Support for proxy/sec gateway/LBL: X-Forwarded-For and proxy protocol implementation
Idea shared by Mail Server - March 22 at 12:32 PM
Proposed
Suggestion/Feature request:

Please implement X-Forwarded-For and the proxy protocol for web and mail protocols:

For an up-to-date application design fulfilling security aspects, a proxy/sec gateway ... is absolutely necessary. Best would be Proxy/Sec Gateway -> Application/web Server -> Backend Data store
No way to expose an application/http server directly to the internet. Always use something like F5 LBL, haproxy, nginx, apache, IIS. Not to talk about load balancing, HA setups and SSL offloading.

To fulfill these major app design rules, it is absolutely necessary to implement the X-Forwarded-For header (https://tools.ietf.org/html/rfc7239) and the proxy protocol (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt). A lot of applications do so right now!

Without these features, all IP restrictions, protocol information and IP-restrictions are worthless when using a security-based application design.

So I would really appreciate it if you would think about this really necessary feature for the Web and mail services (imap, smtp ...)

Many Thanks and best regards

4 Replies

0
Matt Petty Replied
Employee Post
So if I'm understanding this correctly.

When SM receives these web requests they are coming from a load-balancer (or web Gateway) with the "X-Forwarded-For" header?
I could see this. We could then verify that if we do see "X-Forwarded-For" that we only accept that header when coming from a known safe IP. Otherwise clients could write this header themselves to bypass IP checks. Thankfully we have a list for these kinds of checks already, bypassed IPs.

What specific purpose does proxy-protocol fill that 'X-Forwarded-For' doesn't? Looking at it, seems like it would be quite a bit of work.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Hi Matt,

Yes, right, the header is inserted by the proxy/LBL. Typically at this point all client-inserted headers are replaced.

X-Forwarded-For is only usable when speaking about the http protocol but not for TCP smtps, imaps, pops ... for these protocols I only know about proxy protocol. However the "best but most complex" solution is a transparent proxy.

...
The protocol is simple enough that it is expected that other implementations will appear, especially in environments such as SMTP, IMAP, FTP, RDP where the client's address is an important piece of information for the server and some intermediaries. In fact, several proprietary deployments have already done so on FTP and SMTP servers.
...
Best regards
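As an added example (not SmarterMail code and not from any poster in this thread), the Python below applies both points raised above: the X-Forwarded-For header is honoured only when the TCP peer is a known proxy, and the same trust check is applied to a PROXY protocol v1 line on a TCP service such as SMTP or IMAP. The trusted-proxy networks and all addresses are constructed for the example.

```python
import ipaddress

# Constructed allow-list of proxies/load balancers permitted to set the header
# or send a PROXY line (an assumption for this example, not a SmarterMail setting).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.0.2.10/32")]


def is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_from_xff(peer_addr, xff_header):
    """Effective client address for an HTTP connection.
    The header is honoured only when the TCP peer is a trusted proxy; otherwise
    a client could forge it to bypass IP checks. The chain is walked right to
    left and the first address that is not a trusted proxy is returned."""
    peer = ipaddress.ip_address(peer_addr)
    if not is_trusted_proxy(peer):
        return peer
    for hop in reversed(xff_header.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            return peer  # malformed or empty hop: fail closed, keep the peer
        if not is_trusted_proxy(addr):
            return addr
    return peer  # every hop was a trusted proxy


def client_ip_from_proxy_v1(peer_addr, first_line):
    """Effective client address for a TCP service (SMTP, IMAP ...) behind a proxy
    speaking PROXY protocol v1 ('PROXY TCP4 src dst sport dport' + CRLF).
    Only honoured from a trusted peer; 'PROXY UNKNOWN' keeps the peer address."""
    peer = ipaddress.ip_address(peer_addr)
    if not is_trusted_proxy(peer):
        return peer
    if not first_line.startswith("PROXY ") or not first_line.endswith("\r\n"):
        raise ValueError("not a PROXY v1 header")
    parts = first_line[:-2].split(" ")
    if parts[1] == "UNKNOWN":
        return peer
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src = ipaddress.ip_address(parts[2])
    if src.version != (4 if parts[1] == "TCP4" else 6):
        raise ValueError("address family mismatch in PROXY v1 header")
    return src
```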

0
Hi Matt, any news concerning the proxy protocol?

Actually I have a constant 24x7 SMTP authentication probe from different countries which can't be handled by the SmarterMail blocking system, because they all come from the local proxy ...

Best regards
0
Kyle Kerst Replied
Employee Post
I've submitted this for you as a feature request/discussion item as Matt is likely tied up with other tasks, and this should help keep it on the radar in the future. In the meantime, physically binding the IP address to the server should allow for your IDS system to function properly. If you're unable to bind the IP directly to the server, I recommend implementing a network level IDS system that can scan traffic during ingress so that the IDS system in SM is not necessary. 
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
