SmarterMail with Web Application Firewall?
Question asked by Douglas Foster - 3/15/2024 at 6:49 AM
This question is a follow-up to this forum topic:

One PCI DSS requirement says that all externally-facing websites should be behind a Web Application Firewall (WAF) product.   In theory this makes sense, because a WAF product should be able to protect against maliciously malformed data, such as a 500-character response in a field that is configured with MaxLength=5.  Typical web application developers cannot anticipate and test for all possible malformed responses, so a specialized product is needed.

Additionally, PCI DSS specifies that remote access should use two-factor authentication, with good reason.   Unfortunately, the SmarterMail implementation of 2-factor is hard to love, because it is not sensitive to whether a connection is remote or local.   Administrators can control which users require 2-factor logins, but we cannot control whether an account can be used remotely.   Consequently, a defense based on 2-factor authentication requires that it be enabled on all accounts, including generic accounts that are shared by multiple users.   For users who usually or always access SmarterMail locally, adding 2-factor to their internal work environment is an unattractive burden that will produce complaints.

Consequently, I am looking to implement a WAF site which:
  • Is positioned at the network perimeter, to intercept remote connections,
  • Authenticates users to decide whether a particular account can be used remotely with webmail, and
  • Provides 2-factor authentication for those connections.
SmarterMail support has already told me that I am on my own for this undertaking.  I don't think I should be, because PCI DSS requirements (and general network security principles) apply to everybody.  

So far, I have tried two different WAF products, but have been unable to get either of them working.  Has anyone found a WAF product that can co-exist with SmarterMail?
Am I the only one that has this concern?

5 Replies

SmP Replied
When it comes to mail platforms, you'd run into a similar scenario with any mainstream email product out there based on what you're trying to do -

SmarterMail already offers 2FA but it almost sounds like you're wanting to place a layer ahead of that, which is certainly possible. If you're trying to prevent external connections to webmail, you could do that with a VPN and deny access to the rest of the Internet on those IIS ports. This is rather unique to your situation and not something that we've seen with deployments on 365, Google Workspace, or SmarterMail.

Sorry, I read over both this and the thread you referenced.  Maybe I am just too old school and you are using newer terminology for the same thing, but I honestly could not follow along.

We use pfSense as the firewall in front of our web servers. It is free and open source. It also has the ability to install additional plugins through "Package Manager"
- pfBlockerNG to help manage other things: GeoBlocking, IP ban feeds, and such,
- WireGuard for VPN setups

Plus there are a variety of other tools for it.
www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, we have refurbished over 11,000 computers!
Douglas Foster Replied
In your pfSense implementation do you have a WAF login page sitting in front of the SmarterMail login?  (My WAF product calls it "reverse authentication".)  That is where my problem occurs.

It appears that the WAF site needs to track its own authentication structure, so it discards the SmarterMail authentication data.   The SmarterMail login page completes a successful login, but since the authentication structure is lost immediately after it is provided, webmail cannot proceed to the next page.

One solution would be to fix or replace the WAF product so that both authentications are preserved.

The other option would be to create an intermediary website to obtain credentials, log into SmarterMail using the API, then redirect quickly to the autologin URL, as partially documented here:

Don't know if we will pursue one of these or give up.
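
The failure described above (the front-end login layer keeping only its own session and discarding the cookies SmarterMail sets, so webmail's login succeeds but the next page has no session), together with the requirements listed in the question (a perimeter gate that decides which accounts may be used remotely and adds a second factor), can be illustrated in a few dozen lines. The example below is an added sketch written for this thread; it is not SmarterMail's code, not any WAF vendor's code, and it does not use the SmarterMail API. It shows the first of the two options: the gate owns exactly one cookie (`gate_session`, an assumed name), checks an account allow-list and a TOTP code for remote clients, and then forwards requests and responses with every other cookie untouched, so SmarterMail's own login continues to work behind it. The account table, the cookie name and the TOTP key (the RFC 6238 reference key) are assumptions for the demo; a real deployment would keep secrets and sessions in a store, not in module-level dicts.

```python
"""Minimal 'reverse authentication' gate for a webmail reverse proxy.

Illustration added for this thread, not SmarterMail or WAF-vendor code.
The gate keeps one cookie of its own (GATE_COOKIE) and never drops the
cookies the upstream webmail sets, so both logins survive the round trip.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from http.cookies import SimpleCookie
from typing import List, Optional, Tuple

GATE_COOKIE = "gate_session"   # assumed cookie name owned by the gate only

# Assumed policy table: accounts allowed to use webmail from the Internet,
# each with its TOTP secret (base32).  Anything not listed is LAN-only.
# The key below is the RFC 6238 reference key ("12345678901234567890").
REMOTE_ACCOUNTS = {
    "dfoster": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
}

_sessions = {}   # gate session id -> account (in-memory for the demo)


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, standard library only."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def remote_login(account: str, code: str, now: Optional[int] = None) -> Optional[str]:
    """Gate login from the Internet side.  Returns a new gate session id when
    the account is remote-enabled and the code matches the current or an
    adjacent 30 s window; returns None (refuse) otherwise."""
    secret = REMOTE_ACCOUNTS.get(account)
    if secret is None:
        return None                       # LAN-only account: never usable remotely
    now = int(time.time()) if now is None else now
    for skew in (-1, 0, 1):
        if hmac.compare_digest(totp(secret, now + skew * 30), code):
            sid = secrets.token_urlsafe(32)
            _sessions[sid] = account
            return sid
    return None


def gate_request(cookie_header: str) -> Tuple[str, str]:
    """Request side.  Returns (action, cookie_header_for_upstream).
    'challenge' means serve the gate's own login page; 'forward' means pass
    the request to webmail with every cookie except the gate's own intact,
    so SmarterMail still sees the session it issued."""
    jar = SimpleCookie(cookie_header)
    sid = jar[GATE_COOKIE].value if GATE_COOKIE in jar else None
    if sid not in _sessions:
        return "challenge", ""
    upstream = "; ".join(f"{k}={m.value}" for k, m in jar.items() if k != GATE_COOKIE)
    return "forward", upstream


def merge_set_cookie(upstream_set_cookie: List[str], gate_sid: Optional[str]) -> List[str]:
    """Response side.  Keep every Set-Cookie header the upstream sent and
    append the gate's own instead of replacing them; replacing them is the
    failure mode where webmail logs in but cannot proceed."""
    out = list(upstream_set_cookie)
    if gate_sid:
        out.append(f"{GATE_COOKIE}={gate_sid}; Path=/; Secure; HttpOnly; SameSite=Lax")
    return out


if __name__ == "__main__":
    # Constructed walk-through: remote login, then a forwarded request.
    sid = remote_login("dfoster", totp(REMOTE_ACCOUNTS["dfoster"], int(time.time())))
    print("gate session:", sid)
    print(gate_request(f"SmarterMailSession=abc123; {GATE_COOKIE}={sid}"))
    print(merge_set_cookie(["SmarterMailSession=abc123; Path=/; HttpOnly"], sid))
```

The two things to check in any real front-end product are the same two functions show: the request path must forward the upstream's cookies rather than only its own, and the response path must append its Set-Cookie rather than overwrite the upstream's. Accounts missing from the allow-list are refused before any credential reaches SmarterMail, which is how "this account may not be used remotely" is enforced without turning 2FA on for LAN-only users.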

Douglas Foster Replied
This post was also fighting WAF issues, but did not obtain an answer for his problems.
Mark Johnson Replied
Our security team also wants us to try adding Cloudflare WAF in front of our SM server... will try it and see what happens, I guess.
