts like

2340923afsdjow@domain.com - then quarantines the email.

We have the same thing happen with an Iron Port as well - so its not just Barracuda's issue.

Since we don't have ldap on the cpanel server for email - like exchange would i need to figure out how to get around this...

Is it possible to tell exim to allow more connections from 1 ip?
From what we can tell - the issue here is since there may be to many connections @ 1 time from the barracuda and/or iron port - the system ignores them for the time being...

I could not find the setting - so hoping the forum group can help

[cPanelMattCurry]

Hello,


Unfortunately it is not supported, and barracuda may have some issues. However, I am not saying it wont work, that is up to you to try

[hostmedic]

I guess my question is - how?

At present we are not allowign any mail from any ip except the barracuda device or the iron port devices.

This should get peeked at sooner than later I would think - as
Anti-Spam is a serious deal.

Being able to support something above the cpanel server to scrub email is more than just a luxury in this day and age.

Example:

We blocked 2,557,861 messages with our Barracuda Filter
5812 Virus messages
Rate Controlled 1891 messages
Quarantined 567,355 messages
Allowed with a tag: 3,071 messages
and allowed 721,466 messages

That is a total of 3,857,456 messages

cPanel doing that alone with Spam Assassin would Cry

We are far from the largest ISP using cPanel - heck we are non-profit...

That being said - if we had a way to allow the barracuda and iron port devices to ask cpanel "is this a valid user" w/o cpanel not giving a reply to the envelope request due to 2 many @ a time - that would be great.

I just don't know where to raise that limit

[edesignway]

If you can PM me or email me some more specifics I may be able to come up with a solution for you. sheehan [a t] edesignway.com

[hostmedic]

I am assuming it has something to do w/ this setting

smtp_accept_max = 100


just not sure

[hostmedic]

sadly - :fail: is not cutting the mustard here either

[BarracudaTech]

Hello,

The problem you are experiencing is due to lack of "Recipient Verification".
Our anti spam appliance, and I am assuming Ironports recipient verification go off of your final mail server or LDAP server (if configured) for the proper email addresses to create. It will use literally anything your setup says valid and responds with a 200 OK. Please turn this on on your mail server and/or configure the Barracuda Spam and Virus Firewall to use recipient verification, or call into support at 1-888-ANTI-SPAM to have us assist you!

[hostmedic]

your Barracuda tech stated

"This appears to be a problem within Exim and cPanel.
We suggest you contact them."

Furthermore - cPanel does not support ldap yet :-(

[cpanelchrish]

Realistically we'd be keen to know what methods are supported within Barracuda for populating a valid recipients list.

For us LDAP is out - do they have another method?

I don't know that there's an "officially supported" method for this, but I'd imagine a bit of elbow grease it wouldn't be too terribly painful creating a list of valid recipients on the cPanel system via script.

The question would be, once you have this list, in a flat text file (or csv, or whichever - the file format is trivial), does Barracuda have a method for importing it?

Obviously it'd be a bit of an administrative nightmare to have to manually keep these lists synchronized, so we'd be keen to know if there is a way to say, rsync the list to a spot on the Barracuda appliance for their use.

Now, I'm having a bit of trouble understanding one of the points above - it almost insinuates that they will defer their response to the external host's RCPT command until it has run this same RCPT command against Exim on the cPanel/WHM box; is there any validity to this statement, or am I misreading?

I ask because that would mean if Exim is configured to reject (e.g. "550 No Such User) mail to non-existent addresses, we'd have a resolution. Not the tidiest method for recipient validation, but more or less functional.

With regards to the mangling of the e-mail addresses, would this by any chance happen to be BATV (bounce address tag validation) ? Might check with Barracuda and see, I seem to recall them supporting this for some reason.

The way BATV works is, in very brief terms, by rewriting the return address to include a cryptographic fingeprint in an effort to cut back on the amount of NDR's received as a result of "Joe Jobs" (check wiki for definition). If an NDR goes to an address that doesn't contain this fingerprint, it didn't go outbound through the BATV system, and as such is the result of a forgery, so it will be junked.

Very brief explanation, not complete, but this is generally the reason you see content-filtering systems rewriting addresses to something that seems indecipherable on outbound e-mail.

[taenkarth]

Hmmm...I am having the exact same issues. However, maybe this could be a thought on how to fix the issue.

