Cisco Support Community

ACE module, TLS and smtp

Hello,

On an ACE module running software version ACE2(1.0), I have defined a virtual SMTP server that is load-balanced to a serverfarm containing 2 SMTP servers. Normal SMTP connections on port 25 work fine. SMTPS connections to port 465 of a second vserver also work fine: SSL termination occurs at the ACE module and SMTP connections to the real servers are in clear text on port 25. But I am having problems with TLS.

If a client connecting to port 25 of the first vserver tries to negotiate TLS, it works but it's the real server that handles TLS encryption. This is normal behavior - but the certificate has to be installed on each of the real servers. I would like the ACE module to handle TLS (it's supported according to the documentation). That way the certificate would only have to be installed on the ACE module.

So I tried to setup a third vserver on port 587 with the same "proxy-service" as the second vserver used for SSL. If a client connects to port 587 of the vserver via TLS, we only see the 3-way handshake between the client and the vserver, then a pause of a few seconds, then a FIN from the client and finally an ACK and a RESET from the vserver.

There are absolutely no lines in the log that could help me find out what's happening.

I found the "debug ssl" command in the documentation but I don't know how to use it - I entered the command and nothing happened; I don't know where the debugging information goes. This is probably why there's a warning that says that "The ACE debug commands are intended for use by trained Cisco personnel only."...

So my questions are: why is TLS not working? How can I find out why it's not working? Where does the "debug" information go when we use the "debug" commands?

Thanks a lot for any help you can give me!

Regards,

Marc.

2 REPLIES

Re: ACE module, TLS and smtp

SMTP over TLS is not supported in ACE currently.

SMTP doesn't use SSL/TLS simply as a secure transport like LDAP, IMAP, POP, HTTP.

In the case of SMTP, the client needs to open a new connection.

So ACE, or for that matter any other SMTP relay device, needs to terminate the connection, look into the SMTP packets and punch a hole according to the new client connections.

You can get more details at

http://tools.ietf.org/html/rfc2487

Syed
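The in-band negotiation Syed refers to, as an added example that is not part of the thread and is not Cisco ACE code: a small Python model of the server side of SMTP STARTTLS (RFC 2487, later replaced by RFC 3207). It plays the exchange through the plaintext banner, EHLO, STARTTLS and the point where the TLS handshake takes over the same TCP connection, and it also classifies the first bytes a front end sees on a new connection, which is where implicit TLS (port 465) and STARTTLS differ: with SMTPS the client's first bytes are a TLS ClientHello, while a normal SMTP client sends nothing until it has read the server's 220 banner. The hostnames, the sample ClientHello bytes and the 503 reply used for out-of-sequence STARTTLS are this example's own choices, not values from the thread.

```python
# Added example: model of SMTP STARTTLS (RFC 3207) on the server side plus a
# first-bytes classifier. Not from the thread and not Cisco ACE code.
from dataclasses import dataclass, field
from typing import List, Tuple

CRLF = "\r\n"


def is_tls_client_hello(data: bytes) -> bool:
    """True if `data` starts with a TLS handshake record carrying a ClientHello.
    Record header: type 0x16 (handshake), version major 0x03, 2-byte length;
    first byte of the handshake message: type 0x01 (ClientHello)."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def classify_first_client_bytes(data: bytes) -> str:
    """What a front end sees first on a new connection.
    'implicit-tls' -> SMTPS (port 465 style): terminate TLS immediately.
    'smtp'         -> a plaintext SMTP command.
    'nothing'      -> the client is waiting for the server's 220 banner (normal
                      SMTP), so a terminator waiting for a ClientHello waits too."""
    if is_tls_client_hello(data):
        return "implicit-tls"
    if data == b"":
        return "nothing"
    head = data.split(b" ", 1)[0].strip().upper()
    if head in {b"EHLO", b"HELO", b"STARTTLS", b"QUIT", b"NOOP"}:
        return "smtp"
    return "unknown"


@dataclass
class StartTlsFrontend:
    """Server-side SMTP state machine up to the TLS hand-off. Hostname is a placeholder."""
    hostname: str = "mx.example.test"
    greeted: bool = False
    tls_active: bool = False
    transcript: List[Tuple[str, str]] = field(default_factory=list)

    def banner(self) -> str:
        # SMTP: the server speaks first (RFC 5321); the client sends nothing before this.
        line = f"220 {self.hostname} ESMTP ready"
        self.transcript.append(("S", line))
        return line

    def handle(self, line: str) -> str:
        self.transcript.append(("C", line))
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            self.greeted = True
            lines = [f"250-{self.hostname} Hello {arg}"]
            if not self.tls_active:
                lines.append("250-STARTTLS")  # RFC 3207: never advertised once TLS is active
            lines.append("250 8BITMIME")
            reply = CRLF.join(lines)
        elif verb == "STARTTLS":
            if arg:
                reply = "501 Syntax error (no parameters allowed)"
            elif self.tls_active or not self.greeted:
                reply = "503 Bad sequence of commands"  # generic SMTP code; this example's choice
            else:
                reply = "220 Ready to start TLS"  # RFC 3207: the TLS handshake comes next
        elif verb == "QUIT":
            reply = "221 Bye"
        else:
            reply = "502 Command not implemented"
        self.transcript.append(("S", reply))
        return reply

    def tls_established(self) -> None:
        """Called once the handshake on the SAME TCP connection completes.
        RFC 3207 4.2: prior session state is discarded and the client must EHLO again."""
        self.tls_active = True
        self.greeted = False


def run_starttls_dialogue(after_220: bytes) -> List[Tuple[str, str]]:
    """Play the exchange end to end and return the transcript. `after_220` is
    whatever the client sends after '220 Ready to start TLS'; it must be a TLS record."""
    fe = StartTlsFrontend()
    fe.banner()
    fe.handle("EHLO client.example.test")
    if not fe.handle("STARTTLS").startswith("220"):
        return fe.transcript
    # Only now does a TLS terminator receive the ClientHello it expects.
    if not is_tls_client_hello(after_220):
        fe.transcript.append(("S", "handshake-failure: expected TLS ClientHello after 220"))
        return fe.transcript
    fe.transcript.append(("C", f"<TLS ClientHello, {len(after_220)} bytes>"))
    fe.tls_established()
    fe.handle("EHLO client.example.test")  # second EHLO: STARTTLS no longer offered
    return fe.transcript


# Constructed sample: first six bytes of a TLS ClientHello record, padded.
SAMPLE_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xC5, 0x01]) + b"\x00" * 10

if __name__ == "__main__":
    for who, line in run_starttls_dialogue(SAMPLE_CLIENT_HELLO):
        print(who, line.replace(CRLF, " | "))
    print(classify_first_client_bytes(SAMPLE_CLIENT_HELLO), classify_first_client_bytes(b""))
```

Running the script prints the whole dialogue; the second EHLO reply after the hand-off shows STARTTLS withdrawn, which is the piece a plain SSL terminator has no way to participate in, since the TLS records only appear several SMTP commands into an already-open plaintext session.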


Re: ACE module, TLS and smtp

Hello Syed,

Thank you for your answer. I was afraid of something like this. I would have preferred a solution to make the ACE module handle SMTP over TLS, but at least it explains why it wasn't working.

Regards,

Marc.
