Forum Discussion
X-Forward for SMTP
I believe you're talking about this XFORWARD, right?
If your back-end SMTP server is Postfix, you can easily achieve the same via Proxy Protocol:
F5 can pass the Proxy Protocol info to Postfix via a simple iRule:
when CLIENT_ACCEPTED priority 100 {
    set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}
when SERVER_CONNECTED priority 100 {
    TCP::respond $proxyheader
}

And on the Postfix side, you can edit master.cf as follows:
smtp      inet  n       -       n       -       -       smtpd
10025     inet  n       -       n       -       1       postscreen
  -o syslog_name=postfix/f5
  -o postscreen_upstream_proxy_protocol=haproxy
  -o postscreen_upstream_proxy_timeout=5s
smtpd     pass  -       -       n       -       -       smtpd

Then, create a simple TCP VS on F5, listening on port 25/tcp and forwarding all your SMTP traffic to your back-end postfix server on port 10025/tcp.
With the above, you can either talk directly to your back-end server on port 25/tcp, or talk to the F5 VS on port 25/tcp. In both cases, Postfix will see the real client's IP.
---
I wish F5 had native support for the SMTP protocol the same way they have it for LDAP (see Client LDAP Profile), to allow STARTTLS Activation Mode. Plus built-in support for proxy protocol in all their profiles.
Hi, apologies to bring up an old thread.
I'm testing out this irule with postfix and have followed your steps.
In the mail.log I still see the self IP of the F5, in this case it's 192.168.75.250, however I'm connecting from 192.168.0.3.
Jul 29 08:41:12 postfix-02 postfix/smtpd[3865]: connect from unknown[192.168.75.250]
Jul 29 08:41:36 postfix-02 postfix/smtpd[3865]: 59FAA2C0AFD: client=unknown[192.168.75.250]
Jul 29 08:41:37 postfix-02 postfix/cleanup[3884]: 59FAA2C0AFD: message-id=<>
Jul 29 08:41:37 postfix-02 postfix/qmgr[3864]: 59FAA2C0AFD: from=<test@test.com>, size=174, nrcpt=1 (queue active)
Jul 29 08:41:38 postfix-02 postfix/smtp[3885]: 59FAA2C0AFD: to=<test@test.com>, relay=in-v3.mailjet.com[104.199.96.85]:587, delay=6.2, delays=5.8/0.01/0.31/0.09, dsn=2.0.0, status=sent (250 OK queued as 56d845fe-a830-47e1-8323-bbcc1c305082)
Jul 29 08:41:38 postfix-02 postfix/qmgr[3864]: 59FAA2C0AFD: removed

I also had to remove the \r\n in the iRule as I received a 502 5.5.2 Error: command not recognized upon a telnet session.
220 postfix-02 ESMTP Postfix (Ubuntu)
502 5.5.2 Error: command not recognized

I'm currently testing this on BIG-IP 14.1.4.3 Build 0.0.8 Point Release 3.
Any thoughts?
Thanks, Mark.
- Juraj (Cirrus), Jul 29, 2021
Can you show me your master.conf? Can you also tell me what port you are connecting to in your pool on F5? What is the version of your postfix?
\r\n is needed. My best guess without seeing your master.conf or your pool is that you either:
- do not have master.conf properly configured with postscreen doing the proxy protocol, and/or
- your pool on F5 is sending the traffic to the wrong port
- mgibson85 (Nimbostratus), Jul 29, 2021
Thank you for the prompt response, Juraj. I have attached both master.cf and main.cf as a .zip. I agree it's now most likely a postfix config issue.
The VS is configured to port 25, I just noticed you mentioned to try 10025/tcp on the backend.
If I telnet to the postfix server on port 10025 I get:
421 4.3.2 No system resources
Connection to host lost.

Port 25 returns ok.
- Juraj (Cirrus), Jul 29, 2021
If your F5 talks to your postfix on port 25 then you certainly won't see the real client's IP but F5 IP instead.
The configuration in master.conf is important. It tells postfix to start a listener on port 10025 and attach proxy protocol to it. You are not supposed to talk directly to 10025 via telnet in this case. F5 is supposed to talk to your postfix on port 10025 with that proxy protocol iRule enabled, not to port 25.
- mgibson85 (Nimbostratus), Jul 29, 2021
Perfect, thanks for the explanation. I spotted the config issue in master.conf and have resolved it. I now see the correct source IP:
Jul 29 09:42:53 postfix-02 postfix/f5/postscreen[5159]: CONNECT from [192.168.0.3]:11023 to [192.168.0.51]:25
Jul 29 09:42:59 postfix-02 postfix/f5/postscreen[5159]: PASS NEW [192.168.0.3]:11023

Thank you for the support.
- Juraj (Cirrus), Jul 29, 2021
That's great to hear it's working now. I'm glad I could help 😊
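
Added example, not code from the thread or from F5 or Postfix: a Python sketch of the PROXY protocol v1 line that the iRule in the first answer builds, and of the strict check a receiver applies before trusting it as the client address, which is why the trailing \r\n cannot be dropped. The function names are hypothetical; the addresses and ports come from the postscreen CONNECT line above, and the EHLO hostname is constructed.

```python
import ipaddress

MAX_V1_LINE = 107  # PROXY protocol v1: longest valid line, CRLF included


def build_proxy_v1(src, dst, sport, dport):
    """Build the line the iRule's $proxyheader holds for one connection."""
    version = ipaddress.ip_address(src).version  # 4 or 6, as [IP::version]
    return f"PROXY TCP{version} {src} {dst} {sport} {dport}\r\n".encode("ascii")


def parse_proxy_v1(data):
    """Validate a v1 header; return (src, sport, dst, dport, rest).

    Raises ValueError on anything that is not a complete TCP4/TCP6 header.
    (The "UNKNOWN" family is deliberately rejected in this sketch.)
    """
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end == -1:
        raise ValueError("no CRLF-terminated line within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) != 6 or fields[0] != "PROXY":
        raise ValueError("not a PROXY v1 header")
    family, src, dst, sport, dport = fields[1:]
    if family not in ("TCP4", "TCP6"):
        raise ValueError("unsupported family")
    for addr in (src, dst):
        if ipaddress.ip_address(addr).version != int(family[3]):
            raise ValueError("address does not match family")
    # Non-numeric ports map to -1 so the range check rejects them.
    ports = [int(p) if p.isdigit() else -1 for p in (sport, dport)]
    if not all(0 <= p <= 65535 for p in ports):
        raise ValueError("port out of range")
    return src, ports[0], dst, ports[1], data[end + 2:]


if __name__ == "__main__":
    # Constructed input: addresses and ports from the thread's CONNECT line.
    hdr = build_proxy_v1("192.168.0.3", "192.168.0.51", 11023, 25)
    print(parse_proxy_v1(hdr + b"EHLO client.example\r\n"))
    try:
        parse_proxy_v1(hdr[:-2] + b"EHLO client.example\r\n")  # CRLF stripped
    except ValueError as exc:
        print("rejected:", exc)
```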