Forum Discussion
Stuart_Myers_88
Nimbostratus
Sep 14, 2012
Modifying SMTP traffic
We are having an issue with our spam filters sending email from their internal hostname "spamfilter.domain.com", as opposed to our externally available "mail.domain.com".
All SMTP traffic runs through the LTM and we have rules in place to direct traffic either to the spam filters (if the source is untrusted), or directly to our SMTP servers (if the source is implicitly trusted, i.e. reporting and monitoring servers that don't need to be filtered) or directly to the external destination (if the traffic source is an internal SMTP server or a spam filter).
The issue we are running into is that when an outside client receives an e-mail, the "From" field shows that it is from "spam.domain.com" instead of "mail.domain.com". This causes some external spam filters to reject the mail because it doesn't match a reverse lookup.
Of course the easy fix would be to change the name on the spam filters, but they won't let us do that because it would be considered spoofing (stupid spam filters).
This is what I have so far. I'm just trying to match the name and have it log, not even trying to change anything yet, but I can't seem to get this to work. (Note that due to LTM setup and other iRules, this should be applied on SMTP traffic coming into the LTM from the spam filters.)
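    when CLIENT_ACCEPTED {
        # Stream expression format is @search@replace@; here the replacement
        # equals the search string, so the payload is left unchanged.
        STREAM::expression {@spam.domain.com@spam.domain.com@}
        STREAM::enable
    }
    when STREAM_MATCHED {
        # Fires once per match of the expression above.
        log local0. "Traffic from spam filters"
    }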
Any ideas why this wouldn't work? I also tried matching on a TCP::collect, but couldn't get that to happen either.
7 Replies
- Michael_Yates
Nimbostratus
Hi Stuart,
You are scanning the communication FROM the client. Not the response to the client which is where you would need to make your replacement.
See this example which is very close to what you have. He is scanning the incoming mail for unauthorized domains, but he is doing it on Incoming Mail.
SMTP Stream catching unapproved domains
Hope this helps.
- Stuart_Myers_88
Nimbostratus
I believe in this case our spam filters would be considered the client. Their gateway for sending mail outside our environment is the LTM.
Regardless, shouldn't I be able to match this expression either way?
- Stuart_Myers_88
Nimbostratus
Anyone have any ideas on this?
- Mohamed_Lrhazi
Altocumulus
You are right, it should log when a match occurs. If it does not log, no match occurred!
I'd add a log statement in CLIENT_ACCEPTED, then take a tcpdump -s0 while generating the traffic you think should match, then see if your captured traffic did indeed contain the string you are looking for. Make sure your traffic is indeed going through this iRule.
- What_Lies_Bene1
Cirrostratus
I think you also need to have a Stream Profile assigned to the Virtual Server, just in case you haven't.
- Stuart_Myers_88
Nimbostratus
I do have the stream profile associated with it, and it will log client accepted messages, but I can't seem to get any expressions to match.
What does the tcpdump -s0 do exactly? This is on a production system, and I don't want to risk compromising it.
- Mohamed_Lrhazi
Altocumulus
tcpdump is for capturing traffic. You could have it store the capture to a mycapture.pcap, download the file and open it with Wireshark.
Options I use most:
-s0: means capture the full packets, by default it truncates them.
-w /var/tmp/outputfile: don't print packets out, store them in binary format in the given file
-i vlan_name: the VLAN name to listen on, find list of names with "ifconfig -a" or use "any" for all VLANs.
man tcpdump for more.
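Following up on the suggestion above to check whether the captured traffic really contains the string: this is an added example, not part of the original thread, that takes the client-to-server bytes of one SMTP session exported from the capture and lists where the hostname appears. The function name, the sample session and its addresses are constructed for illustration; it compares case-insensitively, separately counts exact-case occurrences, and reports STARTTLS, after which the payload is encrypted and a plain-text match cannot see it.

```python
# Constructed sample: client-to-server bytes of one SMTP session, as exported
# from a capture (for example Wireshark's "Follow TCP Stream", client side).
SAMPLE = (
    b"EHLO Spam.Domain.com\r\n"
    b"MAIL FROM:<alice@domain.com>\r\n"
    b"RCPT TO:<bob@example.org>\r\n"
    b"DATA\r\n"
    b"Received: from mailhost by spam.domain.com; Fri, 14 Sep 2012 10:00:00\r\n"
    b"Message-ID: <1234@spam.domain.com>\r\n"
    b"From: alice@domain.com\r\n"
    b"\r\n"
    b"body text\r\n"
    b".\r\n"
    b"QUIT\r\n"
)


def locate_hostname(stream: bytes, hostname: str) -> dict:
    """Report where hostname appears in the client side of an SMTP session."""
    exact = hostname.encode()
    needle = exact.lower()
    hits = []        # (where, line) for each line naming the host, any case
    exact_case = 0   # occurrences a byte-exact, case-sensitive match would find
    in_data = in_headers = starttls = False
    for raw in stream.split(b"\r\n"):
        if in_data:
            if raw == b".":              # end of message, back to commands
                in_data = False
                continue
            if in_headers and raw == b"":
                in_headers = False       # blank line ends the header block
            where = "header" if in_headers else "body"
        else:
            verb = raw.strip().upper()
            if verb == b"STARTTLS":      # everything after this is encrypted
                starttls = True
                break
            if verb == b"DATA":
                in_data = in_headers = True
            where = "command"
        if needle in raw.lower():
            hits.append((where, raw.decode("latin-1")))
            exact_case += raw.count(exact)
    return {"hits": hits, "exact_case": exact_case, "starttls": starttls}


if __name__ == "__main__":
    print(locate_hostname(SAMPLE, "spam.domain.com"))
```

If `hits` is non-empty but `exact_case` is lower than the number of hits, the host is being sent with different capitalisation than the pattern; if `starttls` is true, only the lines before the TLS handshake are visible on the wire.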
