X-Forward for SMTP

Nuruddin_Ahmed_
Cirrostratus

Hi guys,

 

Reading through various posts here on devcentral I have a feeling I will not be able to achieve what I want, but I'd rather ask again.

 

Our topology looks like: source -> firewall -> F5 LTM -> firewall -> router -> backend servers

 

I am trying to load balance SMTP but the server guys need to see the original source IP in order to allow or deny sending emails.

 

The problem is that I need to work with SNAT because the backend servers are far from the LB, behind another firewall and router. Their default gateway must be the one of the router.

 

If I kept the original source IPs, I would face asymmetric routing and some firewall on the way back would kill the session.

 

We checked the backend SMTP server configuration and there is no other way to allow/deny sources there except by IP address.

 

So can I load balance SMTP traffic with SNAT while somehow still being able (on the backend server) to tell what the original source IP was?

 

Thanks.

 


IheartF5_45022
Nacreous

So there's no X-Forwarded-For - type trick to be used here sorry 🙂

 

Why don't you assign a specific SNAT address, to be used ONLY for your authorised SMTP virtual server (so you'd use a SNAT pool instead of automap, with one pool member), and then give the mail guys the SNAT address to configure on the Mail server?

 

Hi, how would they blacklist any specific mail gateway in this case?

 

Whoops - I hadn't read your question carefully enough. You have a few options:

 

  • reconfigure your topology so that SNAT is not required
  • configure the blacklist on the F5 (sample iRule code below)

I'm guessing that you want to avoid a topology reconfiguration, so let's try with the blacklist.

 

How is the blacklist configured on the SMTP server? Is it a simple IP blacklist, or do they perform a reverse lookup of the IP against a DNS server?

 

Juraj
Cirrus

I believe you're talking about this XFORWARD, right?

 

If your back-end SMTP server is Postfix, you can easily achieve the same via Proxy Protocol:

 

F5 can pass the Proxy Protocol info to Postfix via a simple iRule:

when CLIENT_ACCEPTED priority 100 {
    set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}

when SERVER_CONNECTED priority 100 {
    TCP::respond $proxyheader
}

and on Postfix side, you can edit master.cf as follows:

smtp      inet  n       -       n       -       -       smtpd
10025     inet  n       -       n       -       1       postscreen
    -o syslog_name=postfix/f5
    -o postscreen_upstream_proxy_protocol=haproxy
    -o postscreen_upstream_proxy_timeout=5s
smtpd     pass  -       -       n       -       -       smtpd

Then, create a simple TCP VS on F5, listening on port 25/tcp and forwarding all your SMTP traffic to your back-end postfix server on port 10025/tcp.

 

With the above, you can either talk directly to your back-end server on port 25/tcp, or talk to the F5 VS on port 25/tcp. In both cases, Postfix will see the real client's IP.

 

---

I wish F5 had native support for the SMTP protocol the same way they have it for LDAP (see Client LDAP Profile), to allow STARTTLS Activation Mode. Plus built-in support for proxy protocol in all their profiles.
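As an added illustration (not code from this thread, from F5 or from Postfix), the Python below builds the same PROXY protocol v1 line the iRule above emits from IP::remote_addr, IP::local_addr and the two ports, and parses it the way a proxy-protocol-aware listener such as the postscreen service on 10025 would, rejecting a line that lacks the CRLF terminator. The addresses and ports are constructed sample values.

```python
import ipaddress

# Longest valid PROXY v1 line including the terminating CRLF (from the PROXY protocol spec).
MAX_V1_LINE = 107

# Trust note: any host that can reach the proxy-protocol listener can present an arbitrary
# client address, so that listener should only be reachable from the load balancer's SNAT
# address (firewall/ACL), never from the clients themselves.


def build_proxy_v1(client_ip, proxy_ip, client_port, proxy_port):
    """Build the v1 header that the iRule sends before the first SMTP byte.

    Mirrors the iRule template: TCP + IP::version, IP::remote_addr, IP::local_addr,
    TCP::remote_port, TCP::local_port, terminated by CRLF.
    """
    client, proxy = ipaddress.ip_address(client_ip), ipaddress.ip_address(proxy_ip)
    if client.version != proxy.version:
        raise ValueError("client and proxy addresses must share an address family")
    for port in (client_port, proxy_port):
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    line = f"PROXY TCP{client.version} {client} {proxy} {client_port} {proxy_port}\r\n"
    return line.encode("ascii")


def parse_proxy_v1(data):
    """Parse the v1 header at the start of a connection as a listener would.

    Returns (family, client_ip, proxy_ip, client_port, proxy_port, remaining_bytes).
    Raises ValueError for anything malformed, including a header without CRLF.
    """
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end < 0:
        raise ValueError("no CRLF within the first 107 bytes: not a PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        # The sender could not determine the original address; treat the client as unknown.
        return ("UNKNOWN", None, None, None, None, rest)
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("unsupported family or bad field count")
    want = 4 if fields[1] == "TCP4" else 6
    client, proxy = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if client.version != want or proxy.version != want:
        raise ValueError("address does not match the declared family")
    client_port, proxy_port = int(fields[4]), int(fields[5])
    if not (0 <= client_port <= 65535 and 0 <= proxy_port <= 65535):
        raise ValueError("port out of range")
    return (fields[1], str(client), str(proxy), client_port, proxy_port, rest)
```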

Hi, apologies to bring up an old thread.

I'm testing out this irule with postfix and have followed your steps.

 

In the mail.log I still see the self IP of the F5, in this case it's 192.168.75.250, however I'm connecting from 192.168.0.3.

Jul 29 08:41:12 postfix-02 postfix/smtpd[3865]: connect from unknown[192.168.75.250]
Jul 29 08:41:36 postfix-02 postfix/smtpd[3865]: 59FAA2C0AFD: client=unknown[192.168.75.250]
Jul 29 08:41:37 postfix-02 postfix/cleanup[3884]: 59FAA2C0AFD: message-id=<>
Jul 29 08:41:37 postfix-02 postfix/qmgr[3864]: 59FAA2C0AFD: from=<test@test.com>, size=174, nrcpt=1 (queue active)
Jul 29 08:41:38 postfix-02 postfix/smtp[3885]: 59FAA2C0AFD: to=<test@test.com>, relay=in-v3.mailjet.com[104.199.96.85]:587, delay=6.2, delays=5.8/0.01/0.31/0.09, dsn=2.0.0, status=sent (250 OK queued as 56d845fe-a830-47e1-8323-bbcc1c305082)
Jul 29 08:41:38 postfix-02 postfix/qmgr[3864]: 59FAA2C0AFD: removed

I also had to remove the \r\n in the iRule as I received a 502 5.5.2 Error: command not recognized upon a telnet session.

220 postfix-02 ESMTP Postfix (Ubuntu)
502 5.5.2 Error: command not recognized

I'm currently testing this on BIG-IP 14.1.4.3 Build 0.0.8 Point Release 3

 

Any thoughts?

 

Thanks, Mark.

 

Can you show me your master.conf ? Can you also tell me what port you are connecting to in your pool on F5? What is the version of your postfix?

 

\r\n is needed. My best guess without seeing your master.conf or your pool is that you either:

  • do not have master.conf properly configured with postscreen doing the proxy protocol, and/or
  • your pool on F5 is sending the traffic to the wrong port

Thank you for the prompt response Juraj. I have attached both master.cf and main.cf as a .zip. I agree it's now most likely a postfix config issue.

 

The VS is configured to port 25, I just noticed you mentioned to try 10025/tcp on the backend.

If I telnet to the postfix server on port 10025 I get:

 

421 4.3.2 No system resources Connection to host lost.

Port 25 returns ok.

If your F5 talks to your postfix on port 25 then you certainly won't see the real client's IP but the F5 IP instead.

 

The configuration in master.conf is important. It tells postfix to start a listener on port 10025 and attach proxy protocol to it. You are not supposed to talk directly to 10025 via telnet in this case. F5 is supposed to talk to your postfix on port 10025 with that proxy protocol iRule enabled, not to port 25.

Perfect, thanks for the explanation. I spotted the config issue in master.conf and have resolved it. I now see the correct source IP.

 

Jul 29 09:42:53 postfix-02 postfix/f5/postscreen[5159]: CONNECT from [192.168.0.3]:11023 to [192.168.0.51]:25
Jul 29 09:42:59 postfix-02 postfix/f5/postscreen[5159]: PASS NEW [192.168.0.3]:11023

Thank you for the support

That's great to hear it's working now. I'm glad I could help 😊