Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


    Cloudron Forum

    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular

    Cloudflare Proxy - How to hide the IP of the mail subdomain and make it work

    Discuss
    mail cloudflare
    3
    16
    1069
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • BrutalBirdie
      BrutalBirdie Staff last edited by BrutalBirdie

      I don't want my IP broadcasted by the mail/my subdomain


      Why can't I hide my IP from the mail domain, either my.domain.tld or a custom one in my case mail.domain.tld, behind the Cloudflare proxy service?

      https://docs.cloudron.io/domains/#cloudflare-dns

      Email and HTTP Proxy
      If you use Cloudflare for your primary domain and enable Cloudron email for any domain, Cloudflare proxying must be disabled for the my subdomain. This is because Cloudflare will only proxy HTTP and not email protocol.

      fyi: this also applies for Teamspeak, OpenVPN and more apps that do not fall in the supported port ranges.
      The supported port ranges are documented below, so keep reading 😉


      There is a way, but this is more security via obscurity. So do not depend on this in any way.

      To put it in simple terms:
      This will not hide your IP address completely even though mail.domain.tld is set to Proxied! As soon a someone connects to your server, the origin IP will be revealed. But this setting prevents your server of being detected by DNS scanners, because they would see Cloudflare IPs.

      They have a product named Cloudflare Spectrum which aims to solve this problem. But only for Enterprise customers. So if you are one? Maybe check this out first?
      I did not get the opportunity to try it out and paying for enterprise hmmmm naah.

      First of all lets read some docs from Cloudflare - Supported port ranges:
      https://support.cloudflare.com/hc/en-us/articles/200169156-Identifying-network-ports-compatible-with-Cloudflare-s-proxy

      TL;DR

      By default, Cloudflare proxies traffic destined for the HTTP/HTTPS ports listed below.
      
      HTTP ports supported by Cloudflare:
      
          80
          8080
          8880
          2052
          2082
          2086
          2095
      
      HTTPS ports supported by Cloudflare:
      
          443
          2053
          2083
          2087
          2096
          8443
      
      Caching is disabled for the following ports:
      
          2052
          2053
          2082
          2083
          2086
          2087
          2095
          2096
          8880
          8443
      

      So what can we do?
      The answer is srv records.

      Sorry to my blind users but a few screenshots up ahead for context, but I followup with a text based short guide.

      Add 3 srv records for the ports listed in Connection details for other email clients
      https://my.domain.tld/#/email/domain.tld.
      Ports listed as of writing this: 993 & 587 & 4190

      62acd468-750b-4cd8-ab3a-178d1be12c79-image.png

      e1887109-7108-47b9-a49e-2b05160f5d67-image.png

      1c631aa6-e615-42c0-98a4-cd35302d18c3-image.png

      ecdfc77a-cff4-469e-a381-a690c724cdcb-image.png

      • Type: SRV
      • Name: mail (since I choose the custom mail subdomain. Aka the domain name for which this record is valid - default my)
      • Service: _mail 🤷 (the symbolic name of the desired service. Go wild)
      • Protocol: TCP (since the mail traffic is TCP)
      • TTL: auto
      • Priority: 0
      • Weight: 0
      • Port: 993 & 587 & 4190 (each, one SRV record)
      • Target: Your mail domain, in my case its mail.domain.tld (the canonical hostname of the machine providing the service)

      Now a nslookup will show Cloudflare Proxied IPs:

      nslookup mail.domtain.tld 1.1.1.1                                                               23:18:18
      Server:         1.1.1.1
      Address:        1.1.1.1#53
      
      Non-authoritative answer:
      Name:   mail.domtain.tld
      Address: 104.21.57.26
      Name:   mail.domtain.tld
      Address: 172.67.158.189
      Name:   mail.domtain.tld
      Address: 2606:4700:3036::6815:391a
      Name:   mail.domtain.tld
      Address: 2606:4700:3036::ac43:9ebd
      

      And here a little proof screenshot of me sending and receiving mails with this setup.

      1dfc3a5e-f4a8-4b3d-8422-2e8082ae930e-image.png

      Cheers,
      ~ BrutalBirdie 🍻

      Like my work? Consider donating a beer 🍻 Cheers!

      robi BrutalBirdie 2 Replies Last reply Reply Quote 1
      • robi
        robi @BrutalBirdie last edited by

        @brutalbirdie This is good stuff, I just didn't see where Cloudflare says they will use SRV records to enable traffic to non-supported ports.

        This is also a good feature request for Cloudron to make it the default configuration for Cloudflare managed DNS.

        This way there is some DDoS protection and some site speed enhancements by having CF proxy & cache supported traffic w/o disrupting other Cloudron services.

        Life of Advanced Technology

        1 Reply Last reply Reply Quote 1
        • girish
          girish Staff last edited by

          The MX entry will still expose the mail server, no?

