Syed Jahanzaib Personal Blog to Share Knowledge !

February 14, 2019

Barracuda Email Security Gateway – Short Notes

Filed under: Emails - Antispam — Tags: , — Syed Jahanzaib / Pinochio~:) @ 12:58 PM

barracuda.jpg

We run our own email server hosted locally on IBM Lotus Domino Server. Last year we acquired a Barracuda Email Security Gateway hardware appliance (BSFI300a) to filter spam/junk emails. It came along with 1 Year Total Protection Plus & 1 Year IR (instant replacement). Hardware quality is enterprise grade & we haven’t encountered any failure so far.


Barracuda usage in our organization ~

For some reasons, we use this device to filter incoming emails only. Outgoing emails are delivered to the recipient/destination email server directly from our Domino server via the main gateway router (bypassing Barracuda for outgoing emails). This was done for better tracking of outgoing/sent emails, as Domino provides more detailed logs than Barracuda. But IMO it is better to use the antispam device/app as a centralized gateway to filter/control both incoming and outgoing email transactions.


Barracuda effectiveness in filtering Spam ~

In percentage terms, it is blocking spam up to 96-97% effectively. We regularly review its message logs and report uncaught spam to Barracuda Central; we never receive such email from that host again, so I suppose their monitoring team is reviewing the submissions actively. The biggest advantage is that it has a variety of filtering options: we enabled the Reverse DNS entry check, SPF and a few other rules, and our biggest headache of SPOOFED emails got solved.


Past experience with Symantec SMSDOM ~

Before this we were using Symantec Mail Security for Domino (SMSDOM) for about 10 years, but it got discontinued & declared EOL. SMSDOM filtering was not very effective & was a constant headache for us: on average it was blocking just 80%. Spoofed emails were the biggest issue, then it was not able to scan files inside archives, plus the famous issue with PDF archives.

Barracuda Hardware Specs for 300 Model

[Spec sheet images: Barracuda 300 user support; Barracuda 300 other specs]


Some Snapshots …

[Screenshots: Barracuda 300 dashboard, parts 1-3]


Tips & Common Usage

Following are a few short notes for reference purposes. First, login to Barracuda with the admin account.

Device Web Management Port

  • 8000

View email messages LOG

Goto Basic > Message Log

SMTP Banner / Attachment Size Limit / SPF,Helo, Ehlo settings

Goto ADVANCED > Email Protocol

TIP: Enabling SPF really helps! But make sure you have a proper SPF record on your domain's DNS server.


Ping/Dig/Telnet Test / View LIVE Mail process Log

Goto ADVANCED > Troubleshooting

Firmware Update

Goto ADVANCED > Firmware Update

IP + DNS configuration / Destination Mail Server / Barracuda Hostname Page

Goto Basic > IP Configuration

Password Change / Log Management / System Management (reset logs, restart, shutdown)

Goto Basic > IP Configuration > Administration

Allow/Block Domain

Goto Basic > BASIC > BLOCK/ACCEPT > Sender Filters

Blocking Marketing & Tagged emails


Block specific extensions

Goto BASIC > BLOCK/ACCEPT > Attachment Filters


Blocking particular emails using the Content filter

For example, if you want to block emails that have a particular word in the subject, header or body.


Check Queued emails

Goto Advanced > Queue Management

Device Backup/Restore/Scheduled

Goto Advanced > Backups

NTP configuration

Goto Advanced > Advanced Networking

* Block SPOOFED messages *

Goto `DOMAINS` > `DOMAIN MANAGER`

under `Current Domain Count` , click on `MANAGE Domain`

then goto `ADVANCED` > `Email Protocols`

& select `YES` under `Reject messages from my domain`


Also read this regarding SPOOFED bypass check.


Will keep adding more information as explored or requested.


General Tips for better email acceptance at remote email servers on internet

Following are general tips every email administrator should follow to avoid their emails being rejected by different internet hosts.

  • Make sure your ISP has a PTR record for your email server name: if you have acquired a public IP from the ISP, ask them to create a reverse DNS / PTR record for your MAIL server's public IP
    Example: IP 1.2.3.4 should resolve to > mail.xyz.com
  • Set up an A record in your web site DNS so the server name resolves to the IP
    Example: mail.xyz.com should resolve to > 1.2.3.4
  • Add your SPF record with the correct details (add all SMTP relays to it if you are using your ISP's SMTP relay)
  • The SMTP welcome banner should be your email server's FQDN
  • Make sure you have a valid SPF record to avoid spoofing of your domain name by spammers; Gmail highly recommends it as well.
  • Adding DKIM/DMARC for your domain name is a good addition.
  • Try using your ISP's SMTP as relay as the first line.
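The PTR/A/SPF checks above can be scripted so you can verify them before a remote server rejects you. The following is an added example, not from the original post: it replaces live DNS with a constructed answer table (hostnames and IPs are the post's example values plus documentation ranges) and checks forward-confirmed reverse DNS, the MX pointer, and whether the SPF record (including `include:` chains) covers the sending IP.

```python
import ipaddress

# Constructed DNS answers standing in for live lookups (example data, not real records).
FAKE_DNS = {
    ("mail.xyz.com", "A"): ["1.2.3.4"],
    ("4.3.2.1.in-addr.arpa", "PTR"): ["mail.xyz.com"],
    ("xyz.com", "MX"): ["mail.xyz.com"],
    ("xyz.com", "TXT"): ["v=spf1 ip4:1.2.3.4 include:relay.isp.example -all"],
    ("relay.isp.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
}

def lookup(name, rtype):
    """Stand-in resolver; swap for a real DNS query to use against live domains."""
    return FAKE_DNS.get((name.rstrip("."), rtype), [])

def fcrdns_ok(hostname, ip):
    """Forward-confirmed reverse DNS: PTR of ip names hostname, and hostname's A returns ip."""
    ptr_name = ipaddress.ip_address(ip).reverse_pointer
    ptrs = [p.rstrip(".") for p in lookup(ptr_name, "PTR")]
    return hostname in ptrs and ip in lookup(hostname, "A")

def spf_allows(domain, ip, depth=0):
    """Walk the domain's SPF record; True if ip matches an ip4 or include mechanism."""
    if depth > 10:  # crude stand-in for RFC 7208's limit on DNS-querying mechanisms
        return False
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if len(records) != 1:
        return False  # no SPF record, or more than one, is a permanent error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return True
        elif term.startswith("include:"):
            if spf_allows(term[8:], ip, depth + 1):
                return True
    return False  # fell through to the final "-all" (or no match at all)

def mail_server_report(domain, hostname, ip):
    """Summarise the three checks a receiving server is likely to apply."""
    return {
        "mx_points_to_host": hostname in [m.rstrip(".") for m in lookup(domain, "MX")],
        "fcrdns": fcrdns_ok(hostname, ip),
        "spf_covers_ip": spf_allows(domain, ip),
    }

if __name__ == "__main__":
    print(mail_server_report("xyz.com", "mail.xyz.com", "1.2.3.4"))
```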

Some online tools to check for email server


The most effective way to check your domain and email server health is to visit the following URL:

https://mxtoolbox.com/domain

A good-looking result should be something like this:

[mxtoolbox screenshots: Domain Name MX Record Test; Email Server Test; Domain Name SPF Record Test]


PROBLEMS & Their workarounds/solutions !

This has happened a second time: Barracuda's SMTP transaction responses were getting very slow, & inbound emails were arriving with a 3-5 minute delay. For example, if we test it from outside (mxtoolbox):

“SMTP Transaction Time 18.341 seconds – Not good! on Transaction Time”

It starts working fine after a reboot & the SMTP transaction time drops to 2-3 seconds only. Also, if we bypass Barracuda (routing rules) it works fine.

Other Details: our Internet connectivity: very good
Firmware Latest: v8.1.0.003 [as of March 2019]
Performance Statistics
In/Out Queue Size: 0/0
Average Latency: 88 seconds
Last Message: 1 minute ago
Unique Recipients: 276
System Load: 2%
CPU 1 Fan Speed: 4143 RPM
System Fan 1 Speed: 8333 RPM
CPU 1 Temperature: 28.0°C
System Temperature 2: 23.0°C
Temperature 1: 27.8°C
Temperature 2: 29.8°C
Firmware Storage: 62%
Mail/Log Storage: 18%

Yesterday we contacted Barracuda support, and they did some tune-up late at night via tunnel support & replied that “they have allocated more resources to the appliance to give it more to work with, which will help the device process emails”.

From this morning we are seeing normal SMTP transaction response times. We will keep monitoring & update.

March 2019 update: it seems the tuning done by the Barracuda support team has solved the issue. There are no more extra delays in INBOUND SMTP transactions.


Configuring ATP (Advanced Threat Protection) along with CPL [Cloud Protection Layer]

We acquired the Barracuda device along with Total Protection Plus, which included ATP as well. Initially we thought ATP was a built-in feature of this device, enabled by the Total Threat Protection bundle, but after 10 months of usage it came to our knowledge that you need to enable ATP by configuring the CPL option in the device. For this you need an account and device registration at

https://login.barracudanetworks.com/account

In the Barracuda ESG:

  • Goto ADVANCED
  • Cloud Control
  • & select YES for Connect to Barracuda Cloud Control

Enter your account details and press SAVE; shortly it will connect with the Barracuda Cloud.

You can then see your appliance at “https://bcc.barracudanetworks.com/cgi-mod/index.cgi”


Some points to be noted.

  • In your web site domain panel, make sure you modify the MX entries so that all inbound emails first arrive at the Barracuda data center (depends on which region data center you selected); then in CPL > DOMAINS, add your domain and email server there.

We selected the US region when setting up CPL online, and used the following in our web site domain DNS MX records:

  • Primary: d180739a.ess.barracudanetworks.com
  • Backup: d180739b.ess.barracudanetworks.com

This way all inbound mail arrives at Barracuda, is filtered/scanned, and is forwarded to your mail server IP, where the Barracuda ESG must be in front and will then forward it to your local server.


  • Under your Barracuda ESG device, make sure to exempt traffic coming from the Barracuda cloud IP range list under Rate Control.

The IP ranges can be found here:

https://campus.barracuda.com/product/emailsecuritygateway/doc/78807368/cloud-protection-layer-ip-ranges

Now we have enabled Barracuda Cloud Control and, in our web site public DNS, changed the MX record from 1.2.3.4 to the Barracuda cloud x.x.x.x, so all of our inbound emails now first arrive at the Barracuda cloud, which filters them and sends them to our 1.2.3.4, which filters and forwards them to the ESG (via our firewall router).

  • To further secure the SMTP port on the firewall router, we have now altered the SMTP forward rule to accept SMTP traffic only from the Barracuda cloud IP ranges; this way we have got rid of many authentication / hacking / knocking requests on the SMTP port.

🙂


Regard’s
Syed Jahanzaib


February 6, 2019

Unable to access Windows 2003 shared folder from Windows 10

Filed under: Microsoft Related — Tags: , , , , — Syed Jahanzaib / Pinochio~:) @ 1:04 PM



We have some folders shared on an old Windows 2003 box; while trying to access them from a Windows 10 workstation, we see the following error …


In Windows 10 Fall Creators Update and Windows Server, version 1709 (RS3) and later versions, the Server Message Block version 1 (SMBv1) network protocol is no longer installed by default. To enable it:

Start PowerShell in privileged (elevated) mode on your Windows 10 workstation: open CMD as administrator and run

powershell

Now get the status of SMB1Protocol:

Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

It will probably be in the Disabled state; change it to Enabled using the following command:

Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

Afterwards it may ask you to reboot the machine; do so, so that the changes can take effect.

Status after enabling SMB1Protocol

PS C:\> Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

FeatureName : SMB1Protocol
DisplayName : SMB 1.0/CIFS File Sharing Support
Description : Support for the SMB 1.0/CIFS file sharing protocol, and the Computer Browser protocol.
RestartRequired : Possible
State : Enabled
CustomProperties :
ServerComponent\Description : Support for the SMB 1.0/CIFS file sharing protocol, and the Computer
Browser protocol.
ServerComponent\DisplayName : SMB 1.0/CIFS File Sharing Support
ServerComponent\Id : 487
ServerComponent\Type : Feature
ServerComponent\UniqueName : FS-SMB1
ServerComponent\Deploys\Update\Name : SMB1Protocol

Now try to access the Windows 2003 shared folder & hopefully it will work fine.


Disable SMB v1 in Windows

Open a PowerShell prompt and issue:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Note that this registry value controls the SMBv1 server component (LanmanServer) only; to remove the whole SMB 1.0/CIFS feature again, including the client side, use Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol.

Disable SMB1 using Windows registry

You can also tweak the Windows Registry to disable SMB1.

Run regedit and navigate to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

In the right side, the DWORD SMB1 should not be present or should have a value of 0.

The values for enabling and disabling it are as follows:

0 = Disabled
1 = Enabled


Regard’s
Syed Jahanzaib

February 1, 2019

Forced routing of selective emails to ISP SMTP via Mikrotik Routing

Filed under: IBM Related, Mikrotik Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 10:06 AM



Scenario:

We have a LAN environment with our own email server [IBM Lotus Domino] hosted locally. A Mikrotik router acts as our gateway router with a /29 public pool, & port forwarding from the Mikrotik public IP to the email server is configured. A Barracuda antispam gateway is in place as well.

Problem & Challenges :

Sometimes a few email servers on the internet do not accept our emails: they either bounce them back or silently drop them, despite our public IP not being listed on any blacklist on the internet [it happens commonly with Microsoft-hosted email servers, as they silently drop our emails without giving any reason]. If we use our ISP's SMTP as relay in the Domino configuration, the emails are delivered to those particular servers without a problem. But we cannot use the ISP SMTP for all email routing/relaying, as they have a per-day sending limit, and we do not get proper reports for delivered or held emails.

Another BIG problem is that sometimes the ISP’s SMTP server IP gets banned/added to Spamhaus or a similar SPAM blacklist database, & when this happens 80-90% of emails bounce back.

So we needed a solution where we do not use the ISP SMTP relay all the time, but only mail for particular destination email servers is routed to the ISP SMTP, & it should all be controlled by our Mikrotik RouterOS dynamically/centrally.


Solution:

First, create an address list containing the IP addresses (or DNS names) of the remote email servers [that do not accept our emails directly]:

/ip firewall address-list
add address=smtp.remotemail.server.com comment="remote company mail server X IP" list=few_mails_routing_2_primary_ISP_smtp

Now, using a NAT rule, all port 25 traffic going to the above address list is forcefully redirected to the ISP SMTP with the rule below …

# 1.2.3.4 is the ISP SMTP IP

/ip firewall nat
add action=dst-nat chain=dstnat comment="Few Mails Routing 2 primary ISP smtp" dst-address-list=few_mails_routing_2_primary_ISP_smtp dst-port=25 protocol=tcp to-addresses=1.2.3.4 to-ports=25

It’s done.

BUT the next challenge is to cope with the ISP changing its SMTP IP address for whatever reason, so we need to schedule a script that keeps checking the ISP SMTP IP by resolving it via Google DNS and updates the ISP SMTP IP in the NAT rule. [As far as I know we cannot put a DNS name in the TO-ADDRESSES field, which is why putting an IP is necessary, & updating it dynamically is also essential to avoid bounced emails due to blacklisting of the ISP's old SMTP IP.]

The script (or rather the workaround I suggest for this very particular problem):

# Mikrotik RouterOS script to resolve the ISP SMTP host and update the NAT rule with the result
# Useful in a scenario where the ISP changes its SMTP IP frequently (to avoid SMTP blacklisting)
# Script by Syed Jahanzaib / aacable at hotmail dot com / https : // aacable . wordpress . com
# 31-January-2019
# Comment of the NAT rule to update; must match the rule's comment exactly (see the dst-nat rule above)
:local COMMENT "Few Mails Routing 2 primary ISP smtp";
# DNS name of the ISP SMTP server to resolve
:local ISP1SMTPDNSNAME "smtp.multi.net.pk";
# DNS server used for resolving
:local DNSSERVER "8.8.8.8";
# Default SMTP IP, used if resolving fails for whatever reason
:local DEFAULTSMTP "202.141.224.89";
# Destination port that needs to be redirected
:local DSTPORT "25";
# Date/time variables for logging
:local date [/system clock get date];
:local time [/system clock get time];
# Record the script's last execution date/time
:global SMTPLastCheckTime;
:set SMTPLastCheckTime ($time . " " . $date);

# Global variables holding the active ISP SMTP IP and the result of the last resolve
:global ISP1ACTIVEIP4SMTP;
:global ISP1SMTPLASTRESOLVERESULT;
# Reset the result on every run; otherwise a FAILED value left in the global by an earlier run
# would skip the success branch even when this run's resolve works
:set ISP1SMTPLASTRESOLVERESULT "";

# Try to resolve; on failure fall back to the default SMTP IP and update the NAT rule with it
:do {
:set ISP1ACTIVEIP4SMTP [:resolve server=$DNSSERVER $ISP1SMTPDNSNAME];
} on-error={
:set ISP1ACTIVEIP4SMTP $DEFAULTSMTP;
:set ISP1SMTPLASTRESOLVERESULT "FAILED";
:log error "$ISP1SMTPDNSNAME resolved result: FAILED @ $date $time ! Using default $DEFAULTSMTP";
/ip firewall nat set to-addresses=$DEFAULTSMTP to-ports=$DSTPORT [find comment="$COMMENT"]
}

# If resolving succeeded, put the resolved address into the NAT rule
:if ($ISP1SMTPLASTRESOLVERESULT != "FAILED") do={
:set ISP1SMTPLASTRESOLVERESULT "SUCCESS";
:log warning "$ISP1SMTPDNSNAME resolved result: SUCCESS ($ISP1ACTIVEIP4SMTP) @ $date $time !";
/ip firewall nat set to-addresses=$ISP1ACTIVEIP4SMTP to-ports=$DSTPORT [find comment="$COMMENT"]
}

We can also use DNS names in the remote-server address list; RouterOS resolves them dynamically.


Regard’s
SYED JAHANZAIB
