Forum Discussion
SMTP STARTTLS iRule
I need help with getting a STARTTLS iRule working for SMTP on our 1600s. We are on version 10.2.1. To be clear, it is working, but there are a few tweaks I can't figure out. The main issue is that when I telnet to the VIP I can't do an SMTP conversation. It throws "530 Must issue a STARTTLS command first". If I fire up Outlook Express I am able to use port 25/TLS just fine, and the smtp.log with Outlook Express shows a normal conversation. How do I get the conversation to work? Here is the code:
when CLIENT_ACCEPTED {
    # A client SSL profile is attached to the VIP, but SMTP starts in clear
    # text, so hold off TLS until the client asks for it with STARTTLS.
    SSL::disable
}
when SERVER_CONNECTED {
    # Hold the server's 220 greeting so SERVER_DATA fires first.
    TCP::collect
}
when CLIENT_DATA {
    # Note: this matches on the raw TCP segment, not on a complete SMTP line.
    set lcpayload [string tolower [TCP::payload]]
    if { $lcpayload starts_with "ehlo" } {
        # Answer EHLO on the server's behalf, advertising only STARTTLS.
        TCP::respond "250-STARTTLS\r\n250 OK\r\n"
        # Drop the client's EHLO; it is never forwarded to the server.
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        TCP::collect
    } elseif { $lcpayload starts_with "starttls" } {
        TCP::respond "220 Ready to start TLS\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        # Start TLS on the client side; from here on data is passed through.
        SSL::enable
    } else {
        # Anything else sent before STARTTLS is rejected and swallowed.
        TCP::respond "530 Must issue a STARTTLS command first\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        TCP::collect
    }
}
when SERVER_DATA {
    # Pass the server greeting to the client, then start collecting client data.
    TCP::release
    clientside { TCP::collect }
}
- kraigk_52257 (Nimbostratus): Below is a successful STARTTLS transaction from the Outlook Express log. Thought this might provide some expert a clue. I am very weak on these iRules. I added [SERVER] and [CLIENT]+ for easy identification.
- Nat_Thirasuttakorn (Employee): If I am not wrong, telnet may send one or two characters at a time, and that may not work with this iRule.
- kraigk_52257 (Nimbostratus): Good point, Nat. Telnet isn't a mail client and is not behaving like one. The reality is the iRule works. TLS is working as it is supposed to, but it was a matter of having an easy means of testing via telnet. I'll have to sniff the traffic. Thanks.
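The following is an added example, not code from the thread or from F5. It models the posted iRule's CLIENT_DATA branch in Python so the telnet problem raised above can be reproduced offline: the iRule tests `starts_with "ehlo"` against each TCP segment, so a client that sends whole lines (a mail client) gets the 250/220 replies, while a client that sends one keystroke per segment (interactive telnet) hits the 530 branch on every byte. It also shows that, in every branch, the client's pre-STARTTLS data is blanked and never reaches the server. The `buffered_session` variant (assembling segments into CRLF-terminated lines first) and the `probe_starttls` helper (testing a VIP with `smtplib` instead of telnet) are assumptions about how one could test or adjust this, not something the thread prescribes; the hostnames are made up.

```python
"""Offline model of the posted STARTTLS iRule's CLIENT_DATA logic.

Added example, not the thread's own code. The BIG-IP is not involved; the
branch logic is reproduced in Python so segment-at-a-time input (telnet) can
be compared with line-at-a-time input (a mail client)."""

import smtplib
import ssl
from dataclasses import dataclass, field


@dataclass
class ProxyState:
    """What the iRule effectively tracks across CLIENT_DATA events."""
    tls_enabled: bool = False                      # set once SSL::enable has run
    collecting: bool = True                        # True while TCP::collect is in force
    responses: list = field(default_factory=list)  # what TCP::respond sent to the client
    forwarded: list = field(default_factory=list)  # what was released to the server


def client_data(payload: bytes, st: ProxyState) -> None:
    """Mirror the posted iRule's CLIENT_DATA branch for one TCP segment.

    The match is on the *segment*, not on a complete SMTP line, and every
    branch blanks the payload, so nothing sent before STARTTLS reaches the
    real server."""
    if st.tls_enabled or not st.collecting:
        # After SSL::enable the iRule stops collecting; data flows to the server.
        st.forwarded.append(payload)
        return
    lc = payload.lower()
    if lc.startswith(b"ehlo"):
        st.responses.append(b"250-STARTTLS\r\n250 OK\r\n")
        # TCP::payload replace ... "" ; TCP::release ; TCP::collect
    elif lc.startswith(b"starttls"):
        st.responses.append(b"220 Ready to start TLS\r\n")
        st.tls_enabled = True    # SSL::enable, with no further TCP::collect
        st.collecting = False
    else:
        st.responses.append(b"530 Must issue a STARTTLS command first\r\n")
    # Every branch swallows the segment: the server never sees it.


def run_session(segments):
    """Feed segments through the iRule model exactly as the BIG-IP would see them."""
    st = ProxyState()
    for seg in segments:
        client_data(seg, st)
    return st


def buffered_session(segments):
    """Assumed variant: assemble CRLF-terminated lines before matching.

    Not from the thread; in iRule terms this is 'keep calling TCP::collect
    until the payload contains a CRLF'. It makes keystroke-at-a-time input
    behave like a mail client."""
    st = ProxyState()
    buf = b""
    for seg in segments:
        buf += seg
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            client_data(line + b"\r\n", st)
    return st


def mail_client_segments():
    # Constructed input: a mail client writes each command as one segment.
    return [b"EHLO laptop.example\r\n", b"STARTTLS\r\n", b"EHLO laptop.example\r\n"]


def telnet_segments():
    # Constructed input: interactive telnet typically sends one keystroke per segment.
    return [bytes([c]) for c in b"ehlo laptop.example\r\n"]


def probe_starttls(host, port=25):
    """Test a real VIP the way a MUA does (needs network; not run offline).

    Assumed helper: host/port are whatever your VIP is. Certificate
    verification is disabled because lab VIPs usually carry self-signed certs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            return "no STARTTLS advertised"
        s.starttls(context=ctx)
        code, msg = s.ehlo()     # second EHLO, now inside TLS
        return f"{code} {msg.decode(errors='replace')}"
```

Running `run_session(telnet_segments())` yields a 530 for every single byte and nothing forwarded, which is the symptom in the original post; `run_session(mail_client_segments())` yields the 250-STARTTLS and 220 replies and forwards only the post-TLS EHLO, so the backend never sees a hello until TLS is up. `probe_starttls("vip.example")` is the quick replacement for telnet when checking the VIP itself.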
- Damion (Cirrus): Did you get this working, and is this essentially the iRule to offload the workload of TLS encryption to the F5 for SMTP->SMTPS over port 25?
- Damion (Cirrus): Tried it, and it seems like the logic is wrong. Shouldn't this enable clear-text pass-through if STARTTLS is never requested by the client?
- Nat_Thirasuttakorn (Employee): Hi Damion,

    } else {
        TCP::respond "530 Must issue a STARTTLS command first\r\n"
        # comment out the line below (the line below swallows client data...)
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        # release and never collect again
        TCP::collect
    }
- Nat_Thirasuttakorn (Employee): umm...
- kraigk_52257 (Nimbostratus): I'll test this out and let you know. You are right, Damion: clear text is not working.
- Damion (Cirrus): Well, it doesn't seem as if even the original does the proper pass-through of information, let alone enabling SSL.
- kraigk_52257 (Nimbostratus): This yielded a 503 5.5.2 error, "Send Hello First".