Forum Discussion
kraigk_52257
Nimbostratus
NimbostratusSMTP STARTTLS iRule
I need help with getting a STARTTLS iRule working for SMTP on our 1600's. We are on version 10.2.1. And to be clear it is working but there are a few tweaks I can't figure out. The main issue is that when I telnet to the VIP I can't do an SMTP conversation. It throws "530 Must issue a STARTTLS command first". If I fire up Outlook Express I am able to use port 25/TLS just fine and the smtp.log with Outlook Express shows a normal conversation. How to get the conversation to work? Here is the code:
when CLIENT_ACCEPTED {
SSL::disable
}
when SERVER_CONNECTED {
TCP::collect
}
when CLIENT_DATA {
set lcpayload [string tolower [TCP::payload]]
if { $lcpayload starts_with "ehlo" } {
TCP::respond "250-STARTTLS\r\n250 OK\r\n"
TCP::payload replace 0 [TCP::payload length] ""
TCP::release
TCP::collect
} elseif { $lcpayload starts_with "starttls" } {
TCP::respond "220 Ready to start TLS\r\n"
TCP::payload replace 0 [TCP::payload length] ""
TCP::release
SSL::enable
} else {
TCP::respond "530 Must issue a STARTTLS command first\r\n"
TCP::payload replace 0 [TCP::payload length] ""
TCP::release
TCP::collect
}
}
when SERVER_DATA {
TCP::release
clientside { TCP::collect }
}
DamionCirrus
One question: if we get activate the Message Security Module, will we still be able to use this iRule?
http://www.f5.com/solutions/security/anti-spam/
Thank you kraigk for the original question and Nat for working to solve it.- I don't see why MSM would interfere with this. MSM is dealing with the rating of inbound senders, this is dealing with people connecting directly to send/retrieve mail. The two should play nicely together, but I suppose I'd have to test them to be sure.
Colin - Damionfound neat command to test ssl connection using openssl
openssl s_client -connect smtptestssl:25 -starttls smtp 
kraigk_52257Are any of you using MSM? Just curious how well it works. I have borrowed code that we use to maintain datagroup lists of rate controlled and blocked IP's. Works great with all our virtual servers (SMTP, POP, IMAP, OWA). Better done in a firewall but a different group manages those so it isn't easy. FW -> LB -> spam FW -> to mail servers. Anywho I ssuspect MSM works well but at a price?- DamionI have the same question as kraigk about MSM.
Another question, I just wanted to verify that under the Profile -> SSL -> Client -> Properties that "Non-SSL Connections" is Enabled?
Are there any other smtp specific settings under the Virtual Server or SSL profile that would help this iRule?
Thanks in advance - kraigk_52257Damion - Non-SSL Connections" is not enabled on my profile. The only other items I have defined are pretty basic - Parent profile = clientssl (and it is default), Certificate, Key, Chain and Trusted Certificate Authority. That's it.
- kraigk_52257Damion - Non-SSL Connections" is not enabled on my profile. The only other items I have defined are pretty basic - Parent profile = clientssl (and it is default), Certificate, Key, Chain and Trusted Certificate Authority. That's it.
asharicz_6648Thanks to all in this thread I got SMTP TLS offloaded to our BIGIP! Works great.
I was frustrated for a bit though, the "stock" iRule in the codeshare did not work for me, best I could tell is that it would never match the payload on "starttls". Forgive me if my terminology is off, I am just a Windows guy 😉
I had this issue testing from telnet, which I figured is the way that telnet submits every character which would cause the match not to happen on the "s" and the rule would then release TCP. I was merely testing to try a "ehlo" and then "starttls" to see if I got a "not implemented" (i.e. it didn't work) or a "220 Ready to start TLS" response which meant it was working.
I then tried using "checktls.com"receiver test to rule out the telnet issues, but that did not work either, which led me to believe there may be some SMTP sending servers out there that will not work with the stock iRule.
I ended up rearchitecting as such:Good lord if someone can tell me how to post the code without the editor removing the spaces and carriage returns? I tried pasting from iRule editor, notepad, wordpad...I even watched the video but he didn't paste in any code he just typed it in... If you want to see the iRule just let me know how to do it and I can post it...
Anyways I had also written a rule to mask SMTP server names, so that one SMTP server can be multiple greeting names through the BIGIP, and I had the same issue, I needed a "if { not ( $lcpayload contains "\r\n" ) } { return }" in order to get the BIGIP to "hold off" until there is a carriage return to do the string matching. At least that is how I think it is working. It wouldn't work without in telnet or testing real SMTP servers with it.- asharicz_6648Well for crying out loud it looks like the "quick reply" works, so here it is:
when CLIENT_ACCEPTED { set ehlo 0 SSL::disable } when SERVER_CONNECTED { TCP::collect } when CLIENT_DATA { set lcpayload [string tolower [TCP::payload]] if { not ( $lcpayload contains "\r\n" ) } { return } if { $lcpayload starts_with "ehlo" } { set ehlo 1 serverside { TCP::collect } TCP::release TCP::collect } if { $lcpayload starts_with "starttls" } { TCP::respond "220 Ready to start TLS\r\n" TCP::payload replace 0 [TCP::payload length] "" TCP::release SSL::enable } else { TCP::release } } when SERVER_DATA { if { $ehlo == 1 and not([string tolower [TCP::payload]] contains "starttls") } { TCP::payload replace 0 0 "250-STARTTLS\r\n" } TCP::release clientside { TCP::collect } } - Sorry for the troubles with the editor...glad you got it working finally. And thanks for the submission!
Colin
