Forum Discussion
Eino_Tuominen_2
Nimbostratus
Oct 28, 2009
Offloading Imap STARTTLS
Hello everybody,
The iRule:
when CLIENT_ACCEPTED {
    SSL::disable
}
when SERVER_CONNECTED {
    log local0.info "New connection"
    TCP::collect
}
when CLIENT...
Daniel_56161
Nimbostratus
Mar 03, 2016
Hello. Below you can find working code for IMAP STARTTLS. It can force the clients to use only a TLS connection (require_starttls = 1) or it can allow unencrypted communication. The iRule was tested with Thunderbird, Outlook and also openssl s_client, and the backend for this iRule was Dovecot.
Code
when CLIENT_ACCEPTED {
    # 1 = refuse every command except CAPABILITY and STARTTLS until TLS is up
    set require_starttls 0
    # the client side starts in clear text; SSL is switched on once STARTTLS is issued
    SSL::disable
}
when SERVER_CONNECTED {
    TCP::collect
}
when CLIENT_DATA {
    set lcpayload [string tolower [TCP::payload]]
    if { $lcpayload contains "starttls" } {
        # answer with the client's own tag, discard the command and enable TLS on the client side
        set tag [getfield [TCP::payload] " " 1]
        TCP::respond "$tag OK Begin TLS negotiation now\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        SSL::enable
    } elseif { $lcpayload contains "capability" } {
        # pass the command through and inspect the server's reply so STARTTLS can be added to it
        serverside { TCP::collect }
        TCP::release
        TCP::collect
    } else {
        if { $require_starttls } {
            # tagged BAD (IMAP completion responses carry the client's tag); the command is dropped
            set id [getfield [TCP::payload] " " 1]
            TCP::respond "$id BAD \"Must issue a STARTTLS command first\"\r\n"
            TCP::payload replace 0 [TCP::payload length] ""
            TCP::release
            TCP::collect
        } else {
            # clear text allowed: forward the command but keep inspecting so a later STARTTLS is still seen
            TCP::release
            TCP::collect
        }
    }
}
when SERVER_DATA {
    # insert STARTTLS into the capability list; 16 and 12 are the lengths of the two prefixes,
    # so the match is anchored to the start of the payload
    if { [TCP::payload] starts_with "* OK \[CAPABILITY" } {
        TCP::payload replace 16 0 " STARTTLS"
        TCP::release
        clientside { TCP::collect }
    } elseif { [TCP::payload] starts_with "* CAPABILITY" } {
        TCP::payload replace 12 0 " STARTTLS"
        TCP::release
        clientside { TCP::collect }
    } else {
        TCP::release
        TCP::collect
    }
}
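Added here as a client-side check of a virtual server running the iRule above (example code, not from either post): against an assumed host and port it walks the same exchange, recording whether a clear-text NOOP is refused (what require_starttls = 1 should produce), whether CAPABILITY advertises STARTTLS, whether STARTTLS completes and the TLS handshake succeeds, and whether CAPABILITY works inside TLS. It expects tagged completion responses as in RFC 3501; the tags a0 to a3 are arbitrary.

```python
import re
import socket
import ssl

def parse_capabilities(line):  # tokens from "* CAPABILITY ..." or a "* OK [CAPABILITY ...]" greeting
    m = re.search(r"CAPABILITY([^\]\r\n]*)", line)
    return set(m.group(1).split()) if m else set()

def tagged_status(tag, line):  # "OK", "NO" or "BAD" when line is the tagged completion for tag, else None
    parts = line.split(" ", 2)
    return parts[1] if len(parts) > 1 and parts[0] == tag and parts[1] in ("OK", "NO", "BAD") else None

def _readline(sock):
    # One byte at a time so nothing is read ahead of the TLS handshake that follows STARTTLS.
    buf = bytearray()
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("connection closed by peer")
        buf += chunk
    return buf.decode("ascii", "replace").rstrip("\r\n")

def _command(sock, tag, cmd):
    # Send one tagged command; return (status, untagged lines received before completion).
    sock.sendall(f"{tag} {cmd}\r\n".encode())
    untagged = []
    while (status := tagged_status(tag, line := _readline(sock))) is None:
        untagged.append(line)
    return status, untagged

def check_starttls_offload(host, port=143, timeout=5):
    # Walk the STARTTLS path of an IMAP virtual server and report what was observed.
    result = {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        caps = parse_capabilities(_readline(sock))  # a Dovecot-style greeting may already list capabilities
        result["plaintext_noop"], _ = _command(sock, "a0", "NOOP")  # "BAD" => clear-text commands refused
        _, lines = _command(sock, "a1", "CAPABILITY")
        caps |= {c for l in lines for c in parse_capabilities(l)}
        result["starttls_advertised"] = "STARTTLS" in caps
        if not result["starttls_advertised"]:
            return result
        result["starttls_status"], _ = _command(sock, "a2", "STARTTLS")
        if result["starttls_status"] != "OK":
            return result
        ctx = ssl.create_default_context()  # verifies the certificate served by the virtual server
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result["tls_version"] = tls.version()
            result["tls_capability"], _ = _command(tls, "a3", "CAPABILITY")
    return result
```

Calling check_starttls_offload("imap.example.com") (placeholder host) against the require_starttls = 1 variant should give plaintext_noop "BAD" with starttls_status and tls_capability "OK".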