Logging SMTP traffic info via HSL to remote log server.

JG (Cumulonimbus)

Our SMTP servers need information about the mail messages being sent in order to identify the sending devices (and thereby the sending users), but they are not able to do so due to the use of SNATs on the LTM. I have put together an iRule, based on some existing shared code, to log the relevant information to a remote log server, as shown below. I'd appreciate it if anybody could let me know whether anything is missing or incorrect in it:

when CLIENT_ACCEPTED {
    # One HSL handle per connection; variables set here are visible in the
    # later events of the same connection.
    set hsl [HSL::open -proto UDP -pool /APPLICATION/test_logserver]
    # Initialise the recipient accumulator so the first RCPT TO does not
    # reference an unset variable.
    set crcpt ""
    set tstamp [clock format [clock seconds] -format "%d/%m/%Y %H:%M:%S %z"]
    HSL::send $hsl "<22> $tstamp [IP::client_addr]:[TCP::client_port]->[IP::local_addr]:[TCP::local_port] CLIENT_ACCEPTED\n"
    TCP::collect
}

when CLIENT_DATA {
    set cdata [TCP::payload]

    # Keep collecting until at least one complete SMTP command line is present.
    if { [string length $cdata] <= 0 } {
        return
    }
    if { not ( $cdata contains "\r\n" ) } {
        return
    }
    # SMTP verbs are case-insensitive, so match on an upper-cased copy.
    set ucdata [string toupper $cdata]
    if { $ucdata starts_with "MAIL FROM:" } {
        set cfrom $cdata
        set tstamp [clock format [clock seconds] -format "%d/%m/%Y %H:%M:%S %z"]
        HSL::send $hsl "<22> $tstamp [IP::client_addr]:[TCP::client_port]->[IP::local_addr]:[TCP::local_port] $cfrom\n"
    } elseif { $ucdata starts_with "RCPT TO:" } {
        # Accumulate every RCPT TO seen on this connection and log the list so far.
        set crcpt "$crcpt$cdata"
        set tstamp [clock format [clock seconds] -format "%d/%m/%Y %H:%M:%S %z"]
        HSL::send $hsl "<22> $tstamp [IP::client_addr]:[TCP::client_port]->[IP::local_addr]:[TCP::local_port] $crcpt\n"
    }
    # Always forward the collected data to the server and resume collecting.
    # Returning before TCP::release would hold the command back and stall the
    # SMTP session, since the client waits for the server's reply.
    TCP::release
    TCP::collect
}

when CLIENT_CLOSED {
    set tstamp [clock format [clock seconds] -format "%d/%m/%Y %H:%M:%S %z"]
    HSL::send $hsl "<22> $tstamp [IP::client_addr]:[TCP::client_port]->[IP::local_addr]:[TCP::local_port] CLIENT_CLOSED\n"
}

Another question: if an SMTP security profile in ASM is enabled, will this iRule run first, or only after the security profile has been assessed?
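The log-server side of the approach described in the post, as an added example that is not part of the original thread: a small Python collector that parses the HSL lines the iRule above emits (priority, timestamp, pre-SNAT client tuple, SMTP command), groups them by connection and maps each client IP to the envelope senders it used, which is what the mail servers cannot see once SNAT is in place. The sample log lines are constructed for the example; the field layout follows the HSL::send format string in the iRule.

```python
import re
from collections import OrderedDict

# Constructed sample of the lines the iRule emits; no real traffic or hosts.
SAMPLE_LOG = """\
<22> 03/05/2021 10:15:01 +0000 10.1.2.3:51234->192.0.2.25:25 CLIENT_ACCEPTED
<22> 03/05/2021 10:15:02 +0000 10.1.2.3:51234->192.0.2.25:25 MAIL FROM:<alice@example.com>
<22> 03/05/2021 10:15:02 +0000 10.1.2.3:51234->192.0.2.25:25 RCPT TO:<bob@example.net>
<22> 03/05/2021 10:15:03 +0000 10.1.2.3:51234->192.0.2.25:25 RCPT TO:<carol@example.net>
<22> 03/05/2021 10:15:05 +0000 10.1.2.3:51234->192.0.2.25:25 CLIENT_CLOSED
<22> 03/05/2021 10:15:06 +0000 10.1.2.9:40001->192.0.2.25:25 CLIENT_ACCEPTED
<22> 03/05/2021 10:15:07 +0000 10.1.2.9:40001->192.0.2.25:25 MAIL FROM:<mallory@example.org>
<22> 03/05/2021 10:15:08 +0000 10.1.2.9:40001->192.0.2.25:25 RCPT TO:<bob@example.net>
"""
# Layout: "<PRI> dd/mm/yyyy HH:MM:SS +zzzz client_ip:port->vip:port message"
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)> (?P<ts>\S+ \S+ \S+) "
    r"(?P<cip>[\d.]+):(?P<cport>\d+)->(?P<vip>[\d.]+):(?P<vport>\d+) (?P<msg>.*)$"
)
ADDR_RE = re.compile(r"<([^>]*)>")  # envelope address inside angle brackets

def parse_hsl_smtp(text):
    """Group lines by the pre-SNAT client 4-tuple and collect envelope data."""
    sessions = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unrelated or truncated line: skip instead of aborting
        key = (m["cip"], int(m["cport"]), m["vip"], int(m["vport"]))
        s = sessions.setdefault(key, {"from": None, "to": [], "open": True})
        msg = m["msg"].strip()
        if msg.upper() == "CLIENT_CLOSED":
            s["open"] = False
        elif msg.upper().startswith("MAIL FROM:"):
            a = ADDR_RE.search(msg)
            s["from"] = a.group(1) if a else msg[10:].strip()
        elif msg.upper().startswith("RCPT TO:"):
            a = ADDR_RE.search(msg)
            rcpt = a.group(1) if a else msg[8:].strip()
            if rcpt not in s["to"]:  # tolerate repeated/accumulated RCPT lines
                s["to"].append(rcpt)
    return sessions

def senders_by_client(sessions):
    """Map each client IP (the address hidden by the SNAT) to its envelope senders."""
    out = {}
    for (cip, _cport, _vip, _vport), s in sessions.items():
        if s["from"]:
            out.setdefault(cip, set()).add(s["from"])
    return out
```

A session still marked open at the end of the input is one whose CLIENT_CLOSED line has not arrived yet (or was lost, since HSL over UDP gives no delivery guarantee).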


JG (Cumulonimbus)

It turns out that it is probably not worth trying to capture/filter SMTP data using TCP::collect, as there may be too much data from the client side for the iRule to handle. That is probably why there hasn't been much feature enhancement in iRules for SMTP for many years, at least in the area of passing the client IP address to the backend.

nitass (F5 Employee)

Have you tried the stream profile/iRule (i.e. STREAM_MATCHED)? Just thinking it might be better (than TCP::collect) in terms of performance.

I might be wrong anyway.

JG (Cumulonimbus)

As the objective is really to stop spamming, a different approach has been adopted: instead of logging client information, an iRule (with the stream profile) is used to validate the client-declared ID through a DNS lookup; those that fail the test will have their connections dropped.

The iRule is available at: An iRule to validate client ID via DNS lookup using the stream profile

Can you again reshare the link?

LiefZimmerman (Community Manager)

Updated link to new Codeshare.