Forum Discussion
kraigk_52257
Mar 31, 2009, Nimbostratus
iRule for TLS SMTP encryption (Colin's code)
I'm trying to figure out how to implement this. So far I've had no success. I am currently terminating SSL/SMTP on port 465, which load balances to a pool on a non-standard port. That pool is Exchange 2007 Hub Transport servers. This works fine. When I try to use this rule and do the same with a client using SSL and port 587, I get nowhere. I have this VIP load balancing to the Hub Transport servers in a different pool/port. Anyone used this successfully? It is a fine bit of code and it is killing me not to have it working.
```tcl
# Start in plaintext on the client side; TLS is switched on only after STARTTLS.
when CLIENT_ACCEPTED {
    SSL::disable
}
# Hold the server's 220 greeting so the client side can be collected first.
when SERVER_CONNECTED {
    TCP::collect
}
when CLIENT_DATA {
    set lcpayload [string tolower [TCP::payload]]
    if { $lcpayload starts_with "ehlo" } {
        # Answer EHLO locally, advertising only STARTTLS; the pool never sees it.
        TCP::respond "250-STARTTLS\r\n250 OK\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        TCP::collect
    } elseif { $lcpayload starts_with "starttls" } {
        # Acknowledge STARTTLS and enable the clientssl profile; from here on the
        # decrypted stream is passed to the pool as plain SMTP.
        TCP::respond "220 Ready to start TLS\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        SSL::enable
    } else {
        # Any other command before TLS is refused and dropped, not forwarded.
        TCP::respond "530 Must issue a STARTTLS command first\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        TCP::collect
    }
}
when SERVER_DATA {
    # Pass the greeting through to the client, then collect client commands.
    TCP::release
    clientside { TCP::collect }
}
```
- Nat_Thirasuttakorn (Employee): It should be working in 9.4.4.
- kraigk_52257 (Nimbostratus): I'm using 9.4.6. Will get logs, but I'm curious about how this should be utilized. Should my mail servers (hub transports) be doing TLS negotiation, or is that all happening on the LTM? Basic authentication then on the mail server? You see where I'm going... I just don't know what the working setup should be.
- kraigk_52257 (Nimbostratus): Thanks for the reply natty. I have tried exactly what you suggest ( client ---tls---> LTM ----normal smtp---> server ). I will play with authentication methods on my SMTP servers. This setup works fine for SSL/SMTP via port 465, but I've had a time with TLS.
- kraigk_52257 (Nimbostratus): My apologies to you natty. And my compliments too. Whether I can make it work with my SMTP servers or not is irrelevant. Damn nice iRule either way.
- Nat_Thirasuttakorn (Employee): You don't need to apologize. Please don't say that.
- Spencer_Day_867 (Nimbostratus): Not sure about 9.4.6, but it definitely does not work with 9.4.5 (TMM crash). I have upgraded to 10.0.1 and with a few minor mods this works fine.
- kraigk_52257 (Nimbostratus): I'm about to embark on using this again. We have our 1600's on 10.1.1. A question or two if I may...
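Added here as an example, not code from the thread or from F5: a small Python probe for checking a submission VIP that offloads STARTTLS the way this iRule does (client ---tls---> LTM ---plain SMTP---> pool). The VIP host/port and the example.invalid sender are placeholders; gate_reply() models the iRule's pre-TLS decisions so they can be checked offline, and probe() runs the live check with certificate verification.

```python
"""Check a STARTTLS-offloading SMTP VIP (hypothetical helper, not from the thread)."""
import smtplib
import ssl


def advertises_starttls(ehlo_reply: bytes) -> bool:
    """True if a multi-line 250 EHLO reply lists the STARTTLS extension."""
    for line in ehlo_reply.decode("ascii", "replace").splitlines():
        # Lines look like '250-EXT' (more follow) or '250 EXT' (last line).
        if line[:3] == "250" and line[4:].strip().upper() == "STARTTLS":
            return True
    return False


def gate_reply(payload: bytes, tls_active: bool):
    """Mirror the iRule's CLIENT_DATA decisions: returns (reply, tls_active_after).
    Once TLS is up the LTM forwards commands to the pool unchanged (no local reply)."""
    if tls_active:
        return None, True
    cmd = payload.lower()
    if cmd.startswith(b"ehlo"):
        return b"250-STARTTLS\r\n250 OK\r\n", False
    if cmd.startswith(b"starttls"):
        return b"220 Ready to start TLS\r\n", True
    # Any other command before TLS is refused, never forwarded to the pool.
    return b"530 Must issue a STARTTLS command first\r\n", False


def probe(host: str, port: int = 587) -> dict:
    """Connect to the VIP, confirm the pre-TLS gate, verify the certificate,
    then EHLO again so the real pool member answers over the encrypted leg."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    result = {}
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        result["starttls_advertised"] = s.has_extn("starttls")
        # The iRule must answer 530 here; a forwarded MAIL FROM means no gate.
        code, _ = s.docmd("MAIL FROM:<probe@example.invalid>")
        result["pre_tls_mail_rejected"] = code == 530
        s.starttls(context=ctx)  # raises on handshake or certificate failure
        result["tls_version"] = s.sock.version()
        code, _ = s.ehlo()  # this EHLO reaches the Hub Transport pool
        result["post_tls_ehlo"] = code
        result["auth_offered_after_tls"] = s.has_extn("auth")
    return result
```

Run probe("vip.example.invalid") against your own VIP; "auth_offered_after_tls" tells you whether the pool member is advertising AUTH on the plain-SMTP leg behind the LTM, which is the setup question the thread is circling.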