Web Proxy concepts for SmarterMail - solving the dual proxy problem
Problem reported by Douglas Foster - Today at 6:01 AM
Configuring an external web proxy requires a good understanding of the current architecture of SmarterMail.
  • Users connect to IIS on the SmarterMail server using HTTPS on port 443
  • IIS acts as a web proxy and relays traffic to SmarterMail using HTTP on port 17017.
Someday, SmarterTools may be able to build full HTTPS support into its embedded webserver, but for now, we need IIS to serve this role.  (I have not used the Linux version, but I assume the lack of embedded HTTPS exists on both platforms.)

One consequence of this architecture is that you already have access to the web proxy features of IIS.   Logan Price has offered an example in this topic about CVE mitigation:

Of course, the web proxy capabilities of IIS are limited, so good reasons exist to configure an alternate product. You could add a web proxy in front of IIS, but your configuration will then have two web proxies, and you are likely to have problems. At a minimum, you will lose visibility of source IP addresses, because SmarterMail does not understand multiple values for X-Forwarded-For. A second, and probably greater, problem is that the IIS-SmarterMail combination does not distinguish between internal and external traffic, so you cannot easily configure different policies for different message sources.

My recommendation for adding a web proxy looks like this:
  • Internal web users continue to connect to IIS on the SmarterMail server using HTTPS on port 443, for local relay to SmarterMail using HTTP on port 17017.
  • External web users connect to your chosen web proxy using HTTP on port 443, for LAN-based relay to SmarterMail using HTTP on port 17017.
  • Ensure that the web proxy configures X-Forwarded-For
Reducing risk of this configuration:
  • Configure firewall rules on the SmarterMail server so that the web proxy is the only external device that can connect using HTTP on port 17017.
  • If feasible, use a private VLAN to isolate the HTTP traffic flowing between the two systems 
  • If you have the sophistication, use IPSEC encryption to protect the HTTP traffic flowing between the web proxy and the SmarterMail server.
The next step is to configure acceptable entry points, which I will put in a separate topic.

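As an added illustration (not code from the post, from SmarterMail or from SmarterTools), the Python below models what X-Forwarded-For looks like at the SmarterMail end in the two layouts the post describes, how a consumer that understands only a single value behaves, and how a proxy-aware consumer resolves the client address from a multi-valued chain. Every address, the trusted-proxy set and the single-value consumer's behaviour are assumptions constructed for the example.

```python
# Added example, not from the post or from SmarterTools. Models the two layouts
# discussed above: "dual proxy" (external proxy -> IIS -> SmarterMail) and the
# recommended one (external proxy -> SmarterMail:17017 directly).
# All addresses below are constructed for the example.
from ipaddress import ip_address

XFF = "X-Forwarded-For"
EXTERNAL_PROXY_LAN = "10.0.5.10"   # assumed LAN address of the chosen web proxy
LOOPBACK = "127.0.0.1"             # IIS relaying to SmarterMail on the same host
# Hops we operate ourselves; only addresses appended by these are believed.
TRUSTED_PROXIES = {ip_address(EXTERNAL_PROXY_LAN), ip_address(LOOPBACK)}


def proxy_hop(headers, peer_ip, overwrite=False):
    """One reverse-proxy hop. Most proxies default to appending the TCP peer's
    address to any X-Forwarded-For already present; `overwrite=True` models a
    proxy configured to set the header to the peer address alone."""
    out = dict(headers)
    if overwrite or not headers.get(XFF):
        out[XFF] = peer_ip
    else:
        out[XFF] = f"{headers[XFF]}, {peer_ip}"
    return out


def dual_proxy_chain(client_ip, injected=None):
    """Rejected layout: client -> external proxy -> IIS -> SmarterMail.
    `injected` is an X-Forwarded-For value the client itself sends.
    Returns (headers seen by SmarterMail, SmarterMail's TCP peer)."""
    headers = {XFF: injected} if injected else {}
    headers = proxy_hop(headers, client_ip)           # external proxy sees the client
    headers = proxy_hop(headers, EXTERNAL_PROXY_LAN)  # IIS sees the proxy's LAN side
    return headers, LOOPBACK                          # SmarterMail's peer is local IIS


def recommended_chain(client_ip, injected=None, overwrite=True):
    """Recommended layout: client -> external proxy -> SmarterMail:17017."""
    headers = {XFF: injected} if injected else {}
    headers = proxy_hop(headers, client_ip, overwrite=overwrite)
    return headers, EXTERNAL_PROXY_LAN                # SmarterMail's peer is the proxy


def single_value_client_ip(headers):
    """Assumed model of a consumer that understands only one X-Forwarded-For
    value (the limitation the post attributes to SmarterMail): a comma-separated
    list is not a valid address, so the source IP is lost (None)."""
    try:
        return str(ip_address(headers.get(XFF, "").strip()))
    except ValueError:
        return None


def leftmost_client_ip(headers):
    """The common quick fix for a multi-valued header: take the first entry.
    The leftmost entry is whatever the client chose to send, so it is forgeable."""
    return headers[XFF].split(",")[0].strip()


def trusted_client_ip(headers, peer_ip, trusted=TRUSTED_PROXIES):
    """Proxy-aware resolution: walk the chain from the right (most recent hop),
    discard every address that is one of our own proxies, and return the first
    remaining one. Anything the client injected sits to the left of the address
    our first proxy appended, so it is never reached."""
    hops = [h.strip() for h in headers.get(XFF, "").split(",") if h.strip()]
    hops.append(peer_ip)  # the TCP peer is the one hop nothing upstream can forge
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            return None  # malformed entry reached before a client address
        if addr not in trusted:
            return str(addr)
    return str(ip_address(peer_ip))


if __name__ == "__main__":
    client = "198.51.100.7"
    for name, (hdrs, peer) in {
        "dual proxy": dual_proxy_chain(client),
        "dual proxy, client injects XFF": dual_proxy_chain(client, injected="127.0.0.1"),
        "recommended": recommended_chain(client),
    }.items():
        print(f"{name}: {XFF}={hdrs[XFF]!r} peer={peer} "
              f"single={single_value_client_ip(hdrs)} "
              f"leftmost={leftmost_client_ip(hdrs)} "
              f"trusted={trusted_client_ip(hdrs, peer)}")
```

In the dual-proxy layout the header arrives as `client, 10.0.5.10`, which a single-value consumer cannot parse, and taking the leftmost entry returns whatever the client injected. The recommended layout yields one value only if the external proxy sets the header rather than appending to it (for example, in nginx `proxy_set_header X-Forwarded-For $remote_addr;` rather than `$proxy_add_x_forwarded_for`); with an appending proxy, a client can still send its own X-Forwarded-For and turn the value into a list.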