Forum Discussion

bman_12685's avatar
bman_12685
Icon for Nimbostratus rankNimbostratus
Jun 01, 2012

smtp irule for access control

Hello,

 

 

I am trying to either preserve the source ip information so that existing smtp rules and greylists continue to work but ensure fault tolerance by placing smtp servers befind an f5 vip, I have a test pair of f5's and have tried the following

 

 

 

setup vip with irule posted below

 

 

when CLIENT_ACCEPTED {

 

if { [matchclass [IP::remote_addr] equals smtp_relay_allowed] } {

 

pool mail_pool

 

} else {

 

reject

 

}

 

}

 

 

the part that says "equals smtp_relay_allowed" is a data group list which has the ip ranges for some of my networks.

 

 

the behavior is that it is simply rejecting connections when the irule is in place if a telnet connection is issued to the lb, this would seem to be in line with the rule since it would connect to the lb and then since have the src ip of the lb reject the connection however is there a way to verify this? is this type of rule being used or is there a better way?

 

application delivery
dev
devops
iRules

4 Replies

Sort By
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Jun 01, 2012
    Hi bman,

     

     

    Your iRule seems like a good approach. Does it work for your scenario?

     

     

    Aaron
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Jun 01, 2012
    Are you saying that when you tested from a client IP in the smtp_relay_allowed data group, the connection was reset? Can you add a debug statement with the client IP? 

    
when CLIENT_ACCEPTED {
   log local0. "[IP::client_addr]:[TCP::client_port]: Connection to [virtual name] [IP::local_addr]:[TCP::local_port]"
   if { not [matchclass [IP::remote_addr] equals smtp_relay_allowed] } {
      log local0. "[IP::client_addr]:[TCP::client_port]: Rejecting client IP"
      reject
   }
}

    Aaron
  • bman_12685's avatar
    bman_12685
    Icon for Nimbostratus rankNimbostratus
    Jun 01, 2012
    actually it looks like it may be working have to test more but for debugging i am doing this variation of it

     

     

    when RULE_INIT {

     

    debug logging to /var/log/ltm (local0)? 0 = no, 1 = yes

     

    set static::debug 1

     

    }

     

     

    if { [matchclass [IP::remote_addr] equals smtp_relay_allowed] } {

     

     

    when CLIENT_ACCEPTED {

     

    if { [IP::addr [IP::remote_addr] equals $ip_of_lb ] } {

     

    log local0. "Node IP address is: [IP::remote_addr] and sent to SMTP_clients_from_ltm_addr"

     

    } else {

     

    log local0. "Node IP address is: [IP::remote_addr]"

     

    if { [class match [IP::client_addr] equals smtp_relay_allowed] } {

     

    pool mail.dcname

     

    } else {

     

    reject

     

    }

     

    }

     

    }
  • bman_12685's avatar
    bman_12685
    Icon for Nimbostratus rankNimbostratus
    Jun 07, 2012
    basically I have a new rule set that implements a whitelist, a blacklist and a greylist however one part I am missing is the dnsrbl ability in milter-greylist that now I have to figure out any one have any ideas?

    My irule is as so 

     
when RULE_INIT {
  set static::debug 1
}

when CLIENT_ACCEPTED {

if { [class match [IP::remote_addr] equals  smtp_relay_allowed ] } {
    log local0. "Node  IP address is: [IP::remote_addr] whitelisted as smtp_relay_allowed"
    snatpool smtp_mailpool
   }
if { [class match [IP::remote_addr] equals  smtp_spambot_reject] } {
    log local0. "Node IP address is: [IP::remote_addr] rejecting due to data group smtp_spambot_reject"
    reject
   } else {
   snatpool untrust_smtp_mailpool
   }
}

    so the above allows smtp to pass into a whitelist from internal sources, to drop bad known spammers and then pass anyone else to a snatpool ip range that gets evauled by milter-greylist, however I would like to also account for stuff like

    dnsrbl "PBL" zen.spamhaus.org

    acl greylist dnsrbl "PBL" delay 66m