Web Proxy concepts for SmarterMail - Entry Point control
Problem reported by Douglas Foster - Today at 6:24 AM
One of the roles of a web proxy is to ensure that users follow the intended flow path, rather than jumping around unilaterally in an attempt to bypass application security. I have identified these entry points for SmarterMail web traffic.

Autodiscover for MAPI, EWS, ActiveSync configuration
  • /Autodiscover
  • /autodiscover
Web login
  • /    (redirects to /interface/root#/login)
  • /interface/root#/login
ActiveSync from Cell Phones
  • /Microsoft-Server-ActiveSync
Offline Address Book from Outlook
  • /OAB
EWS from Apple Clients
  • /EWS
MAPI from Outlook
  • /mapi
  • /mapi/nspi
Scripting
  • /API
With this information and a web proxy for external users, you can decide which functions are allowed from the outside by controlling which paths are allowed as entry points. Possible configuration restrictions:

  • Most sites probably want to block /API as an initial entry point, so that attackers cannot use API scripting.  You will need to carefully test your web proxy to ensure that it blocks /API as an initial entry point, but allows access to /API after the user enters the site using /interface/root#login.

  • MAPI and EWS will download and store large amounts of data onto the local device, which is a problem if you are worried about data loss after a personal device gets compromised.

  • If you don't use Offline Address Book at all, or do not want to share it with the world, then blocking access to the /OAB path also makes sense.

  • Autodiscover allows both legitimate and malicious users to find your mail server. It may be desirable to drop this from your DNS configuration, and block remote access to that entry point. This will force remote users to configure server connections manually, which seems like a manageable burden. This restriction will only work if you have chosen to block MAPI from external users, since Outlook MAPI setup requires Autodiscover. If Autodiscover is disabled externally but allowed internally, you may need to deploy the autodiscover registry keys to limit which connection methods are used. Some of the seven techniques connect to a Microsoft server, then relay back to your server. This means that the Microsoft server will attempt to use the external Autodiscover entry for your server, and when it fails the whole Autodiscover process may get flaky.
Hosting services will have less flexibility because all users are remote, but disabling the /API entry point is still probably desirable.
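The per-request decision the post describes (which paths are allowed as initial entry points, /API only after the user has entered through the web login, some paths blocked outright) can be modelled as a small policy function. The following is an added example, not code from the original post or from SmarterTools. It assumes the proxy issues its own HMAC-signed cookie (named PROXY_SESSION here, an invented name) when it forwards a request to the web login entry point and verifies that cookie on later requests; the EXTERNAL_POLICY table is one illustrative choice following the post's suggestions, not a vendor recommendation. Note that the `#/login` fragment never reaches a proxy, so the web login entry point is seen on the wire as `/interface/root` (or `/`), and that paths must be normalized before prefix matching, otherwise `/foo/../API` or `//API` can slip past a naive check.

```python
"""Entry-point policy for a reverse proxy in front of SmarterMail.

Added example; not code from the original post or from SmarterTools.
Assumption (not in the post): the proxy sets an HMAC-signed cookie named
PROXY_SESSION when it forwards a request to the web login entry point and
checks it on later requests.  All names here are illustrative.
"""
import hashlib
import hmac
import posixpath
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Entry points from the post, lower-cased.  Longest matching prefix wins,
# so /mapi/nspi is classified as "mapi".  "/" itself maps to the web login.
ENTRY_POINTS = {
    "/autodiscover": "autodiscover",
    "/interface/root": "weblogin",
    "/microsoft-server-activesync": "activesync",
    "/oab": "oab",
    "/ews": "ews",
    "/mapi": "mapi",
    "/api": "api",
}

OPEN, SESSION_ONLY, BLOCKED = "open", "session_only", "blocked"

# One external policy along the lines the post suggests (illustrative choice):
# web UI and ActiveSync are entry points, /API only after web login, the
# rest blocked from outside.
EXTERNAL_POLICY = {
    "weblogin": OPEN,
    "activesync": OPEN,
    "api": SESSION_ONLY,
    "oab": BLOCKED,
    "ews": BLOCKED,
    "mapi": BLOCKED,
    "autodiscover": BLOCKED,
}

PROXY_COOKIE = "PROXY_SESSION"      # hypothetical proxy-owned cookie name
SECRET = secrets.token_bytes(32)    # per-process key; a real proxy persists it


def mint_session(secret: bytes = SECRET) -> str:
    """Random token plus HMAC tag, so the proxy can verify it statelessly."""
    token = secrets.token_hex(16)
    tag = hmac.new(secret, token.encode(), hashlib.sha256).hexdigest()
    return f"{token}.{tag}"


def valid_session(value: Optional[str], secret: bytes = SECRET) -> bool:
    """True only if the cookie carries a tag computed under our secret."""
    if not value or "." not in value:
        return False
    token, _, tag = value.partition(".")
    expected = hmac.new(secret, token.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def normalize(raw_path: str) -> str:
    """Drop query and fragment, lower-case, collapse '//' and '/../'.

    The fragment (#/login) never reaches the proxy; it is stripped here only
    so the function also accepts URLs written the way the post writes them.
    """
    path = raw_path.split("#", 1)[0].split("?", 1)[0].lower()
    return "/" + posixpath.normpath(path).lstrip("/")


def classify(raw_path: str) -> Optional[str]:
    """Feature name for a request path, or None if it is not a listed entry point."""
    path = normalize(raw_path)
    if path == "/":
        return "weblogin"
    best, best_len = None, 0
    for prefix, feature in ENTRY_POINTS.items():
        if (path == prefix or path.startswith(prefix + "/")) and len(prefix) > best_len:
            best, best_len = feature, len(prefix)
    return best


@dataclass
class Decision:
    allow: bool
    reason: str
    set_cookie: Optional[str] = None   # cookie the proxy should issue, if any


def decide(raw_path: str, cookies: Dict[str, str],
           policy: Dict[str, str] = EXTERNAL_POLICY, secret: bytes = SECRET) -> Decision:
    feature = classify(raw_path)
    has_session = valid_session(cookies.get(PROXY_COOKIE), secret)
    # Paths that are not listed entry points (e.g. the rest of /interface/)
    # are reachable only inside an established session.
    state = policy.get(feature, SESSION_ONLY) if feature else SESSION_ONLY
    if state == BLOCKED:
        return Decision(False, f"{feature} is blocked for external users")
    if state == OPEN:
        cookie = mint_session(secret) if feature == "weblogin" and not has_session else None
        return Decision(True, f"{feature} is an allowed entry point", cookie)
    if has_session:
        return Decision(True, "allowed inside a session established via web login")
    return Decision(False, f"{feature or 'this path'} is not an allowed initial entry point")


if __name__ == "__main__":
    first = decide("/interface/root#/login", {})          # user enters via web login
    jar = {PROXY_COOKIE: first.set_cookie}
    for path, cookies in [("/API/test", {}), ("/API/test", jar), ("/OAB", jar)]:  # constructed paths
        d = decide(path, cookies)
        print(f"{path} {'with' if cookies else 'without'} session -> "
              f"{'ALLOW' if d.allow else 'DENY'}: {d.reason}")
```

Run as-is to see `/API/test` denied without a session, allowed with the cookie minted on the web login request, and `/OAB` denied in both cases. For a hosting scenario, where the post notes everything else must stay open, only the policy table changes; the normalization and session logic stay the same.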
