Back to Community Threads
Can I put smartermail behind a proxy (e.g. CloudFlare)
Question asked by Amit Prabhu - 6/14/2022 at 7:00 PM
Unanswered
A
As in title pretty much. I'm working to reduce my organisation's attack surface from external threats; so far we've made rather successful use of Geo blocking and restricting access to Smartermail's web interface from certain regions. But now as we start using cloudflare for this sort of thing, I wonder if I could just drop cloudflare in front of this so the frontend of our system isn't exposed to the internet? What are the considerations before doing this sort of thing?
Zach Sylvester Replied
6/15/2022 at 7:17 AM
Employee Post
Hey Amit, 

Thanks for reaching out to the community. I haven't heard of anyone using Cloudflare with SmarterMail. But theoretically, it would be like any other IIS site. 
Looking forward to hearing your results. 

Kind Regards, 

Zach Sylvester

Software Developer
SmarterTools Inc.
Kyle Kerst Replied
6/15/2022 at 9:44 AM
Employee Post
I have used Cloudflare/SmarterMail together and while most of CF's functionality works nicely, the proxying behavior can lead to trouble with SMTP sessions and spam check verifications and so in my own setup I ended up bypassing the HTTPS and other protocol proxies for best results. 
Kyle Kerst
Lead Internal Network/System Administrator
SmarterTools Inc.
I used with my mail server. MX records should not be proxied. In my view, there is no advantage of using Cloudflare for mail servers.
Zach Sylvester Replied
6/16/2022 at 10:52 AM
Employee Post
Hey Nageswara, 

Thank you for posting. I agree here with the MX records. But I think that Cloudflare could be beneficial for the web interface. It could help prevent DDOS attacks etc. 

Kind Regards, 

Zach Sylvester

Software Developer
SmarterTools Inc.
Built in DDOS is better than CF's.
Lasse B. Replied
9/13/2023 at 1:27 AM
Proxing requests to SmarterMail (eg. to handle some workload on the Webmail) requires SmarterMail to handle the X-Forwarded-For header to get the real IP of the client connecting. Else you just get the IP address of CloudFlare (or your internal proxy) as SmarterMail does not support/handle the X-Forwarded-For header which is a shame. Please implement - it's easy.
Lasse B. Replied
1/24/2024 at 9:36 AM
Hi SmarterTools

Have a look at the following description on how to implement support for proxies and the X-Forwarded-For header in the newest version of SmarterMail (.NET 8), so logging, displaying etc. of the reel clients IP address are correct whenever the client are jumping through Cloudflare, HA Proxies etc:

Configure services for Mailservice.exe:
    services.Configure<ForwardedHeadersOptions>(options =>
    {
        var knownProxyNetworks = configuration.GetValue("KnownProxyNetworks", "").Split(new[]{',',';'}, StringSplitOptions.RemoveEmptyEntries);
        var networkList = knownProxyNetworks.Select(x => x.ToIpNetwork());

        options.ForwardedHeaders = ForwardedHeaders.All;
        options.KnownNetworks.AddRange(networkList);
    });

Add middleware:
app.UseForwardedHeaders();

Make use of the following extension method:
public static class NetworkExtensions
{
    public static IPNetwork ToIpNetwork(this string cidr)
    {
        try
        {
            var delimiterIndex = cidr.IndexOf('/');
            var ipSubnet = cidr.Substring(0, delimiterIndex);
            var mask = cidr.Substring(delimiterIndex + 1);
            var prefixLength = int.Parse(mask);

            var subnetAddress = IPAddress.Parse(ipSubnet);

            return new IPNetwork(subnetAddress, prefixLength);
        }
        catch
        {
            return new IPNetwork(IPAddress.Parse("127.0.0.1"), 32);
        }
    }
}

Configure the Known Proxy Networks:
This is needed so not everyone can inject a fake IP in the X-Forwarded-For header.
So now you just need to pull the "KnownProxyNetworks" value from the system configuration :)
Eg. KnownProxyNetworks = "192.168.10.5/32;192.168.10.13/32"
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management
Configure an Alternative Linux Web Server for SmarterMailSmarterMail > Server Configuration and Management
Force Traffic Over HTTPS when using a Reverse ProxySmarterMail > Server Configuration and Management
500 Error After Upgrading to the Latest BuildSmarterMail > Troubleshooting
Automated SSL certificate Issues.SmarterMail > Troubleshooting