Cloudflare Proxy - How to hide the IP of the mail subdomain and make it work
-
I don't want my IP broadcasted by the
mail/mysubdomain
Why can't I hide my IP from the mail domain, either
my.domain.tldor a custom one in my casemail.domain.tld, behind the Cloudflare proxy service?https://docs.cloudron.io/domains/#cloudflare-dns
Email and HTTP Proxy
If you use Cloudflare for your primary domain and enable Cloudron email for any domain, Cloudflare proxying must be disabled for the my subdomain. This is because Cloudflare will only proxy HTTP and not email protocol.fyi: this also applies for Teamspeak, OpenVPN and more apps that do not fall in the supported port ranges.
The supported port ranges are documented below, so keep reading
There is a way, but this is more security via obscurity. So do not depend on this in any way.
To put it in simple terms:
This will not hide your IP address completely even thoughmail.domain.tldis set toProxied! As soon a someone connects to your server, the origin IP will be revealed. But this setting prevents your server of being detected by DNS scanners, because they would see Cloudflare IPs.They have a product named Cloudflare Spectrum which aims to solve this problem. But only for Enterprise customers. So if you are one? Maybe check this out first?
I did not get the opportunity to try it out and paying for enterprise hmmmm naah.First of all lets read some docs from Cloudflare - Supported port ranges:
https://support.cloudflare.com/hc/en-us/articles/200169156-Identifying-network-ports-compatible-with-Cloudflare-s-proxyTL;DR
By default, Cloudflare proxies traffic destined for the HTTP/HTTPS ports listed below. HTTP ports supported by Cloudflare: 80 8080 8880 2052 2082 2086 2095 HTTPS ports supported by Cloudflare: 443 2053 2083 2087 2096 8443 Caching is disabled for the following ports: 2052 2053 2082 2083 2086 2087 2095 2096 8880 8443So what can we do?
The answer is srv records.Sorry to my blind users but a few screenshots up ahead for context, but I followup with a text based short guide.
Add 3 srv records for the ports listed in
Connection details for other email clients
https://my.domain.tld/#/email/domain.tld.
Ports listed as of writing this:993&587&4190
- Type: SRV
- Name:
mail(since I choose the custommailsubdomain. Aka the domain name for which this record is valid - defaultmy) - Service:
_mail
(the symbolic name of the desired service. Go wild) - Protocol: TCP (since the mail traffic is TCP)
- TTL: auto
- Priority: 0
- Weight: 0
- Port:
993&587&4190(each, one SRV record) - Target: Your mail domain, in my case its
mail.domain.tld(the canonical hostname of the machine providing the service)
Now a
nslookupwill show Cloudflare Proxied IPs:nslookup mail.domtain.tld 1.1.1.1 23:18:18 Server: 1.1.1.1 Address: 1.1.1.1#53 Non-authoritative answer: Name: mail.domtain.tld Address: 104.21.57.26 Name: mail.domtain.tld Address: 172.67.158.189 Name: mail.domtain.tld Address: 2606:4700:3036::6815:391a Name: mail.domtain.tld Address: 2606:4700:3036::ac43:9ebdAnd here a little proof screenshot of me sending and receiving mails with this setup.
Cheers,
~ BrutalBirdie
-
@brutalbirdie This is good stuff, I just didn't see where Cloudflare says they will use SRV records to enable traffic to non-supported ports.
This is also a good feature request for Cloudron to make it the default configuration for Cloudflare managed DNS.
This way there is some DDoS protection and some site speed enhancements by having CF proxy & cache supported traffic w/o disrupting other Cloudron services.
-
The MX entry will still expose the mail server, no?
-
Moved from Help Wanted or Offered by
girish
-
this is what my Cloudflare DNS Dashboard now looks like.
Yes the MX still reveals the real IP.
This is more like a small inconvenience for DNS scanners / script kiddies. -
@robi I may need to revert my post, because as of today I can no longer get / send my mails.
Damn.
SOGo and Thunderbird did not work anymore.
I will have to dig a little deeper. -
After reading this forum post I assumed this would work as well
https://community.cloudflare.com/t/teamspeak-setup/58035hmmm
-
@brutalbirdie It may be good to ping someone at CF or find some docs that SRV records are supposed to do that and is a supported config.
It may have worked for a while due to DNS propagation.
Life of Gratitude.
Life of Advanced Technology -
@robi maybe my
_mailService entry is wrong?
https://tools.ietf.org/id/draft-daboo-srv-email-05.html#rfc.section.3.2
also for sieve?
-
@brutalbirdie hmm, perhaps the names of the SRV records are important. If you add those, see if it starts flowing again.
Life of Gratitude.
Life of Advanced Technology -
@robi I want to try it.
-
@brutalbirdie
_imap._tcp
_smtp._tcp
_sieve._tcpNot sure about sieve..
Life of Gratitude.
Life of Advanced Technology -
@robi Yea I just updated that and will report back.
also
_imapsand not_imap
time to do some reading...
-
@brutalbirdie does not look like its working hmmm
-
Sent out an SOS here: https://twitter.com/vRobM/status/1442197044303577089?s=20
Life of Gratitude.
Life of Advanced Technology -
@robi Very Nice!
-
I didn't know Argo tunnels were free. So one can hide the mail service and put it thru an Argo tunnel on a subdomain to the world.
https://docs.ibracorp.io/all-guides-in-order/documentation/cloudflare-tunnel
Similarly one can have another domain and IP handle the incoming, which is tunneled to you via Tailscale.
https://docs.ibracorp.io/all-guides-in-order/documentation/tailscale
