Forum Discussion

prk_73508
Jan 31, 2011

POP & IMAP Username Re-writes

Hi all,

We're trying to re-write the username on an incoming POP3, IMAP, POP3S or IMAPS (using SSL offload for the POP3S & IMAPS) to append a domain to the username if none exists.

E.g., if the customer's POP3 client sends "user username" when authenticating, we'd rewrite it to "user username@domain.name" and pass it on to the mail server, preserving any case. If they already had a domain name in the username, we wouldn't touch it.

Ditto with IMAP, where it sends "auth login username password", we'd re-write to "auth login username@domain.name password", but "auth login username@any.string password" wouldn't be touched.

I've had a search through the existing rules, but nothing shows up.

Any ideas on how we'd do this?

Thanks,

prk.

3 Replies

  • Hi PRK,

    You could potentially do this with a stream profile and a STREAM::expression iRule. You'd probably need to match more than "user username" in the stream expression so that you could only append the domain name when it's not there already.

    http://devcentral.f5.com/wiki/default.aspx/iRules/STREAM__expression.html

    If you try this and get stuck, reply back with the rule you're testing and debug logging from the rule to /var/log/ltm.

    Aaron
  • Thanks Hoolio,

    Is there a list of the various parameters we can match on, such as HTTP_REQUEST & HTTP_RESPONSE?

    In particular, ones which would apply to POP3 & IMAP?

    From a pseudocode perspective, I think we'll need something like:

    Match start of POP3 / IMAP session.
    Loop:
        Check for username line, and check for @
        If no @:
            enable stream, and append domain.
            Check for authentication successful / failed
            Disable stream & continue.
        EndIf
    EndLoop
    Rest of POP/IMAP session occurs without Stream

    prk.

  • LTM doesn't currently support native parsing of POP or IMAP, so you'd need to handle this as raw TCP traffic. If you'd like to see F5 add this support, you could open a request for enhancement case. It would certainly make this scenario easier to handle if there were native events and commands for POP and IMAP.

    You could potentially enable the stream filter in CLIENT_ACCEPTED, use a regex in the stream expression which matches on "user" and ends with either "@" or what would come after the user name if it didn't have the proper termination, and then rewrite that in STREAM_MATCHED using STREAM::replace if the domain wasn't already there. I'm not sure you could disable the stream filter if multiple rewrites per connection are potentially required. I can't think of a simple way to trigger re-enabling of it after the first match.

    If the stream filter/iRule doesn't work, another option might be to collect the payloads using TCP::collect (for cleartext traffic) or SSL::collect. Spark posted an example of SSL::collect recently in this post:

    http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/aff/5/afv/topic/aft/1174753/afc/1201203/Default.aspx

    Aaron
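The following is an added example, not code from the thread and not an F5 iRule. It implements the two pieces the replies above talk about in plain Python so they can be run offline against constructed sample lines: the match-and-rewrite decision (the regex that only fires on a username without "@", and the replacement that preserves the username's case) that an iRule would carry in STREAM::expression and STREAM_MATCHED/STREAM::replace, and the per-connection enable/disable loop from prk's pseudocode (keep rewriting until the server reports a successful login, then leave the session alone). Assumptions: the appended domain `domain.name` is a placeholder, the login lines have the shapes quoted in the thread (POP3 `user name`, IMAP `auth login name password`, plus a tagged `a001 LOGIN name password`), and SASL base64 exchanges such as IMAP AUTHENTICATE are not handled. The failed-then-successful POP3 session at the bottom is constructed.

```python
import re

# Placeholder domain to append; the thread never names the real one.
DEFAULT_DOMAIN = "domain.name"

# Client login lines in the shapes the thread quotes: POP3 "user name" and
# IMAP "auth login name password" (the same pattern also covers a tagged
# "a001 LOGIN name password"). The username group excludes "@", so a name that
# already carries a domain never matches and is passed through untouched. The
# keyword match is case-insensitive; the username is captured verbatim so its
# case is preserved. An IMAP username in double quotes is handled via group q.
_POP3_USER = re.compile(
    r'^(?P<prefix>USER )(?P<q>"?)(?P<user>[^@\s"]+)(?P=q)(?P<rest>\r?\n?)$',
    re.IGNORECASE,
)
_IMAP_LOGIN = re.compile(
    r'^(?P<prefix>(?:\S+ )?LOGIN )(?P<q>"?)(?P<user>[^@\s"]+)(?P=q)(?P<rest> \S+\r?\n?)$',
    re.IGNORECASE,
)
# Client lines after which an authentication result is expected from the server.
_POP3_PASS = re.compile(r"^PASS ", re.IGNORECASE)
_IMAP_LOGIN_CMD = re.compile(r"^(?:\S+ )?LOGIN ", re.IGNORECASE)
# Tagged IMAP status response ("a001 OK ..."); untagged "* ..." lines are skipped.
_IMAP_TAGGED = re.compile(r"^([^*\s]+) (OK|NO|BAD)\b", re.IGNORECASE)


def qualify_login_line(line, domain=DEFAULT_DOMAIN):
    """Append "@domain" to a bare username in a POP3 USER or IMAP LOGIN line.

    Anything that is not a login line, or whose username already contains "@",
    comes back unchanged. This is the decision a STREAM_MATCHED handler would
    make before calling STREAM::replace.
    """
    for pattern in (_POP3_USER, _IMAP_LOGIN):
        m = pattern.match(line)
        if m:
            return m["prefix"] + m["q"] + m["user"] + "@" + domain + m["q"] + m["rest"]
    return line


class MailAuthRewriter:
    """Per-connection state following the loop in prk's pseudocode.

    Login lines are rewritten until the server reports a successful login;
    after that the rest of the session passes through untouched (the analogue
    of disabling the stream filter). A failed login leaves rewriting enabled so
    a retry is qualified as well.
    """

    def __init__(self, domain=DEFAULT_DOMAIN):
        self.domain = domain
        self.active = True      # rewriting enabled for this connection
        self.rewrites = 0       # how many login lines were qualified
        self._awaiting = None   # "pop3" after PASS, "imap" after LOGIN

    def client_line(self, line):
        """Process one client-to-server line; return what the server should see."""
        if not self.active:
            return line
        out = qualify_login_line(line, self.domain)
        if out != line:
            self.rewrites += 1
        if _POP3_PASS.match(line):
            self._awaiting = "pop3"
        elif _IMAP_LOGIN_CMD.match(line):
            self._awaiting = "imap"
        return out

    def server_line(self, line):
        """Watch server-to-client lines for the authentication result."""
        if self._awaiting == "pop3" and line.startswith(("+OK", "-ERR")):
            self.active = not line.startswith("+OK")   # stay on after a failure
            self._awaiting = None
        elif self._awaiting == "imap":
            m = _IMAP_TAGGED.match(line)
            if m:
                self.active = m.group(2).upper() != "OK"
                self._awaiting = None
        return line


def run_session(exchange, domain=DEFAULT_DOMAIN):
    """Feed ("C"|"S", line) pairs through one rewriter.

    Returns the exchange as the mail server would see it plus the rewriter, so
    the caller can inspect how many lines were touched and whether rewriting is
    still active.
    """
    rw = MailAuthRewriter(domain)
    seen = []
    for side, line in exchange:
        seen.append((side, rw.client_line(line) if side == "C" else rw.server_line(line)))
    return seen, rw


if __name__ == "__main__":
    # Constructed sample POP3 session: one failed attempt, then a successful one,
    # then a post-login line that must no longer be rewritten.
    sample = [
        ("S", "+OK POP3 server ready\r\n"),
        ("C", "user Alice\r\n"),
        ("S", "+OK\r\n"),
        ("C", "pass wrong\r\n"),
        ("S", "-ERR authentication failed\r\n"),
        ("C", "user Alice\r\n"),
        ("S", "+OK\r\n"),
        ("C", "pass right\r\n"),
        ("S", "+OK logged in\r\n"),
        ("C", "user NotTouchedAfterLogin\r\n"),
    ]
    for side, line in run_session(sample)[0]:
        print(side, line.rstrip())
```

The point worth keeping when porting this to a stream expression is that the "no @" test lives in the match itself (`[^@\s"]+` followed by the terminator), so a fully qualified username never triggers a replacement at all; that avoids the double-append Aaron warns about. Disabling rewriting only on a successful login, rather than on any result, is a design choice here so that a mistyped password still gets its retry qualified.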