
iRule to check if SMTP traffic is with authentication or not


Hi all, I'm very new here and I'm trying to get help with a new iRule that can detect whether the SMTP traffic is with authentication or not.

The idea is:

Option 1:

If the SMTP traffic is coming with authentication ----> send it to Server 1

If the SMTP traffic is coming without authentication ----> send it to Server 2


Option 2:

If the SMTP traffic is coming with authentication ----> send it to Server 1

If the SMTP traffic is coming without authentication ----> put in the authentication (user, login) and send it to Server 1


Can anyone point me to how I can do this iRule, Option 1 or 2?

I will be very grateful for your help.

Andrés H.


Community Manager

Are you using port 587 for Auth SMTP traffic? If you have a single all-ports vip handling both, this is not the best idea. I'm taking a guess here. If that's the case, just do a port 25 VIP and a port 587 VIP for the same IP. Two different pools.



@AubreyKingF5 many thanks for your fast answer.

With your answer I have resolved one part of my problem:

1.- New servers that can accept SMTP AUTH: ✔️ OK

If the SMTP traffic is coming with authentication ----> send it to the Virtual Server (port 587) --> Pool-587 ✔️ OK

2.- For legacy servers:

If the SMTP traffic is coming without authentication ----> currently it is sent to the Virtual Server (port 25) --> Pool-25; this pool is a Postfix server.

Is there any way to avoid the Postfix server? I mean, can I create some iRule on the Virtual Server (port 25) that can resend the traffic to the Virtual Server (port 587) with SMTP AUTH, putting in the authentication (user, login)?

If you need a flow chart so that I can explain my problem better, I can attach it.



Andrés H.


Does anyone know how to do that iRule, or whether this can be implemented?

As there are no SMTP iRule events, you will need to use TCP::collect to capture the TCP data (for SMTP over SSL, SSL::collect) and you can see .




Ah! so.. just have the same IP address and 2 different ports. With F5, a VIP is defined as an ip/port combination. A virtual address is just an IP.  They are different object types.. with a VA responsible for more L2/3 functionality, rather than L4-7 on the VIP. So a VA can have n number of VIPs attached to it.


All of your email heads toward the IP address for mail. The port 25 VIP will have a port 25 pool. The port 587 VIP handles the auth'd traffic... Still same IP address for both.


Regarding resending with auth, I'm certain there's a way to do it in iRules, but I doubt it would be worth it, as the iRule would need to collect client data, then find auth, but then it would likely need to apply the auth for MANY different clients.. you would likely need a way to process traffic per-client. I think your administration would be a nightmare and also that your BIG-IP would suffer a HEAVY load penalty from this iRule.. especially if a hacker figured out what you were doing and dropped a spam bomb on you. I was a mail administrator in a former life.. been there.


Many thanks to all for your answers. Finally I've implemented 2 VIPs with the same IP address and different ports.
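
The two-VIP layout the thread settled on, written out as tmsh commands. This is an added example, not configuration posted by anyone in the thread; the object names and all addresses (documentation ranges) are constructed placeholders, and the pool members stand in for the Postfix server and the AUTH-capable servers.

```tmsh
# Constructed example: names and addresses below are placeholders.

# Pool for unauthenticated SMTP (the legacy Postfix relay in the thread).
create ltm pool pool_smtp_25 members add { 198.51.100.21:25 } monitor tcp

# Pool for submission traffic that uses SMTP AUTH.
create ltm pool pool_smtp_587 members add { 198.51.100.31:587 198.51.100.32:587 } monitor tcp

# Two virtual servers (VIPs) on the same IP address, one per port.
# Each VIP is an ip:port combination with its own pool, so no iRule
# has to inspect the SMTP dialogue to decide where a connection goes.
create ltm virtual vs_smtp_25 destination 192.0.2.10:25 ip-protocol tcp profiles add { tcp } pool pool_smtp_25
create ltm virtual vs_smtp_587 destination 192.0.2.10:587 ip-protocol tcp profiles add { tcp } pool pool_smtp_587

# Both VIPs hang off the single virtual address object for the shared IP.
list ltm virtual-address 192.0.2.10

# Confirm each VIP points at the intended pool, then persist the change.
list ltm virtual vs_smtp_25 destination pool
list ltm virtual vs_smtp_587 destination pool
save sys config
```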