Forum Discussion
Adding STARTTLS functionality to outbound SMTP sessions via iRule
Comments and/or suggestions welcome.
when CLIENT_ACCEPTED {
    log local0. "client accepted"
    # keep the server-side SSL profile off until STARTTLS has been negotiated
    SSL::disable serverside
}
when SERVER_CONNECTED {
    TCP::collect
}
when SERVER_DATA {
    log local0. "server payload: [string tolower [TCP::payload]]"
    set payload [string tolower [TCP::payload]]
    if { $payload contains "220 smtp esmtp relay" } {
        # respond with an EHLO to the server
        TCP::respond "EHLO\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        log local0. "responded to server with EHLO"
        serverside {TCP::collect}
    } elseif { $payload contains "250-starttls" } {
        # respond with a STARTTLS to the server
        TCP::respond "STARTTLS\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        log local0. "Sent the server a STARTTLS"
        serverside {TCP::collect}
    } elseif { $payload contains "220 2.0.0 ready to start tls" } {
        # start the SSL profile with the server
        log local0. "server said he is ready for TLS, enable the SSL profile"
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        serverside {SSL::enable}
    }
}
when SERVERSSL_HANDSHAKE {
    log local0. "SSL handshake completed."
    # only now greet the client, so it never sees a relay that is not yet on TLS
    clientside { TCP::respond "220 SMTP ESMTP Relay\r\n" }
    SSL::collect
}
when SERVERSSL_DATA {
    log local0. "server SSL payload: [SSL::payload]"
    SSL::release
    SSL::collect
}
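The server-side exchange the iRule above drives (banner, EHLO, STARTTLS, then TLS), as an added Python example that is not code from the post or from F5: it parses SMTP reply codes and the multi-line EHLO capability list as RFC 5321 defines them instead of matching whole banner strings, sends EHLO with a hostname (the assumed name relay.example.test), refuses to continue in cleartext when STARTTLS is not advertised, and copes with a reply that arrives split across two reads. The server replies in the test are constructed.

```python
import re
from typing import List, Optional, Tuple

def parse_reply(data: str) -> Optional[Tuple[int, List[str], str]]:
    """Parse one complete SMTP reply ('NNN-text' continues, 'NNN text' ends, RFC 5321
    4.2.1). Returns (code, text lines, unread remainder) or None if still incomplete."""
    lines, rest = [], data
    while True:
        nl = rest.find("\r\n")
        if nl < 0:
            return None  # partial reply: wait for more data, keep the buffer intact
        line, rest = rest[:nl], rest[nl + 2:]
        m = re.fullmatch(r"(\d{3})([ -])(.*)", line)
        if not m or (lines and int(m.group(1)) != lines[0][0]):
            raise ValueError(f"malformed reply line: {line!r}")
        lines.append((int(m.group(1)), m.group(3)))
        if m.group(2) == " ":
            return lines[0][0], [t for _, t in lines], rest

class StarttlsNegotiator:
    """Drives banner -> EHLO -> STARTTLS; the caller sends the returned commands."""
    def __init__(self, helo_name: str) -> None:
        self.helo_name = helo_name  # hostname for EHLO; the test uses a made-up one
        self.state, self.buf = "banner", ""

    def feed(self, data: str) -> List[str]:
        """Consume bytes from the server; return the actions to take (may be empty)."""
        self.buf += data
        actions: List[str] = []
        while (parsed := parse_reply(self.buf)) is not None:
            code, lines, self.buf = parsed
            actions.extend(self._step(code, lines))
        return actions

    def _step(self, code: int, lines: List[str]) -> List[str]:
        if self.state == "banner" and code == 220:
            self.state = "ehlo"
            return [f"EHLO {self.helo_name}\r\n"]
        if self.state == "ehlo" and code == 250:
            # capability keywords are the first word of each line after the greeting
            caps = {l.split()[0].upper() for l in lines[1:] if l.strip()}
            if "STARTTLS" not in caps:
                self.state = "failed"  # never fall back to cleartext delivery
                return ["QUIT\r\n"]
            self.state = "starttls"
            return ["STARTTLS\r\n"]
        if self.state == "starttls" and code == 220:
            self.state = "tls"
            return ["TLS"]  # the point at which the iRule would call SSL::enable
        raise RuntimeError(f"unexpected {code} reply in state {self.state}")
```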
- bdavis (Nimbostratus): Does this get applied to a forwarding Virtual Server? Or is there another way to see the outbound traffic to apply this code?
- nitass (Employee): I understand it is a standard virtual server because of the serverssl profile.
- bdavis (Nimbostratus): Where I am confused is: if this is for the outbound traffic initiated from your mail relay to a distant-end mail relay, how are you seeing the traffic that is being initiated from the mail relay to the Internet without a forwarding VS or something that can see outbound traffic?
- nitass (Employee): I understand it is a wildcard standard virtual server, e.g. 0.0.0.0:25/0, and its pool is the default gateway. Actually, if a pool is not defined, BIG-IP will forward traffic based on routing even if it is not an IP forwarding virtual server.
- Michael_Harwoo1 (Nimbostratus):
I have recently also been trying to do the same, server side STARTTLS and SSL only, not clientside, and found this article a month or so ago. I managed to use your irule suggestions to get it working on mine as well.
I had to make some adjustments to the EHLO message, to add a server name on the end, otherwise the other end refused to start the TLS handshake (SERVER HELLO error), and also had to tweak the if statements to match some different response strings from the other side. But otherwise it works well.
Here is my DevCentral post on the same thing, where I have posted my version of the iRule:
If you've learned any other lessons using this iRule since and have any further advice then let me know. As far as I can tell, even 11.6.0 still doesn't allow you to configure STARTTLS for the server side in the GUI or config files, and an iRule still seems to be the only way. Hopefully they will improve this in later versions.