Re: [exim] F5 with multiple EXIM servers

Etusivu
Poista viesti
Vastaa
Lähettäjä: Patrick von der Hagen
Päiväys:  
Vastaanottaja: exim-users
Aihe: Re: [exim] F5 with multiple EXIM servers
On 07.07.2015 23:36, 3YSTech Services wrote:
> Hi ,
>
> I have question about best way to set multiple EXIm servers behind F5.

[...]
> - Have valid cert installed on each server on each server and defined in
> tls_certificate , tls_privateke
>
> - When I test I use command below:
>>> mailx -s "Test mail" -S "smtp=exim1.domain.com" -S smtp-use-starttls -S
> nss-config-dir="/etc/pki/nssdb/" testuser@??? < /root/eximtest
>
> - I created F5 VIP eximvip.domain.com that round robin to the 4 EXIM
> servers behind , installed cert for eximvip.domain.com on f5.
>
> q1: What is the best way to have this setup working ( F5 VIP on front end
> with 4 exim server behind). My mailx command connects to eximvip.domain.com
> but gets
>
> back any on of the 4 exim servers ( exim1, exim2,exim3,exim4). It errors
> out because of cert mismatch between what mailx tries to connect to
> "exmivip" against
>
> what it gets back ( exim1, exim2,exim3,exim4).

you got two options and somehow mixed them. ;-)

You can have the F5 distribute the traffic like you do, but then all the
backend-servers have to provide the certificate for eximvip.domain.com
instead of server-specific certificates. Advantage: you avoid load on
the F5, which could turn out to be a bottleneck for two reasons:
TLS-encryption/decryption and more traffic passing through the F5.

Second option: F5 gets a certificate and the exims get server-specific
certificates. F5 has to be configured as MITM, accepting the TLS-traffic
with exmivip.domain.con, decrypting it and passing it on to a
backend-connection to one of your exims. All answers of your exims have
to pass back through the F5 again.


>
> q2: I am not clear on which ports are being used with client TLS. Is it 25
> or 587 or 465.

I guess you are talking about Submission? Then you need 587 with TLS and
I'd suggest do add 465 with SSL.


>
> q3: Is starttls on client the recommended way from client side or there is
> better way to secure communication between mail relay clients and EXIM
> servers.

There is no better way.


>
> Your feedback is highly appreciated.
>
> Tom
>
> Command used with F5 VIP
>
>>> mailx -s "Test mail" -S "smtp=eximvip.domain.com" -S smtp-use-starttls -S
> nss-config-dir="/etc/pki/nssdb/" testuser@??? < /root/eximtest
>
> snippet from error
>
> 250-exim2.domain.com Hello qa.domain.com [10.20.30.40]
> 250-SIZE 52428800
> 250-8BITMIME
> 250-PIPELINING
> 250-STARTTLS
> 250 HELP
>>>> STARTTLS
> 220 TLS go ahead
> Comparing DNS name: "eximvip.domain.com"
> Continue (y/n)? "/root/dead.letter" 11/375
> . . . message not sent
>


--
Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)

Patrick von der Hagen

Zirkel 2, Gebäude 20.21, Raum 004.2
76131 Karlsruhe
Telefon: +49 721 608-46433
E-Mail: hagen@???
Web: http://www.scc.kit.edu

KIT - Universität des Landes Baden-Württemberg und
nationales Forschungszentrum in der Helmholtz-Gemeinschaft