Forum Discussion

AHernandez's avatar
AHernandez
Icon for Altostratus rankAltostratus
Oct 18, 2022

Irule to check if traffic SMTP is with authentication or not

I all, I'm very new here and I tryng to get help witt a new IRule that can get if the traffic SMTP it's with authentication or not.

The Idea is:

Option 1:

if the SMTP traffic it's coming with authentication---->send it to Server 1 

if the SMTP traffic it's coming without authentication---->send it to Server 2

 

Option 2:

if the SMTP traffic it's coming with authentication---->send it to Server 1 

if the SMTP traffic it's coming without authentication---->put the authentication (user, login) and send it to Server 1

 

Can anyone orient me how can I do this IRule Option 1  or 2?

I will be very pleasure for hyour help.

Andrés H.

10 Replies

  • Are you using port 587 for Auth SMTP traffic? If you have a single all-ports vip handling both, this is not the best idea. I'm taking a guess here. If that's the case, just do a port 25 VIP and a port 587 VIP for the same IP. Two different pools.

     

     

    • AHernandez's avatar
      AHernandez
      Icon for Altostratus rankAltostratus

      AubreyKingF5  many thanks for your fast answer.

      With your answer I have resolved one part of my problem:

      1.-New servers and that's could accept SMTP AUTH: ✔️ OK

      if the SMTP traffic it's coming with authentication---->send it to the Virtual Server (port 587)-->Pool-587 ✔️OK

      2.-For legacy server:

      if the SMTP traffic it's coming without authentication---->actually send it to the Virtual Server (port 25)-->Pool-25, this pool is a postfix server.

      There are any way to avoid the postfix server? I mean, can I create some IRule on Virtual Server (port 25) that can resend the traffic to the Virtual Server (port 587), with the SMTP AUTH,  putting the authentication (user, login)?

      If you need some flow chart in order to can explain my problem better I can attach it.

       

      Thanks,

      Andrés H.

    • AubreyKingF5's avatar
      AubreyKingF5
      Icon for Admin rankAdmin

      Ah! so.. just have the same IP address and 2 different ports. With F5, a VIP is defined as an ip/port combination. A virtual address is just an IP.  They are different object types.. with a VA responsible for more L2/3 functionality, rather than L4-7 on the VIP. So a VA can have n number of VIPs attached to it.

       

      All of your email heads toward the IP address for mail. The port 25 VIP will have a port 25 pool. The port 587 VIP handles the auth'd traffic... Still same IP address for both.

       

      Regarding resending with auth, I'm certain there's a way to do it in iRules, but I doubt it would be worth it, as the iRule would need to collect client data, then find auth, but then it would likely need to apply the auth for MANY different clients.. you would likely need a way to process traffic per-client. I think your administration would be a nightmare and also that your BIG-IP would suffer a HEAVY load penalty from this iRule.. especially if a hacker figured out what you were doing and dropped a spam bomb on you. I was a mail administrator in a former life.. been there.

  • Many Thanks to all for your answers, finally I've implemented 2 VIPs, same IP address and differents ports.

    Regards,
    Andrés.

    • Shahid5407's avatar
      Shahid5407
      Icon for Nimbostratus rankNimbostratus

      Dear Ahernandez,

      Could you please more details how you have achieved this.

      • AHernandez's avatar
        AHernandez
        Icon for Altostratus rankAltostratus

        Hi Shahid5407,

        Finally I've implemented 2 Virtual server

        1.-VIP1: The port 25 VIP will have a port 25 pool.

        2.-VIP2: The port 587 VIP handles the auth'd traffic.

        both wit the same IP Address and work with differents ports (25 and 587).

        Regards,

        Andrés H.