Forum Discussion

graytt
May 11, 2018

X-Forwarded Rule for SMTP

Hello All,

 

We have an SMTP virtual server on our f5 Big IP VE 13.1.0 platform. It works without any issues. However, we would like to add a feature. Effectively, the auto-SNAT means the server owners lose visibility of the real client source IP addresses. We would like to implement an SMTP equivalent of X-forwarded in the header & was wondering if anybody had experience of creating the necessary iRule for this please?

 

Thanks & Regards, Graham.

 

  • Well.... I did do this with a pair of IronPorts so to preserve source IP, we used the BIG-IP as the external gateway. This removed the need for SNAT, preserving source to destination. Worked great. Separate interfaces did the internal SMTP forwarding to Exchange CAS/Transport servers.

     

    If you cannot do this for architectural reasons then I'll defer to the rest of the community. I haven't configured SMTP with SNAT to date.

     

  • There is an example of sending the client IP to the SMTP server: https://devcentral.f5.com/questions/irule-for-smtp-passing-client-ip-addr-to-backend-mail-servers

    # Requires a stream profile on the virtual server; STREAM:: commands do nothing without one.
    when CLIENT_ACCEPTED {
        # Tcl only expands $name over letters, digits and underscores, so a variable
        # called c-addr can never be read back as $c-addr; use caddr instead
        set caddr [IP::client_addr]
        log local0. "Client addr: $caddr"
        # Match the first EHLO/HELO line. The empty replacement part means the
        # profile replaces nothing itself; the rewrite is done in STREAM_MATCHED.
        STREAM::expression {@^EHLO.*\r\n@@ @^HELO.*\r\n@@}
        STREAM::enable
    }
    
    when STREAM_MATCHED {
        set mstring [STREAM::match]
        log local0. "STREAM_MATCHED: string: $mstring"
        # Keep "EH" or "HE" from the matched verb, then rebuild the line
        # with the real client address as the EHLO/HELO argument
        set replacement [string range $mstring 0 1]
        append replacement "LO $caddr\r\n"
        log local0. "STREAM_MATCHED: replacement string: $replacement"
        # STREAM::replace takes only the replacement text, not "match/replacement"
        STREAM::replace $replacement
        # Rewrite the first EHLO/HELO of the session only
        event STREAM_MATCHED disable
    }
    
    when SERVER_CONNECTED {
        # Server-side context: do not scan the server's responses
        STREAM::disable
    }
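
    To make clear what the iRule actually does to the bytes on the wire, here is an added Python emulation of the rewrite (this is illustration written for this page, not code from the thread or from F5). The sample client stream and the addresses are constructed. It deliberately differs from the iRule in one way: where the iRule writes the bare IP (`EHLO 203.0.113.7`), this version writes the RFC 5321 address-literal form (`EHLO [203.0.113.7]`, `EHLO [IPv6:2001:db8::1]`), which is the syntax RFC 5321 defines for an EHLO/HELO argument that is an IP rather than a hostname. It also includes the server-side half the thread never shows: parsing the address back out of the EHLO line.

```python
"""Added example (not from the thread or from F5): emulate the EHLO/HELO
rewrite the iRule performs on the client-to-server stream, and parse the
client address back out on the mail-server side."""
import ipaddress
import re
from typing import Optional

# Same match the iRule's STREAM::expression makes: the first EHLO/HELO line.
# [^\r\n]* instead of .* so the match can never run past the end of the line.
HELO_RE = re.compile(rb"^(EHLO|HELO)[^\r\n]*\r\n", re.IGNORECASE | re.MULTILINE)


def strip_route_domain(addr: str) -> str:
    """BIG-IP reports IP::client_addr as 203.0.113.7%2 when route domains are
    in use; drop the %<id> suffix (what 'getfield ... % 1' does in the iRule)."""
    return addr.split("%", 1)[0]


def address_literal(addr: str) -> str:
    """RFC 5321 section 4.1.3 address literal: [203.0.113.7] or [IPv6:2001:db8::1].
    Raises ValueError if addr is not an IP address."""
    ip = ipaddress.ip_address(addr)
    return f"[{ip}]" if ip.version == 4 else f"[IPv6:{ip}]"


def rewrite_helo(client_to_server: bytes, client_addr: str) -> bytes:
    """Replace the first EHLO/HELO line with '<verb> <address literal>'.
    Only the first occurrence is rewritten, mirroring the iRule's
    'event STREAM_MATCHED disable'; a stream with no EHLO/HELO is returned unchanged."""
    m = HELO_RE.search(client_to_server)
    if m is None:
        return client_to_server
    verb = m.group(1).upper()
    literal = address_literal(strip_route_domain(client_addr)).encode("ascii")
    return (client_to_server[: m.start()] + verb + b" " + literal + b"\r\n"
            + client_to_server[m.end():])


HELO_LITERAL_RE = re.compile(rb"^(?:EHLO|HELO)\s+\[(?:IPv6:)?([^\]]+)\]\s*$", re.IGNORECASE)


def client_addr_from_helo(line: bytes) -> Optional[str]:
    """Mail-server side: recover the client address from a rewritten EHLO/HELO
    line. Returns None for a hostname argument or a malformed literal, so the
    caller never treats arbitrary client-supplied text as an address."""
    m = HELO_LITERAL_RE.match(line.rstrip(b"\r\n"))
    if m is None:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1).decode("ascii")))
    except (UnicodeDecodeError, ValueError):
        return None


# Constructed sample of what a client sends after the server's 220 banner.
SAMPLE_CLIENT_STREAM = (
    b"EHLO mailhost.example.net\r\n"
    b"MAIL FROM:<alice@example.net>\r\n"
    b"RCPT TO:<bob@example.com>\r\n"
)

if __name__ == "__main__":
    rewritten = rewrite_helo(SAMPLE_CLIENT_STREAM, "203.0.113.7%2")
    print(rewritten.decode("ascii"))
    first_line = rewritten.split(b"\r\n", 1)[0]
    print("backend sees client address:", client_addr_from_helo(first_line))
```

    Two caveats before relying on this in the same way as X-Forwarded-For. First, the backend must only honour the literal on connections that really arrived through the BIG-IP: a client that can reach the mail server directly can send `EHLO [198.51.100.1]` itself, which is exactly the header-spoofing problem XFF has. Second, the rewrite throws away the hostname the client declared in its EHLO, and some servers apply HELO/EHLO restrictions, so confirm the backend accepts an address literal from the BIG-IP before deploying.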
    
  • Hi, did you ever get this script working? Does the source IP appear in the SMTP-header and can you see it with Wireshark like with an XFF? I just ran a test with the above script and I'm not seeing any changes in the SMTP header...

     

    • Misty_Spillers

      I never got it working. On my system it just hangs SMTP. This is the script I ended up with, but I don't really have a dev background; I just corrected syntax/spelling and adjusted for having route domains on my system.

      # Requires a stream profile on the virtual server; STREAM:: commands do nothing without one.
      when CLIENT_ACCEPTED {
          # Strip the %<route-domain-id> suffix BIG-IP adds to the address (e.g. 10.1.1.1%2)
          set caddr [getfield [IP::client_addr] % 1]
          log local0. "Client addr: $caddr"
          # Match the first EHLO/HELO line; the rewrite itself is done in STREAM_MATCHED
          STREAM::expression {@^EHLO.*\r\n@@ @^HELO.*\r\n@@}
          STREAM::enable
      }
      
      when STREAM_MATCHED {
          set mstring [STREAM::match]
          log local0. "STREAM_MATCHED: string: $mstring"
          # Keep "EH" or "HE" from the matched verb and rebuild the line with the client address
          set replacement [string range $mstring 0 1]
          append replacement "LO $caddr\r\n"
          log local0. "STREAM_MATCHED: replacement string: $replacement"
          # STREAM::replace takes only the replacement text; passing "$mstring $replacement"
          # would send the original EHLO line followed by the new one
          STREAM::replace $replacement
          # Rewrite the first EHLO/HELO of the session only
          event STREAM_MATCHED disable
      }
      
      • Stefan_Engel

        Hi, can you maybe post the code which worked for you? The link above doesn't work anymore.

        Thanks