Huwaihi_195804
Jul 29, 2015

SMTP inline load balancing with no SMTP greeting

We currently have two Cisco IronPort Email Security Appliances that are load balanced using the BIG-IP. These appliances are placed behind the BIG-IP (the BIG-IP is their default gateway). When configuring the virtual server with no SNAT, when the client is initially connected, he is not presented with an SMTP greeting. Once SNAT is configured as automap, the SMTP greeting would appear to the client. We want to pass the client IP address to the IronPort appliances, so we do not want to configure SNAT.

We are facing some issues with web servers that send emails using Java. When they try to communicate with the virtual IP load balancing the IronPort appliances, while no SNAT is configured, an error would appear and the message delivery would fail. Once SNAT is configured as automap, the mail delivery would be successful. We want to perform some access control on the IronPort based on IP addresses, so we want to pass the actual server IP address.

As a workaround, we have created an iRule that turns on SNAT automap if it matches a list of IP addresses (of web servers). Otherwise, SNAT is disabled for other clients.

Is there a way we can pass the SMTP greeting to the client without configuring SNAT automap?

4 Replies

  • Vernon_97235
    Historic F5 Account

    How do you have the Virtual Server configured? If it's a Standard TCP (with no higher layer profiles) or fastL4, then any response made by the server should be proxied through the BIG-IP. Have you had a chance to tcpdump to verify that the server is sending the greeting (I assume you mean the 220 initial message?) in both cases (i.e., with and without SNAT)?

    • Huwaihi_195804
      The virtual server is configured with standard TCP. I do not understand the point regarding tcpdump (I know what tcpdump is, but I am not sure how to utilize it here). Yes, I am referring to the 220 initial message. This message is only appearing when snat is configured as automap.
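
An added example, not part of the original thread: a small client-side probe that separates "TCP connection established but no 220 greeting" from "connection failed", so the same check can be repeated against the virtual server with and without SNAT. The function name `probe_greeting` and its return labels are hypothetical, chosen for this illustration.

```python
import socket

def probe_greeting(host, port=25, timeout=5.0):
    """Return (state, detail) for one SMTP connection attempt.

    state is one of:
      "connect_failed" - the TCP handshake did not complete
      "no_greeting"    - handshake completed, but no data arrived in time
      "closed"         - peer closed or reset before sending anything
      "greeting"       - a 220 line arrived (detail holds the line)
      "unexpected"     - data arrived, but it was not a 220 reply
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("connect_failed", str(exc))
    with sock:
        sock.settimeout(timeout)
        buf = b""
        try:
            # The SMTP server speaks first; read until the end of its first line.
            while b"\n" not in buf and len(buf) < 1024:
                chunk = sock.recv(512)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            if not buf:
                return ("no_greeting", None)
        except OSError as exc:
            return ("closed", str(exc))
    if not buf:
        return ("closed", None)
    line = buf.split(b"\n", 1)[0].decode("ascii", "replace").rstrip("\r")
    return ("greeting" if line.startswith("220") else "unexpected", line)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print(probe_greeting(sys.argv[1], port))
    else:
        print("usage: probe.py <virtual-server-address> [port]")
```

A `no_greeting` result from the client, compared with a packet capture taken on the server side at the same moment, shows whether the 220 line was never sent or was sent and did not reach the client.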