SMTP Start TLS

Nat_Thirasuttakorn · ‎18-Mar-2015

Problem this snippet solves:

Summary: This iRule allows either clear text or TLS encrypted communication with the LTM initiating the encryption process if it sees the appropriate "starttls" command in the SMTP communication.

Code :

when CLIENT_ACCEPTED {
    set ehlo 0
    SSL::disable
}
when SERVER_CONNECTED {
    TCP::collect
}
when CLIENT_DATA {
    set lcpayload [string tolower [TCP::payload]]
    if { $lcpayload starts_with "ehlo" } {
        set ehlo 1
        serverside { TCP::collect }
        TCP::release
        TCP::collect
    } elseif { $lcpayload starts_with "starttls" } {
        TCP::respond "220 Ready to start TLS\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        SSL::enable
    } else {
        TCP::release
    }
}
when SERVER_DATA {
    if { $ehlo == 1 and not([string tolower [TCP::payload]] contains "starttls") } {
        TCP::payload replace 0 0 "250-STARTTLS\r\n"
    }
    TCP::release
    clientside { TCP::collect }
}

JG_249184 · ‎03-Mar-2017

Does this achieve end to end SMTP TLS? I am looking for a way to send secure all the way to the backend servers.

MichaelJordan_1 · ‎02-May-2019

Thanks. I'm gonna try this one. Fingers crossed...

Sam_Novak · ‎02-May-2019

@MichaelJordan perhaps the iRule I just posted might solve your problem? My testing thus far is promising. https://devcentral.f5.com/s/articles/starttls-server-smtp-with-cleartext-and-starttls-client-support...

¬†

DevCentral

SMTP Start TLS