01-Nov-2022 15:01
Dear all,
I'm looking to secure my SMTP server using STARTTLS, on the client side and the server side. The SMTP server has been configured to listen on port 25 and supports STARTTLS (using a self-signed certificate on the server itself). From the F5 LTM, I can create an SMTPS profile to enable the TLS feature on port 25 on the client side, but I can't do it on the server side.
Here is my SMTPS profile config:
ltm profile smtps smtp-tls-25_smtps {
activation-mode allow
app-service none
defaults-from /Common/smtps
}
Here is my Client-SSL config:
ltm profile client-ssl smtp.domain.com_CS {
app-service none
cert-key-chain {
smtp.domain_Sectigo_cert_chain_0 {
cert smtp.domain.com
chain /Common/Sectigo_cert_chain.crt
key smtp.domain.com
}
smtp.domain_Sectigo_cert_chain_1 {
cert smtp.domain.com
chain /Common/Sectigo_cert_chain.crt
key smtp.domain.com
usage CA
}
}
defaults-from /Common/udes-default-clientssl_profile
inherit-ca-certkeychain false
inherit-certkeychain false
ssl-forward-proxy enabled
ssl-forward-proxy-verified-handshake enabled
}
Here is my Server-SSL config:
ltm profile server-ssl smtp.domain.com-proxy-fwd_SS {
app-service none
defaults-from /Common/udes-default-serverssl_profile
revoked-cert-status-response-control ignore
ssl-forward-proxy enabled
ssl-forward-proxy-verified-handshake enabled
}
Here's my Pool config:
ltm pool smtp-25_pool {
description "Test de passerelles SMTP sur le port 25"
members {
smtpi-dev01_node:25 {
address 10.32.160.127
session monitor-enabled
state up
}
}
monitor /Common/gateway_icmp and smtp-25_hm
partition INFRA-DEV
}
Here's my Virtual Server config:
ltm virtual smtp-25_vs {
destination 1.1.1.1%1:smtp
ip-protocol tcp
last-modified-time 2022-11-01:17:36:56
mask 255.255.255.255
partition INFRA-DEV
pool smtp-25_pool
profiles {
/Common/tcp { }
smtp-tls-25_smtps { }
smtp.domain.com-proxy-fwd_SS {
context serverside
}
smtp.domain.com_CS {
context clientside
}
}
rules {
/Common/logging_clients_tcp_v3
}
serverssl-use-sni disabled
source 0.0.0.0/0
source-address-translation {
pool natpool-inside-vlan6
type snat
}
translate-address enabled
translate-port enabled
vs-index 36
}
When I issue the command:
openssl s_client -showcerts -starttls smtp -connect smtp-dev.domain.com:25
I got this result:
CONNECTED(00000003)
didn't found starttls in server response, try anyway...
139865767704464:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 324 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1667338630
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Running the same command directly against the backend server, I get:
CONNECTED(00000003)
depth=0 CN = smtpi-dev01.domain.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = smtpi-dev01.domain.com
verify return:1
---
Certificate chain
0 s:/CN=smtpi-dev01.domain.com
i:/CN=smtpi-dev01.domain.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFbDCCA1SgAwIBAgIUVujZu3QKSfTguvw+U67aQDl8d4swDQYJKoZIhvcNAQEL
...
-----END CERTIFICATE-----
subject=/CN=smtpi-dev01.domain.com
issuer=/CN=smtpi-dev01.domain.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2647 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: E9C2D4E06675C447B026017E368AE3148F25A4118DB2D09FC53A1A97AD22165B
Session-ID-ctx:
Master-Key: E12AFB816901DAABAA5BC25F7CF144138E1F1FAF82FA62A3CB734B445FC7420616B571E6377FE2E08257D08DD2B1B651
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 1 (seconds)
TLS session ticket:
Start Time: 1667339374
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
250 HELP
So I'm wondering how to get this working. We are using port 25 for the client because we want to allow users to connect to the server in plain text (no SSL) as well as with TLS (STARTTLS). The communication to the backend servers can always be encrypted. I tried using port 465 in the pool definition (the SMTP server has been configured to listen on that port), but I got the same answer (didn't found starttls in server response, try anyway...).
I think I will need to use some iRules to enable STARTTLS on the server side, but I'm not sure how to configure it.
Thank you all in advance for your help!
Best Regards,
Yanick
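An added diagnostic, not code from this thread or from F5: it walks the SMTP dialogue step by step (greeting, EHLO, STARTTLS) and reports exactly where it fails, which is more precise than openssl's "didn't found starttls in server response" message. The EHLO name and the two transcripts are constructed for the offline check; only probe() talks to a real host.

```python
import io
import socket
import ssl

def read_reply(rfile):
    """Read one (possibly multi-line) SMTP reply; return (code, [text of each line])."""
    lines = []
    while True:
        line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3:
            raise ConnectionError("connection closed or malformed reply")
        lines.append(line[4:])
        if line[3:4] != "-":  # a space (or nothing) after the code ends the reply
            return int(line[:3]), lines

def negotiate_starttls(rfile, wfile, helo_name="probe.example"):
    """Clear-text phase: greeting, EHLO, STARTTLS. Raises with the precise reason."""
    code, _ = read_reply(rfile)
    if code != 220:
        raise RuntimeError(f"unexpected greeting code {code}")
    wfile.write(f"EHLO {helo_name}\r\n".encode()); wfile.flush()
    code, caps = read_reply(rfile)
    if code != 250:
        raise RuntimeError(f"EHLO rejected with {code}")
    if not any(c.upper().split()[:1] == ["STARTTLS"] for c in caps[1:]):
        raise RuntimeError("STARTTLS not advertised in EHLO response")
    wfile.write(b"STARTTLS\r\n"); wfile.flush()
    code, _ = read_reply(rfile)
    if code != 220:
        raise RuntimeError(f"STARTTLS refused with {code}")

def simulate(server_bytes):
    """Replay a constructed server transcript offline; return 'ok' or the failure reason."""
    try:
        negotiate_starttls(io.BytesIO(server_bytes), io.BytesIO())
        return "ok"
    except (RuntimeError, ConnectionError, ValueError) as exc:
        return str(exc)

def probe(host, port=25, timeout=10):
    """Live check: negotiate, then return (TLS version, DER peer cert); verification is off so a self-signed backend cert can still be inspected."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        negotiate_starttls(sock.makefile("rb"), sock.makefile("wb"))
        ctx = ssl.create_default_context()
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert(binary_form=True)

OK_TRANSCRIPT = b"220 smtp ESMTP\r\n250-smtp\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 HELP\r\n220 Go ahead\r\n"
NO_STARTTLS = b"220 smtp ESMTP\r\n250-smtp\r\n250 HELP\r\n"  # constructed transcripts, not captured from the poster's servers
```

Running probe() against the virtual server and then directly against the pool member shows which hop stops advertising STARTTLS, which is the comparison the two openssl runs above make by hand.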
02-Nov-2022 00:36
I found this:
it might help you.
02-Nov-2022 05:38
Hi mihaic,
Thank you for your answer. I tried to add this iRule, but it seems that SSL Forward Proxy needs a licence on the BIG-IP device, which I don't have:
Nov 2 08:34:44 f5-0905 crit tmm2[20835]: 01260000:2: Profile /INFRA-DEV/smtp-dev.domain.com_CS: Forward Proxy is enabled without a license.
So I think I will change my mind and leave the communication between the F5 and the server unencrypted (SSL offload).
Thank you very much for taking the time to answer me!
Regards,
Yanick
03-Nov-2022 08:58 - edited 03-Nov-2022 09:00
The iRule itself does not require forward proxy; I think that's a profile setting that is unnecessary with the iRule (see below). Sam comments on this on the linked codeshare entry, if you still want to pursue the solution you're after.
You can probably disable these specific lines:
ltm profile client-ssl smtp.domain.com_CS {
ssl-forward-proxy enabled
ssl-forward-proxy-verified-handshake enabled
}
04-Nov-2022 05:46 - edited 04-Nov-2022 05:48
Hi JRahm,
On an F5 lab appliance we have deployed, we have all available licences, but it is limited to 10Mb/s.
I tried the iRule, but I was getting the same issue:
CONNECTED(00000003)
didn't found starttls in server response, try anyway...
139865767704464:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 324 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1667338630
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
When using openssl (in STARTTLS mode) to test the connection, I see in /var/log/ltm the "CLIENT_ACCEPTED" from the iRule debug line:
if { $DEBUG } { log local0. "CLIENT_ACCEPTED" }
Then, after maybe 10-15 seconds, the message "Didn't find STARTTLS in server response, trying anyway..." appears.
I will now try your suggestion and disable ssl-proxy from the CS.
I'll keep you posted.
Thank you again for your reply.
Regards,
Yanick
04-Nov-2022 06:21 - edited 04-Nov-2022 06:23
Hi again!
I did the test, and I have the same result. Here is the config I have:
ltm profile client-ssl smtp-dev.domain.com-proxy-fwd_CS {
app-service none
cert-key-chain {
smtp-dev.domain_Sectigo_cert_chain_0 {
cert smtp-dev.domain.com_SECTIGO
chain /Common/Sectigo_cert_chain.crt
key smtp-dev.domain.com_SECTIGO
}
}
defaults-from /Common/udes_clientssl_profile
inherit-ca-certkeychain true
inherit-certkeychain false
}
ltm profile server-ssl smtp-dev.domain.com-proxy-fwd_SS {
allow-expired-crl enabled
app-service none
defaults-from /Common/udes_serverssl_profile
peer-cert-mode ignore
revoked-cert-status-response-control ignore
unknown-cert-status-response-control ignore
}
ltm virtual smtp-dev-25_vs {
creation-time 2022-11-02:10:30:50
destination 1.1.1.1%6:smtp
ip-protocol tcp
last-modified-time 2022-11-04:09:07:59
mask 255.255.255.255
partition INFRA-DEV
pool smtp-dev-25_pool
profiles {
/Common/tcp { }
smtp-dev.domain.com-proxy-fwd_CS {
context clientside
}
smtp-dev.domain.com-proxy-fwd_SS {
context serverside
}
}
rules {
smtp-starttls_rule
}
serverssl-use-sni disabled
source 0.0.0.0/0
translate-address enabled
translate-port enabled
vs-index 20
}
I'm using the iRule from the article posted by mihaic. I have the same behavior as described in my last post.
So, I think we will just use the F5 in passthrough mode (no SSL) and install the certificate directly on the servers.
If someone has any suggestion I will be happy to test.
Thank you again for your help!
Yanick