Forum Discussion

DB
May 29, 2009

X-Forwarded-For equivalent for SMTP?

I'm running SMTP through LTM to Exchange 2008 servers, but due to my network architecture I have to autosnat the source IP to that of the F5. My Exchange servers therefore lose visibility of the original IP address of the sender. If this were a Web service, I could use X-Forwarded-For with an ISAPI filter to stick the original IP address into Web Server log files, and I'm wondering if anyone knows of a way to do an equivalent sort of thing for SMTP mail. The purpose is to try and catch the originator of specific emails when they arrive with malware/viruses in them.

I've so far set up a Clone Pool sending the mail to a server that's not listening on port 25, then monitoring that traffic with an external Packet Capture "sniffer". Very cumbersome and difficult to manage/maintain. If there was a way I could deliver the original IP address to my Exchange servers, my email guys could worry about tracking IPs that sent worms, and get my Network team out of that business.

Thanks for any and all help.

5 Replies

  • You could insert the IP in the optional Comments field, assuming Exchange can access it there.

    Comments: [IP::client_addr]

    Here are some links to get you started:

    SMTP Proxy
    TCP::collect
    TCP::payload
  • Hi citizen_elah,

    I am facing the same problem; can you explain more please?

    Where do I have to create Comments: [IP::client_addr]?

    I appreciate your support.
  • Citizen_elah was suggesting you could collect the TCP payload and then modify it to insert a custom header (like Comments or X-someheader-name) which contains the original client IP address. You'd need to be wary of collecting more than 4MB of data though. And this would still require the mail server to actually do something with the custom header. It would probably be a lot easier to change the default gateway on the mail server to the BIG-IP...

    SOL6578: TMM will crash if an iRule collects more than 4MB of data
    https://support.f5.com/kb/en-us/solutions/public/6000/500/sol6578.html

    If you're on 9.2.5+, you could potentially do this using a stream profile and a STREAM::expression iRule.

    SOL6741: Large payloads with use of the Stream profile cause the BIG-IP LTM system to crash (fixed in 9.2.5)
    https://support.f5.com/kb/en-us/solutions/public/6000/700/sol6741.html

    Aaron
  • Thanks hoolio,

    It looks like I have to change the default gateway on the mail server to the BIG-IP, or I'll try either nPath or a VLAN group.
    • The-messenger

      I'm still pretty new to BIG-IP, only a year or so, but I've worked in the messaging world for many years. This issue of getting the original client IP is not new to the messaging world, but for many reasons setting the F5 as the default gateway is not a good solution.

      • The source IP is needed in the message tracking logs, but the IP of the F5 device is also needed in the logs. If your logs show inaccurate information you could have trouble with email discoveries. Messaging logs should show both the F5 and the sending server address.

      We really need an X-header value! SMTP is capable of working with X-header values; every filtering system out there uses X-headers to react to messages, log messages and more. A stream rule could be the answer.
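The mechanism hoolio describes (watch the client payload and insert a header carrying the client address) and the X-header with both the sender's and the F5's address that The-messenger asks for, written out below as an added Python example rather than an iRule. This is not F5 code and not code from anyone in this thread. It rewrites the client-to-server byte stream of an SMTP session, emitting a header line as the first line of every message and otherwise passing bytes straight through, which is exactly what sidesteps the 4MB collect limit: nothing is buffered except an incomplete command line. Assumptions, all mine: the header name X-Forwarded-For, the addresses 203.0.113.7 and 10.0.0.5, the constructed session transcript, and that the server answers DATA with 354 (a real proxy must also watch the server direction and fall back to command parsing on any other reply, and should strip CHUNKING from the EHLO response so that BDAT cannot bypass the DATA parsing).

```python
"""Stream-rewriting SMTP proxy logic: insert a header with the original
client IP (and the proxy's own address, so logs show both) at the top of
each message without buffering the message.

Added illustration for this thread; not F5 code and not an iRule. The
addresses, header name and session transcript are constructed."""

CRLF = b"\r\n"
END_OF_DATA = b"\r\n.\r\n"


class SmtpHeaderInserter:
    """Rewrites the client->server byte stream of one SMTP session.

    States:
      command  between transactions; command lines are forwarded as they
               complete and DATA is watched for
      message  DATA has been sent; the next client bytes begin the message,
               so the header line is emitted before them
      body     message bytes pass straight through; a 4-byte window of
               already-forwarded bytes lets <CRLF>.<CRLF> be spotted even
               when it is split across TCP segments

    Only an incomplete command line is held back, so memory use does not
    grow with message size. Assumption: the server accepts DATA with 354.
    """

    def __init__(self, client_addr, proxy_addr, header=b"X-Forwarded-For"):
        self.header_line = (header + b": " + client_addr.encode("ascii")
                            + b" (via " + proxy_addr.encode("ascii") + b")"
                            + CRLF)
        self.state = "command"
        self.pending = b""   # partial command line not yet forwarded
        self.tail = b""      # last forwarded body bytes, for terminator matching
        self.inserted = 0    # number of messages that received the header

    def feed(self, chunk):
        """Return the bytes to forward for one client->server chunk."""
        out = bytearray()
        buf = self.pending + chunk
        self.pending = b""
        while buf:
            if self.state == "command":
                nl = buf.find(CRLF)
                if nl < 0:
                    self.pending = buf          # wait for the rest of the line
                    break
                line, buf = buf[:nl + 2], buf[nl + 2:]
                out += line
                if line[:-2].strip().upper() == b"DATA":
                    self.state = "message"
            elif self.state == "message":
                out += self.header_line         # becomes the message's first line
                self.inserted += 1
                self.tail = CRLF                # the header line ended with CRLF
                self.state = "body"
            else:
                scan = self.tail + buf
                end = scan.find(END_OF_DATA)
                if end < 0:
                    out += buf                  # forward everything, remember a window
                    self.tail = scan[-(len(END_OF_DATA) - 1):]
                    buf = b""
                else:
                    consumed = end + len(END_OF_DATA) - len(self.tail)
                    out += buf[:consumed]       # up to and including <CRLF>.<CRLF>
                    buf = buf[consumed:]
                    self.tail = b""
                    self.state = "command"
        return bytes(out)


def rewrite_session(session, client_addr, proxy_addr, chunk_size=None):
    """Run a whole client->server session through the inserter in chunks of
    chunk_size bytes (None = one chunk). Returns (forwarded bytes, count)."""
    ins = SmtpHeaderInserter(client_addr, proxy_addr)
    if chunk_size is None:
        chunk_size = max(len(session), 1)
    out = b"".join(ins.feed(session[i:i + chunk_size])
                   for i in range(0, len(session), chunk_size))
    return out, ins.inserted


# Constructed client->server half of a session with two messages; the second
# message is empty so the terminator immediately follows the inserted header.
SESSION = (b"EHLO relay.example.net\r\n"
           b"MAIL FROM:<bob@example.net>\r\n"
           b"RCPT TO:<alice@example.com>\r\n"
           b"DATA\r\n"
           b"From: bob@example.net\r\n"
           b"To: alice@example.com\r\n"
           b"Subject: invoice\r\n"
           b"\r\n"
           b"..see attached\r\n"          # dot-stuffed line, must not end DATA
           b".\r\n"
           b"MAIL FROM:<bob@example.net>\r\n"
           b"RCPT TO:<carol@example.com>\r\n"
           b"data\r\n"
           b".\r\n"
           b"QUIT\r\n")
CLIENT_ADDR, PROXY_ADDR = "203.0.113.7", "10.0.0.5"   # constructed addresses
INSERTED_LINE = b"X-Forwarded-For: 203.0.113.7 (via 10.0.0.5)\r\n"
EXPECTED_SESSION = (SESSION.replace(b"DATA\r\n", b"DATA\r\n" + INSERTED_LINE)
                    .replace(b"data\r\n", b"data\r\n" + INSERTED_LINE))

if __name__ == "__main__":
    whole, n = rewrite_session(SESSION, CLIENT_ADDR, PROXY_ADDR)
    bytewise, _ = rewrite_session(SESSION, CLIENT_ADDR, PROXY_ADDR, chunk_size=1)
    print(f"{n} messages tagged; byte-at-a-time delivery matches: {whole == bytewise}")
    print(whole.decode("ascii"))
```

Feeding the same session one byte at a time and as a single chunk must produce identical output; that is the property an in-path rewrite has to hold, since TCP gives no guarantee about where the DATA line, the message or the terminating dot fall relative to segment boundaries. On the receiving side the inserted line shows up as the first header of the message, in front of the Received: lines Exchange adds, so the mail team can log or filter on it without the network team in the loop.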