Forum Discussion

bman_12685
Jun 01, 2012

smtp irule for access control

Hello,

I am trying to preserve the source IP information so that existing SMTP rules and greylists continue to work, but also ensure fault tolerance by placing SMTP servers behind an F5 VIP. I have a test pair of F5's and have tried the following:

Set up a VIP with the iRule posted below:

    when CLIENT_ACCEPTED {
        if { [matchclass [IP::remote_addr] equals smtp_relay_allowed] } {
            pool mail_pool
        } else {
            reject
        }
    }

The part that says "equals smtp_relay_allowed" is a data group list which has the IP ranges for some of my networks.

The behavior is that it simply rejects connections when the iRule is in place if a telnet connection is issued to the LB. This would seem to be in line with the rule, since it would connect to the LB and then, since it would have the src IP of the LB, reject the connection. However, is there a way to verify this? Is this type of rule being used, or is there a better way?

 
  • Hi bman,

    Your iRule seems like a good approach. Does it work for your scenario?

    Aaron
  • Are you saying that when you tested from a client IP in the smtp_relay_allowed data group, the connection was reset? Can you add a debug statement with the client IP?

    
    when CLIENT_ACCEPTED {
       log local0. "[IP::client_addr]:[TCP::client_port]: Connection to [virtual name] [IP::local_addr]:[TCP::local_port]"
       if { not [matchclass [IP::remote_addr] equals smtp_relay_allowed] } {
          log local0. "[IP::client_addr]:[TCP::client_port]: Rejecting client IP"
          reject
       }
    }
    

    Aaron
  • Actually it looks like it may be working; I have to test more, but for debugging I am doing this variation of it:

    when RULE_INIT {
        # debug logging to /var/log/ltm (local0)? 0 = no, 1 = yes
        set static::debug 1
        # placeholder: the LB's own address, not given in the post; replace before use
        set static::ip_of_lb "x.x.x.x"
    }

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::remote_addr] equals $static::ip_of_lb] } {
            # connection arrives from the LB itself
            log local0. "Node IP address is: [IP::remote_addr] and sent to SMTP_clients_from_ltm_addr"
        } else {
            log local0. "Node IP address is: [IP::remote_addr]"
            if { [class match [IP::client_addr] equals smtp_relay_allowed] } {
                pool mail.dcname
            } else {
                reject
            }
        }
    }
  • Basically I have a new rule set that implements a whitelist, a blacklist and a greylist; however, one part I am missing is the dnsrbl ability in milter-greylist, which now I have to figure out. Anyone have any ideas?

    My iRule is as so:

    when RULE_INIT {
        set static::debug 1
    }

    when CLIENT_ACCEPTED {
        # one if/elseif chain, so a whitelisted source never falls through to the untrusted SNAT pool
        if { [class match [IP::remote_addr] equals smtp_relay_allowed] } {
            if { $static::debug } { log local0. "Node IP address is: [IP::remote_addr] whitelisted as smtp_relay_allowed" }
            snatpool smtp_mailpool
        } elseif { [class match [IP::remote_addr] equals smtp_spambot_reject] } {
            if { $static::debug } { log local0. "Node IP address is: [IP::remote_addr] rejecting due to data group smtp_spambot_reject" }
            reject
        } else {
            # neither whitelisted nor a known spammer: SNAT to the range milter-greylist evaluates
            snatpool untrust_smtp_mailpool
        }
    }

    So the above allows SMTP to pass into a whitelist from internal sources, drops known bad spammers, and then passes anyone else to a SNAT pool IP range that gets evaluated by milter-greylist. However, I would like to also account for stuff like:

    dnsrbl "PBL" zen.spamhaus.org

    acl greylist dnsrbl "PBL" delay 66m
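The dnsrbl piece asked about in the last post, as an added example that is not from the thread or from F5: an iRule that keeps the whitelist/blacklist chain above and then checks the remaining clients against a DNS blocklist with RESOLV::lookup before handing them to the greylist SNAT pool. It assumes a resolver address (placeholder `static::dns_server`), the `zen.spamhaus.org` zone from the milter-greylist config, and the data groups and SNAT pools named in the thread; a listed host is rejected rather than delayed, since the iRule holds no greylist state.

```tcl
when RULE_INIT {
    set static::debug 1
    # placeholder (assumption): a DNS resolver the BIG-IP can reach
    set static::dns_server "x.x.x.x"
    # zone taken from the milter-greylist config in the thread
    set static::dnsbl_zone "zen.spamhaus.org"
}

when CLIENT_ACCEPTED {
    set client [IP::client_addr]

    # Trusted internal relays: never consult the DNSBL for them.
    if { [class match $client equals smtp_relay_allowed] } {
        if { $static::debug } { log local0. "$client whitelisted as smtp_relay_allowed" }
        snatpool smtp_mailpool
        return
    }
    # The locally maintained blacklist takes precedence over any external lookup.
    if { [class match $client equals smtp_spambot_reject] } {
        if { $static::debug } { log local0. "$client rejected by smtp_spambot_reject" }
        reject
        return
    }

    # DNSBL query name is the reversed IPv4 octets under the zone,
    # e.g. 192.0.2.10 -> 10.2.0.192.zen.spamhaus.org (IPv6 clients skip the check).
    set octets [split $client "."]
    if { [llength $octets] == 4 } {
        set query "[lindex $octets 3].[lindex $octets 2].[lindex $octets 1].[lindex $octets 0].$static::dnsbl_zone"
        # Synchronous: the connection waits for the resolver's answer or timeout.
        set answer [RESOLV::lookup @$static::dns_server -a $query]
        # A listing is an A record in 127.0.0.0/24; an empty or other answer
        # (not listed, resolver error) falls through to the greylist path.
        if { [lindex $answer 0] starts_with "127.0.0." } {
            if { $static::debug } { log local0. "$client listed in $static::dnsbl_zone as $answer" }
            reject
            return
        }
    }

    # Everyone else is SNATed to the range that milter-greylist evaluates.
    snatpool untrust_smtp_mailpool
}
```

Because the lookup blocks the connection, keep it after the whitelist check so internal relays never wait on DNS, and watch the resolver timeout under load. Treating an empty answer as "not listed" fails open to the greylist rather than dropping mail when the resolver is unreachable.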