SMTP Virtual Service Best Practices

When load balancing SMTP traffic, LoadMaster administrators have several configuration options to choose between. While most services use plain-text SMTP on port 25, some deployments require balancing encrypted SMTP using either SSL or TLS. In addition to these options, you may choose to enable Transparency, so that the SMTP server sees the actual client's IP address instead of a source address NATed (Network Address Translated) to the LoadMaster Ethernet interface or Virtual IP address.

Many LoadMaster administrators need to see the client's IP address at the actual SMTP server. This allows the server's existing receive connector settings to be applied. To accomplish this, the LoadMaster's SMTP service must be configured transparently. Enabling Layer 7 or Layer 4 Transparency is a straightforward configuration change to the Virtual Service.

Transparency has a few caveats and is applicable only in certain situations:
1) The server must be local to one of the subnets that the LoadMaster has been deployed within. Transparency will not work with non-local servers.
2) Clients must not be on the same subnet as your server. There are two exceptions to this rule:
      2a) With a transparent Layer 7 service, the connection will work but transparency will not be applied.
      2b) With a transparent Layer 4 service, the connection will not work unless you are leveraging Direct Server Return (DSR).
3) With Layer 4 or Layer 7 transparency, you will be required to change your servers' default gateway to use the LoadMaster. The exception to this is Layer 4 transparency with DSR.
4) For Direct Server Return to work properly, the Virtual Service must be one-armed, i.e. the Virtual Service address and the Real Server IP addresses reside within the same subnet. You will also need to configure a loopback adapter on each Real Server, which helps ensure that the client sees the response as coming from the LoadMaster.
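The caveats above form a small decision procedure, so an added example (not KEMP's own code or tooling) encodes them as a pre-check you can run against a planned design before touching the Virtual Service. All subnets, addresses and the mode/DSR flags are constructed inputs; the loopback adapter requirement of caveat 4 cannot be checked from addresses alone and is only noted in a comment.

```python
"""Pre-check a planned transparent SMTP Virtual Service against the
Transparency caveats. Added example; the network values in the sample
run at the bottom are constructed, not from any real deployment."""
import ipaddress
from typing import List, Optional

# Possible outcomes, one per caveat that can be evaluated from addresses.
TRANSPARENT = "TRANSPARENT"            # connection works, server sees client IP
NOT_LOCAL = "NOT_LOCAL"                # caveat 1: Real Server not on a LoadMaster subnet
NOT_TRANSPARENT = "NOT_TRANSPARENT"    # caveat 2a: works, client IP not preserved
NO_CONNECTION = "NO_CONNECTION"        # caveat 2b: L4, client on server subnet, no DSR
GATEWAY_REQUIRED = "GATEWAY_REQUIRED"  # caveat 3: server default gateway must be the LoadMaster
DSR_NOT_ONE_ARMED = "DSR_NOT_ONE_ARMED"  # caveat 4: DSR needs VS and RS on the same subnet


def transparency_outcome(lm_subnets: List[str], vs_ip: str, server_ip: str,
                         client_ip: str, layer: int, dsr: bool = False,
                         server_gateway: Optional[str] = None,
                         lm_ip: Optional[str] = None) -> str:
    if layer not in (4, 7):
        raise ValueError("layer must be 4 or 7")
    nets = [ipaddress.ip_network(n, strict=False) for n in lm_subnets]
    vs, server, client = (ipaddress.ip_address(a) for a in (vs_ip, server_ip, client_ip))

    # Caveat 1: the Real Server must sit on a subnet the LoadMaster is attached to.
    server_net = next((n for n in nets if server in n), None)
    if server_net is None:
        return NOT_LOCAL
    # Caveat 4: DSR requires a one-armed service. (Each Real Server also needs a
    # loopback adapter holding the VS address; that cannot be checked here.)
    if dsr and vs not in server_net:
        return DSR_NOT_ONE_ARMED
    # Caveat 2: a client on the server's own subnet is the special case.
    if client in server_net:
        if layer == 7:
            return NOT_TRANSPARENT
        return TRANSPARENT if dsr else NO_CONNECTION
    # Caveat 3: unless using L4 with DSR, return traffic must route via the LoadMaster.
    if not (layer == 4 and dsr) and (server_gateway is None or server_gateway != lm_ip):
        return GATEWAY_REQUIRED
    return TRANSPARENT


if __name__ == "__main__":
    # Constructed two-armed layout: VS on 10.0.1.0/24, Real Server on 10.0.2.0/24,
    # LoadMaster's interface on the server subnet is 10.0.2.1.
    lm = ["10.0.1.0/24", "10.0.2.0/24"]
    print(transparency_outcome(lm, "10.0.1.10", "10.0.2.25", "198.51.100.7",
                               layer=7, server_gateway="10.0.2.1", lm_ip="10.0.2.1"))
    print(transparency_outcome(lm, "10.0.1.10", "10.0.2.25", "198.51.100.7",
                               layer=7, server_gateway="10.0.2.254", lm_ip="10.0.2.1"))
```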

Additional information about Transparency can be found in the Transparency Feature Description.

If all of the domain's incoming mail is routed through a spam filter, you may want to configure the SMTP service's Access Control List (ACL) (System Config > Access Control > Packet Filter). Within the service's ACL, IP addresses or entire subnets can be added to either the whitelist or the blacklist. By adding the spam filter's IP address to the SMTP Virtual Service's ACL, you ensure that only the spam filter is able to receive a response from that Virtual Service.

Security-conscious LoadMaster administrators may also elect to support encrypted SMTP traffic. The LoadMaster supports both SMTP with SSL and SMTP with TLS. You can choose to offload the encryption on the LoadMaster and contact the server over plain-text SMTP on port 25, or continue to contact the server using SSL or TLS. If you configure the service in one of the offloaded varieties, ensure that you import a proper SSL certificate to the LoadMaster (Certificates > SSL Certificates). Where SMTP with TLS is required on both the front end and the back end, require TLS on the server and leave the TLS configuration on the LoadMaster unset.

KEMP has created some templates with pre-configured settings for SMTP. The full list of templates is available on the KEMP Documentation page.
