Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Advanced iRules: SMTP Start TLS

JRahm
Community Manager
Community Manager

‎26-Oct-2011 13:49 - edited ‎02-Oct-2023 14:35

F5er and DevCentral member natty76 wrote a few iRules a while back on interactive TLS session starting on the SMTP, IMAP, and POP3 protocols. A lot of the iRules can be understood from a flow perspective by reading the iRule top to bottom. This is not the case for these iRules. In this article, I’ll break down the SMTP communication context for the BIG-IP as middleman between client and server. I’ve saved the iRule as an image below so I reference line numbers as I go. The SMTP iRule as well as the IMAP and POP3 iRules are available in the iRules Codeshare.   Before digging into the iRule, the usage example in section six of RFC 2487 is illustrated in the drawing below with the steps from our description to follow highlighted on each leg of the protocol exchange.

0151T000003d4AWQAY.png

 

The iRule

0151T000003d4AXQAY.png

  1. The process starts with the standard TCP 3-way handshake, which results in the CLIENT_ACCEPTED event firing (line 2). At this point I don’t know if the client is requiring TLS yet, so ehlo is set to 0 and SSL is disabled (set by default in the virtual server profile.)
  2. With the SMTP protocol, the client initiates the connection but it’s the server that sends data first. This means that after the client connection occurs, we need to collect data on the server side of the connection, which is performed here when the SERVER_CONNECTED event fires (lines 6-7).
  3. SERVER_DATA fires when the server sends (and has been collected by the collect in line 7). The if will not match yet as the ehlo variable is still zero with no client data to match. The data is also released here (line 29)
  4. I do however, want to catch when the client sends data, so I do a clientside collect. (line 30)
  5. When the client does send data, the CLIENT_DATA event fires (line 9). The payload is de-cased and stored in the variable lcpayload (line 10) and then is checked for the existence of the ehlo command (line 11).
  6. If the ehlo was present, I collect on the serverside  again (looking for TLS support messages) and make sure I set ehlo to true (lines 12-13).
  7. I release client data to continue flow, then collect again to look for the starttls command from the client.
  8. Now on the server side, if ehlo is set and the starttls is not in the message, replace the payload with a starttls message. (line 27)
  9. And again release the data (line 29)
  10. Now when client data arrives with starttls, LTM responds directly informing the client to start TLS communication (lines 16-17) and then swallows the payload (line 18).
  11. After responding to the client, I need to enable SSL to the virtual is ready  for the client hello from the client (line 20).
  12. Finally, if there is no ehlo or starttls from the client, I’ll just release the payload. This is to allow clients not supporting starttls through. (line 22)
 
Labels:
Comments
Gaetan_Gicquel
Nimbostratus
Nimbostratus
‎26-Jan-2021 03:27

Many thank's !

Just one precision, if you have configured SSL Bridging on your Virtual Server, you must specify SSL::disable for both clientside and serverside at the step 1, beceause by default it's only apply on clientside.

0 Kudos
Version history
Last update:
‎02-Oct-2023 14:35
Updated by:
Community Manager
Contributors
Copyright © 2023 Khoros, LLC