SMTP (Simple Mail Transfer Protocol) is the protocol used to transfer electronic mail. STARTTLS is an SMTP extension (RFC 3207) that upgrades an existing plaintext connection to an encrypted TLS (historically SSL) connection on the same port, instead of using a separate port for encrypted communication.
STARTTLS Process Flow
The STARTTLS process flow is as follows:
1. The STARTTLS exchange starts after the TCP handshake.
2. The server sends 220 Ready, telling the email client that it can proceed.
3. The client sends EHLO to tell the server that it will use Extended SMTP (ESMTP).
4. The server's EHLO reply lists the extensions it supports; a 250 STARTTLS line advertises that STARTTLS is available.
5. The client sends the STARTTLS command to request the upgrade.
6. The server replies 220 Go ahead if SSL/TLS can be started.
7. The client starts the SSL/TLS handshake with the server.
8. After the handshake completes, the rest of the SMTP session, including the mail content, is encrypted. RFC 3207 requires the client to send EHLO again over the encrypted connection, and the server must not advertise STARTTLS in that second reply. A client that requires TLS should abort rather than continue in plaintext if STARTTLS is not advertised, because the advertisement itself is sent unencrypted.
DataScript Event in Layer 4 SSL
New DataScript event:
- Event name: VS_DATASCRIPT_EVT_TCP_CLIENT_ACCEPT
- Functionality: Raised after the TCP handshake with the client is complete.

New DataScript APIs:

| API Name | Event | Arguments | Functionality |
|---|---|---|---|
| avi.ssl.disable_ssl() | VS_DATASCRIPT_EVT_TCP_CLIENT_ACCEPT | None | Deactivates SSL/TLS after the TCP handshake, so the connection starts in plaintext |
| avi.ssl.enable_ssl() | VS_DATASCRIPT_EVT_L4_REQUEST | None | Activates SSL/TLS mid-connection, once the STARTTLS exchange has completed |
Traffic Flow
The traffic flow is as follows:
1. NSX Advanced Load Balancer completes the TCP handshake with the client and then opens a connection to the backend server.
2. NSX Advanced Load Balancer proxies messages between the client and the server.
3. The client can send EHLO at any time to announce that it uses Extended SMTP (right after the TCP handshake or after some data has been sent).
4. After receiving EHLO, the server advertises its services. If STARTTLS is not among them, NSX Advanced Load Balancer adds 250 STARTTLS to the advertised services.
5. The client can send the STARTTLS command to request TLS.
6. NSX Advanced Load Balancer replies 220 to the client and then starts the TLS negotiation.
7. After the SSL/TLS negotiation, the client sends encrypted mail to NSX Advanced Load Balancer.
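The exchange described in the process flow and the traffic flow above, modelled as an added example (not NSX Advanced Load Balancer or DataScript code): the client-facing logic of a STARTTLS proxy that relays the backend's EHLO reply, appends 250 STARTTLS when the backend does not advertise it, answers the client's STARTTLS with 220 Go ahead, and only then treats the client side as TLS. The backend reply, host names and the `StarttlsFrontend` class are constructed for the example; sockets and the TLS handshake itself are replaced by a flag so the code runs offline. It also shows the two RFC 3207 rules that are easy to get wrong in a proxy: STARTTLS must not be re-advertised once TLS is up, and STARTTLS is rejected before EHLO or when TLS is already active.

```python
"""Front-end logic of an SMTP STARTTLS proxy (added example, not NSX ALB code).

Operates on decoded SMTP reply/command lines. The TLS handshake and the
backend socket are out of scope; a flag stands in for the handshake.
"""
import re

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")

# Constructed stand-in for a backend that speaks only cleartext SMTP.
BACKEND_EHLO_REPLY = [
    "250-backend.example Hello",
    "250-SIZE 35882577",
    "250-8BITMIME",
    "250 HELP",
]


def parse_ehlo_reply(lines):
    """Return (capabilities, well_formed) for a multi-line 250 reply.

    Per RFC 5321, every line but the last is "250-<text>" and the last is
    "250 <text>". Line 1 carries the server name; the rest are keywords.
    """
    caps = []
    for i, line in enumerate(lines):
        m = REPLY_RE.match(line)
        if not m or m.group(1) != "250":
            return [], False
        if i > 0:
            words = m.group(3).split()
            caps.append(words[0].upper() if words else "")
        if m.group(2) == " ":              # terminating line
            return caps, i == len(lines) - 1
    return [], False                       # no terminating line at all


def inject_starttls(lines):
    """Advertise STARTTLS to the client when the backend does not."""
    caps, ok = parse_ehlo_reply(lines)
    if not ok or "STARTTLS" in caps:
        return list(lines)
    body = ["250-" + l[4:] for l in lines]   # all become continuation lines
    return body + ["250 STARTTLS"]           # new terminating line


def strip_starttls(lines):
    """Drop STARTTLS from a reply sent after TLS is up (RFC 3207 forbids
    re-advertising it) while keeping the reply well-formed."""
    caps, ok = parse_ehlo_reply(lines)
    if not ok or "STARTTLS" not in caps:
        return list(lines)
    kept = [l for l in lines if l[4:].split()[:1] != ["STARTTLS"]]
    kept[-1] = "250 " + kept[-1][4:]         # last survivor terminates the reply
    return kept


def client_next_command(ehlo_reply, require_tls=True):
    """What a well-behaved client does with an EHLO reply: a client that
    requires TLS must stop rather than continue in cleartext when STARTTLS
    is absent, since the advertisement itself travels unencrypted."""
    caps, ok = parse_ehlo_reply(ehlo_reply)
    if ok and "STARTTLS" in caps:
        return "STARTTLS"
    return "QUIT" if require_tls else "MAIL FROM:<>"


class StarttlsFrontend:
    """Client-facing state for one connection through the proxy (hypothetical)."""

    def __init__(self, backend_ehlo_reply=BACKEND_EHLO_REPLY):
        self.backend_ehlo_reply = backend_ehlo_reply
        self.ehlo_seen = False
        self.tls_active = False    # flips where a DataScript would enable SSL

    def handle_client_line(self, line):
        """Return the reply lines for one client command."""
        verb = line.strip().split(" ")[0].upper()
        if verb == "EHLO":
            self.ehlo_seen = True
            reply = self.backend_ehlo_reply   # would be relayed to/from the backend
            return strip_starttls(reply) if self.tls_active else inject_starttls(reply)
        if verb == "STARTTLS":
            if self.tls_active or not self.ehlo_seen:
                return ["503 Bad sequence of commands"]
            if line.strip().upper() != "STARTTLS":
                return ["501 Syntax error (no parameters allowed)"]
            # The TLS handshake runs here, before any further client bytes are read.
            self.tls_active = True
            self.ehlo_seen = False             # RFC 3207: client must EHLO again
            return ["220 Go ahead"]
        return ["250 OK"]                      # other commands relayed unchanged


def run_demo():
    """Replay the page's flow and return each reply in order."""
    fe = StarttlsFrontend()
    return [
        fe.handle_client_line("STARTTLS"),             # before EHLO: rejected
        fe.handle_client_line("EHLO client.example"),  # STARTTLS injected
        fe.handle_client_line("STARTTLS"),             # 220, TLS now active
        fe.handle_client_line("EHLO client.example"),  # re-EHLO, no STARTTLS offered
        fe.handle_client_line("STARTTLS"),             # TLS already active: rejected
    ]
```

The injected advertisement only changes what the client sees; the backend leg stays exactly as the backend offered it, which is why `inject_starttls` rewrites the reply's terminator rather than inserting a line in the middle. A client that asks `client_next_command` about the raw `BACKEND_EHLO_REPLY` gets QUIT, about the injected reply STARTTLS.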