Forum Discussion
SMTP outbound F5 Design
The easiest way would be to route this traffic through F5.
SMTP server --> gateway (routes destination x.x.x.x via F5) --> F5 (routes destination x.x.x.x via external router) --> router --> destination x.x.x.x
Or, you could proxy it via F5 by hiding the x.x.x.x address behind a y.y.y.y virtual server.
SMTP server --> gateway (routes y.y.y.y via F5) --> F5 (translates y.y.y.y to x.x.x.x and routes x.x.x.x via external router) --> router --> destination x.x.x.x
Second option works well for a single x.x.x.x application, or for a x.x.x.x/xx network. First option is better if x.x.x.x is actually a large number of networks (a.a.a.a/aa + b.b.b.b/bb + c.c.c.c/cc etc.)
In both cases, F5 needs to be configured to accept and forward this traffic. This object is usually a virtual server - I've detailed the setup in my previous message.
- Franky-frank-reg7 Jul 18, 2023 Altocumulus
The issue I have is the default gw on the F5 is a core switch on the inside network, so the traffic flow from an internal client is -> F5 inside VIP -> Exchange servers -> F5 self IP -> internal core switch, then outside.
For external mail flow, we want the traffic to route from internal client -> F5 internal VIP -> Exchange servers -> default route to F5 and exit DMZ to the outside. The problem with the current design is that the default GW on the F5 is a core switch on the internal network. If I create the IP forwarding VIP as you mentioned and change the gateway of the server to the forwarding VIP, you're saying I can SNAT the source of the Exchange servers to a self IP on the DMZ?
Key thing is I need outbound traffic to exit the DMZ. Right now I don't have a default route on the DMZ network on the F5. The destinations will be many networks, as Exchange talks to O365 and these, as you're aware, are many public destination networks.