We have a pair of exchange servers on-prem fronted by a F5 ADC. We have SSL offload configured on the F5 which listens on port 587.
Certificate on F5 is a domain wildcard cert. We do not use authentication on the backend mailservers atm.
If i send mail through F5 ADC using port 25 w/o SSL it works fine, but if i enable SSL and use SSL offload on F5 ADC, my test mails fail...
From ActionsExecution.log:
at Interop.cdosys.MessageClass.Send()
at SolarWinds.Orion.Core.Actions.Utility.Smtp.Clients.CdoSmtpClient.Send()
at SolarWinds.Orion.Core.Actions.Impl.Email.EmailMethodInvoker.SendTestEmail(String args)
2021-02-05 09:18:30,380 [152] WARN SolarWinds.Orion.Core.Actions.Utility.Smtp.SmtpServerConnectionChecker - (null) Failed to get host entry 10.xx.xx.31 port 587. No such host is known
2021-02-05 09:18:30,380 [152] ERROR SolarWinds.Orion.Core.Actions.Impl.Email.EmailMethodInvoker - (null) Test for SMTP server (10.xx.xx.31:587, SSL enabled, Authentication disabled) failed
System.Runtime.InteropServices.COMException (0x80040213): The transport failed to connect to the server.
If i test using commandline it works OK;
C:\Users\user.mail>openssl s_client -connect 10.xx.xx.31:587 -starttls smtp
CONNECTED(00000124)
Can't use SSL_get_servername
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = SE, ST = state , L = acme, O = acme inc, OU = ITO, CN = *.acme.com
verify return:1
---
Certificate chain
0 s:C = SE, ST = state, L = acme, O = acme inc, OU = ITO, CN = *.acme.com
i:C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
1 s:C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
..rzCCBZegAwIBAgIQBj2+e5dR3Zw0m/RwCAOMKDANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMjAwMjExMDAwMDAwWhcN
MjIwMzA5MTIwMDAwWjCBgTELMAkGA1UEBhMCU0UxHTAbBgNVBAgMFFbDpHN0ZXJi
....
....
DQYJKoZIhvcNAQELBQADggEBAB2yPFQRMljwTBkzANZRtrULw6AJludiyumdYwGb
TgLCmjZClls7jIn93ezY0CinRmyiSQwEXaWSgd8jAV5zxLrlUEB7d+q1GtQcYkJC
+88Ce/z/ZJfuRIPHm8rtQjHzQphbboV1yMfm7jdLQKg366am/HJ+U9stSzjHmKlU
W6MJJ8kQC6AgU5lXiEOp03zeIQUgDiJX+Kvo2Wml5cCrNNyqLcXRAPcu5d2j8uld
7nIUOSp71HFxl+E21z0uB19j9Zb8DGbzZZcmn0+VDGuEViyLvBXXwXDiJXQs0M7Q
5rGYA4wuVnMoZjxd71+4lSg5/PCyWaTAQa2G9WC4j1F..
-----END CERTIFICATE-----
subject=C = SE, ST = state, L = acme, O = acme AB, OU = ITO, CN = *.acme.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4693 bytes and written 452 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 0278841257BCF9F6EB400687BC05A07FDA97B3B014D12F94E2DBE14B8E95F08F
Session-ID-ctx:
Master-Key: ...00B0F22812AA687141E5B..3B0A21B..
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1612512328
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
Extended master secret: yes
---
250 XRDST
EHLO
250-mailserver.acme.internal Hello [10.xx.xx.18]
250-SIZE 26214400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 XRDST
MAIL FROM:user.mail@acme.com
250 2.1.0 Sender OK
RCPT TO:user.mail@acme.com
RENEGOTIATING
Can't use SSL_get_servername
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = SE, ST = state, L = acme, O = acme inc, OU = ITO, CN = *.acme.com
verify return:1
RCPT TO:user.mail@acme.com
RENEGOTIATING
Can't use SSL_get_servername
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = SE, ST = state, L = acme, O = acme inc, OU = ITO, CN = *.acme.com
verify return:1
RCPT TO:user.mail@acme.com
RENEGOTIATING
Can't use SSL_get_servername
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = SE, ST = state, L = acme, O = acme inc, OU = ITO, CN = *.acme.com
verify return:1
DATA
503 5.5.2 Need rcpt command
RCPT TO:user.mail@acme.com
RENEGOTIATING
Can't use SSL_get_servername
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = SE, ST = state, L = acme, O = acme inc, OU = ITO, CN = *.acme.com
verify return:1
rcpt to:user.mail@acme.com
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
Subject: Testing TLS with pcap
This is a test message!
.
250 2.6.0 <088645eecdc7461c80c1e070574e0b80@mailserver.acme.internal> [InternalId=274843547205755, Hostname=mailserver.acme.internal] Queued mail for delivery
QUIT
DONE
C:\Users\user.mail>
From a packet capture, it seems like Orion is not sending smtp using tls, but sending the smtp data payload encrypted..
