Cloudflare Proxy - How to hide the IP of the mail subdomain and make it work
I don't want my IP broadcasted by the
Why can't I hide my IP from the mail domain, either
my.domain.tldor a custom one in my case
mail.domain.tld, behind the Cloudflare proxy service?
Email and HTTP Proxy
If you use Cloudflare for your primary domain and enable Cloudron email for any domain, Cloudflare proxying must be disabled for the my subdomain. This is because Cloudflare will only proxy HTTP and not email protocol.
fyi: this also applies for Teamspeak, OpenVPN and more apps that do not fall in the supported port ranges.
The supported port ranges are documented below, so keep reading
There is a way, but this is more security via obscurity. So do not depend on this in any way.
To put it in simple terms:
This will not hide your IP address completely even though
mail.domain.tldis set to
Proxied! As soon a someone connects to your server, the origin IP will be revealed. But this setting prevents your server of being detected by DNS scanners, because they would see Cloudflare IPs.
They have a product named Cloudflare Spectrum which aims to solve this problem. But only for Enterprise customers. So if you are one? Maybe check this out first?
I did not get the opportunity to try it out and paying for enterprise hmmmm naah.
First of all lets read some docs from Cloudflare - Supported port ranges:
By default, Cloudflare proxies traffic destined for the HTTP/HTTPS ports listed below. HTTP ports supported by Cloudflare: 80 8080 8880 2052 2082 2086 2095 HTTPS ports supported by Cloudflare: 443 2053 2083 2087 2096 8443 Caching is disabled for the following ports: 2052 2053 2082 2083 2086 2087 2095 2096 8880 8443
So what can we do?
The answer is srv records.
Sorry to my blind users but a few screenshots up ahead for context, but I followup with a text based short guide.
Add 3 srv records for the ports listed in
Connection details for other email clients
Ports listed as of writing this:
- Type: SRV
_mail(the symbolic name of the desired service. Go wild)
- Protocol: TCP (since the mail traffic is TCP)
- TTL: auto
- Priority: 0
- Weight: 0
4190(each, one SRV record)
- Target: Your mail domain, in my case its
mail.domain.tld(the canonical hostname of the machine providing the service)
nslookupwill show Cloudflare Proxied IPs:
nslookup mail.domtain.tld 220.127.116.11 23:18:18 Server: 18.104.22.168 Address: 22.214.171.124#53 Non-authoritative answer: Name: mail.domtain.tld Address: 126.96.36.199 Name: mail.domtain.tld Address: 188.8.131.52 Name: mail.domtain.tld Address: 2606:4700:3036::6815:391a Name: mail.domtain.tld Address: 2606:4700:3036::ac43:9ebd
And here a little proof screenshot of me sending and receiving mails with this setup.
@brutalbirdie This is good stuff, I just didn't see where Cloudflare says they will use SRV records to enable traffic to non-supported ports.
This is also a good feature request for Cloudron to make it the default configuration for Cloudflare managed DNS.
This way there is some DDoS protection and some site speed enhancements by having CF proxy & cache supported traffic w/o disrupting other Cloudron services.
The MX entry will still expose the mail server, no?
this is what my Cloudflare DNS Dashboard now looks like.
Yes the MX still reveals the real IP.
This is more like a small inconvenience for DNS scanners / script kiddies.
@robi I may need to revert my post, because as of today I can no longer get / send my mails.
SOGo and Thunderbird did not work anymore.
I will have to dig a little deeper.
After reading this forum post I assumed this would work as well
@brutalbirdie It may be good to ping someone at CF or find some docs that SRV records are supposed to do that and is a supported config.
It may have worked for a while due to DNS propagation.
@robi maybe my
_mailService entry is wrong?
also for sieve?
@brutalbirdie hmm, perhaps the names of the SRV records are important. If you add those, see if it starts flowing again.
@robi I want to try it.
Not sure about sieve..
@brutalbirdie does not look like its working hmmm
Sent out an SOS here: https://twitter.com/vRobM/status/1442197044303577089?s=20
@robi Very Nice!
robi last edited by robi
I didn't know Argo tunnels were free. So one can hide the mail service and put it thru an Argo tunnel on a subdomain to the world.
Similarly one can have another domain and IP handle the incoming, which is tunneled to you via Tailscale.