mikeshimkus_111
Historic F5 Account

Problem this snippet solves:

INITIAL RELEASE

Minimum required BIG-IP version: 11.4.0. Supported BIG-IP versions: 11.4.0-12.0

v1.0.0rc1 iApp template for configuring standard load balancing, monitoring, SSL offloading, and TCP optimization for Simple Mail Transfer Protocol (SMTP). The template also supports deploying F5's Advanced Firewall Manager (AFM), when AFM is licensed and provisioned.

v1.0.0rc2 There were no changes to the functionality in this release. Minor changes to clarify some of the questions and answers. Added inline help entries.

v1.0.0rc3 Fixed an issue with the associated cli script that could prevent users from importing iApp templates.

v1.0.0rc4 Fixed an issue with selecting password-protected encryption keys. To use a password-protected encryption key, you must create an SSL profile that uses the key and specify that profile where indicated in the iApp template.

v1.0.0rc5 Fixed an issue with incorrectly formatted external monitor scripts.

v1.0.0rc7 Fixed an issue with monitors used in the server-side SSL scenarios; as a result, the OpenSSL EAV (external) monitor is now used in the 'no msg submitted' monitor scenarios. A fifth monitor option was also added to split the 'auth/no msg' option into Basic and NTLM, so the iApp can use OpenSSL if Basic (AUTH LOGIN) is selected. This release also allows a custom receive string to be specified (Advanced must be selected).

v1.0.0rc8 Minor updates and enhancements to the monitor choices.

For the associated deployment guide, see [http://www.f5.com/pdf/deployment-guides/f5-smtp-dg.pdf]

Contributed by: F5

Code: 83126

Tested this on version: 12.0
Comments
The-messenger
Cirrostratus

Does this iApp support passing the source IP to the SMTP nodes instead of the F5 IP?

mikeshimkus_111
Historic F5 Account

Hi The-messenger, it supports that if you disable SNAT in the iApp and set the default gateway of the SMTP servers to the self IP address of the BIG-IP.

The-messenger
Cirrostratus

I've seen that as a proposed solution before, but I don't think setting the default gateway for all your Exchange servers to the self-IP of the BIG-IP is a viable solution. There is more going on with Exchange than mail relay.

mikeshimkus_111
Historic F5 Account

Your other option is to use nPath: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementations_guide_10_1/s...

TMK, for non-HTTP traffic, those are the only ways to get the real source IP.

The-messenger
Cirrostratus
Cirrostratus

Is this not possible with an iRule? I don't need to change the route; I just want Exchange admins to be able to see the source address for delivery troubleshooting.

mikeshimkus_111
Historic F5 Account

Normally you could use the HTTP profile or an iRule if the traffic is HTTP. However I just found this DC post you might try:

https://devcentral.f5.com/s/feed/0D51T00006j2p4ZSAQ

The-messenger
Cirrostratus

Mike, where is the limitation in adding X-header data to the SMTP stream? I've worked with multiple email filtering systems that add X-header data.

This could be very valuable in managing SMTP traffic.

patrick_hayes
Nimbostratus

We see the same error as etrust made 1 week ago. Mike?

JamesSevedge_23
Historic F5 Account

Hello Etrust and Patrick, This issue has been resolved. Please download the template and try again! Let us know if you have any additional feedback, thanks.

JamesSevedge_23
Historic F5 Account

Hello Anders, The problem here is that when doing any of the SSL scenarios, the iApp will try to create an external monitor, which requires some additional TCL commands. This should work in almost all environments; however, my guess is that you are using a user account that does not have the Administrator role?

Basically, the scenario where this can occur with some of the TCL commands called in various iApps is when the user has a “non-admin” role such as Resource Administrator assigned to them on the BIG-IP: they can create an iApp, but if it uses certain executables during the deployment of that iApp, those get blocked by a security feature on the BIG-IP.

If this is the case for you, the recommended solution is to run the iApp as an Administrator. An alternative would possibly be to use your own monitor in the iApp, which should prevent that set of commands from being run, but you might run into another invalid TCL command use case as a result.

Let me know if this is (or isn't) the case...

Anders_Johansen
Nimbostratus

Thanks for confirming my suspicions. That is correct; I only have Manager permissions for a specific partition.

One of our Administrators also tried to change the encryption settings on my behalf and got a similar error message. Is this error also caused by lack of permissions?

script did not successfully complete: ("external-monitor" unexpected argument while executing "tmsh::create [string range $args 7 end] " ("create" arm line 1) invoked from within "switch -exact -- [string range $args 0 5] { create { tmsh::create [string range $args 7 end] } modify { tmsh::modify [string r..." (procedure "iapp_conf" line 14) invoked from within "iapp_conf create sys file external-monitor smtp_tls_eav source-path file:[create_eav_script tls_monitor_eav_script]" invoked from within "iapp_conf create ltm monitor external ${app}_smtp_tls_eav run [iapp_conf create sys file external-monitor smtp_tls_eav source-path file:[create_eav_..."
JamesSevedge_23
Historic F5 Account

Hmm... that error is new to me; the syntax of the command is correct. What version of BIG-IP are you running on?

Anders_Johansen
Nimbostratus

We are running BIG-IP 12.1.0 Build 1.0.1447 HF1

JamesSevedge_23
Historic F5 Account

Interesting... I am able to run the iApp just fine on a BIG-IP running 12.1.0. What happens if you try to create an external monitor from tmsh? At this point I would suggest opening a case to see what is going on.

create sys file external-monitor monitor_name source-path file:/config/monitors/some_file

NOTE: You will need to create a file in the appropriate source-path, but the goal is to figure out why it doesn't like "external-monitor" on your BIG-IP.

benjamin_gate
Altostratus

I'm on a VE; 12.1.2 build 0.0.249 Final

Can't deploy - get this message:

script did not successfully complete: (can't read "::app_health__monitor_body": no such variable while executing "set map " \"$::app_health__monitor_body\""" (procedure "create_monitor_message" line 5) invoked from within "create_monitor_message smtp_message_body" (procedure "configure_smtp" line 22) invoked from within "configure_smtp" line:522)

Tried manually importing the external monitors but that didn't help; using manually created Client SSL profile; running as an admin; SMTP message submitted (no auth).

Any suggestions on how to fix this?

P.S. It does work with 'No message submitted (no auth)'.

JamesSevedge_23
Historic F5 Account

Hello Benjamin_gate, I believe I located the issue, and this is resolved in rc8 of the SMTP iApp, which I have now uploaded here. Please test it out and let me know if you still run into this error.

benjamin_gate
Altostratus

Hi James, Yep! That's now working. Thanks. I have another question though.

Background

  • I've built my vSrv using your iApp to do SSL bridging on port 25 for four Exchange nodes (scenario 3 in your Deployment guide for this iApp).
  • In order to not have it as an open relay, I followed this article.
  • N.B. In order to add this iRule, I turned off strict edits on the iApp.
  • The gist of how I added the explicit SNAT IP was to create a floating self-IP (because I have an HA pair) in the same range as my Exchange nodes, locked down to TCP port 25.
  • Then in my iRule I used my own name for the data list of IPs and edited the iRule accordingly.
  • I've built my receive connector on my Exchange nodes to accept network connections only from that floating self-IP (shown in green in the diagram in the article).

Question

  • My Exchange nodes are not coming online, no matter what monitor type I use (and I've left it with the 'No authentication, no message submitted' monitor). What am I missing?

On another SMTP vSrv I built using the SMTP iApp for my internal relay that has no SMTP encryption (scenario 1 in your Deployment guide), without using the article cited above and just having an open relay for internal servers, with the IPs of all F5 self-IPs in the Exchange receive connectors, the monitors come up.

JamesSevedge_23
Historic F5 Account

Hey benjamin_gate, a couple of things to note in regards to your comment.

1. You can add custom iRules to be applied to the VS without disabling strict updates in the iApp by selecting Advanced and then adding your iRules in the multi-choice question labeled "Do you want to add any custom iRules to the SMTP virtual server?"

2. SSL bridging as it currently stands in the iApp is meant to bridge TLS on both the client and server side, where the server-side TLS is established directly (meaning no STARTTLS). This option is meant for the legacy port 465 (SMTPS), which establishes TLS directly and does NOT use STARTTLS. The iApp currently does not bridge TLS to a server-side port that uses TLS by virtue of STARTTLS (25, 587).

So the short answer is: for port 25 you should select SSL offload and set up the SMTP server to not "require TLS" on the relay IP:port that BIG-IP is using as pool members (at least when coming from BIG-IP).
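The distinction drawn above, implicit TLS on 465 versus STARTTLS advertised in the EHLO reply on 25/587, is exactly what a server-side monitor has to get right; the following is an added Python example, not code from the iApp or from the post. The `ehlo_capabilities` parser, the `IMPLICIT_TLS_PORTS` set and the `SAMPLE_REPLY` transcript are assumptions constructed here: it reads the 220 greeting and the multi-line EHLO reply, reports whether the server offers STARTTLS, and wraps the socket in TLS before any SMTP I/O only on the SMTPS port.

```python
import io, socket, ssl

IMPLICIT_TLS_PORTS = {465}  # SMTPS: TLS handshake first, then the 220 greeting

def ehlo_capabilities(rfile, wfile, helo_name="monitor.example"):
    """Read the 220 greeting, send EHLO, return {KEYWORD: params} from the 250 reply.
    rfile/wfile are binary file objects: a live socket or a constructed transcript."""
    greeting = rfile.readline().decode("ascii", "replace")
    if not greeting.startswith("220"):
        raise RuntimeError("unexpected greeting: %r" % greeting.strip())
    wfile.write(("EHLO %s\r\n" % helo_name).encode("ascii"))
    wfile.flush()
    caps, first = {}, True
    while True:
        line = rfile.readline().decode("ascii", "replace")
        if not line.startswith("250"):
            raise RuntimeError("EHLO rejected or connection closed: %r" % line.strip())
        key, *params = line[4:].split() or [""]
        if not first and key:  # line 1 of the reply is the server name, not a capability
            caps[key.upper()] = params
        first = False
        if line[3:4] == " ":  # "250 " (space, not hyphen) marks the last line
            return caps

def tls_mode(port, caps):
    """'implicit' for SMTPS, 'starttls' if EHLO advertises it, else 'plaintext'."""
    if port in IMPLICIT_TLS_PORTS:
        return "implicit"
    return "starttls" if "STARTTLS" in caps else "plaintext"

def probe(host, port, timeout=5.0):
    """Live check: TLS-wrap the socket before any SMTP I/O only on implicit-TLS ports."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if port in IMPLICIT_TLS_PORTS:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock, sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
        caps = ehlo_capabilities(rfile, wfile)
        wfile.write(b"QUIT\r\n")
        wfile.flush()
        return tls_mode(port, caps), caps

# Constructed transcript standing in for a port-25 Exchange receive connector.
SAMPLE_REPLY = (b"220 mail.example.test Microsoft ESMTP MAIL Service ready\r\n"
                b"250-mail.example.test Hello [192.0.2.10]\r\n250-SIZE 37748736\r\n"
                b"250-STARTTLS\r\n250-AUTH NTLM LOGIN\r\n250 CHUNKING\r\n")

def classify_reply(port=25, reply=SAMPLE_REPLY):
    """Run the same parser over a canned reply instead of a live socket."""
    caps = ehlo_capabilities(io.BytesIO(reply), io.BytesIO())
    return tls_mode(port, caps), caps
```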

Brian_Minton
Nimbostratus

I'd like to second the request to be able to add X-headers in an iRule.

Version history
Last update: 30-Apr-2015 12:35