Forum Discussion
Darren__Jacobs_
Nimbostratus
Mar 02, 2007
STARTTLS proxy for IMAP
Hi All,
I'm trying to write an iRule that will let me offload STARTTLS functionality off my IMAP servers and onto our LTM.
We've gotten IMAPS and POPS working just fine. However, getting STARTTLS for IMAP to work is taking some effort.
Here's the iRule I'm trying to use:
--
when RULE_INIT {
    # Global flag; note this is shared by every connection through the virtual server
    set ::tls 0
}
when CLIENT_ACCEPTED {
    if { $::tls ne 1 } {
        # Send our own greeting advertising STARTTLS and wait for the client's first command
        TCP::respond "* OK \[CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS AUTH=LOGIN\] mailbox-starttls.xxx.xxx.ca IMAP4rev1 2002.336+utsl at Tue, 6 Feb 2007 12:33:56 -0500 (EST)\r\n"
        TCP::collect
    }
    if { $::tls == 1 } {
        persist ssl
        pool TEST_STARTTLS_pool
    }
}
when CLIENT_DATA {
    set cdata [TCP::payload]
    if { [string length $cdata] <= 0 } {
        return
    }
    if { ($cdata contains "CAPABILITY") or ($cdata contains "capability") } {
        # Answer CAPABILITY ourselves; the first field of the line is the IMAP tag
        TCP::respond "* CAPABILITY IMAP4REV1 IDLE NAMESPACE MAILBOX-REFERRALS BINARY SCAN SORT THREAD=REFERENCES THREAD=ORDERED SUBJECT MULTIAPPEND LOGIN-REFERRALS STARTTLS AUTH=LOGIN\r\n"
        set theline [split $cdata]
        set theindex [lindex $theline 0]
        TCP::respond "$theindex OK CAPABILITY completed\r\n"
        # Drop the command from the buffer so it is never forwarded
        TCP::payload replace 0 [string length $cdata] ""
        set theline ""
        set theindex ""
        return
    }
    if { $cdata contains "STARTTLS" } {
        # Set the global flag (the original wrote "set tls 1", which created an unrelated local variable)
        set ::tls 1
        set theline [split $cdata]
        set theindex [lindex $theline 0]
        TCP::respond "$theindex OK Begin TLS negotiation now\r\n"
        TCP::payload replace 0 [string length $cdata] ""
        return
    }
    if { ($cdata contains "LOGIN") or ($cdata contains "login") } {
        set theline [split $cdata]
        set usrname [lindex $theline 1]
        set pwd [lindex $theline 2]
        pool TEST_STARTTLS_pool
    }
    TCP::collect
}
----
Using a sniffer I can see the conversation between the mail client and the virtual server happening as expected up until the point where the client begins the TLS negotiation. I was vainly hoping that the "persist ssl" statement would automagically set up the TLS connection and the pool command would send all the subsequent traffic to the IMAP server.
What I see is that the client initiates a connection to the virtual server, and then I see an IMAP request that looks like it's been encrypted. The virtual server sends back an ACK... and then... nothing for 60 secs. I then see the client send a FIN,ACK and the connection goes away.
Can anyone suggest:
(1) a good way to troubleshoot the actual SSL conversation between the client and the virtual server
(2) whether I am approaching the handling of the SSL traffic the right way. Should I be trying something a bit more low level than the 'persist ssl' command?
Regards,
Darren Jacobs
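The piece missing from the approach above is that "persist ssl" only selects a persistence method; it does not make the LTM start speaking TLS on a connection that began in cleartext. To terminate STARTTLS the virtual server needs a client SSL profile attached and the iRule has to turn that profile off for the cleartext phase and on again right after the "OK Begin TLS negotiation" reply, so that the next bytes from the client (the TLS ClientHello) are handled by the SSL stack instead of being collected as IMAP payload. The following iRule is an added example, not the original poster's code and not an F5-supplied iRule. It assumes a client SSL profile is attached to the virtual server, that the LTM release in use supports the SSL::disable and SSL::enable commands, and that the pool member speaks plain IMAP; the pool name TEST_STARTTLS_pool is reused from the post and the greeting hostname is a placeholder.

```tcl
# Added example (not the original poster's iRule): STARTTLS offload for IMAP on LTM.
# Assumptions (not stated in the thread): a client SSL profile is attached to the
# virtual server, SSL::disable / SSL::enable are available on this LTM release, and
# the pool member accepts cleartext IMAP. Hostname and pool name are placeholders.

when CLIENT_ACCEPTED {
    # Start in cleartext: the client SSL profile is switched off until STARTTLS.
    SSL::disable
    # Connection-local flag (a local variable persists across events of one
    # connection; a ::global as in the original post would be shared by all clients).
    set tls_started 0
    # Our own greeting advertises STARTTLS so a well-behaved client will request it.
    TCP::respond "* OK \[CAPABILITY IMAP4REV1 STARTTLS AUTH=LOGIN\] imap.example.invalid IMAP4rev1 ready\r\n"
    TCP::collect
}

when CLIENT_DATA {
    set cdata [TCP::payload]
    if { [string length $cdata] == 0 } {
        TCP::collect
        return
    }
    # IMAP commands are "<tag> <COMMAND> [args]"; compare the command case-insensitively.
    set fields [split [string trim $cdata]]
    set tag [lindex $fields 0]
    set cmd [string toupper [lindex $fields 1]]

    switch -- $cmd {
        "CAPABILITY" {
            TCP::respond "* CAPABILITY IMAP4REV1 STARTTLS AUTH=LOGIN\r\n"
            TCP::respond "$tag OK CAPABILITY completed\r\n"
            # Consume the command so it is never forwarded to the pool member.
            TCP::payload replace 0 [string length $cdata] ""
            TCP::collect
        }
        "STARTTLS" {
            # Acknowledge in cleartext, strip the command, then hand the connection
            # to the SSL stack: from here on the client SSL profile decrypts the
            # stream and the pool member receives plain IMAP.
            TCP::respond "$tag OK Begin TLS negotiation now\r\n"
            TCP::payload replace 0 [string length $cdata] ""
            set tls_started 1
            SSL::enable
            pool TEST_STARTTLS_pool
            TCP::release
        }
        default {
            if { $cmd eq "LOGIN" && !$tls_started } {
                # Never let credentials cross the wire before the channel is encrypted.
                TCP::respond "$tag NO Use STARTTLS first\r\n"
                TCP::payload replace 0 [string length $cdata] ""
                TCP::collect
            } else {
                # NOOP, LOGOUT, etc. are harmless in cleartext; forward them as-is.
                pool TEST_STARTTLS_pool
                TCP::release
            }
        }
    }
}

when SERVER_CONNECTED {
    # The pool member sends its own "* OK" greeting, but the client already got ours,
    # so collect the first server payload instead of relaying it.
    TCP::collect
}

when SERVER_DATA {
    # Discard the server greeting (assumed to arrive as its own segment) and relay
    # everything after it unchanged.
    TCP::payload replace 0 [TCP::payload length] ""
    TCP::release
}
```

The client SSL profile must carry a certificate whose name matches what clients connect to, and the IMAP servers in the pool no longer need their own TLS configuration for this virtual server. For question (1), the handshake itself can be captured with tcpdump on the LTM and, because the private key lives on the LTM, decoded with ssldump using that key (only for RSA key exchange; ephemeral Diffie-Hellman suites cannot be decoded this way), which shows whether the client's ClientHello is ever answered. A 60-second stall followed by the client's FIN is the symptom to expect when the ClientHello is being collected as IMAP payload rather than being processed by an SSL profile.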
- st0n3_87491
Nimbostratus
Did you find a solution in the meantime?