Forum Discussion

DP
Jun 21, 2018

STARTTLS Proxy

Hi.

I'm trying to setup a TLSv1.0 -> TLSv1.2 proxy for STARTTLS SMTP traffic.

We need to disable TLSv1.0 and TLSv1.1, on STARTTLS sessions, for compliance reasons on our mail server. Another requirement is an "AUTH LOGIN" prompt can't be displayed until a STARTTLS session has been established, i.e. no credentials sent in plain text.

I have a list of known internal clients that only support TLSv1.0, things like scan-to-email printers / Office 2011 for Mac. All other clients will need to use TLSv1.2.

I've created a virtual server, added clientside and serverside SSL profiles with only TLSv1.2 enabled. There's another client side SSL profile (called Legacy_Mail) with TLSv1.0, TLSv1.1 and TLSv1.2 enabled.

An iRule disables SSL on both the clientside and serverside in CLIENT_CONNECTED.

Once a "STARTTLS" / "220 Ready to start TLS" combination is detected, if it's a known TLSv1.0 client, change the client side SSL profile to Legacy_Mail. However, specifying SSL::profile Legacy_Mail in the SERVER_DATA event returns a "[command is not valid in the current scope]". Seems SSL::profile only works in the CLIENT_CONNECTED event for non-HTTP traffic.

Tried other events but couldn't find one that works.

Next thought I had was to have a second virtual server, VS2, with the Legacy_Mail clientside and serverside profile with only TLSv1.2.

In the CLIENT_CONNECTED event, it checks the known TLSv1.0 IP list and then issues a virtual VS2 if there's a match.

VS2 then performs the "STARTTLS" / "220 Ready to start TLS" checks and enables SSL if detected.

Issue here is there are no events fired on the iRule attached to VS2 after virtual VS2 is issued.

Does anyone have any thoughts about:

  1. How to change the SSL::profile in events other than CLIENT_CONNECTED
  2. How to get events to fire on the VS2 virtual server after virtual VS2 is issued

Thanks.

1 Reply

  • Anesh

    try

     # Start with SSL off and hold the first three client bytes for inspection.
     when CLIENT_ACCEPTED {
         SSL::disable
         TCP::collect 3
     }

     when CLIENT_DATA {
         if { [TCP::payload length] >= 3 } {
             # First three bytes of a TLS record: content type, then the record version.
             binary scan [TCP::payload 3] H* hex
             log local0. "Payload in HEX: $hex"

             switch $hex {
                 "160301" {
                     # Handshake record with version 3.1 (TLSv1.0): use the legacy profile.
                     SSL::profile Legacy_Mail
                     SSL::enable
                 }
                 default {
                     SSL::enable
                 }
             }
         }
         TCP::release
     }
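As an added, stand-alone example (not an iRule, and not code from either poster): a Python model of the gating logic the question describes and the reply sketches. It tracks the plaintext SMTP exchange, treats the client bytes that follow "STARTTLS" / "220 Ready to start TLS" as a TLS ClientHello, selects Legacy_Mail only for allowlisted legacy clients, and also flags the compliance point in the question, AUTH being offered or attempted before STARTTLS. It goes one step beyond the reply's three-byte check: most TLSv1.2 ClientHellos carry record version 0x0301 too, so the model reads the handshake's client_version instead of the record version. The addresses, transcript lines and the TLS12_Only profile name are constructed placeholders.

```python
# Added example: an offline model of STARTTLS gating, not F5 code and not an iRule.
import ipaddress

TLS_VERSIONS = {(3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

# Constructed allowlist of internal clients that only speak TLSv1.0 (hypothetical addresses).
LEGACY_CLIENTS = {ipaddress.ip_address("10.0.5.20")}

# Legacy_Mail is the profile named in the thread; TLS12_Only is a placeholder for the
# TLSv1.2-only clientside profile the question does not name.
LEGACY_PROFILE = "Legacy_Mail"
STRICT_PROFILE = "TLS12_Only"


def client_hello_version(data):
    """Return the ClientHello's client_version as (major, minor), or None.

    Layout: record header = type(1) version(2) length(2); handshake header =
    type(1) length(3); then client_version(2). The record version is usually
    0x0301 even for TLSv1.2 clients, so the first three bytes alone do not
    identify the version; the handshake client_version does. (TLSv1.3 signals
    itself via the supported_versions extension, which this model does not parse.)
    """
    if len(data) < 11 or data[0] != 0x16 or data[5] != 0x01:
        return None
    return (data[9], data[10])


class StarttlsGate:
    """Tracks one SMTP session across the STARTTLS upgrade and picks a profile."""

    def __init__(self, client_ip):
        self.client_ip = ipaddress.ip_address(client_ip)
        self.starttls_sent = False   # client issued STARTTLS
        self.tls_expected = False    # server answered 220; next client bytes are TLS
        self.violations = []

    def server_line(self, line):
        text = line.strip().upper()
        # Compliance check: AUTH must not be offered on the plaintext leg.
        if not self.tls_expected and text.startswith(b"250") and b"AUTH" in text:
            self.violations.append("AUTH advertised before STARTTLS")
        if self.starttls_sent and text.startswith(b"220"):
            self.tls_expected = True

    def client_line(self, line):
        text = line.strip().upper()
        if text.startswith(b"AUTH") and not self.tls_expected:
            self.violations.append("AUTH attempted before STARTTLS")
        if text == b"STARTTLS":
            self.starttls_sent = True

    def choose_profile(self, first_tls_bytes):
        """Decide what to do with the first client bytes after '220 Ready to start TLS'."""
        if not self.tls_expected:
            return ("reject", "STARTTLS/220 exchange not seen")
        ver = client_hello_version(first_tls_bytes)
        if ver is None:
            return ("reject", "not a TLS ClientHello")
        name = TLS_VERSIONS.get(ver, "unknown %d.%d" % ver)
        if ver >= (3, 3):
            return (STRICT_PROFILE, name)
        if self.client_ip in LEGACY_CLIENTS:
            return (LEGACY_PROFILE, name)
        return ("reject", name)


def make_client_hello(major, minor):
    """Build a minimal, constructed ClientHello carrying the given client_version."""
    # client_version, 32-byte random, empty session id, one cipher suite, null compression
    body = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def run_session(client_ip, exchange, first_tls_bytes):
    """Feed a constructed plaintext exchange [(side, line), ...], then the TLS bytes."""
    gate = StarttlsGate(client_ip)
    for side, line in exchange:
        (gate.server_line if side == "S" else gate.client_line)(line)
    profile, detail = gate.choose_profile(first_tls_bytes)
    return profile, detail, gate.violations


# Constructed transcripts for the cases the thread is about.
CLEAN_EXCHANGE = [
    ("S", b"220 mail.example.test ESMTP"),
    ("C", b"EHLO printer"),
    ("S", b"250-mail.example.test"),
    ("S", b"250 STARTTLS"),
    ("C", b"STARTTLS"),
    ("S", b"220 Ready to start TLS"),
]
LEAKY_EXCHANGE = CLEAN_EXCHANGE[:2] + [("S", b"250-AUTH LOGIN PLAIN")] + CLEAN_EXCHANGE[2:]

if __name__ == "__main__":
    print(run_session("10.0.5.20", CLEAN_EXCHANGE, make_client_hello(3, 1)))
    print(run_session("10.0.9.9", CLEAN_EXCHANGE, make_client_hello(3, 1)))
    print(run_session("10.0.9.9", CLEAN_EXCHANGE, make_client_hello(3, 3)))
    print(run_session("10.0.9.9", LEAKY_EXCHANGE, make_client_hello(3, 3)))
```

The decision is taken on the client_version byte pair rather than the record header, which is why the allowlisted 10.0.5.20 gets Legacy_Mail for a TLSv1.0 hello while an unlisted client with the same hello is rejected, and why a TLSv1.2 hello whose record version is still 0x0301 is routed to the strict profile.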