iRule for TLS SMTP encryption (Colin's code)

Question

I'm trying to figure out how to implement this.  So far I've had no success.  I am currently terminating SSL/SMTP on port 465 which load balances to a pool on a non-standard port.  That pool is Exchange 2007 Hub Transport servers. This works fine. When I try use this rule and do the same with a client using SSL and port 587 I get nowhere.  I have this VIP load balancing to the Hub Transport servers in a different pool/port.  Anyone used this successfully?  It is a fine bit of code and it is kiiling me not to have it working.  
&nbsp;   
 when CLIENT_ACCEPTED {  
 SSL::disable   
 }  
 when SERVER_CONNECTED {  
 TCP::collect  
 }  
 when CLIENT_DATA {  
 set lcpayload [string tolower [TCP::payload]]  
 if { $lcpayload starts_with "ehlo" } {  
 TCP::respond "250-STARTTLS
250 OK
"  
 TCP::payload replace 0 [TCP::payload length] ""  
 TCP::release  
 TCP::collect  
 } elseif { $lcpayload starts_with "starttls" } {  
 TCP::respond "220 Ready to start TLS
"  
 TCP::payload replace 0 [TCP::payload length] ""  
 TCP::release  
 SSL::enable  
 } else {  
 TCP::respond "530 Must issue a STARTTLS command first
"  
 TCP::payload replace 0 [TCP::payload length] ""  
 TCP::release  
 TCP::collect  
 }  
 }  
 when SERVER_DATA {  
 TCP::release  
 clientside { TCP::collect }  
 }

nat_thirasuttakorn · Answer

it should be working in 9.4.4.  
&nbsp; what version are you using?  
&nbsp; can you post related message from /var/log/ltm and tcpdump? 
&nbsp;  &nbsp;

kraigk_52257 · Answer

I'm using 9.4.6.  Will get logs but I'm curious about how this should be utilized.  Should my mail servers (hub transports) be doing TLS negotiation or is that all happening on the LTM?  Basic authentication then on the mail server? You see where I'm going..  I just don't know what the working setup should be.

kraigk_52257 · Answer

Thanks for the reply natty. I have tried exactly what you suggest ( client ---tls---> LTM ----normal smtp---> server ) . I will play with authentication methods on my SMTP servers. This setup works fine for SSL/SMTP via port 465 but I've had a time with TLS.

kraigk_52257 · Answer

My apoligies to you natty.  And my compliments too.  Whether I can make it work with my SMTP servers or not is irrelevant.  Damn nice iRule either way.

nat_thirasuttakorn · Answer

You don't need to apologize. Please don't say that.  
&nbsp;  
&nbsp; One thing that might be worth mentioning, 465 is usually used for implicit SSL (which means it starts SSL negotiation right after TCP handshake) 
&nbsp; this irule is for "explicit SSL" which usually on port 25. After TCP handshake and basic SMTP greeting, client sends "STARTTLS" command to tell server that it is going to start SSL negotiation in the same TCP connection. Wireshark or tcpdump can tell when SSL negotiation starts. 
&nbsp;  
&nbsp; I am not Microsoft Exchange expert at all. So I might be wrong. (I tested this iRule with outlook express. I used port 25 and enable SSL) 
&nbsp;  
&nbsp; btw, thanks Colin.

Forum Discussion

iRule for TLS SMTP encryption (Colin's code)

7 Replies

Recent Discussions

Provisioning r2600 equipment

Could not connect to SMTP host.

Telemetry streaming to Elasticsearch

Block CBC

active/active Support Declarative Onboarding

Related Content

Cookie Encryption

How to install lets encrypt on BIG IP

Encrypted cookies on strict uri

Client Side SSL Encryption while response from F5

SSL decryption/re-encryption w/iRule feeding into HTTPS load balance