Forum Discussion
Michael_Harwoo1
Nimbostratus
Dec 03, 2015
Need an iRule for STARTTLS for SMTPS Server side ONLY, Not Client side.
With reference to this question I asked earlier, which has not had any responses yet:
https://devcentral.f5.com/questions/smtp-starttls-server-side-only-not-client-side-on-1160-
Are there any ...
Michael_Harwoo1
Nimbostratus
Dec 23, 2015
I have recently found this post by someone else that shows an iRule that works almost for what I wanted. https://devcentral.f5.com/questions/adding-starttls-functionality-to-outbound-smtp-sessions-via-irule
It just needed some tweaking of the "IF" statements to get it to accept the slightly different responses from the TLS SMTPS server we were trying to connect to.
```tcl
when CLIENT_ACCEPTED {
    # No SSL on the client side; also make sure no SSL is already running on the server side
    log local0. "client accepted"
    SSL::disable serverside
}

when SERVER_CONNECTED {
    TCP::collect
}

when SERVER_DATA {
    # Read the response from the remote server into a variable and log it to /var/log/ltm
    log local0. "server payload: [string tolower [TCP::payload]]"
    set payload [string tolower [TCP::payload]]

    if { $payload starts_with "220" and $payload contains "esmtp" } {
        # Listen for the remote server's opening "220 ... ESMTP" banner.
        # NOTE: the 'if' test above may need to be tweaked to accept whatever message
        # the other side is actually sending in reply. The logs should show this.
        # Respond with an EHLO; most servers require a name after the EHLO as well.
        TCP::respond "EHLO insert.dns.certificate.server.name.here.com\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        log local0. "responded to server with EHLO"
        serverside { TCP::collect }
    } elseif { $payload contains "250-starttls" } {
        # The server advertised "250-starttls", so ask it to start TLS
        TCP::respond "STARTTLS\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        log local0. "Sent the server a STARTTLS"
        serverside { TCP::collect }
    } elseif { $payload contains "220 ready for tls" or $payload contains "220 2.0.0 continue" } {
        # If the server gives a 220 response, start the server-side SSL profile.
        # NOTE: the 'if' test above may need to be tweaked to accept whatever message
        # the other side is actually sending in reply. The logs should show this.
        log local0. "server said he is ready for TLS, enable the SSL profile"
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        serverside { SSL::enable }
        # The TLS handshake should now start, which is best seen in a Wireshark packet capture.
    }
}

when SERVERSSL_HANDSHAKE {
    # This only fires once the handshake has completed successfully.
    # The ServerSSL profile needs a certificate matching the outbound IP and DNS name,
    # and you may want to set "Server Certificate" to "require"
    # and "Trusted Certificate Authorities" to "ca-bundle".
    log local0. "SSL handshake completed."
    clientside { TCP::respond "220 SMTP ESMTP Relay F5\r\n" }
    SSL::collect
}

when SERVERSSL_DATA {
    # Log the SMTP responses to see any errors
    log local0. "server SSL payload: [SSL::payload]"
    SSL::release
    SSL::collect
}
```
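To make the decision logic of the SERVER_DATA branches explicit, here is an added example in Python (not from the post above, not F5 code and not an iRule) that models the same negotiation as a small state machine. It assumes a placeholder EHLO name and constructed server replies, and adds the two checks the thread hints at: waiting for a complete multi-line 250 reply before matching on STARTTLS, and failing closed when the server never offers STARTTLS rather than relaying in clear text.

```python
import re

# Added model of the iRule's SERVER_DATA branches; not F5 code and not an iRule.
# next_action() takes one complete server reply plus the current state and returns
# (action, detail, new_state): "send" a clear-text command, "enable_ssl" (hand the
# connection to the ServerSSL profile) or "abort" (never relay mail in the clear).
EHLO_NAME = "relay.example.test"  # placeholder for the relay's own DNS name

def reply_complete(buf: str) -> bool:
    # Multi-line replies use "NNN-" on all but the last line; keep collecting
    # (TCP::collect in the iRule) until a final "NNN<space>" line has arrived.
    last = buf.rstrip("\r\n").rsplit("\r\n", 1)[-1]
    return re.match(r"^\d{3}( |$)", last) is not None

def next_action(reply: str, state: str):
    p = reply.lower()
    if state == "greeting":
        if p.startswith("220"):  # any 220 banner, with or without "esmtp"
            return ("send", f"EHLO {EHLO_NAME}\r\n", "ehlo_sent")
        return ("abort", "unexpected greeting: " + reply.strip(), "failed")
    if state == "ehlo_sent":
        # accept "250-starttls" on a middle line or "250 starttls" as the last line
        if p.startswith("250") and re.search(r"^250[- ]starttls\s*$", p, re.M):
            return ("send", "STARTTLS\r\n", "starttls_sent")
        return ("abort", "STARTTLS not offered; refusing clear-text relay", "failed")
    if state == "starttls_sent":
        if p.startswith("220"):  # "220 ready for tls", "220 2.0.0 continue", ...
            return ("enable_ssl", None, "tls")
        return ("abort", "STARTTLS refused: " + reply.strip(), "failed")
    return ("abort", "no action defined in state " + state, "failed")

def negotiate(server_replies):
    # Run the state machine over a list of server replies; return (actions, state).
    state, actions = "greeting", []
    for reply in server_replies:
        if not reply_complete(reply):
            return actions + ["wait"], state  # the iRule would TCP::collect more data
        action, _, state = next_action(reply, state)
        actions.append(action)
        if action != "send":
            break
    return actions, state

# Constructed sample exchange: a Postfix-style server that offers STARTTLS
GOOD_REPLIES = [
    "220 mx.example.test ESMTP Postfix\r\n",
    "250-mx.example.test\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n",
    "220 2.0.0 Ready to start TLS\r\n",
]
```

Running `negotiate(GOOD_REPLIES)` yields the actions `send, send, enable_ssl` and ends in state `tls`; a server whose EHLO reply lacks STARTTLS ends in `abort`, which is the behaviour you want before any message data is forwarded.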
JG_249184
Altocumulus
Mar 13, 2017
How can I use this and have it enable client-side SSL when it detects STARTTLS from the client, but send clear text when it doesn't?