ALERT: Anyone using Cloudflare in front of SM, beware IPv6 connections!!
Problem reported by rick - Today at 10:53 AM
Submitted
Just stumbled onto this nasty find. Users connecting via IPv6 (pretty much all mobile phones and mobile hotspots) into the web portal will end up looking like 127.0.0.1 in SmarterMail. This is automatically trusted by SM for Administrator logins (w/IP Restrictions). So you essentially lose all ability to protect your admin account by IP# unless you go into Cloudflare, select your domain and then click Network. Under Pseudo IPv4, set it to Overwrite Headers. CF then replaces it with a dummy IP. You can then add this to your web.config under <serverVariables> to get the real IPs.
<set name="HTTP_X_FORWARDED_FOR" value="{HTTP_CF_CONNECTING_IP}" />
<set name="HTTP_X_REAL_IP" value="{HTTP_CF_CONNECTING_IP}" />

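The failure mode reported above (a forwarded IPv6 address ending up as 127.0.0.1 and passing admin IP restrictions) is avoided when the application resolves the client address fail-closed. The sketch below is an added example, not code from the original post or from SmarterMail; the proxy range, the allowlist and the function names are constructed assumptions.

```python
import ipaddress

# Constructed placeholder values (assumptions): use your proxy's published
# ranges and your own admin allowlist in a real deployment.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]
ADMIN_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24"),
                   ipaddress.ip_network("2001:db8:50::/48")]


def _parse(value):
    """Parse an IPv4/IPv6 literal; return None instead of a default on failure."""
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    # Fold ::ffff:a.b.c.d into plain IPv4 so allowlist matching is consistent.
    return ip.ipv4_mapped if ip.version == 6 and ip.ipv4_mapped else ip


def client_ip(peer, headers, trusted=TRUSTED_PROXIES):
    """Address to check against admin IP restrictions, or None if unknown."""
    peer_ip = _parse(peer)
    if peer_ip is None:
        return None
    if not any(peer_ip in net for net in trusted):
        return peer_ip  # not from the proxy: ignore forwarded headers
    # With Pseudo IPv4 "Overwrite Headers", Cloudflare keeps the real IPv6
    # address in Cf-Connecting-IPv6; prefer it over the pseudo IPv4 value.
    raw = headers.get("Cf-Connecting-IPv6") or headers.get("CF-Connecting-IP", "")
    ip = _parse(raw)
    # A forwarded value that is missing, unparseable or loopback is "unknown".
    if ip is None or ip.is_loopback:
        return None
    return ip


def admin_allowed(peer, headers, allowlist=ADMIN_ALLOWLIST):
    """Fail closed: an unknown client address is never treated as local."""
    ip = client_ip(peer, headers)
    return ip is not None and any(ip in net for net in allowlist)
```

Header lookup here uses a plain dict with exact key names; a real server should match header names case-insensitively.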