Forum Discussion
Stuart_Myers_88
Sep 14, 2012Nimbostratus
Modifying SMTP traffic
We are having an issue with our spam filters sending email from their internal hostname "spamfilter.domain.com", as opposed to our externaly availible "mail.domain.com".
All SMTP traffic runs through the LTM and we have rules in place to direct traffic either to the spam filters (if the source is untrusted), on diretly to our SMTP servers (If the source is implicitly trusted, IE: reporting and monitoring servers that dont need to be filtered) or directly to the external destination (If the traffic source is an internal SMTP server or a spam filter)
The issue we are running into is that when an outside client recieves an e-mail, the "From" field shows that it is from "spam.domain.com" instead of "mail.domain.com". This causes some external spam filters to reject the mail because it doesnt match a reverse lookup.
Of course the easy fix would be to change the name on the spam filters, but they wont let us do that because it would be considered spoofing (stupid spam filters).
This is what i have so far, Im just trying to match the name and have it log, not even trying to change anything yet. but i can't seem to get this to work (Note that due to LTM setup and other iRules, this should be applied on smtp traffic coming into the LTM from the spam filters)
when CLIENT_ACCEPTED {
STREAM::expression {@spam.domain.com@spam.domain.com@}
STREAM::enable
}
when STREAM_MATCHED {
log local0. "Traffic from spam filters"
}
Any ideas why this wouldnt work? I also tried matching on a TCP::collect, but couldnt get that to happen either
- Michael_YatesNimbostratusHi Stuart,
- Stuart_Myers_88NimbostratusI believe in this case our spam filters would be considered the client, Their gateway for sending mail outside our environment is the LTM.
- Stuart_Myers_88NimbostratusAnyone have any ideas on this?
- Mohamed_LrhaziAltocumulusYou are right, it should log when a match occurs. If does not log, no match occured!
- What_Lies_Bene1CirrostratusI think you also need to have a Stream Profile assigned to the Virtual Server, just in case you haven't.
- Stuart_Myers_88NimbostratusI do have the stream profile associated with it, and it will log client accepted messages, but i cant seem to get any expressions to match.
- Mohamed_LrhaziAltocumulustcpdump is for capturing traffic, you could have it store the capture to a mycaptrue,pcap, download the file and open it with wireshark.
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects