General Opinions wanted on Spam Appliances used with Kerio Mailserver (Kerio User Forums, Kerio Connect)

bhenderson

Messages: 12
Karma: 0
All:

We've run into a problem that is definitely "out of scope" for technical support from Kerio, and I have my own opinions on this, but I want to make sure that the issue is what it is, and that maybe someone has come across a solution they're willing to share. First, some background:

We've recently migrated from Exchange 5.5 to KMS 6.4.1. So far, everything is working great with the Kerio and the KOC.

The company I work for is still using a 3 year-old Barracuda Spam Appliance (www.barracudanetworks.com) that was configured to work with the Exchange server, and it works well. However, the company still wants to use this spam appliance to do the majority of the spam filtering, with Kerio acting as a secondary spam filter. So, the spam appliance is configured to sit between the 'net and Kerio Mailserver on port 25. BUT....

We've also invested in a Verisign certificate to support SSL, so we could have roaming users (i.e. road warriors with laptops) connect to Kerio via the KOC and Outlook over broadband. The reason for doing so was to allow remote, encrypted access to the mail server without having any dependencies on a VPN connection, for the main reason of saving on bandwidth and support hassles. So far, Kerio has worked like a champ, and I can connect reliably from home to the office over my cable connection without a VPN, with one major snag:

Outlook cannot send e-mails via the SMTP port.

I've rationalized the reason for this as follows (layman's explanation):

I strongly believe that the Barracuda spam appliance is behaving like a sessional proxy. What I mean by this is that the spam appliance intercepts SMTP connections from other mail servers, good or bad, and receives the complete e-mail from the foreign mail server on behalf of Kerio (or whatever e-mail server it is configured to work with). After inspecting the e-mail, and provided it is not dropped as spam, the appliance then "forwards" it on to Kerio. This has been tested by "telnetting" into port 25 at the public side IP address of the server's connection.

However, when a KOC connection attempts to send e-mail via Kerio outside of the local network, the spam appliance again intercepts the connection on port 25, except that the behavior of the appliance does not match the behavior of Kerio as expected by the KOC. In other words, I think that one of the following three things is happening:

1. The KOC is expecting a "more stateful connection" to Kerio that the spam appliance is inherently designed not to provide,

2. The appliance can't handle ESMTP connections (highly unlikely), OR,

3. Kerio's SMTP server is not a de facto ESMTP server, and there is something going on with the KOC that only Kerio MailServer can provide.

In any case, I'm not out to reverse engineer either product - I'm just looking for an explanation I can give to the boss as to why these two products don't want to work together. I do realize that the web interface is there too, but that is not what I'm trying to figure out here.

Anyway, I've laid out 2 policy options for the boss to consider in order to put the issue to rest:

a. Retire the Barracuda Spam appliance, and let Kerio do all of the SPAM filtering. Then users can have remote access via the KOC, as there is no longer any proxy.

or

b. Users must use the web interface, and KOC is strictly for the office or VPNs.

Because I am new to Kerio, I'm not sure if my understanding on this is 100% accurate. If anyone has any thoughts on this, I'd be glad to hear them.
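One way to test the three hypotheses above without reverse engineering either product, as an added example (this is not code from the thread, from Kerio or from Barracuda): all three reduce to whether the host the KOC connects to answers EHLO with the STARTTLS and AUTH extensions an authenticating client needs. A relay-only filtering gateway typically advertises neither, so the client never gets to authenticate and stalls. The script parses an EHLO reply into an extension map, reports what is missing, and includes a live probe built on the standard library's smtplib. The host names, ports and the two sample replies are constructed for the example.

```python
"""Check whether an SMTP endpoint offers what an authenticating client needs.

Added example for the thread above; not Kerio's or Barracuda's code.
Host names and the sample EHLO replies below are constructed.
"""
import smtplib

# Extensions a submission client needs before it will send as a user.
REQUIRED = ("STARTTLS", "AUTH")


def parse_ehlo(response):
    """Parse a raw multi-line EHLO reply into {EXTENSION: [params]}.

    The first 250 line is the greeting ('250-host Hello ...') and is skipped;
    continuation lines use '250-', the final line '250 '.  Any other line
    (the 220 banner, error replies) is ignored.
    """
    caps = {}
    seen_greeting = False
    for raw in response.splitlines():
        line = raw.strip()
        if not line.startswith("250"):
            continue
        if not seen_greeting:
            seen_greeting = True
            continue
        parts = line[4:].split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps


def diagnose(caps):
    """Say whether an authenticating client could submit through this endpoint."""
    missing = [ext for ext in REQUIRED if ext not in caps]
    return {
        "can_submit": not missing,
        "missing": missing,
        "auth_mechanisms": caps.get("AUTH", []),
    }


def probe(host, port=25, timeout=10):
    """Live check: EHLO the host and run diagnose() on what it advertises.

    smtplib strips the reply codes and the greeting for us, so the extension
    map is taken straight from esmtp_features after a successful EHLO.
    """
    with smtplib.SMTP(timeout=timeout) as conn:
        conn.connect(host, port)
        code, _ = conn.ehlo("probe.example.invalid")   # constructed client name
        if code != 250:
            raise RuntimeError(f"{host}:{port} rejected EHLO with code {code}")
        caps = {k.upper(): v.split() for k, v in conn.esmtp_features.items()}
    return diagnose(caps)


# Constructed replies: what a relay-only filtering gateway and a mailserver
# might each return.  Real output will differ in the details.
GATEWAY_REPLY = """\
220 filter.example.invalid ESMTP
250-filter.example.invalid Hello [203.0.113.10]
250-SIZE 52428800
250-8BITMIME
250 PIPELINING
"""

MAILSERVER_REPLY = """\
220 kms.example.invalid ESMTP
250-kms.example.invalid
250-SIZE 20971520
250-8BITMIME
250-STARTTLS
250-AUTH CRAM-MD5 LOGIN PLAIN
250 HELP
"""

if __name__ == "__main__":
    for name, reply in (("gateway", GATEWAY_REPLY), ("mailserver", MAILSERVER_REPLY)):
        print(name, diagnose(parse_ehlo(reply)))
    # Live use: probe("mail.company.com") and probe("kms.company.com") from
    # outside, then compare the two results.
```

Run probe() against the public MX address (the appliance) and, from the LAN, against the mailserver directly. The telnet test in the post only showed that inbound delivery works; it says nothing about whether the gateway offers authentication. If the mailserver itself reports STARTTLS or AUTH missing, the cause is in the KMS security policy rather than in the appliance. Note that AUTH with the LOGIN or PLAIN mechanisms but no STARTTLS sends passwords across the Internet in clear, so the fix for a gateway that strips STARTTLS is never to relax the server's TLS requirement.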

winkelman

Messages: 2119
Karma: 3
For what it's worth: I too cannot send email with KOC anymore since we've installed a SSL certificate and set the security to "require secure authentication" (in Admin Console, Advanced, Security Policy). If I lift this restriction KOC sends just fine.

Mind you: I have nothing sitting in between KMS and KOC, so it could very well be that your problems have nothing to do with your spam appliance.

- Do you by any chance have the same restriction set?
- Can you send with KOC if the spam appliance is not in between (when sending from the local LAN for example)?

I have been in contact with Kerio about this, but so far they've been unable to provide a solution (no worries there [yet], they are waiting for me to send some debug info and I haven't pursued this recently since we do not really use KOC).

I'm sure this problem can be solved, I mean, there must be hundreds of sites with KOC, certificates and requiring secure authentication.

RHarmsen.nl

Messages: 186
Karma: 0
It seems that the Barracuda Spam appliance "malforms" the SMTP connection from KOC to the Mail server.

Perhaps you could conduct a test by switching off the Barracuda Spam appliance, or temporarily use a different port (26?) to bypass the barracuda for a test.

With this you are able to check whether it really is the Barracuda Spam appliance in combination with the setup you want, or whether it is something else.

Good luck with it.
sedell

Messages: 1168
Karma: 1
We have a similar setup - KMS with a Barracuda. I set it up with two public IPs. One that's in the MX record for receiving mail that points to the Barracuda, and one that points directly to the mail server for external users to send/check mail, access webmail, etc. That way, there are no hassles about trying to authenticate through a gateway appliance.

I could be wrong, but I don't believe the Barracuda will proxy the connection through to the mailserver if authentication of some sort is required, it just accepts all connections that come in on port 25, and either accepts or rejects the message/connection. I've never had a Barracuda running with Exchange, but if it worked for you before with Exchange, it may have only worked because of their Exchange tie-in with Active Directory. There seem to be a few features that only work with Exchange because of the tie-in they have available.

Scott
winkelman

Messages: 2119
Karma: 3
sedell wrote on Tue, 04 September 2007 13:45

... I set it up with two public IPs. One that's in the MX record for receiving mail that points to the Barracuda, and one that points directly to the mail server for external users to send/check mail, access webmail, etc. ...

Isn't your mail server's 'direct' IP address known by now in the spammer community (through port scans, etc.), and isn't spam being delivered on that IP, thus bypassing the Barracuda?
sedell

Messages: 1168
Karma: 1
Since KMS doesn't have an option to only allow non-authenticated mail from a set IP address, I used the blacklist. I added two ranges to the local blacklist - 1.0.0.0 to 192.168.0.254 and 192.168.2.1 to 255.255.255.255. Anything that connects directly from the outside without authenticating gets rejected, but it still leaves me leeway from within the network.

When I first set this up, I used to get tons of blacklist entries in the security log connecting from the outside directly. Now that it's been set this way for a while, and the smtp scanners realized the server won't accept mail, I only get a few blacklist entries a day.

Scott
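A way to model the blacklist workaround in the post above, as an added example (not code from the thread or from Kerio): it encodes the two ranges, decides accept/reject for a given source address and authentication state, computes which addresses are left outside the blacklist, and places the same intent written as an allow-list beside it. It assumes that the LAN allowed to relay without authenticating is 192.168.1.0/24 (the only /24 between the two ranges) and that an authenticated session is exempt from the blacklist; both are inferred from the post, not documented KMS behaviour. The sample client addresses are constructed.

```python
"""Model the 'blacklist everything except the LAN, exempt authenticated users'
policy described in the post above, and show what it leaves uncovered.

Added example; not code from the thread or from Kerio.  Assumptions, inferred
from the post: the LAN that may relay unauthenticated is 192.168.1.0/24, and an
authenticated session bypasses the blacklist.  Sample addresses are constructed.
"""
import ipaddress

# The two ranges from the post, as inclusive (start, end) pairs.
BLACKLIST_RANGES = [
    (ipaddress.IPv4Address("1.0.0.0"), ipaddress.IPv4Address("192.168.0.254")),
    (ipaddress.IPv4Address("192.168.2.1"), ipaddress.IPv4Address("255.255.255.255")),
]

# The same intent as an allow-list: only this network may relay without
# authenticating; everything else must authenticate.  (Assumed LAN.)
ALLOW_UNAUTHENTICATED = [ipaddress.IPv4Network("192.168.1.0/24")]


def is_blacklisted(ip, ranges=BLACKLIST_RANGES):
    """True if ip falls inside any inclusive blacklist range."""
    return any(start <= ip <= end for start, end in ranges)


def decision_blacklist(client_ip, authenticated):
    """Deny-list policy as described: reject unauthenticated blacklisted sources."""
    if authenticated:
        return "accept"
    return "reject" if is_blacklisted(ipaddress.IPv4Address(client_ip)) else "accept"


def decision_allowlist(client_ip, authenticated):
    """Allow-list policy: unauthenticated relay only from the listed networks."""
    if authenticated:
        return "accept"
    ip = ipaddress.IPv4Address(client_ip)
    return "accept" if any(ip in net for net in ALLOW_UNAUTHENTICATED) else "reject"


def uncovered_addresses(ranges=BLACKLIST_RANGES):
    """Networks NOT in the blacklist, i.e. every source that may relay unauthenticated."""
    nets = []
    cursor = 0                                   # next address not yet covered
    for start, end in sorted(ranges):
        s, e = int(start), int(end)
        if s > cursor:                           # gap before this range
            nets.extend(ipaddress.summarize_address_range(
                ipaddress.IPv4Address(cursor), ipaddress.IPv4Address(s - 1)))
        cursor = max(cursor, e + 1)
    if cursor <= 0xFFFFFFFF:                     # gap after the last range
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(cursor), ipaddress.IPv4Address(0xFFFFFFFF)))
    return [str(n) for n in nets]


def disagreements(client_ips):
    """Unauthenticated sources on which the two policies differ."""
    return [ip for ip in client_ips
            if decision_blacklist(ip, False) != decision_allowlist(ip, False)]


if __name__ == "__main__":
    print("may relay unauthenticated under the blacklist:", uncovered_addresses())
    samples = ["203.0.113.5", "192.168.1.20", "192.168.0.255", "192.168.2.0", "0.0.0.1"]
    print("policies disagree on:", disagreements(samples))
```

The gap computation shows that, besides the intended /24, the deny-list leaves 0.0.0.0/8, 192.168.0.255 and 192.168.2.0 outside the blacklist. None of those is a usable source address in practice, but the allow-list form has no such edges and does not need rewriting if the LAN addressing changes later. In either form the policy only does its job if authenticated sessions really are exempt from the blacklist; confirm that with an authenticated send from outside before relying on it.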
My IT Indy

Messages: 1262
Karma: 40
I use/recommend/resell Katharion's hosted filtering service and it works great with KMS. I've even started hosting KMS for some clients and bundle Katharion filtering with it. I host 4 companies (roughly 35 users) on my server and everybody loves the filtering.

I use a Thawte SSL123 SSL cert with KMS and have it configured to only accept SMTP connections from Katharion's domain and authenticated users and have no problems at all.

-
My IT Indy
Kerio Certified Reseller and Hosted Provider
http://www.myitindy.com
bhenderson

Messages: 12
Karma: 0
This is all good (thanks for the info), but just to be clear:

- The previous Exchange setup was on an NT4 Domain, and in fact is still being used. Active Directory is not involved because it does not exist here.

- Outlook does not fail fast when sending an e-mail - the Send/Receive dialog stalls whenever an e-mail is sent. To me, this means that the KOC is struggling to communicate with the Barracuda spam appliance. After a few seconds (like 30), the dialog box reports:

Task 'Kerio MailServer - Sending' reported error (0x80042109) : 'Outlook is unable to connect to your outgoing (SMTP) e-mail server. If you continue to receive this message, contact your server administrator or Internet service provider (ISP).'

...which is classic behaviour for the KOC to fail on an SMTP connection. Barracuda malforming the connection also sounds like a reasonable explanation.

The dual public IPs for Kerio and the Barracuda sounds like a good option, and can be easily rigged at the cost of an additional IP address with the ISP and the following DNS config:

1. Setup an A record for mail.company.com.
2. Setup an MX record for mail.company.com.
3. Put the barracuda on the same IP as mail.company.com.
4. Setup a second IP and A record for kms.company.com.
5. Configure the KOC to use kms.company.com.

So what should happen is when an inbound e-mail is received, the mx record should direct it to the spam appliance, while all other comms should connect on the unfiltered IP.

winkelman

Messages: 2119
Karma: 3
I'd make sure first if it's actually the Barracuda that's causing the problems. Did you try connecting KOC to KMS without Barracuda 'in the way'?

As I said: for me KMS is giving this problem all by itself (without anything else that could possibly be interfering).
elias

Messages: 114
Karma: 0
I own a Barracuda and have it in front of my KMS server and I can assure you it's not causing this problem. The Barracuda is nothing more than a simple SMTP relay; you point your MX record to it and tell it what your KMS server's IP is, and that's it. It scans inbound email, follows whatever rules you've supplied it for spam and antivirus handling, and then it passes the email on to your KMS box. That's it.

Unless you've specifically given the KOC the IP address of your Barracuda, there's no way it can interfere with communication between the KOC and your KMS server.

That said, you should definitely keep the Barracuda. It's an awesome product; it's absolutely worth renewing your maintenance agreement on and upgrading its software to the latest version.

-Elias

[Updated on: Thu, 06 September 2007 00:11]

papason

Messages: 32
Karma: 0
rugby wrote on Tue, 04 September 2007 14:59

I use/recommend/resell Katharion's hosted filtering service and it works great with KMS. I've even started hosting KMS for some clients and bundle Katharion filtering with it. I host 4 companies (roughly 35 users) on my server and everybody loves the filtering.

I use a Thawte SSL123 SSL cert with KMS and have it configured to only accept SMTP connections from Katharion's domain and authenticated users and have no problems at all.

-

We host for companies with a Barracuda in front of our KMS server without issues. The internal cert is fine for use and the Barracuda is fixing the SPAM/Virus problem for most users, but also having the built-in SA in Kerio has made this a very nice MTA against SPAM.


Cheers