Forum Discussion
Michael_Harwoo1
Dec 23, 2015 Nimbostratus
I have recently found this post by someone else that shows an iRule that works almost for what I wanted. https://devcentral.f5.com/questions/adding-starttls-functionality-to-outbound-smtp-sessions-via-irule
It just needed some tweaking of the "if" statements to get it to accept the slightly different responses from the TLS SMTPS server we were trying to connect to.
when CLIENT_ACCEPTED {
    # No SSL client side; also make sure no SSL is running already on the server side
    log local0. "client accepted"
    SSL::disable serverside
}
when SERVER_CONNECTED {
    TCP::collect
}
when SERVER_DATA {
    # Read in responses from the remote server into a variable and log to /var/log/ltm
    log local0. "server payload: [string tolower [TCP::payload]]"
    set payload [string tolower [TCP::payload]]
    if { $payload starts_with "220" and $payload contains "esmtp" } {
        # Listen for the remote server's opening 220 and esmtp message.
        # NOTE the 'if' statement above may need to be tweaked to expect what message the other
        # side is actually sending in reply. Logs should show this.
        # Respond with an EHLO to the server; most servers require a name after the EHLO as well.
        TCP::respond "EHLO insert.dns.certificate.server.name.here.com\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        log local0. "responded to server with EHLO"
        serverside {TCP::collect}
    } elseif { $payload contains "250-starttls" } {
        # Check the server responds with "250-starttls"; if so, respond with a STARTTLS
        TCP::respond "STARTTLS\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        log local0. "Sent the server a STARTTLS"
        serverside {TCP::collect}
    } elseif { $payload contains "220 ready for tls" or $payload contains "220 2.0.0 continue" } {
        # If the server gives a 220 response, start the server-side SSL profile.
        # NOTE the 'if' statement above may need to be tweaked to expect what message the other
        # side is actually sending in reply. Logs should show this.
        log local0. "server said he is ready for TLS, enable the SSL profile"
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        serverside {SSL::enable}
        # The TLS handshake should now start, which is best seen in Wireshark packet captures.
    }
}
when SERVERSSL_HANDSHAKE {
    # This will only trigger if the handshake completed successfully.
    # The ServerSSL profile will need a certificate to match the outbound IP and DNS name,
    # and you may want to set the "Server certificate" setting to "require",
    # and the "Trusted Certificate Authorities" set to "ca-bundle".
    log local0. "SSL handshake completed."
    clientside { TCP::respond "220 SMTP ESMTP Relay F5\r\n" }
    SSL::collect
}
when SERVERSSL_DATA {
    # Log the SMTP responses to see any errors.
    log local0. "server SSL payload: [SSL::payload]"
    SSL::release
    SSL::collect
}
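Added illustration, not part of the post above and not F5 code: the iRule drives the outbound STARTTLS exchange by substring-matching each server reply, which is why the poster notes the conditions may need tweaking per server. The Python model below, which assumes nothing about BIG-IP, parses replies by RFC 5321 reply code and continuation marker instead, buffers a multi-line reply that arrives split across segments, and stops rather than continuing in clear text when STARTTLS is not advertised or is refused. The host names and sample replies are constructed.

```python
"""Model of the outbound SMTP STARTTLS negotiation performed by the iRule.

Added example; it uses no F5 API. Replies are parsed by RFC 5321 code and
continuation marker ('-' = more lines follow, ' ' = last line), so any
220 text after STARTTLS is accepted and STARTTLS is found wherever it
sits in the EHLO capability list.
"""
import re

# Constructed sample replies (not captured from a real server).
SAMPLE_REPLIES = [
    "220 mail.example.test ESMTP Postfix\r\n",
    "250-mail.example.test\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n250 8BITMIME\r\n",
    "220 2.0.0 Ready to start TLS\r\n",
]

_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_reply(raw):
    """Parse one complete SMTP reply from raw text.

    Returns (code, [text lines]) once the final line (code followed by a
    space) has arrived, or None while only continuation lines or a partial
    line are present. Raises ValueError on malformed input.
    """
    complete_lines = raw.split("\r\n")[:-1]  # last element is partial or ""
    code, texts = None, []
    for line in complete_lines:
        m = _REPLY_LINE.match(line)
        if not m:
            raise ValueError("malformed SMTP reply line: %r" % line)
        this_code, sep, text = m.groups()
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("mixed reply codes within one reply")
        texts.append(text)
        if sep == " ":
            return code, texts
    return None


class StartTlsClient:
    """Mirrors the iRule's if/elseif chain as an explicit state machine."""

    def __init__(self, helo_name):
        self.helo_name = helo_name
        self.state = "BANNER"  # BANNER -> EHLO -> STARTTLS -> TLS
        self.buffer = ""
        self.tls_started = False

    def feed(self, chunk):
        """Consume one chunk of server data; return the command to send, or None.

        Assumes one reply in flight at a time (no pipelining), as the iRule does.
        """
        self.buffer += chunk
        parsed = parse_reply(self.buffer)
        if parsed is None:
            return None  # wait for the rest of a split reply
        self.buffer = ""
        code, lines = parsed
        if self.state == "BANNER":
            if code != "220":
                raise RuntimeError("unexpected greeting: %s" % code)
            self.state = "EHLO"
            return "EHLO %s\r\n" % self.helo_name
        if self.state == "EHLO":
            if code != "250":
                raise RuntimeError("EHLO rejected: %s" % code)
            # Capability keywords start on the second line of the EHLO reply.
            offered = any(line.split()[0].upper() == "STARTTLS"
                          for line in lines[1:] if line.strip())
            if not offered:
                raise RuntimeError("server did not advertise STARTTLS; "
                                   "not continuing in clear text")
            self.state = "STARTTLS"
            return "STARTTLS\r\n"
        if self.state == "STARTTLS":
            if code != "220":
                raise RuntimeError("STARTTLS refused: %s %s" % (code, " ".join(lines)))
            self.state = "TLS"
            self.tls_started = True  # hand the socket to the TLS layer here
            return None
        raise RuntimeError("no plaintext commands once TLS is negotiated")


def negotiate(replies, helo="relay.example.test"):
    """Drive the state machine over a list of server chunks.

    Returns (commands_sent, status): "tls" when the server accepted STARTTLS,
    "incomplete" if input ran out first, otherwise the error text.
    """
    client = StartTlsClient(helo)
    sent = []
    try:
        for chunk in replies:
            cmd = client.feed(chunk)
            if cmd is not None:
                sent.append(cmd)
    except (RuntimeError, ValueError) as exc:
        return sent, str(exc)
    return sent, "tls" if client.tls_started else "incomplete"


if __name__ == "__main__":
    print(negotiate(SAMPLE_REPLIES))
```

The model deliberately fails closed: the iRule's elseif chain simply does nothing when no branch matches, which leaves the session in clear text, whereas here a missing STARTTLS capability or a non-220 answer to STARTTLS ends the negotiation with a logged reason.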
JG_249184
Mar 13, 2017 Altocumulus
How can I use this and have it enable client-side SSL when it detects STARTTLS from the client, but send clear text when it doesn't?