30-Jan-2017 02:47
Hi guys,
Reading through various posts here on DevCentral I have a feeling I will not be able to achieve what I want, but I'd rather ask again.
Our topology looks like: source -> firewall -> F5 LTM -> firewall -> router -> backend servers
I am trying to load balance SMTP but the server guys need to see the original source IP in order to allow or deny sending emails.
The problem is that I need to work with SNAT because the backend servers are far from the LB, behind another firewall and router. Their default gateway must be the one of the router.
If I kept the original source IPs, I would face asymmetric routing and some firewall on the way back would kill the session.
We checked the backend SMTP server configuration and there is no other way to allow/deny sources there except by IP address.
So can I load balance SMTP traffic with SNAT while somehow still being able (on the backend server) to tell what the original source IP was?
Thanks.
30-Jan-2017 03:08
So there's no X-Forwarded-For-type trick to be used here, sorry 🙂
Why don't you assign a specific SNAT address, to be used ONLY for your authorised SMTP virtual server (so you'd use a SNAT pool instead of automap, with one pool member), and then give the mail guys the SNAT address to configure on the Mail server?
30-Jan-2017 22:21
Hi, how they would blacklist any specific mail gateway in this case?
31-Jan-2017 00:03
Whoops - I hadn't read your question carefully enough. You have a few options:
I'm guessing that you want to avoid a topology reconfiguration, so let's try with the blacklist.
How is the blacklist configured on the SMTP server? Is it a simple IP blacklist, or do they perform a reverse lookup of the IP against a DNS server?
06-Jul-2019 20:18 - last edited on 05-Jun-2023 21:45 by JimmyPackets
I believe you're talking about this XFORWARD, right?
If your back-end SMTP server is Postfix, you can easily achieve the same via Proxy Protocol:
F5 can pass the Proxy Protocol info to Postfix via a simple iRule:
when CLIENT_ACCEPTED priority 100 {
    # Build the PROXY protocol v1 line from the client-side connection:
    # "PROXY TCP4 <client IP> <VS IP> <client port> <VS port>\r\n"
    # (IP::version yields 4 or 6, so the second token becomes TCP4 or TCP6)
    set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}
when SERVER_CONNECTED priority 100 {
    # Send the line to the pool member as soon as the server-side connection is up
    TCP::respond $proxyheader
}
and on the Postfix side, you can edit master.cf as follows (the "-o" lines are continuation lines and must be indented):
# service   type  private unpriv  chroot  wakeup  maxproc command
smtp        inet  n       -       n       -       -       smtpd
10025       inet  n       -       n       -       1       postscreen
    -o syslog_name=postfix/f5
    -o postscreen_upstream_proxy_protocol=haproxy
    -o postscreen_upstream_proxy_timeout=5s
smtpd       pass  -       -       n       -       -       smtpd
Then, create a simple TCP VS on F5, listening on port 25/tcp and forwarding all your SMTP traffic to your back-end postfix server on port 10025/tcp.
With the above, you can either talk directly to your back-end server on port 25/tcp, or talk to the F5 VS on port 25/tcp. In both cases, Postfix will see the real client's IP.
---
I wish F5 had native support for the SMTP protocol the same way they have it for LDAP (see Client LDAP Profile), to allow a STARTTLS Activation Mode, plus built-in support for Proxy Protocol in all their profiles.
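As an added example (not code from the original post, F5 or Postfix), the following Python builds the same PROXY protocol v1 line the iRule above produces, parses it the way the receiving side has to (rejecting a line without the CRLF terminator, a mixed address family, or anything that is not TCP4/TCP6), and can send the line to a postscreen listener to verify the Postfix side without the BIG-IP in the path. The sample addresses are taken from the log lines in this thread; the listener address in the probe call is a placeholder.

```python
"""PROXY protocol v1 helpers: build the header the iRule emits, parse it the way a
receiver such as postscreen must, and probe a Postfix listener with it.
Added example for this thread; not code from the original post, F5 or Postfix."""
import ipaddress
import socket

MAX_V1_HEADER = 107  # longest legal v1 line including CRLF, per the HAProxy spec


def build_proxy_v1_header(src_ip, dst_ip, src_port, dst_port):
    """Bytes equivalent to the iRule's $proxyheader: src is the original client
    (IP::remote_addr / TCP::remote_port), dst is the virtual server address/port."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination address families differ")
    for port in (src_port, dst_port):
        if not 0 <= port <= 65535:
            raise ValueError("port out of range: %r" % (port,))
    line = "PROXY TCP%d %s %s %d %d\r\n" % (src.version, src, dst, src_port, dst_port)
    data = line.encode("ascii")
    if len(data) > MAX_V1_HEADER:
        raise ValueError("header exceeds %d bytes" % MAX_V1_HEADER)
    return data


def parse_proxy_v1_header(data):
    """Parse a v1 header from the start of a byte stream.  Returns the connection
    tuple plus the bytes that follow the CRLF; raises ValueError on anything that
    is not a well-formed TCP4/TCP6 line, including a missing CRLF terminator
    (UnicodeDecodeError is a ValueError, so non-ASCII junk is rejected too)."""
    data = bytes(data)
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > MAX_V1_HEADER:
        raise ValueError("missing CRLF terminator or header too long")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) != 6 or fields[0] != "PROXY":
        raise ValueError("not a PROXY v1 line")
    family = {"TCP4": 4, "TCP6": 6}.get(fields[1])
    if family is None:
        raise ValueError("unsupported protocol %r" % fields[1])
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match %s" % fields[1])
    src_port, dst_port = int(fields[4]), int(fields[5])
    for port in (src_port, dst_port):
        if not 0 <= port <= 65535:
            raise ValueError("port out of range: %d" % port)
    return {"src": str(src), "dst": str(dst), "src_port": src_port,
            "dst_port": dst_port, "rest": data[end + 2:]}


def is_valid_proxy_v1_header(data):
    """True if parse_proxy_v1_header accepts the data, False otherwise."""
    try:
        parse_proxy_v1_header(data)
        return True
    except ValueError:
        return False


def probe_postscreen(listener_ip, listener_port, vs_ip, vs_port,
                     client_ip, client_port, timeout=5.0):
    """Emulate the BIG-IP: connect to the postscreen listener (the 10025 service
    above), send the PROXY header naming the original client and the VS, and return
    the SMTP banner.  Without the header postscreen waits
    postscreen_upstream_proxy_timeout and answers 421 4.3.2 instead of a banner."""
    with socket.create_connection((listener_ip, listener_port), timeout=timeout) as s:
        s.sendall(build_proxy_v1_header(client_ip, vs_ip, client_port, vs_port))
        return s.recv(512).decode("ascii", "replace").strip()


if __name__ == "__main__":
    # Constructed sample using the client and VS addresses from the log lines in this thread.
    hdr = build_proxy_v1_header("192.168.0.3", "192.168.0.51", 11023, 25)
    print(hdr)
    print(parse_proxy_v1_header(hdr + b"EHLO mta.example\r\n"))
    # Live check against a real listener (placeholder listener address, assumed):
    # print(probe_postscreen("192.168.75.20", 10025, "192.168.0.51", 25, "192.168.0.3", 11023))
```

Run the probe against the 10025 service and you should get the "220 ... ESMTP Postfix" banner back, with the postfix/f5/postscreen log line showing the client address you passed in rather than the address you connected from.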
29-Jul-2021 01:56 - last edited on 04-Jun-2023 19:22 by JimmyPackets
Hi, apologies to bring up an old thread.
I'm testing out this iRule with Postfix and have followed your steps.
In the mail.log I still see the self IP of the F5, in this case it's 192.168.75.250, however I'm connecting from 192.168.0.3.
Jul 29 08:41:12 postfix-02 postfix/smtpd[3865]: connect from unknown[192.168.75.250]
Jul 29 08:41:36 postfix-02 postfix/smtpd[3865]: 59FAA2C0AFD: client=unknown[192.168.75.250]
Jul 29 08:41:37 postfix-02 postfix/cleanup[3884]: 59FAA2C0AFD: message-id=<>
Jul 29 08:41:37 postfix-02 postfix/qmgr[3864]: 59FAA2C0AFD: from=<test@test.com>, size=174, nrcpt=1 (queue active)
Jul 29 08:41:38 postfix-02 postfix/smtp[3885]: 59FAA2C0AFD: to=<test@test.com>, relay=in-v3.mailjet.com[104.199.96.85]:587, delay=6.2, delays=5.8/0.01/0.31/0.09, dsn=2.0.0, status=sent (250 OK queued as 56d845fe-a830-47e1-8323-bbcc1c305082)
Jul 29 08:41:38 postfix-02 postfix/qmgr[3864]: 59FAA2C0AFD: removed
I also had to remove the \r\n in the iRule as I received a 502 5.5.2 Error: command not recognized upon a telnet session.
220 postfix-02 ESMTP Postfix (Ubuntu)
502 5.5.2 Error: command not recognized
I'm currently testing this on BIG-IP 14.1.4.3 Build 0.0.8 Point Release 3
Any thoughts?
Thanks, Mark.
29-Jul-2021 02:10
Can you show me your master.conf ? Can you also tell me what port you are connecting to in your pool on F5? What is the version of your postfix?
\r\n is needed. My best guess without seeing your master.conf or your pool is that you either:
29-Jul-2021 02:30 - last edited on 04-Jun-2023 19:21 by JimmyPackets
Thank you for the prompt response Juraj. I have attached both master.cf and main.cf as a .zip. I agree it's now most likely a Postfix config issue.
The VS is configured to port 25, I just noticed you mentioned to try 10025/tcp on the backend.
If I telnet to the postfix server on port 10025 I get:
421 4.3.2 No system resources
Connection to host lost.
Port 25 returns ok.
29-Jul-2021 02:36
If your F5 talks to your Postfix on port 25 then you certainly won't see the real client's IP but the F5 IP instead.
The configuration in master.conf is important. It tells postfix to start a listener on port 10025 and attach proxy protocol to it. You are not supposed to talk directly to 10025 via telnet in this case. F5 is supposed to talk to your postfix on port 10025 with that proxy protocol iRule enabled, not to port 25.
29-Jul-2021 02:45 - last edited on 04-Jun-2023 19:21 by JimmyPackets
Perfect, thanks for the explanation. I spotted the config issue in master.conf and have resolved it. I now see the correct source IP:
Jul 29 09:42:53 postfix-02 postfix/f5/postscreen[5159]: CONNECT from [192.168.0.3]:11023 to [192.168.0.51]:25
Jul 29 09:42:59 postfix-02 postfix/f5/postscreen[5159]: PASS NEW [192.168.0.3]:11023
Thank you for the support
29-Jul-2021 02:51
That's great to hear it's working now. I'm glad I could help 😊