Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse

Cloudron Forum

Apps | Demo | Docs | Install

Cloudflare Proxy - How to hide the IP of the mail subdomain and make it work

Scheduled Pinned Locked Moved Discuss
mailcloudflare
16 Posts 3 Posters 1.3k Views
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • BrutalBirdieB Offline
    BrutalBirdieB Offline
    BrutalBirdie Staff
    wrote on last edited by BrutalBirdie
    #1

    I don't want my IP broadcasted by the mail/my subdomain


    Why can't I hide my IP from the mail domain, either my.domain.tld or a custom one in my case mail.domain.tld, behind the Cloudflare proxy service?

    https://docs.cloudron.io/domains/#cloudflare-dns

    Email and HTTP Proxy
    If you use Cloudflare for your primary domain and enable Cloudron email for any domain, Cloudflare proxying must be disabled for the my subdomain. This is because Cloudflare will only proxy HTTP and not email protocol.

    fyi: this also applies for Teamspeak, OpenVPN and more apps that do not fall in the supported port ranges.
    The supported port ranges are documented below, so keep reading 😉


    There is a way, but this is more security via obscurity. So do not depend on this in any way.

    To put it in simple terms:
    This will not hide your IP address completely even though mail.domain.tld is set to Proxied! As soon a someone connects to your server, the origin IP will be revealed. But this setting prevents your server of being detected by DNS scanners, because they would see Cloudflare IPs.

    They have a product named Cloudflare Spectrum which aims to solve this problem. But only for Enterprise customers. So if you are one? Maybe check this out first?
    I did not get the opportunity to try it out and paying for enterprise hmmmm naah.

    First of all lets read some docs from Cloudflare - Supported port ranges:
    https://support.cloudflare.com/hc/en-us/articles/200169156-Identifying-network-ports-compatible-with-Cloudflare-s-proxy

    TL;DR

    By default, Cloudflare proxies traffic destined for the HTTP/HTTPS ports listed below.
    
    HTTP ports supported by Cloudflare:
    
        80
        8080
        8880
        2052
        2082
        2086
        2095
    
    HTTPS ports supported by Cloudflare:
    
        443
        2053
        2083
        2087
        2096
        8443
    
    Caching is disabled for the following ports:
    
        2052
        2053
        2082
        2083
        2086
        2087
        2095
        2096
        8880
        8443
    

    So what can we do?
    The answer is srv records.

    Sorry to my blind users but a few screenshots up ahead for context, but I followup with a text based short guide.

    Add 3 srv records for the ports listed in Connection details for other email clients
    https://my.domain.tld/#/email/domain.tld.
    Ports listed as of writing this: 993 & 587 & 4190

    62acd468-750b-4cd8-ab3a-178d1be12c79-image.png

    e1887109-7108-47b9-a49e-2b05160f5d67-image.png

    1c631aa6-e615-42c0-98a4-cd35302d18c3-image.png

    ecdfc77a-cff4-469e-a381-a690c724cdcb-image.png

    • Type: SRV
    • Name: mail (since I choose the custom mail subdomain. Aka the domain name for which this record is valid - default my)
    • Service: _mail 🤷 (the symbolic name of the desired service. Go wild)
    • Protocol: TCP (since the mail traffic is TCP)
    • TTL: auto
    • Priority: 0
    • Weight: 0
    • Port: 993 & 587 & 4190 (each, one SRV record)
    • Target: Your mail domain, in my case its mail.domain.tld (the canonical hostname of the machine providing the service)

    Now a nslookup will show Cloudflare Proxied IPs:

    nslookup mail.domtain.tld 1.1.1.1                                                               23:18:18
    Server:         1.1.1.1
    Address:        1.1.1.1#53
    
    Non-authoritative answer:
    Name:   mail.domtain.tld
    Address: 104.21.57.26
    Name:   mail.domtain.tld
    Address: 172.67.158.189
    Name:   mail.domtain.tld
    Address: 2606:4700:3036::6815:391a
    Name:   mail.domtain.tld
    Address: 2606:4700:3036::ac43:9ebd
    

    And here a little proof screenshot of me sending and receiving mails with this setup.

    1dfc3a5e-f4a8-4b3d-8422-2e8082ae930e-image.png

    Cheers,
    ~ BrutalBirdie 🍻

    Like my work? Consider donating a drink drink. Cheers!

    robiR BrutalBirdieB 2 Replies Last reply
    1
  • robiR Offline
    robiR Offline
    robi
    replied to BrutalBirdie on last edited by
    #2

    @brutalbirdie This is good stuff, I just didn't see where Cloudflare says they will use SRV records to enable traffic to non-supported ports.

    This is also a good feature request for Cloudron to make it the default configuration for Cloudflare managed DNS.

    This way there is some DDoS protection and some site speed enhancements by having CF proxy & cache supported traffic w/o disrupting other Cloudron services.

    Life of sky tech

    1 Reply Last reply
    1
  • girishG Offline
    girishG Offline
    girish Staff
    wrote on last edited by
    #3

    The MX entry will still expose the mail server, no?

