Forum Discussion

jfrizzell_43066's avatar
jfrizzell_43066
Icon for Nimbostratus rankNimbostratus
Dec 08, 2014

iRule SMTP Help

I am in need of a little help preventing an open SMTP Relay with the F5. I will give you some background information to the setup. We currently have a pool of 10 servers in our farm and it's currently being software load balanced. We want to move this functionality to the F5, but the problem is with the open relay. I have some devices that need to send only internally and others that need to send internally/externally. I have followed the setup from this site to do the base configuration and iRule http://clintboessen.blogspot.com/2011/11/load-balance-smtp-with-f5-big-ip.html Here is the current iRule:

when CLIENT_ACCEPTED {  
    if { [ class exists smtp_all_allowed ] }
    {
        if { [ class match [IP::client_addr] equals smtp_all_allowed ] }
        {
            snatpool smtp_allowed
                }
                elseif { [ class exists smtp_internal_only ] }
                {
                  if { [ class match [IP::client_addr] equals smtp_internal_only ] }
                  {
                        snatpool smtp_internal
                  }
        } else {
            snat automap
        }
    } else {
        snat automap
    }
}

I have locked down the receive connectors to the SNAT Pool members. Currently each SNAT pool has only one IP address in use. The IP address for the VS is 192.168.20.25, SNAT All is 192.168.20.210, and SNAT Internal is 192.168.20.211. This setup as described works great and only those members inside both data groups are allowed to make a successful connection. The problem however is the SMTP monitor fails on the SMTP pool because the self-IPs do not have access to the receive connectors. When I add the self-ip addresses (192.18.20.201, 192.168.20.202, 192.168.20.203) to the connectors, all traffic can connect to on port 25. So in an effort to correct this problem, I changed the snat automap in the iRule to reject and drop. This however didn't correct the issue and everyone inside and outside of the data groups can connect.

Any ideas on how I can solve this particular problem?

  • So in an effort to correct this problem, I changed the snat automap in the iRule to reject and drop. This however didn't correct the issue and everyone inside and outside of the data groups can connect.

    i think it should work. can you try this?

    when CLIENT_ACCEPTED {  
      if { [ class match [IP::client_addr] equals smtp_all_allowed ] } {
        snatpool smtp_allowed
      } elseif { [ class match [IP::client_addr] equals smtp_internal_only ] } {
        snatpool smtp_internal
      } else {
        reject
      }
    }
    
  • So in an effort to correct this problem, I changed the snat automap in the iRule to reject and drop. This however didn't correct the issue and everyone inside and outside of the data groups can connect.

    i think it should work. can you try this?

    when CLIENT_ACCEPTED {  
      if { [ class match [IP::client_addr] equals smtp_all_allowed ] } {
        snatpool smtp_allowed
      } elseif { [ class match [IP::client_addr] equals smtp_internal_only ] } {
        snatpool smtp_internal
      } else {
        reject
      }
    }
    
  • So in an effort to correct this problem, I changed the snat automap in the iRule to reject and drop. This however didn't correct the issue and everyone inside and outside of the data groups can connect.

    i think it should work. can you try this?

    when CLIENT_ACCEPTED {  
      if { [ class match [IP::client_addr] equals smtp_all_allowed ] } {
        snatpool smtp_allowed
      } elseif { [ class match [IP::client_addr] equals smtp_internal_only ] } {
        snatpool smtp_internal
      } else {
        reject
      }
    }