Barracuda Spam Firewall and InterWorx?

All,

Was wondering if anyone could share their experiences using a Barracuda spam firewall in front of InterWorx (we are looking at a Barracuda 300)? I see some users, including InterWorx itself, use Barracuda products. Looking for feedback on configuration, implementation, use, caveats, etc.

Thanks in advance for your time.

–Dave Z

Hi Dave,

The company I used to work for was a massive reseller of Barracuda kit, and as such I’ve deployed very large numbers of these units over the years (still got a decent collection of the free t-shirts you get in with each unit).

When setting up they basically sit as a smart-host in front of the server you wish to protect, so they will work with InterWorx (or anything else for that matter) no problem.

You can brand the entire system (including the messages users get about quarantined messages), and they will either generate each address (user) a set of credentials each time messages need action, or you can pull a user list in via LDAP or similar. You could probably write an InterWorx account sync plugin very easily.

The systems themselves are well built, and they’re easy to manage. They do a very good job at filtering, and will often handle much more mail than they advertise on the specs. The customer service and technical support that Barracuda offer is also second to none. If your business is going to rely on the box, I’d highly recommend their instant replacement plan if they still do it.

Hope this helps.

Jon

Jon,

Thanks so much! I’m happy to say we did go with the 300 and are having GREAT success. Setup took only an hour, and we are seeing about a 90% reduction in spam with no false positives so far. And, now I have my fifth Barracuda shirt. :)

Just for other people who are considering Barracuda:

For inbound protection, you just need to add each domain you want to protect to the 300 and update each domain’s MX record. Nothing needs to be done within InterWorx, though you may want to move your RBL list from InterWorx to the 300 and disable SpamAssassin.

For optional outbound scanning, you can set InterWorx CP->System Services->Mail Server->MTA Settings->MTA SMTP Options (outboard)->SMTP Routes to “:mxhost.yourdomain.com”. This works fine, but it’s an all-or-nothing deal, requiring all domains to be added to the Outbound list in the 300. It would be great if InterWorx could allow each domain to have its own individual smarthost setting so you can choose which accounts get outbound scanning.

Best,
–Dave

Hi Dave

I hope you don’t mind but I believe you can set domain specific smart host but not from the GUI. I believe you have to set it in the conf after ssh, which if I remember correctly, is in iproute, but I could be wrong sorry.

I hope that helps

Many thanks

John

Dave, that used to be true, but for a good amount of time now this functionality has been in NodeWorx on the MTA mail page (nodeworx/mail/mta).

Bottom right corner “SMTP Routes”:

Artificial SMTP routes. If the domain matches the host, qmail-remote will connect to relay, as if host had relay as its only MX Record. The syntax for this field is [domain]:[destination server] and [domain] may be blank if you want all mail to be routed to [destination server]

Only reason I know this is I’ve been using my Iworx box to be my mail router for an Exchange server I have on a home internet connection which blocks port 25. So I route all my mail to my Iworx box and it’s then forwarded on to my Exchange box on an alternate port. Similar to the way Barracuda works I think.

You just enter in there (one per line) the hostname of email to forward, the remote server, and the remote port:

mydomain.com:123.123.123.123:587
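
As an added example (not part of any post in this thread, and not InterWorx or qmail code), the following Python models how qmail-remote picks a relay from SMTP Routes entries of the form quoted above. The function names are hypothetical, the `.example.net` entry is a constructed sample, and the other two entries are the ones posted in this thread.

```python
# Added example: models how qmail-remote consults control/smtproutes.
# ".example.net" is a constructed sample; the other entries come from the thread.
SAMPLE_ROUTES = """\
# domain:relay[:port]
mydomain.com:123.123.123.123:587
.example.net:
:mxhost.yourdomain.com
"""

def parse_smtproutes(text):
    """Parse 'domain:relay[:port]' lines into {domain: (relay, port)}."""
    routes = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '#' comments are skipped
        domain, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"route line has no ':' separator: {raw!r}")
        relay, _, port = rest.partition(":")
        if port and not (port.isdigit() and 0 < int(port) < 65536):
            raise ValueError(f"bad port in route line: {raw!r}")
        # Port 25 is used when the entry does not name one.
        routes[domain.lower()] = (relay, int(port) if port else 25)
    return routes

def select_relay(routes, recipient):
    """Return (relay, port) for a recipient, or None for a normal MX lookup.

    The key is the recipient's domain only; the sender never enters the lookup.
    """
    host = recipient.rsplit("@", 1)[-1].lower()
    # Most specific first: exact host, then each ".suffix", then the blank
    # catch-all domain.
    candidates = [host]
    candidates += [host[i:] for i in range(1, len(host)) if host[i] == "."]
    candidates.append("")
    for key in candidates:
        if key in routes:
            relay, port = routes[key]
            # A matching entry with a blank relay means "no artificial route".
            return (relay, port) if relay else None
    return None

if __name__ == "__main__":
    table = parse_smtproutes(SAMPLE_ROUTES)
    for rcpt in ("user1@mydomain.com", "bob@aol.com", "x@mail.example.net"):
        print(rcpt, "->", select_relay(table, rcpt) or "normal MX lookup")
```

Because the lookup is keyed on the recipient's domain, an entry for a hosted domain affects mail addressed to that domain rather than mail sent from it.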

Found this thread and realized my last post might not be 100% correct.

I’m now trying to set up OUTBOUND Smart Host for one SiteWorx account and I’m not sure the SMTP Routes would work here? I still want the SiteWorx account to accept inbound emails, but I want outgoing emails to be routed through Barracuda.
Any way to do this?

I don’t believe there is any way to do this with SMTP routes. With a VirtualDomain active, Qmail will ignore the SMTP Route. So in order to do this, it’s got to be a lot more complex unfortunately.

Hi Justin

I hope you’re well

I seem to remember mikeh wanted this, and the resolution is in qmail, but I need to search for his posts.

I believe it is relatively easy to do, but will post link when I have time

Many thanks

John

Hi Justin

Please see this post, which is the one I referred to above.

Many thanks

John

http://forums.interworx.com/showthread.php?t=8148

I looked through this, but seems the final answer took me to an article “One domain in multiple locations”

This isn’t the case for me. All my emails will be stored POP3/IMAP on my InterWorx server. I just want emails being sent out SMTP through my IW server for one particular SiteWorx account to use a SmartHost.

Example
user1@domain.com
POP and SMTP server are set to the Interworx Server

  1. bob@aol.com emails user1@domain.com and it is delivered into the SiteWorx account

  2. user1@domain.com replies to bob@aol.com, when connected to the IW server Qmail determines based on the sender domain of domain.com to forward this email to a SmartHost versus doing an MX lookup and deliver the email itself.

I can’t think of a way to make this work. Even if I only had one SiteWorx account on the server, I’m not sure how Qmail can setup an outbound smart host yet still accept emails.

Hi Justin

Sorry, I must have misunderstood sorry.

There’s something in my memory, from a few years ago about setting Qmail for a siteworx account to its own IP address and then using firewall routes or IP routes to route all outgoing 25 and 587 ports to where you need it to go.

I’ll try to think a little more but I’m sure I read this on the forum and I expect it would cost you an IP address but I think it would do what you want, allow incoming to the siteworx whilst routing outgoing to your outgoing server

Many thanks

John

No worries, I appreciate the input.

Yes, I think something like this is the only way to accomplish this. It happens this account is using SSL so already has a dedicated IPv4 address.