SMTP SNAT vs iRule header
Hello everyone, I have an issue related SMTP. This is the incoming mail topology in the organization: Internet ---> FW ---> LTM ---> Cisco ESA ----> Exchange server Between the LTM and the Cisco ESA (Email Security Appliance) is the configuration: F5 - LTM VS type: standard Port: 25 Profiles: TCP, SMTP SNAT: auto-map Pool: contains 2 members representing the ESA servers LB method: Round Robin ========================================================================== Cisco ESA Configured to recognize incoming relay form the F5 self IPs according to the "Received: from" header. ========================================================================== After looking at the email headers it seems that the "Received: from" header because of the auto-map. Disabling the auto-map is not an option, according to my customer, because the F5 cannot be the ESA's default gateway. Our other option is to try adding a new x-header containing the original IP of the sender. Does anyone know if that is even possible to add an email header using an iRule? Unfortunately didn't anything related in the F5 articles.Hybrid Exchange traffic and Starttls
we need to forward traffic from Exchange Online to the Exchange on premise server. direct connexion thru the firewall is working. We wanted to use the F5 to loadbalance the trafic on the 2 on premise exchange server. It seem that is a speciality with the starttls smtp trafic to do on the tcp port 25 😃. Thanks for your help Daniel
External SMTP monitor (written in Go)
Problem this snippet solves: We wrote an external SMTP monitor to work around K99840695. It moderatly customizable, supports STARTTLS and has builtin support to test content filtering via EICAR/GTUBE. The code is on Github, auto-generated releases are on the project's [https://github.com/hreese/f5-smtp-monitor/releases](release page). Code : https://github.com/hreese/f5-smtp-monitor Tested this on version: 11.6
Is it possible to use a WideIP to load balance connections to Mail Server (MX Records)
A customer implementation requires load balancing incoming connections to their hosted websites, that works ok. But the problem is with the mail, is it possible to configure F5 to load balance DNS responses between 2 MX records? And if not, what is the best way to load balance incoming mail connections (SMTP) not Web Mail. Thanks in advance
Just upgraded to 12.1 and getting many 'cron' emails?
I just recently upgraded from 11.3 to 12.1 and am for some reason now getting my email appliance spammed with cron job emails. Any idea how to stop this? Since yesterday I have over 2,000 emails queued because the mail server doesn't recognize the domain name. Seems to happen every minute from the two F5 appliances. Example of one email: Sender: root@f5name.fqdn.com Recipient: postmaster@f5name.fqdn.com Subject: Cron /sbin/lsusb -v -d 0451:3410 >/dev/null
Request feedback on my STMP iRule
Long story short, I have been seeing a bunch of brute force SMTP auth attacks on our exchange server. They managed to get a valid username of one of our users so now they are trying a bunch of commonly used passwords to try to break in. After 25 tries, the account gets locked out and the legitimate user cannot read his email until I unlock his account. I noticed that the EHLO command is always the same (EHLO ABC123-PC) so I made an iRule using this the SMTP proxy here but added a couple lines so that if the EHLO message shows up then the connection is dropped. I think this might be overkill for what I want to do but I want the community to weigh in and critique the iRule. My main concern is how much of the BigIP 1600's resources will this take to run? when CLIENT_ACCEPTED { set chelo "" set cfrom "" set crcpt "" TCP::respond "220\r\n" log local0. "client accepted" TCP::collect } when CLIENT_DATA { set cdata [TCP::payload] if { [ string length $cdata ] <= 0 } { return } if { not ( $cdata contains "\r\n" ) } { log local0. "get <$cdata> so far" return } if { $cdata starts_with "EHLO ABC123-pc" }{ reject } if { $cdata starts_with "HELO" } { set chelo [TCP::payload] log local0. "get helo <$cdata>" TCP::respond "250 OK\r\n" TCP::payload replace 0 [string length $chelo] "" return } if { $cdata starts_with "MAIL FROM:" } { set cfrom [TCP::payload] log local0. "get from <$cfrom>" TCP::respond "250 OK\r\n" TCP::payload replace 0 [string length $cfrom] "" return } if { $cdata starts_with "RCPT TO:" } { set crcpt "$crcpt[TCP::payload]" log