Forum Discussion

Adam_L__1503's avatar
Adam_L__1503
Historic F5 Account
Feb 01, 2012

Adding STARTTLS functionality to outbound SMTP sessions via iRule

Note: I am not the author of this iRule, but I thought that this was a very useful trick, and the author of it has given me permission to share it here. This iRule will take outbound SMTP connections which pass through a LTM and will add full STARTTLS functionality. In other words -- how to add encryption to your outbound SMTP sessions without having to upgrade or otherwise fiddle with your SMTP server. :)

 

 

Comments and/or suggestions welcome.

 

 

 

when CLIENT_ACCEPTED {

 

log local0. "client accepted"

 

SSL::disable serverside

 

}

 

when SERVER_CONNECTED {

 

TCP::collect

 

}

 

when SERVER_DATA {

 

log local0. "server payload: [string tolower [TCP::payload]]"

 

 

set payload [string tolower [TCP::payload]]

 

 

if {$payload contains "220 smtp esmtp relay"}

 

{

 

respond with a EHLO to server

 

TCP::respond "EHLO\r\n"

 

TCP::payload replace 0 [TCP::payload length] ""

 

TCP::release

 

log local0. "responded to server with EHLO"

 

serverside {TCP::collect}

 

}

 

elseif {$payload contains "250-starttls" }

 

{

 

respond with a STARTTLS to server

 

TCP::respond "STARTTLS\r\n"

 

TCP::payload replace 0 [TCP::payload length] ""

 

TCP::release

 

log local0. "Sent the server a STARTTLS"

 

serverside {TCP::collect}

 

}

 

elseif {$payload contains "220 2.0.0 ready to start tls"}

 

{

 

start ssl profile with server

 

log local0. "server said he is ready for TLS, enable the SSL profile"

 

TCP::payload replace 0 [TCP::payload length] ""

 

TCP::release

 

serverside {SSL::enable}

 

}

 

}

 

 

when SERVERSSL_HANDSHAKE {

 

log local0. "SSL handshake completed."

 

clientside { TCP::respond "220 SMTP ESMTP Relay\r\n" }

 

SSL::collect

 

}

 

when SERVERSSL_DATA {

 

log local0. "server SSL payload: [SSL::payload]"

 

SSL::release

 

SSL::collect

 

}

 

 

application delivery
dev
devops
iRules

5 Replies

Sort By
  • bdavis's avatar
    bdavis
    Icon for Nimbostratus rankNimbostratus
    Oct 15, 2013
    Does this get applied to a forwarding Virtual Server? Our is there another way to see the outbound traffic to apply this code?
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Oct 15, 2013
    i understand it is standard virtual server because of serverssl profile.
  • bdavis's avatar
    bdavis
    Icon for Nimbostratus rankNimbostratus
    Oct 15, 2013
    Where I am confused is, if this is for the outbound traffic initiated from your mail relay to a distant end mail relay. How are you seeing the traffic that is being initiated from the mail relay to the Internet without a forwarding VS or something that can see outbound traffic?
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Oct 15, 2013
    i understand it is wildcard standard virtual server e.g. 0.0.0.0:25/0 and its pool is default gateway. actually, if pool is not defined, bigip will forward traffic based on routing even it is not ip forwarding virtual server.
  • Michael_Harwoo1's avatar
    Michael_Harwoo1
    Icon for Nimbostratus rankNimbostratus
    Dec 23, 2015

    I have recently also been trying to do the same, server side STARTTLS and SSL only, not clientside, and found this article a month or so ago. I managed to use your irule suggestions to get it working on mine as well.

     

    I had to make some adjustments to the EHLO message, to add a server name on the end, otherwise the other end refused to start the TLS handshake (SERVER HELLO error), and also had to tweak the if statements to match some different response strings from the other side. But otherwise it works well.

     

    Here is my devcentral post on the same thing, were i have posted my version of the irule:

     

    https://devcentral.f5.com/questions/need-an-irule-for-starttls-for-smtps-server-side-only-not-client-side

     

    If you've learned any other lessons using this irule since and have any further advice then let me know. As far as i can tell, even 11.6.0 still doesn't allow you do configure STARTTLS for the Serverside in the GUI or config files, and irule still seems to be the only way. Hopefully they will improve this in later versions.