F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

yquirion's avatar
yquirion
Icon for Altostratus rankAltostratus
Nov 01, 2022

Securing Client-Side and Server-Side SMTP Traffic

Dear all, I'm looking to secure my SMTP server using STARTLS, on the client-side and the server-side. The SMTP server has been configured to listen on port 25 and supports STARTTLS (using self-signe...
security
  • yquirion's avatar
    yquirion
    Icon for Altostratus rankAltostratus
    Nov 02, 2022

    Hi mihaic,

    Thank you for your answer. I tried to add this iRule, but it seems than SSL Forward Proxy needs a licence on the BigIP device, which I don't have:

    Nov  2 08:34:44 f5-0905 crit tmm2[20835]: 01260000:2: Profile /INFRA-DEV/smtp-dev.domain.com_CS: Forward Proxy is enabled without a license.

    For I think I will change my mind and let commuinication between F5 and the server unencrypted (SSL ofload).

    Thank you very much for taking the time to answer me!

    Regards,
    Yanick

    • JRahm's avatar
      JRahm
      Icon for Admin rankAdmin
      Nov 03, 2022

      The iRule itself does not require forward proxy, I think that's a profile setting that is unnecessary with the irule (see below). Sam comments on this on the linked codeshare entry, if you still want to pursue the solution you're after.

      Probably can disable these specific lines:

       

      ltm profile client-ssl smtp.domain.com_CS {
    ssl-forward-proxy enabled
    ssl-forward-proxy-verified-handshake enabled
}

       

      • yquirion's avatar
        yquirion
        Icon for Altostratus rankAltostratus
        Nov 04, 2022

        Hi JRahm,

        On an F5 lab appliance we have deployed, we have all available licences, but it is limited to 10Mb/s.

        I tried the iRule, but I was getting the same issue:

         

        CONNECTED(00000003)
didn't found starttls in server response, try anyway...
139865767704464:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 324 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1667338630
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

         

        When using openssl (in STARTTLS mode), to test the connection, I will see on the /var/log/ltm, the "CLIENT_ACCEPTED" from the iRule debug line:

         

        if { $DEBUG } { log local0. "CLIENT_ACCEPTED" }

         

        Then it took maybe 10-15 seconds and the message "Didn't find STARTTLS in server response, trying anyway..." will appear.

        I will now try your suggestion and disable ssl-proxy from the CS.

        I'll keep you posted.

        Thank you again for your reply.

        Regards,
        Yanick