POP3/IMAP Start TLS
Problem this snippet solves:
Summary: This iRule lets a client start in clear text, rewrites the server's capability response so that STARTTLS (IMAP) or STLS (POP3) is advertised, and from that point on refuses every client command except STARTTLS/STLS; when that command arrives the LTM answers it itself and starts the TLS handshake on the client side. Commands sent before the capability exchange, including logins, are not inspected at all, so TLS is offered rather than enforced.
Code :
#imap#
when CLIENT_ACCEPTED {
    # Start every client connection in clear text; TLS is only switched on by
    # SSL::enable in CLIENT_DATA once the client has sent STARTTLS.
    # Client data is deliberately NOT collected here, so CLIENT_DATA (and its
    # "STARTTLS first" gate) does not run until SERVER_DATA turns it on after
    # the server's "* CAPABILITY" response. NOTE(review): a client that never
    # asks for capabilities can therefore LOGIN over this clear-text path; if
    # TLS must be mandatory, collect client data here and let only
    # CAPABILITY/NOOP/LOGOUT through before STARTTLS.
    # NOTE(review): SSL::enable later in the rule presumably needs a client SSL
    # profile attached to the virtual server -- confirm the VS configuration.
    SSL::disable
}
when SERVER_CONNECTED {
    # Buffer server responses from the first byte so SERVER_DATA can spot the
    # "* CAPABILITY" reply and rewrite it; only the server side is inspected
    # at this stage of the connection.
    TCP::collect
}
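when CLIENT_DATA {
    # Gate: once the client side is being collected (SERVER_DATA enables this
    # after the CAPABILITY response), the only command accepted is STARTTLS.
    # Everything else is answered with BAD and dropped, so no credential
    # reaches the server in clear text from this point on.
    set payload [TCP::payload]
    # Evaluate only a complete command line. The original rule judged whatever
    # bytes had arrived, so a STARTTLS split across TCP segments was rejected
    # (or mis-parsed) on its first fragment. The 1 KiB bound keeps a client
    # that never sends a line terminator from growing the buffer without limit.
    if { ([string first "\n" $payload] == -1) && ([string length $payload] < 1024) } {
        TCP::collect
        return
    }
    set line [string trimright [getfield $payload "\n" 1] "\r"]
    # IMAP command line is "<tag> <command> ..."; match the command word
    # itself rather than "starttls" anywhere in the buffer (which also matched
    # e.g. a LOGIN whose arguments contained that string).
    set tag [getfield $line " " 1]
    set cmd [string tolower [string trim [getfield $line " " 2]]]
    if { $cmd eq "starttls" } {
        TCP::respond "$tag OK \"Begin TLS negotiation now\"\r\n"
        # Discard the whole buffer, not just this line: anything the client
        # pipelined in clear text behind STARTTLS must not be forwarded as if
        # it had been sent inside the TLS session (STARTTLS command injection).
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        # Client side is released without another collect, so decrypted
        # traffic flows straight through once the handshake completes.
        SSL::enable
    } else {
        TCP::respond "$tag BAD \"Must issue a STARTTLS command first\"\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        # Keep gating until STARTTLS shows up.
        TCP::collect
    }
}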
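when SERVER_DATA {
    # Watch clear-text server responses for the first untagged CAPABILITY
    # reply and splice " STARTTLS" into it so the client sees STARTTLS
    # advertised; from then on the client side is collected and CLIENT_DATA
    # refuses everything except STARTTLS. Server data is not inspected after
    # that, so any later CAPABILITY reply is passed through unmodified.
    # NOTE(review): if the pool member already lists STARTTLS it will appear
    # twice -- harmless, but confirm that is intended.
    set payload [TCP::payload]
    set capPos [string first "* CAPABILITY" $payload]
    if { $capPos >= 0 } {
        # Insert immediately after the "* CAPABILITY" token wherever it sits
        # in the buffer. The original patched byte 12 unconditionally, which
        # is only correct when that token is the very start of the segment
        # (not when another untagged line precedes it).
        TCP::payload replace [expr {$capPos + 12}] 0 " STARTTLS"
        TCP::release
        # Hand over to the client-side gate; stop collecting on the server side.
        clientside { TCP::collect }
    } else {
        TCP::release
        TCP::collect
    }
}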
#pop3#
when CLIENT_ACCEPTED {
    # Start every client connection in clear text; TLS is only switched on by
    # SSL::enable in CLIENT_DATA once the client has sent STLS.
    # Client data is deliberately NOT collected here, so CLIENT_DATA (and its
    # "STLS first" gate) does not run until SERVER_DATA turns it on after the
    # server's CAPA response. NOTE(review): a client that never sends CAPA can
    # therefore send USER/PASS over this clear-text path; if TLS must be
    # mandatory, collect client data here and let only CAPA/NOOP/QUIT through
    # before STLS.
    # NOTE(review): SSL::enable later in the rule presumably needs a client SSL
    # profile attached to the virtual server -- confirm the VS configuration.
    SSL::disable
}
when SERVER_CONNECTED {
    # Buffer server responses from the first byte so SERVER_DATA can spot the
    # CAPA reply and append STLS to it; only the server side is inspected at
    # this stage of the connection.
    TCP::collect
}
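when CLIENT_DATA {
    # Gate: once the client side is being collected (SERVER_DATA enables this
    # after the CAPA response), the only command accepted is STLS. Everything
    # else is answered with -ERR and dropped, so USER/PASS never reach the
    # server in clear text from this point on.
    set payload [TCP::payload]
    # Evaluate only a complete command line. The original rule judged whatever
    # bytes had arrived, so an STLS split across TCP segments was rejected on
    # its first fragment. The 1 KiB bound keeps a client that never sends a
    # line terminator from growing the buffer without limit.
    if { ([string first "\n" $payload] == -1) && ([string length $payload] < 1024) } {
        TCP::collect
        return
    }
    set line [string trimright [getfield $payload "\n" 1] "\r"]
    # POP3 keywords are case-insensitive (RFC 1939). The original compared
    # against upper-case "STLS" only, so a lower-case client was refused --
    # unlike the IMAP half of this rule, which lower-cases before matching.
    set cmd [string tolower [string trim [getfield $line " " 1]]]
    if { $cmd eq "stls" } {
        TCP::respond "+OK Begin TLS negotiation\r\n"
        # Discard the whole buffer, not just this line: anything the client
        # pipelined in clear text behind STLS must not be forwarded as if it
        # had been sent inside the TLS session (STARTTLS command injection).
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        # Client side is released without another collect, so decrypted
        # traffic flows straight through once the handshake completes.
        SSL::enable
    } else {
        TCP::respond "-ERR Must issue STLS command first\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        # Keep gating until STLS shows up.
        TCP::collect
    }
}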
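when SERVER_DATA {
    # Watch clear-text server responses for the CAPA reply and append an
    # "STLS" line so the client sees it advertised; from then on the client
    # side is collected and CLIENT_DATA refuses everything except STLS.
    # Server data is not inspected after that, so a later CAPA reply is
    # passed through unmodified.
    # Detection relies on the server's "+OK" text containing the word
    # "capability" (RFC 2449 does not mandate that wording), and any other
    # response containing that word would also trigger it -- NOTE(review):
    # confirm against the pool member's actual CAPA and greeting text.
    set payload [TCP::payload]
    set plen [string length $payload]
    if { ![info exists stls_capa_pending] } {
        set stls_capa_pending 0
    }
    if { [string tolower $payload] contains "capability" } {
        set stls_capa_pending 1
    }
    # A multi-line POP3 response ends with a line holding a single ".". The
    # original assumed that terminator was always the last three bytes of
    # this segment and would splice "STLS" into the middle of a CAPA reply
    # that arrived in several pieces; instead remember that a CAPA reply is
    # in progress and only insert once the terminator line is actually here.
    set terminated 0
    if { $stls_capa_pending } {
        if { ($payload eq ".\r\n") || ([string range $payload end-4 end] eq "\r\n.\r\n") } {
            set terminated 1
        }
    }
    if { $terminated } {
        # Insert just before the 3-byte terminator ".\r\n".
        TCP::payload replace [expr {$plen - 3}] 0 "STLS\r\n"
        set stls_capa_pending 0
        TCP::release
        # Hand over to the client-side gate; stop collecting on the server side.
        clientside { TCP::collect }
    } else {
        TCP::release
        TCP::collect
    }
}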