Forum Discussion
SMTP Relay iRule with SNAT not working
Hi. We have 3 Exchange servers load-balanced behind a VIP on port 25.
This load balances internal email traffic.
We have the 3 Exchange servers configured with a relay whitelist, to prevent them being an open relay.
However, this is not working at the moment due to the 3 servers seeing the SNAT on the F5. As a workaround we have had to whitelist the F5 SNAT address, which is basically making it an open relay.
I have tried to implement 2 different iRules but when we try to telnet on port 25, it just hangs.
Rule 1:
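    when CLIENT_ACCEPTED {
        set accepted_snat "X.X.X.X"
        # Use the relay SNAT only for clients listed in the data group;
        # fall back to automap if the data group is missing or has no match.
        if { [class exists smtp_relay_allowed] } {
            if { [class match [IP::client_addr] equals smtp_relay_allowed] } {
                snat $accepted_snat
            } else {
                snat automap
            }
        } else {
            snat automap
        }
    }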
We have an iRule Data Group list with the whitelisted IP addresses called "smtp_relay_allowed".
I set up a SNAT called "relay_smtp" with a single IP address, allowing all IP addresses, preserving source port, setting to the VLAN which everything is in, and default auto last hop.
Quick question: In my iRule, should accepted_snat be the actual IP address or refer to the SNAT name, which is "relay_smtp"?
Rule 2:
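    when CLIENT_ACCEPTED {
        # Whitelisted clients leave via the relay SNAT pool; all others use automap.
        if { [class match [IP::client_addr] equals smtp_relay_allowed] } {
            snatpool smtp_relay
        } else {
            # Tcl requires "else" on the same line as the closing brace of the "if" body.
            snat automap
        }
    }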
Uses the same iRule Data Group list with the whitelisted IP addresses called "smtp_relay_allowed".
I set up a SNAT pool called "smtp_relay" and added a single IP address, the same as used for the first rule.
____________________________________________________________________________________________
We tested each rule in turn, but neither will connect.
We are using version 12.
Am I missing anything obvious? Everything is in the same VLAN so nothing is hitting our FWs etc.; all is local around the F5.
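
The relay decision the post describes, modelled as an added example (not part of the original post, and not F5 or Exchange code). It compares the workaround of whitelisting the automap address with the intended design, where only a dedicated relay SNAT is whitelisted. All addresses are constructed documentation-range values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample values; none of these come from the original post.
SMTP_RELAY_ALLOWED = ["192.0.2.10/32", "192.0.2.32/28"]  # stands in for data group smtp_relay_allowed
RELAY_SNAT = "198.51.100.25"    # stands in for the dedicated relay SNAT address
AUTOMAP_SNAT = "198.51.100.5"   # stands in for the self IP that automap selects
CLIENTS = ["192.0.2.10", "192.0.2.40", "192.0.2.200", "203.0.113.7"]


def in_networks(addr, networks):
    """True if addr falls inside any of the listed hosts or subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in networks)


def select_snat(client_ip, per_client_rule):
    """Source address the mail server sees for this client.

    per_client_rule=True models the iRule logic: data group members get
    the relay SNAT, everyone else gets automap. False models plain automap.
    """
    if per_client_rule and in_networks(client_ip, SMTP_RELAY_ALLOWED):
        return RELAY_SNAT
    return AUTOMAP_SNAT


def relay_report(clients, per_client_rule, server_whitelist):
    """Map each real client to whether the server would relay for it.

    The server only ever evaluates the translated address, never the client.
    """
    return {
        c: in_networks(select_snat(c, per_client_rule), server_whitelist)
        for c in clients
    }


def workaround():
    # Automap for everyone, automap address whitelisted on the servers.
    return relay_report(CLIENTS, False, [AUTOMAP_SNAT])


def intended():
    # Per-client SNAT selection, only the relay SNAT whitelisted.
    return relay_report(CLIENTS, True, [RELAY_SNAT])


if __name__ == "__main__":
    for name, result in (("workaround", workaround()), ("intended", intended())):
        print(name, result)
```

In the intended design the data group on the F5 becomes the effective relay policy, since the servers can only distinguish the two translated addresses.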