yquirion
Nov 01, 2022

Securing Client-Side and Server-Side SMTP Traffic

Dear all,

I'm looking to secure my SMTP server using STARTTLS, on the client side and the server side. The SMTP server has been configured to listen on port 25 and supports STARTTLS (using a self-signed certificate on the server itself). From the F5 LTM, I can create an SMTPS profile to enable the TLS feature on port 25 on the client side, but I can't do it on the server side.

Here is my SMTPS profile config:

ltm profile smtps smtp-tls-25_smtps {
    activation-mode allow
    app-service none
    defaults-from /Common/smtps
}

Here is my Client-SSL config:

ltm profile client-ssl smtp.domain.com_CS {
    app-service none
    cert-key-chain {
        smtp.domain_Sectigo_cert_chain_0 {
            cert smtp.domain.com
            chain /Common/Sectigo_cert_chain.crt
            key smtp.domain.com
        }
        smtp.domain_Sectigo_cert_chain_1 {
            cert smtp.domain.com
            chain /Common/Sectigo_cert_chain.crt
            key smtp.domain.com
            usage CA
        }
    }
    defaults-from /Common/udes-default-clientssl_profile
    inherit-ca-certkeychain false
    inherit-certkeychain false
    ssl-forward-proxy enabled
    ssl-forward-proxy-verified-handshake enabled
}

Here is my Server-SSL config:

ltm profile server-ssl smtp.domain.com-proxy-fwd_SS {
    app-service none
    defaults-from /Common/udes-default-serverssl_profile
    revoked-cert-status-response-control ignore
    ssl-forward-proxy enabled
    ssl-forward-proxy-verified-handshake enabled
}

Here's my Pool config:

ltm pool smtp-25_pool {
    description "Test de passerelles SMTP sur le port 25"
    members {
        smtpi-dev01_node:25 {
            address 10.32.160.127
            session monitor-enabled
            state up
        }
    }
    monitor /Common/gateway_icmp and smtp-25_hm
    partition INFRA-DEV
}

Here's my Virtual Server config:

ltm virtual smtp-25_vs {
    destination 1.1.1.1%1:smtp
    ip-protocol tcp
    last-modified-time 2022-11-01:17:36:56
    mask 255.255.255.255
    partition INFRA-DEV
    pool smtp-25_pool
    profiles {
        /Common/tcp { }
        smtp-tls-25_smtps { }
        smtp.domain.com-proxy-fwd_SS {
            context serverside
        }
        smtp.domain.com_CS {
            context clientside
        }
    }
    rules {
        /Common/logging_clients_tcp_v3
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        pool natpool-inside-vlan6
        type snat
    }
    translate-address enabled
    translate-port enabled
    vs-index 36
}

When I issue the command:

openssl s_client -showcerts -starttls smtp -connect smtp-dev.domain.com:25

I get this result:

CONNECTED(00000003)
didn't found starttls in server response, try anyway...
139865767704464:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 324 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1667338630
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Running the same command directly against the backend server, I get:

CONNECTED(00000003)
depth=0 CN = smtpi-dev01.domain.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = smtpi-dev01.domain.com
verify return:1
---
Certificate chain
 0 s:/CN=smtpi-dev01.domain.com
   i:/CN=smtpi-dev01.domain.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFbDCCA1SgAwIBAgIUVujZu3QKSfTguvw+U67aQDl8d4swDQYJKoZIhvcNAQEL
...
-----END CERTIFICATE-----
subject=/CN=smtpi-dev01.domain.com
issuer=/CN=smtpi-dev01.domain.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2647 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E9C2D4E06675C447B026017E368AE3148F25A4118DB2D09FC53A1A97AD22165B
    Session-ID-ctx: 
    Master-Key: E12AFB816901DAABAA5BC25F7CF144138E1F1FAF82FA62A3CB734B445FC7420616B571E6377FE2E08257D08DD2B1B651
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 1 (seconds)
    TLS session ticket:
    0000 - 90 89 7c db d6 aa b9 18-5a bf 98 35 04 c0 8f 5c   ..|.....Z..5...\
    0010 - 74 29 37 2e 30 5b 97 98-11 84 51 6e c2 57 90 e4   t)7.0[....Qn.W..
    0020 - 18 33 fc 1b 64 be 35 2f-15 0a 2c b1 f2 7b f1 5b   .3..d.5/..,..{.[
    0030 - 2b 6f 69 da 5a 58 26 42-db 74 61 7e 63 f0 4c 75   +oi.ZX&B.ta~c.Lu
    0040 - 85 d5 11 ae 0c a3 d4 69-cf 23 35 ad 58 05 40 44   .......i.#5.X.@D
    0050 - 89 32 50 af c7 36 65 35-48 3e 1c c2 31 f3 d8 84   .2P..6e5H>..1...
    0060 - 3a b6 3c 52 2f 3c 94 90-3f c6 77 e1 b4 9a 01 54   :.<R/<..?.w....T
    0070 - 90 6a 0a c3 6e e3 20 1c-71 aa 66 7e bb 07 60 fe   .j..n. .q.f~..`.
    0080 - f3 41 e2 73 94 0f 25 f9-70 92 9c ac 01 ef 26 d2   .A.s..%.p.....&.
    0090 - 42 c9 bd aa 84 41 79 21-05 09 a7 16 cd 31 7c 2c   B....Ay!.....1|,

    Start Time: 1667339374
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
250 HELP

So I'm wondering how to get this working. We are using port 25 for the client because we want to allow users to connect to the server in plain text (no SSL) as well as with TLS (STARTTLS). The communication to the backend servers can always be encrypted. I tried using port 465 in the pool definition (the SMTP server has been configured to listen on that port), but I got the same answer (didn't found starttls in server response, try anyway...).

I think I will need to use some iRules to enable STARTTLS on the server side, but I'm not sure how to configure it.

Thank you all in advance for your help!

Best Regards,
Yanick
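The `openssl s_client -starttls smtp` output in the post above fails at two different points: through the F5 virtual server the EHLO reply never advertises STARTTLS ("didn't found starttls in server response"), while directly against the backend the upgrade works but the self-signed certificate fails verification (verify return code 18). The script below, an added example that is not part of the original post and not F5 or openssl code, separates those two checks so each stage can be tested on its own. The hostnames reuse the poster's placeholder names, and the two EHLO replies used for the offline check are constructed samples, not captures from a real server.

```python
"""Probe an SMTP endpoint for STARTTLS, stage by stage.

Added example (not from the forum post): stage 1 parses the EHLO reply and
checks whether STARTTLS is advertised at all; stage 2 performs the upgrade with
certificate verification enabled and reports what the peer presented.
"""
import smtplib
import ssl

# Constructed sample EHLO replies (not captured from a real server).
EHLO_WITH_STARTTLS = (
    b"250-smtpi-dev01.domain.com Hello client [192.0.2.10]\r\n"
    b"250-SIZE 52428800\r\n"
    b"250-8BITMIME\r\n"
    b"250-PIPELINING\r\n"
    b"250-STARTTLS\r\n"
    b"250 HELP\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    b"250-smtp-dev.domain.com Hello client [192.0.2.10]\r\n"
    b"250-SIZE 52428800\r\n"
    b"250-8BITMIME\r\n"
    b"250 HELP\r\n"
)


def parse_ehlo_capabilities(reply: bytes) -> set:
    """Return the upper-cased keywords of a raw multi-line 250 EHLO reply.

    The first 250 line carries the server greeting, not a capability, so it is
    skipped; every later line is '250-KEYWORD [params]' or, last, '250 KEYWORD'.
    """
    lines = [raw.decode("ascii", "replace") for raw in reply.splitlines()]
    lines = [line for line in lines if line.startswith("250")]
    caps = set()
    for line in lines[1:]:
        body = line[4:].strip()
        if body:
            caps.add(body.split()[0].upper())
    return caps


def advertises_starttls(reply: bytes) -> bool:
    """True when the EHLO reply lists STARTTLS. When False, `openssl s_client
    -starttls smtp` prints "didn't found starttls in server response" and the
    handshake cannot succeed, whatever the TLS configuration behind it."""
    return "STARTTLS" in parse_ehlo_capabilities(reply)


def peer_common_name(cert: dict):
    """Extract the subject CN from the dict returned by SSLSocket.getpeercert()."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def probe_starttls(host, port=25, timeout=10, cafile=None):
    """Live check against host:port; returns a dict describing each stage.

    Verification uses the system trust store (or `cafile`), so a self-signed
    backend certificate is reported in verify_error rather than silently accepted.
    """
    result = {"host": host, "port": port, "starttls_advertised": False,
              "tls_version": None, "cipher": None, "peer_cn": None,
              "verify_error": None}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        result["starttls_advertised"] = smtp.has_extn("starttls")
        if not result["starttls_advertised"]:
            return result  # stage 1 failed: nothing to upgrade
        ctx = ssl.create_default_context(cafile=cafile)
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLCertVerificationError as exc:
            result["verify_error"] = exc.verify_message  # e.g. self-signed certificate
            return result
        tls_sock = smtp.sock  # after starttls() this is the wrapped SSLSocket
        result["tls_version"] = tls_sock.version()
        result["cipher"] = tls_sock.cipher()[0]
        result["peer_cn"] = peer_common_name(tls_sock.getpeercert())
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "smtp-dev.domain.com"
    print(probe_starttls(target))
```

Run it once against the virtual server and once against the pool member: if `starttls_advertised` is False only through the F5, the problem is in what the SMTPS profile lets through before the upgrade, not in the TLS profiles; if the backend returns a `verify_error`, that is the self-signed certificate the server-side profile would also have to be told to accept or, better, replace with a certificate the BIG-IP trusts.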

    • yquirion

      Hi mihaic,

      Thank you for your answer. I tried to add this iRule, but it seems that SSL Forward Proxy needs a license on the BigIP device, which I don't have:

      Nov  2 08:34:44 f5-0905 crit tmm2[20835]: 01260000:2: Profile /INFRA-DEV/smtp-dev.domain.com_CS: Forward Proxy is enabled without a license.

      So I think I will change my mind and leave the communication between the F5 and the server unencrypted (SSL offload).

      Thank you very much for taking the time to answer me!

      Regards,
      Yanick

      • JRahm

        The iRule itself does not require forward proxy; I think that's a profile setting that is unnecessary with the iRule (see below). Sam comments on this on the linked codeshare entry, if you still want to pursue the solution you're after.

        You can probably disable these specific lines:

        ltm profile client-ssl smtp.domain.com_CS {
            ssl-forward-proxy enabled
            ssl-forward-proxy-verified-handshake enabled
        }