nath12345
Jul 11, 2019

SMTP Relay iRule with SNAT not working

Hi. We have 3 exchange servers load-balanced behind a VIP on port 25.

This load balances internal email traffic.

We have the 3 exchange servers configured with a relay whitelist, to prevent them being an open relay.

However, this is not working at the moment due to the 3 servers seeing the SNAT on the F5. As a workaround we have had to whitelist the F5 SNAT address which is basically making it an open relay.

I have tried to implement 2 different iRules but when we try to telnet on port 25, it just hangs.

Rule 1:

when CLIENT_ACCEPTED {
    # Dedicated source address that the Exchange relay whitelist allows
    set accepted_snat "X.X.X.X"
    if { [class exists smtp_relay_allowed] } {
        if { [class match [IP::client_addr] equals smtp_relay_allowed] } {
            # Whitelisted sender: present the relay SNAT address to Exchange
            snat $accepted_snat
        } else {
            # Anyone else: automap, so Exchange applies its own relay policy
            snat automap
        }
    } else {
        # Data group missing: fall back to automap for everyone
        snat automap
    }
}

We have an iRule Data Group list with the whitelisted IP addresses called "smtp_relay_allowed".

I setup a SNAT called "relay_smtp" with a single IP address, allowing all IP addresses, preserving source port, setting to the VLAN which everything is in, and default auto last hop.

Quick question: In my iRule, should accepted_snat be the actual IP address, or refer to the SNAT name, which is "relay_smtp"?

Rule 2:

when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals smtp_relay_allowed] } {
        # Whitelisted sender: source the server-side connection from the "smtp_relay" SNAT pool
        snatpool smtp_relay
    } else {
        # Anyone else: automap (Tcl requires "else" on the same line as the closing brace)
        snat automap
    }
}

Uses the same iRule Data Group list with the whitelisted IP addresses called "smtp_relay_allowed"

I setup a SNAT pool called "smtp_relay" and added a single IP address, the same as used for the first rule.

____________________________________________________________________________________________

We tested each rule in turn, but neither will connect.

We are using version 12.

Am I missing anything obvious? Everything is in the same VLAN, so nothing is hitting our FWs etc.; all is local around the F5.
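A fuller version of the same selective-SNAT approach, as an added example that is not part of the original post: it assumes the address-type data group `smtp_relay_allowed` and the SNAT pool `smtp_relay` named above, and adds a guard for a missing data group plus logging of every SNAT decision so that the servers' relay whitelist can be audited against what the BIG-IP actually sent.

```tcl
# Added example (not the poster's iRule). Assumed objects: address data group
# "smtp_relay_allowed", SNAT pool "smtp_relay", a virtual server on port 25.
when CLIENT_ACCEPTED {
    set client [IP::client_addr]

    # If the data group is missing, fail closed on the relay SNAT: everyone
    # goes out through automap, which Exchange must NOT have whitelisted.
    if { ![class exists smtp_relay_allowed] } {
        log local0.warn "smtp-relay: data group smtp_relay_allowed missing; $client -> automap"
        snat automap
        return
    }

    if { [class match $client equals smtp_relay_allowed] } {
        # Whitelisted sender: Exchange sees the dedicated pool address, so its
        # relay whitelist only needs to contain that one address.
        snatpool smtp_relay
        log local0.info "smtp-relay: $client -> snatpool smtp_relay (relay allowed)"
    } else {
        # Everyone else is still load balanced, but arrives from the automap
        # address and is subject to Exchange's own relay restrictions.
        snat automap
        log local0.info "smtp-relay: $client -> automap (relay denied)"
    }
}

# Record which translated source address and which backend were used; if the
# client side hangs, this shows whether the server-side connection was ever
# established at all.
when SERVER_CONNECTED {
    log local0.debug "smtp-relay: [IP::client_addr] via [IP::local_addr] -> [IP::server_addr]:[TCP::server_port]"
}
```

Two points about the commands used: `snat` takes a literal address (or the keywords `automap` / `none`), while `snatpool` takes the name of a SNAT pool object; neither references a standalone SNAT object such as "relay_smtp", so in Rule 1 `accepted_snat` has to be the IP address itself. Review the `local0` messages with `tail -f /var/log/ltm` while testing; a whitelisted client should log a `snatpool smtp_relay` line followed by a matching SERVER_CONNECTED line.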
