
Barracuda Mail Device / Funny Accounts

Discussion in 'E-mail Discussions' started by hostmedic, Sep 2, 2009.

  1. hostmedic

    hostmedic Well-Known Member

    Joined:
    Apr 30, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Washington Court House, Ohio, United States
    cPanel Access Level:
    DataCenter Provider
    Hello friends - wondering if anyone can help on this one.

    We have a Barracuda Anti-Spam appliance - and love it... however one pure pain in the rear

    Apparently the normal operation is when mail comes in - the barracuda will ask the cpanel server using the mail's envelope does this user exist or not -

    The Barracuda will default to grabbing the email should the cpanel server not answer - so no email is lost.

    The issue then becomes that the barracuda then places in a 100 or more accounts that are fake to accounts like

    2340923afsdjow@domain.com - then quarantines the email.

    We have the same thing happen with an Iron Port as well - so it's not just Barracuda's issue.

    Since we don't have ldap on the cpanel server for email - like exchange would i need to figure out how to get around this...

    Is it possible to tell exim to allow more connections from 1 ip?
    From what we can tell - the issue here is since there may be too many connections @ 1 time from the barracuda and/or iron port - the system ignores them for the time being...

    I could not find the setting - so hoping the forum group can help
     
  2. MattCurry

    MattCurry Well-Known Member

    Joined:
    Aug 18, 2009
    Messages:
    275
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Houston, Tx
    Barracuda and cPanel

    Hello,


    Unfortunately it is not supported, and barracuda may have some issues. However, I am not saying it won't work, that is up to you to try
     
  3. hostmedic

    hostmedic Well-Known Member

    so how ?

    I guess my question is - how?

    At present we are not allowing any mail from any ip except the barracuda device or the iron port devices.

    This should get peeked at sooner than later I would think - as
    Anti-Spam is a serious deal.

    Being able to support something above the cpanel server to scrub email is more than just a luxury in this day and age.

    Example:

    We blocked 2,557,861 messages with our Barracuda Filter
    5812 Virus messages
    Rate Controlled 1891 messages
    Quarantined 567,355 messages
    Allowed with a tag: 3,071 messages
    and allowed 721,466 messages

    That is a total of 3,857,456 messages

    cPanel doing that alone with Spam Assassin would Cry

    We are far from the largest ISP using cPanel - heck we are non-profit...

    That being said - if we had a way to allow the barracuda and iron port devices to ask cpanel "is this a valid user" w/o cpanel not giving a reply to the envelope request due to 2 many @ a time - that would be great.

    I just don't know where to raise that limit
     
  4. edesignway

    edesignway Well-Known Member

    Joined:
    Dec 4, 2001
    Messages:
    96
    Likes Received:
    0
    Trophy Points:
    6
    If you can PM me or email me some more specifics I may be able to come up with a solution for you. sheehan [a t] edesignway.com
     
  5. hostmedic

    hostmedic Well-Known Member

    smtp_accept_max = 100

    I am assuming it has something to do w/ this setting

    smtp_accept_max = 100


    just not sure
     
  6. hostmedic

    hostmedic Well-Known Member

    :fail: not cutting the cake

    sadly - :fail: is not cutting the mustard here either
     
  7. BarracudaTech

    BarracudaTech Registered

    Joined:
    Sep 2, 2009
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Hello,

    The problem you are experiencing is due to lack of "Recipient Verification".
    Our anti spam appliance, and I am assuming Ironport's recipient verification go off of your final mail server or LDAP server (if configured) for the proper email addresses to create. It will use literally anything your setup says valid and responds with a 200 OK. Please turn this on on your mail server and/or configure the Barracuda Spam and Virus Firewall to use recipient verification, or call into support at 1-888-ANTI-SPAM to have us assist you!
     
  8. hostmedic

    hostmedic Well-Known Member

    tickets already opened

    your Barracuda tech stated

    "This appears to be a problem within Exim and cPanel.
    We suggest you contact them."

    Furthermore - cPanel does not support ldap yet :-(
     
  9. chrish.

    chrish. Member

    Joined:
    Jun 30, 2009
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    Realistically we'd be keen to know what methods are supported within Barracuda for populating a valid recipients list.

    For us LDAP is out - do they have another method?

    I don't know that there's an "officially supported" method for this, but I'd imagine with a bit of elbow grease it wouldn't be too terribly painful creating a list of valid recipients on the cPanel system via script.

    The question would be, once you have this list, in a flat text file (or csv, or whichever - the file format is trivial), does Barracuda have a method for importing it?

    Obviously it'd be a bit of an administrative nightmare to have to manually keep these lists synchronized, so we'd be keen to know if there is a way to say, rsync the list to a spot on the Barracuda appliance for their use.

    Now, I'm having a bit of trouble understanding one of the points above - it almost insinuates that they will defer their response to the external host's RCPT command until it has run this same RCPT command against Exim on the cPanel/WHM box; is there any validity to this statement, or am I misreading?

    I ask because that would mean if Exim is configured to reject (e.g. "550 No Such User") mail to non-existent addresses, we'd have a resolution. Not the tidiest method for recipient validation, but more or less functional.

    With regards to the mangling of the e-mail addresses, would this by any chance happen to be BATV (bounce address tag validation) ? Might check with Barracuda and see, I seem to recall them supporting this for some reason.

    The way BATV works is, in very brief terms, by rewriting the return address to include a cryptographic fingerprint in an effort to cut back on the amount of NDR's received as a result of "Joe Jobs" (check wiki for definition). If an NDR goes to an address that doesn't contain this fingerprint, it didn't go outbound through the BATV system, and as such is the result of a forgery, so it will be junked.

    Very brief explanation, not complete, but this is generally the reason you see content-filtering systems rewriting addresses to something that seems indecipherable on outbound e-mail.
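
The tagging and checking described in the post above, as an added example that is not part of the original post and not any vendor's code. It is modeled on the `prvs=` address layout (key number, three-digit expiry day, six hex characters of HMAC-SHA1); that layout, the key, the lifetime and all function names are assumptions of this example.

```python
import hashlib
import hmac

# Constructed demo key table (key number -> secret); real keys are random and private.
KEYS = {0: b"constructed-demo-secret"}
LIFETIME_DAYS = 7  # assumed validity window for a tagged address

def _day(now):
    """Day number since the epoch, reduced to three digits."""
    return int(now // 86400) % 1000

def _mac(key_id, ddd, address):
    """First 3 bytes (6 hex chars) of HMAC-SHA1 over key number, expiry day and address."""
    msg = f"{key_id}{ddd:03d}{address.lower()}".encode()
    return hmac.new(KEYS[key_id], msg, hashlib.sha1).hexdigest()[:6]

def sign(address, now, key_id=0):
    """Rewrite an outbound envelope sender to prvs=KDDDSSSSSS=local@domain."""
    local, domain = address.rsplit("@", 1)
    ddd = (_day(now) + LIFETIME_DAYS) % 1000
    return f"prvs={key_id}{ddd:03d}{_mac(key_id, ddd, address)}={local}@{domain}"

def verify(rcpt, now):
    """Return the original address if rcpt carries a valid, unexpired tag, else None."""
    local, _, domain = rcpt.rpartition("@")
    parts = local.split("=", 2)
    if len(parts) != 3 or parts[0].lower() != "prvs":
        return None  # untagged address
    tag, orig_local = parts[1], parts[2]
    if len(tag) != 10 or not (tag[:4].isascii() and tag[:4].isdigit()):
        return None
    key_id, ddd = int(tag[0]), int(tag[1:4])
    if key_id not in KEYS:
        return None
    address = f"{orig_local}@{domain}"
    expected = _mac(key_id, ddd, address).encode()
    if not hmac.compare_digest(tag[4:].lower().encode(), expected):
        return None  # fingerprint does not match: forged or altered
    if (ddd - _day(now)) % 1000 > LIFETIME_DAYS:
        return None  # tag is genuine but past its expiry day
    return address

def accept_bounce(mail_from, rcpt, now):
    """Only bounces (null envelope sender) are required to arrive at a tagged address."""
    if mail_from != "":
        return True
    return verify(rcpt, now) is not None
```

A gateway that tags outbound senders this way will show long, opaque-looking local parts in its logs, which is the effect the post describes.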
     
  10. taenkarth

    taenkarth Member

    Joined:
    Sep 5, 2008
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Hmmm...I am having the exact same issues. However, maybe this could be a thought on how to fix the issue.

    Ok the setup would be this.

    1. Barracuda/Ironport accepting ALL incoming mail and then routing it to the cPanel server for delivery.

    2. cPanel server only accepts inbound mail from the Barracuda/Ironport (even by firewall policies)

    Now with both of those in place there should be no other system in the world that can gain SMTP(25) access to your cPanel server to attempt to deliver mail.

    If that is the case can we not turn off in cPanel whatever it is that is used to prevent dictionary attacks? I understand that dictionary attacks are precisely why mail servers now accept all inbound messages, and then do something with them (fail). In this case though you should not be getting any dictionary attacks since the only thing attempting to route to it is the Barracuda/Ironport.

    What am I missing? Is it even possible to turn something like that off in Exim in a cPanel configuration?

    Taen
     
  11. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    In the Barracuda you can manually add a list of "valid" addresses and then tell it to only scan incoming mail destined for a valid email address [and I believe it will reject all others]. I don't know of any way to "send" a list to the barracuda. You can't just log into the Barracuda and fudge around with things via ssh or ftp. This is a crappy way to do things, but it isn't uncommon. This method IS useful though in some cases, especially if you aren't giving people unlimited filtered email accounts and want to charge a fee per email account filtered through a barracuda. If the email address isn't added by the admin to the barracuda, the enduser domain doesn't get to use the email account.

    I believe this is the case. We have a barracuda handling a lot of mail for domains whose final destination is an Imail server. A connection comes in to the barracuda for a specific domain, the barracuda contacts the Imail server to see if the user is valid - if the user is not valid, the barracuda rejects the message.

    The sample logfile from an Imail server would seem to verify this. 192.168.1.3 is the Imail server. 110.110.110.110 is the barracuda.

    Sep 5 18:56:54 hostme SMTPD (ecad0d87004cd5f6) [110.110.110.110] connect 192.168.1.3 port 60966
    Sep 5 18:56:54 hostme SMTPD (ecad0d87004cd5f6) [192.168.1.3] EHLO barracuda2.fictitiousdomain.com
    Sep 5 18:56:54 hostme SMTPD (ecad0d87004cd5f6) [192.168.1.3] MAIL FROM:<postmaster@barracudanetworks.com>
    Sep 5 18:56:54 hostme SMTPD (ecad0d87004cd5f6) [192.168.1.3] RCPT TO:<by@yousuck.com>
    Sep 5 18:56:54 hostme SMTPD (ecad0d87004cd5f6) [192.168.1.3] ERR yousuck.com invalid user <by@yousuck.com
    Sep 5 18:56:55 hostme SMTPD (ecad0d87004cd5f6) [192.168.1.3] RCPT TO:<by@yousuck.com>
    Sep 5 18:56:55 hostme SMTPD (ecad0d87004cd5f6) [192.168.1.3] ERR yousuck.com invalid user <by@yousuck.com
    Sep 5 18:56:57 hostme SMTPD (ecad0d87004cd5f6) [192.168.1.3] RCPT TO:<by@yousuck.com>
    Sep 5 18:56:57 hostme SMTPD (ecad0d87004cd5f6) [192.168.1.3] ERR yousuck.com invalid user <by@yousuck.com

    As you can see, the barracuda connected to the Imail server to see if the account existed, when it did not it then did not proceed any further with an attempt to deliver.

    The barracuda would return this if bob@notavaliddomain.com sent an email to by@yousuck.com:

    550 cuda_nsu unknown user <by@yousuck.com>

    The barracuda would return the above message after first contacting the Imail server handling yousuck.com mail and finding out that it is an invalid recipient.

    NOTE: the barracuda, when checking the final mailserver for existence of the email account, will always use the same FROM address (which was postmaster@barracudanetworks.com in the above example - which should be configured properly to be something else in a real world environment) when checking if the final recipient is a valid recipient in that domain.

    Mike
     
  12. chrish.

    chrish. Member

    yeah, that I don't get

    If you're already providing a list of valid addresses to the Barracuda device, why should it poll another system?

    Rather, if it already knows foo@bar.com is invalid because you've already provided it with a list of valid addresses, and that aint on the list....why is it trying to validate it a second time against the backend MTA? You already know it's an invalid address, don't waste connections to the backend MTA, bounce the thing, and carry on my wayward son.

    If it's going to connect to your backend MTA anyway, you're not saving any processing time or resources by providing it with a list of valid recipients.

    I'm not saying it does this, I've never worked with their appliance (and it's been a while since I've touched IronPort), this is an assumption based upon the behaviour being described in this thread.

    So hopping off of that tangent for a moment, assuming their recipient validation works by connecting to the backend MTA and checking the response to RCPT, all we need to do is have Exim 550 a message if it's an invalid user - which I'd think you could do by simply setting default action for non-existent to :fail
     
  13. mtindor

    mtindor Well-Known Member

    You misunderstood me, or I didn't state the facts clearly.

    If you manually add a list of recipients and tell Barracuda to check only those addresses, it doesn't poll the final MTA for the existence of the account. If you do NOT add the list of accounts manually to the Barracuda, or if you have but you have not instructed the Barracuda to only scan for those addresses, it will poll the final MTA.

    BTW, Carry On My Wayward Son is an awesome tune :)

    That is correct - that is all that needs done, and it's easily accomplished in the fashion you stated - set default action to :fail

    Mike
     
  14. hostmedic

    hostmedic Well-Known Member

    :fail Barracuda (funny sounds like a twitter posting)

    If only :fail worked.

    We are seeing that :fail does not work.
    In short - if cpanel takes too long to get back - then the mail just pulls in.
    Also - when a client creates a "catch all" - then it causes that not to work as well.

    Again - if ldap were to be in play - then this would not happen.

    We have instructed our clients not to use catch alls - and even have :fail replacements setup on cron every hour.

    We get a report on what got replaced in that hour - and sadly even have clients who put it back in place even after we say don't.

    So - 2 things.

    1. how to get ldap (openldap maybe? ) into cPanel is a potential fix .
    2. how to remove that silly "default email addy" option from the template :) is kinda another option

    bottom line - both are excellent products - but could be made so much better if they worked well together
     
  15. mtindor

    mtindor Well-Known Member

    File a feature request for OpenLDAP then. I'm sure somebody probably already has one open. Requesting here in the forums isn't going to do any good.

    1. :fail does work

    I set up my personal domain (on a Cpanel machine) to have its mail scrubbed by our barracuda. I set up my personal domain in the barracuda (I didn't manually add addresses to the barracuda).

    I then sent an email to bobdog@mypersonaldomain.com from my gmail account.

    - the email hit the barracuda
    - the barracuda connected to the cpanel server to see if bobdog@mypersonaldomain.com existed
    - the cpanel server issued a 550
    - the barracuda then rejected (during SMTP) the message from my Gmail account
    - Gmail sent me a notification that the email was not delivered

    2009-09-08 13:44:19 H=(barracuda.mycompany.com) [xx.xxx.xxx.xxx] F=<postmaster@barracudanetworks.com> rejected RCPT <bobdog@mypersonaldomain.com>: No such user here

    I got this message back in my Gmail account:

    This is an automatically generated Delivery Status Notification

    Delivery to the following recipient failed permanently:

    bobdog@mypersonaldomain.com

    Technical details of permanent failure:
    Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 cuda_nsu No such user here (state 14).


    Mike

    PS: I have the following in my /etc/valiases/mypersonaldomain.com:

    *: :fail: No such user here
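
An audit for the catch-all problem raised in the two posts above, as an added example that is not part of any post: it reads every file under `/etc/valiases` and reports domains whose `*:` default is not `:fail:`, because any other default makes the backend accept the gateway's RCPT check for every address. The status names, function names and sample file contents are constructed for this example.

```python
import tempfile
from pathlib import Path

def default_action(text):
    """Return the right-hand side of the '*:' entry in one valiases file, or None."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip() == "*":
            return value.strip()
    return None

def classify(action):
    """Map a default action to what a recipient-verification probe would observe."""
    if action is None:
        return "no-default"      # no '*:' line; review by hand
    if action.lower().startswith(":fail:"):
        return "rejects"         # unknown users are refused at RCPT time
    return "accepts-all"         # catch-all or discard: every RCPT is accepted

def audit(valiases_dir="/etc/valiases"):
    """Return {domain: status} for every domain that does not reject unknown users."""
    findings = {}
    for path in sorted(Path(valiases_dir).iterdir()):
        if not path.is_file():
            continue
        status = classify(default_action(path.read_text(errors="replace")))
        if status != "rejects":
            findings[path.name] = status
    return findings

# Constructed sample files (domain -> file contents), not taken from a real server.
SAMPLE = {
    "good.example": "*: :fail: No such user here\ninfo@good.example: info\n",
    "catchall.example": "sales@catchall.example: sales\n*: webuser\n",
    "discard.example": "*: :blackhole:\n",
    "nodefault.example": "bob@nodefault.example: bob\n",
}

def demo():
    """Write the constructed samples to a temporary directory and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        for domain, body in SAMPLE.items():
            (Path(tmp) / domain).write_text(body)
        return audit(tmp)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit(target) if target else demo()
    for domain, status in results.items():
        print(f"{domain}: {status}")
```

Run with the directory as its argument on the mail server; with no argument it audits the constructed samples.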
     
  16. mtindor

    mtindor Well-Known Member

    Read my message above.

    Make sure that in the Exim Configuration Editor you have whitelisted the barracuda IP address(es) from rate limiting!

    Mike
     
  17. hostmedic

    hostmedic Well-Known Member

    Been there done that -
    now back to the original question

    How can we make it so that exim does not take a dump when it has x amount of requests from the same ip.

    We have 60 cpanel boxes 4 barracudas and 2 ironports w/ this issue

    It might be working if you don't have the large level of email hitting -
    when we test box to box - low #'s of email - works like a charm

    Now for the box stats

    Quad Xeon 3 Ghz 8GB Ram
    - hardly child's play machines
     
  18. mtindor

    mtindor Well-Known Member

    Did you do this? If you don't whitelist the Barracuda servers or if you don't disable ratelimiting completely, you're going to have the Cpanel server ratelimiting if you are sending a ton of mail to it from the same IP address - especially if some of the recipients are invalid recipients.

    And I can guarantee that if you aren't manually adding the valid email addresses to the Barracuda and specifically telling the Barracuda to only scan for valid email accounts that you have added, then the Barracuda is going to be checking each of your Cpanel servers for the existence of plenty of nonexistent addresses - and the Cpanel servers are going to ratelimit.

    Mike
     
  19. hostmedic

    hostmedic Well-Known Member

    yes ratelimited disabled

    yes - thanks mike for working through this -

    each box is not ratelimiting - as we have whitelisted the barracudas and ironports

    since we see it on both - tells me it's more than just ratelimit :-/
    wondering if we can get exim to allow more than just x connections perhaps

    we today have blocked over 1 million emails / spam and its only 2PM

    busy little clusters -

    I am willing to bet yours may show much less - so it might just be a deal of 2 many connections period -

    thus back to the question - how can we raise the # of connections we allow from the barracuda to cpanel's exim.

    I am convinced the issue is on the side of exim - not the barracuda - or ironport would be working
     
  20. chrish.

    chrish. Member

    taking a shot in the dark here, might be looking for something like

    smtp_accept_max
    smtp_accept_max_per_host

    within exim.conf via the advanced configuration editor menu

    (NOTE: with all direct mods, i think the official tag line is "we totally don't formally support it, but here's how you do it anyway...")

    I feel silly and paranoid giving that disclaimer, but it's a must I reckon.
     