SMTP iApp Template - Early Release
Problem this snippet solves:
INITIAL RELEASE
Minimum required BIG-IP version: 11.4.0. Supported BIG-IP versions: 11.4.0-12.0
v1.0.0rc1 iApp template for configuring standard load balancing, monitoring, SSL offloading, and TCP optimization for Simple Mail Transfer Protocol (SMTP). The template also supports deploying F5's Advanced Firewall Manager (AFM), when AFM is licensed and provisioned.
v1.0.0rc2 There were no changes to the functionality in this release. Minor changes to clarify some of the questions and answers. Added inline help entries.
v1.0.0rc3 Fixed an issue with the associated cli script that could prevent users from importing iApp templates.
v1.0.0rc4 Fixed an issue with selecting password-protected encryption keys. To use a password-protected encryption key, you must create an SSL profile that uses the key and specify that profile where indicated in the iApp template.
v1.0.0rc5 Fixed an issue with incorrectly formatted external monitor scripts.
v1.0.0rc7 Fixed an issue with the monitors used in the server-side SSL scenarios; as a result, the openssl EAV (external) monitor is now used in the 'no message submitted' monitor scenarios. A fifth monitor option was added that splits the 'auth/no msg' option into Basic and NTLM, so the iApp can use openssl when Basic (AUTH LOGIN) is selected. This release also allows a custom receive string to be specified (advanced mode must be selected).
v1.0.0rc8 Minor updates and enhancements to the monitor choices.
For the associated deployment guide, see [http://www.f5.com/pdf/deployment-guides/f5-smtp-dg.pdf]
Contributed by: F5
Code :
83126
Tested this on version:
12.0
- Brian_Minton (Nimbostratus)
I'd like to second the request to be able to add X-headers in an iRule.
- JamesSevedge_23 (Historic F5 Account)
Hey benjamin_gate, so a couple of things to note in regards to your comment.
1. You can add custom iRules to be applied to the VS without disabling strict updates in the iApp by selecting advanced and then adding your iRules in the multi-choice question labeled "Do you want to add any custom iRules to the SMTP virtual server?"
2. SSL bridging as it currently stands in the iApp is meant to bridge TLS on both client and server, where the server-side TLS is established directly (meaning no STARTTLS). This option is meant for the legacy port 465 (SMTPS), which establishes TLS directly and does NOT use STARTTLS. The iApp currently does not bridge TLS to a server-side port that uses TLS by virtue of STARTTLS (25, 587). So the short answer is: for port 25 you should select SSL offload and set up the SMTP server to not "require TLS" on the relay IP:port BIG-IP is using as pool members (at least when coming from BIG-IP).
- benjamin_gate (Altostratus)
Hi James, Yep! That's now working. Thanks. I have another question though.
Background
* I've built my vSrv using your iApp to do SSL bridging on port 25 for four Exchange nodes (scenario 3 in your deployment guide for this iApp).
* In order to not have it as an open relay, I followed this article.
* N.B. In order to add this iRule, I turned off strict edits on the iApp.
* The gist of how I added the explicit SNAT IP was to create a floating self-IP (because I have an HA pair) in the same range as my Exchange nodes, locked down to TCP port 25.
* Then in my iRule I used my own name for the data list of IPs and edited the iRule accordingly.
* I've built my receive connector on my Exchange nodes to accept network connections only from that floating self-IP (shown in green in the diagram in the article).
Question
* My Exchange nodes are not coming online. No matter what monitor type I use (and I've left it with the 'No authentication, no message submitted' monitor), what am I missing?
* On another SMTP vSrv I built using the SMTP iApp for my internal relay that has no SMTP encryption (scenario 1 in your deployment guide), without using the article cited above, and just having an open relay for internal servers, with the IPs of all F5 self-IPs in the Exchange receive connectors, the monitors come up.
- JamesSevedge_23 (Historic F5 Account)
Hello benjamin_gate, I believe I located the issue, and this is resolved in rc8 of the SMTP iApp, which I have now uploaded here. Please test it out and let me know if you still run into this error.
- benjamin_gate (Altostratus)
I'm on a VE; 12.1.2. build 0.0.249 Final
Can't deploy - get this message:
script did not successfully complete: (can't read "::app_health__monitor_body": no such variable while executing "set map " \"$::app_health__monitor_body\""" (procedure "create_monitor_message" line 5) invoked from within "create_monitor_message smtp_message_body" (procedure "configure_smtp" line 22) invoked from within "configure_smtp" line:522)
Tried manually importing the external monitors but that didn't help; using manually created Client SSL profile; running as an admin; SMTP message submitted (no auth).
Any suggestions on how to fix this?
P.S. It does work with 'No message submitted (no auth)'.
- JamesSevedge_23 (Historic F5 Account)
Interesting... I am able to run the iApp just fine on a BIG-IP running 12.1.0. What happens if you try to create an external monitor from tmsh? At this point I would suggest opening a case to see what is going on.
create sys file external-monitor monitor_name source-path file:/config/monitors/some_file
NOTE: You will need to create a file in the appropriate source-path, but the goal is to figure out why it doesn't like "external-monitor" on your BIG-IP.
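The two things James describes above, the external (EAV) monitor that the SSL scenarios create, and the difference between implicit TLS on port 465 (no STARTTLS) and STARTTLS advertised in the EHLO reply on 25/587, as an added example that is not part of the original thread and is not the monitor script bundled with F5's iApp. It is a bash EAV monitor that evaluates the SMTP greeting and EHLO reply and only writes to stdout when the member is healthy. It assumes the BIG-IP EAV calling convention as I know it (member address as $1, arriving as ::ffff:a.b.c.d for IPv4 members, port as $2, and any output on stdout marks the member up, so a failing check must print nothing), that openssl, nc and timeout are present on the device, and a third "mode" argument (plain, starttls or smtps) that is this script's own invention, set through the monitor's arguments field. The pidfile handling mirrors F5's sample external monitor.

```shell
#!/bin/bash
# Added example for this page: an F5-style external (EAV) SMTP health monitor.
# Illustrative code, not the iApp's bundled monitor script.
# Assumed EAV conventions: $1 = member address (IPv4 members arrive as
# ::ffff:a.b.c.d), $2 = port; anything written to stdout marks the member UP,
# so the DOWN path must stay silent. $3 (plain|starttls|smtps) is this
# script's own addition. openssl, nc and timeout are assumed to exist.

# Strip the IPv4-mapped IPv6 prefix BIG-IP prepends to IPv4 member addresses.
eav_node_ip() {
    printf '%s\n' "$1" | sed 's/^::ffff://'
}

# The client side of the dialogue: identify ourselves, then leave politely.
smtp_dialogue() {
    printf 'EHLO bigip-monitor.example\r\nQUIT\r\n'
}

# Evaluate a transcript of server replies (one per line) and print UP or DOWN.
#   plain    : 220 greeting and a 250 reply to EHLO (port 25/587, before TLS)
#   starttls : as plain, but the EHLO reply must also advertise STARTTLS
#   smtps    : as plain, but seen inside a TLS session negotiated up front (465);
#              STARTTLS is not expected there, exactly as the comment above says
smtp_eval_transcript() {
    transcript="$1"
    mode="${2:-plain}"
    # The first line from the server must be the 220 greeting.
    printf '%s\n' "$transcript" | head -n 1 | grep -q '^220[ -]' || { echo DOWN; return 1; }
    # EHLO must be accepted: "250 " (single-line) or "250-" (multi-line reply).
    printf '%s\n' "$transcript" | grep -q '^250[ -]' || { echo DOWN; return 1; }
    if [ "$mode" = starttls ]; then
        # A relay that stopped offering STARTTLS should leave the rotation.
        printf '%s\n' "$transcript" | grep -qi '^250[ -]STARTTLS' || { echo DOWN; return 1; }
    fi
    echo UP
}

# Talk to the real pool member and hand the replies to smtp_eval_transcript.
smtp_live_check() {
    ip=$(eav_node_ip "$1")
    port="$2"
    mode="${3:-plain}"
    case "$mode" in
        smtps)
            # Implicit TLS: handshake first, then the SMTP dialogue inside it.
            replies=$(smtp_dialogue | timeout 10 openssl s_client -quiet -connect "$ip:$port" 2>/dev/null)
            ;;
        *)
            # Cleartext: for "starttls" we only need to see the capability advertised.
            replies=$(smtp_dialogue | timeout 10 nc -w 5 "$ip" "$port" 2>/dev/null)
            ;;
    esac
    # Drop CRs so the line-oriented checks see plain "\n" terminators.
    smtp_eval_transcript "$(printf '%s\n' "$replies" | tr -d '\r')" "$mode"
}

# Entry point used by BIG-IP. Runs only when given an address and port, so
# sourcing the file just defines the functions. The pidfile dance mirrors F5's
# sample external monitor: kill a previous instance for the same member that
# may still be hanging on a dead connection.
if [ "$#" -ge 2 ]; then
    pidfile="/var/run/$(basename "$0").${1}_${2}.pid"
    if [ -f "$pidfile" ]; then
        kill -9 "$(cat "$pidfile")" >/dev/null 2>&1
    fi
    echo "$$" > "$pidfile"
    # Print UP only on success; a DOWN verdict must produce no output at all.
    smtp_live_check "$1" "$2" "${3:-plain}" | grep -q '^UP$' && echo UP
    rm -f "$pidfile"
fi
```

Once the file is on the box, it is attached the same way the iApp does it in the trace posted further down: `create sys file external-monitor <name> source-path file:<path>` followed by `create ltm monitor external <name> run <name>`, with the mode passed through the monitor's arguments. Because a non-empty stdout is what marks a member up, be careful never to let debugging output (set -x, stray echo) leak into stdout, or a broken relay will be marked healthy.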
- Anders_Johansen (Nimbostratus)
We are running BIG-IP 12.1.0 Build 1.0.1447 HF1
- JamesSevedge_23 (Historic F5 Account)
Hmm... that error is new to me; the syntax of the command is correct. What version of BIG-IP are you running on?
- Anders_Johansen (Nimbostratus)
Thanks for confirming my suspicions. That is correct; I only have Manager permissions for a specific partition.
One of our Administrators also tried to change the encryption settings on my behalf and got a similar error message. Is this error also caused by lack of permissions?
script did not successfully complete: ("external-monitor" unexpected argument while executing "tmsh::create [string range $args 7 end] " ("create" arm line 1) invoked from within "switch -exact -- [string range $args 0 5] { create { tmsh::create [string range $args 7 end] } modify { tmsh::modify [string r..." (procedure "iapp_conf" line 14) invoked from within "iapp_conf create sys file external-monitor smtp_tls_eav source-path file:[create_eav_script tls_monitor_eav_script]" invoked from within "iapp_conf create ltm monitor external ${app}_smtp_tls_eav run [iapp_conf create sys file external-monitor smtp_tls_eav source-path file:[create_eav_..."
- JamesSevedge_23 (Historic F5 Account)
Hello Anders, the problem here is that when doing any of the SSL scenarios the iApp will try to create an external monitor, and this requires some additional Tcl commands. This should work in almost all environments; however, my guess is that you are using a user account that does not have the Administrator role?
Basically, the scenario where this can occur with some of the Tcl commands called in various iApps is when the user has a "non-admin" role, such as Resource Administrator, assigned to them on the BIG-IP: they can create an iApp, but if it uses certain executables during the deployment of that iApp, those get blocked as a result of a security feature on the BIG-IP.
If this is the case for you, then the recommended solution is to run the iApp as an administrator. An alternative would possibly be to use your own monitor in the iApp, which should cause that set of commands not to be run, but you might run into another invalid Tcl command use case as a result.
Let me know if this is (or isn't) the case...