Forum Discussion

JG's avatar
JG
Icon for Cumulonimbus rankCumulonimbus
May 18, 2014

iRule for SMTP: Passing Client IP Addr to backend mail servers

When SNATs are used for a virtual server, the backend SMTP servers cannot get the client IP address. This irule is intended to replace the string after "EHLO" or "HELO" in mail client initiation with...
application delivery
deployment
devops
iRules
LTM
security
JG's avatar
JG
Icon for Cumulonimbus rankCumulonimbus
May 26, 2014

I have finally had a chance to actually test an SMTP irule using the stream profile, and here's my latest version, which seems to work, at least under v10.2.4:

when RULE_INIT {
    set static::smtp_debug 1
}

when CLIENT_ACCEPTED {
    set caddr [IP::client_addr]
    if { ${static::smtp_debug} } { log local0. "Client addr: $caddr" }
    STREAM::expression {@[hH][eE][lL][oO] @@ @[eE][hH][lL][oO] @@ @354 End data with @354 End data with @ @250 2.0.0 Ok: queued as @250 2.0.0 Ok: queued as @}
    STREAM::enable
    set end_data_with_seen 0
}

when STREAM_MATCHED {
    set mstring [STREAM::match]
    if { ${static::smtp_debug} } { log local0. "STREAM_MATCHED: string: \"$mstring\"" }

    if { $mstring contains "354 End data with " } {
        if { ${static::smtp_debug} } { log local0. "STREAM_MATCHED: end_data_with_seen incremented." }
        incr end_data_with_seen
        return
    } elseif { $mstring starts_with "250 2.0.0 Ok: queued as " } {
        if { ${static::smtp_debug} } { log local0. "STREAM_MATCHED: seen queued_as: closing conn." }
        TCP::close
        return
    } else {
        if { $end_data_with_seen < 1 } {
            if { ${static::smtp_debug} } { log local0. "STREAM_MATCHED: init string seen: end_data_with_seen is 0." }
            set replacement [string range $mstring 0 1]
            append replacement "LO \[$caddr\]"

            if { ${static::smtp_debug} } { log local0. "STREAM_MATCHED: replacement string: \"$replacement\"" }
            STREAM::replace $replacement
        } else {
            if { ${static::smtp_debug} } { log local0. "STREAM_MATCHED: end_data_with_seen: not 0: stream disabled." }
            STREAM::disable
        }
    }
}

when SERVER_CONNECTED {
    STREAM::expression {@[hH][eE][lL][oO] @@ @[eE][hH][lL][oO] @@ @354 End data with @354 End data with @ @250 2.0.0 Ok: queued as @250 2.0.0 Ok: queued as @}
    STREAM::enable
}

Of course it is not perfect, and I don't think it can be perfect, as it seems we have run into the limitations of the BRE library the stream profile uses, or of my understanding of how to use the stream functionality.

As a result, I have to terminate the connection after a mail message is delivered to the backend SMTP server in this irule.

Some of the text strings in the regex expressions are specific to my mail server in order to minimize the chances of unexpected/incorrect/unwanted matching.