SMTP STARTTLS iRule

Below is a succesful STARTTLS transaction from the Outlook Express log. Thought this might provide some expert a clue. I am very weak on these iRules. I added [SERVER] and [CLIENT]+ for easy identification.

 

 

[SERVER] 220 mail.company.com Microsoft ESMTP MAIL Service ready at

 

[CLIENT]+EHLO

 

[SERVER] 250-STARTTLS

 

[SERVER] 250 OK

 

[CLIENT]+STARTTLS

 

[SERVER] 220 Ready to start TLS

 

[CLIENT]+EHLO

 

[SERVER] 250-mail.company.com Hello

 

[SERVER] 250-SIZE 36700160

 

[SERVER] 250-PIPELINING

 

[SERVER] 250-DSN

 

[SERVER] 250-ENHANCEDSTATUSCODES

 

[SERVER] 250-AUTH GSSAPI NTLM LOGIN

 

[SERVER] 250-8BITMIME

 

[SERVER] 250-BINARYMIME

 

[SERVER] 250 CHUNKING

 

[SERVER] AUTH NTLM

 

[SERVER] 334 NTLM supported

 

[CLIENT]+TXXXXXBXX4IXIogAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==

 

[SERVER] 334 TXXXXXBXX4IXIogAAAAAAAAAAAAAAAAAAFAs4OAAAADw==

 

[SERVER] 235 2.7.0 Authentication successful

 

[CLIENT]+MAIL FROM:

 

[SERVER] 250 2.1.0 Sender OK

 

[CLIENT]+RCPT TO:

 

[SERVER] 250 2.1.5 Recipient OK

 

[CLIENT]+DATA

 

[SERVER] 354 Start mail input; end with .

 

[CLIENT]+ .

 

[SERVER] 250 2.6.0 <3FDBD313125DE@company.com> [InternalId=322182] Queued mail for delivery

 

[CLIENT]+QUIT

 

[SERVER] 221 2.0.0 Service closing transmission channel

if I am not wrong telnet may send one or two character at a time, and that may not work with this iRule.

 

you may try using netcat and or openssl (s_client)

 

 

another alternative is using outlook express client and tcpdump/wireshark to see how it works after you put your tweak in the iRule

Good point NAT. Telnet isn't a mail client and not behaving like one. The reality is the iRule works. TLS is working as supposed to but it was a matter of having an easy means of testing via telnet. I'll have to sniff the traffic. Thanks.

Did you get this working and is this essentially the iRule to offload the workload of TLS encryption to the F5 for SMTP->SMTPS over port 25

Tried it and it seems like the logic is wrong. Because shouldn't this enable clear text pass through if starttls is never requested by client?

Hi Damion,

As I remember, this iRule enforce the encryption. So it does not allow clear text.

if you want clear text pass through, the iRule may need to be modified.

you might try changing last "else" condition to be something like below.

I am not sure if it might help or not, I didn't test üôÇ

    } else {
          TCP::respond "530 Must issue a STARTTLS command first\r\n"
          comment below line (the below line swallow client data...)
         TCP::payload replace 0 [TCP::payload length] ""
         TCP::release
          release and never collect again
         TCP::collect
   }

Thanks,

Nat

umm...

 

the "TCP::respond" should be commented out as well

I'll test this out and let you know.. You are right Damion - clear text is not working.

Well it doesn't seem if even the original does the proper pass through of information let alone enabling ssl

 

 

telnet smtptestssl 25

 

Trying x.x.x.x...

 

Connected to smtptestssl.domain.com (x.x.x.x).

 

Escape character is '^]'.

 

220 pmx1.domain.com ESMTP Postfix

 

ehlo myhost-b.domain.com

 

250-STARTTLS

 

250 OK

 

starttls

 

220 Ready to start TLS

 

mail from: myemail@domain.com

 

503 5.5.1 Error: send HELO/EHLO first

 

This yielded a 503 5.5.2 error "Send Hello First"

 

 

} else {

 

TCP::respond "530 Must issue a STARTTLS command first\r\n"

 

comment below line (the below line swallow client data...)

 

TCP::payload replace 0 [TCP::payload length] ""

 

TCP::release

 

release and never collect again

 

TCP::collect

 

}

 

 

 

I then tried to uncomment this TCP::respond "530 Must issue a STARTTLS command first\r\n" with this:

 

 

TCP::respond "EHLO\r\n"

 

 

and got an error I forgot to write down.

 

 

SSL/TLS on port 25 does work with my original code but I get no telnet and as Damion pointed out no clear text.