Forum Discussion
Securing Client-Side and Server-Side SMTP Traffic
I found this:
It might help you.
- yquirion, Nov 02, 2022, Altostratus
Hi mihaic,
Thank you for your answer. I tried to add this iRule, but it seems that SSL Forward Proxy needs a licence on the BIG-IP device, which I don't have:
Nov 2 08:34:44 f5-0905 crit tmm2[20835]: 01260000:2: Profile /INFRA-DEV/smtp-dev.domain.com_CS: Forward Proxy is enabled without a license.
So I think I will change my mind and leave communication between the F5 and the server unencrypted (SSL offload).
Thank you very much for taking the time to answer me!
Regards,
Yanick
- JRahm, Nov 03, 2022, Admin
The iRule itself does not require forward proxy; I think that's a profile setting that is unnecessary with the iRule (see below). Sam comments on this on the linked codeshare entry, if you still want to pursue the solution you're after.
You can probably disable these specific lines:
    ltm profile client-ssl smtp.domain.com_CS {
        ssl-forward-proxy enabled
        ssl-forward-proxy-verified-handshake enabled
    }
- yquirion, Nov 04, 2022, Altostratus
Hi JRahm,
On an F5 lab appliance we have deployed, we have all available licences, but it is limited to 10 Mb/s.
I tried the iRule, but I was getting the same issue:
    CONNECTED(00000003)
    didn't found starttls in server response, try anyway...
    139865767704464:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 324 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1667338630
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
When using openssl (in STARTTLS mode) to test the connection, I see the "CLIENT_ACCEPTED" from the iRule debug line in /var/log/ltm:
if { $DEBUG } { log local0. "CLIENT_ACCEPTED" }
Then it takes maybe 10-15 seconds and the message "Didn't find STARTTLS in server response, trying anyway..." appears.
I will now try your suggestion and disable ssl-proxy from the CS.
I'll keep you posted.
Thank you again for your reply.
Regards,
Yanick