[exim] F5 with multiple EXIM servers

Author: 3YSTech Services
Date:  
To: Exim-users
Subject: [exim] F5 with multiple EXIM servers
Hi,

I have a question about the best way to set up multiple EXIM servers behind F5.

*EXIM Setup:*


- 4 EXIM 4.80.1 servers.

- All mail relay clients are Red Hat Linux; I use the mailx command for testing
relay from clients specified in "hostlist" in exim.conf

- Have a valid cert installed on each server and defined in
tls_certificate , tls_privateke

- When I test, I use the command below:
>>mailx -s "Test mail" -S "smtp=exim1.domain.com" -S smtp-use-starttls -S nss-config-dir="/etc/pki/nssdb/" testuser@??? < /root/eximtest

- I created F5 VIP eximvip.domain.com that round robins to the 4 EXIM
servers behind it, and installed a cert for eximvip.domain.com on the F5.

q1: What is the best way to have this setup working (F5 VIP on the front end
with 4 exim servers behind)? My mailx command connects to eximvip.domain.com
but gets back any one of the 4 exim servers (exim1, exim2, exim3, exim4). It
errors out because of a cert mismatch between what mailx tries to connect to
("eximvip") and what it gets back (exim1, exim2, exim3, exim4).

q2: I am not clear on which ports are being used with client TLS. Is it 25
or 587 or 465?

q3: Is starttls on the client the recommended way from the client side, or is
there a better way to secure communication between mail relay clients and EXIM
servers?

Your feedback is highly appreciated.

Tom

Command used with F5 VIP

>>mailx -s "Test mail" -S "smtp=eximvip.domain.com" -S smtp-use-starttls -S nss-config-dir="/etc/pki/nssdb/" testuser@??? < /root/eximtest

snippet from error

250-exim2.domain.com Hello qa.domain.com [10.20.30.40]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
>>> STARTTLS

220 TLS go ahead
Comparing DNS name: "eximvip.domain.com"
Continue (y/n)? "/root/dead.letter" 11/375
. . . message not sent
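
Added example (not part of the original post): the session above shows exim2 answering the connection made to eximvip.domain.com, so the client compares the name it dialled against a backend's certificate. The Python below reproduces that name check offline; the certificate name lists are constructed assumptions, including the two alternatives (VIP name as an extra SAN, one-label wildcard), and the matching rule follows RFC 6125 rather than mailx's own code.

```python
# Added example: all names and SAN lists below are constructed for illustration,
# not read from real certificates.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, '*' only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard (rejects "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def backends_failing(connect_name: str, backend_sans: dict) -> list:
    """Return the backends whose certificate names do not cover the dialled name."""
    return sorted(
        backend for backend, sans in backend_sans.items()
        if not any(dns_name_matches(s, connect_name) for s in sans)
    )


VIP = "eximvip.domain.com"

# Constructed: each server's certificate names only itself (the situation in the post).
PER_HOST = {f"exim{i}.domain.com": [f"exim{i}.domain.com"] for i in range(1, 5)}

# Constructed alternatives: VIP name added as a SAN, or a one-label wildcard.
WITH_VIP_SAN = {b: sans + [VIP] for b, sans in PER_HOST.items()}
WILDCARD = {b: ["*.domain.com"] for b in PER_HOST}

if __name__ == "__main__":
    scenarios = [("per-host", PER_HOST), ("vip-san", WITH_VIP_SAN), ("wildcard", WILDCARD)]
    for label, certs in scenarios:
        failing = backends_failing(VIP, certs)
        print(f"{label:9s} {len(failing)} of {len(certs)} backends fail the check for {VIP}")
        for backend in failing:
            print(f"          mismatch: {backend}")
```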