Forum Discussion
Not receiving emails from O365/Outlook.com companies with Barracuda email security
Hello,
Have an odd email delivery issue, which was working up until about 5/27.
We are no longer receiving emails from companies using O365/Outlook.com and Barracuda email security it appears (based on past working headers). Our internal org has Exchange 2016 on-prem behind SonicWall firewall/anti-spam.
The working headers showed usually 8-9 hops, before delivering the email. Now we are only seeing the first two hops from the senders orgs, typically just the outlook.com servers. The senders are getting NDR's with this error:
Remote Server returned '550 5.4.300 Message expired -> 421 temporary failure for one or more recipients (*****.**********@*********.org:451 Proxy timed out)'
Remote Server returned '550 5.4.300 Message expired -> 451 Proxy timed out'
Not sure where the proxy in question resides. We are not seeing emails reaching our firewall, or Exchange 2016 SMTP receive logs.
We've tested both orgs inbound/outbound SMTP for O365 and Exchange, via Microsoft Remote Connectivity Analyzer.
Seems like a sender side issue, but they are reporting no issues from O365/Barracuda.
Any thoughts?
Thanks.
- BemmelenPatrickIron ContributorHello bmerri19,
If the senders only see 2 hops in the NDR this sounds like it's the proxy configured on their mail server that's timing out.
Could you maybe post a NDR so we can have a look?- bmerri19Copper Contributor
BemmelenPatrick Here are two from separate organizations:
As well as headers from when it was working in April/May,
and now no longer working:
It's just weird that is a handful of external organizations with O365/Barracuda all of the sudden emails don't arrive. Curious if something changed at the end of May on O365 or Barracuda?
-Brian
- BemmelenPatrickIron ContributorHi Brian,
Are you allowing both SMTP and ESMTP traffic from the outside? So ports 25 and 587?
And do you have a SonicWall that has a SSL certificate check possibility?
To me it looks like your firewall is blocking SMTP traffic with unsigned certificates as normal SMTP traffic is accepted but ESMTP is not.
It could be that the other side is using self signed certificates on the Barracuda...
- Lewis-HIron ContributorBarracuda offers two cloud-based services that protect all your business email in Office 365 with zero impact on email performance. Barracuda Essentials for Office 365 is a comprehensive email security suite that filters every inbound and outbound email to stop spam, viruses, data leaks, and malware. Barracuda Sentinel goes a step further to use an AI engine to inspect all the emails already in your in box to block against impersonation-based fraud such as phishing. Together, they provide the industry’s best and most cost-effective protection for Office 365 users.
- ExMSW4319Iron Contributor
A question for the community:
If the OP adds the Barracuda cloud ranges to his Connection filter Allowed list, does that just turn off filtering based on the source IP or does it also deactivate any other EOP defences for mail from those ranges?
https://campus.barracuda.com/product/essentials/doc/78809995/add-the-barracuda-email-security-service-ip-ranges-to-your-office-365-account/ - page links on to the current Barracuda ranges.
The other concern with this tactic is whether the Barracuda cloud customer corpus as a whole would be meritorious of such a listing. It only takes a few bad apples, though I do not have an abuse folder on them.
- athorne2995Copper Contributor
Hello Brian,
We are having the same exact issue to the "T". We have been working this one for the past three weeks with Microsoft, SonicWall and Barracuda. We have pretty much gone through the same steps as you have to troubleshoot with no success. Have you found a resolution.
Thanks.
Averell
- ExMSW4319Iron Contributor
Have just re-read OP; had previously missed the fact that the Sonicwall was more than just a simple FW. Is it one of the ones with a tarpitting function (in amongst the Directory Harvest settings, on one set of documentation I found) and if so then is this feature turned on?
Observing the recent post, a clear distinction needs to be noted between senders using Barracuda cloud and Barracuda on-premises appliances. The latter do have a certain notoriety for both sending and receiving issues if not properly maintained. The former send from a large pool of IP addresses so an unrelated Barracuda customer may sully a particular IP for an unfortunate sender.
- athorne2995Copper Contributor
Hello,
We did get a solution. Our situation involved incoming mail from several O365 clients hosted on barracuda network servers, coming to our Exchange server that is behind our SonicWall Firewall and using the SonicWall anti-spam filter CASS 2.0 version. In our case if we turned the spam filter off the mail would come in. What we ended up doing was whitelisting in a sense. Simple whitelisting of the domains in the anti-spam did not work. In the SonicWall firewall we did the following.
- We identified the IP addresses of the barracuda servers hosting the O365 clients.
- In the SonicWall under the Network option we added the IP address entries as address objects
- We added barracudanetworks.com resolving to *.barracudanetworks.com to cover the whole domain in case the IP address entry changed.
- We also added the domains of the O365 clients to the address objects.
- Going to the Anti-Spam selection we went to Settings and then User defined Access List and added the entries from the address objects to the Allow Client List.
This solution has worked for us allowing the O365 mail to come in. I don’t know if your situation matches mine with the SonicWall involved but hopefully this may help.
Thanks.
Averell