Forum Discussion
X-Forward for SMTP
Hi guys,
Reading through various posts here on DevCentral I have a feeling I will not be able to achieve what I want, but I'd rather ask again.
Our topology looks like: source -> firewall -> F5 LTM -> firewall -> router -> backend servers
I am trying to load balance SMTP but the server guys need to see the original source IP in order to allow or deny sending emails.
The problem is that I need to work with SNAT because the backend servers are far from the LB, behind another firewall and router. Their default gateway must be the one of the router.
If I keep the original source IPs, I would face asymmetric routing and some firewall on the way back would kill the session.
We checked the backend SMTP server configuration and there is no other way to allow/deny sources there except by IP address.
So can I load balance SMTP traffic with SNAT while somehow being able (on the backend server) to tell what the original source IP was?
Thanks.
10 Replies
- IheartF5_45022
Nacreous
So there's no X-Forwarded-For-type trick to be used here, sorry :-)
Why don't you assign a specific SNAT address, to be used ONLY for your authorised SMTP virtual server (so you'd use a SNAT pool instead of automap, with one pool member), and then give the mail guys the SNAT address to configure on the Mail server?
- Nuruddin_Ahmed_
Cirrostratus
Hi, how would they blacklist any specific mail gateway in this case?
- IheartF5_45022
Nacreous
Whoops - I hadn't read your question carefully enough. You have a few options:
- reconfigure your topology so that SNAT is not required
- configure the blacklist on the F5 (sample iRule code below)
I'm guessing that you want to avoid a topology reconfiguration, so let's try with the blacklist.
How is the blacklist configured on the SMTP server? Is it a simple IP blacklist, or do they perform a reverse lookup of the IP against a DNS server?
- Juraj
Cirrus
I believe you're talking about this XFORWARD, right?
If your back-end SMTP server is Postfix, you can easily achieve the same via Proxy Protocol:
F5 can pass the Proxy Protocol info to Postfix via a simple iRule:
    # Build the proxy protocol v1 line from the client-side connection
    # (IP::version yields 4 or 6, giving "TCP4" or "TCP6") ...
    when CLIENT_ACCEPTED priority 100 {
        set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
    }
    # ... and send it to the pool member as the first bytes of the server-side connection
    when SERVER_CONNECTED priority 100 {
        TCP::respond $proxyheader
    }

and on the Postfix side, you can edit master.cf as follows:

    # plain port 25 listener for direct (non-proxied) clients
    smtp      inet  n  -  n  -  -  smtpd
    # listener for traffic coming from the F5; postscreen strips the proxy protocol header
    10025     inet  n  -  n  -  1  postscreen
        -o syslog_name=postfix/f5
        -o postscreen_upstream_proxy_protocol=haproxy
        -o postscreen_upstream_proxy_timeout=5s
    smtpd     pass  -  -  n  -  -  smtpd

Then, create a simple TCP VS on F5, listening on port 25/tcp and forwarding all your SMTP traffic to your back-end Postfix server on port 10025/tcp.
With the above, you can either talk directly to your back-end server on port 25/tcp, or talk to the F5 VS on port 25/tcp. In both cases, Postfix will see the real client's IP.
---
I wish F5 had native support for the SMTP protocol the same way they have it for LDAP (see Client LDAP Profile), to allow a STARTTLS Activation Mode. Plus built-in support for proxy protocol in all their profiles.
- mgibson85
Nimbostratus
Hi, apologies to bring up an old thread.
I'm testing out this iRule with Postfix and have followed your steps.
In the mail.log I still see the self IP of the F5, in this case it's 192.168.75.250, however I'm connecting from 192.168.0.3.
    Jul 29 08:41:12 postfix-02 postfix/smtpd[3865]: connect from unknown[192.168.75.250]
    Jul 29 08:41:36 postfix-02 postfix/smtpd[3865]: 59FAA2C0AFD: client=unknown[192.168.75.250]
    Jul 29 08:41:37 postfix-02 postfix/cleanup[3884]: 59FAA2C0AFD: message-id=<>
    Jul 29 08:41:37 postfix-02 postfix/qmgr[3864]: 59FAA2C0AFD: from=<test@test.com>, size=174, nrcpt=1 (queue active)
    Jul 29 08:41:38 postfix-02 postfix/smtp[3885]: 59FAA2C0AFD: to=<test@test.com>, relay=in-v3.mailjet.com[104.199.96.85]:587, delay=6.2, delays=5.8/0.01/0.31/0.09, dsn=2.0.0, status=sent (250 OK queued as 56d845fe-a830-47e1-8323-bbcc1c305082)
    Jul 29 08:41:38 postfix-02 postfix/qmgr[3864]: 59FAA2C0AFD: removed

I also had to remove the \r\n in the iRule as I received a 502 5.5.2 Error: command not recognized upon a telnet session.

    220 postfix-02 ESMTP Postfix (Ubuntu)
    502 5.5.2 Error: command not recognized

I'm currently testing this on BIG-IP 14.1.4.3 Build 0.0.8 Point Release 3.
Any thoughts?
Thanks, Mark.
- Juraj
Cirrus
Can you show me your master.conf? Can you also tell me what port you are connecting to in your pool on F5? What is the version of your Postfix?
\r\n is needed. My best guess without seeing your master.conf or your pool is that you either:
- do not have master.conf properly configured with postscreen doing the proxy protocol, and/or
- your pool on F5 is sending the traffic to the wrong port
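Added example, not code from the thread, from F5 or from Postfix: a small Python model of the proxy protocol v1 line that Juraj's iRule emits and of what a proxy-protocol-aware receiver such as postscreen has to do with it, including what the receiver sees when the trailing \r\n is dropped, as in Mark's test, where the header is no longer a complete line and the first thing the MTA reads as a command begins with "PROXY". It also covers the direct-to-port-25 case from Juraj's first reply and the one check the thread's config relies on: only accept the header from the load balancer's address. The addresses, the trusted-proxy set and the toy front end are constructed for illustration.

```python
"""Proxy protocol v1 (the text form spoken by HAProxy, Postfix postscreen and
the iRule in this thread): build the header the way the iRule does, and parse
it the way a receiving MTA has to.

Constructed example; addresses and the toy front end are illustrative only.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

MAX_V1_HEADER = 107  # spec limit for a v1 line, CRLF included


def build_proxy_v1_header(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Mirror of the iRule's string: 'PROXY TCP4 <client> <vs> <cport> <vport>\\r\\n'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination address families differ")
    family = "TCP4" if s.version == 4 else "TCP6"
    return f"PROXY {family} {src} {dst} {sport} {dport}\r\n".encode("ascii")


@dataclass
class ProxyInfo:
    family: str   # "TCP4", "TCP6" or "UNKNOWN"
    src: str      # original client address ("" for UNKNOWN)
    dst: str
    sport: int
    dport: int


def parse_proxy_v1_header(buf: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Return (info, remaining_bytes).

    info is None when buf does not start with a complete, well-formed v1 line.
    That is exactly what a receiver sees when the CRLF was stripped: the bytes
    'PROXY TCP4 ...' run straight into the client's first SMTP command.
    """
    end = buf.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0 or not buf.startswith(b"PROXY "):
        return None, buf
    fields = buf[:end].decode("ascii", errors="replace").split(" ")
    if fields == ["PROXY", "UNKNOWN"]:
        # legitimate v1 case: the proxy could not determine the original client
        return ProxyInfo("UNKNOWN", "", "", 0, 0), buf[end + 2:]
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        return None, buf
    try:
        src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
        sport, dport = int(fields[4]), int(fields[5])
    except ValueError:
        return None, buf
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        return None, buf
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        return None, buf
    return ProxyInfo(fields[1], str(src), str(dst), sport, dport), buf[end + 2:]


def smtp_frontend_first_line(stream: bytes, tcp_peer: str,
                             trusted_proxies: FrozenSet[str] = frozenset()) -> Tuple[str, str]:
    """Toy stand-in for a proxy-protocol-aware listener (postscreen on 10025).

    tcp_peer is the address the TCP socket itself shows (the SNAT address when
    the connection came through the F5). The header is only honoured when
    tcp_peer is a trusted proxy; otherwise anyone who can reach the port could
    claim an arbitrary client address. Returns (logged_client, first_command).
    """
    info, rest = None, stream
    if tcp_peer in trusted_proxies:
        info, rest = parse_proxy_v1_header(stream)
    logged = info.src if info is not None and info.family != "UNKNOWN" else tcp_peer
    first = rest.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    return logged, first


if __name__ == "__main__":
    f5_snat = "192.168.75.250"
    hdr = build_proxy_v1_header("192.168.0.3", "192.168.75.10", 51234, 25)
    ehlo = b"EHLO client.example\r\n"
    print(smtp_frontend_first_line(hdr + ehlo, f5_snat, frozenset({f5_snat})))
    print(smtp_frontend_first_line(hdr[:-2] + ehlo, f5_snat, frozenset({f5_snat})))
```

The second call in the `__main__` block feeds the header with its CRLF removed: the parser cannot find a terminated PROXY line, so the front end falls back to logging the SNAT address and the "first command" it would hand to SMTP begins with "PROXY TCP4", which no MTA recognises as a verb. The `trusted_proxies` check is the part the master.cf above delegates to network placement: the port 10025 listener must be reachable only from the F5's SNAT address, which in the thread's topology means a rule on the firewall between the load balancer and the mail servers, since any host that can open 10025 directly can assert any client IP.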