Securing Client-Side and Server-Side SMTP Traffic
Hi JRahm,
On an F5 lab appliance we have deployed, we have all available licences, but it is limited to 10Mb/s.
I tried the iRule, but I was getting the same issue:
CONNECTED(00000003)
didn't found starttls in server response, try anyway...
139865767704464:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 324 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1667338630
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
When using openssl (in STARTTLS mode) to test the connection, I see in /var/log/ltm the "CLIENT_ACCEPTED" message from the iRule debug line:
if { $DEBUG } { log local0. "CLIENT_ACCEPTED" }
Then it takes maybe 10-15 seconds, and the message "Didn't find STARTTLS in server response, trying anyway..." appears.
I will now try your suggestion and disable ssl-proxy from the CS.
I'll keep you posted.
Thank you again for your reply.
Regards,
Yanick
Hi again!
I did the test, and I have the same result. Here is the config I have:
ltm profile client-ssl smtp-dev.domain.com-proxy-fwd_CS {
    app-service none
    cert-key-chain {
        smtp-dev.domain_Sectigo_cert_chain_0 {
            cert smtp-dev.domain.com_SECTIGO
            chain /Common/Sectigo_cert_chain.crt
            key smtp-dev.domain.com_SECTIGO
        }
    }
    defaults-from /Common/udes_clientssl_profile
    inherit-ca-certkeychain true
    inherit-certkeychain false
}
ltm profile server-ssl smtp-dev.domain.com-proxy-fwd_SS {
    allow-expired-crl enabled
    app-service none
    defaults-from /Common/udes_serverssl_profile
    peer-cert-mode ignore
    revoked-cert-status-response-control ignore
    unknown-cert-status-response-control ignore
}
ltm virtual smtp-dev-25_vs {
    creation-time 2022-11-02:10:30:50
    destination 1.1.1.1%6:smtp
    ip-protocol tcp
    last-modified-time 2022-11-04:09:07:59
    mask 255.255.255.255
    partition INFRA-DEV
    pool smtp-dev-25_pool
    profiles {
        /Common/tcp { }
        smtp-dev.domain.com-proxy-fwd_CS {
            context clientside
        }
        smtp-dev.domain.com-proxy-fwd_SS {
            context serverside
        }
    }
    rules {
        smtp-starttls_rule
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 20
}
I'm using the iRules from the article posted by mihaic. I have the same behavior as described in my last post.
So, I think we will just use the F5 in pass-through mode (no SSL) and install the certificate directly on the servers.
If anyone has any suggestions, I will be happy to test them.
Thank you again for your help!
Yanick
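The openssl message in the thread ("didn't found starttls in server response") means the plaintext EHLO exchange never produced a 250 reply advertising STARTTLS. As an added example, not part of this thread or of F5's iRules, here is a small Python probe that separates the two failure modes a proxied SMTP listener can show: no 220 banner at all (the listener expects TLS from the first byte, which is what a client-ssl profile does unless the iRule turns it off for the plaintext phase) versus a banner followed by an EHLO reply that lacks STARTTLS. The host, port and the sample EHLO replies below are assumptions constructed for the example.

```python
import socket

# Constructed sample EHLO replies (not captured from the poster's appliance).
EHLO_WITH_STARTTLS = ("250-smtp-dev.example.test Hello probe.invalid\r\n"
                      "250-SIZE 52428800\r\n250-STARTTLS\r\n250 ENHANCEDSTATUSCODES\r\n")
EHLO_WITHOUT_STARTTLS = ("250-smtp-dev.example.test Hello probe.invalid\r\n"
                         "250 SIZE 52428800\r\n")

def parse_ehlo(reply: str) -> dict:
    # RFC 5321 multi-line reply: '250-' continues, '250 ' (space) ends it. With no
    # final line the reply is incomplete, which is why openssl s_client waits
    # several seconds before giving up on STARTTLS.
    code, complete, keywords = None, False, []
    for line in reply.splitlines():
        if len(line) < 4 or not line[:3].isdigit():
            continue
        code = line[:3]
        if code != "250":
            break
        keywords.append(line[4:].strip().split(" ")[0].upper())
        if line[3] == " ":
            complete = True
            break
    # The first 250 line is the greeting (hostname), not an extension keyword.
    return {"code": code, "complete": complete, "extensions": keywords[1:]}

def starttls_offered(reply: str) -> bool:
    info = parse_ehlo(reply)
    return info["complete"] and "STARTTLS" in info["extensions"]

def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    # Plaintext connect + EHLO only; no TLS handshake is attempted. A missing 220
    # banner means the listener is waiting for a TLS ClientHello (implicit TLS).
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = s.recv(1024).decode(errors="replace")
            if not banner.startswith("220"):
                return {"starttls": False, "reason": "no 220 banner (implicit TLS?)"}
            s.sendall(b"EHLO probe.invalid\r\n")
            reply = b""
            while not parse_ehlo(reply.decode(errors="replace"))["complete"]:
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
            s.sendall(b"QUIT\r\n")
    except OSError as exc:  # socket.timeout is an OSError subclass
        return {"starttls": False, "reason": f"no banner: {exc} (implicit TLS?)"}
    offered = starttls_offered(reply.decode(errors="replace"))
    return {"starttls": offered, "reason": "" if offered else "EHLO reply lacks STARTTLS"}
```

Running `probe_starttls("smtp-dev.domain.com")` against the virtual server tells you whether to look at the client-ssl profile (no banner) or at the back-end's EHLO capabilities (banner but no STARTTLS).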