Enforce HTTP to HTTPS Redirect in SmarterTools Products
Idea shared by Bruce Barnes - October 2, 2014 at 7:03 AM
Completed
While we have seen lots of discussion regarding solutions to enforce HTTP to HTTPS redirects with SmarterTools products, I don't believe this has ever been presented as a suggestion.
 
This is an official suggestion that SmarterTools include an Admin switch which can be enabled to enforce SSL / HTTPS encryption on SmarterTools products.
 
Additionally, if anyone has a temporary solution for the WEB.CONFIG file, which will do a valid HTTP/HTTPS url rewrite/redirect, and can share it, that would be an invaluable tool for those of us who would like to enforce this directly, and not use IIS to do so.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting

37 Replies

1
Employee Replied
Employee Post
Hey Bruce,
 
This is a suggestion that is made quite often for all of the SmarterTools products. As for SmarterStats, this is a feature that is planned to be included in the next major release of SmarterStats. In the interim though there is not a web.config change or modification that I could think of to do this. Someone else in the community might have a bit more insight, but as for now there just isn't a way to go about this.
 
Again though this is something that you can expect to see in a future release of SmarterStats.
 
Thanks
3
I have used IIS with URL rewrite to set this up before. It does add the rules into the web.config.
 
However the problem was on every upgrade this file gets overwritten.
 
Someone prior had recommended you add the url rewrite directly to the server level and not the actual website.
 
Once I did that the setting sticks and survives an upgrade.
 
The global file is located: C:\Windows\system32\inetsrv\config\applicationHost.config
 
It adds the following:
 
        <rewrite>
            <globalRules>
                <rule name="Redirect to HTTPS" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="^OFF$" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
                </rule>
            </globalRules>
        </rewrite>
 
 
And I have "IIS URL Rewrite Module 2" installed via web platform installer 4.5
 
0
Steve, thanks for the suggested solution.
 
Does the GLOBAL REWRITE affect all of the hosted websites, or just those with SSL certificates?
Bruce Barnes
0
Michael: This is great news. Thanks for the quick response and, even though it's not instant, affirmative answer.
Bruce Barnes
0
I'm not absolutely positive, but yes I think it does.

I only have one site on my Smartermail server so I didn't run into that problem.
1
Since I don't have too many domains, I use manual rules for each domain that has a certificate.
 
One to redirect the "webmail." (if used) and another for "mail."
 
And also use one to redirect another third domain to second domain
 
IIS 7 on Windows 2008 Standard and .Net 4
<rewrite>
    <rules>
        <!-- Redirect webmail to https site -->
        <rule name="Domain-1 Rule" stopProcessing="true">
            <match url=".*" />
            <conditions>
                <add input="{HTTP_HOST}" pattern="^(webmail)\.domain-1\.ext/*" />
            </conditions>
            <action type="Redirect" url="https://mail.domain-1.ext/{R:0}" />
        </rule>
        <!-- Redirect mail to https site -->
        <rule name="Domain-1 Rule HTTPS" stopProcessing="true">
            <match url=".*" />
            <conditions>
                <add input="{HTTP_HOST}" pattern="^(mail)\.domain-1\.ext/*$" />
                <add input="{HTTPS}" pattern="^OFF$" />
            </conditions>
            <action type="Redirect" url="https://mail.domain-1.ext/Login.aspx" redirectType="Permanent" />
        </rule>
        <!-- Redirect webmail to https site -->
        <rule name="Domain-2 Rule" stopProcessing="true">
            <match url=".*" />
            <conditions>
                <add input="{HTTP_HOST}" pattern="^(webmail)\.domain-2\.ext$" />
            </conditions>
            <action type="Redirect" url="https://mail.domain-2.ext/{R:0}" />
        </rule>
        <!-- Redirect mail to https site -->
        <rule name="Domain-2 Rule HTTPS" stopProcessing="true">
            <match url=".*" />
            <conditions>
                <add input="{HTTP_HOST}" pattern="^(mail)\.domain-2\.ext/*$" />
                <add input="{HTTPS}" pattern="^OFF$" />
            </conditions>
            <action type="Redirect" url="https://mail.domain-2.ext/Login.aspx" redirectType="Permanent" />
        </rule>
        <!-- Redirect domain-3 to domain-2 https site -->
        <rule name="Domain-3 Rule" stopProcessing="true">
            <match url=".*" />
            <conditions>
                <add input="{HTTP_HOST}" pattern="^(webmail)\.domain-3\.ext$" />
            </conditions>
            <action type="Redirect" url="https://mail.domain-2.ext/{R:0}" />
        </rule>
        <rule name="Domain-3 Rule HTTPS" stopProcessing="true">
            <match url=".*" />
            <conditions>
                <add input="{HTTP_HOST}" pattern="^(mail)\.domain-3\.ext/*$" />
                <add input="{HTTPS}" pattern="^OFF$" />
            </conditions>
            <action type="Redirect" url="https://mail.domain-2.ext/Login.aspx" redirectType="Permanent" />
        </rule>

    </rules>
</rewrite>
 
0
Thanks, Hany!
 
Got a similar solution for IIS 6 on Server 2003.  I know it's sunset in November, but I have a lot of customers who don't have the budget to upgrade until sometime in 2015 or 2016.
Bruce Barnes
0
Bruce, you can try something like this in your applicationhost.config and have it match all the conditions, with the logical grouping and the site name.

<rewrite>
    <globalRules>
        <rule name="Redirect to HTTPS" enabled="true" stopProcessing="true">
            <match url=".*" />
            <conditions logicalGrouping="MatchAll">
                <add input="{HTTPS}" pattern="^OFF$" />
                <add input="{HTTP_HOST}" pattern="yourmailserver.com$" />
            </conditions>
            <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" />
        </rule>
    </globalRules>
</rewrite>
www.unlocktheinbox.com
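
Added example, not part of any post in this thread and not SmarterTools or Microsoft code: a small Python audit of the three redirect-rule shapes posted above. It flags a rule with no host condition, an unanchored host pattern, a redirect type other than 301, `{REQUEST_URI}` combined with the default `appendQueryString`, or a fixed target that discards the requested path. The rule names, the finding labels and the `audit` function are hypothetical, and the sample section is constructed from the thread's snippets.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the rule shapes posted in this thread; rule names are hypothetical.
SAMPLE = r"""
<rewrite>
  <globalRules>
    <rule name="global-all-hosts"><match url="(.*)" />
      <conditions><add input="{HTTPS}" pattern="^OFF$" /></conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" /></rule>
    <rule name="global-one-host"><match url=".*" />
      <conditions logicalGrouping="MatchAll"><add input="{HTTPS}" pattern="^OFF$" />
        <add input="{HTTP_HOST}" pattern="yourmailserver.com$" /></conditions>
      <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" /></rule>
  </globalRules>
  <rules>
    <rule name="site-login"><match url=".*" />
      <conditions><add input="{HTTP_HOST}" pattern="^(mail)\.domain-1\.ext/*$" />
        <add input="{HTTPS}" pattern="^OFF$" /></conditions>
      <action type="Redirect" url="https://mail.domain-1.ext/Login.aspx" redirectType="Permanent" /></rule>
  </rules>
</rewrite>
"""

STATUS = {"Permanent": 301, "Found": 302, "SeeOther": 303, "Temporary": 307}

def audit(section_xml):
    """Return {rule name: [finding, ...]} for every Redirect rule in the section."""
    report = {}
    for rule in ET.fromstring(section_xml).iter("rule"):
        action = rule.find("action")
        if action is None or action.get("type") != "Redirect":
            continue
        url = action.get("url", "")
        conds = {c.get("input"): c.get("pattern", "") for c in rule.iter("add")}
        host_pat = conds.get("{HTTP_HOST}")
        findings = []
        if "{HTTPS}" not in conds:
            # Rule also fires on HTTPS requests; a same-host target then loops
            findings.append("no-https-condition")
        if host_pat is None and "{HTTP_HOST}" in url:
            # Every host name reaching this rule is redirected, certificate or not
            findings.append("no-host-condition")
        elif host_pat and not (host_pat.startswith("^") and host_pat.endswith("$")):
            # Pattern is a substring match: other host names can satisfy it
            findings.append("host-pattern-unanchored")
        rtype = action.get("redirectType")
        if rtype is not None and STATUS.get(rtype) != 301:
            findings.append("not-permanent-%s" % STATUS.get(rtype))
        if "{REQUEST_URI}" in url and action.get("appendQueryString", "true") != "false":
            # REQUEST_URI already carries the query string; the default appends it again
            findings.append("query-string-appended-twice")
        if "{R:" not in url and "{REQUEST_URI}" not in url:
            # Fixed target: deep links land on one page instead of the requested path
            findings.append("path-discarded")
        report[rule.get("name")] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A rule with an absent `redirectType` is left unflagged here because the script only judges values that are written in the file.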
1
Also I notice issues with the HTTPS redirect on heavy usage sites. The module will bug out and say "Too Many Redirects" and only a reboot will fix the issue.
 
I had to enforce it in code on my website.. Something SmarterTools can do.. 
 
I'll give them a head start.. 
 
 ' Send plain-HTTP requests to the same host and path over HTTPS with a 301
 If Request.ServerVariables("HTTPS") = "off" Then
     Response.Redirect("https://" & Request.Url.Host & Request.Url.AbsolutePath, False)
     Response.StatusCode = 301
     Response.End()
 End If
 
 
www.unlocktheinbox.com
0
Why limit this to SmarterStats?
2
Another solution is to run two different websites:
 
One whatever.domain.com that just listens on 443 that is the SmarterTools product.
 
One whatever.domain.com that listens on port 80. All this site contains is a web.config containing a urlrewrite 301 redirect to https://whatever.domain.com/.
 
This solved the problem of minor version updates overwriting urlrewrites on the main site - http://forums.smartertools.com/threads/minor-version-updates-keep-url-rewrites.39091/ 
 
The global urlrewrite also works but each rewrite will be tested for each request across all sites running on the server. Seems like wasted effort for a lot of requests to me. 
1
I found this solution to be the best for my own setup.
 
"Default Web Site" is set to use :80 with IP binding set to "All unassigned"
and no hostname specified. The wwwroot folder only contains a web.config file with the following inside it:
 
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <httpRedirect enabled="true" destination="https://your.domain.com" />
    </system.webServer>
</configuration>
 
The second site would then be set up as per normal SmarterMail guidelines with the :443 with IP binding set to a local server IP address, hostname pointing to a domain name of your choice (i.e. your.domain.com). The appropriate SSL certificate is then selected.
 
Optionally you can enable "Require Server Name indication" but this will mean that older browsers will not be able to display the interface since they don't support this option. I have it enabled simply because I want to make sure that my customers' browser is up-to-date. 
 
Something to keep in mind: Any other domains that you may have pointing toward this web server but not explicitly set up in IIS will automatically be forwarded to SmarterMail login page (due to the above redirect rule)
 
Hope this makes sense :)
0
If port 80 is disabled the user is forced to use https. This shouldn't be an issue for internal use, but not user friendly for external customers.
0
Steve is spot on here, this is exactly what we do to force everyone to https for webmail. This can be done at the server level but we do it at the site level in IIS and it works like a charm.
3
There is a good discussion on this on StackOverflow:
 
stackoverflow.com/questions/46347/iis7-http-https-cleanly
 
Once you're using SSL, you should run a Qualys SSL scan on your site to make sure you're happy with the implementation. The default Windows settings leave you with an F grade on the test in most situations.
 
I did a blog post with screenshots of the steps I took to get the F grade remedied to an A rating:
 
www.oceanbytes.org/2015/03/23/making-the-grade-with-ssl/
 
 
4
Are we going to see a https redirect in place in version 14.x? This has been a long time coming and is a significant one SM needs to focus on if not. We lost a possible new medical client the other day because we could not offer them web based internal https email. Bluntly, I don't want to be messing around with configs and workarounds when at this maturity level of SM we should have it.
0
So important this gets solved, but seems to get little attention.
0
This is so extremely simple to implement yourself using the examples above that I find it hard to understand why this is so important?
0
We have many domains that point to the SM folder. I believe what this thread is asking for is one of 2 things:
1. A turnkey way to do the SSL redirect from the SM software.
2. A clear set of tested and official instructions from ST explaining how to implement for the multi domain environment.
0
Michael, you're spot on.
0
I'm sorry for kicking this old thread.
I installed SM15 on my backup mail server and had to deal with the http > https redirect again.
When you're using IIS then you can set the SSL Settings to Require SSL with a checkmark.
If someone uses http he'll get a 403 error form.
In IIS management you can edit the behaviour of the Error pages.
Edit the settings of the 403 status code, select Respond with a 302 redirect and type your Absolute URL.
 
0
We've heard a lot that security is going to be a big part of future versions. Hope that this enhancement isn't forgotten.
0
Too bad we need to use a workaround; here is the easiest way I've found to do it:
 
I use enom.com as registrar for my domains. In my case, I just set up a "URL Redirect" for webmail.yourdomain.com that points at https://mail.yourdomain.com where mail.yourdomain.com is, of course, the public hostname/IP address of the SM server.
 
Inside the LAN, I use Windows DNS services to point users back at the LAN address of the SM server for mail.yourdomain.com (the enom DNS URL Redirect still works as expected).  Browser requests for hostnames that are not specifically defined on the Windows DNS server are, of course, forwarded to external Internet name servers.
 
The redirect works about 99.9% of the time.  Usually it's a browser problem where it doesn't work, and clearing the cache usually fixes it.
 
 
 
1
Crazy we still have to work around this.
0
I think I understand that you use a split DNS so internal users can use https://mail.yourdomain.com to the LAN IP nr but from the internet users are first redirected from webmail to mail and then end up on the public site of your server?
0
it's a nuisance with MSExchange too
https://blogs.msdn.microsoft.com/kaushal/2013/05/22/http-to-https-redirects-on-iis-7-x-and-higher/
0
Right, but LAN users are also automatically redirected to "https://mail.yourdomain.com" (of course they go directly from there to the LAN address of the SM server) by entering "webmail.yourdomain.com" - the Internet URL Redirect works for that as well.
1
As this old thread is opened, would like to ask below there are couple of options seen in earlier posts but then too where would be better option to achieve
Redirect customer webmail urls to single secure webmail url
 
Thanks
0
See my comment above about using enom's URL Redirect function. Other registrars also have ways to accomplish this. Probably the simplest way, IMO.
2
Old thread this may be, but the need is there and continues to grow stronger.  I would dearly like to redirect any access to the smartermail to use HTTPS. Of course I can enforce HTTPS using IIS, but I want the redirect, not the enforcement.
 
It took me around 10 minutes to code something for one of our websites.  How hard can this be?
2
Seems that security is a huge focus now for Smarter Tools, so it only makes sense to force HTTPS connections to the web interface. Right? Otherwise we've gone about all this effort to protect passwords etc only to let users send those same passwords to the interface via HTTP. Wild.
1
Here is my automated script that does this. I run it after every upgrade (because an upgrade wipes the web.config file). It is written in powershell.
 
# updateWebConfigforSmarterMail.ps1

# This powershell file adds the http->https forwarding xml nodes to a web.config file

Stop-Service "SmarterMail Service"

# This is the path to web.config
$webConfigPath = "C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\Web.config"

[xml] $webConfig = Get-Content $webConfigPath

# This is the new node that we are adding, I'm basically dimming a new var and parsing as an xml node
[xml] $newNode = @"
<rewrite>
  <rules>
    <rule name="Redirect to HTTPS" stopProcessing="true">
      <match url="(.*)" />
      <conditions><add input="{HTTPS}" pattern="^OFF$" /></conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>
"@

$systemWebServer = $webConfig.configuration.'system.webServer'

# Only add the node when it is missing, so a second run does not create a duplicate <rewrite> section
if ($null -eq $systemWebServer.SelectSingleNode('rewrite')) {
    # Now we just need to append the new node to the document in the correct place
    $systemWebServer.AppendChild($webConfig.ImportNode($newNode.DocumentElement, $true)) | Out-Null

    # Web.config now contains the rewrite rule, save it
    $webConfig.Save($webConfigPath)
}

Start-Service "SmarterMail Service"
 
2
Thank you all for your feedback! In the past, we've encouraged a URL rewrite in IIS in order to configure this functionality; however, I'm happy to report that rewrite is no longer necessary! The ability to force HTTPS will soon be included in all products: 
 
SmarterMail
The ability to force HTTPS has been added in SmarterMail 16.x and will be available upon that release within this first quarter of 2017. It will be found in the Miscellaneous Settings > Server Info section. The Administrator will see the following settings: Require SSL and Allow domains to override SSL Requirement
 
UPDATE: In SmarterMail 16.3.6754, a "Force all traffic over HTTPS" setting is available in the domain's configuration options. Log in as the System Admin and go to the Manage icon > Domains section. Click on the domain and you will find this setting on the Security card. For steps on using this feature, please refer to the KB, Force Webmail Traffic Over HTTPS: 
 
SmarterTrack
The ability to force HTTPS was added in SmarterTrack 11.0. In our current version, 12.x, this setting can be found at Settings > Configuration > Security > Options tab. The Administrator will see the following setting: Force all traffic over HTTPS.
 
SmarterStats
The ability to force HTTPS was added in SmarterStats 10.0. In our current version, 11.x, this setting can be found at Settings > General Settings > Options tab. The Administrator will see the following setting: Force all traffic over HTTPS.
 
 
Prior to enabling this setting in SmarterMail, SmarterTrack or SmarterStats, you must ensure the product is set up as a site in IIS and have a valid SSL certificate in place on the server. (Note: This option will not be seen to those using the Hosted SmarterTrack helpdesk, as a secure connection is already in place on the SmarterTools servers.)
 
Thank you all again for your participation on this thread! 

Andrea Rogers
Communications Specialist
SmarterTools Inc.
(877) 357-6278

www.smartertools.com

0
Hi Arthur,

This was very helpful in my case.. however there is a typo in the destination=, it needs quotes, so it should read
<httpRedirect enabled="true" destination="https://your.domain.com" />

Just in case others see this, that is the correct way.

Thanks for posting though,
-dave
0
Thanks for spotting the typo! Corrected.
0
Hi
 
SmarterMail
The ability to force HTTPS has been added in SmarterMail 16.x and will be available upon that release within this first quarter of 2017. It will be found in the Miscellaneous Settings > Server Info section. The Administrator will see the following settings: Require SSL and Allow domains to override SSL Requirement
I am using the latest build of SM16 (June 2018 build) and I don't have this option under server info section.
 
It seems this option is on propage domains and not server info.
we have 10,000 domains per smartermail enterprise server
we have 1 SSL
We want to enforce SSL but we want it to also enforce redirect
can this be added in to smartermail so we can enforce http://mail.domain.com to forward to https://mail-hostname.com
0
Andrea Rogers Replied
Employee Post
Hi Chris. This setting has been updated since my post from January 2017. In our most recent release, 16.3.6754, you can find a "Force all traffic over HTTPS" setting in the domain's configuration options. Log in as the System Admin and go to the Manage icon > Domains section. Click on the domain and you will find this setting on the Security card.

Select this option to force all SmarterTrack traffic over HTTPS. This improves SmarterMail security by allowing all traffic to be encrypted. Note: Prior to enabling this setting, SmarterMail must be set up as a site in IIS and have a valid SSL certificate in place for the SmarterMail site. If this is enabled and a user navigates to the IP address, the server will attempt a rDNS lookup and then redirect accordingly.

As you mentioned, this option can also be found on the Domain Defaults template, allowing you to propagate the setting to all domains on the server.

Our article, Force Webmail Traffic Over HTTPS, should help: https://portal.smartertools.com/kb/a3246/force-webmail-traffic-over-https.aspx

Andrea Rogers
