On 07.07.2015 23:36, 3YSTech Services wrote:
> Hi,
>
> I have a question about the best way to set up multiple Exim servers behind an F5.
[...]
> - Have a valid cert installed on each server and defined in
>   tls_certificate, tls_privatekey
>
> - When I test I use the command below:
>>> mailx -s "Test mail" -S "smtp=exim1.domain.com" -S smtp-use-starttls -S
> nss-config-dir="/etc/pki/nssdb/" [email protected] < /root/eximtest
>
> - I created F5 VIP eximvip.domain.com that round-robins to the 4 Exim
>   servers behind it, and installed a cert for eximvip.domain.com on the F5.
>
> q1: What is the best way to have this setup working (F5 VIP on the front end
> with 4 Exim servers behind)? My mailx command connects to eximvip.domain.com
> but gets back any one of the 4 Exim servers (exim1, exim2, exim3, exim4). It errors
> out because of the cert mismatch between what mailx tries to connect to
> ("eximvip") and what it gets back (exim1, exim2, exim3, exim4).

You got two options and somehow mixed them. ;-)
You can have the F5 distribute the traffic like you do, but then all the
backend servers have to provide the certificate for eximvip.domain.com
instead of server-specific certificates. Advantage: you avoid load on the
F5, which could turn out to be a bottleneck for two reasons:
TLS encryption/decryption and more traffic passing through the F5.

Second option: the F5 gets a certificate and the Exims get server-specific
certificates. The F5 has to be configured as a MITM, accepting the TLS
traffic for eximvip.domain.com, decrypting it and passing it on to a
backend connection to one of your Exims. All answers of your Exims have to
pass back through the F5 again.

> q2: I am not clear on which ports are being used with client TLS. Is it 25
> or 587 or 465?

I guess you are talking about Submission? Then you need 587 with TLS and
I'd suggest to add 465 with SSL.

> q3: Is STARTTLS on the client the recommended way from the client side, or is there
> a better way to secure communication between mail relay clients and Exim
> servers?

There is no better way.

> Your feedback is highly appreciated.
>
> Tom
>
> Command used with F5 VIP
>>> mailx -s "Test mail" -S "smtp=eximvip.domain.com" -S smtp-use-starttls -S
> nss-config-dir="/etc/pki/nssdb/" [email protected] < /root/eximtest
>
> snippet from error
>
> 250-exim2.domain.com Hello qa.domain.com [10.20.30.40]
> 250-SIZE 52428800
> 250-8BITMIME
> 250-PIPELINING
> 250-STARTTLS
> 250 HELP
>>>> STARTTLS
> 220 TLS go ahead
> Comparing DNS name: "eximvip.domain.com"
> Continue (y/n)? "/root/dead.letter" 11/375
> . . . message not sent

--
Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)

Patrick von der Hagen

Zirkel 2, Building 20.21, Room 004.2
76131 Karlsruhe
Phone: +49 721 608-46433
E-Mail: [email protected]
Web: http://www.scc.kit.edu

KIT - University of the State of Baden-Württemberg and
National Research Center of the Helmholtz Association
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
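The mismatch in the thread (client connects to eximvip.domain.com, the backend that answers presents a certificate for exim2.domain.com) comes down to how a TLS client matches the name it dialed against the names in the server certificate. The script below is an added example written for this page; it is not code from the list post, from Exim or from F5. It reimplements that RFC 6125 name matching over constructed certificate data in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns (the certificate contents are assumed, only the host names are taken from the post), so the per-server certificate can be shown failing against the VIP name and a shared certificate carrying the VIP name passing, which is option 1 of the reply. It also includes a live STARTTLS checker built on `smtplib` with a verifying `SSLContext`, which reports which backend answered from the EHLO banner and turns a name mismatch into an exception rather than mailx's interactive prompt.

```python
"""Added example, not from the list post or from Exim: reproduce and check the
certificate/name mismatch that mailx reports behind the F5 VIP.

match_hostname() does RFC 6125-style matching of a host name against the
subjectAltName / commonName entries of a certificate in the dict shape that
ssl.SSLSocket.getpeercert() returns, so the failure mode (client connects to
eximvip.domain.com, backend presents exim2.domain.com) can be shown offline on
constructed certificate data.  check_starttls() is the live version: EHLO,
STARTTLS with a verifying SSLContext, and it reports which backend answered.
"""
import smtplib
import ssl


def _match_dns_name(pattern, hostname):
    """One DNS-ID match: exact, or a single leftmost wildcard label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    # "*.domain.com" covers "exim1.domain.com" only: exactly one label is
    # replaced, and the host must have at least three labels so "*.com"
    # can never cover "domain.com".
    labels = hostname.split(".")
    return len(labels) >= 3 and labels[0] != "" and ".".join(labels[1:]) == pattern[2:]


def match_hostname(cert, hostname):
    """Return True if `cert` (getpeercert()-shaped dict) is valid for hostname.

    Only DNS subjectAltName entries are consulted when any are present; the
    commonName fallback is kept for old certificates, but modern clients
    reject a name that is not in the SAN.
    """
    dns_ids = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_ids:
        return any(_match_dns_name(p, hostname) for p in dns_ids)
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return _match_dns_name(value, hostname)
    return False


# Constructed certificate data (assumption: shaped like getpeercert() output,
# not real certificates).  The host names are the ones from the post.
VIP_NAME = "eximvip.domain.com"
BACKENDS = ["exim1.domain.com", "exim2.domain.com", "exim3.domain.com", "exim4.domain.com"]

# What each backend presents in the post: its own server-specific certificate.
PER_SERVER_CERT = {
    "subject": ((("commonName", "exim2.domain.com"),),),
    "subjectAltName": (("DNS", "exim2.domain.com"),),
}

# Option 1 from the reply: one certificate carrying the VIP name (here with
# the backend names as extra SANs so direct-to-backend tests also work).
SHARED_VIP_CERT = {
    "subject": ((("commonName", VIP_NAME),),),
    "subjectAltName": tuple(("DNS", n) for n in [VIP_NAME] + BACKENDS),
}


def cert_works_behind_vip(cert, vip_name=VIP_NAME):
    """True if a backend presenting `cert` satisfies a client that connected
    to the VIP name (option 1: TLS passes through the F5 untouched)."""
    return match_hostname(cert, vip_name)


def check_starttls(host, port=587, timeout=10):
    """Live check (needs network): EHLO, then STARTTLS with chain + hostname
    verification against `host`.  Returns (ehlo_host, san_dns_names).
    A mismatch raises ssl.SSLCertVerificationError instead of mailx's
    interactive 'Continue (y/n)?' prompt."""
    ctx = ssl.create_default_context()          # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _code, ehlo_reply = smtp.ehlo()
        # First EHLO line names the real backend, e.g. "exim2.domain.com Hello ..."
        ehlo_host = ehlo_reply.decode("ascii", "replace").splitlines()[0].split()[0]
        smtp.starttls(context=ctx)              # smtplib passes server_hostname=host
        peer = smtp.sock.getpeercert()
        sans = [v for k, v in peer.get("subjectAltName", ()) if k == "DNS"]
        return ehlo_host, sans


if __name__ == "__main__":
    print("per-server cert OK behind VIP?", cert_works_behind_vip(PER_SERVER_CERT))   # False
    print("shared VIP cert OK behind VIP?", cert_works_behind_vip(SHARED_VIP_CERT))   # True
```

Run the offline part as-is; to exercise the live part against a real relay, call `check_starttls("eximvip.domain.com")` repeatedly and compare the returned EHLO host with the SAN list: with option 1 every backend must return the VIP name in its SANs, with option 2 (F5 terminating TLS) the SANs come from the F5's certificate regardless of which backend the EHLO banner names.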
