kpiti_52215
Apr 01, 2012

Selecting a POP3 pool

I'm trying to create a migration strategy for our mail system. The migration will take some time, so some users will be on the old system and some on the new one. I'm thinking of an iRule that would check if the user already exists on the new LDAP and direct him to the new system, or else to the old one. This applies to POP3 access (and eventually IMAP, but the concept is the same).



The way the POP3 conversation goes is:

    S: +OK POP3 server ready.
    S: +OK Capability list follows
    C: USER foo
    S: +OK please send PASS command
    C: PASS aSecret
    S: ...



So my idea is that LTM would pretend to be the POP3 server to the point where it gets USER and PASS, try to authenticate them against the new LDAP and then select the appropriate pool. Here is where I'd need a bit of direction. If you just direct the client to the pool and do nothing, the _real_ server will start the conversation from the start, but the client will think he's already done the auth part and there will be confusion. I also shouldn't TCP::release the conversation before I get confirmation whether the default pool is the right one; otherwise I end up at the same point as before. So I think I have to redo the conversation the client had with the "LTM POP3 server" against the appropriate server before I release the client to the real server.



So the logic would be:

1. LTM pretends to be the POP3 server and speaks POP3 until it gets the user's credentials
2. it checks if the user exists in the LDAP and picks the correct pool
3. LTM replays the client part of the POP3 conversation to the correct pool
4. release the client to the correct pool



Is the logic correct?


What would be the right way to do that? Save client responses or just generate them? Any ideas on this?
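The four-step flow above as an iRule sketch, added here as an example and not the poster's (or F5's) solution. It assumes a data group named migrated_users in place of the LDAP lookup, pools named pop3_new_pool and pop3_old_pool, one POP3 command per packet, and no STLS handling.

```tcl
# Added example, not the poster's iRule: LTM answers POP3 itself until USER/PASS arrive,
# picks the pool, replays both commands to the real server, then goes transparent.
# Assumed names: data group "migrated_users" stands in for the new-LDAP lookup;
# pools pop3_new_pool / pop3_old_pool. One command per packet assumed; STLS not handled.
when CLIENT_ACCEPTED {
    set user ""; set pass ""; set step 0
    TCP::respond "+OK POP3 server ready.\r\n"
    TCP::collect    ;# hold client data; no server-side connection yet
}
when CLIENT_DATA {
    set line [string trim [TCP::payload]]
    TCP::payload replace 0 [TCP::payload length] ""   ;# never forward these bytes as-is
    switch -glob -- [string toupper $line] {
        "CAPA"   { TCP::respond "+OK Capability list follows\r\nUSER\r\n.\r\n" }
        "USER *" { set user [string range $line 5 end]
                   TCP::respond "+OK please send PASS command\r\n" }
        "PASS *" {
            set pass [string range $line 5 end]
            if { $user eq "" } { TCP::respond "-ERR send USER first\r\n"; TCP::collect; return }
            if { [class match $user equals migrated_users] } { pool pop3_new_pool } else { pool pop3_old_pool }
            # Releasing the now-empty payload opens the server-side connection; the client
            # is waiting for a reply, so nothing else reaches the server yet.
            TCP::release
            return
        }
        default  { TCP::respond "-ERR authenticate first\r\n" }
    }
    TCP::collect
}
when SERVER_CONNECTED { TCP::collect }   ;# intercept the real server's greeting
when SERVER_DATA {
    set reply [TCP::payload]
    TCP::payload replace 0 [TCP::payload length] ""   ;# client must not see the replay
    if { ![string match "+OK*" $reply] } {
        set pass ""
        clientside { TCP::respond "-ERR authentication failed\r\n"; TCP::close }
        TCP::close
        return
    }
    switch $step {
        0 { TCP::respond "USER $user\r\n" }     ;# greeting consumed: replay USER
        1 { TCP::respond "PASS $pass\r\n" }     ;# USER accepted: replay PASS
        2 { set pass ""                         ;# PASS accepted: drop the secret, sync both sides
            clientside { TCP::respond "+OK Logged in.\r\n" }
            TCP::release
            return }
    }
    incr step
    TCP::collect
}
```

Because the LTM terminates the client's POP3 dialogue, the password lives in the iRule for the duration of the replay; the example clears it as soon as the server answers and never logs it.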
4 Replies

  • I have a similar need for both POP3 and IMAP. At a high level the logic is the same.

    I think the best way to handle the flow once the traffic is mapped to the proper pool is to return an "authentication failed", which should start the process all over but this time involving the back end server.

    An entry in the session table would also be required, and a check to see if the session already exists needs to be done so it wouldn't loop infinitely.

    Given F5 does not have any support from an iRule perspective for IMAP and POP3, I suspect this project would involve a lot of byte scans and string manipulations.
  • Actually I managed to solve the problem.. There are a couple of flaws in the above logic regarding the way iRules go. I'll post the full solution early next week..

    But you are right, you need to reimplement the protocol in the iRule, but as these are plaintext protocols not much byte scanning is involved.. STLS parts might prove to be an additional effort, but as I don't need it at the moment I haven't implemented it.. But it shouldn't be too hard, I presume..
  • Hmm, this line got funny in the post, perhaps this will show it like it should (after AUTH CHECK)

    if { [llength $authCred] == 2 && $authDone == 0 }
  • replace the corrupted line with

    if { [llength $authCred] == 2 && $authDone == 0 } {