Alright.. thank you for explaining my questions (always handy to learn new
things).
Then for most loadbalancing techniques that I can think of (at least in our
case) should be using NAT or our security protocols will start banning the
loadbalancers due to the IP issue.
Putting it on our gateway (firewall) I guess would not be that much of an issue
(we use CentOS as a base) however as long as it's using sNAT it won't change
anything from what I understand so far (right?).
My question is mostly curiosity - as I'm always eager to learn new things...
I do like zenLoadbalancer as a product (and understand it's still under heavy
development) ^^
Which is why I ask those questions and of course trying to figure out a
solution - without dropping zenloadbalancer (dropping products is easy.. but
figuring out a way to get it to work properly.. is way more fun )
However it does seem that at the moment zenLoadbalancer cannot be used in our
environment (we require NAT - as far as I understand the protocols - for all
our services due to our security protocols).
So hopefully this will be developed soon (same as the port range question
earlier :-) )
Regards,
Marco
From: Emilio Campos [mailto:[email protected]]
Sent: Wednesday, 7 December 2011 17:02
To: [email protected]
Subject: Re: [Zenloadbalancer-support] SMTP Picks up on zenLoadbalancer IP
Read my lines below.
Tell us if we can help you.
Regards
2011/12/7 Marco Tiggelaar - Key4ce <[email protected]>
Alright.. but doesn't this mean zenloadbalancer can not be used on any SMTP
server with anti-spam? (any kind of anti-spam).
Of course it can be used, but you could lose functionality in some scenarios,
this case for example.
As all anti-spams lookup the external send server, spf record.. etc.. (and on
mailbombs, reported servers etc - block the ip for a period of time).
I'm not sure what exactly is the difference between NAT and sNAT (as all
servers are already behind a NAT firewall - this doesn't bother antispam.)
NAT Network Address Translation - Standard load balancing technique that
changes the destination of packets to and from the VIP (external subnet to
internal cluster subnet)
SNAT Source Network Address Translation - Load balancer acts as a proxy for all
incoming & outgoing traffic.
Maybe some pictures can help us to understand the difference:
NAT:
http://uk.loadbalancer.org/images/nat.jpg
SNAT:
http://uk.loadbalancer.org/images/snat.jpg
*Check the gw configured in both pictures: with the NAT method the backend
knows the real client IP, but not with SNAT, where it knows the load balancer IP.
At this moment, to solve your problem you have different ways: either configure
DNS (the method used in these cases) or the load balancing can be executed on your
gateway (not yet implemented in Zen).
The MX "failover" is unfortunately far from bulletproof.. as DNS really does
not do failover.. it basically attempts the first record it finds - some SMTP
servers will find the secondary MX.
The real problem is that this method has a lot of glitches (as we experienced a
lot of issues with customers, and our own mail servers even if secondary MX is
set and mailserver functioning --> mail still fails to arrive on some errors..
where loadbalancer would be ideal as you can make it check for function).
I also see other issues with this kind of load balancing.. for example
fail2ban.. and other security protocols that have no effect if they pick the
loadbalancer ip.
(which are required these days - so many bruteforce hacking attempts even on
VOIP servers.)
And yes, this method is not 100% useful; for this reason we are working on
new developments and improvements.
Regards,
Marco
From: Emilio Campos [mailto:[email protected]]
Sent: Wednesday, 7 December 2011 15:10
To: [email protected]
Subject: Re: [Zenloadbalancer-support] SMTP Picks up on zenLoadbalancer IP
Hi Marco, Zen works with the sNAT method. If you need a transparent load
balancer, the loadbalancer needs to be the gw of your mail gateways, and at the
moment this isn't implemented. If it's a problem for INPUT mails, in this case I
recommend you use DNS load balancing with priorities; this is the method used
in these cases, something like this:
#host -t mx mydomain.com
mydomain.com mail is handled by 10 mx2.mydomain.com. (your mail gateway)
mydomain.com mail is handled by 10 mx.mydomain.com. (your other mail gateway)
In this case, configure the HA that your mail gateway offers.
Regards
2011/12/7 Marco Tiggelaar - Key4ce <[email protected]>
Hello,
I came across another small issue.. but in this case quite important:
When I use loadbalancer to balance our SMTP the anti-spam actually thinks the
loadbalancer sent the email.
Here's the mail headers WITH Loadbalancer:
Received: from col0-omc3-s2.col0.hotmail.com (192.168.0.34) by
 MAIL2.mail4ce.com (192.168.0.35) with Microsoft SMTP Server id 14.1.355.2;
 Tue, 6 Dec 2011 18:42:00 +0100
Received: from col0-omc3-s2.col0.hotmail.com ([192.168.0.81]
 helo=col0-omc3-s2.col0.hotmail.com) by spam.mail4ce.com with ESMTP (2.1.2);
 6 Dec 2011 17:42:06 +0000
Received: from COL116-W27 ([65.55.34.135]) by col0-omc3-s2.col0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.4675); Tue, 6 Dec 2011 09:42:04 -0800
X-Assp-Message/IP-Score: 10 (PTR missing)
X-Assp-ID: spam.mail4ce.com m1-93326-06050
X-Assp-Detected-RIP: 88.159.83.162, 65.55.34.135
X-Assp-Source-IP: 88.159.83.162
Mail headers WITHOUT loadbalancer:
Received: from col0-omc3-s6.col0.hotmail.com (192.168.0.34) by
 MAIL2.mail4ce.com (192.168.0.35) with Microsoft SMTP Server id 14.1.355.2;
 Wed, 7 Dec 2011 06:54:14 +0100
Received: from col0-omc3-s6.col0.hotmail.com ([65.55.34.144]
 helo=col0-omc3-s6.col0.hotmail.com) by spam.mail4ce.com with ESMTP (2.1.2);
 7 Dec 2011 05:54:20 +0000
Received: from COL116-W16 ([65.55.34.136]) by col0-omc3-s6.col0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.4675); Tue, 6 Dec 2011 21:54:19 -0800
X-Assp-Message/IP-Score: -10 (SPF pass)
X-Assp-ID: spam.mail4ce.com m1-37260-12158
X-Assp-Detected-RIP: 113.90.23.123, 65.55.34.136
X-Assp-Source-IP: 113.90.23.123
Explanation of IPs:
192.168.0.34 = Anti-spam Gateway (primary)
192.168.0.35 = Microsoft Exchange Cluster (with Windows NLB for CAS)
192.168.0.81 = zenLoadbalancer (local)
88.159.83.162 = zenloadbalancer (External)
Now as you can understand.. for an anti-spam gateway it's VITAL to receive the
real originating ip.
Is there a way to solve this with Loadbalancer?
Regards,
Marco
------------------------------------------------------------------------------
Cloud Services Checklist: Pricing and Packaging Optimization
This white paper is intended to serve as a reference, checklist and point of
discussion for anyone considering optimizing the pricing and packaging model
of a cloud services business. Read Now!
http://www.accelacomm.com/jaw/sfnl/114/51491232/
_______________________________________________
Zenloadbalancer-support mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/zenloadbalancer-support
--
Load balancer distribution - Open Source Project
http://www.zenloadbalancer.com
Distribution list (subscribe):
[email protected]
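Added example, not part of the original thread and not Zen Load Balancer or ASSP code: a check over the Received headers quoted above that reports whether the anti-spam gateway recorded the real sender or an address hidden by SNAT. The function names and the `LB_ADDRS` set are assumptions; the two samples are trimmed from the headers in the thread.

```python
import ipaddress
import re

# Assumption: balancer addresses copied from the IP list in the thread.
LB_ADDRS = {ipaddress.ip_address(a) for a in ("192.168.0.81", "88.159.83.162")}
GATEWAY = "spam.mail4ce.com"  # the anti-spam hop whose view of the peer matters

# "from <name> ([ip] helo=...) by <host>" or "from <name> (ip) by <host>"
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?[^)]*\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE)

def unfold(raw):
    """Join folded (indented) continuation lines into one logical header each."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        elif line.strip():
            lines.append(line.strip())
    return lines

def gateway_peer(raw, gateway=GATEWAY):
    """Return the peer IP that the gateway recorded for this message, or None."""
    for header in unfold(raw):
        if not header.lower().startswith("received:"):
            continue
        m = RECEIVED_RE.search(header)
        if m and m.group("by").lower() == gateway:
            return ipaddress.ip_address(m.group("ip"))
    return None

def classify(raw):
    """'masked' if the gateway saw the balancer or a private peer, else 'direct'."""
    peer = gateway_peer(raw)
    if peer is None:
        return "unknown"
    return "masked" if (peer in LB_ADDRS or peer.is_private) else "direct"

# Received headers trimmed from the two samples in the thread.
WITH_LB = """Received: from col0-omc3-s2.col0.hotmail.com ([192.168.0.81]
 helo=col0-omc3-s2.col0.hotmail.com) by spam.mail4ce.com with ESMTP (2.1.2);
 6 Dec 2011 17:42:06 +0000
"""
WITHOUT_LB = """Received: from col0-omc3-s6.col0.hotmail.com ([65.55.34.144]
 helo=col0-omc3-s6.col0.hotmail.com) by spam.mail4ce.com with ESMTP (2.1.2);
 7 Dec 2011 05:54:20 +0000
"""
```

`classify(WITH_LB)` returns `"masked"` and `classify(WITHOUT_LB)` returns `"direct"`; a "masked" result on inbound mail means IP-based checks (SPF, PTR, fail2ban-style bans) are being applied to the balancer rather than the sender.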