Issue with Barracuda Spam firewalls and Cisco PIX/ASA

I was working on a client’s Barracuda to receive mail directly through the Barracuda rather than their current setup.

I was able to remove it from the ASA by adding the following to the config via CLI: no fixup protocol smtp 25

For more on this you can read: https://blogs.it.ox.ac.uk/networks/2009/11/26/cisco-firewall-smtp-fixup-considered-harmful/

 

(1) “Why can’t anyone send mail to my Barracuda Spam & Virus Firewall over TLS, even though I have it enabled?”
—————————————————————————-

Solution #00003659

Scope:
All Barracuda Spam & Virus Firewalls in use with Cisco network hardware, all firmware versions.

Answer:
If enabled, the Barracuda Spam & Virus Firewall will advertise TLS (secure connection availability) for all incoming SMTP connections (for information on configuring this, see Solution #00000992). It’s possible the sending mail servers aren’t electing to send mail over TLS.

 

If it’s been configured correctly and the sending servers are trying to send mail over TLS, the problem could be that a device between the sending servers and the Barracuda Spam & Virus Firewall is interfering. For instance, a Cisco PIX firewall with the “SMTP Fixup protocol” enabled will mask the 250-STARTTLS echo reply from the Barracuda Spam & Virus Firewall, preventing the sending mail server from realizing that sending mail using a secure connection is an option. The only solution in this case is to disable the “SMTP Fixup protocol” on the Cisco PIX firewall (for instructions on how to do this, click here).

 

Cisco ASA firewalls may also interfere with the 250-STARTTLS SMTP response, but they can be explicitly configured to support ESMTP over TLS. If you are using a Cisco ASA firewall, click here for instructions on how to enable this functionality.

 

Additional Notes:

The Cisco PIX “SMTP Fixup protocol” can cause other problems when used with the Barracuda Spam & Virus Firewall. For more information, see Solution #00001728.

 

Link to This Page:
http://www.barracuda.com/kb?id=50160000000HQ7J
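
The check the KB answer above implies, as an added example (not part of the original post or Barracuda's article): classify an EHLO reply captured from outside the firewall as advertising STARTTLS, having keywords masked in transit, or simply not offering it. The sample replies are constructed, and the X-filled keyword pattern is an assumption about how an inspecting firewall's masking appears on the wire.

```python
import re

# Constructed EHLO reply as seen when talking to the mail gateway directly.
DIRECT = """250-barracuda.example.com Hello mx.sender.example
250-SIZE 100000000
250-PIPELINING
250-8BITMIME
250-STARTTLS
250 HELP"""

# Constructed reply for the same server seen through an inspecting firewall.
# Assumption: masked keywords show up as runs of X (or *) characters.
MASKED = """250-barracuda.example.com Hello mx.sender.example
250-SIZE 100000000
250-XXXXXXXXXA
250-8BITMIME
250-XXXXXXXA
250 HELP"""

LINE = re.compile(r"^250([ -])(.*)$")      # "250-" continues, "250 " ends
MASK = re.compile(r"^[X*]{4,}[A-Z]?$")     # keyword overwritten in transit

def ehlo_keywords(reply):
    """Return the ESMTP keywords from a multi-line 250 EHLO reply."""
    keywords = []
    for i, raw in enumerate(reply.strip().splitlines()):
        m = LINE.match(raw.rstrip("\r"))
        if not m:
            raise ValueError(f"not a 250 reply line: {raw!r}")
        if i == 0:
            continue  # first line is the greeting (server domain)
        text = m.group(2).strip()
        if text:
            keywords.append(text.split()[0].upper())
    return keywords

def classify(reply):
    """Say whether STARTTLS is offered, masked in transit, or absent."""
    kws = ehlo_keywords(reply)
    if "STARTTLS" in kws:
        return "starttls-advertised"
    if any(MASK.match(k) for k in kws):
        return "keywords-masked"   # points at a middlebox, not the server
    return "starttls-absent"       # server itself is not offering TLS

if __name__ == "__main__":
    for name, reply in (("direct", DIRECT), ("via firewall", MASKED)):
        print(name, "->", classify(reply))
```

A "keywords-masked" result from outside combined with "starttls-advertised" from inside the network indicates the device in between is rewriting the reply, which is the situation the KB answer describes.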

Barracuda Web Filter Whitelisting

The trick is that all explicitly whitelisted sites need to be at the top of the Exceptions list, or at least before the blocked Content Filter categories.

1. In the Block/Accept page, go to Custom Categories.

2. Create a Custom Category. Give it a Category name. In “Domains to be included”, put in the URLs to be whitelisted. So that would be:

*.hyatt.com

lillytremont.com

columbus.regency.hyatt.com

hyatt.com

Click Add.

3. Go to Exceptions. In the Add Exception section, click Allow. In the “Applies To:” choose All Users. In the “Exception Type:” choose Content Filter. In the “Sub Category:” choose the Custom Categories section and the new one you made (in this case Hotels). Click Add.

4. Now move that rule all the way to the top or before any blocked Content Filter rules. This is key to allowing custom URLs to be whitelisted.