4
Can I put SmarterMail behind a proxy (e.g. Cloudflare)?
Question asked by Amit Prabhu - 6/14/2022 at 7:00 PM
Unanswered
As in title pretty much. I'm working to reduce my organisation's attack surface from external threats; so far we've made rather successful use of Geo blocking and restricting access to SmarterMail's web interface from certain regions. But now as we start using Cloudflare for this sort of thing, I wonder if I could just drop Cloudflare in front of this so the frontend of our system isn't exposed to the internet? What are the considerations before doing this sort of thing?

7 Replies

0
Zach Sylvester Replied
Employee Post
Hey Amit, 

Thanks for reaching out to the community. I haven't heard of anyone using Cloudflare with SmarterMail. But theoretically, it would be like any other IIS site. 
Looking forward to hearing your results. 

Kind Regards, 
Zach Sylvester System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Kyle Kerst Replied
Employee Post
I have used Cloudflare/SmarterMail together, and while most of CF's functionality works nicely, the proxying behavior can lead to trouble with SMTP sessions and spam check verifications, and so in my own setup I ended up bypassing the HTTPS and other protocol proxies for best results.
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
I used it with my mail server. MX records should not be proxied. In my view, there is no advantage in using Cloudflare for mail servers.
0
Zach Sylvester Replied
Employee Post
Hey Nageswara, 

Thank you for posting. I agree here with the MX records. But I think that Cloudflare could be beneficial for the web interface. It could help prevent DDoS attacks, etc.

Kind Regards, 

Zach Sylvester System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Built-in DDoS is better than CF's.
0
Lasse B. Replied
Proxying requests to SmarterMail (e.g. to handle some workload on the Webmail) requires SmarterMail to handle the X-Forwarded-For header to get the real IP of the client connecting. Otherwise you just get the IP address of Cloudflare (or your internal proxy), as SmarterMail does not support/handle the X-Forwarded-For header, which is a shame. Please implement - it's easy.
1
Lasse B. Replied
Hi SmarterTools

Have a look at the following description of how to implement support for proxies and the X-Forwarded-For header in the newest version of SmarterMail (.NET 8), so that logging, displaying etc. of the real client's IP address is correct whenever the client is jumping through Cloudflare, HA Proxies etc.:

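Configure services for Mailservice.exe:
    // Needs at the top of the file: using Microsoft.AspNetCore.HttpOverrides;
    services.Configure<ForwardedHeadersOptions>(options =>
    {
        // Comma- or semicolon-separated CIDR list read from configuration.
        var knownProxyNetworks = configuration.GetValue("KnownProxyNetworks", "").Split(new[]{',',';'}, StringSplitOptions.RemoveEmptyEntries);
        var networkList = knownProxyNetworks.Select(x => x.Trim().ToIpNetwork());

        options.ForwardedHeaders = ForwardedHeaders.All;
        // KnownNetworks is an IList<IPNetwork>, which has no AddRange, so add the entries one by one.
        foreach (var network in networkList)
            options.KnownNetworks.Add(network);
    });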

Add middleware:
app.UseForwardedHeaders();

Make use of the following extension method:
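using System.Net;
// .NET 8 also defines System.Net.IPNetwork; KnownNetworks expects the HttpOverrides type.
using IPNetwork = Microsoft.AspNetCore.HttpOverrides.IPNetwork;

public static class NetworkExtensions
{
    // Parses "address/prefix" CIDR text into an IPNetwork.
    public static IPNetwork ToIpNetwork(this string cidr)
    {
        try
        {
            var delimiterIndex = cidr.IndexOf('/');
            var ipSubnet = cidr.Substring(0, delimiterIndex);
            var mask = cidr.Substring(delimiterIndex + 1);
            var prefixLength = int.Parse(mask);

            var subnetAddress = IPAddress.Parse(ipSubnet);

            return new IPNetwork(subnetAddress, prefixLength);
        }
        catch
        {
            // A malformed entry falls back to 127.0.0.1/32. Loopback is already trusted by the
            // ForwardedHeadersOptions defaults, so a typo in the list is silently ignored.
            return new IPNetwork(IPAddress.Parse("127.0.0.1"), 32);
        }
    }
}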

Configure the Known Proxy Networks:
This is needed so not everyone can inject a fake IP in the X-Forwarded-For header.
So now you just need to pull the "KnownProxyNetworks" value from the system configuration :)
E.g. KnownProxyNetworks = "192.168.10.5/32;192.168.10.13/32"

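Why the known-proxy list in the last post matters, as an added example that is not part of the original thread and is not SmarterMail or ASP.NET Core code: a simplified C# (.NET 8) model of right-to-left X-Forwarded-For resolution, run over a directly connected client and a proxied client that both send a forged header. `XffModel`, `ResolveClient` and every address except the post's KnownProxyNetworks value are constructed for illustration.

```csharp
// Added example: simplified model of how a trusted-proxy list gates X-Forwarded-For.
// Not SmarterMail or ASP.NET Core source; all client addresses are constructed samples.
using System;
using System.Linq;
using System.Net;

// Same value and separators as the KnownProxyNetworks example in the post above.
var known = "192.168.10.5/32;192.168.10.13/32"
    .Split(new[] { ',', ';' }, StringSplitOptions.RemoveEmptyEntries)
    .Select(cidr => IPNetwork.Parse(cidr.Trim())) // System.Net.IPNetwork; throws on a bad entry
    .ToArray();

// (TCP peer, X-Forwarded-For value, forward limit, expected client address)
var cases = new[]
{
    ("192.168.10.5", "198.51.100.23", 1, "198.51.100.23"),          // via a trusted proxy
    ("203.0.113.50", "10.0.0.1", 1, "203.0.113.50"),                // direct client, forged header
    ("192.168.10.5", "10.0.0.1, 203.0.113.50", 1, "203.0.113.50"),  // forged entry left of the proxy's
    ("192.168.10.5", "10.0.0.1, 203.0.113.50", 2, "203.0.113.50"),  // next hop is not a known proxy
};

foreach (var (peer, header, limit, expected) in cases)
{
    var got = XffModel.ResolveClient(IPAddress.Parse(peer), header, known, limit);
    Console.WriteLine($"peer={peer} xff=\"{header}\" limit={limit} -> {got}");
    if (!got.Equals(IPAddress.Parse(expected))) throw new Exception($"expected {expected}");
}

static class XffModel
{
    // Walks the header right to left; a hop is accepted only if the address
    // that delivered it lies inside one of the known proxy networks.
    public static IPAddress ResolveClient(IPAddress peer, string header, IPNetwork[] known, int forwardLimit)
    {
        var current = peer;
        var hops = header.Split(',', StringSplitOptions.RemoveEmptyEntries)
                         .Select(h => h.Trim()).ToArray();
        for (int i = hops.Length - 1, used = 0; i >= 0 && used < forwardLimit; i--, used++)
        {
            if (!known.Any(n => n.Contains(current))) break;        // sender not trusted: stop
            if (!IPAddress.TryParse(hops[i], out var next)) break;  // malformed entry: stop
            current = next;
        }
        return current;
    }
}
```

With an empty known list every case resolves to the TCP peer, which is the behaviour the thread reports for a proxy in front of a server that ignores the header.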