1

Do spam appliances have to sit behind a 'firewall appliance' such as an ASA Cisco device(s). Being the fact it is a spam/firewall would it cause problems behind a firewall and need to be public facing due to the fact it would be nat'd to the firewall's IP address?

I am looking at moving the Barracuda's to another IP range and have them public facing, the bounce back message from 'unknown recipients' is reporting the Cisco ASA nat IP address.

This leads me to believe this would be a form of backscatter am I correct?

Any help or advice would be great.

user128098
  • 11

3 Answers3

1

The Barracuda is only a "firewall" in name. It is really just a filtering appliance. Being behind an ASA should not affect its operability as long as you allow the correct ports open.

Being behind a firewall is generally best, since you don't want someone to connect to the web interface from outside, for example.

Your follow up question:

This leads me to believe this would be a form of backscatter am I correct?

does not make sense to me. Barracuda will send an "unknown recipients" reply whether you're behind a NAT or not. I believe that this is configurable, and can be disabled.

Hyppy
  • 15,686
  • I was under the impression that it should show the ip address of the spam/firewall device matched in dns correct. If it is showing the ip address of the nat firewall could this lead to getting this ip blacklisted? Should the devices not be able to face the public internet regardless, since they are designed to handle abuse? – user128098 Jul 12 '12 at 16:59
  • People doing malicious activities can still connect to the devices via port 25 since it is open. What has happened in the past is with back-scatter detection on it caused a big problem with the ip not matching against dns. It was not sourced correctly and with back-scatter it uses a key to terminate the email from going berzerko all over the place. – user128098 Jul 12 '12 at 17:01
1

I run my Barracuda Spam Filters behind my Cisco ASA firewalls. The Barracuda is just a device; a server sitting on a private IP, NAT'ed behind the firewall.

I give the Barracuda device its own public IP and point the domain's MX records to it. E.g. spam.domain.com.

Depending on how your Cisco ASA's NAT is setup, you may end up showing the PAT address on outbound traffic from the Barracuda. Fix this.

Edit:

Most Barracuda Spam Filter models (300 and up) can tap into Active Directory or LDAP to validate email addresses before delivering to the mail server. That's the real solution to your problem as I understand it.

ewwhite
  • 198,150
  • The devices only have external ip addresses on them. So you could show the PAT address on outbound traffic and this would show the correct public ip address on each Barracuda device correct. I know back-scatter can cause a lot of problems with thousands of email accounts. – user128098 Jul 12 '12 at 17:11
  • See edit about LDAP/AD integration. – ewwhite Jul 13 '12 at 01:09
0

I'll start off by saying I'm not a cisco guy so as much as ewwhite's suggestion about PAT seems good, I can't really say yes or no to that.

Next, if the spam filter is behind a firewall I can see two options. One is using a public ip for the spam filter. The other would be to port forward the traffic from the firewall to the spam filter. Spam filters are highly dependant on seeing the correct sender IP of each email to enable DNSBL's to work, but both these scenarios will work fine.

One thing not to do is to have any form of mailserver running on the firewall that stores and forwards mail, as then the spam filter will see the sender ip of the email as the internal ip of your firewall which will seriously hamper the anti spam function. (Probably not relevant for cisco but included for completeness)

Now, backscatter is created when your Barracuda (or any other device capable of storing and forwarding emails) will accept emails for recpients that are not valid. When it tries to forward these on to say your Exchange server, that will only accept emails for valid recpients if configured right. Then NDR's are sent for all the emails sent to invalid recpients. The thing is crafty people have realised if they forge the from header (e.g if I put my personal email address as the spoofed from address), then al the NDR's will be sent to that person (e.g. my personal email address) as opposed to the actual spammer/sender.

Backscatter commonly presents when a device such as a Barracuda (or a MTA) is set up to accept all emails for a particular domain(s) without an actual list of valid users. Before you disable NDR's, check RFC2821 which says this is not to be done.

Robin Gill
  • 2,513