• This article applies to Barracuda Message Archiver firmware version 5.0 and higher, and Microsoft 365 Enterprise cloud-based mail service, live@edu.

    See also:

    Hybrid Deployment

    Warning! Hybrid deployment can cause duplicate mails in some environments. This is an issue with Hybrid deployment and not with your Barracuda Message Archiver. Contact your Sales or Support representative for more information. If you are using a hybrid Microsoft Exchange Server / Microsoft 365 deployment, where some mailboxes are located on a physical server and some mailboxes are hosted by Microsoft 365, to properly deploy your configuration, you must journal directly to the physical Barracuda Message Archiver from your Exchange Server.

    Use the following articles to set up journaling based on the version of Exchange Server running in your environment:

    Step 1. Ensure Public Access to Port 25 on the Barracuda Message Archiver

    To journal mail directly from Microsoft 365 to your Barracuda Message Archiver, you must have a public IP address and port 25 open and NATed to the Barracuda Message Archiver. Additionally, you can optionally have a public DNS record. You can test this by attempting to telnet to the Barracuda Message Archiver on port 25. You can expect one of three outcomes:

    1. If the Barracuda Message Archiver is not accessible, either due to port 25 being blocked or incorrectly configured on the firewall, the attempt to telnet simply hangs at Trying [IP address]. In this case, troubleshoot your network settings:
      telnet_port_25_blocked.png 
    2. If the Barracuda Message Archiver is accessible and you have set Allow Only Trusted Hosts on the Mail Sources > SMTP page to No, telnet establishes a connection to the Barracuda Message Archiver:
      telnet_port_25_open_all.png
    3. If the Barracuda Message Archiver is accessible, you have set Allow Only Trusted Hosts on the Mail Sources > SMTP page to Yes, and you are attempting to telnet from an IP address not listed in the Trusted SMTP Servers section, telnet establishes a connection and the connection is immediately closed.
      telnet_port_25_openO365.png

    Step 2. Add Microsoft 365 Endpoints to the Trusted SMTP Servers List

    Microsoft publishes a list of IP addresses used for Microsoft 365 endpoints. The endpoints are grouped into four service areas:

    • Exchange Online
    • SharePoint Online and OneDrive for Business
    • Skype for Business Online and Microsoft Teams
    • Microsoft 365 Common and Office Online.

    See the TechNet article Microsoft 365 URLs and IP address ranges for further details. Note: For Microsoft 365 Germany endpoints, see the TechNet article Microsoft 365 Germany endpoints .

    1. Log into the Barracuda Message Archiver as the administrator, and go to the Mail Sources > SMTP page.
    2. Click Bulk Edit.
    3. Go to the TechNet article Microsoft 365 URLs and IP address ranges. Copy and paste the IP addresses based on your Microsoft 365 endpoints.
    4. Click Save .

    Step 3. Configure SMTP Forwarding Settings

    Because this configuration requires the Barracuda Message Archiver to be public-facing, Barracuda Networks strongly recommends that you configure the Barracuda Message Archiver to only accept mail from the list of Trusted SMTP Servers. If you are also receiving mail from sources other than Microsoft 365, such as an on-premise Exchange server, make sure you add those IP addresses to the list of Trusted SMTP Servers before setting the Barracuda Message Archiver to Allow Only Trusted Hosts.

    To configure SMTP forwarding settings:

    1. Log into the Barracuda Message Archiver as the administrator, and go to the Mail Sources > SMTP page.
    2. In the SMTP Forwarding Settings section, set Allow Only Trusted Hosts to Yes.
    3. Click Save.

    Step 4. Configure Local Domains

    1. Log into the Barracuda Message Archiver as the administrator, and go to the Basic > IP Configuration page.
    2. In the Local Domains section, add all of your mail-enabled domains including your onmicrosoft.com domain, as well as your non-routable domain, for example, bma.int.
    3. Click Add after each domain entry, and then click Save.

