Forum Discussion
iRule to check if SMTP traffic is with authentication or not
Hi all, I'm very new here and I'm trying to get help with a new iRule that can tell whether the SMTP traffic is with authentication or not.
The idea is:
Option 1:
If the SMTP traffic is coming with authentication ----> send it to Server 1
If the SMTP traffic is coming without authentication ----> send it to Server 2
Option 2:
If the SMTP traffic is coming with authentication ----> send it to Server 1
If the SMTP traffic is coming without authentication ----> add the authentication (user, login) and send it to Server 1
Can anyone point me to how I can do this iRule, Option 1 or 2?
I will be very grateful for your help.
Andrés H.
- AubreyKingF5
Moderator
Are you using port 587 for Auth SMTP traffic? If you have a single all-ports vip handling both, this is not the best idea. I'm taking a guess here. If that's the case, just do a port 25 VIP and a port 587 VIP for the same IP. Two different pools.
- AHernandez
Altostratus
AubreyKingF5, many thanks for your fast answer.
With your answer I have resolved one part of my problem:
1.- New servers that can accept SMTP AUTH: ✔️ OK
If the SMTP traffic is coming with authentication ----> send it to the Virtual Server (port 587) --> Pool-587 ✔️ OK
2.- For legacy servers: ❓
If the SMTP traffic is coming without authentication ----> actually send it to the Virtual Server (port 25) --> Pool-25; this pool is a postfix server.
Is there any way to avoid the postfix server? I mean, can I create some iRule on the Virtual Server (port 25) that can resend the traffic to the Virtual Server (port 587) with SMTP AUTH, adding the authentication (user, login)?
If you need a flow chart so that I can explain my problem better, I can attach it.
Thanks,
Andrés H.
- AHernandez
Altostratus
Does anyone know how to do that iRule, or whether this can be implemented?
As there are no SMTP iRule events, you will need to use TCP::collect to capture the TCP data (for SMTP over SSL, SSL::collect); see https://clouddocs.f5.com/api/irules/TCP__collect.html.
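What "is this SMTP session authenticated?" comes down to once the client bytes have been collected, as an added Python illustration that is not part of the thread and is not iRule code: the decision is whether an AUTH command appears before the first MAIL command. The function names and sample sessions are constructed for this example; the pool names are the ones used in the thread.

```python
# Added illustration: classify one SMTP session from its client-to-server bytes.
POOL_BY_CLASS = {"auth": "Pool-587", "no-auth": "Pool-25"}  # pool names from the thread


def classify_smtp_client_stream(data: bytes) -> str:
    """Return "auth", "no-auth", "encrypted" or "undecided".

    "auth":      an AUTH command (RFC 4954) precedes the first MAIL command.
    "no-auth":   MAIL arrives with no AUTH before it.
    "encrypted": STARTTLS comes first, so later commands are not visible
                 to a plaintext inspector.
    "undecided": the buffer holds no deciding command yet; collect more.
    """
    lines = data.split(b"\r\n")
    # The last element is either empty or an unterminated partial line;
    # never decide on a command that has not been fully received.
    for line in lines[:-1]:
        parts = line.split(None, 1)
        if not parts:
            continue
        verb = parts[0].upper()  # SMTP verbs are case-insensitive
        if verb == b"STARTTLS":
            return "encrypted"
        if verb == b"AUTH":
            return "auth"
        if verb == b"MAIL":
            return "no-auth"
    return "undecided"


def pool_for(data: bytes):
    """Map a classification to a pool name, or None when no pool can be chosen."""
    return POOL_BY_CLASS.get(classify_smtp_client_stream(data))


# Constructed sample sessions (client side only, credentials are made up).
SAMPLES = {
    "modern": b"EHLO c.example\r\nAUTH PLAIN AGFsaWNlAHNlY3JldA==\r\nMAIL FROM:<a@example.com>\r\n",
    "legacy": b"HELO legacy.example\r\nMAIL FROM:<x@example.com>\r\n",
    "tls": b"EHLO c.example\r\nSTARTTLS\r\n",
    "partial": b"EHLO c.example\r\nAUTH PL",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_smtp_client_stream(raw), pool_for(raw))
```

An SMTP client sends its first command only after it has received the server greeting, and AUTH only after the EHLO reply, so the deciding bytes arrive several round trips into the connection.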
- AubreyKingF5
Moderator
Ah! so.. just have the same IP address and 2 different ports. With F5, a VIP is defined as an ip/port combination. A virtual address is just an IP. They are different object types.. with a VA responsible for more L2/3 functionality, rather than L4-7 on the VIP. So a VA can have n number of VIPs attached to it.
All of your email heads toward the IP address for mail. The port 25 VIP will have a port 25 pool. The port 587 VIP handles the auth'd traffic... Still same IP address for both.
Regarding resending with auth, I'm certain there's a way to do it in iRules, but I doubt it would be worth it, as the iRule would need to collect client data, then find auth, but then it would likely need to apply the auth for MANY different clients.. you would likely need a way to process traffic per-client. I think your administration would be a nightmare and also that your BIG-IP would suffer a HEAVY load penalty from this iRule.. especially if a hacker figured out what you were doing and dropped a spam bomb on you. I was a mail administrator in a former life.. been there.
- AHernandez
Altostratus
Many thanks to all for your answers. Finally I've implemented 2 VIPs, same IP address and different ports.
Regards,
Andrés.
- Shahid5407
Nimbostratus
Dear AHernandez,
Could you please give more details on how you achieved this?
- AHernandez
Altostratus
Hi Shahid5407,
Finally I've implemented 2 Virtual Servers:
1.- VIP1: The port 25 VIP will have a port 25 pool.
2.- VIP2: The port 587 VIP handles the auth'd traffic.
Both with the same IP address, working with different ports (25 and 587).
Regards,
Andrés H.