Modifying SMTP traffic

Question

We are having an issue with our spam filters sending email from their internal hostname "spamfilter.domain.com", as opposed to our externaly availible "mail.domain.com".&nbsp;
&nbsp;
&nbsp;
All SMTP traffic runs through the LTM and we have rules in place to direct traffic either to the spam filters (if the source is untrusted), on diretly to our SMTP servers (If the source is implicitly trusted, IE: reporting and monitoring servers that dont need to be filtered) or directly to the external destination (If the traffic source is an internal SMTP server or a spam filter)&nbsp;
&nbsp;
&nbsp;
The issue we are running into is that when an outside client recieves an e-mail, the "From" field shows that it is from "spam.domain.com" instead of "mail.domain.com". This causes some external spam filters to reject the mail because it doesnt match a reverse lookup.&nbsp;
&nbsp;
Of course the easy fix would be to change the name on the spam filters, but they wont let us do that because it would be considered spoofing (stupid spam filters).&nbsp;
&nbsp;
&nbsp;
This is what i have so far, Im just trying to match the name and have it log, not even trying to change anything yet. but i can't seem to get this to work (Note that due to LTM setup and other iRules, this should be applied on smtp traffic coming into the LTM from the spam filters)&nbsp;
&nbsp;
&nbsp;
&nbsp;
when CLIENT_ACCEPTED {&nbsp;
    STREAM::expression {@spam.domain.com@spam.domain.com@}&nbsp;
    STREAM::enable&nbsp;
}&nbsp;
when STREAM_MATCHED {&nbsp;
        log local0. "Traffic from spam filters"&nbsp;
}&nbsp;
&nbsp;
Any ideas why this wouldnt work? I also tried matching on a TCP::collect, but couldnt get that to happen either&nbsp;

michael_yates · Answer

Hi Stuart, 
&nbsp;  
&nbsp; You are scanning the communication FROM the client.  Not the response to the client which is where you would need to make your replacement. 
&nbsp;  
&nbsp; See this example which is very close to what you have.  He is scanning the incoming mail for unauthorized domains, but he is doing it on Incoming Mail. 
&nbsp; SMTP Stream catching unapproved domains 
&nbsp;  
&nbsp; Hope this helps.

stuart_myers_88 · Answer

I believe in this case our spam filters would be considered the client, Their gateway for sending mail outside our environment is the LTM. 
&nbsp;   
&nbsp; Regardless, shouldn't i be able to match this expression either way?

stuart_myers_88 · Answer

Anyone have any ideas on this?

mohamed_lrhazi · Answer

You are right, it should log when a match occurs. If does not log, no match occured! 
&nbsp; I'd add a log statement in CLIENT_ACCEPTED, then take a tcpdump -s0, while generating the traffic you think should match, then see if your captured traffic did indeed contain the string your are looking for. make sure your traffic is indeed going through this iRule.

what_lies_bene1 · Answer

I think you also need to have a Stream Profile assigned to the Virtual Server, just in case you haven't.

Forum Discussion

Modifying SMTP traffic

7 Replies

Recent Discussions

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

F5 terminal - help to run commands - disk space full

Related Content

SMTP Smugglers Blues

iRule to modify a content-security-policy header

SMTP Proxy

What is SMTP Smuggling and how can you deal with it?

fellow traffic