Forum Discussion

kraigk_52257's avatar
kraigk_52257
Icon for Nimbostratus rankNimbostratus
Mar 31, 2009

iRule for TLS SMTP encryption (Colin's code)

I'm trying to figure out how to implement this. So far I've had no success. I am currently terminating SSL/SMTP on port 465 which load balances to a pool on a non-standard port. That pool is Exchange 2007 Hub Transport servers. This works fine. When I try use this rule and do the same with a client using SSL and port 587 I get nowhere. I have this VIP load balancing to the Hub Transport servers in a different pool/port. Anyone used this successfully? It is a fine bit of code and it is kiiling me not to have it working.

 

  
 when CLIENT_ACCEPTED {  
 SSL::disable   
 }  
 when SERVER_CONNECTED {  
 TCP::collect  
 }  
 when CLIENT_DATA {  
 set lcpayload [string tolower [TCP::payload]]  
 if { $lcpayload starts_with "ehlo" } {  
 TCP::respond "250-STARTTLS\r\n250 OK\r\n"  
 TCP::payload replace 0 [TCP::payload length] ""  
 TCP::release  
 TCP::collect  
 } elseif { $lcpayload starts_with "starttls" } {  
 TCP::respond "220 Ready to start TLS\r\n"  
 TCP::payload replace 0 [TCP::payload length] ""  
 TCP::release  
 SSL::enable  
 } else {  
 TCP::respond "530 Must issue a STARTTLS command first\r\n"  
 TCP::payload replace 0 [TCP::payload length] ""  
 TCP::release  
 TCP::collect  
 }  
 }  
 when SERVER_DATA {  
 TCP::release  
 clientside { TCP::collect }  
 }   
 
  • it should be working in 9.4.4.

     

    what version are you using?

     

    can you post related message from /var/log/ltm and tcpdump?

     

     

  • I'm using 9.4.6. Will get logs but I'm curious about how this should be utilized. Should my mail servers (hub transports) be doing TLS negotiation or is that all happening on the LTM? Basic authentication then on the mail server? You see where I'm going.. I just don't know what the working setup should be.
  • Thanks for the reply natty. I have tried exactly what you suggest ( client ---tls---> LTM ----normal smtp---> server ) . I will play with authentication methods on my SMTP servers. This setup works fine for SSL/SMTP via port 465 but I've had a time with TLS.

     

  • My apoligies to you natty. And my compliments too. Whether I can make it work with my SMTP servers or not is irrelevant. Damn nice iRule either way.
  • You don't need to apologize. Please don't say that.

     

     

    One thing that might be worth mentioning, 465 is usually used for implicit SSL (which means it starts SSL negotiation right after TCP handshake)

     

    this irule is for "explicit SSL" which usually on port 25. After TCP handshake and basic SMTP greeting, client sends "STARTTLS" command to tell server that it is going to start SSL negotiation in the same TCP connection. Wireshark or tcpdump can tell when SSL negotiation starts.

     

     

    I am not Microsoft Exchange expert at all. So I might be wrong. (I tested this iRule with outlook express. I used port 25 and enable SSL)

     

     

    btw, thanks Colin.
  • not sure about 9.4.6 but definitely does not work with 9.4.5 (TMM crash) I have upgraded to 10.0.1 and with a few minor mods this works fine.
  • I'm about to embark on using this again. We have our 1600's on 10.1.1. A question or two if I may..

     

     

    clientssl - should I be using the clientssl profile or a valid cert profile?

     

    iRules - I have a SNAT rule on the VIP where I would implement this, should the TLS iRule be processed before or after SNAT?

     

     

    Anything else special to do?

     

     

    thanks