local0. "get rcpt <$crcpt>" TCP::respond "250 OK\r\n" TCP::payload replace 0 [string length [TCP::payload]] "" return } if { $cdata starts_with "DATA" } { log local0. "get data <$cdata>" TCP::payload replace 0 0 $chelo$cfrom$crcpt } log local0. "payload [TCP::payload]" TCP::release TCP::collect } when SERVER_CONNECTED { log "server connected" TCP::collect } when SERVER_DATA { set sdata [TCP::payload] if { $sdata starts_with "220" } { log local0. "get data <$sdata>" TCP::payload replace 0 [string length $sdata] "" return } if { $sdata contains "\r\n354 " } { log local0. "get data <$sdata>" TCP::payload replace 0 [string length $sdata] "354\r\n" } if { [ string length $sdata ] <= 0 } { return } log local0. "payload <[TCP::payload]>" TCP::release TCP::collect } when CLIENT_CLOSED { log local0. "client closed" }SMTP domain Whitelist Allow SMTP request based on MAIL FROM on serverside
Hello iRule experts, I am an irule beginner and I need some help.I have a datagroupe that contains more than 200 domain . I need route mail based on the domain found in the FROM header . My irule must verify if this domain has been properly Whitelisted by checking the datagroupe . My Irule Work when I'm using SMTP in cleartext without starttls activated on smtps profil . But with SMTP STARTTLS activated it's not work .So I'm want to check the mail from on Serverside because it using SMTP without Starttls . CLIENT-----:Port25(allow Starttls)F5--->SMTP(ClearText):Port25-->SERVER Here is my Irule that check MAIL FROM on CLIENT SIDE : Only Work if I use SMTP without Starttls configured on SMTPS profile when CLIENT_ACCEPTED { set cto "" set cdata "" log local0. "Connexion de [IP::remote_addr]" LB::connect TCP::collect set hsl [HSL::open -proto UDP -pool splunk.lab.local] set client_ip [IP::client_addr] } when CLIENT_DATA { log local0. "CLIENT_DATA" set cdata [TCP::payload] log local0. "cdata : $cdata" set hsl [HSL::open -proto UDP -pool splunk.lab.local] if { [string match -nocase "MAIL FROM:*" $cdata] } { log local0. "domaine : $cdata" set fromaddr [regsub -all \[\\r\\n\\s\] $cdata ""] log local0. "domaine : $fromaddr" set fromaddr [findstr $fromaddr ":" 1] log local0. "domaine : $fromaddr" set fromdomain [findstr $fromaddr "@" 1] log local0. "domaine : $fromdomain" if { [ class match [string tolower $fromdomain] contains "MailAddrList2" ] } { TCP::payload replace 0 0 $cto pool /Common/SMTP_POOL log local0. "Email Accept based on the recipient email address" log local0.info "domaine, $fromdomain, accepted , real client ip is : $client_ip" HSL::send $hsl "<190> domaine, $fromdomain , accepted, real client ip is : $client_ip \n" HSL::send $cdata "<190>domaine, $fromdomain , accepted" } else { reject log local0. "Domain not allowed please contact your administrator " HSL::send $hsl "<190> domaine, $fromdomain , not accepted, real client ip is : $client_ip \n" } } TCP::release TCP::collect } when SERVER_CONNECTED { log local0. "Connexion au serveur" TCP::collect } when SERVER_DATA { log local0. "sdata : [TCP::payload]" TCP::release `text` TCP::collect } Many thanks in advance HermannBigip mgmt port using tls 1.0 for smtp connection
Hi, We running 15.1.5.1 We did the smtp config from GUI and used the test button - we usue mgmt port for this config - it keeps using tls 1.0 but our mimecast server supports tls 1.2, how can i make the mgmt port use tls 1.0 for this connection? The client hello shows it using tls 1.0.. i cant find any option to change this!
Bit Bucket for SMTP Traffic
I'm looking for a solution that basically accepts SMTP connections, but sends all mail to a bit bucket -- almost like a /dev/null. The problem im running into, is I cant just use a simple irule that "drops" or "rejects" the traffic. I would need to accept the connection and somehow find a way to spoof the initial EHLO response from the f5. Any suggestions would be greatly appreciated.
Delegation of Address List for SMTP VIP
Our mail administrators currently manage IP lists on our SMTP servers for who is allowed to relay email within our organization. We'd like to move the SMTP servers behind our F5 (running version 16). Since this will be a one-armed config, the IP lists on the servers will no longer be respected. I am wondering if there is a way to only grant the mail admins access to manage the address list on the F5 and apply that to the VIP or if there is a way for them to manage an external address list that can be imported or called by an iRule? Thanks, Rob