    Step 5. Configure SMTP Over TLS/SSL (Optional)

    1. Log into the Barracuda Message Archiver as the administrator, and go to the Advanced > SMTP Configuration page.
    2. In the SMTP Over TLS/SSL section, set Enable SMTP over TLS/SSL to Yes.
    3. Click Save.

    Step 6. Create a Remote Domain

    1. Log into the Exchange admin center (EAC), and click mail flow > remote domains:
      365_02.png
    2.  Click the symbol, and in the new remote domain dialog box, configure the following options:
      1. Name – Type Barracuda Message Archiver
      2. Remote Domain – Type BMA.int or any non-routable domain
      3. Out of Office automatic reply types – Select None

      4. Automatic replies – Select Allow automatic forwarding
      5. Message reporting – Clear all options
      6. Use rich-text format – Select Never
      7. MIME Character Set – Select None
      8. Non-MIME Character Set – Select None
        CreateRemoteDomain.png
    3. Click Save.

    Step 7. Create a Send Connector for the Remote Domain

    1. Log into EAC, and click mail flow > connectors.
    2. Click the symbol. In the Select your mail flow scenario page, configure the following options:
      1. From – Select Office 365
      2. To – Select Your organization's email server
        SelectMailFlow.png 
    3. Click Next. In the New connector page, Configure the following options:
      1. Name – Type Barracuda Message Archiver
      2. What do you want to do after connector is saved – Select both Turn it on and Retain internal Exchange email headers (recommended):
        Ensure the Turn it on check box is selected, otherwise the connector will fail to validate and will not send a test message.
        NewConnector.png
    4. Click Next. In the New Connector page, select Only when email message are sent to these domains.
    5. Click the symbol. Enter the non-routable domain configured in Step 6 (for example, bma.int), and click OK:
      AddDomain.png 
    6. Click Next. In the New connector page, click the symbol. Type your public FQDN or IP Address assigned to your Message Archiver. For example, archiver.getcuda.com. Click Save:
      GetCuda.png
    7. Click Next. In the New connector page, select Always use Transport Layer Security (TLS) and Any digital certificate, including self-signed certificates:

      Note that this step is optional and only applies if you enabled SMTP Over TLS/SSL in Step 5 .

      If you previously configured a certificate from a trusted certificate authority, select the Issued by a trusted certificate authority (CA) option.

      Certificate.png

    8. Click Next. Verify your settings in the summary page, and click Next.
    9. Click the + symbol in the Validate this connector page, type test@[non-routable domain] , and click OK:
      Validate.png 
    10. Click Validate.
    11. In the New connector validation results page, verify the connector Status displays as Succeeded, and click Finish.

    Step 8. Create a Non-Delivery Report Recipient

    Before creating journal rules, specify a journal recipient for non-delivery reports (NDRs) to reduce the risk of losing journal reports:
    ndr_warning.png 

     To create an NDR recipient:
    1. Log into the Microsoft Purview compliance portal, navigate to Solutions > Data lifecycle management > Exchange (legacy).
    2. Click the Settings icon.
    3. In Send undeliverable journal reports to, enter the email address of a valid user account. Note that the mailbox must be a mail user, mail contact, or external user, not an Exchange Online Mailbox.

    4. Click Save.

    Step 9. Configure Journaling

    1. Log into the Microsoft Purview compliance portal, navigate to Solutions > Data lifecycle management > Exchange (legacy) > Journal rules, and then select + New rule.
    2. On the Define journal rule settings page, provide a name for the journal rule and then configure the following options:
      1. Send journal reports to – Type journal@[non-routable domain]. For example, type: journal@bma.int
      2. Journal rule name – Type Barracuda Message Archiver

      3. Journal messages sent or received from – Select Apply to all Messages.

      4. Type of message to journal – Select All Messages.

    3. Select Next, review the settings, and then click Submit to create the journal rule.