aFlex for log mail from,to, on STARTTLS/TLS mails in ssl-proxy port

Product Discussions aFleX
1

Hi, i’m new in this forum and with a10 aFlex. Device: A10 thunder 3030s Os: 2.7.2-P11(build: 77) I’ve configured a SMTP service in one VIP with two ports: 25 - SMTP 2530 - STARTTLS/TLS (port with ssl-client template in mode ssl-proxy) and (for GDPR law) need to log the ip, mail from, mail to, message id, ip from, vip, nat,… but when mail is sended with starttls or tls i can’t do it. How can i do it succesfully? The aflex:

# Script para capturar ip de origen del remitente, destinatario, remitente e id del mensaje
# 1539078849:09/10/2018-11:54:09] [<ip_origen> <ipVIP> <ip Servidor>] [<remitente> <destinatario/s> <mensaje id>]
when RULE_INIT {
    set ::cip "N/D"
    set ::cport "N/D"
    set ::vip "N/D"
    set ::vport "N/D"
    set ::fechahumana "N/D"
    set ::timestamp "N/D"
    set ::snat_ip "N/D"
    set ::snat_port "N/D"
    set ::sip "N/D"
    set ::sport "N/D"  
    set ::remitente "N/D" 
    set ::destinatario_s "N/D" 
    set ::id_mensaje "N/D"
}

when CLIENT_ACCEPTED {
    set ::cip [IP::client_addr]
    set ::cport [TCP::client_port]
    set ::vip [IP::local_addr]
    set ::vport [TCP::local_port]
    set fecha [clock format [TIME::clock seconds] -format {%d/%m/%Y}]
    set hora [clock format [TIME::clock seconds] -format {%H:%M:%S}]
    set ::fechahumana "$fecha-$hora"
    set ::timestamp [TIME::clock seconds]
}

when SERVER_CONNECTED {
    TCP::collect
    set ::snat_ip [IP::local_addr]
    set ::snat_port [TCP::local_port]
    set ::sip [IP::server_addr]
    set ::sport [TCP::server_port]    
    set fecha [clock format [TIME::clock seconds] -format {%d/%m/%Y}]
    set hora [clock format [TIME::clock seconds] -format {%H:%M:%S}]
    set ::fechahumana "$fecha-$hora"
    set ::timestamp [TIME::clock seconds] 
}
when CLIENT_DATA {
    set fecha [clock format [TIME::clock seconds] -format {%d/%m/%Y}]
    set hora [clock format [TIME::clock seconds] -format {%H:%M:%S}]
    set ::fechahumana "$fecha-$hora"
    set ::timestamp [TIME::clock seconds]
    set lcpayload [string tolower [TCP::payload]]
    regsub "\x0a" $lcpayload " " lcpayload
    #log local0.7 $lcpayload
    #log $lcpayload
    if { $lcpayload contains "mail from:" } {
        set ::remitente $lcpayload
        regsub "\r\n" $::remitente "" ::remitente
        regsub "\r" $::remitente "" ::remitente
        regsub "\n" $::remitente "" ::remitente
        regsub "mail from:" $::remitente "" ::remitente
        regsub " " $::remitente "" ::remitente
        set ::remitente [substr $::remitente 0 ">"]
    }   
    if { $lcpayload contains "rcpt to:" } {
        set ::destinatario_s $lcpayload
        regsub "\r\n" $::destinatario_s "" ::destinatario_s
        regsub "\r" $::destinatario_s "" ::destinatario_s
        regsub "\r" $::destinatario_s "" ::destinatario_s
        regsub "rcpt to:" $::destinatario_s "" ::destinatario_s
        regsub " " $::remitente "" ::remitente
        set ::destinatario_s [substr $::destinatario_s 0 ">"]
    }
    TCP::release 
    serverside { TCP::collect }
    # si $lcpayload contiene quit hacemos el logado de todo
    #if { $lcpayload contains "quit"} {
        log local0.7 "\[$::timestamp:$::fechahumana\] \[$::cip:$::cport $::vip:$::vport NAT:$::snat_ip:$::snat_port $::sip:$::sport\] \[$::remitente> $::destinatario_s> $::id_mensaje> \] "
    #}
}
when SERVER_DATA {
    set fecha [clock format [TIME::clock seconds] -format {%d/%m/%Y}]
    set hora [clock format [TIME::clock seconds] -format {%H:%M:%S}]
    set ::fechahumana "$fecha-$hora"
    set ::timestamp [TIME::clock seconds]
    set lspayload [string tolower [TCP::payload]]
    if { $lspayload contains "250 2.6.0 " } {
        regsub "250 2.6.0 " $lspayload "" ::id_mensaje
        set ::id_mensaje [substr $::id_mensaje 0 ">"]
    }
    TCP::release
    clientside { TCP::collect }
}

Thanx for all

2

I think crickets (or tumbleweeds) are my friends in this discussion, ???

3

Seven years and 22-ish versions ago is a rather long time to wait for an answer before pinging us all :slight_smile:

TLS encrypted payloads are not accessible to aFleX…you need something in front of your Thunder ADC to decrypt the SSL packet, pass it through to get processed by your script, then re-encrypt if you still want it SSL. A10 sells an “SSLi” product that does that. Talk to your account team if interested….and for that matter, why have you not asked them about this over the last 7 years??

4

hi @john_allen thanks for your detailed response, as to why I didn’t ping, it’s because that service is no longer configured on the A10, it’s deployed in the cloud.

And the recent ping is because I launched another query to see if it is possible to do a health monitor against a informix bbdd, although seeing that it is necessary to install a proprietary driver on the machine from where I did the tests I understand that this driver will not come in the a10 and therefore will not work. thanks.