Manual Chapter : Securing Client-Side SMTP Traffic

Applies To:

Show Versions Show Versions


  • 13.0.1, 13.0.0


  • 13.0.1, 13.0.0

BIG-IP Link Controller

  • 13.0.1, 13.0.0

BIG-IP Analytics

  • 13.0.1, 13.0.0


  • 13.0.1, 13.0.0


  • 13.0.1, 13.0.0


  • 13.0.1, 13.0.0


  • 13.0.1, 13.0.0


  • 13.0.1, 13.0.0
Manual Chapter

Overview: Securing client-side SMTP traffic

You can add SSL encryption to SMTP traffic quickly and easily, by configuring an SMTPS profile on the BIG-IP® system. SMTPS is a method for securing Simple Mail Transport Protocol (SMTP) connections at the transport layer.

Normally, SMTP traffic between SMTP servers and clients is unencrypted. This creates a privacy issue because SMTP traffic often passes through routers that the servers and clients do not trust, resulting in a third party potentially changing the communications between the server and client. Also, two SMTP systems do not normally authenticate each other. A more secure SMTP server might only allow communications from other known SMTP systems, or the server might act differently with unknown systems.

To mitigate these problems, the BIG-IP system includes an SMTPS profile that you can configure. When you configure an SMTPS profile, you can activate support for the industry-standard STARTTLS extension to the SMTP protocol, by instructing the BIG-IP system to either allow, disallow, or require STARTTLS activation for SMTP traffic. The STARTTLS extension effectively upgrades a plain-text connection to an encrypted connection on the same port, instead of using a separate port for encrypted communication.

This illustration shows a basic configuration of a BIG-IP system that uses SMTPS to secure SMTP traffic between the BIG-IP system and an SMTP mail server.

An SMTPS configuration

Sample BIG-IP configuration for SMTP traffic with STARTTLS activation

Task summary

To configure the BIG-IP ®system to process Simple Mail Transport Protocol (SMTP) traffic with SSL functionality, you perform a few basic tasks.

Task list

Creating an SMTPS profile

This task specifies that STARTTLS authentication and encryption should be required for all client-side Simple Mail Transport Protocol (SMTP) traffic. When you require STARTTLS for SMTP traffic, the BIG-IP® system effectively upgrades SMTP connections to include SSL, on the same SMTP port.
  1. On the Main tab, click Local Traffic > Profiles > Services > SMTPS .
    The SMTPS profile list screen opens.
  2. Click Create.
    The New SMTPS Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select the Custom check box.
  5. From the STARTTLS Activation Mode list, select Require.
  6. Click Finished.
The BIG-IP system is now required to activate STARTTLS for all client-side SMTP traffic.

Creating a Client SSL profile

You create a Client SSL profile when you want the BIG-IP® system to authenticate and decrypt/encrypt client-side application traffic.

  1. On the Main tab, click Local Traffic > Profiles > SSL > Client .
    The Client SSL profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. Configure all profile settings as needed.
  4. Click Finished.
After creating the Client SSL profile and assigning the profile to a virtual server, the BIG-IP system can apply SSL security to the type of application traffic for which the virtual server is configured to listen.

Creating a virtual server and load-balancing pool

You use this task to create a virtual server, as well as a default pool of Simple Mail Transport Protocol (SMTP) servers. The virtual server listens for, and applies SSL security to, client-side SMTP application traffic. The virtual server then forwards the SMTP traffic on to the specified server pool.
Note: Using this task, you assign an SMTPS profile to the virtual server instead of an SMTP profile. You must also assign a Client SSL profile.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address/Mask field, type an address, as appropriate for your network.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is or, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
  5. In the Service Port field, type 25 or select SMTP from the list.
  6. From the Configuration list, select Basic.
  7. For the SSL Profile (Client) setting, in the Available box, select a profile name, and using the Move button, move the name to the Selected box.
  8. From the SMTPS Profile list, select the SMTPS profile that you previously created.
  9. In the Resources area of the screen, for the Default Pool setting, click the Create (+) button.
    The New Pool screen opens.
  10. In the Name field, type a unique name for the pool.
  11. In the Resources area, for the New Members setting, select the type of new member you are adding, then type the information in the appropriate fields, and click Add to add as many pool members as you need.
  12. Click Finished to create the pool.
    The screen refreshes, and reopens the New Virtual Server screen. The new pool name appears in the Default Pool list.
  13. Click Finished.
After performing this task, the virtual server applies the custom SMTPS and Client SSL profiles to incoming SMTP traffic.

Implementation result

After you have created an SMTPS profile and a Client SSL profile and assigned them to a virtual server, the BIG-IP system listens for client-side SMTP traffic on port 25. The BIG-IP system then activates the STARTTLS method for that traffic, to provide SSL security on that same port, before forwarding the traffic on to the specified server pool.