Prevent open mail relay

Question

We're currently running F5 LTM (11.6) for our Exchange 2013 environment. We have Source Address Translation set to Automap.
We have servers set to point to the VIP, and we are allowing the Self-IP on the receive connector. While it works, it's a security risk. I know one way to solve it, is to not use SNAT, and have the exchange servers use the F5 as their default gateway, but with the way our addressing is, I can't see this not causing routing issues.&nbsp;
As an alternative, is the best option to create a data group list, specifying the server IP addresses that should be allowed to relay. Then, create an iRule that checks the DG, if it's a match, point that to a different self IP?&nbsp;
In theory, I think this would work, but not sure how exactly how to write the iRule.&nbsp;
Any help would be appreciated&nbsp;

janek_42109 · Answer

Hello,
You can create an irule like this where SMTP_EXCHANGE_SERVERS is a Data Group List of Address
when CLIENT_ACCEPTED {
   if { not [matchclass [IP::remote_addr] equals SMTP_EXCHANGE_SERVERS] } {
   TCP::respond "554 Denied.
"      
   TCP::close
   }

I hope it helped

markn11_229516 · Answer

Hi Janek,&nbsp;
Thanks. That helps a lot! What if I wanted to have 3 different receive connectors for difference purposes, like 2 application connectors and then the default receive connector??&nbsp;
For example&nbsp;
If  IP:remote_address equals DataGroup1
snat to 10.10.10.100&nbsp;
If remote_address equals DataGroup2
snat to 10.10.10.200&nbsp;
else
snat automap (to the IP address it was using all along)&nbsp;

markn11_229516 · Answer

I tried to copy and paste the code you sent, but my F5 didn't like it. Not sure if I'm not running the right code. &nbsp;
I was able to get it to work by using this as an iRule. It works if I use client_addr or remote_addr. Not sure if one is preferred over the other.  Do you think this is acceptable?&nbsp;
when CLIENT_ACCEPTED {
set accepted_snat "10.10.10.100"&nbsp;
if { [ class exists SMTP_EXCHANGE_SERVERS ] }
{
if { [class match [IP::client_addr] equals SMTP_EXCHANGE_SERVERS] }
{
snat $accepted_snat
} else {
snat automap
}
} else {
snat automap
}
}&nbsp;

markn11_229516 · Answer

I tried to copy and paste the code you sent, but my F5 didn't like it. Not sure if I'm not running the right code. &nbsp;
I was able to get it to work by using this as an iRule. It works if I use client_addr or remote_addr. Not sure if one is preferred over the other.  Do you think this is acceptable?&nbsp;
when CLIENT_ACCEPTED {
set accepted_snat "10.10.10.100"&nbsp;
if { [ class exists SMTP_EXCHANGE_SERVERS ] }
{
if { [class match [IP::client_addr] equals SMTP_EXCHANGE_SERVERS] }
{
snat $accepted_snat
} else {
snat automap
}
} else {
snat automap
}
}&nbsp;

markn11_229516 · Answer

when CLIENT_ACCEPTED {
set accepted_snat "10.10.10.100"

if { [ class exists SMTP_EXCHANGE_SERVERS ] }
{
if { [class match [IP::client_addr] equals SMTP_EXCHANGE_SERVERS] }
{
snat $accepted_snat
} else {
snat automap
}
} else {
snat automap
}
}

text

Forum Discussion

Prevent open mail relay

6 Replies

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Connection Rest f5

Kubernetes cert-manager + LetsEncrypt + F5

The GSLB pool is providing an incorrect IP to end users

Unable to ping from some self ip on Velos

Not seeing the latest F5OS-A when running Journeys

Related Content

Phishing, Malware, Breach and Open-Source Security

AppWorld 2024 Call For Speakers open

DevCentral Connects Recap: Open Finance, APIs, AI & Security

DHCP Relay Virtual Server

Operationlizing Online Fraud Detection, Prevention, and Response

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS