IS THIS A BUG? Adding an IP WHITELIST with "TCP Proxy" enabled blocks ALL incoming emails, regardless of where they come from
Problem reported by Gabriele Maoret - SERSIS - Today at 7:22 AM
Not A Problem
Adding an IP WHITELIST with "TCP Proxy" enabled blocks ALL incoming emails, regardless of where they come from

This is the offending option:

With this active even in just one WhiteList entry, you no longer receive any emails from anyone and you start to have SMTP logs similar to this:

[2025.08.26] 15:13:58.063 [251.380.362.290][43106295] "421 Server is busy, try again later." response returned.
[2025.08.26] 15:13:58.063 [251.380.362.290][43106295] IP 251.380.362.290 rejected for proxy. Reason: not a configured proxy.
[2025.08.26] 15:13:58.063 [251.380.362.290][43106295] disconnected at 26/08/2025 15:13:58

As soon as you disable it everything works again.


Is it a bug?

And if it's not a bug, can you explain how and why this happens?
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS
Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
Andrew Barker Replied
Employee Post
This is expected behavior.

The TCP Proxy toggle for whitelist entries should only be used if there is a proxy server, such as HAProxy, in front of your SmarterMail instance. The proxy server must also be configured to use version 1 of the proxy protocol, which allows the proxy server to relay information about the remote connection to SmarterMail.

When the toggle is enabled, it triggers the following behavior:

  1. If a connection is initiated by an IP that is not configured in the whitelist as a TCP Proxy, the connection is rejected. This prevents a malicious server from providing spoofed header information to bypass the blacklist, IDS rules, etc. This means that, if you enable TCP Proxy for any whitelist entry, all TCP connections must go through a configured TCP Proxy.
  2. SmarterMail expects all SMTP, POP, IMAP, and LDAP connections to include the proxy header information. Given the specification for the proxy protocol, this information must be received before the server returns the greeting banner for the communication protocol. If the header information is not received within a couple of seconds, the connection is closed.
  3. After the connection has been accepted by SmarterMail, further IP based spam checks will use the IP information that was relayed by the proxy server.
Andrew Barker Software Developer SmarterTools Inc. www.smartertools.com
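As an added illustration of the three rules above (not SmarterMail's code), here is a small Python model of the accept path: a connection from an address that is not a configured proxy is answered with the same 421 seen in the logs, a configured proxy must deliver a valid PROXY protocol v1 header before the banner, and the relayed address becomes the one used for later IP checks. The proxy address, banner text and sample headers are constructed values.

```python
import ipaddress
import re

# Added illustration, not SmarterMail's code: a toy accept path that follows the three rules above.
# CONFIGURED_PROXIES stands in for whitelist entries that have TCP Proxy enabled (constructed value).
CONFIGURED_PROXIES = {ipaddress.ip_address("203.0.113.10")}
BANNER = b"220 mail.example.test ESMTP\r\n"
BUSY = b"421 Server is busy, try again later.\r\n"

# PROXY protocol v1 header: "PROXY TCP4|TCP6 <src> <dst> <sport> <dport>\r\n", at most 107 bytes.
PROXY_V1 = re.compile(rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d+) (\d+))?\r\n")


def parse_proxy_v1(data):
    """Return (client_ip, client_port, bytes_consumed), or None when no valid header is present."""
    if b"\r\n" not in data[:107]:
        return None  # no complete header within the size the spec allows
    m = PROXY_V1.match(data)
    if m is None or m.group(1) == b"UNKNOWN" or m.group(2) is None:
        return None  # malformed, or UNKNOWN, which carries no usable client address
    family, src, _dst, sport, _dport = m.groups()
    ip = ipaddress.ip_address(src.decode("ascii"))
    if (family == b"TCP4") != (ip.version == 4):
        raise ValueError("address family does not match the header")
    return ip, int(sport), m.end()


def accept_connection(peer_ip, first_bytes):
    """Decide how a new TCP connection is handled.

    peer_ip     -- address of the socket that connected (the proxy, or a direct client)
    first_bytes -- whatever arrived before the pre-banner timeout (b"" if nothing)
    Returns (bytes to send, effective client IP or None, log reason).
    """
    peer = ipaddress.ip_address(peer_ip)
    # Rule 1: with TCP Proxy on any whitelist entry, only configured proxies may connect at all.
    if peer not in CONFIGURED_PROXIES:
        return BUSY, None, f"IP {peer} rejected for proxy. Reason: not a configured proxy."
    # Rule 2: the PROXY header must precede the banner; a missing or malformed one closes the socket.
    try:
        parsed = parse_proxy_v1(first_bytes)
    except ValueError as exc:
        return b"", None, f"closed: {exc}"
    if parsed is None:
        return b"", None, "closed: no PROXY header received before the banner"
    client_ip, client_port, _ = parsed
    # Rule 3: IP-based checks from here on use the relayed client address, not the proxy's.
    return BANNER, client_ip, f"accepted via proxy {peer}; client {client_ip}:{client_port}"
```

Feeding a direct connection from a non-proxy address returns the 421 response whatever it sends, which is exactly the symptom in the original post.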
Gabriele Maoret - SERSIS Replied
Ooook, now I understand how it works and why it blocked me... THX Andrew!!!

But...
I must say, however, that the yellow warning is (in my opinion) unclear, making it very easy to activate this option by mistake, even on a single entry, and then get stuck without understanding why.

Perhaps it would be nice to include a warning that clearly states:
"WARNING!!! Enabling this option EVEN FOR A SINGLE IP will block ALL external connections from IPs not on the whitelist with TCP Proxy enabled."
Or something along those lines, so it's very clear...

And then perhaps ask for double confirmation before applying...
Oliver Replied
@Andrew Barker
Does SmarterTools provide an example of the HAProxy configuration file for using it correctly as a proxy for SmarterMail?
Matt Petty Replied
Employee Post
global
    log stdout local0
    log stdout local1 notice
    stats timeout 30s

    # Default SSL material locations
    ca-base /Users/smartermail/certs
    crt-base /Users/smartermail/certs

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 30s
    timeout client  31m
    timeout server  31m

frontend http-in
    bind *:80
    default_backend backend_servers_http
    option forwardfor
    http-request set-header X-Forwarded-Proto http
    http-request set-header X-Forwarded-Host %[req.hdr(Host)]

backend backend_servers_http
    balance leastconn
    stick-table type ip size 1m expire 30m
    stick on src
    server hub01 127.0.0.1:1120
    server hub02 127.0.0.1:1221

frontend https-in
    # NOTE: to terminate TLS here, add "ssl crt <your-cert.pem>" (resolved against crt-base) to this bind line
    bind *:443
    default_backend backend_servers_https
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Host %[req.hdr(Host)]

backend backend_servers_https
    balance leastconn
    stick-table type ip size 1m expire 30m
    stick on src
    server hub01 127.0.0.1:1443
    server hub02 127.0.0.1:2443

frontend smtp-in
    bind *:25
    mode tcp
    timeout client 1m
    log global
    option tcplog
    default_backend backend_servers_smtp

backend backend_servers_smtp
    mode tcp
    log global
    timeout server 1m
    timeout connect 60s
    balance leastconn
    stick-table type ip size 1m expire 30m
    stick on src
    # send-proxy emits the PROXY protocol v1 header that SmarterMail expects before the banner
    server hub01 127.0.0.1:10025 send-proxy
    server hub02 127.0.0.1:11025 send-proxy

frontend smtp-in-submission
    bind *:587
    mode tcp
    timeout client 1m
    log global
    option tcplog
    default_backend backend_servers_smtp_submission

backend backend_servers_smtp_submission
    mode tcp
    log global
    timeout server 1m
    timeout connect 60s
    balance leastconn
    stick-table type ip size 1m expire 30m
    stick on src
    server hub01 127.0.0.1:10587 send-proxy
    server hub02 127.0.0.1:11587 send-proxy

frontend smtp-secure-in
    bind *:465
    mode tcp
    timeout client 1m
    log global
    option tcplog
    default_backend backend_servers_smtp_secure

backend backend_servers_smtp_secure
    mode tcp
    log global
    timeout server 1m
    timeout connect 60s
    balance leastconn
    stick-table type ip size 1m expire 30m
    stick on src
    server hub01 127.0.0.1:10465 send-proxy
    server hub02 127.0.0.1:11465 send-proxy

frontend imap-in
    bind *:143
    mode tcp
    timeout client 1m
    log global
    option tcplog
    default_backend backend_servers_imap

backend backend_servers_imap
    mode tcp
    log global
    timeout server 1m
    timeout connect 30s
    balance leastconn
    stick-table type ip size 1m expire 30m
    stick on src
    server hub01 127.0.0.1:10143 send-proxy
    server hub02 127.0.0.1:11143 send-proxy

frontend imap-in-secure
    bind *:993
    mode tcp
    timeout client 1m
    log global
    option tcplog
    default_backend backend_servers_imap_secure

backend backend_servers_imap_secure
    mode tcp
    log global
    timeout server 1m
    timeout connect 30s
    balance leastconn
    stick-table type ip size 1m expire 30m
    stick on src
    server hub01 127.0.0.1:10993 send-proxy
    server hub02 127.0.0.1:11993 send-proxy

frontend pop-in
    bind *:110
    mode tcp
    timeout client 1m
    log global
    option tcplog
    default_backend backend_servers_pop

backend backend_servers_pop
    mode tcp
    log global
    timeout server 1m
    timeout connect 30s
    balance leastconn
    stick-table type ip size 1m expire 30m
    stick on src
    server hub01 127.0.0.1:10110 send-proxy
    server hub02 127.0.0.1:11110 send-proxy

frontend pop-in-secure
    bind *:995
    mode tcp
    timeout client 1m
    log global
    option tcplog
    default_backend backend_servers_pop_secure

backend backend_servers_pop_secure
    mode tcp
    log global
    timeout server 1m
    timeout connect 30s
    balance leastconn
    stick-table type ip size 1m expire 30m
    stick on src
    server hub01 127.0.0.1:10995 send-proxy
    server hub02 127.0.0.1:11995 send-proxy

frontend xmpp-in
    bind *:5222
    mode tcp
    timeout client 1m
    log global
    option tcplog
    default_backend backend_servers_xmpp

backend backend_servers_xmpp
    mode tcp
    log global
    timeout server 1m
    timeout connect 30s
    balance leastconn
    stick-table type ip size 1m expire 30m
    stick on src
    server hub01 127.0.0.1:10222 send-proxy
    server hub02 127.0.0.1:11222 send-proxy

listen stats
    bind *:8404
    mode http
    stats enable
    stats uri /stats
    stats refresh 10s
    # development-only credentials; change before exposing the stats page
    stats auth admin:admin

This is what I use locally for development; it kinda has everything turned on, but it should be a good example.
Replace hub01 and hub02 with your server and fix the ports and paths (for certs).

This will set up haproxy for HTTPS + TCP.

When setting up haproxy it is very important to have "send-proxy" for the TCP protocols and "option forwardfor" and the other headers added for HTTP. Oh, and make sure a "TCP Proxy" entry is added for your HAProxy (or any TCP proxy) server.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
Oliver Replied
Wow, thank you so much.
