F5 SMTPS STARTTLS iRule port 587 to 587 with SSL Bridging
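when RULE_INIT {
    # Greeting sent to the client before any server-side connection exists.
    set static::stls_greeting_rsp "220 SMTP ESMTP Relay F5\r\n"
    # Reply sent to the client once the server has accepted STARTTLS.
    set static::stls_ready_rsp "220 2.0.0 SMTP server ready\r\n"
    # 1 = log full cleartext payloads (debugging only).
    # 0 = log only the events this rule acts on and the server reply code, so
    #     anything a client sends before STARTTLS (including an AUTH exchange)
    #     is not written to the LTM log.
    set static::stls_log_payload 0
}

when CLIENT_ACCEPTED {
    log local0. "Client connected: [IP::client_addr]"
    # Set to 1 once the client has issued STARTTLS; drives the SSL switch in SERVER_DATA.
    set starttls 0
    # The client's EHLO/HELO, held back until the server greeting arrives.
    set client_ehlo ""
    # Both sides start in cleartext; SSL is enabled only after a successful STARTTLS.
    SSL::disable serverside
    SSL::disable clientside
    # Send an SMTP server greeting to get the ball rolling...
    TCP::respond $static::stls_greeting_rsp
    TCP::collect
}

when CLIENT_DATA {
    set payload [string tolower [TCP::payload]]
    if { $static::stls_log_payload } {
        # Full cleartext command line; debugging only (see RULE_INIT).
        log local0. "Client request: $payload"
    }
    if { $payload starts_with "ehlo" or $payload starts_with "helo" } {
        # Store the initial EHLO for responding to email server greeting
        set client_ehlo [TCP::payload]
        TCP::payload replace 0 [TCP::payload length] ""
        log local0. "Client EHLO/HELO held until server greeting"
    } elseif { $payload starts_with "starttls" } {
        log local0. "Client requested STARTTLS"
        set starttls 1
        # Forward STARTTLS to the server; SERVER_DATA acts on its reply.
        # No further TCP::collect here, so later client data is not inspected.
        TCP::release
        return
    }
    # Any other command is forwarded in cleartext, unchanged. This rule does not
    # enforce STARTTLS: a client that never issues it keeps talking in the clear.
    set starttls 0
    TCP::release
    TCP::collect
}

when SERVER_CONNECTED {
    log local0. "Connected to server"
    TCP::collect
}

when SERVER_DATA {
    set payload [string tolower [TCP::payload]]
    if { $static::stls_log_payload } {
        log local0. "Server response: $payload"
    } else {
        # Reply code only (first three characters of the response).
        log local0. "Server response code: [string range $payload 0 2]"
    }
    if { $payload starts_with "220" and $client_ehlo ne "" } {
        # Server is ready to accept the clients EHLO
        TCP::respond $client_ehlo
        # We don't want to send the server's greeting to the client
        TCP::payload replace 0 [TCP::payload length] ""
        set client_ehlo ""
    } elseif { $payload starts_with "220" and $starttls } {
        # If server gives a 220 response, then start SSL at both ends
        clientside { TCP::respond $static::stls_ready_rsp }
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
        SSL::enable serverside
        SSL::enable clientside
        # No further TCP::collect: this is the last SERVER_DATA event.
        return
    } elseif { $starttls } {
        # Server answered STARTTLS with something other than 220. Clear the
        # flag so a later 220 cannot trigger the SSL switch, and pass the
        # refusal through to the client unchanged.
        log local0. "Server declined STARTTLS: [string range $payload 0 2]"
        set starttls 0
    }
    TCP::release
    TCP::collect
}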