          BrutalBirdie 1 Reply Last reply Reply Quote 1
          • Moved from Help Wanted or Offered by  girish girish 
          • BrutalBirdie
            BrutalBirdie Staff @girish last edited by

            @girish

            4238f7c5-7d12-44c4-8256-695b9e020161-image.png

            this is what my Cloudflare DNS Dashboard now looks like.

            Yes the MX still reveals the real IP.
            This is more like a small inconvenience for DNS scanners / script kiddies.

            Like my work? Consider donating a beer 🍻 Cheers!

            1 Reply Last reply Reply Quote 0
            • BrutalBirdie
              BrutalBirdie Staff @BrutalBirdie last edited by BrutalBirdie

              @robi I may need to revert my post, because as of today I can no longer get / send my mails.

              Damn. 😞

              SOGo and Thunderbird did not work anymore.
              I will have to dig a little deeper.

              Like my work? Consider donating a beer 🍻 Cheers!

              BrutalBirdie robi 2 Replies Last reply Reply Quote 1
              • BrutalBirdie
                BrutalBirdie Staff @BrutalBirdie last edited by

                After reading this forum post I assumed this would work as well
                https://community.cloudflare.com/t/teamspeak-setup/58035

                hmmm

                Like my work? Consider donating a beer 🍻 Cheers!

                1 Reply Last reply Reply Quote 0
                • robi
                  robi @BrutalBirdie last edited by

                  @brutalbirdie It may be good to ping someone at CF or find some docs that SRV records are supposed to do that and is a supported config.

                  It may have worked for a while due to DNS propagation.

                  Life of Advanced Technology

                  BrutalBirdie 1 Reply Last reply Reply Quote 1
                  • BrutalBirdie
                    BrutalBirdie Staff @robi last edited by BrutalBirdie

                    @robi maybe my _mail Service entry is wrong? 🤔

                    https://tools.ietf.org/id/draft-daboo-srv-email-05.html#rfc.section.3.2

                    also for sieve?

                    https://datatracker.ietf.org/doc/html/rfc5804#section-1.8

                    Like my work? Consider donating a beer 🍻 Cheers!

                    robi 1 Reply Last reply Reply Quote 0
                    • robi
                      robi @BrutalBirdie last edited by

                      @brutalbirdie hmm, perhaps the names of the SRV records are important. If you add those, see if it starts flowing again. 😉

                      Life of Advanced Technology

                      BrutalBirdie 1 Reply Last reply Reply Quote 0
                      • BrutalBirdie
                        BrutalBirdie Staff @robi last edited by

                        @robi I want to try it.

                        Like my work? Consider donating a beer 🍻 Cheers!

                        robi 1 Reply Last reply Reply Quote 0
                        • robi
                          robi @BrutalBirdie last edited by

                          @brutalbirdie
                          _imap._tcp
                          _smtp._tcp
                          _sieve._tcp

                          Not sure about sieve..

                          Life of Advanced Technology

                          BrutalBirdie 1 Reply Last reply Reply Quote 0
                          • BrutalBirdie
                            BrutalBirdie Staff @robi last edited by BrutalBirdie

                            @robi Yea I just updated that and will report back.

                            also _imaps and not _imap

                            ec77f76c-62d1-450b-97f0-c806e8faec6d-image.png

                            time to do some reading...

                            https://datatracker.ietf.org/doc/html/rfc6186

                            Like my work? Consider donating a beer 🍻 Cheers!

                            BrutalBirdie 1 Reply Last reply Reply Quote 0
                            • BrutalBirdie
                              BrutalBirdie Staff @BrutalBirdie last edited by

                              @brutalbirdie does not look like its working hmmm

                              Like my work? Consider donating a beer 🍻 Cheers!

                              1 Reply Last reply Reply Quote 0
                              • robi
                                robi last edited by

                                Sent out an SOS here: https://twitter.com/vRobM/status/1442197044303577089?s=20

                                Life of Advanced Technology

                                BrutalBirdie 1 Reply Last reply Reply Quote 2
                                • BrutalBirdie
                                  BrutalBirdie Staff @robi last edited by

                                  @robi Very Nice!

                                  Like my work? Consider donating a beer 🍻 Cheers!

                                  1 Reply Last reply Reply Quote 0
                                  • robi
                                    robi last edited by robi

                                    I didn't know Argo tunnels were free. So one can hide the mail service and put it thru an Argo tunnel on a subdomain to the world.

                                    https://docs.ibracorp.io/all-guides-in-order/documentation/cloudflare-tunnel

                                    Similarly one can have another domain and IP handle the incoming, which is tunneled to you via Tailscale.

                                    https://docs.ibracorp.io/all-guides-in-order/documentation/tailscale

                                    Life of Advanced Technology

                                    1 Reply Last reply Reply Quote 0
                                    • First post
                                      Last post
                                    Powered by NodeBB