Ok the setup would be this.

1. Barracuda/Ironport accepting ALL incoming mail and then routing it to the cPanel server for delivery.

2. cPanel server only accepts inbound mail from the Barracuda/Ironport (even by firewall policies)

Now with both of those in place there should be no other system in the world that can gain SMTP(25) access to your cPanel server to attempt to deliver mail.

If that is the case can we not turn off in cPanel whatever it is that is used to prevent dicionary attacks? I understand that dictionary attacks are precisely why mail server now accept all inbound messages, and then do something with them (fail). In this case though you should not be getting any dictionary attacks since the only thing attempting to route to it is the Barracuda/Ironport.

What am I missing? Is it even possible to turn something like that off in Exim in a cPanel configuration?

Taen

[mtindor]

Realistically we'd be keen to know what methods are supported within Barracuda for populating a valid recipients list.

For us LDAP is out - do they have another method?

In the Barracuda you can manually add a list of "valid" addresses and then tell it to only scan incoming mail destined for a valid email address [and I believe it will reject all others]. I don't know of any way to "send" a list to the barracuda. You can't just log into the Barracuda and fudge around with things via ssh or ftp. This is a crappy way to do things, but it isn't uncommon. This method IS useful though in some cases, especially if you aren't giving people unlimited filtered email accounts and want to charge a fee per email account filtered through a barracuda. If the email address isn't added by the admin to the barracuda, the enduser domain doesn't get to use the email account.

Now, I'm having a bit of trouble understanding one of the points above - it almost insinuates that they will defer their response to the external host's RCPT command until it has run this same RCPT command against Exim on the cPanel/WHM box; is there any validity to this statement, or am I misreading?

I ask because that would mean if Exim is configured to reject (e.g. "550 No Such User) mail to non-existent addresses, we'd have a resolution. Not the tidiest method for recipient validation, but more or less functional.

I believe this is the case. We have a barracuda handling a lot of mail for domains whose final destination is an Imail server. A connection comes in to the barracuda for a specific domain, the barracuda contacts the Imail server to see if the user is valid - if the user is not valid, the barracuda rejects the message.

The sample logfile from an Imail server would seem to verify this. 192.168.1.3 is the Imail server. 110.110.110.110 is the barracuda.

Sep 5 18:56:54 hostme SMTPD (ecad0d87004cd5f6) [110.110.110.110] connect 192.168.1.3 port 60966
Sep 5 18:56:54 hostme SMTPD (ecad0d87004cd5f6) [192.168.1.3] EHLO barracuda2.fictitiousdomain.com
Sep 5 18:56:54 hostme SMTPD (ecad0d87004cd5f6) [192.168.1.3] MAIL FROM:<postmaster@barracudanetworks.com>
Sep 5 18:56:54 hostme SMTPD (ecad0d87004cd5f6) [192.168.1.3] RCPT TO:<by@yousuck.com>
Sep 5 18:56:54 hostme SMTPD (ecad0d87004cd5f6) [192.168.1.3] ERR yousuck.com invalid user <by@yousuck.com
Sep 5 18:56:55 hostme SMTPD (ecad0d87004cd5f6) [192.168.1.3] RCPT TO:<by@yousuck.com>
Sep 5 18:56:55 hostme SMTPD (ecad0d87004cd5f6) [192.168.1.3] ERR yousuck.com invalid user <by@yousuck.com
Sep 5 18:56:57 hostme SMTPD (ecad0d87004cd5f6) [192.168.1.3] RCPT TO:<by@yousuck.com>
Sep 5 18:56:57 hostme SMTPD (ecad0d87004cd5f6) [192.168.1.3] ERR yousuck.com invalid user <by@yousuck.com

As you can see, the barracuda connected to the Imail server to see if the account existed, when it did not it then did not proceed any further with an attempt to deliver.

The barracuda would return this if bob@notavaliddomain.com sent an email to by@yousuck.com:

550 cuda_nsu unknown user <by@yousuck.com>

The barracuda would return the above message after first contacting the Imail server handling yousuck.com mail and finding out that it is an invalid recipient.

NOTE: the barracuda, when checking the final mailserver for existence of the email account, will always use the same FROM address (which was postmaster@barracudanetworks.com in the above example - which should be configured properly to be something else in a real world environment) when checking if the final recipient is a valid recipient in that domain.

