SMTP Load Balancing and Routing

Question

I have two SMTP mail servers. I need to load balance them for an internal network, so that they may both send SMTP outbound. However, due to some application restrictions, I only want inbound SMTP to be sent to one of them. 
&nbsp;  
&nbsp; I want to configure my F5 with two SMTP mail servers and a virtual server to be used for load-balancing from the internal network. Ideally, all SMTP services would be on its own VLAN. Mail coming from either of the mail servers would be NATted to an address on the external vlan. From the external vlan (public internet) incoming SMTP connections would be sent to only one of the mail servers. 
&nbsp;  
&nbsp; Has anyone implemented a similar configuration? 
&nbsp;  
&nbsp; Don

hoolio · Answer

Hi Don, 
&nbsp;  
&nbsp; Here are some suggestions for your scenario: 
&nbsp;  
&nbsp; I have two SMTP mail servers. I need to load balance them for an internal network, so that they may both send SMTP outbound. ... Mail coming from either of the mail servers would be NATted to an address on the external vlan. &nbsp; 
&nbsp;  
&nbsp; For connections originating from the SMTP servers themselves, you could configure a 0.0.0.0:25 or :0 VIP enabled only on their VLAN with SNAT enabled.  The SNAT could be a SNAT pool if you want to specify which IP(s) to use for the source address, or automap if you want to use the floating self IP(s) on the external VLAN.  If you want to use the routing table for the outbound SMTP connections you could use a forwarding VIP.  Else, if you have a pool of gateways you want to send the traffic to, you could add them to a pool and configure that pool as a gateway pool on the VIP. 
&nbsp;  
&nbsp; I want to configure my F5 with two SMTP mail servers and a virtual server to be used for load-balancing from the internal network&nbsp; 
&nbsp;  
&nbsp; You could configure a VIP enabled only on the internal VLAN pointing to a pool of the two SMTP servers.   
&nbsp;  
&nbsp; From the external vlan (public internet) incoming SMTP connections would be sent to only one of the mail servers.&nbsp; 
&nbsp;  
&nbsp; You could configure a second VIP enabled only on the external VLAN pointing to a pool of just one SMTP server. 
&nbsp;  
&nbsp; Aaron

don_22992 · Answer

Aaron, 
&nbsp;  
&nbsp; Thanks for your tips; I have created a similar configuration and it is working well. 
&nbsp;  
&nbsp; One question did come up. What are the pros/cons of using a "one arm" configuration for the virtual mail server? 
&nbsp;  
&nbsp; I have it like so: 
&nbsp; 10.1.101.10smtp virtual server 
&nbsp; with a pool consisting of: 
&nbsp; 10.1.101.11smtp node 1 
&nbsp; 10.1.101.12smtp node 2 
&nbsp;  
&nbsp; Compare this to: 
&nbsp; 10.1.101.20smtp virtual server 
&nbsp; with a pool consisting of two members: 
&nbsp; 10.1.202.21smtp node 1 
&nbsp; 10.1.202.22smtp node 2 
&nbsp;  
&nbsp; If there is a preferred setup, why? 
&nbsp;  
&nbsp; Thanks, 
&nbsp; Don 
&nbsp;  &nbsp;

hoolio · Answer

Hi Don, 
&nbsp;  
&nbsp; I don't see a major advantage either way from an LTM perspective.  If the servers need to see the original client IP address it's nice if you can set their default gateway to LTM.  If you have clients on the 10.1.101.0/24 subnet using the VIP, then it would be better to have the servers on a separate VLAN.  The removes the requirement to use SNAT and therefore allows you to preserve the original client IP address as the source of the connections from LTM to the servers. 
&nbsp;  
&nbsp; Aaron

hoolio · Answer

Hi Don,  
&nbsp;    
&nbsp;  SNATs, by definition only allow outbound connections.  So a client cannot connect to a SNAT address.  Only a host "behind" the SNAT can use the SNAT to initiate traffic.  If the SNAT is assigned to the VIP, then only the connections through the VIP use the SNAT.  
&nbsp;    
&nbsp;  I would avoid NATs as they're liable to cause conflicts if they're configured on the same address as other objects (not that you've done this).  You can generally get more specific control by using VIPs as VIPs can be port and protocol specific.  
&nbsp;  
&nbsp; Here are a couple of solutions which describe SNATs and NATs: 
&nbsp;  
&nbsp; SOL108: NAT and SNAT   
&nbsp; https://support.f5.com/kb/en-us/solutions/public/0000/100/sol108.html 
&nbsp;  
&nbsp; SOL7820: Overview of SNAT features   
&nbsp; https://support.f5.com/kb/en-us/solutions/public/7000/800/sol7820.html 
&nbsp;  
&nbsp;  Aaron

don_22992 · Answer

Great! 
&nbsp;  
&nbsp; Thanks, 
&nbsp; dj

Forum Discussion

AppWorld Berlin iRules Contest!

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

Recent Discussions

Catch Dynamic CRL Errors and Return Friendly Page

Priority Group Activation is not working

Why I could not post a comment

F5 Config - API Access on servers

iRule Approach to Mask Authorization Header for Bot Defense Logging – Validation Needed

Related Content

Load Balancing versus Application Routing

Route Domains

SMTP Smugglers Blues

IPv8 Would Fix My Routing Tables. It Will Never Ship.

SMTP Proxy