For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jfrizzell_43066's avatar
jfrizzell_43066
Icon for Nimbostratus rankNimbostratus
Dec 08, 2014
Solved

iRule SMTP Help

I am in need of a little help preventing an open SMTP Relay with the F5. I will give you some background information to the setup. We currently have a pool of 10 servers in our farm and it's currentl...
application delivery
deployment
design
devops
iRules
LTM
  • nitass_89166's avatar
    nitass_89166
    Dec 08, 2014

    So in an effort to correct this problem, I changed the snat automap in the iRule to reject and drop. This however didn't correct the issue and everyone inside and outside of the data groups can connect.

    i think it should work. can you try this?

    when CLIENT_ACCEPTED {  
  if { [ class match [IP::client_addr] equals smtp_all_allowed ] } {
    snatpool smtp_allowed
  } elseif { [ class match [IP::client_addr] equals smtp_internal_only ] } {
    snatpool smtp_internal
  } else {
    reject
  }
}
nitass's avatar
nitass
Icon for Employee rankEmployee
Dec 08, 2014

So in an effort to correct this problem, I changed the snat automap in the iRule to reject and drop. This however didn't correct the issue and everyone inside and outside of the data groups can connect.

i think it should work. can you try this?

when CLIENT_ACCEPTED {  
  if { [ class match [IP::client_addr] equals smtp_all_allowed ] } {
    snatpool smtp_allowed
  } elseif { [ class match [IP::client_addr] equals smtp_internal_only ] } {
    snatpool smtp_internal
  } else {
    reject
  }
}
  • jfrizzell_43066's avatar
    jfrizzell_43066
    Icon for Nimbostratus rankNimbostratus
    Dec 11, 2014
    Just tested it and it appears to be working. Thanks for the help.