ACE module, TLS and smtp

Unanswered Question
Jul 15th, 2008


On a ACE module running software version ACE2(1.0), I have defined a virtual smtp server that is load-balanced to a serverfarm containing 2 SMTP servers. Normal SMTP connexions on port 25 work fine. SMTPS connexions to port 465 of a second vserver also work fine: SSL termination occurs at the ACE module and SMTP connexions to the real servers are in clear text on port 25. But I am having problems with TLS.

If a client connecting to port 25 of the first vserver tries to negotiate TLS, it works but it's the real server that handles TLS encryption. This is normal behavior - but the certificate has to be installed on each of the real servers. I would like the ACE module to handle TLS (it's supported according to the documentation). That way the certificate would only have to be installed on the ACE module.

So I tried to setup a third vserver on port 587 with the same "proxy-service" as the second vserver used for SSL. If a client connects to port 587 of the vserver via TLS, we only see the 3-way handshake between the client and the vserver, then a pause of a few seconds, then a FIN from the client and finally an ACK and a RESET from the vserver.

There are absolutely no lines in the log that could help me find out what's happening.

I found the "debug ssl" command in the documentation but I don't know how to use it - I entered the command and nothing happened; I don't know where the debugging information goes. This is probably why there's a warning that says that "The ACE debug commands are intended for use by trained Cisco personnel only."...

So my questions are: why is TLS not working? How can I find out why it's not working? Where does the "debug" information go when we use the "debug" commands?

Thanks a lot for any help you can give me!



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Syed Iftekhar Ahmed Tue, 07/15/2008 - 11:19

SMTP over TLS is not supported in ACE currently.

SMTP doesnt use SSL/TLS simply as a secure transport like LDAP, IMAP, POP, HTTP.

In case of SMTP client needs to open a new conn.

So ACE or for that matter any other SMTP relay device needs to terminate conn, look in to the SMTP pkts and punch hole according to the new client conns.

You can get more details at


MMazuhelli_2 Mon, 07/21/2008 - 05:11

Hello Syed,

Thank you for your answer. I was afraid of something like this. I would have prefered a solution to make the ACE module handle SMTP over TLS, but at least it explains why it wasn't working.




This Discussion