10
Support for proxy/sec gateway/LBL: X-Forwarded-For and proxy protocol implementation
Idea shared by Mail Server - 3/22/2019 at 12:32 PM
Proposed
Suggestion/Feature request:

Please implement X-Forwarded-For and the proxy protocol for web and mail protocols:

For an up-to-date application design fulfilling security aspects, a proxy/sec gateway ... is absolutely necessary. Best would be Proxy/Sec Gateway -> Application/Web Server -> Backend Data Store.
There is no way to expose an application/HTTP server directly to the internet. Always use something like F5 LBL, haproxy, nginx, Apache, IIS. Not to talk about load balancing, HA setups and SSL offloading.

To fulfill these major app design rules, it is an absolute need to implement the X-Forwarded-For header (https://tools.ietf.org/html/rfc7239) and the proxy protocol (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt). A lot of applications do so right now!

Without these features, all IP restrictions, protocol information and IP restrictions are worthless when using a security-based application design.

So I would really appreciate it if you would think about these really necessary features for the web and mail services (IMAP, SMTP ...).

Many Thanks and best regards

20 Replies

0
Matt Petty Replied
Employee Post
So, if I'm understanding this correctly:

When SM receives these web requests, they are coming from a load balancer (or web gateway) with the "X-Forwarded-For" header?
I could see this. We could then verify that, if we do see "X-Forwarded-For", we only accept that header when it comes from a known safe IP. Otherwise clients could write this header themselves to bypass IP checks. Thankfully we already have a list for these kinds of checks: bypassed IPs.

What specific purpose does proxy-protocol fill that 'X-Forwarded-For' doesn't? Looking at it, seems like it would be quite a bit of work.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
0
Hi Matt,

Yes, right, the header is inserted by the proxy/LBL. Typically at this point all client-inserted headers are replaced.

X-Forwarded-For is only usable when speaking about the HTTP protocol, but not for TCP SMTPS, IMAPS, POPS ... For these protocols I only know about the proxy protocol. However, the "best but most complex" solution is a transparent proxy.

...
The protocol is simple enough that it is expected that other implementations will appear, especially in environments such as SMTP, IMAP, FTP, RDP where the client's address is an important piece of information for the server and some intermediaries. In fact, several proprietary deployments have already done so on FTP and SMTP servers.
...
Best regards
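To make concrete what the proxy protocol carries that X-Forwarded-For cannot for plain TCP services such as SMTP and IMAP, here is an added example written for this thread (Python; it is not haproxy, dovecot or SmarterMail code). It parses both the v1 text header and the v2 binary header described in the haproxy specification linked above, and it honours a header only when the TCP peer is in a configured list of trusted proxy addresses, which is the "known safe IP" check Matt describes: a client that connects directly and sends its own PROXY line is rejected rather than believed. The proxy address 192.168.10.5 (mentioned later in the thread) and the client address 203.0.113.7 are constructed sample values.

```python
"""PROXY protocol header parsing for a TCP service (SMTP, IMAP, ...) behind
haproxy.  Added example for this thread; not haproxy, dovecot or SmarterMail
code.  All addresses below are constructed sample values."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fixed 12-byte signature that starts every v2 header.
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


@dataclass(frozen=True)
class ProxyInfo:
    src_ip: str     # the real client address as seen by the proxy
    src_port: int
    dst_ip: str     # the address the client connected to (the proxy front end)
    dst_port: int


def parse_v1(line: bytes) -> Optional[ProxyInfo]:
    """v1 text form: 'PROXY TCP4 <src> <dst> <sport> <dport>\\r\\n' (<= 107 bytes).
    Returns None for 'PROXY UNKNOWN', sent when the proxy has no client address."""
    if len(line) > 107 or not line.endswith(b"\r\n"):
        raise ValueError("malformed PROXY v1 line")
    parts = line[:-2].decode("ascii").split(" ")
    if parts[0] != "PROXY":
        raise ValueError("missing PROXY keyword")
    if parts[1] == "UNKNOWN":
        return None
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported v1 family or field count")
    addr_type = ipaddress.IPv4Address if parts[1] == "TCP4" else ipaddress.IPv6Address
    src, dst = addr_type(parts[2]), addr_type(parts[3])  # raises on a bad address
    sport, dport = int(parts[4]), int(parts[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return ProxyInfo(str(src), sport, str(dst), dport)


def parse_v2(data: bytes) -> Tuple[Optional[ProxyInfo], int]:
    """v2 binary form.  Returns (info, bytes_consumed); what follows the header
    is the start of the real protocol stream (e.g. the SMTP EHLO)."""
    if len(data) < 16 or data[:12] != V2_SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("not PROXY protocol version 2")
    end = 16 + length
    if len(data) < end:
        raise ValueError("truncated PROXY v2 header")
    command = ver_cmd & 0x0F
    if command == 0x0:          # LOCAL: the proxy itself connected (health check)
        return None, end
    if command != 0x1:          # only PROXY is defined besides LOCAL
        raise ValueError("unknown v2 command")
    body = data[16:end]
    if fam_proto == 0x11 and len(body) >= 12:      # AF_INET + STREAM: 4+4+2+2
        s, d, sp, dp = struct.unpack("!4s4sHH", body[:12])
        addr_type = ipaddress.IPv4Address
    elif fam_proto == 0x21 and len(body) >= 36:    # AF_INET6 + STREAM: 16+16+2+2
        s, d, sp, dp = struct.unpack("!16s16sHH", body[:36])
        addr_type = ipaddress.IPv6Address
    else:
        raise ValueError("unsupported v2 address family/protocol or short body")
    return ProxyInfo(str(addr_type(s)), sp, str(addr_type(d)), dp), end


def client_address(peer_ip: str, first_bytes: bytes, trusted_proxies: List[str]) -> str:
    """Decide which address IP restrictions and logs should use.
    The header is honoured only when the TCP peer is a trusted proxy.  An
    untrusted peer that sends a PROXY header is spoofing and is rejected; an
    untrusted peer without one is simply a direct client."""
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in ipaddress.ip_network(n, strict=False) for n in trusted_proxies)
    looks_like_header = first_bytes.startswith(b"PROXY ") or first_bytes.startswith(V2_SIGNATURE)
    if not trusted:
        if looks_like_header:
            raise PermissionError(f"PROXY header from untrusted peer {peer_ip}")
        return peer_ip
    if not looks_like_header:
        raise ValueError(f"trusted proxy {peer_ip} sent no PROXY header")
    if first_bytes.startswith(V2_SIGNATURE):
        info, _ = parse_v2(first_bytes)
    else:
        line_end = first_bytes.find(b"\r\n")
        if line_end < 0:
            raise ValueError("PROXY v1 line not terminated")
        info = parse_v1(first_bytes[:line_end + 2])
    return info.src_ip if info else peer_ip


# Constructed samples: haproxy at 192.168.10.5 forwarding client 203.0.113.7 to port 25.
SAMPLE_V1 = b"PROXY TCP4 203.0.113.7 192.168.10.5 51234 25\r\n"
SAMPLE_V2 = (V2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", 12)
             + ipaddress.IPv4Address("203.0.113.7").packed
             + ipaddress.IPv4Address("192.168.10.5").packed
             + struct.pack("!HH", 51234, 25))
TRUSTED_PROXIES = ["192.168.10.5/32"]

if __name__ == "__main__":
    print(client_address("192.168.10.5", SAMPLE_V1 + b"EHLO mail.example\r\n", TRUSTED_PROXIES))
    print(client_address("192.168.10.5", SAMPLE_V2, TRUSTED_PROXIES))
```

The gate in client_address is the part that matters for the blocking system discussed in this thread: the header can only come from the peer that haproxy connects from, so a direct connection carrying a forged PROXY line is dropped instead of laundering the attacker's address.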

0
Hi Matt, any news concerning the proxy protocol?

Actually I have a constant 24x7 SMTP authentication probe from different countries which can't be handled by the SmarterMail blocking system, because they all come from the local proxy ...

Best regards
0
Kyle Kerst Replied
Employee Post
I've submitted this for you as a feature request/discussion item as Matt is likely tied up with other tasks, and this should help keep it on the radar in the future. In the meantime, physically binding the IP address to the server should allow for your IDS system to function properly. If you're unable to bind the IP directly to the server, I recommend implementing a network level IDS system that can scan traffic during ingress so that the IDS system in SM is not necessary. 
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
0
Dear Kyle, many thanks for submitting. Alas, binding is not the solution, because I run haproxy in front of SmarterMail. So all client connections terminate in haproxy. Then haproxy connects to SmarterMail. In consequence SmarterMail only sees the haproxy IP. This is what the proxy protocol fixes. Running an external IDS doesn't give me the opportunity to, e.g., allow the admin login to SmarterMail only from a specific IP, or to disable an external IP which constantly probes logins for SMTP Auth.

Best regards
1
Hello Kyle,

did you discuss the support for this datacenter enterprise setup internally?

Best regards

Lars
3
Hello, this is a feature we are looking for too, but also for mail protocols, as we are going to proxy IMAP/POP/SUBMISSION through dovecot frontend servers in proxy mode.

Some other servers support this (at least dovecot, cyrus), for example:

It would be nice to have it so the logs can contain the real client IP address.
Sébastien Riccio System & Network Admin https://swisscenter.com
2
Hi all,
are there any news to enhance SmarterMail in proxy security setups to support this?
Any time frame for implementation?
Many thanks
Lars
0
In this case, if you use dovecot you can get the real IP in the info.log.
0
+1
Sébastien Riccio System & Network Admin https://swisscenter.com
1
Kyle Kerst Replied
Employee Post
This has been submitted as a feature request, and so unfortunately I cannot provide you an ETA on this. This request will be re-visited and re-evaluated in the future by our Product Management team. Based on its appeal to the wide range of users of our products and the popularity of the feature, this functionality may be included in a future Build.
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
1
Interested as well, especially for this use case: seamlessly migrate a tenant to another backend server without changing the IMAP/SMTP/Web addresses for them.
Would help with migrating customers into SmarterMail from other products (a few at a time, instead of all of them at once), or to balance backend server usage.
Without proxy support, all the IP filtering and logging done by SmarterMail would see the forwarder IP.
0
+1 for supporting PROXY protocol for any TCP/UDP-based services offered by SmarterMail and additionally, X-Forwarded-For: from trusted source addresses for any HTTP/HTTPS-based services offered by SmarterMail through IIS.
0
Hi all,
are there any plans to implement these security-relevant functions soon?
Thanks & regards
Lars
0
+1 really looking forward to this
0
Would like to see an option to use "X-Forwarded-For" from trusted source IP addresses for HTTP/HTTPS requests, so log files about web users and logins to webmail are correct.
0
Hmmm, that would be something you configure at the IIS level, I guess?

I know how to do it for Apache or nginx, but not IIS.
Sébastien Riccio System & Network Admin https://swisscenter.com
4
This thread is more than 3 years old. What is happening with such a simple feature?

I would really like to see the option to use "X-Forwarded-For" from trusted source IP addresses for HTTP/HTTPS requests to webmail, so log files about web users' IP addresses and logins to webmail are correct, as all active webmail users are currently listed with IP 192.168.10.5, which is our proxy.

And I'm not sure what Sébastien is talking about, as it's NOT possible to get the correct real IP of the connecting client via HTTP/HTTPS without the X-Forwarded-For header. So please implement.

If you need the code for .NET Core just ask me. We always implement this in our .NET Core projects.

Thanks :-)
1
Push
1
SmarterTools, here is the code for .NET that enables the option to configure trusted proxy IP addresses in CIDR format like 192.168.25.10/32:

First, an extension method:
using System.Net;
using System.Net.Sockets;
// The alias avoids ambiguity with System.Net.IPNetwork, which exists from .NET 8 on;
// ForwardedHeadersOptions.KnownNetworks expects the HttpOverrides type.
using IPNetwork = Microsoft.AspNetCore.HttpOverrides.IPNetwork;

namespace Xperion.BusinessCenter.Extensions;

public static class NetworkExtensions
{
    /// <summary>
    /// Parses "address/prefixLength" (e.g. "192.168.25.10/32") into an IPNetwork.
    /// A bare address without "/prefixLength" is treated as a single host (/32 or /128)
    /// instead of silently falling through to the catch block.
    /// </summary>
    public static IPNetwork ToIpNetwork(this string cidr)
    {
        try
        {
            var delimiterIndex = cidr.IndexOf('/');
            var ipSubnet = delimiterIndex < 0 ? cidr.Trim() : cidr.Substring(0, delimiterIndex).Trim();
            var subnetAddress = IPAddress.Parse(ipSubnet);

            var prefixLength = delimiterIndex < 0
                ? (subnetAddress.AddressFamily == AddressFamily.InterNetworkV6 ? 128 : 32)
                : int.Parse(cidr.Substring(delimiterIndex + 1).Trim());

            return new IPNetwork(subnetAddress, prefixLength);
        }
        catch
        {
            // Unparseable entry: fall back to loopback only, so a typo in the
            // configuration never widens the set of trusted proxies to remote hosts.
            return new IPNetwork(IPAddress.Parse("127.0.0.1"), 32);
        }
    }
}
Then the service configuration for ForwardedHeadersOptions (found in Microsoft.AspNetCore.HttpOverrides.dll), which gets the known trusted proxy IPs in CIDR format from the configuration, or from wherever else you have them.

using System.Linq;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Xperion.BusinessCenter.Extensions;

services.Configure<ForwardedHeadersOptions>(options =>
{
    // e.g. "KnownProxyNetworks": "192.168.25.10/32;10.0.0.0/8" in appsettings.json
    var knownProxyNetworks = configuration
        .GetValue("KnownProxyNetworks", "")
        .Split(new[] { ',', ';' }, StringSplitOptions.RemoveEmptyEntries);

    options.ForwardedHeaders = ForwardedHeaders.All;

    // KnownNetworks is an IList<IPNetwork>, which has no AddRange, so add one by one.
    foreach (var network in knownProxyNetworks.Select(x => x.ToIpNetwork()))
    {
        options.KnownNetworks.Add(network);
    }
});
// The options only take effect once app.UseForwardedHeaders() is registered early in
// the pipeline, before any middleware that reads RemoteIpAddress for logging or IP checks.
Let's implement it so the real IP of the clients is shown in log files, the logged-in users overview etc.
Thanks :-)
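As an added example of the trust logic behind Matt's "only accept the header from a known safe IP" remark and the KnownNetworks setting in the .NET code above (Python, written for this thread; not SmarterMail's code and not the poster's): it walks X-Forwarded-For right to left starting from the TCP peer, the way ASP.NET Core's ForwardedHeadersMiddleware does, and only steps past an address that is itself a known proxy. It also reproduces the posted CIDR parsing (a bare address counts as a single host) and exposes the forward-limit behaviour, which defaults to one hop in ASP.NET Core and matters as soon as more than one proxy sits in front of the server. All addresses and the KnownProxyNetworks string are constructed sample values.

```python
"""Resolve the real client address from X-Forwarded-For, trusting only known
proxies.  Added example for this thread, not SmarterMail or the posted .NET
code.  All addresses are constructed sample values."""
import ipaddress
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_cidr(text: str) -> Network:
    """Accept '192.168.25.10/32' or a bare address, which becomes a host route."""
    text = text.strip()
    if "/" not in text:
        addr = ipaddress.ip_address(text)
        text = f"{addr}/{addr.max_prefixlen}"
    return ipaddress.ip_network(text, strict=False)


def load_known_networks(setting: str) -> List[Network]:
    """Same input shape as the posted KnownProxyNetworks setting: ',' or ';' separated."""
    return [parse_cidr(p) for p in setting.replace(";", ",").split(",") if p.strip()]


def is_known_proxy(addr, networks: List[Network]) -> bool:
    # 'in' returns False across address families, so mixed v4/v6 lists are safe.
    return any(addr in n for n in networks)


def resolve_client_ip(peer_ip: str, x_forwarded_for: Optional[str],
                      known_networks: List[Network], forward_limit: int = 1) -> str:
    """Walk X-Forwarded-For right to left, as ForwardedHeadersMiddleware does.

    The TCP peer is the only address known to be genuine.  One header entry
    is consumed per hop, and only while the address that handed us the request
    is a known proxy; a header written by a client connecting directly is
    therefore ignored.  forward_limit caps the hops (ASP.NET defaults to 1)."""
    candidate = ipaddress.ip_address(peer_ip)
    if not x_forwarded_for:
        return str(candidate)
    entries = [e.strip() for e in x_forwarded_for.split(",")]
    hops = 0
    while entries and hops < forward_limit and is_known_proxy(candidate, known_networks):
        try:
            next_hop = ipaddress.ip_address(entries.pop())
        except ValueError:
            break  # malformed entry: stop at the last good address rather than trust garbage
        candidate = next_hop
        hops += 1
    return str(candidate)


# Constructed sample configuration: haproxy at 192.168.10.5, an inner proxy tier in 10.0.0.0/8.
KNOWN = load_known_networks("192.168.10.5/32;10.0.0.0/8")

if __name__ == "__main__":
    # Real client behind haproxy.
    print(resolve_client_ip("192.168.10.5", "203.0.113.7", KNOWN))
    # Direct client forging the header: the peer address wins.
    print(resolve_client_ip("198.51.100.9", "127.0.0.1", KNOWN))
    # Two proxy tiers: with the default limit of 1 the inner proxy is reported.
    print(resolve_client_ip("192.168.10.5", "203.0.113.7, 10.0.0.2", KNOWN))
    print(resolve_client_ip("192.168.10.5", "203.0.113.7, 10.0.0.2", KNOWN, forward_limit=2))
```

The two-tier case is the one to check after deploying the posted configuration: if an F5 or another haproxy sits in front of the one SmarterMail sees, the default limit of one hop reports the inner proxy's address, and the limit (ForwardLimit in ASP.NET Core) has to match the number of trusted hops.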
