Forum Discussion

rgordon_01
Jun 20, 2018

F5 issuing RSET in the middle of STARTTLS - is there any iRule to fix K16312?

Set up a new virtual server for Exchange SMTP external traffic. With a client cert and SMTPS profile applied, this configuration does not work. The internal mailbox never receives the external email. In the captures I see the issue is that the F5 sends a RSET to the backend server instead of completing the STARTTLS conversation. If I remove the SMTPS profile and client cert, everything works (the F5 does not send RSET). This appears to be a known issue, K16312: The BIG-IP system may fail to appropriately respond to SMTPS commands after the STARTTLS handshake https://support.f5.com/csp/article/K16312. We are on version 11.5.1. Is there any way to get around this, or any iRule that will work? I've used the iRule in this article https://devcentral.f5.com/codeshare?sid=700 but I don't think that's going to help because the payload is already sending 250-STARTTLS. I could upgrade to the next version but we're in a time crunch. The iRule works but I'm still getting the RSET from the F5.

    # Start every client connection in clear text; TLS is only enabled once
    # the client has sent STARTTLS.
    when CLIENT_ACCEPTED {
        set ehlo 0
        SSL::disable
        log local0. "ehlo ssl disabled"
    }

    # Hold the server's banner/replies so SERVER_DATA can inspect them.
    when SERVER_CONNECTED {
        log local0. "server_connected collect"
        TCP::collect
    }

    when CLIENT_DATA {
        set lcpayload [string tolower [TCP::payload]]
        if { $lcpayload starts_with "ehlo" } {
            # Remember that EHLO was seen so the EHLO reply can be rewritten,
            # forward the command and keep collecting on both sides.
            set ehlo 1
            serverside { TCP::collect }
            TCP::release
            TCP::collect
            log local0. "CLIENT_DATA set ehlo 1"
        } elseif { $lcpayload starts_with "starttls" } {
            # Answer STARTTLS locally, drop the command from the payload so it
            # is not forwarded, then switch the client side to TLS.
            TCP::respond "220 Ready to start TLS\r\n"
            TCP::payload replace 0 [TCP::payload length] ""
            TCP::release
            SSL::enable
            log local0. "CLIENT_DATA 220 Ready to start TLS\r\n"
        } else {
            TCP::release
            log local0. "CLIENT_DATA else release"
        }
    }

    when SERVER_DATA {
        log local0. "server_data before STARTTLS"
        log local0. [TCP::payload]
        # Prepend a 250-STARTTLS line to the EHLO reply going back to the client.
        if { $ehlo == 1 and ([string tolower [TCP::payload]] contains "starttls") } {
            TCP::payload replace 0 0 "250-STARTTLS\r\n"
            log local0. "server_data STARTTLS"
        }
        TCP::release
        clientside { TCP::collect }
        log local0. "TCP release clientside collect"
    }

In the logs nothing happens after CLIENT_DATA 220 Ready to start TLS

    Exchange_2016_STARTTLS : ehlo ssl disabled
    Exchange_2016_STARTTLS : server_connected collect
    Exchange_2016_STARTTLS : server_data before STARTTLS
    Exchange_2016_STARTTLS : TCP release clientside collect
    Exchange_2016_STARTTLS : CLIENT_DATA set ehlo 1
    Exchange_2016_STARTTLS : server_data before STARTTLS
    Exchange_2016_STARTTLS : TCP release clientside collect
    Exchange_2016_STARTTLS : CLIENT_DATA 220 Ready to start TLS

I'm not really sure what the issue is at this point as far as why the f5 is not issuing the STARTTLS command to the backend server.

 

1 Reply

  • please disregard the last line: I'm not really sure what the issue is at this point as far as why the f5 is not issuing the STARTTLS command to the backend server
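As an added illustration (not part of this thread, and not F5 or BIG-IP code), the following Python script walks an SMTP transcript as you would read it off the server-side capture described above and reports whether the STARTTLS negotiation completed, or was broken off by a RSET between the 250-STARTTLS advertisement and the server's 220 reply. Since an iRule can only execute on a BIG-IP, the dialog itself is modelled here instead; the transcripts, host names and the check_starttls_dialog helper are all constructed for this example.

```python
"""Check an SMTP transcript for a completed (or broken) STARTTLS negotiation.

Added example, not code from the thread above. Transcript lines are
'C: <command>' for the client/proxy side and 'S: <reply>' for the server
side, in wire order; the sample dialogs at the bottom are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class StartTlsReport:
    advertised: bool = False       # server's EHLO reply listed STARTTLS
    starttls_sent: bool = False    # client actually issued STARTTLS
    tls_started: bool = False      # server answered STARTTLS with 220
    anomalies: list = field(default_factory=list)


def _split(line):
    """Split 'C: text' / 'S: text' into (side, text)."""
    side, _, text = line.partition(":")
    return side.strip().upper(), text.strip()


def check_starttls_dialog(transcript):
    """Walk the dialog and return a StartTlsReport describing what happened."""
    report = StartTlsReport()
    pending = None   # verb of the last client command still awaiting its reply
    for raw in transcript:
        side, text = _split(raw)
        if side == "C":
            verb = text.split(" ", 1)[0].upper()
            if verb == "STARTTLS":
                if not report.advertised:
                    report.anomalies.append("STARTTLS sent but never advertised")
                report.starttls_sent = True
            elif verb == "RSET" and report.advertised and not report.tls_started:
                # The symptom from the post: the session is reset after the
                # server advertised STARTTLS but before TLS was ever started.
                report.anomalies.append("RSET issued before STARTTLS completed")
            pending = verb
        elif side == "S":
            code = text[:3]
            more = text[3:4] == "-"     # '250-' means further reply lines follow
            if pending == "EHLO":
                if "STARTTLS" in text.upper():
                    report.advertised = True
                if not more:
                    pending = None
            elif pending == "STARTTLS":
                if code == "220":
                    report.tls_started = True   # handshake begins after this
                else:
                    report.anomalies.append(f"server refused STARTTLS with {code}")
                pending = None
            else:
                pending = None
    if report.advertised and not report.tls_started:
        report.anomalies.append("STARTTLS advertised but TLS never started")
    return report


# Constructed transcript of a healthy negotiation on the backend side.
GOOD_DIALOG = [
    "S: 220 mail.example.test ESMTP",
    "C: EHLO client.example.test",
    "S: 250-mail.example.test Hello",
    "S: 250-SIZE 36700160",
    "S: 250-STARTTLS",
    "S: 250 OK",
    "C: STARTTLS",
    "S: 220 2.0.0 Ready to start TLS",
]

# Constructed transcript mirroring the capture in the post: the proxy sends
# RSET to the backend instead of forwarding STARTTLS.
BROKEN_DIALOG = [
    "S: 220 mail.example.test ESMTP",
    "C: EHLO client.example.test",
    "S: 250-mail.example.test Hello",
    "S: 250-STARTTLS",
    "S: 250 OK",
    "C: RSET",
    "S: 250 2.0.0 Resetting",
    "C: QUIT",
    "S: 221 2.0.0 Bye",
]

if __name__ == "__main__":
    for name, dialog in (("good", GOOD_DIALOG), ("broken", BROKEN_DIALOG)):
        print(name, check_starttls_dialog(dialog))
```

Fed a transcript exported from a capture, the report makes the difference visible at a glance: the healthy dialog ends with tls_started set and no anomalies, while the broken one has advertised set but never reaches STARTTLS, and records the RSET that cut the negotiation short.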