Jump to content


Photo

Behavior Change to Quarantine Notification Emails in Firmware Release 8.0.3.003


  • Please log in to reply
35 replies to this topic

#1 Stephen Gee

Stephen Gee
  • Moderators
  • 83 posts

Posted 18 January 2018 - 03:30 PM

Barracuda will be rolling out a new EA firmware version, 8.0.3.003 beginning the week of January 22nd.  As a result of a security vulnerability, customers updating to firmware version 8.0.3.003 will experience a change in behavior to quarantine notification emails.  End users will no longer have the ability to click on a link in the quarantine notification email to log directly into a quarantine inbox without the use of a password.  Please notify your end users of this change before updating the firmware on your Email Security Gateway.  

 

 



#2 Dave

Dave
  • Members
  • 4 posts

Posted 23 January 2018 - 01:46 PM

Does this include each 'Action' link as well (Deliver | Whitelist | Delete | View )?

How are password managed/supplied for each user?

 

Seems like this could be a lot of work for the end user to view/delete quarantine messages.



#3 Michael Manning

Michael Manning
  • Members
  • 185 posts
  • LocationOhio, USA

Posted 24 January 2018 - 09:47 AM

I like the idea in concept, but I think in practice it will just make my super lazy coworkers just never bother to clean out/maintain their quarantine folder.



#4 Jaybone

Jaybone
  • Members
  • 106 posts

Posted 25 January 2018 - 09:44 AM

Something break the update server?  Appears to be down.



#5 firstburleson

firstburleson
  • Members
  • 1 posts

Posted 29 January 2018 - 04:15 PM

It's January 29, and I haven't seen anything on the Early Release on my appliance yet, but I get the message about the update when I log in:

 

"As a result of a security vulnerability, customers updating to firmware version 8.0.3.003 will experience a change in behavior..."

 

What is the ETA for the Email Security Gateway 300 series?



#6 Amir Mohammed Zakaria

Amir Mohammed Zakaria
  • Members
  • 1 posts

Posted 31 January 2018 - 08:12 AM

Hi There,

 

normally password automatically generated by Barracuda spam filter, after upgrading to the new firmware users have to enter there active directory passwords or we have to rest all users passwords and send it to them.

 

regards.



#7 Michael Manning

Michael Manning
  • Members
  • 185 posts
  • LocationOhio, USA

Posted 06 February 2018 - 11:32 AM

Any idea when this will roll out as a general release? Still seeing nothing on our 300.

 

EDIT and it just showed up as an early release on my 300



#8 tmenke

tmenke
  • Members
  • 5 posts

Posted 07 February 2018 - 04:43 AM

Hi There,

 

normally password automatically generated by Barracuda spam filter, after upgrading to the new firmware users have to enter there active directory passwords or we have to rest all users passwords and send it to them.

 

regards.

Is there a way, that Users use their ad Accounts? I searched in the stable release and found no way to configure that. Our users an helpdesk will go nuts if they have to set or use a different password just for Spam filtering.

 

EDIT: We have a 300 if this matters in any way.



#9 Jason Smidt

Jason Smidt
  • Members
  • 1 posts

Posted 07 February 2018 - 04:49 PM

i wonder why i stil have no early release or new release available ?



#10 Peggy MacLeod

Peggy MacLeod
  • Members
  • 7 posts

Posted 09 February 2018 - 04:14 PM

 Also waiting.  We have 2 model 300's, with no sign of an update on either unit.



#11 rootNWD

rootNWD
  • Members
  • 21 posts

Posted 14 February 2018 - 12:09 AM

1. How about Distribution Group Email Address, that only have member mailboxes to deliver mail to, but no AD account ? Use Alias Linking ?

2. How about for Exchange linked mailbox, which the AD account is disabled ? Again use Alias Linking ?

 

Thanks!



#12 Peggy MacLeod

Peggy MacLeod
  • Members
  • 7 posts

Posted 14 February 2018 - 11:36 AM

We never did see 8.0.3.003, but update 8.0.3.004 appeared as an Early Release on the Firmware Update page overnight -- just in time for Valentine's Day!



#13 Michael Manning

Michael Manning
  • Members
  • 185 posts
  • LocationOhio, USA

Posted 14 February 2018 - 03:54 PM

yep, we now see .004 as the early release as well. I'm going to sit tight and wait until it's a general release, and then some.



#14 Gunter Schindler

Gunter Schindler
  • Members
  • 1 posts

Posted 15 February 2018 - 05:59 AM

I believe this is a very big drawback in usability!

Please add an option to disable this feature!

 

Users won't accept it...



#15 Ben Serebin

Ben Serebin
  • Members
  • 4 posts

Posted 22 February 2018 - 06:44 PM

Holy smokes this is INSANE. The appliance to the email server is one hop typically. If Barracuda is concerned about this security issue, why not force TLS 1.2 between appliance to email server and keep the auto login functionality? I told that to Barracuda support, and the tech said, "I never thought of that. Good idea." Sigh... he confided they've been fielding calls from irate people. So....

 

CALL IN TO SUPPORT AND DEMAND THEY OFFER ABILITY TO DISABLE THIS "FEATURE"



#16 Marcus Gabler

Marcus Gabler
  • Members
  • 1 posts

Posted 27 February 2018 - 09:09 AM

I believe this is a very big drawback in usability!

Please add an option to disable this feature!

 

Users won't accept it...

 

Indeed, public folders and distribution lists on exchange servers aren't usable with quarantine atm, you should revert this behavior immediatly.The use of passwords isn't a solution and ad integration of the appliance isn't 

sophisticated enough to understand group membership, so links will be the only working thing.



#17 JRE

JRE
  • Members
  • 2 posts

Posted 06 March 2018 - 01:41 PM

We updated last week, and all I can say is that Barracuda did a horrible job testing this in anything but the most basic scenarios. 

 

For example, if a user has multiple email accounts they are responsible for, the browser gets confused about which account is being accessed at any given time.  Making sure the user clicks 'Sign out' fixes this *sometimes*, but the only sure way to get things to work is to clear the browser cookies before changing accounts - which is beyond most users.

 

I fully understand and support the reasoning behind the change, but as-is, the solution is poorly conceived, poorly tested, and poorly implemented.

 

Due to all of the problems and the user backlash, I've been forced to revert to the previous firmware, and I will remain on it until Barracuda gets this fixed correctly.



#18 Johnny Lee Conroy

Johnny Lee Conroy
  • Members
  • 25 posts

Posted 07 March 2018 - 01:59 PM

We seem to have lucked out on this one.  We use Global Quarantine instead of Per-User and one user within our department manages all of the quarantined messages, forwarding them on to users as needed.  (We're a small shop and only get a couple of messages a week being quarantined, on average.)

 

If we were set up for Per-User, this change would be a mess for us.  We're on a model 300, which doesn't do LDAP integration, so we'd need to set up new users and manage them within the appliance.  Thankfully that's not the case.

 

Johnny Lee



#19 Larry French

Larry French
  • Members
  • 5 posts

Posted 19 March 2018 - 03:11 PM

This is unreal..really..what a bone head move.  Like end users can do this after years of not having to do it.  The whining will be non stop.  So therefore I am here whining first because I can't upgrade to this nightmare.



#20 Larry French

Larry French
  • Members
  • 5 posts

Posted 19 March 2018 - 03:13 PM

Does this include each 'Action' link as well (Deliver | Whitelist | Delete | View )?

How are password managed/supplied for each user?

 

Seems like this could be a lot of work for the end user to view/delete quarantine messages.

These are great questions that no one can answer?