Deploying The BIG-IP System With SMTP Servers: Deployment Guide
SMTP Server: Not generally applicable; see Monitor section for specifics
Deployment guide version 1.1 (see Document Revision History on page 28)
Important: Make sure you are using the most recent version of this deployment guide, available at
http://www.f5.com/pdf/deployment-guides/f5-smtp-dg.pdf.
To provide feedback about this deployment guide or other F5 solution documents, contact us at solutionsfeedback@f5.com.
DEPLOYMENT GUIDE
SMTP servers
Contents
Terminology 3
Supported Configurations 3
Configuring the BIG-IP system pools and virtual servers for SMTP 6
Scenario 1: Standard unencrypted SMTP 6
Scenario 6: SMTP with STARTTLS on the client-side, and unencrypted SMTP on the server side 11
Configuring the BIG-IP Advanced Firewall Module to secure your SMTP deployment 13
Network Firewall settings 13
Terminology
This guide uses the following terminology.
Term        Definition
MSA         Message Submission Agent. Microsoft Exchange's SMTP service is an example of this when used to receive SMTP mail for local mailbox delivery.
MTA         Message Transfer Agent. Common examples include Sendmail and Postfix.
MX record   A DNS resource record type that indicates the SMTP destination(s) for a given domain. MX records typically resolve to A records, which in turn each resolve to an IP address. MX records can also include priorities, indicating the order of preference when sending mail, based on availability.
Supported Configurations
This deployment guide provides guidance on configuring a BIG-IP LTM system to support the following scenarios. All scenarios support the
use of the Advanced Firewall Manager (AFM) module.
1. Standard unencrypted SMTP on the client and server side
Most domain-to-domain email transfers over the Internet—from userX@my.example.com to userY@your.example.com—occur on
unencrypted TCP port 25; the public-facing DNS MX record for your domain will resolve to the IP address you associate with the
virtual server in this scenario. Because the Internet side of the connection is unencrypted, there is usually no requirement to encrypt
the traffic between the BIG-IP system and the local SMTP MTAs.
[Diagram: SMTP servers in other domains connect across the Internet to the BIG-IP platform, which performs Layer 7 processing and forwards to the local SMTP servers.]
2. Client-side: SMTP encrypted with TLS/SSL; server-side: unencrypted SMTP
We refer to this scenario as SSL Offload. Note that encrypted SMTP is often referred to as SMTPS or ESMTPS.
Clients may send mail using SMTP over an encrypted link, typically on TCP port 587 (or the deprecated port 465), with a BIG-IP
system decrypting the traffic before load balancing to SMTP MTAs or MSAs on port 25. Some business-to-business connections may
also use encrypted SMTP links over the Internet, and email providers are increasingly encrypting inter-domain email transfers.
This scenario covers standard SMTP connections encrypted with TLS/SSL only. An alternative and common encryption approach,
STARTTLS, is covered in scenario 6.
[Diagram: SMTP servers connect across the Internet to the BIG-IP platform, which performs Layer 7 processing and forwards to the local SMTP servers.]
3. Client-side: SMTP encrypted with TLS/SSL; server-side: SMTP encrypted with TLS/SSL
In this scenario (which we refer to as SSL Bridging), the BIG-IP system performs decryption in order to process messages or
connections, for instance to use an iRule, and then re-encrypts the connection to the back-end servers.
SSL Bridging covers many of the same scenarios as example #2, but is commonly used when organizations require that all
communication on a network connection is encrypted. Messages are forwarded to SMTP servers, typically on port 465. The BIG-IP
system can optionally use self-signed TLS/SSL certificates, or certificates with lesser key length, on internal connections.
[Diagram: SMTP servers connect across the Internet to the BIG-IP platform, which performs Layer 7 processing and forwards to the local SMTP servers.]
4. SMTP encrypted with TLS/SSL on both client and server sides
We refer to this scenario as SSL Passthrough, because the BIG-IP system does not decrypt the traffic, and acts as a simple Layer 4
load balancer.
Although less common, this scenario is useful when you do not require the BIG-IP system to perform any advanced logging, message
handling, or other Layer 7 logic on incoming messages. The BIG-IP system does not provide any handling that is unique to SMTP
connectivity; connections are handled at the TCP layer (Layer 4 of the OSI model). All communication is typically on TCP port 465.
[Diagram: SMTP servers connect across the Internet to the BIG-IP platform, which performs Layer 4 processing only and forwards to the local SMTP servers.]
5. Client-side: unencrypted SMTP; server-side: SMTP encrypted with TLS/SSL
This scenario, where traffic arrives unencrypted and then is encrypted before sending to the servers, is uncommon, but could be used
at the remote end of a BIG-IP WOM/AAM tunnel deployment as shown in the following diagram.
[Diagram: Layer 7 processing at both ends of an iSession tunnel across the Internet, with the SMTP servers behind the remote BIG-IP system.]
6. Client-side: SMTP with STARTTLS; server-side: unencrypted SMTP
In this scenario, client-side connections are normally on TCP port 587 or 25, but in this case the clients negotiate encryption using the
STARTTLS command. Server-side connections are typically on unencrypted port 25. This is very common in MSAs, for instance when
an email client submits a message to a corporate mail server for delivery. Note that STARTTLS capabilities are currently offered via an
unsupported iRule in BIG-IP version 11.4; version 11.5 natively supports STARTTLS for SMTP.
[Diagram: SMTP servers or email clients connect across the Internet to the BIG-IP platform, which performs Layer 7 processing and forwards to the local SMTP servers.]
You can import SSL certificates from the Configuration utility, using the System > File Management > SSL Certificate List. For specific
information on importing or using SSL certificates on the BIG-IP system, see the SSL Certificates for Local Traffic chapter of the
BIG-IP Local Traffic Manager: Concepts guide available at http://support.f5.com.
Important
You must NOT use SNAT on a BIG-IP system that processes traffic before sending it to an SMTP server that
performs SPAM or other filtering based on the reputation of the source address of the messages, or if you
require your SMTP servers to log the source IP address of each message, because all messages will appear to
come from the BIG-IP system.
There are two ways you can use SNAT on the BIG-IP system: Auto Map or a SNAT Pool. With SNAT Auto Map, the BIG-IP system picks
one of its own self IP addresses and assigns it to the connections automatically. With a SNAT Pool, you pre-configure a list of one or more
IP addresses that the BIG-IP system uses for address translation. A SNAT pool is only required if you expect more than 65,000
simultaneous SMTP connections for each of your SMTP servers.
Note
A SNAT pool can be useful when performing traffic analysis. Monitor traffic sent from a BIG-IP will always come
from a self IP address of the BIG-IP system; by using a SNAT pool for client-generated traffic, you can easily
differentiate monitor traffic from actual client traffic using Wireshark or a similar utility.
For more information on configuring SNAT on the BIG-IP system, see the SNATs chapter of the BIG-IP Local Traffic Manager:
Concepts guide available at http://support.f5.com.
This completes the initial configuration tasks. Use the guidance on the following pages to configure the BIG-IP system according to your
specific scenario.
Configuring the BIG-IP system pools and virtual servers for SMTP
Use this section to configure the remaining objects on the BIG-IP system, depending on your scenario.
• Scenario 1: Standard unencrypted SMTP on this page
• Scenario 2: SSL offload
• Scenario 3: SSL Bridging on page 8
• Scenario 4: SSL Passthrough on page 9
• Scenario 5: Encrypt on server-side only on page 10
• Scenario 6: SMTP with STARTTLS on the client-side, and unencrypted SMTP on the server side on page 11
You can continue with Configuring the BIG-IP Advanced Firewall Module to secure your SMTP deployment on page 13.
This completes the BIG-IP LTM configuration for this scenario. You can continue with Configuring the BIG-IP Advanced Firewall Module to
secure your SMTP deployment on page 13.
Important: An External monitor uses a script on the BIG-IP system as part of the check to monitor the health of the servers (see
Configuring the External health monitors on page 18 for complete details). Before creating this type of monitor, you must
import the appropriate script onto the BIG-IP system. For this scenario, you can use the following monitors:
  4) Service check for TLS/SSL encrypted SMTP with no authentication or message submission on page 21
  5) Service check for TLS/SSL encrypted SMTP with authentication but without submitting a message on page 22
  6) Service check for TLS/SSL encrypted SMTP submitting a message but no authentication on page 23
  7) Service check for TLS/SSL encrypted SMTP with authentication and submitting a message on page 24

Health Monitor (Local Traffic > Monitors). Choose the health monitor appropriate for your deployment.
  Name                Type a unique name
  Type                External
  Interval            30 (recommended)
  Timeout             91 (recommended)
  External Program    Select the script you imported onto the BIG-IP system. See the Important note above for details.
  Variables (Name / Value; not applicable to monitor 7)
    USER (for monitor 4 and 6 only)      The account name associated with a mailbox.
    PASSWORD (for monitor 4 and 6 only)  The password for the user account
    FROM (for monitor 5 and 6 only)      The sender's email address
    RCPT (for monitor 5 and 6 only)      The recipient's mailbox address

Pools (Local Traffic > Pools)
  Name                Type a unique name
  Health Monitor      Select the External monitor you created
This completes the BIG-IP LTM configuration for this scenario. You can continue with Configuring the BIG-IP Advanced Firewall Module to
secure your SMTP deployment on page 13.
Important: An External monitor uses a script on the BIG-IP system as part of the check to monitor the health of the servers (see
Configuring the External health monitors on page 18 for complete details). Before creating this type of monitor, you must
import the appropriate script onto the BIG-IP system. For this scenario, you can use the following monitors:
  4) Service check for TLS/SSL encrypted SMTP with no authentication or message submission on page 21
  5) Service check for TLS/SSL encrypted SMTP with authentication but without submitting a message on page 22
  6) Service check for TLS/SSL encrypted SMTP submitting a message but no authentication on page 23
  7) Service check for TLS/SSL encrypted SMTP with authentication and submitting a message on page 24

Health Monitor (Local Traffic > Monitors). Choose the health monitor appropriate for your deployment.
  Name                Type a unique name
  Type                External
  Interval            30 (recommended)
  Timeout             91 (recommended)
  External Program    Select the script you imported onto the BIG-IP system. See the Important note above for details.
  Variables (Name / Value; not applicable to monitor 7)
    USER (for monitor 4 and 6 only)      The account name associated with a mailbox.
    PASSWORD (for monitor 4 and 6 only)  The password for the user account
    FROM (for monitor 5 and 6 only)      The sender's email address
    RCPT (for monitor 5 and 6 only)      The recipient's mailbox address

Pools (Local Traffic > Pools)
  Name                    Type a unique name
  Health Monitor          Select the External monitor you created
  Load Balancing Method   Least Connections (member)
  Address                 Type the IP Address of your SMTP server
  Service Port            587. Click Add to repeat Address and Service Port for all nodes

Virtual Servers (Local Traffic > Virtual Servers)
  Name                        Type a unique name.
  Destination Address         Type the IP address for this virtual server.
  Service Port                587
  Source Address Translation  If you created a SNAT Pool using the guidance in SNAT Pool considerations and configuration on page 5,
                              select it here; otherwise, select Auto Map to use SNAT, or leave it at None if your SMTP deployment
                              performs SPAM or other source IP based reputation filtering behind the BIG-IP LTM.
  Default Pool                Select the pool you created
This completes the BIG-IP LTM configuration for this scenario. You can continue with Configuring the BIG-IP Advanced Firewall Module to
secure your SMTP deployment on page 13.
Important: An External monitor uses a script on the BIG-IP system as part of the check to monitor the health of the servers (see
Configuring the External health monitors on page 18 for complete details). Before creating this type of monitor, you must
import the appropriate script onto the BIG-IP system. For this scenario, you can use the following monitors:
  4) Service check for TLS/SSL encrypted SMTP with no authentication or message submission on page 21
  5) Service check for TLS/SSL encrypted SMTP with authentication but without submitting a message on page 22
  6) Service check for TLS/SSL encrypted SMTP submitting a message but no authentication on page 23
  7) Service check for TLS/SSL encrypted SMTP with authentication and submitting a message on page 24

Health Monitor (Local Traffic > Monitors). Choose the health monitor appropriate for your deployment.
  Name                Type a unique name
  Type                External
  Interval            30 (recommended)
  Timeout             91 (recommended)
  External Program    Select the script you imported onto the BIG-IP system. See the Important note above for details.
  Variables (Name / Value; not applicable to monitor 7)
    USER (for monitor 4 and 6 only)      The account name associated with a mailbox.
    PASSWORD (for monitor 4 and 6 only)  The password for the user account
    FROM (for monitor 5 and 6 only)      The sender's email address
    RCPT (for monitor 5 and 6 only)      The recipient's mailbox address

Pools (Local Traffic > Pools)
  Name                    Type a unique name
  Health Monitor          Select the External monitor you created
  Load Balancing Method   Least Connections (member)
  Address                 Type the IP Address of your SMTP server
  Service Port            587. Click Add to repeat Address and Service Port for all nodes
This completes the BIG-IP LTM configuration for this scenario. You can continue with Configuring the BIG-IP Advanced Firewall Module to
secure your SMTP deployment on page 13.
Scenario 6: SMTP with STARTTLS on the client-side, and unencrypted SMTP on the server side
In this scenario, client-side connections are on port 25, but the clients negotiate encryption using the STARTTLS command. On the
server-side, connections are on unencrypted port 25.
This table contains a list of configuration objects along with any non-default settings you should configure as a part of this deployment.
Settings not mentioned in the table can be configured as applicable for your configuration. For specific instructions on configuring individual
objects, see the online help or product manuals.
Health Monitor variables (Name / Value; not applicable to monitor 8)
  USER (for monitor 9 only)       The account name associated with a mailbox.
  PASSWORD (for monitor 9 only)   The password for the user account
  FROM (for monitor 10 only)      The sender's email address
  RCPT (for monitor 10 only)      The recipient's mailbox address

Pools (Local Traffic > Pools)
  Name                    Type a unique name
  Health Monitor          Select either the SMTP or External monitor you created
  Load Balancing Method   Least Connections (member)
  Address                 Type the IP Address of your SMTP server
  Service Port            25. Click Add to repeat Address and Service Port for all nodes

Client SSL profile (Local Traffic > Profiles)
  Name                    Type a unique name
  Parent Profile          clientssl
  Certificate and Key     Select the Certificate and Key you imported in Importing SSL certificates on page 5 from the lists.

Note: The SMTPS profile for STARTTLS support is only available in BIG-IP v11.5 and later. For an unsupported workaround for v11.4, see
Using STARTTLS in BIG-IP v11.4 following this table.

SMTPS Profile (Local Traffic > Profiles > Services > SMTPS)
  Name                        Type a unique name
  Parent Profile              smtps
  STARTTLS Activation Mode    Require (recommended). If necessary, you can change the activation mode; however, in most cases you
                              should leave the value at Require (default), which forces clients to connect only using STARTTLS.
Configuring the BIG-IP Advanced Firewall Module to secure your SMTP deployment
This section describes how to use BIG-IP AFM, F5's Network Firewall module, to secure your SMTP deployment. BIG-IP AFM is particularly
useful if you want to restrict SMTP access to specific clients or networks.
SMTP servers that relay internal traffic might have firewall rules to prevent them from being used as open relays, to allow traffic only from
management or security devices and systems, or otherwise prevent unauthorized or undesirable traffic.
Dedicated business-to-business or similar SMTP connections will typically be configured to only allow connections from a single IP address,
or a small range of addresses, known and verified to be the trusted remote email servers.
The following instructions cover a basic firewall configuration that is effective for the most common scenario of wanting to allow connections
from a single trusted network. If you have complex requirements, such as the need to schedule different policies for different times of the
day, or you want to create complicated rule or address lists, consult the BIG-IP AFM documentation. The basic steps for Policy and Rule
creation apply to all scenarios.
To configure the BIG-IP AFM to allow connections from a single trusted network
b. In the Name field, type a unique name for the policy, such as SMTP Policy.
c. Click Finished.
c. In the Rule section (below the General Properties section), click the Add button.
e. From the Order list, select First. The Order list only appears in version 11.5 and later. In 11.4.x, you must reorder the rules
from the Policy General Properties page.
f. In the Name field, type a unique name, for instance SMTP Allowed.
h. From the Protocol list, select TCP. Leave the box to the right of TCP set to 6.
i. In the Source section, from the Address/Region list, select Specify.
You are now able to list the trusted source addresses for your connection.
In the following example, we will configure a single subnet as trusted.
• Select Address.
• In the box, type the network address you want to allow, including netmask if more than a single host. Specify a network
using CIDR notation, such as 10.0.0.0/24.
j. In the Destination section, leave the Address/Region and Port set to Any. Because you will be applying your policy to a
virtual server that listens only on a single desired address and port, do not specify that information here.
l. Optional: If you have configured a logging profile and want to log connections, from the Logging list, select Enabled. Typically,
allowed connections do not need to be logged.
m. Click Finished.
3. Creating a firewall rule to block all other traffic
The next task is to create a firewall rule to block all other traffic that you have not allowed. Although this is not a required step if your
BIG-IP system is set to default deny (Firewall mode), it is required in default-accept (ADC mode), and is a good practice to always
configure such a rule.
a. Click Security > Network Firewall > Policies.
c. In the Rule section (below the General Properties section), click the Add button.
f. In the Name field, type a unique name, for example SMTP Prohibited.
h. From the Protocol list, select TCP. Leave the box to the right of TCP set to 6.
i. In the Source section, leave all the lists set to Any.
j. From the Action list, select either Drop (to silently discard incoming connections) or Reject (to send a Destination
Unreachable message to the sender).
k. If you configured a logging profile as described in Optional: Configuring the BIG-IP system to log network firewall events on
page 15, from the Logging list, select Enabled.
m. On the Policy Properties page, in the Rules section, ensure the rule with the Action of Accept comes before the Drop or Reject
rule you just created. If it does not, use the Reorder button and drag the rules into the correct order.
b. In the Rule section (below the General Properties section), click the Add button.
c. From the Context list, select Virtual Server, and then select the virtual server you created for your SMTP traffic.
d. From the Type list, select Policy, and then select the firewall policy you created.
f. Click Finished.
After you have enabled and configured an IP Intelligence policy, use the following procedure to assign the policy to your SMTP virtual server:
4. Next to IP Intelligence, select Enabled, then select the IP intelligence policy to apply to traffic on the virtual server.
5. Click Update. The list screen and the updated item are displayed.
The specified IP Intelligence policy is applied to traffic on the selected virtual server.
• Remote High-Speed Logging:
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-5-0/22.html
• Local logging:
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-concepts-11-5-0/11.html
6. Use the following table for guidance on configuring the iApp template. Questions not mentioned in the table can be configured as
applicable for your implementation.
Question                                                                  Guidance
Do you want to create a new pool of remote logging servers, or use an      Unless you have already created a pool on the BIG-IP system for your remote
existing one?                                                             logging servers, select Create a new pool.
Which servers should be included in this pool?                            Specify the IP addresses of your logging servers. Click Add to include more servers.
What port do the pool members use?                                        Specify the port used by your logging servers, typically 514.
Do the pool members expect UDP or TCP connections?                        Specify whether your logging servers expect incoming connections to be TCP or UDP.
Do you want to create a new monitor for this pool, or use an existing      Unless you have already created a health monitor for your pool of logging servers,
one?                                                                      select Use a simple ICMP (ping) monitor.
Do your log pool members require a specific log format?                   If your logging servers require a specific format, select the appropriate format from the list.
7. Click Finished.
8. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
11. Next to Log Profile, select Enabled, then select the Logging profile you created.
12. Click Update. The list screen and the updated item are displayed.
Note
The iApp template creates a log publisher and attaches it to the logging profile. If the publisher does not appear
in the BIG-IP Configuration utility (GUI), you can verify the configuration by running the following command
from the Traffic Management shell (tmsh): list security log profile <your profile name>.
2. Log into the BIG-IP system using the command line. Enter the tmsh shell by typing tmsh at the prompt.
4. If you have a specific log format requirement, create a format-specific log destination, and forward that to the previously created HSL
destination:
   (tmos)# create /sys log-config destination [splunk|arcsight|remote-high-speed-log] [name] forward-to [HSL name]
6. Create the logging profile to tie everything together. The options that the original shows in colour are named here:
   If you chose to log allowed connections, include the log-acl-match-accept enabled option (the text in green; see step 2 substep l in
   To configure the BIG-IP AFM to allow connections from a single trusted network on page 13).
   If you set the rule to drop incoming connections, include the log-acl-match-drop enabled option (the text in blue).
   If you chose to log IP intelligence events, include the ip-intelligence { log-publisher [logpublisher name] } parameter (the text in red),
   which sets the log publisher for those events.
   (tmos)# create /security log profile [name] network add { [name] { filter { log-acl-match-accept enabled log-acl-match-drop enabled
   log-acl-match-reject enabled } format { field-list { date_time action drop_reason protocol src_ip src_port dest_ip dest_port }
   type field-list } publisher [logpublisher name] } } ip-intelligence { log-publisher [logpublisher name] }
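Once events in the field-list format above reach a collector, a short shell and awk pass over them shows which sources keep hitting the deny rule and whether the allow rule is matching only the trusted network. This is an added example, not part of the F5 guide; it assumes the fields arrive in the field-list order, separated by the default "," delimiter, with any syslog header already stripped by the collector, and the sample events are constructed.

```shell
#!/bin/sh
# Added example (not F5's): summarise AFM network-firewall events logged with the field-list
#   date_time action drop_reason protocol src_ip src_port dest_ip dest_port
# Assumptions: fields are comma-separated (the default delimiter) and the syslog header is gone.

# Constructed sample events for an SMTP virtual server listening on 198.51.100.25:25.
sample_log() {
cat <<'EOF'
2014-05-12 10:15:01,Accept,,TCP,10.0.0.15,40211,198.51.100.25,25
2014-05-12 10:15:03,Drop,Policy,TCP,203.0.113.7,51000,198.51.100.25,25
2014-05-12 10:15:04,Drop,Policy,TCP,203.0.113.7,51001,198.51.100.25,25
2014-05-12 10:15:06,Reject,Policy,TCP,203.0.113.7,51002,198.51.100.25,25
2014-05-12 10:15:07,Accept,,TCP,10.0.0.16,40212,198.51.100.25,25
2014-05-12 10:15:09,Drop,Policy,TCP,192.0.2.44,60100,198.51.100.25,25
EOF
}

# Count Drop and Reject events per source address, busiest source first. Reads events on stdin
# and prints "src_ip count" lines.
denied_by_source() {
    awk -F',' '$2 == "Drop" || $2 == "Reject" { n[$5]++ }
               END { for (ip in n) printf "%s %d\n", ip, n[ip] }' | sort -k2,2nr -k1,1
}

# Print only sources denied at least $1 times: candidates for review against your address lists
# or an IP Intelligence policy. Reads events on stdin.
sources_over_threshold() {
    denied_by_source | awk -v min="$1" '$2 >= min { print $1 }'
}

# Accepted connections per source. Every address listed here should belong to the trusted
# network the SMTP Allowed rule was written for; anything else means the rule is too broad.
accepted_by_source() {
    awk -F',' '$2 == "Accept" { n[$5]++ }
               END { for (ip in n) printf "%s %d\n", ip, n[ip] }' | sort -k1,1
}

# With a file argument, analyse that file; without one, run over the constructed sample.
if [ -n "$1" ]; then
    input="$1"
    echo "Denied connections per source:";   denied_by_source < "$input"
    echo "Accepted connections per source:"; accepted_by_source < "$input"
else
    echo "Denied connections per source:";   sample_log | denied_by_source
    echo "Sources denied 3 or more times:";  sample_log | sources_over_threshold 3
    echo "Accepted connections per source:"; sample_log | accepted_by_source
fi
```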
1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
4. Next to Log Profile, select Enabled, then select the Logging profile you created.
5. Click Update. The list screen and the updated item are displayed.
1) Service check for unencrypted SMTP requiring authentication but without submitting a message
Use the following script if you want the BIG-IP system to perform a health check to the SMTP servers that requires authentication. This
monitor does not submit a message as a part of the health check. The monitor is successful if the mail server successfully authenticates the
connection.
This monitor is also available from http://www.f5.com/pdf/deployment-guides/unencrypted-smtp-auth-no-message.zip.
You must make sure to enter the Name/Value pairs as described in the configuration tables.
To import the file, go to System > File Management > External Monitor Program File List and then click Import. On the Import File
page, choose the monitor script file, and give the file a unique name. You choose this name when configuring the monitor. Click Import.
#!/bin/sh
# These arguments are supplied automatically for all external monitors:
# $1 = IP (nnn.nnn.nnn.nnn notation)
# $2 = port (decimal, host byte order)
#
# This script expects the following Name/Value pairs:
# USER = the username associated with a mailbox
# PASSWORD = the password for the user account
#
# Remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)

NODE=`echo ${1} | sed 's/::ffff://'`
if [[ $NODE =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    # node is v4
    NODE=${NODE}
else
    # node is v6: bracket the address so curl can separate it from the port
    NODE=[${NODE}]
fi
PORT=${2}
PIDFILE="/var/run/`basename ${0}`.${NODE}_${PORT}.pid"
RECV='250'

# kill the last instance of this monitor if it is still running (hung), then record the current pid
if [ -f $PIDFILE ]
then
    echo "EAV exceeded runtime needed to kill ${NODE}:${PORT}" | logger -p local0.error
    kill -9 `cat $PIDFILE` > /dev/null 2>&1
fi
echo "$$" > $PIDFILE
# Authenticate to the server; the check passes if a 250 response appears in the verbose output
/usr/bin/curl-apd -k -v smtp://${NODE}:${PORT} -u "${USER}:${PASSWORD}" 2>&1 | grep "${RECV}" > /dev/null
STATUS=$?
rm -f $PIDFILE
# An external monitor marks the node up only when the script writes to stdout
if [ $STATUS -eq 0 ]
then
    echo "UP"
fi
exit
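The monitors in this section pass USER:PASSWORD on the curl command line, where any local process can read it from the process list, and treat any line containing "250" as success. As an added example that is not part of F5's guide, the following external monitor keeps the same $1/$2 and Name/Value conventions but hands the credentials to curl through a config file on stdin (-K -), decides UP from curl's exit status, and can require STARTTLS (curl --ssl-reqd) for MTAs that advertise it on port 25 or 587, the negotiation described in Scenario 6. The CURL path, the REQUIRE_STARTTLS and CACERT variable names and the 10-second time limit are assumptions.

```shell
#!/bin/sh
# Added example, not F5's script: external monitor in the page's $1/$2 convention.
# BIG-IP supplies $1 = node address, $2 = port; USER, PASSWORD, REQUIRE_STARTTLS and
# CACERT are monitor Name/Value pairs (REQUIRE_STARTTLS and CACERT are assumed names).

CURL="${CURL:-/usr/bin/curl-apd}"   # assumption: the same curl binary the page's monitors call

# Strip the ::ffff: prefix LTM puts on IPv4 addresses; bracket a real IPv6 address for curl.
normalize_node() {
    node=$(printf '%s' "$1" | sed 's/^::ffff://')
    case "$node" in
        *:*) printf '[%s]' "$node" ;;
        *)   printf '%s' "$node" ;;
    esac
}

# Write a curl config to stdout. Arguments: node port user password require_starttls(yes/no) cacert.
# Credentials reach curl via "-K -" (config on stdin) instead of the command line, so they do not
# show up in "ps". "ssl-reqd" makes curl fail unless the server completes STARTTLS.
curl_config() {
    printf 'url = "smtp://%s:%s"\n' "$1" "$2"
    printf 'silent\nshow-error\nmax-time = 10\n'
    if [ "$5" = "yes" ]; then
        printf 'ssl-reqd\n'
        if [ -n "$6" ]; then
            printf 'cacert = "%s"\n' "$6"     # verify the MTA certificate against this CA bundle
        else
            printf 'insecure\n'              # self-signed internal certificate: encrypt, do not verify
        fi
    fi
    if [ -n "$3" ]; then
        printf 'user = "%s:%s"\n' "$3" "$4"
    fi
}

# Map curl's exit status to the external-monitor contract: print UP on success, nothing otherwise.
# The exit status reflects the EHLO, STARTTLS and AUTH outcomes, unlike a grep for "250", which
# also matches unrelated lines such as "250-SIZE 10250000".
report() {
    if [ "$1" -eq 0 ]; then
        echo "UP"
    fi
    return 0
}

run_probe() {
    node=$(normalize_node "$1"); port="$2"
    pidfile="/var/run/$(basename "$0").${node}_${port}.pid"
    if [ -f "$pidfile" ]; then
        echo "EAV exceeded runtime, killing previous probe for ${node}:${port}" | logger -p local0.error
        kill -9 "$(cat "$pidfile")" > /dev/null 2>&1
    fi
    echo "$$" > "$pidfile"
    curl_config "$node" "$port" "${USER:-}" "${PASSWORD:-}" "${REQUIRE_STARTTLS:-yes}" "${CACERT:-}" \
        | "$CURL" -K - > /dev/null 2>&1
    status=$?
    rm -f "$pidfile"
    report "$status"
}

# Probe only when BIG-IP invoked the script with an address and a port.
if [ "$#" -ge 2 ]; then
    run_probe "$1" "$2"
fi
```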
2) Service check for unencrypted SMTP submitting a message but not requiring authentication
Use the following script if you want the BIG-IP system to perform a service check to the SMTP servers that does not require authentication,
but submits a message to the servers as part of the health check. The server is considered available if it accepts and queues the message
for delivery.
This monitor is also available from http://www.f5.com/pdf/deployment-guides/unencrypted-smtp-message-no-auth.zip.
For this monitor, you must import two files: the monitor script file, and the message file the script uses to test the servers. You must also
make sure to enter the Name/Value pairs as described in the configuration tables.
To import the file, go to System > File Management > External Monitor Program File List and then click Import. On the Import File
page, choose the monitor script file, and give the file a unique name. You choose this name when configuring the monitor. Click Import.
Message code
## MONITORBODY.txt is a separate file with the following format:
Subject: BIG-IP Monitor

# Optional body text could go here
.
Monitor code
#!/bin/sh
# These arguments are supplied automatically for all external monitors:
# $1 = IP (nnn.nnn.nnn.nnn notation)
# $2 = port (decimal, host byte order)
#
# This script expects the following Name/Value pairs:
# FROM = sender's email address
# RCPT = recipient mailbox address
#
# Remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)

NODE=`echo ${1} | sed 's/::ffff://'`
if [[ $NODE =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    # node is v4
    NODE=${NODE}
else
    # node is v6: bracket the address so curl can separate it from the port
    NODE=[${NODE}]
fi
PORT=${2}
PIDFILE="/var/run/`basename ${0}`.${NODE}_${PORT}.pid"
RECV='250'

# kill the last instance of this monitor if it is still running (hung), then record the current pid
if [ -f $PIDFILE ]
then
    echo "EAV exceeded runtime needed to kill ${NODE}:${PORT}" | logger -p local0.error
    kill -9 `cat $PIDFILE` > /dev/null 2>&1
fi
echo "$$" > $PIDFILE
# Submit MONITORBODY.txt (-T uploads it as the message) without authenticating; the check passes
# if a 250 response appears in the verbose output
/usr/bin/curl-apd -k -v smtp://${NODE}:${PORT} --mail-from "${FROM}" --mail-rcpt "${RCPT}" -T MONITORBODY.txt 2>&1 | grep "${RECV}" > /dev/null
STATUS=$?
rm -f $PIDFILE
# An external monitor marks the node up only when the script writes to stdout
if [ $STATUS -eq 0 ]
then
    echo "UP"
fi
exit
3) Service check for unencrypted SMTP submitting a message and requiring authentication
Use the following script if you want the BIG-IP system to perform a service check to the SMTP servers that requires authentication and
submits a message to the servers as part of the health check. The server is considered available if it authenticates the connection, then
accepts and queues the message for delivery.
This monitor is also available from http://www.f5.com/pdf/deployment-guides/unencrypted-smtp-message-auth.zip.
For this monitor, you must import two files: the monitor script file, and the message file the script uses to test the servers. You must also
make sure to enter the Name/Value pairs as described in the configuration tables.
To import the file, go to System > File Management > External Monitor Program File List and then click Import. On the Import File
page, choose the monitor script file, and give the file a unique name. You choose this name when configuring the monitor. Click Import.
Message code
## MONITORBODY.txt is a separate file with the following format:
Subject: BIG-IP Monitor

# Optional body text could go here
.
Monitor code
#!/bin/sh
# These arguments are supplied automatically for all external monitors:
# $1 = IP (nnn.nnn.nnn.nnn notation)
# $2 = port (decimal, host byte order)
#
# This script expects the following Name/Value pairs:
# USER = the username associated with a mailbox
# PASSWORD = the password for the user account
# FROM = sender's email address
# RCPT = recipient mailbox address
#
# Remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)

NODE=`echo ${1} | sed 's/::ffff://'`
if [[ $NODE =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    # node is v4
    NODE=${NODE}
else
    # node is v6: bracket the address so curl can separate it from the port
    NODE=[${NODE}]
fi
PORT=${2}
SUBJECT="BIG-IP monitor"
PIDFILE="/var/run/`basename ${0}`.${NODE}_${PORT}.pid"
RECV='250'

# kill the last instance of this monitor if it is still running (hung), then record the current pid
if [ -f $PIDFILE ]
then
    echo "EAV exceeded runtime needed to kill ${NODE}:${PORT}" | logger -p local0.error
    kill -9 `cat $PIDFILE` > /dev/null 2>&1
fi
echo "$$" > $PIDFILE
# Authenticate, then submit MONITORBODY.txt (-T uploads it as the message); the check passes
# if a 250 response appears in the verbose output
/usr/bin/curl-apd -k -v smtp://${NODE}:${PORT} -u "${USER}:${PASSWORD}" --mail-from "${FROM}" --mail-rcpt "${RCPT}" -T MONITORBODY.txt 2>&1 | grep "${RECV}" > /dev/null
STATUS=$?
rm -f $PIDFILE
# An external monitor marks the node up only when the script writes to stdout
if [ $STATUS -eq 0 ]
then
    echo "UP"
fi
exit
4) Service check for TLS/SSL encrypted SMTP with no authentication or message submission
Use the following script if clients are connecting to the BIG-IP system with SMTP encrypted with TLS or SSL. In this case, the monitor does
not account for authentication or message submission.
This monitor is also available from http://www.f5.com/pdf/deployment-guides/encrypted-smtp-no-message-no-auth.zip.
To import the file, go to System > File Management > External Monitor Program File List and then click Import. On the Import File
page, choose the monitor script file, and give the file a unique name. You choose this name when configuring the monitor. Click Import.
Monitor code
#!/bin/bash
# These arguments are supplied automatically for all external monitors:
#   $1 = IP (nnn.nnn.nnn.nnn notation)
#   $2 = port (decimal, host byte order)
#
# Remove the IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)
NODE=`echo ${1} | sed 's/::ffff://'`
if [[ $NODE =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    # node is v4: use the address as-is
    NODE=${NODE}
else
    # node is v6: bracket the address so the port can be appended
    NODE=[${NODE}]
fi
PORT=${2}
# One pid file per node and port, so concurrent monitors do not kill each other
PIDFILE="/var/run/`basename ${0}`.${NODE}_${PORT}.pid"
RECV='250'

# Kill off the last instance of this monitor if it hung, and record the current pid
if [ -f $PIDFILE ]
then
    echo "EAV exceeded runtime needed to kill ${NODE}:${PORT}" | logger -p local0.error
    kill -9 `cat $PIDFILE` > /dev/null 2>&1
fi
echo "$$" > $PIDFILE
# Open an SMTP-over-TLS session and look for a 250 reply (the EHLO response) in curl's
# verbose trace. -k skips certificate verification: this checks availability only,
# not the validity of the server certificate.
/usr/bin/curl-apd -k -v smtps://${NODE}:${PORT} 2>&1 | grep -q "^< ${RECV}"
STATUS=$?
rm -f $PIDFILE
# The monitor marks the node UP only by printing "UP"; any other output, or none, is DOWN
if [ $STATUS -eq 0 ]
then
    echo "UP"
fi
exit
5) Service check for TLS/SSL encrypted SMTP with authentication but without submitting a message
Use the following script if clients are connecting to the BIG-IP system with SMTP encrypted with TLS or SSL. In this case, the monitor does
perform authentication, but does not submit a message.
This monitor is also available from http://www.f5.com/pdf/deployment-guides/encrypted-smtp-auth-no-message.zip.
You must make sure to enter the Name/Value pairs as described in the configuration tables.
To import the file, go to System > File Management > External Monitor Program File List and then click Import. On the Import File
page, choose the monitor script file, and give the file a unique name. You choose this name when configuring the monitor. Click Import.
Monitor code
#!/bin/bash
# These arguments are supplied automatically for all external monitors:
#   $1 = IP (nnn.nnn.nnn.nnn notation)
#   $2 = port (decimal, host byte order)
#
# This script expects the following Name/Value pairs:
#   USER     = the username associated with a mailbox
#   PASSWORD = the password for the user account
#
# Remove the IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)
NODE=`echo ${1} | sed 's/::ffff://'`
if [[ $NODE =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    # node is v4: use the address as-is
    NODE=${NODE}
else
    # node is v6: bracket the address so the port can be appended
    NODE=[${NODE}]
fi
PORT=${2}
# One pid file per node and port, so concurrent monitors do not kill each other
PIDFILE="/var/run/`basename ${0}`.${NODE}_${PORT}.pid"
RECV='250'

# Kill off the last instance of this monitor if it hung, and record the current pid
if [ -f $PIDFILE ]
then
    echo "EAV exceeded runtime needed to kill ${NODE}:${PORT}" | logger -p local0.error
    kill -9 `cat $PIDFILE` > /dev/null 2>&1
fi
echo "$$" > $PIDFILE
# Open an SMTP-over-TLS session, authenticate with the USER/PASSWORD pair and look for
# a 250 reply in curl's verbose trace. -k skips certificate verification: this checks
# availability only, not the validity of the server certificate.
/usr/bin/curl-apd -k -v smtps://${NODE}:${PORT} -u ${USER}:${PASSWORD} 2>&1 | grep -q "^< ${RECV}"
STATUS=$?
rm -f $PIDFILE
# The monitor marks the node UP only by printing "UP"; any other output, or none, is DOWN
if [ $STATUS -eq 0 ]
then
    echo "UP"
fi
exit
6) Service check for TLS/SSL encrypted SMTP submitting a message but no authentication
Use the following script if clients are connecting over TLS/SSL and you want the BIG-IP system to perform a service check that submits
a message to the SMTP servers as part of the health check but does not authenticate. The server is considered available if it accepts
and queues the message for delivery.
This monitor is also available from http://www.f5.com/pdf/deployment-guides/encrypted-smtp-message-no-auth.zip.
For this monitor, you must import two files: the monitor script file, and the message file the script uses to test the servers. You must also
make sure to enter the Name/Value pairs as described in the configuration tables.
To import each file, go to System > File Management > External Monitor Program File List and then click Import. On the Import File
page, choose the file, and give it a unique name. You choose the script's name when configuring the monitor. Click Import.
Message code
MONITORBODY.txt is a separate file with the following format:

Subject: BIG-IP Monitor

# Optional body text could go here
.
Monitor code
#!/bin/bash
# These arguments are supplied automatically for all external monitors:
#   $1 = IP (nnn.nnn.nnn.nnn notation)
#   $2 = port (decimal, host byte order)
#
# This script expects the following Name/Value pairs:
#   FROM = sender's email address
#   RCPT = recipient mailbox address
#
# Remove the IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)
NODE=`echo ${1} | sed 's/::ffff://'`
if [[ $NODE =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    # node is v4: use the address as-is
    NODE=${NODE}
else
    # node is v6: bracket the address so the port can be appended
    NODE=[${NODE}]
fi
PORT=${2}
SUBJECT="BIG-IP monitor"
# One pid file per node and port, so concurrent monitors do not kill each other
PIDFILE="/var/run/`basename ${0}`.${NODE}_${PORT}.pid"
RECV='250'

# Kill off the last instance of this monitor if it hung, and record the current pid
if [ -f $PIDFILE ]
then
    echo "EAV exceeded runtime needed to kill ${NODE}:${PORT}" | logger -p local0.error
    kill -9 `cat $PIDFILE` > /dev/null 2>&1
fi
echo "$$" > $PIDFILE
# Open an SMTP-over-TLS session, upload MONITORBODY.txt as the message (-T) and look
# for a 250 reply in curl's verbose trace. -k skips certificate verification: this
# checks availability only, not the validity of the server certificate.
/usr/bin/curl-apd -k -v smtps://${NODE}:${PORT} --mail-from ${FROM} --mail-rcpt ${RCPT} -T MONITORBODY.txt 2>&1 | grep -q "^< ${RECV}"
STATUS=$?
rm -f $PIDFILE
# The monitor marks the node UP only by printing "UP"; any other output, or none, is DOWN
if [ $STATUS -eq 0 ]
then
    echo "UP"
fi
exit
7) Service check for TLS/SSL encrypted SMTP with authentication and submitting a message
Use the following script if clients are connecting over TLS/SSL and you want the BIG-IP system to perform a service check to the SMTP
servers that requires authentication and submits a message to the servers as part of the health check. The server is considered available if it
authenticates the connection, then accepts and queues the message for delivery.
This monitor is also available from http://www.f5.com/pdf/deployment-guides/encrypted-smtp-message-auth.zip.
For this monitor, you must import two files: the monitor script file, and the message file the script uses to test the servers. You must also
make sure to enter the Name/Value pairs as described in the configuration tables.
To import each file, go to System > File Management > External Monitor Program File List and then click Import. On the Import File
page, choose the file, and give it a unique name. You choose the script's name when configuring the monitor. Click Import.
Message code
MONITORBODY.txt is a separate file with the following format:

Subject: BIG-IP Monitor

# Optional body text could go here
.
Monitor code
#!/bin/bash
# These arguments are supplied automatically for all external monitors:
#   $1 = IP (nnn.nnn.nnn.nnn notation)
#   $2 = port (decimal, host byte order)
#
# This script expects the following Name/Value pairs:
#   USER     = the username associated with a mailbox
#   PASSWORD = the password for the user account
#   FROM     = sender's email address
#   RCPT     = recipient mailbox address
#
# Remove the IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)
NODE=`echo ${1} | sed 's/::ffff://'`
if [[ $NODE =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    # node is v4: use the address as-is
    NODE=${NODE}
else
    # node is v6: bracket the address so the port can be appended
    NODE=[${NODE}]
fi
PORT=${2}
# One pid file per node and port, so concurrent monitors do not kill each other
PIDFILE="/var/run/`basename ${0}`.${NODE}_${PORT}.pid"
RECV='250'

# Kill off the last instance of this monitor if it hung, and record the current pid
if [ -f $PIDFILE ]
then
    echo "EAV exceeded runtime needed to kill ${NODE}:${PORT}" | logger -p local0.error
    kill -9 `cat $PIDFILE` > /dev/null 2>&1
fi
echo "$$" > $PIDFILE
# Open an SMTP-over-TLS session, authenticate, upload MONITORBODY.txt as the message
# (-T) and look for a 250 reply in curl's verbose trace. -k skips certificate
# verification: this checks availability only, not the validity of the certificate.
/usr/bin/curl-apd -k -v smtps://${NODE}:${PORT} -u ${USER}:${PASSWORD} --mail-from ${FROM} --mail-rcpt ${RCPT} -T MONITORBODY.txt 2>&1 | grep -q "^< ${RECV}"
STATUS=$?
rm -f $PIDFILE
# The monitor marks the node UP only by printing "UP"; any other output, or none, is DOWN
if [ $STATUS -eq 0 ]
then
    echo "UP"
fi
exit
8) Service check for SMTP with STARTTLS with no authentication or message submission
Use the following script if clients are connecting to the BIG-IP system with SMTP encrypted using the STARTTLS command. In this case,
the monitor does not account for authentication or message submission.
This monitor is also available from http://www.f5.com/pdf/deployment-guides/smtp-starttls-no-auth-no-message.zip.
To import the file, go to System > File Management > External Monitor Program File List and then click Import. On the Import File
page, choose the monitor script file, and give the file a unique name. You choose this name when configuring the monitor. Click Import.
Monitor code
#!/bin/bash
# These arguments are supplied automatically for all external monitors:
#   $1 = IP (nnn.nnn.nnn.nnn notation)
#   $2 = port (decimal, host byte order)
#
# Remove the IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)
NODE=`echo ${1} | sed 's/::ffff://'`
if [[ $NODE =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    # node is v4: use the address as-is
    NODE=${NODE}
else
    # node is v6: bracket the address so the port can be appended
    NODE=[${NODE}]
fi
PORT=${2}
# One pid file per node and port, so concurrent monitors do not kill each other
PIDFILE="/var/run/`basename ${0}`.${NODE}_${PORT}.pid"
RECV='250'

# Kill off the last instance of this monitor if it hung, and record the current pid
if [ -f $PIDFILE ]
then
    echo "EAV exceeded runtime needed to kill ${NODE}:${PORT}" | logger -p local0.error
    kill -9 `cat $PIDFILE` > /dev/null 2>&1
fi
echo "$$" > $PIDFILE
# Open a plain SMTP session to the pool member and look for a 250 reply (the EHLO
# response) in curl's verbose trace
/usr/bin/curl-apd -k -v smtp://${NODE}:${PORT} 2>&1 | grep -q "^< ${RECV}"
STATUS=$?
rm -f $PIDFILE
# The monitor marks the node UP only by printing "UP"; any other output, or none, is DOWN
if [ $STATUS -eq 0 ]
then
    echo "UP"
fi
exit
9) Service check for SMTP with STARTTLS and authentication, but without submitting a message
Use the following script if clients are connecting to the BIG-IP system with SMTP encrypted using the STARTTLS command. In this case,
the monitor performs authentication as a part of the health check but does not submit a message.
This monitor is also available from http://www.f5.com/pdf/deployment-guides/smtp-starttls-auth-no-message.zip.
You must make sure to enter the Name/Value pairs as described in the configuration tables.
To import the file, go to System > File Management > External Monitor Program File List and then click Import. On the Import File
page, choose the monitor script file, and give the file a unique name. You choose this name when configuring the monitor. Click Import.
Monitor code
#!/bin/bash
# These arguments are supplied automatically for all external monitors:
#   $1 = IP (nnn.nnn.nnn.nnn notation)
#   $2 = port (decimal, host byte order)
#
# This script expects the following Name/Value pairs:
#   USER     = the username associated with a mailbox
#   PASSWORD = the password for the user account
#
# Remove the IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)
NODE=`echo ${1} | sed 's/::ffff://'`
if [[ $NODE =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    # node is v4: use the address as-is
    NODE=${NODE}
else
    # node is v6: bracket the address so the port can be appended
    NODE=[${NODE}]
fi
PORT=${2}
# One pid file per node and port, so concurrent monitors do not kill each other
PIDFILE="/var/run/`basename ${0}`.${NODE}_${PORT}.pid"
RECV='250'

# Kill off the last instance of this monitor if it hung, and record the current pid
if [ -f $PIDFILE ]
then
    echo "EAV exceeded runtime needed to kill ${NODE}:${PORT}" | logger -p local0.error
    kill -9 `cat $PIDFILE` > /dev/null 2>&1
fi
echo "$$" > $PIDFILE
# Open an SMTP session, authenticate with the USER/PASSWORD pair and look for a 250
# reply in curl's verbose trace
/usr/bin/curl-apd -k -v smtp://${NODE}:${PORT} -u ${USER}:${PASSWORD} 2>&1 | grep -q "^< ${RECV}"
STATUS=$?
rm -f $PIDFILE
# The monitor marks the node UP only by printing "UP"; any other output, or none, is DOWN
if [ $STATUS -eq 0 ]
then
    echo "UP"
fi
exit
10) Service check for SMTP with STARTTLS, submitting a message but no authentication
Use the following script if clients are connecting to the BIG-IP system with SMTP encrypted using the STARTTLS command. In this case,
the monitor does not account for authentication but submits a message as a part of the health check.
This monitor is also available from http://www.f5.com/pdf/deployment-guides/smtp-starttls-message-no-auth.zip.
You must make sure to enter the Name/Value pairs as described in the configuration tables.
To import the file, go to System > File Management > External Monitor Program File List and then click Import. On the Import File
page, choose the monitor script file, and give the file a unique name. You choose this name when configuring the monitor. Click Import.
Monitor code
#!/bin/bash
# These arguments are supplied automatically for all external monitors:
#   $1 = IP (nnn.nnn.nnn.nnn notation)
#   $2 = port (decimal, host byte order)
#
# This script expects the following Name/Value pairs:
#   FROM = sender's email address
#   RCPT = recipient mailbox address
#
# Remove the IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)
NODE=`echo ${1} | sed 's/::ffff://'`
if [[ $NODE =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    # node is v4: use the address as-is
    NODE=${NODE}
else
    # node is v6: bracket the address so the port can be appended
    NODE=[${NODE}]
fi
PORT=${2}
# One pid file per node and port, so concurrent monitors do not kill each other
PIDFILE="/var/run/`basename ${0}`.${NODE}_${PORT}.pid"
RECV='250'
# SMTP dialogue sent after STARTTLS has completed (openssl performs the initial EHLO
# and STARTTLS itself); the "\n" sequences are expanded by echo -e below
SMTPCMDS="EHLO localhost\n\
MAIL FROM: ${FROM}\n\
RCPT TO: ${RCPT}\n\
DATA\n\
Subject: F5 BIG-IP monitor\n\
\n\
This email was generated by a BIG-IP monitor.\n\
.\n\
quit\n"

# Kill off the last instance of this monitor if it hung, and record the current pid
if [ -f $PIDFILE ]
then
    echo "EAV exceeded runtime needed to kill ${NODE}:${PORT}" | logger -p local0.error
    kill -9 `cat $PIDFILE` > /dev/null 2>&1
fi
echo "$$" > $PIDFILE
# Upgrade the session with STARTTLS, feed the dialogue above (-crlf converts line ends
# to CRLF) and look for a 250 reply in the server output
echo -e "${SMTPCMDS}" | openssl s_client -starttls smtp -crlf -quiet -connect ${NODE}:${PORT} 2>&1 | grep -q "^${RECV}"
STATUS=$?
rm -f $PIDFILE
# The monitor marks the node UP only by printing "UP"; any other output, or none, is DOWN
if [ $STATUS -eq 0 ]
then
    echo "UP"
fi
exit
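Every monitor above decides UP by grepping the whole curl or openssl output for "250". That string also appears in the 250- continuation lines of an EHLO banner, and in a node address such as 10.2.250.11 on curl's "Connected to" line, so a server that greets the monitor and then defers or rejects the test message, or turns the connection away with 421, can still be marked UP. The script below is an added example, not code from the F5 guide: it walks the transcript reply by reply, fails on any 4xx/5xx reply, and, when asked, requires the 250 that follows the 354 DATA prompt, which is the reply that actually means "queued". The three transcripts are constructed for the example, as are the host names and addresses in them.

```shell
#!/bin/sh
# Added example (not part of the F5 guide): judge an SMTP health-check session
# from its transcript, reply by reply, instead of grepping for "250" anywhere.
# It accepts the merged stdout/stderr of `curl -v smtp://...` (server replies
# carry a "< " prefix) or raw `openssl s_client` output (no prefix).

# smtp_session_ok TRANSCRIPT [REQUIRE_QUEUED]
# Prints "UP" and returns 0 only if
#   - no server reply was a 4xx (temporary) or 5xx (permanent) failure,
#   - at least one final "250 " reply was seen, and
#   - with REQUIRE_QUEUED=1, a "250 " reply followed the "354" DATA prompt,
#     i.e. the server really accepted and queued the test message.
smtp_session_ok() {
    printf '%s\n' "$1" | {
        require_queued=${2:-0}
        saw_250=0; in_data=0; queued=0
        while IFS= read -r line; do
            line=${line#"< "}                  # drop curl's received-line marker
            case "$line" in
                [45][0-9][0-9]' '*|[45][0-9][0-9]-*)
                    return 1 ;;                # any 4xx/5xx reply: not healthy
                [0-9][0-9][0-9]-*)
                    continue ;;                # "250-..." continuation of an EHLO reply
                354' '*)
                    in_data=1 ;;               # server now waits for the message body
                250' '*)
                    saw_250=1
                    [ "$in_data" -eq 1 ] && queued=1   # 250 right after DATA: queued
                    in_data=0 ;;
                [0-9][0-9][0-9]' '*)
                    in_data=0 ;;               # 220 greeting, 221 Bye, and so on
            esac
        done
        [ "$saw_250" -eq 1 ] || return 1
        if [ "$require_queued" -eq 1 ] && [ "$queued" -ne 1 ]; then
            return 1
        fi
        echo "UP"
    }
}

# The check the monitors above perform, for comparison: "250" anywhere at all.
naive_grep_ok() {
    printf '%s\n' "$1" | grep -q "250" && echo "UP"
}

# Constructed transcripts (not captured from a real server).
# 1) Healthy submission as curl -v shows it; the node address happens to contain "250".
HEALTHY='* Connected to 10.2.250.11 (10.2.250.11) port 25 (#0)
< 220 mx1.example.internal ESMTP
> EHLO monitor
< 250-mx1.example.internal
< 250-SIZE 10240000
< 250 DSN
> MAIL FROM:<monitor@example.internal>
< 250 2.1.0 Ok
> RCPT TO:<probe@example.internal>
< 250 2.1.5 Ok
> DATA
< 354 End data with <CR><LF>.<CR><LF>
< 250 2.0.0 Ok: queued as 3F2A1
> QUIT
< 221 2.0.0 Bye'
# 2) EHLO succeeds but the recipient is deferred: nothing was queued.
DEFERRED='* Connected to 10.2.250.12 (10.2.250.12) port 25 (#0)
< 220 mx2.example.internal ESMTP
> EHLO monitor
< 250-mx2.example.internal
< 250 DSN
> MAIL FROM:<monitor@example.internal>
< 250 2.1.0 Ok
> RCPT TO:<probe@example.internal>
< 450 4.7.1 Recipient address rejected: greylisted
> QUIT
< 221 2.0.0 Bye'
# 3) The server turns the connection away; only the address line contains "250".
OVERLOADED='* Connected to 10.2.250.13 (10.2.250.13) port 25 (#0)
< 421 4.3.2 Too many connections, try again later'

show() {   # show NAME TRANSCRIPT: print both verdicts side by side
    printf '%-11s naive grep: %-4s strict: %s\n' "$1" \
        "$(naive_grep_ok "$2" || echo DOWN)" "$(smtp_session_ok "$2" 1 || echo DOWN)"
}
show HEALTHY "$HEALTHY"       # naive grep: UP   strict: UP
show DEFERRED "$DEFERRED"     # naive grep: UP   strict: DOWN
show OVERLOADED "$OVERLOADED" # naive grep: UP   strict: DOWN
```

To use the stricter check in one of the monitors above, capture the curl or openssl output into a variable (or a temporary file) instead of piping it to grep, then replace the grep with a call to smtp_session_ok, passing 1 as the second argument for the message-submitting monitors and omitting it for the EHLO-only and authentication-only ones. The pid-file handling and the UP/exit convention stay as they are.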
F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 www.f5.com
©2014 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, and IT agility. Your way., are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified
at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. 0412