[os-caddy] Exchange Web Services (EWS)

Started by hakodi, July 04, 2025, 09:52:28 AM

July 04, 2025, 09:52:28 AM Last Edit: July 04, 2025, 09:54:44 AM by hakodi
For about 1 month, we have been using the os-caddy plugin as reverse proxy for Microsoft Exchange 2016 & 2019, because our central gateway will be replaced. Through the reverse proxy, only /Microsoft-Server-ActiveSync and /EWS/Exchange.asmx are accessible. Our customers can use their smartphones or any EWS compatible client (e.g. eM Client) to connect to their mailbox.

All is working fine, except sending emails through EWS (Exchange Web Services).

  • Sending emails without any attachments works like a charm.
  • Sending emails with attachments doesn't work since we switched to os-caddy.

In "Services\Caddy\Log File" we got the following error(s):

{"level":"warn","ts":"2025-07-04T05:13:27Z","logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","upstream":"10.0.250.2:443","duration":0.020832445,"request":{"remote_ip":"xxx.xxx.xxx.xxx","remote_port":"40927","client_ip":"xxx.xxx.xxx.xxx","proto":"HTTP/1.1","method":"POST","host":"fqdn.anonymized.de","uri":"/EWS/Exchange.asmx","headers":{"Content-Type":["text/xml; charset=utf-8"],"Cookie":["REDACTED"],"X-Forwarded-Host":["fqdn.anonymized.de"],"Via":["1.1 Caddy"],"Accept-Encoding":["gzip, deflate"],"X-Clientstatistics":["MessageId=28ab40b6-8961-40aa-83c0-46c73c3f597f,ResponseTime=380,SoapAction=SubscribeToStreamingNotifications;"],"Content-Length":["754"],"User-Agent":["eM Client/10.3.2412.0 (ExchangeServicesClient/10.3.2412.0)"],"Accept":["text/xml"],"X-Forwarded-For":["xxx.xxx.xxx.xxx"],"X-Forwarded-Proto":["https"],"Authorization":["REDACTED"]},"tls":{"resumed":true,"version":771,"cipher_suite":49199,"proto":"","server_name":"fqdn.anonymized.de"}},"error":"reading: context canceled"}
The Caddyfile:

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file

# caddy_user=root

# Global Options
{
	log {
		output net unixgram//var/run/caddy/log.sock {
		}
		format json {
			time_format rfc3339
		}
	}

	servers {
		protocols h1 h2
	}

	grace_period 10s
	import /usr/local/etc/caddy/caddy.d/*.global
}

# Reverse Proxy Configuration

fqdn.anonymized.de:443 {
	tls /var/db/caddy/data/caddy/certificates/temp/684fd0fdd8aef.pem /var/db/caddy/data/caddy/certificates/temp/684fd0fdd8aef.key {
	}

	handle /Microsoft-Server-ActiveSync {
		reverse_proxy https://10.0.250.2:443 {
			transport http_ntlm {
				tls_insecure_skip_verify
			}
		}
	}

	handle /EWS/Exchange.asmx {
		reverse_proxy https://10.0.250.2:443 {
			transport http_ntlm {
				tls_insecure_skip_verify
			}
		}
	}
}

import /usr/local/etc/caddy/caddy.d/*.conf

Before we switched to OPNsense & os-caddy, we used a centralized Sophos UTM with the Web Application Firewall (WAF) and had no problems.

Edit: Currently we are using OPNsense 25.1.10

Can anybody help us?

Kindly,
Christian

July 04, 2025, 11:49:34 AM #1 Last Edit: July 04, 2025, 01:07:50 PM by Monviech (Cedrik)
In the business edition we offer a WAF where we added explicit Exchange support, that would be most comparable to what Sophos offered:

https://docs.opnsense.org/vendor/deciso/opnwaf.html#exchange-server

The same kind of reasoning also applies to caddy, only use FQDNs everywhere, and ensure even the internal connection to the Exchange server uses an FQDN or proper certificate handling e.g. with internal names and self-signed certs.

(e.g. like this https://docs.opnsense.org/manual/how-tos/caddy.html#reverse-proxy-the-opnsense-webgui)

tls skip is not the proper configuration.

Try to use an empty path in the handler first. If you want to block ecp, just create another handler with /ecp and put an access list on it. Empty path handlers will always match last.
Hardware:
DEC740
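A site block that applies the recommendations from the reply above, as an added example and not the OPNsense-generated Caddyfile from the thread: the upstream is addressed by an internal FQDN, its certificate is verified against an internal CA instead of being skipped, the proxy runs in an empty-path handler that matches last, and /ecp is restricted by an access list. The hostname exchange01.internal.example, the CA bundle path and the 10.0.0.0/8 management range are placeholders, and it is assumed that http_ntlm accepts the same tls_* subdirectives as Caddy's default http transport.

```caddyfile
# Added example; placeholders: exchange01.internal.example,
# /usr/local/etc/ssl/internal-ca.pem, 10.0.0.0/8 (network allowed to reach /ecp).
fqdn.anonymized.de:443 {
	tls /var/db/caddy/data/caddy/certificates/temp/684fd0fdd8aef.pem /var/db/caddy/data/caddy/certificates/temp/684fd0fdd8aef.key

	# Access list for the Exchange admin center: anything under /ecp that does
	# not come from the management range is answered with 403 and never proxied.
	@ecp_blocked {
		path /ecp*
		not remote_ip 10.0.0.0/8
	}
	handle @ecp_blocked {
		respond 403
	}

	# Empty-path handler: evaluated last, so the specific handler above wins
	# for /ecp and everything else (EWS, ActiveSync, ...) reaches Exchange.
	handle {
		reverse_proxy https://exchange01.internal.example:443 {
			transport http_ntlm {
				# Verify the upstream certificate against the internal CA
				# instead of tls_insecure_skip_verify.
				tls_trusted_ca_certs /usr/local/etc/ssl/internal-ca.pem
				tls_server_name exchange01.internal.example
			}
		}
	}
}
```

On OPNsense the generated file must not be edited by hand; the same configuration is entered through the os-caddy GUI or dropped as a .conf file into /usr/local/etc/caddy/caddy.d/, which the trailing import line picks up.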