    BrutalBirdieB 1 Reply Last reply
    1
  • girishG girish moved this topic from Help Wanted or Offered on
  • BrutalBirdieB Offline
    BrutalBirdieB Offline
    BrutalBirdie Staff
    replied to girish on last edited by
    #4

    @girish

    4238f7c5-7d12-44c4-8256-695b9e020161-image.png

    this is what my Cloudflare DNS Dashboard now looks like.

    Yes the MX still reveals the real IP.
    This is more like a small inconvenience for DNS scanners / script kiddies.

    Like my work? Consider donating a drink drink. Cheers!

    1 Reply Last reply
    0
  • BrutalBirdieB Offline
    BrutalBirdieB Offline
    BrutalBirdie Staff
    replied to BrutalBirdie on last edited by BrutalBirdie
    #5

    @robi I may need to revert my post, because as of today I can no longer get / send my mails.

    Damn. 😞

    SOGo and Thunderbird did not work anymore.
    I will have to dig a little deeper.

    Like my work? Consider donating a drink drink. Cheers!

    BrutalBirdieB robiR 2 Replies Last reply
    1
  • BrutalBirdieB Offline
    BrutalBirdieB Offline
    BrutalBirdie Staff
    replied to BrutalBirdie on last edited by
    #6

    After reading this forum post I assumed this would work as well
    https://community.cloudflare.com/t/teamspeak-setup/58035

    hmmm

    Like my work? Consider donating a drink drink. Cheers!

    1 Reply Last reply
    0
  • robiR Offline
    robiR Offline
    robi
    replied to BrutalBirdie on last edited by
    #7

    @brutalbirdie It may be good to ping someone at CF or find some docs that SRV records are supposed to do that and is a supported config.

    It may have worked for a while due to DNS propagation.

    Life of sky tech

    BrutalBirdieB 1 Reply Last reply
    1
  • BrutalBirdieB Offline
    BrutalBirdieB Offline
    BrutalBirdie Staff
    replied to robi on last edited by BrutalBirdie
    #8

    @robi maybe my _mail Service entry is wrong? 🤔

    https://tools.ietf.org/id/draft-daboo-srv-email-05.html#rfc.section.3.2

    also for sieve?

    https://datatracker.ietf.org/doc/html/rfc5804#section-1.8

    Like my work? Consider donating a drink drink. Cheers!

    robiR 1 Reply Last reply
    0
  • robiR Offline
    robiR Offline
    robi
    replied to BrutalBirdie on last edited by
    #9

    @brutalbirdie hmm, perhaps the names of the SRV records are important. If you add those, see if it starts flowing again. 😉

    Life of sky tech

    BrutalBirdieB 1 Reply Last reply
    0
  • BrutalBirdieB Offline
    BrutalBirdieB Offline
    BrutalBirdie Staff
    replied to robi on last edited by
    #10

    @robi I want to try it.

    Like my work? Consider donating a drink drink. Cheers!

    robiR 1 Reply Last reply
    0
  • robiR Offline
    robiR Offline
    robi
    replied to BrutalBirdie on last edited by
    #11

    @brutalbirdie
    _imap._tcp
    _smtp._tcp
    _sieve._tcp

    Not sure about sieve..

    Life of sky tech

    BrutalBirdieB 1 Reply Last reply
    0
  • BrutalBirdieB Offline
    BrutalBirdieB Offline
    BrutalBirdie Staff
    replied to robi on last edited by BrutalBirdie
    #12

    @robi Yea I just updated that and will report back.

    also _imaps and not _imap

    ec77f76c-62d1-450b-97f0-c806e8faec6d-image.png

    time to do some reading...

    https://datatracker.ietf.org/doc/html/rfc6186

    Like my work? Consider donating a drink drink. Cheers!

    BrutalBirdieB 1 Reply Last reply
    0
  • BrutalBirdieB Offline
    BrutalBirdieB Offline
    BrutalBirdie Staff
    replied to BrutalBirdie on last edited by
    #13

    @brutalbirdie does not look like its working hmmm

    Like my work? Consider donating a drink drink. Cheers!

    1 Reply Last reply
    0
  • robiR Offline
    robiR Offline
    robi
    wrote on last edited by
    #14

    Sent out an SOS here: https://twitter.com/vRobM/status/1442197044303577089?s=20

    Life of sky tech

    BrutalBirdieB 1 Reply Last reply
    2
  • BrutalBirdieB Offline
    BrutalBirdieB Offline
    BrutalBirdie Staff
    replied to robi on last edited by
    #15

    @robi Very Nice!

    Like my work? Consider donating a drink drink. Cheers!

    1 Reply Last reply
    0
  • robiR Offline
    robiR Offline
    robi
    wrote on last edited by robi
    #16

    I didn't know Argo tunnels were free. So one can hide the mail service and put it thru an Argo tunnel on a subdomain to the world.

    https://docs.ibracorp.io/all-guides-in-order/documentation/cloudflare-tunnel

    Similarly one can have another domain and IP handle the incoming, which is tunneled to you via Tailscale.

    https://docs.ibracorp.io/all-guides-in-order/documentation/tailscale

    Life of sky tech

    1 Reply Last reply
    0

  • Login

  • Don't have an account? Register

  • Login or register to search.
  • First post
    Last post
0
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Login

  • Don't have an account? Register

  • Login or register to search.