Forum Discussion
Securing Client-Side and Server-Side SMTP Traffic
Hi mihaic,
Thank you for your answer. I tried to add this iRule, but it seems that SSL Forward Proxy needs a licence on the BIG-IP device, which I don't have:
Nov 2 08:34:44 f5-0905 crit tmm2[20835]: 01260000:2: Profile /INFRA-DEV/smtp-dev.domain.com_CS: Forward Proxy is enabled without a license.
So I think I will change my mind and leave communication between the F5 and the server unencrypted (SSL offload).
Thank you very much for taking the time to answer me!
Regards,
Yanick
The iRule itself does not require forward proxy, I think that's a profile setting that is unnecessary with the irule (see below). Sam comments on this on the linked codeshare entry, if you still want to pursue the solution you're after.
You can probably disable these specific lines:
ltm profile client-ssl smtp.domain.com_CS {
ssl-forward-proxy enabled
ssl-forward-proxy-verified-handshake enabled
}
- yquirion, Nov 04, 2022, Altostratus
Hi JRahm,
On an F5 lab appliance we have deployed, we have all available licences, but it is limited to 10Mb/s.
I tried the iRule, but I was getting the same issue:
CONNECTED(00000003)
didn't found starttls in server response, try anyway...
139865767704464:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 324 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1667338630
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
When using openssl (in STARTTLS mode) to test the connection, I see in /var/log/ltm the "CLIENT_ACCEPTED" message from the iRule debug line:
if { $DEBUG } { log local0. "CLIENT_ACCEPTED" }
Then it takes maybe 10-15 seconds and the message "Didn't find STARTTLS in server response, trying anyway..." appears.
I will now try your suggestion and disable ssl-proxy from the CS.
I'll keep you posted.
Thank you again for your reply.
Regards,
Yanick
- yquirion, Nov 04, 2022, Altostratus
Hi again!
I did the test, and I have the same result. Here is the config I have:
ltm profile client-ssl smtp-dev.domain.com-proxy-fwd_CS {
    app-service none
    cert-key-chain {
        smtp-dev.domain_Sectigo_cert_chain_0 {
            cert smtp-dev.domain.com_SECTIGO
            chain /Common/Sectigo_cert_chain.crt
            key smtp-dev.domain.com_SECTIGO
        }
    }
    defaults-from /Common/udes_clientssl_profile
    inherit-ca-certkeychain true
    inherit-certkeychain false
}
ltm profile server-ssl smtp-dev.domain.com-proxy-fwd_SS {
    allow-expired-crl enabled
    app-service none
    defaults-from /Common/udes_serverssl_profile
    peer-cert-mode ignore
    revoked-cert-status-response-control ignore
    unknown-cert-status-response-control ignore
}
ltm virtual smtp-dev-25_vs {
    creation-time 2022-11-02:10:30:50
    destination 1.1.1.1%6:smtp
    ip-protocol tcp
    last-modified-time 2022-11-04:09:07:59
    mask 255.255.255.255
    partition INFRA-DEV
    pool smtp-dev-25_pool
    profiles {
        /Common/tcp { }
        smtp-dev.domain.com-proxy-fwd_CS {
            context clientside
        }
        smtp-dev.domain.com-proxy-fwd_SS {
            context serverside
        }
    }
    rules {
        smtp-starttls_rule
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 20
}
I'm using the iRules from the article posted by mihaic. I have the same behavior as described in my last post.
So, I think we will just use the F5 in passthru mode (no SSL) and install the certificate directly on the servers.
If someone has any suggestions, I will be happy to test them. Thank you again for your help!
Yanick
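Added here as an example, not code from the thread, from F5 or from the linked iRule: a small Python probe that performs the same exchange "openssl s_client -starttls smtp" does (banner, EHLO, STARTTLS, TLS handshake) but reports which step failed, which separates a virtual server that never sends a banner from one whose EHLO reply lacks STARTTLS or whose TLS handshake fails. The host, port, EHLO name and timeout are assumed placeholders.

```python
import re
import socket
import ssl

def parse_ehlo(reply: str) -> tuple[bool, list[str]]:
    """Parse an EHLO reply ('250-KEYWORD' continuation lines, '250 KEYWORD' last line).
    Returns (success, advertised keywords); any non-250 status means EHLO failed."""
    keywords = []
    for line in reply.splitlines():
        if not re.match(r"\d{3}[- ]", line):
            continue                       # skip anything that is not a status line
        if line[:3] != "250":
            return False, []
        keywords.append(line[4:].split(" ", 1)[0].upper())
    return bool(keywords), keywords[1:]    # first 250 line is the greeting, not a keyword

def read_reply(sock: socket.socket) -> str:
    """Read one SMTP reply; it ends at the first 'NNN ' (space after the code) line."""
    data = b""
    while not re.search(rb"(?m)^\d{3} .*\r?\n", data):
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data.decode(errors="replace")

def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Report where STARTTLS fails: 'no-banner', 'no-starttls', 'tls-failed' or 'ok'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False             # diagnosing the handshake, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            if not read_reply(sock).startswith("220"):
                return "no-banner"
        except socket.timeout:
            return "no-banner"             # the 10-15 s hang described in the thread
        sock.sendall(b"EHLO probe.example\r\n")   # assumed client name
        ok, keywords = parse_ehlo(read_reply(sock))
        if not (ok and "STARTTLS" in keywords):
            return "no-starttls"           # openssl: "didn't found starttls in server response"
        sock.sendall(b"STARTTLS\r\n")
        if not read_reply(sock).startswith("220"):
            return "no-starttls"
        try:
            ctx.wrap_socket(sock, server_hostname=host).close()
            return "ok"
        except ssl.SSLError:
            return "tls-failed"            # openssl: "ssl handshake failure"
```

Run probe_starttls("smtp-dev.domain.com") against the virtual server from the client side; a result other than "ok" tells you which part of the exchange the iRule and SSL profiles are not completing.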