Forum Discussion
SMTP Traffic Forward to M365 on Port 587
We're working on transitioning away from using our internal Exchange servers for SMTP, and instead pointing to M365 directly via the F5. I have had success sending anonymous traffic on port 25, but have not been able to get the secure/port 587 traffic to send. We have some applications that require this, as they're sending e-mails outside our domain, which fails via anonymous port 25 SMTP.
We have a pool pointed to smtp.office365.com that shows it is able to send traffic on port 587 and get a handshake response, and I've confirmed our firewall should be allowing the traffic through. However, when attempting to send test traffic on port 587 with authentication (via PowerShell's Send-MailMessage command), I get the error "The remote certificate is invalid according to the validation procedure."
I've tried adding our mail certificate to the F5 and configuring it as both the client and server certificate, without luck. In fact, if I configure it as the server certificate for the virtual server on the F5, the error message does change but still fails (Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.)
The individual who originally set up our F5, and who knew the most about its configuration, has retired, so I'm trying to figure this out with no internal guidance.
Has anyone successfully been able to get authenticated port 587 traffic to forward through the F5 to M365 that can provide some advice?
- JRahmAdmin
Hi JGCovalt, congrats on inheriting the BIG-IP! Welcome to the community, and hopefully we can assist. Just a couple of comments/resources to get you thinking before the long weekend:
- Currently, do you have only a port 25 virtual server and port 25 pool members, or do you have listeners/pool members for both 25/587?
- Do you need to observe/act on secured mail arriving from client or server, or just route it?
- Solutions for supporting cleartext and TLS-encrypted mail:
  - Codeshare - https://community.f5.com/t5/codeshare/starttls-server-smtp-with-cleartext-and-starttls-client-support/ta-p/287751
  - Codeshare - https://community.f5.com/t5/codeshare/smtp-start-tls/ta-p/291390
  - Article - https://community.f5.com/t5/technical-articles/advanced-irules-smtp-start-tls/ta-p/287499
- JGCovaltNimbostratus
I have a pool and virtual machine set up for 25 and another for 587, and can confirm that both are getting a reply from M365 when setting a health check to those ports. I'd been trying to use the iRule in your second link without success.
The iRule on the first link you provided, however, seemed to fix the issue. I have at least one application that still won't authenticate properly on 587, but I think that's the app, not my settings.
Thanks very much!
- zamroni777Nacreous
I suggest you do a tcpdump on the F5, the client and the SMTP servers to see the details of the TLS session setup.
Probably the cipher lists of the client and server don't have any match, so they can't make the session.
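Both the certificate error from the original post and the handshake question raised just above can be pinned down from the client side before reaching for tcpdump. The script below is an added example for this thread, not code from any of the posts or from F5: it opens an SMTP session to a host and port (the VIP name `smtp.corp.example` is a placeholder; use the exact name your applications pass to `-SmtpServer`, because that is the name .NET validates the certificate against), issues EHLO and STARTTLS, completes the TLS handshake with a validation callback that records why .NET would reject the certificate instead of throwing, and then prints the presented certificate's subject, issuer, validity, SANs, the negotiated protocol and cipher, and the AUTH mechanisms the server advertises inside TLS.

```powershell
# Added diagnostic example for this thread (not code from the original posts or from F5).
# Opens an SMTP session, upgrades with STARTTLS, and reports what the far end presents.
# $SmtpHost is a hypothetical VIP name; replace it with the name your applications use.
param(
    [string]$SmtpHost     = 'smtp.corp.example',   # hypothetical F5 virtual server name
    [int]   $Port         = 587,
    [string]$ExpectedName = $SmtpHost              # what .NET validates the certificate against
)

# Read one SMTP reply, following "250-" continuation lines until the "250 " final line.
function Read-SmtpReply([System.IO.TextReader]$Reader) {
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by peer before a full SMTP reply arrived' }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ,$lines
}

$tcp    = [System.Net.Sockets.TcpClient]::new($SmtpHost, $Port)
$net    = $tcp.GetStream()
$reader = [System.IO.StreamReader]::new($net)
$writer = [System.IO.StreamWriter]::new($net)
$writer.NewLine   = "`r`n"
$writer.AutoFlush = $true

Write-Host "BANNER   : $((Read-SmtpReply $reader) -join ' | ')"
$writer.WriteLine("EHLO diag.$SmtpHost")
$ehlo = Read-SmtpReply $reader
Write-Host "EHLO     : $($ehlo -join ' | ')"
if (-not ($ehlo -match 'STARTTLS')) { throw 'Server did not advertise STARTTLS on this port' }

$writer.WriteLine('STARTTLS')
$reply = Read-SmtpReply $reader
if ($reply[-1] -notmatch '^220') { throw "STARTTLS refused: $($reply -join ' ')" }

# Capture .NET's verdict instead of letting AuthenticateAsClient throw, so the reason is visible.
$verdict  = @{ Errors = $null; Chain = @() }
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $verdict.Errors = $sslPolicyErrors
    if ($chain) {
        $verdict.Chain = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
    return $true   # accept for diagnosis only; a real client must return $false on any error
}
$ssl = [System.Net.Security.SslStream]::new($net, $false, $callback)
$ssl.AuthenticateAsClient($ExpectedName)

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
$san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
Write-Host "TLS      : $($ssl.SslProtocol) $($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
Write-Host "SUBJECT  : $($cert.Subject)"
Write-Host "ISSUER   : $($cert.Issuer)"
Write-Host "VALID    : $($cert.NotBefore) -> $($cert.NotAfter)"
Write-Host "SAN      : $(if ($san) { $san.Format($false) } else { '(none)' })"
Write-Host "VERDICT  : $($verdict.Errors)"
$verdict.Chain | ForEach-Object { Write-Host "CHAIN    : $_" }

# RFC 3207: the client must send EHLO again inside TLS; this is where AUTH is advertised.
$tlsReader = [System.IO.StreamReader]::new($ssl)
$tlsWriter = [System.IO.StreamWriter]::new($ssl)
$tlsWriter.NewLine = "`r`n"; $tlsWriter.AutoFlush = $true
$tlsWriter.WriteLine("EHLO diag.$SmtpHost")
$ehloTls = Read-SmtpReply $tlsReader
Write-Host "EHLO/TLS : $($ehloTls -join ' | ')"
Write-Host "AUTH     : $(($ehloTls -match 'AUTH') -join '; ')"
$tlsWriter.WriteLine('QUIT')
$ssl.Dispose(); $tcp.Close()
```

Save it as, say, `Test-SmtpStartTls.ps1` (a name chosen here) and run `.\Test-SmtpStartTls.ps1 -SmtpHost <vip name> -Port 587` from the same client that runs Send-MailMessage, so the trust store being consulted is the one that matters. A VERDICT of `RemoteCertificateNameMismatch` means the certificate on the listener does not cover the name the applications connect to; `RemoteCertificateChainErrors` with CHAIN lines means the issuer is not trusted on that client; `None` means the name and chain are fine and the original failure lies elsewhere. If the script dies with "Connection closed by peer" or an I/O error during `AuthenticateAsClient`, that is the client-side view of the "forcibly closed" symptom described in the first post, and the handshake itself, not the certificate, is being rejected, which is where a tcpdump on the BIG-IP earns its keep. On the BIG-IP, `tmsh list ltm virtual <name>` shows which SSL profiles and iRules are actually attached to the 587 listener. Never ship the `return $true` callback in anything but a diagnostic: it disables certificate validation entirely.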