POP3/IMAP Start TLS

Problem this snippet solves:

Summary: These iRules allow either clear-text or TLS-encrypted communication, with the LTM initiating the encryption itself when it sees the appropriate command from the client: STARTTLS for IMAP, STLS for POP3. Until that command arrives, every other client command is refused and never reaches the server, and the LTM advertises the command by adding it to the server's capability response.

Code:

#imap#
# Requires a Client SSL profile on the virtual server; it starts disabled
# and is switched on only after the client's STARTTLS command.
when CLIENT_ACCEPTED {
    SSL::disable
}
when SERVER_CONNECTED {
    # Inspect server responses so STARTTLS can be added to CAPABILITY
    TCP::collect
}
when CLIENT_DATA {
    set lcpayload [string tolower [TCP::payload]]
    if { $lcpayload contains "starttls" } {
        # Answer STARTTLS on behalf of the server, drop the command so the
        # server never sees it, then switch the client side to TLS
        set tag [getfield [TCP::payload] " " 1]
        TCP::respond "$tag OK \"Begin TLS negotiation now\"\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        SSL::enable
    } else {
        # Any other command before STARTTLS is refused and not forwarded
        set id [getfield [TCP::payload] " " 1]
        TCP::respond "$id BAD \"Must issue a STARTTLS command first\"\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        TCP::collect
    }
}
when SERVER_DATA {
    set idx [string first "* CAPABILITY" [TCP::payload]]
    if { $idx >= 0 } {
        # Advertise STARTTLS right after the "* CAPABILITY" token (12 bytes),
        # wherever that token sits in the collected payload
        TCP::payload replace [expr {$idx + 12}] 0 " STARTTLS"
        TCP::release
        # From here on, inspect the client's next command
        clientside { TCP::collect }
    } else {
        TCP::release
        TCP::collect
    }
}

#pop3#
# Same approach for POP3: the client's STLS command (RFC 2595) switches the
# client side to TLS, and STLS is advertised by appending it to the CAPA reply.
when CLIENT_ACCEPTED {
    SSL::disable
}
when SERVER_CONNECTED {
    TCP::collect
}
when CLIENT_DATA {
    # POP3 commands are case-insensitive, so compare in lower case
    set lcpayload [string tolower [TCP::payload]]
    if { $lcpayload contains "stls" } {
        TCP::respond "+OK Begin TLS negotiation\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        SSL::enable
    } else {
        # Refuse any other command until STLS has been issued
        TCP::respond "-ERR Must issue STLS command first\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        TCP::collect
    }
}
when SERVER_DATA {
    set lcpayload [string tolower [TCP::payload]]
    if { $lcpayload contains "capability" } {
        # Assume the last 3 bytes are ".\r\n", the end of the multi-line CAPA
        # response, and insert STLS as its final capability line
        TCP::payload replace [expr {[TCP::payload length] - 3}] 0 "STLS\r\n"
        TCP::release
        clientside { TCP::collect }
    } else {
        TCP::release
        TCP::collect
    }
}
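As an added example, not part of the original snippet, here is a Python check a client can run against a virtual server carrying the IMAP iRule above. It confirms that STARTTLS appears in the CAPABILITY response, that a harmless clear-text command (NOOP) is refused with BAD, and that the TLS handshake after STARTTLS validates against the system's trust store. The host, port and tag strings are assumptions; the sample response at the bottom is constructed for offline use.

```python
import re
import socket
import ssl

def capabilities(response):
    """Return the capability names announced in an untagged '* CAPABILITY' line."""
    m = re.search(r"\* CAPABILITY ([^\r\n]*)", response, re.IGNORECASE)
    return set(m.group(1).upper().split()) if m else set()

def tagged_status(response, tag):
    """Return OK/NO/BAD from the tagged completion line for `tag`, or None."""
    m = re.search(rf"^{re.escape(tag)} (OK|NO|BAD)\b", response,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1).upper() if m else None

def command(sock, tag, line):
    """Send one tagged command and read until its tagged completion arrives."""
    sock.sendall(f"{tag} {line}\r\n".encode())
    buf = b""
    while tagged_status(buf.decode(errors="replace"), tag) is None:
        chunk = sock.recv(4096)
        if not chunk:          # peer closed the connection
            break
        buf += chunk
    return buf.decode(errors="replace")

def check_imap_starttls(host, port=143, timeout=10):
    """Exercise the STARTTLS gate end to end (assumed host); returns findings."""
    findings = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(4096)                                   # server greeting
        caps = capabilities(command(s, "a1", "CAPABILITY"))
        findings["advertises_starttls"] = "STARTTLS" in caps
        # the iRule must refuse any clear-text command with BAD
        findings["cleartext_refused"] = tagged_status(command(s, "a2", "NOOP"), "a2") == "BAD"
        findings["starttls_accepted"] = tagged_status(command(s, "a3", "STARTTLS"), "a3") == "OK"
        if findings["starttls_accepted"]:
            ctx = ssl.create_default_context()         # verifies the certificate and hostname
            with ctx.wrap_socket(s, server_hostname=host) as tls:
                findings["tls_version"] = tls.version()
                findings["noop_after_tls_ok"] = tagged_status(command(tls, "a4", "NOOP"), "a4") == "OK"
    return findings

# Constructed sample of the rewritten CAPABILITY response the client sees
SAMPLE_CAPA = "* CAPABILITY IMAP4rev1 LITERAL+ STARTTLS\r\na1 OK Capability completed\r\n"
```

Run `check_imap_starttls("imap.example.test")` against the virtual server; a result with `advertises_starttls` true, `cleartext_refused` true and a `tls_version` entry means the gate behaves as the iRule intends.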
Published Mar 18, 2015
Version 1.0
