Forum Discussion
SMTPS Encrypted traffic issues
Hi Team
We're currently relaying email to our SMTP cloud server over the internet. Our goal is to ensure the traffic to the cloud relay is encrypted. Right now, the internal servers send traffic in plain text to the F5, which then handles SSL encryption before forwarding to the cloud.
I've tried two methods to set this up but I'm running into errors. Could someone suggest a reliable approach for encrypting this traffic?
Method1:
Server < Clear Text > F5 VIP < SMTPS Profile STARTTLS> CloudServer
Send-MailMessage : The SMTP server requires a secure connection or the client was not authenticated. The server
response was: Must issue a STARTTLS command first
At line:1 char:1
+ Send-MailMessage -from " atest@xmail.com " -to "a ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.Mail.SmtpClient:SmtpClient) [Send-MailMessage], SmtpExcept
ion
+ FullyQualifiedErrorId : SmtpException,Microsoft.PowerShell.Commands.SendMailMessage
Method2:
Server < Clear Text > F5 VIP < SSL Encryption (SSL profile)> CloudServer
Error:
Send-MailMessage : Unable to read data from the transport connection: An existing connection was forcibly closed by
the remote host.
At line:1 char:1
+ Send-MailMessage -from "atest@xmail.com" -to "a ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.Mail.SmtpClient:SmtpClient) [Send-MailMessage], SmtpExcept
ion
+ FullyQualifiedErrorId : SmtpException,Microsoft.PowerShell.Commands.SendMailMessage
1 Reply
- Sravs
Altocumulus
Hi
Method1: F5 does not inject STARTTLS negotiation on behalf of the client. The client itself must initiate STARTTLS. But your internal client is speaking plaintext SMTP, and doesn’t trigger STARTTLS.
Method2: This also fails since the client sends plaintext, but the cloud server expects an SSL handshake, causing it to close the connection.
If you want to implement SSL, you need to use both client and server SSL profiles, and the servers must support SSL as well. Are you using iApp?
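To tell which mode a given SMTP listener speaks (plaintext, STARTTLS offered or required, or TLS from the first byte) before choosing the profile on each side of the F5, the probe below classifies a port. It is an added example, not part of the original thread or F5's code; it uses only the Python standard library, and the function name `probe_smtp` and the EHLO name `probe.example` are assumptions.

```python
import socket
import ssl

def _read_reply(sock):
    """Read one SMTP reply (possibly multi-line); return (code, lines)."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        # The last line of a reply has a space, not '-', after the code.
        if buf.endswith(b"\r\n") and buf.split(b"\r\n")[-2][3:4] != b"-":
            break
    lines = buf.decode("ascii", "replace").splitlines()
    code = int(lines[0][:3]) if lines and lines[0][:3].isdigit() else 0
    return code, lines

def probe_smtp(host, port, timeout=5.0):
    """Return 'plaintext-only', 'starttls-offered', 'starttls-required',
    'implicit-tls' or 'unknown' for the listener at host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            code, _ = _read_reply(s)  # a plaintext listener greets with 220
            if code == 220:
                s.sendall(b"EHLO probe.example\r\n")  # constructed client name
                _, caps = _read_reply(s)
                if not any(c[4:].upper().startswith("STARTTLS") for c in caps):
                    return "plaintext-only"
                s.sendall(b"MAIL FROM:<>\r\n")  # envelope only, no message sent
                code, _ = _read_reply(s)
                s.sendall(b"QUIT\r\n")
                # 530 here is the "Must issue a STARTTLS command first" case.
                return "starttls-required" if code == 530 else "starttls-offered"
    except OSError:
        pass  # no banner or reset: the listener may expect a TLS ClientHello
    try:
        ctx = ssl.create_default_context()  # certificate and hostname verified
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                code, _ = _read_reply(tls)
                return "implicit-tls" if code == 220 else "unknown"
    except OSError:
        return "unknown"
```

Run it once against the F5 virtual server and once against the cloud relay's address and port; a `starttls-required` result on a hop whose sender speaks plain SMTP matches the Method 1 error above.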