Preserve original source IP with SNAT for SMTP
Hi guys,
Reading through various posts here on DevCentral, I have a feeling I will not be able to achieve what I want, but I'd rather ask again.
Our topology looks like: source -> firewall -> F5 LTM -> firewall -> router -> backend servers
I am trying to load balance SMTP but the server guys need to see the original source IP in order to allow or deny sending emails.
The problem is that I need to work with SNAT because the backend servers are far from the LB, behind another firewall and router. Their default gateway must be the one of the router.
If I keep the original source IPs, I would face asymmetric routing and some firewall on the way back would kill the session.
We checked the backend SMTP server configuration and there is no other way to allow/deny sources there except for the IP addresses.
So can I load balance SMTP traffic with SNAT while somehow being able (on the backend server) to tell what was the original source IP?
Thanks.
13 Replies
- The-messenger
Cirrostratus
It is possible to write headers to the SMTP conversation, most every email filtering system does this. This can be done outside the "Data" piece.
- Kevin_Davies
Nacreous
haproxy's PROXY protocol https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt provides the solution to this problem.
This presents the client's real IP address as a line of data when establishing a connection to the SMTP server. The SMTP server has to support v1 of the protocol and an iRule is written to emulate the protocol on the backend connection.
This is the code for initiating a back-end connection to the SMTP server using this protocol
This is not required but listed for reference. If you ever need to receive PROXY protocol connections then this handles that as well.
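
The receiving side of the PROXY protocol v1 exchange described above, sketched in Python as an added example (not the iRule from this post and not F5 or HAProxy code): it parses the one-line header and applies the allow/deny decision to the original client IP, honouring the header only when the connection arrives from the load balancer's SNAT address. `TRUSTED_PROXIES`, `ALLOWED_SENDERS` and the function names are assumptions, and all addresses are constructed documentation values.

```python
import ipaddress

MAX_V1_LEN = 107  # longest v1 header the spec allows, CRLF included
# Assumed, constructed values: the LTM's SNAT address and the permitted senders.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
ALLOWED_SENDERS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_proxy_v1(data: bytes):
    """Return (src_ip, src_port, dst_ip, dst_port); raise ValueError if malformed."""
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end == -1:
        raise ValueError("no CRLF within the first 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    # "PROXY UNKNOWN ..." carries no usable address, so it is rejected here too.
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("not a TCP4/TCP6 PROXY v1 header")
    version = 4 if fields[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    if src.version != version or dst.version != version:
        raise ValueError("address family does not match protocol field")
    ports = []
    for p in fields[4:6]:
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 65535:
            raise ValueError("bad port")
        ports.append(int(p))
    return src, ports[0], dst, ports[1]


def effective_client(peer_ip: str, first_bytes: bytes):
    """Address the allow/deny rule should be evaluated against."""
    peer = ipaddress.ip_address(peer_ip)
    if peer in TRUSTED_PROXIES:
        return parse_proxy_v1(first_bytes)[0]  # header is mandatory from the LB
    if first_bytes.startswith(b"PROXY "):
        # Anyone can type a PROXY line; only the load balancer's is believed.
        raise ValueError("PROXY header from untrusted peer")
    return peer


def allowed(peer_ip: str, first_bytes: bytes) -> bool:
    """True if the connection's effective client address is a permitted sender."""
    try:
        client = effective_client(peer_ip, first_bytes)
    except ValueError:
        return False
    return any(client in net for net in ALLOWED_SENDERS)
```

The header is read before the SMTP banner is sent, so on a connection from the load balancer `first_bytes` is whatever arrives first on the socket.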
- NatDoyle
Altostratus
Gonna give this a go now thanks Kev