Forum Discussion

Ram_75183
Feb 15, 2012

BIG-IP LTM to Exchange 2010 starttls not working for clients

I have a pair of Exchange servers behind a pair of BIG-IP LTM servers. When connecting clients directly to the Exchange servers they can connect to SMTP 25 using TLS and send email.

When I point the client to the LTM, the client gets an error saying that a secure connection is not available.

Has anyone got this working?

I have the virtual server set up to pass through any SSL (i.e. no clientssl or serverssl). I have defined persistence using source_addr and I can see some traffic coming into the Exchange servers.

The end game is to get Office 365/FOPE talking inbound to the on-premises Exchange servers.

FOPE insists on talking on port 25 and securing the session with TLS. The error I see in the Message trace summary goes like this:

In Deferral: 451 4.4.0 Primary target IP address responded with: "451 5.7.3 Must issue a STARTTLS command first." Attempted failover to alternate host, but that did not succeed. Either there are no al

It seems like the F5s are intercepting the STARTTLS commands?

2 Replies

  • Turns out that the Cisco firewalls were using SMTP inspection to disable STARTTLS. I managed to get this turned off and all the emails went through.

    If you are seeing XXXX's in your SMTP logs then there's a good chance you have a Cisco firewall inspecting your traffic and removing non-RFC-compliant SMTP commands.
  • Helen_Johnson_1 (Historic F5 Account)
    Hi Ram,

    Thank you for sharing the outcome of your issue with the community at large. I'm sure it will help someone else should they run into the same issue.

    Have a good day.
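A small probe, added here as an example and not part of the thread, that shows the check Ram's follow-up points at: run it once against the LTM virtual server and once against an Exchange server directly, compare whether STARTTLS is advertised, and look for capability lines overwritten with X characters (the masking that Cisco SMTP inspection produced in his case). Host names, the `probe` helper and the sample EHLO responses are constructed for the example.

```python
import socket
import ssl

# Constructed EHLO replies (not taken from the thread). MASKED_EHLO is the shape
# a firewall doing SMTP inspection can present: STARTTLS overwritten with X's.
MASKED_EHLO = ["250-mail.example.test Hello", "250-SIZE 36700160",
               "250-XXXXXXXX", "250-AUTH LOGIN", "250 OK"]
CLEAN_EHLO = ["250-mail.example.test Hello", "250-SIZE 36700160",
              "250-STARTTLS", "250-AUTH LOGIN", "250 OK"]

def analyse_ehlo(lines):
    """Summarise an EHLO reply: is STARTTLS advertised, were any lines masked?"""
    caps = [l[4:].strip() for l in lines if l.startswith("250")]  # drop "250-"/"250 "
    return {
        "starttls": any(c.upper().startswith("STARTTLS") for c in caps),
        "masked": [c for c in caps if c and set(c) == {"X"}],
        "capabilities": caps,
    }

def read_reply(sock):
    """Read one (possibly multi-line) SMTP reply; the final line has 'NNN '."""
    buf = b""
    while chunk := sock.recv(4096):
        buf += chunk
        lines = buf.decode("utf-8", "replace").splitlines()
        if buf.endswith(b"\r\n") and len(lines[-1]) > 3 and lines[-1][3] == " ":
            return lines
    return buf.decode("utf-8", "replace").splitlines()

def probe(host, port=25, helo="probe.example.test", timeout=10):
    """Connect to host:port (e.g. the LTM VIP), EHLO, then attempt STARTTLS."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        read_reply(s)                                   # 220 greeting
        s.sendall(f"EHLO {helo}\r\n".encode())
        result = analyse_ehlo(read_reply(s))
        if result["starttls"]:
            s.sendall(b"STARTTLS\r\n")
            reply = read_reply(s)
            result["starttls_reply"] = reply[-1] if reply else ""
            if reply and reply[-1].startswith("220"):
                ctx = ssl.create_default_context()
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE     # diagnostic: inspect, do not trust
                tls = ctx.wrap_socket(s, server_hostname=host)
                result["tls_version"] = tls.version()
                tls.sendall(b"QUIT\r\n")
                tls.close()
                return result
        s.sendall(b"QUIT\r\n")
    return result
```

A masked result through the VIP but a clean one directly against the mailbox server means the device in between, not the LTM pass-through configuration, is stripping the capability.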