3
Force all traffic over HTTPS
Question asked by Ant - 11/21/2017 at 1:03 PM
Answered
Changing this setting doesn't do anything on my installation. What does it actually do? 
 
I have it switched on for my test domain and I can't see any difference in the traffic whether it's switched on or not, whether I'm logging in over HTTP or HTTPS. Additionally I'm a bit confused as to why it's set on each domain as opposed to server-wide.
 
I thought I remembered reading that SM16 would automatically have a setting that would redirect over to HTTPS, but this 'Force all traffic over HTTPS' is the only HTTPS-related setting I can find. In SM versions before 16 I ran two separate sites, one listening on HTTP with a redirect to the one listening on HTTPS. This meant I didn't have to reconfigure the redirect with each minor version update. I've set my single SM16 site to listen on both HTTP and HTTPS bindings but logins can still happen over HTTP.
 
Did I misunderstand and do I still need my own method of enforcing HTTPS?
 
 

17 Replies

0
Employee Replied
Employee Post
Hi Ant,
 
Forcing all traffic over HTTPS is a three-step process that includes a.) installing a valid SSL certificate on the server, b.) setting up SmarterMail in IIS and c.) enabling the setting within SmarterMail for each domain where you want to enforce HTTPS access. We have a knowledge base article that outlines these steps. Please check it out and let me know if you have any questions!
 
Force Webmail Traffic Over HTTPS:
0
Ant Replied
Hi Andrea, I've seen this but it doesn't answer my questions. Whether that setting is ticked or un-ticked for a domain doesn't make any difference.
0
Ant Replied
It also seems strange that arguably the most important part to force HTTPS on is the root screen where the username/password is transmitted. But there doesn't seem to be a setting to force it here.
0
Employee Replied
Employee Post Marked As Answer
Hi Ant,
 
If an SSL certificate is configured for the domain, and enabling the Force All Traffic Over HTTPS setting does not actually force an HTTPS redirect, I'd encourage you to reach out to the Support Department for a technical review. The Email Ticket on your account can be submitted to the Support Department using the Tickets button above. Please keep in mind that if this issue is found to be caused by a bug in SmarterMail, that ticket will be refunded back to your account for future use. 
0
Ant Replied
Hi Andrea, thanks but what I'm really after is more information on what it's meant to do. I.e. if the domain is set to Force All Traffic Over HTTPS, when would the HTTPS redirect take place? To me, if the login screen is served over HTTP, then 'forcing traffic to HTTPS' will already happen too late as an email address and/or password would've already been transmitted to the server to see whether the domain has 'force traffic to HTTPS' enabled.
0
Matt Petty Replied
Employee Post
Yes the redirect occurs immediately upon any request to the site. So if I hit the login page over HTTP, I get redirected to the login page over HTTPS.

You can see it in action here, http://mail.smartertools.com (you get redirected to HTTPS)
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
0
Ant Replied
Hi Matt, that redirected me - but then I don't understand why the Force HTTPS setting is set on each domain? That server redirects everyone (as it redirected me before I typed anything in). Say, hypothetically, that right now I had a mailbox on mail.smartertools.com for a domain that didn't have Force traffic to HTTPS enabled, it's still redirecting me even before I enter my email address / password.
0
Matt Petty Replied
Employee Post
We look at the URL to determine if the redirect should occur or not then reference that against the list of domains with the redirect turned on/off.

Some domains may not have an SSL certificate set up, which is one of the reasons why it is done on a per-domain basis.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
0
Ant Replied
Ok this is starting to make sense. What happens if two domains share the same URL, one of them has Force HTTPS enabled and the other doesn't?
I'm assuming it's the 'Hostname' field in the domain settings that is used to match on the URL.
0
Matt Petty Replied
Employee Post
We match based off of the domain name within SmarterMail. We don't use the hostname field in this case.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
0
Ant Replied
Ahh ok. In my setup all the domains use the same mail.<mydomain>.com. None use their own domain. I think it's safe to say then that this effectively renders the Force HTTPS setting ineffective?
0
Matt Petty Replied
Employee Post
No, we check subdomains as well. So if you have a mail. or email. or whatever, we take those into account. So if we accessed SM using this.is.will.still.get.redirected.smartertools.com for example, it would still work for smartertools.com.

You could still make it work if you made a domain that matches the domain you have people access and set Force on that.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
0
Ant Replied
I mean all the domains in my setup access on the same mail.MyHostingCompanyName.com, not on their own mail.TheirDomain.com
0
Matt Petty Replied
Employee Post
Are you hosting MyHostingCompanyName.com on that machine as well? Setting Force on that should still work.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
0
Ant Replied
Got it - that did it. Thanks Matt for the explanation. I added MyHostingCompanyName.com (and set the delivery setting to 'Use MX record', so users can still email for support) and it's working now. I wonder if you could explore adding the 'Hostname' field for matching on whether the redirect should happen?
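
A model of the matching behaviour Matt Petty describes in this thread, added here as an example; it is not SmarterMail's code. The function names, the label-boundary suffix match, the dropped port and the sample domain tables (built from the placeholder names used above) are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample data: domain name -> "Force all traffic over HTTPS" flag.
# Names are the placeholders used in the thread, not real configuration.
BEFORE = {"theirdomain.com": True}
AFTER = {"theirdomain.com": True, "myhostingcompanyname.com": True}


def matching_domain(host, domains):
    """Return the configured domain equal to host or a parent of it, else None."""
    labels = host.lower().rstrip(".").split(".")
    # Try the full host first, then strip one leading label at a time, so
    # matches fall on label boundaries and the most specific domain wins.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def redirect_target(url, domains):
    """Return the HTTPS URL to redirect to, or None if the request is served as-is."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return None
    domain = matching_domain(parts.hostname, domains)
    if domain is None or not domains[domain]:
        return None  # no domain claims this host, or the flag is off
    # Assumption: HTTPS listens on the default port, so any explicit port is dropped.
    return parts._replace(scheme="https", netloc=parts.hostname).geturl()


def uncovered_hosts(access_hosts, domains):
    """List the access hostnames whose plain-HTTP login page would not be redirected."""
    return [h for h in access_hosts
            if redirect_target(f"http://{h}/", domains) is None]
```

Running `uncovered_hosts` over every hostname users actually type, against the list of domains that have the setting enabled, shows which login pages are still reachable over plain HTTP.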
0
Matt Petty Replied
Employee Post
Yea, I could see the argument there. Could suggest it in a new thread that way we can track it.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
0
David Finley Replied
If anyone is still working on this, we found that using the IIS rewrite module we were able to achieve the redirect. The module makes this process much easier than hacking files to achieve the same outcome.

We created a blog post to cover exactly what we did.
https://interactivewebs.com/index.php/smartermail/smartermail-force-https/

Hope it helps!

http://www.interactivewebs.com