Mike

[cpanelchrish]

yeah, that I don't get

If you're already providing a list of valid addresses to the Barracuda device, why should it poll another system?

Rather, if it already knows foo@bar.com is invalid because you've already provided it with a list of valid addresses, and that aint on the list....why is it trying to validate it a second time against the backend MTA? You already know it's an invalid address, don't waste connections to the backend MTA, bounce the thing, and carry on my wayward son.

If it's going to connect to your backend MTA anyway, you're not saving any processing time or resources by providing it with a list of valid recipients.

I'm not saying it does this, I've never worked with their appliance (and it's been a while since I've touched IronPort), this is an assumption based upon the behaviour being described in this thread.

So hopping off of that tangent for a moment, assuming their recipient validation works by connecting to the backend MTA and checking the response to RCPT, all we need to do is have Exim 550 a message if it's an invalid user - which I'd think you could do by simply setting default action for non-existent to :fail

[mtindor]

yeah, that I don't get

If you're already providing a list of valid addresses to the Barracuda device, why should it poll another system?

You misunderstood me, or I didn't state the facts clearly.

If you manually add a list of recipients and tell Barracuda to check only those addresses, it doesn't poll the final MTA for the existence of the account. If you do NOT add the list of accounts manually to the Barracuda, or if you have but you have not instructed the Barracuda to only scan for those addresses, it will poll the final MTA.

BTW, Carry On My Warward Son is an awesome tune

So hopping off of that tangent for a moment, assuming their recipient validation works by connecting to the backend MTA and checking the response to RCPT, all we need to do is have Exim 550 a message if it's an invalid user - which I'd think you could do by simply setting default action for non-existent to :fail

That is correct - that is all that needs done, and it's easily accomplished in the fashion you stated - set default action to :fail

Mike

[hostmedic]

If only :fail worked.

We are seeing that :fail does not work.
In short - if cpanel takes to long to get back - then the mail just pulls in.
Also - when a client creates a "catch all" - then it causes that not to work as well.

Again - if ldap were to be in play - then this would not happen.

We have instructed our clients not to use catch alls - and even have :fail replacements setup on cron every hour.

We get a report on what got replaced in that hour - and sadly even have clients who put it back in place even after we say don't.

So - 2 things.

1. how to get ldap (openldap maybe? ) into cPanel is a potential fix .
2. how to remove that silly "default email addy" option from the template :-) is kinda another option

bottom line - both are excellent products - but could be made so much better if they worked well together

[mtindor]

If only :fail worked.

We are seeing that :fail does not work.
In short - if cpanel takes to long to get back - then the mail just pulls in.
Also - when a client creates a "catch all" - then it causes that not to work as well.

Again - if ldap were to be in play - then this would not happen.

We have instructed our clients not to use catch alls - and even have :fail replacements setup on cron every hour.

We get a report on what got replaced in that hour - and sadly even have clients who put it back in place even after we say don't.

So - 2 things.

1. how to get ldap (openldap maybe? ) into cPanel is a potential fix .
2. how to remove that silly "default email addy" option from the template :-) is kinda another option

bottom line - both are excellent products - but could be made so much better if they worked well together

File a feature request for OpenLDAP then. I'm sure somebody probably already has one open. Requesting here in the forums isn't going to do any good.

1. :fail does work

I set up my personal domain (on a Cpanel machine) to have its mail scrubbed by our barracuda. i set up my personal domain in the barracuda (I didn't manually add addresses to teh barracuda).

I then sent an email to bobdog@mypersonaldomain.com from my gmail account.

- the email hit the barracuda
- the barracuda connected to the cpanel server to see if bobdog@mypersonaldomain.com existed
- the cpanel server issued a 550
- the barracuda then rejected (during SMTP) the message from my Gmail account
- Gmail sent me a notification that the email was not delivered

2009-09-08 13:44:19 H=(barracuda.mycompany.com) [xx.xxx.xxx.xxx] F=<postmaster@barracudanetworks.com> rejected RCPT <bobdog@mypersonaldomain.com>: No such user here

I got this message back in my Gmail account:

This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed permanently:

bobdog@mypersonaldomain.com

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 cuda_nsu No such user here (state 14).

Mike

PS: I have the following in my /etc/valiases/mypersonaldomain.com:

*: :fail: No such user here