Forum Discussion

Brad_King_11485
Mar 17, 2019

How to reject IMAPS session if client IP is contained within a data list.

Quite simply, I want to have a data group list of IPs that I want to disallow IMAPS access for.

I have the following code on an IMAPS VIP (port 993, SSL), which does disconnect the session:

when CLIENT_CONNECTED {
    # CLIENT_CONNECTED fires before the TLS handshake, so this response
    # goes out in cleartext on a port where the client expects TLS
    if { [class match [IP::client_addr] equals imap_blocked_ips] } {
        TCP::respond "* BYE; Service Denied"
    }
}

However, it disconnects due to being unable to negotiate SSL. I really want to send the error message back to the client rather than just dropping the connection due to an SSL failure.

I believe I need it to negotiate SSL first and then send the BYE notice back.

I have tried some other code, but when I add it here and try to post, it tells me my content is SPAM.

Can anyone advise if there is a rule I can use to achieve this, or point me in the right direction?

Thanks

Hi Brad,

you need to change the iRule event to CLIENTSSL_HANDSHAKE (an event triggered after the TLS handshake is complete) and then use SSL::respond to send your message through the established TLS channel.

when CLIENTSSL_HANDSHAKE {
    # the TLS session is now established, so the response is encrypted
    if { [class match [IP::client_addr] equals imap_blocked_ips] } {
        SSL::respond "* BYE; Service Denied"
        # discard the connection so it never reaches the IMAP server
        drop
    }
}

Cheers, Kai
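The approach from Kai's answer, extended as an added example that is not from the thread: the BYE line is terminated with the CRLF that IMAP (RFC 3501) requires, and each rejection is logged so blocked attempts are visible to whoever watches the LTM log. It assumes an address-type data group named imap_blocked_ips (host or CIDR entries) attached to the port 993 virtual server.

```tcl
# Added example (not from the original thread or F5 documentation).
# Assumes an address-type data group "imap_blocked_ips" containing the
# client hosts/networks that must not use IMAPS on this virtual server.
when CLIENTSSL_HANDSHAKE {
    set client [IP::client_addr]
    # "class match ... equals" against an address data group matches both
    # single-host entries and CIDR network entries
    if { [class match $client equals imap_blocked_ips] } {
        # IMAP untagged BYE response; IMAP lines must end in CRLF, and the
        # text goes over the TLS channel that has just been negotiated
        SSL::respond "* BYE Service denied\r\n"
        # record the rejection (written to /var/log/ltm) for detection
        log local0.info "IMAPS denied: $client:[TCP::client_port] -> [virtual name]"
        # discard the connection so it never reaches the IMAP backend
        drop
    }
}
```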