Forum Discussion
Publishing private IP in Email Header After PAT
Kindly note that we have an F5 implementation as part of a third party solution which we are having a problem with.
The issue is that the F5 node is doing PAT on internal IP addresses when forwarding messages to external servers using the Public IP address. Our requirement is that in case of email communication, we are trying to show the private IP address within the message header in addition to the public IP address.
A feature on F5 called (x-forwarded) has been tried for this matter with no luck. Kindly advise on:
Confirm if (x-forwarded) would really help in this case
Advise on how (x-forwarded) feature is used with PAT on F5.
THANKS!!
7 Replies
- Hamish
Cirrocumulus
X-Forwarded-For is really for HTTP, although there's not a lot to stop you from using it in SMTP as well. It'll get ignored as it's an X- header.
However a more standard looking way would be to insert a fake received-from header into the SMTP headers so that the BigIP looks like an SMTP hop (i.e. Has both the realIP in one received line and the translated address will be inserted into the next one by the next hop).
H
- ajafari_2524
Nimbostratus
to insert a fake received-from header into the SMTP headers so that the BigIP looks like an SMTP hop
Thanks for the tip Hamish, however I am not sure where should this insertion happen? I mean should it be on the client side or at the Big IP side? And how?
Thanks again
AJ
- Hamish
Cirrocumulus
Well... I can think of a couple of approaches.
1. You could write an iRule to parse through the SMTP headers and add a new Received-From header after the last one. That'd be the most flexible, but would
2. If the previous Received-From is fairly static (Or a limited number of entries) you could add a new one (Or even alter the existing one) via a stream profile.
H
- ajafari_2524
Nimbostratus
Hmm interesting!
I wonder if High Speed Logging or using an SMTP proxy iRule would be helpful in this?
- What_Lies_Bene1
Cirrostratus
Two things;
1) Some might consider inserting this information a security risk, as you are revealing your internal addressing externally.
2) I'm not sure what logging has to do with your issue?
- ajafari_2524
Nimbostratus
Thanks WLB for your queries, to answer:
1. It is a requirement to log user behaviour in case we get a complaint from outside our company. Can you suggest a better option that is less of a security risk?
2. HSL can be used to log the information from source IP and pass it in the SMTP header of the PAT traffic (or actually I am hoping if someone can tell me it can)
- What_Lies_Bene1
Cirrostratus
1.) Perhaps you could just insert the last, or last two octets of the IP address? Would that be enough to identify the source? Or perhaps a hostname, it's still revealing but not quite as bad.
2.) HSL is for logging, you can't use it to insert SMTP headers. But you could use it to log details about every message sent, would that be useful to you?
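
The trade-off in the last reply, as an added example that is not part of the thread and is not an iRule or F5 code: Python that tags an outbound message with only the last two octets of the client address and emits a log line holding the full address for later correlation. The header name `X-Originating-Host-Id`, the function names and the sample message are assumptions made for illustration.

```python
import ipaddress
import json

HEADER = b"X-Originating-Host-Id"  # hypothetical header name (assumption, not an F5 or RFC field)


def partial_ip(client_ip, octets=2):
    """Keep only the last `octets` octets of an IPv4 address."""
    if octets not in (1, 2):
        raise ValueError("expose at most the last two octets")
    addr = ipaddress.IPv4Address(client_ip)  # raises ValueError on malformed input
    return ".".join(str(addr).split(".")[-octets:])


def header_value(lines, name):
    """Return the value of the first header called `name`, or None."""
    prefix = name.lower() + b":"
    for line in lines:
        if line.lower().startswith(prefix):
            return line[len(prefix):].strip().decode("ascii", "replace")
    return None


def strip_header(lines, name):
    """Drop every header called `name`, including folded continuation lines."""
    prefix, kept, skipping = name.lower() + b":", [], False
    for line in lines:
        if line[:1] not in (b" ", b"\t"):  # a new header starts here
            skipping = line.lower().startswith(prefix)
        if not skipping:
            kept.append(line)
    return kept


def tag_message(raw, client_ip, octets=2):
    """Return (tagged_message, json_log_line) for one outbound message."""
    eol = b"\r\n" if b"\r\n" in raw else b"\n"
    head, sep, body = raw.partition(eol + eol)
    lines = strip_header(head.split(eol), HEADER)  # discard any client-supplied copy
    token = partial_ip(client_ip, octets)
    # Trace information is prepended, the way a relay adds its Received line.
    lines.insert(0, HEADER + b": " + token.encode("ascii"))
    log = json.dumps({"message_id": header_value(lines, b"Message-ID"),
                      "client_ip": client_ip, "header_token": token}, sort_keys=True)
    return eol.join(lines) + sep + body, log


# Constructed sample: the sender tries to pre-set the header to mislead tracing.
SAMPLE = (b"X-Originating-Host-Id: 99.99\r\n\tspoofed\r\n"
          b"Message-ID: <constructed-1@example.test>\r\n"
          b"Subject: test\r\n\r\nbody\r\n")
```

The full internal address stays in the log line only; the message carries the partial value, and the Message-ID ties the two together when a complaint arrives.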
