Forum Discussion
jnowlin_44976
Nimbostratus
Jun 01, 2009
Load Balance SMTP for Exchange 2007 relay
I need to load balance the SMTP relay traffic to my Exchange 2007 hub transport servers. I can set this up using auto SNAT, but I have discovered the issue that Exchange sees the traffic from my internal bigip IP address (and not the clients') and therefore is allowing any relay sent to the Exchange virtual server to relay (not secure).
Preferably I would like the bigip to load balance SMTP and the Exchange servers to see the traffic as the client IP addresses for logging and security.
Is there any way to accomplish this without changing the default gateway on the Exchange servers?
- slomah_85788
Nimbostratus
jnowlin,

- jnowlin_44976
Nimbostratus
No, I haven't. It looks like my only option is to not use bigip and use Windows NLB.

- John_Alam_45640
Historic F5 Account
Put the BigIP in in-line bridging mode. The bigip would still be physically between the servers and their default gateway but it would be bridging.

- jnowlin_44976
Nimbostratus
Sounds interesting, but I have not found any info on enabling bridging mode. Can you point me to a link or something? Is this going to affect my other load balanced nodes, or is this something I can turn on only for my Exchange hub transport nodes?

- Rich_77297
Nimbostratus
I am having this exact same issue with Exchange 2010. I contacted support recently about this and they don't officially have a solution. I may have to use Windows Network Load Balancing just for SMTP to resolve this issue.

- JRahm
Admin
This isn't an Exchange problem or an LTM problem, it's a limitation with the SMTP protocol in that there isn't support for an X-Forwarded-For header like HTTP has. So your choices are to a) set the LTM as your default gateway on your mail servers, b) bridge the traffic through LTM, or c) insert the client IP in some sort of mail header that you can then configure your mail server to read, act, and sanitize on.

- hoolio
Cirrostratus
I think SMTP does support X- like headers like HTTP does though. Here is an example of how to do it using .NET:

- JRahm
Admin
True, the RFC lays the framework, but how many implementations are there that won't require legwork? My point was X-Forwarded-For is well-supported in HTTP implementations, but not so much with SMTP. There have been enough questions on this front that it might be worthwhile to try to get a working solution with sendmail and Exchange and look at LTM implementations with stream or an SMTP proxy.

- jnowlin_44976
Nimbostratus
So you mentioned bridge mode, and this seems like the only option besides configuring NLB and not using the bigip at all. I have not found any info on enabling bridging mode. Can you point me to a link or something? Is this going to affect my other load balanced nodes, or is this something I can turn on only for my Exchange hub transport nodes?

- JRahm
Admin
Bridging is configured by creating VLAN groups.
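
Option (c) from the thread (carry the client IP in a mail header that the mail server reads, acts on, and sanitizes), sketched as an added example that is not from any poster, F5, or Exchange. The header name, addresses and function names are assumptions, and the check runs after DATA because the header is part of the message.

```python
import ipaddress
from email import message_from_string

# Constructed values: nothing here comes from the thread or from a real product.
LB_SELF_IPS = {ipaddress.ip_address("10.0.0.5")}        # assumed SNAT address of the load balancer
RELAY_ALLOWED = [ipaddress.ip_network("10.1.20.0/24")]  # assumed clients permitted to relay
CLIENT_HEADER = "X-Forwarded-Client-IP"                 # hypothetical header name

def effective_client(peer_ip, raw_message):
    """Return (client address or None, message with the header stripped)."""
    peer = ipaddress.ip_address(peer_ip)
    msg = message_from_string(raw_message)
    values = msg.get_all(CLIENT_HEADER, [])
    del msg[CLIENT_HEADER]            # sanitize: drop every copy before delivery
    if peer not in LB_SELF_IPS:
        return peer, msg              # direct connection: the header is untrusted, use the peer
    if len(values) != 1:
        return None, msg              # missing or duplicated header via the LB: fail closed
    try:
        return ipaddress.ip_address(values[0].strip()), msg
    except ValueError:
        return None, msg              # unparsable value: fail closed

def may_relay(peer_ip, raw_message):
    """Relay decision keyed on the real client, never on the SNAT address itself."""
    client, _ = effective_client(peer_ip, raw_message)
    return client is not None and any(client in net for net in RELAY_ALLOWED)

def sample(header_values):
    """Build a constructed test message with the given header values."""
    lines = [f"{CLIENT_HEADER}: {v}" for v in header_values]
    return "\n".join(lines + ["Subject: test", "", "body"])

if __name__ == "__main__":
    for peer, hdrs in [("10.0.0.5", ["10.1.20.7"]), ("10.0.0.5", []),
                       ("192.0.2.44", ["10.1.20.7"]), ("10.1.20.8", [])]:
        print(peer, hdrs, may_relay(peer, sample(hdrs)))
```

The second case is the one the original question describes: traffic arriving from the load balancer's own address with no trustworthy client identity is refused rather than relayed.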