Solution, Smatermail Linux
Severe Bug in Whitelist: activating “TCP Proxy” disables IMAP for all customers
I discovered a critical and fully reproducible bug in SmarterMail (current Tahoe build).
The issue occurs the moment a single IP address is added to the Whitelist with “TCP Proxy” enabled.
Steps to reproduce
Log in as System Administrator.
Go to Security → Whitelist.
Add any public IP address and activate the checkbox “TCP Proxy”.
Save.
Immediately after saving, IMAP access stops working for all users on the system, regardless of their own IPs.
Every connection, from any customer, even from completely unrelated networks fails with:
* NO Server is busy, try again later.
Proxy protocol header not received.
IP xxx.xxx.xxx.xxx rejected for proxy. Reason: not a configured proxy.
No other changes are required to trigger this. The effect is global and instant.
Impact
IMAP becomes unavailable for every mailbox on the server.
Clients using Apple Mail, Outlook, Thunderbird, etc. cannot connect.
Removing or editing the Whitelist entry immediately restores full IMAP functionality.
Root cause
Enabling “TCP Proxy” on a single Whitelist entry appears to switch the entire IMAP listener (port 993 / 143) into Proxy Protocol mode.
Instead of applying the setting only to the specific IP, SmarterMail expects Proxy Protocol headers from all incoming connections.
Normal clients do not send those headers, so the server rejects every connection.
Verification
This behaviour is reproducible on a clean SmarterMail Tahoe installation with no load balancer and default configuration.
The logs show consistent errors until the Whitelist entry with “TCP Proxy” is deleted.
Why this is a critical bug
One checkbox for one IP address can disable mail service for all customers.
The error message “Server is busy” is misleading.
The UI gives no indication that “TCP Proxy” changes the behaviour of the entire port.
Expected behaviour
“TCP Proxy” should apply only to the IPs explicitly configured with that option.
Other IPs should continue to connect normally without Proxy Protocol headers.
Temporary workaround
Remove the Whitelist entry or uncheck “TCP Proxy” and restart SmarterMail.
IMAP connectivity for all customers returns immediately.
Request to SmarterTools
Please fix this behaviour and add a clear warning in the UI:
“Enabling this option activates Proxy Protocol mode on the entire service port.
Only enable this for IPs that actually send Proxy Protocol headers (e.g. from a load balancer).”
This bug can take down IMAP for every user on the system in seconds.
It should be addressed with high priority. I'm sone for today ;-(
After deleting that single Whitelist entry where “TCP Proxy” was enabled, IMAP immediately started working again for all customers.
Every mailbox, including those with completely different IP addresses, could connect normally again.
This confirms that one Whitelist entry with “TCP Proxy” active globally forces the IMAP service into Proxy Protocol mode and blocks all direct client connections until the entry is removed.
----- update -----
For troubleshooting Customer #1, I first added his IP address to the Whitelist to rule out any possible blocking by SmarterMail. While doing so, I accidentally checked the “PROXY” option. This immediately caused IMAP to stop working entirely.
Result: total panic.