Forum Discussion

JayP_46820
Jan 21, 2016

SMTP ip address for VIP and relay

Hi,

Have been reading through some SMTP setups on F5 but cannot find an answer to this specific question.

I have a pool of mail servers (10.0.0.1, 10.0.0.2) for VIP 9.9.9.9:25. This is used for inbound mail from the internet, as well as mail relay from internal clients. For outbound connections there is forwarding server 0.0.0.0:25 with SNAT of 9.9.9.9.

So logical traffic flow is:

  1. Internal client 192.168.1.1 wants to send external mail, it will send request to F5 VIP 9.9.9.9:25.
  2. This is load balanced to pool member 10.0.0.1:25.
  3. Pool member then creates new connection out to remote SMTP server 202.2.2.2:25.
  4. This hits F5 and matches forwarding server 0.0.0.0:25, where its source is translated to 9.9.9.9:xxxx.
  5. Remote server then replies back to 9.9.9.9:xxxx, F5 checks NAT table and sends this to 10.0.0.1:yyyy.

Is this a valid setup?

The reason I chose the same 9.9.9.9 address is I'm told forward and reverse DNS need to match to pass mail filters. Other forum posts seem to indicate people using separate addresses, or automap?

Will the F5 keep the entries in its NAT table to distinguish between the inbound connections from clients and the outbound connections initiated to external mail servers?

I want to get this basic setup working, so I can move onto data groups to distinguish for which clients to allow relay.

Thanks!

Jay

3 Replies

  • I'm told forward and reverse DNS needs to match to pass mail filters

    This may be a policy set by your organization, but is not required by the technology alone. Most mail validation is handled by SPF records (a subset of the DNS type TXT record). It is common to have one or multiple IP addresses and DNS entries for inbound mail, but to use multiple separate IP addresses and DNS entries for outbound mail. With a properly configured SPF record, this can be accomplished.

    That being said, the F5 builds a new connection using many different variables. We are specifically interested in the IP and TCP information. Inbound mail will initiate from an external address bound for our VIP using a TCP SYN packet first. When the mail server sends outbound mail, it will first establish a new connection on the server, sending a new TCP SYN packet to the load balancer. The F5 interprets this as a new connection, even though it appears similar to the already existing connection. Reference the TCP 3-way handshake (link on Wikipedia) for more information on how this works.

    Is this a valid setup?

    I mostly avoided this question because I'm not sure about the SNAT pool with a member as a VIP, suffice to say I would test it to see what happens. I would trust the F5 to keep the inbound and outbound connections separate.

  • Thanks Theo, I have tested and it works fine using the same IP for the inbound VIP and for the forwarding outbound SNAT.
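The setup confirmed above, written out as tmsh commands; this is an added example and not configuration posted in the thread. The object names, the fastL4 profile choice and the 10.0.0.0/24 source restriction on the forwarding virtual are assumptions; the addresses are the thread's own.

```tmsh
# Added example, not from the thread. Object names (smtp_pool, smtp_vs,
# smtp_out_snat, smtp_out_fwd) and the 10.0.0.0/24 source restriction are
# assumptions; IP addresses are the ones used in the discussion.

# Inbound mail and internal relay: VIP 9.9.9.9:25 load balanced to the
# mail servers 10.0.0.1 and 10.0.0.2.
create ltm pool smtp_pool members add { 10.0.0.1:25 10.0.0.2:25 } monitor tcp
create ltm virtual smtp_vs destination 9.9.9.9:25 ip-protocol tcp pool smtp_pool profiles add { tcp }

# Outbound mail: wildcard forwarding virtual on port 25, source translated
# to 9.9.9.9 so the remote MTA sees the same address the MX record names.
# The "source" restriction limits this path to the mail servers' subnet;
# without it, any internal host reaching 0.0.0.0:25 would be translated to
# 9.9.9.9 and could send directly to the internet as the MX address,
# bypassing the relay controls Jay plans to build with data groups.
create ltm snatpool smtp_out_snat members add { 9.9.9.9 }
create ltm virtual smtp_out_fwd destination 0.0.0.0:25 mask any ip-protocol tcp ip-forward source 10.0.0.0/24 source-address-translation { type snat pool smtp_out_snat } profiles add { fastL4 }

# Verify the two directions are separate connection-table entries, keyed by
# the full client-side and server-side address tuples: inbound flows show
# 9.9.9.9 as the client-side server address, outbound flows show 9.9.9.9 as
# the server-side client (SNAT) address.
show sys connection cs-server-addr 9.9.9.9
show sys connection ss-client-addr 9.9.9.9
```

A remote host's reply to 9.9.9.9:xxxx matches only the outbound server-side entry, which is why it is mapped back to 10.0.0.1:yyyy rather than being handled by the inbound VIP.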