The LoadMaster can be used to load balance SMTP, SMTPS and SMTP-STARTTLS.
Some of the common issues are described below.
SMTPS and SMTP-STARTTLS
The LoadMaster can be used to SSL-offload SMTPS and SMTP-STARTTLS to SMTP, but it cannot re-encrypt SMTP-STARTTLS.
If you want to load balance SMTP-STARTTLS, the service type must be set to Generic or you must change the Real Server to accept SMTP.
Figure 1: Straight through Virtual Service for SMTPS-STARTTLS
Figure 2: Virtual Service for SMTPS-STARTTLS offloaded to SMTP
Figure 3: Option for STARTTLS on Exchange server
From the Real Server's point of view, the LoadMaster must be allowed to connect to the receive connector.
Figure 4: Receive connector on Exchange 2016
Figure 5: Allowed IP addresses on receive connector - Exchange 2016
In this scenario, the address that must be added to the receive connector is dependent on the LoadMaster options.
Figure 6: Virtual Service routing options
If you have Transparency enabled, the address to add is the IP address of the client.
If you have Subnet Originating Requests enabled, the address to add is the IP address of the LoadMaster interface (for a High Availability (HA) pair, this is the shared IP).
If you have both Transparency and Subnet Originating Requests disabled, the address to add is the IP address of the Virtual Service.
If you want the Exchange server to allow or deny client access to the receive connector based on the IP address, enable transparency on the LoadMaster.
For more details, refer to the Transparency Feature Description.
If you cannot use transparency, the alternative is to use Access Control Lists (ACLs) on the LoadMaster to allow or deny client access to the receive connector.
For more details, refer to this article: Creating an Access Control List (ACL).
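The source-address rules above can be checked before touching the receive connector. The following is an added example, not code from the original article or from the vendor: it works out which address the Real Server sees for each option and tests it against a connector's allowed-address list. The function names, the sample addresses and the three list-entry forms handled (single address, start-end range, CIDR) are assumptions made for the illustration.

```python
import ipaddress

def source_seen_by_real_server(client_ip, vs_ip, lm_interface_ip,
                               transparency, subnet_originating):
    """Source address the Real Server sees, per the three cases in the text."""
    if transparency and subnet_originating:
        # The text does not describe this combination, so do not guess.
        raise ValueError("both options enabled: not covered by the text")
    if transparency:
        return ipaddress.ip_address(client_ip)
    if subnet_originating:
        # For an HA pair, pass the shared IP of the interface here.
        return ipaddress.ip_address(lm_interface_ip)
    return ipaddress.ip_address(vs_ip)

def in_allowed_ranges(addr, ranges):
    """Match addr against entries written as one IP, 'start-end' or CIDR."""
    for entry in ranges:
        if "-" in entry:
            start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if start.version == addr.version == end.version and start <= addr <= end:
                return True
        elif addr in ipaddress.ip_network(entry.strip(), strict=False):
            return True
    return False

def check_connector(client_ip, vs_ip, lm_interface_ip,
                    transparency, subnet_originating, allowed):
    """Report the address the connector will see and whether its list accepts it."""
    src = source_seen_by_real_server(client_ip, vs_ip, lm_interface_ip,
                                     transparency, subnet_originating)
    return {
        "source": str(src),
        "accepted": in_allowed_ranges(src, allowed),
        # Only with Transparency does the connector see distinct client IPs;
        # otherwise client allow/deny has to be done with LoadMaster ACLs.
        "per_client_filtering": transparency,
    }

# Constructed sample values (documentation/private ranges), not from the page.
ALLOWED = ["10.0.0.10", "10.0.0.100-10.0.0.110", "192.0.2.0/24"]
if __name__ == "__main__":
    for t, s in [(True, False), (False, True), (False, False)]:
        print(t, s, check_connector("203.0.113.25", "10.0.0.100", "10.0.0.10", t, s, ALLOWED))
```

With the sample list, the Transparency case is rejected because the client address is not on the connector, while the other two cases are accepted but show the same source address for every client.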