Forum Discussion
Josh_Hildebran1
Nimbostratus
Jul 11, 2006
SMTP EHLO response
I'd like to make an iRule that looks for a "EHLO " command and simply responds w/ a particular error message.
I've tried to piece together something, but I've come up short, apparently. Can anyon...
rapmaster_c_127
Jul 13, 2006
Historic F5 Account
You also would get generally better performance (at the cost of missing an EHLO if it's not the 1st command from the client) by doing this:
rule FixUP-SMTP {
    when SERVER_CONNECTED {
        peer { TCP::collect 4 }
    }
    when CLIENT_DATA {
        if { [TCP::payload] starts_with "EHLO" } {
            TCP::respond "500 5.3.3 Unrecognized command\r\n"
            TCP::payload replace 0 [TCP::payload length] ""
        }
        TCP::release
    }
}
This is probably the common case you're trying to resolve.
Comments:
1. We use SERVER_CONNECTED instead of CLIENT_ACCEPTED because SMTP is a banner protocol. Many clients will not send their first HELO/EHLO until they see the banner from the server. So we wait for the server connection prior to starting our client side collection.
2. Since the event is on the server side, we need to collect on the client side. Thus the use of the peer command.
3. We want to make sure we have at least 4 bytes of payload in our collect.
4. starts_with is more efficient than contains.
5. reject/discard/etc result in operations on the connection. You don't want this; you simply want the payload in that particular segment to be ignored. So we replace it with nothing and continue.
Hope this helps.
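Added example, not part of the original post and not F5 code: a small Python model of the rule's client-side logic, run over constructed client sessions to show which inputs get the 500 reply and which pass through to the server. It assumes that CLIENT_DATA does not fire again after TCP::release unless TCP::collect is called again, and that starts_with compares case-sensitively; the class, function and session names are hypothetical.

```python
# Model (added example, not F5 code) of the iRule's client-side logic:
# collect at least 4 bytes once, compare case-sensitively, then release.

REPLY = b"500 5.3.3 Unrecognized command\r\n"   # reply string from the iRule


class EhloFilter:
    """One instance per client connection (hypothetical name)."""

    def __init__(self):
        self.buf = b""          # bytes held by TCP::collect
        self.released = False   # True after TCP::release: no more inspection

    def on_client_bytes(self, data):
        """Return (bytes_to_server, bytes_to_client) for one client segment."""
        if self.released:
            return data, b""                 # assumption: CLIENT_DATA no longer fires
        self.buf += data
        if len(self.buf) < 4:
            return b"", b""                  # TCP::collect 4 is still waiting
        payload, self.buf, self.released = self.buf, b"", True
        if payload.startswith(b"EHLO"):      # assumption: case-sensitive match
            return b"", REPLY                # payload replaced with "", 500 sent
        return payload, b""                  # anything else passes untouched


def run(segments):
    """Feed a list of client segments through a fresh filter."""
    f = EhloFilter()
    return [f.on_client_bytes(s) for s in segments]


# Constructed sample sessions (client-to-server bytes only).
SESSIONS = {
    "ehlo_first":    [b"EHLO client.example\r\n", b"HELO client.example\r\n"],
    "split_segment": [b"EH", b"LO client.example\r\n"],
    "lowercase":     [b"ehlo client.example\r\n"],
    "ehlo_later":    [b"NOOP\r\n", b"EHLO client.example\r\n"],
}

if __name__ == "__main__":
    for name, segs in SESSIONS.items():
        print(name, run(segs))
```

The last two sessions reach the server unchanged: SMTP command verbs are case-insensitive, and the rule inspects only the first collected payload, which is the trade-off noted at the top of the reply.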
