Back to Community Threads
Ways to secure your Smartermail Server
Problem reported by rick - 1/30/2026 at 8:13 PM
Submitted
1) Make sure you're running latest version
2) Change your admin login name to something obscure, like J1MMY-JON, not admin or administrator
3) Restrict Admin login to specific IP#, and enable 2FA
4) Put Web Portal behind Cloudflare. ChatGPT is excellent at guiding you through this. This adds all sort of protections against attack. Only thing that users are noticing is the occasional Cloudflare "Verifying you are human" pop up. Force all incoming traffic through Cloudflare, deny anything trying to bypass.
5) Let Windows Defender scan C:\Program Files (x86)\SmarterTools\SmarterMail\Service\App_Data\upload.
6) Install Huntress. This fired off alarms and isolated our server as soon as it saw backdoor files appear in the folder mentioned in #5. Was running patched version of SM, but Huntress still did its job.
7) Highly recommend running Threatlocker to secure/limit Smartermail.exe. You can prevent it from running Powershell, cmd.exe, cscript, mshta.exe, rundll, etc. Threatlocker also prevents anything from running unless you've specifically permitted it in advance... so nothing can run. Very strong protection.
8) Cloudflare Access can let you lock down Admin, API, etc paths behind 2FA if you want to go overboard.

Anyone else have any good ideas - please chime in!
Richard Laliberte Replied
1/31/2026 at 6:50 AM
Question. Putting SM's webmail behind cloudflare was something we have looked into in the past, with proxy enable we lose all SM's IP based protection, like restricting admins to specific IP's and blocking IP's with to many attempts and such. 

With SM not currently understanding CF-Connecting-IP (or other potential headers) how did you get around this? Or do you let Cloudflare basically manage everything?

We currently have a ticket in with SM to implement support for CF-Connecting-IP and X-Forwarded-For, but if you know a better way?

fairly solid advice though. But if you are putting everything behind Cloudflare, i would also recommend on the server side blocking all incoming traffic via web ports to known Cloudflare IP addresses, just in case anyone tries to bypass and go directly to the server. https://www.cloudflare.com/en-ca/ips/
J
J. LaDow Replied
1/31/2026 at 7:15 AM
In IIS you can hunt for that host header {HTTP_CF_CONNECTING_IP} and {HTTP_X_FORWARDED_FOR}, then re-write the headers that are being sent to the SmarterMail/Kestrel web server. I believe this is also possible if you have Apache or Nginx in front on as well, but the header detection will be a little different. IIS replaces - with _ when reading and processing headers. 

Some other details may be found here:
MailEnable survivor / convert --
rick Replied
1/31/2026 at 7:33 AM
@Richard Laliberte  The real IP is passed through so it's not showing all Cloudflare IP#'s and so we can restrict Admin login via IP# (a must!).
Additionally, only Cloudflare CIDRs are allowed, all others denied.
The only way someone is hitting the SM server portal is through Cloudflare. I upgraded to the Pro account for $20 to add a bunch of additional protections as well... such as WAF, bot blocks and the best part is the Managed Rules (they keep them up to date with latest CVEs, etc). Only small snag was UptimeRobot getting denied but easy to add them as exception using Known-Bots and ttp.user_agent contains "UptimeRobot"
DRKZA Replied
1/31/2026 at 8:18 AM
Did you use the web.config to handle the pass through (like here https://portal.smartertools.com/community/a97718/smartermail-web-client-cloudflare-protection.aspx)
C
Carl Morris Replied
2/2/2026 at 9:34 PM
Also consider switching to using a limited service account (such as a managed service account) (for both MailService and IIS app pool), instead of the default network service or local system accounts.  This limited account should not be part of the Users Group or Domain Users group, and where possible should be limited to the host running Smarter Mail.  This does require file permissions for the service account to the Settings folder in addition to the other SmarterMail data folders.
M
MichaelL Replied
2/3/2026 at 10:49 AM
While proxying through CloudFlare may work and you may be able to get the correct headers passed through, the performance is terrible. Log searches through the web interface is hit or miss as well.

When proxying, the global-mail takes 10-25 seconds to load when logging in as a system administrator.
When the proxy is removed, its takes milliseconds.

Any ideas SmarterTools support?
M
MichaelL Replied
2/3/2026 at 10:57 AM
Just found the answer to my question. Every time you log in as a system admin, its downloading all the settings including trusted email addresses and trusted domains inside of that global-mail. So if you have a huge trusted email address list, the web interface is going to be slow. If you look at the response, it's gigantic and has every single configuration setting.
J
J. LaDow Replied
2/3/2026 at 11:01 AM
We ran into issues with how Cloudflare handles web sockets being a culprit to webmail interface errors. You may need to look into your CF configuration to be sure it's setup right.
MailEnable survivor / convert --
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
Configure SSL/TLS to Secure SmarterMailSmarterMail > Server Configuration and Management
Manually Securing SmarterMail Using Let's Encrypt and Certify the WebSmarterMail > Installation and Configuration
Automatic SSL Certificates on a New SmarterMail ServerSmarterMail > Server Configuration and Management
SmarterMail for Linux – SSL/TLS & Certificate ReferenceSmarterMail > Server Configuration and Management
SmarterMail Servers and TLS SupportSmarterMail > Installation and Configuration