How to hide origin server behind CloudFlare and still send emails - email

How do you hide an origin server behind CloudFlare and still be able to send transactional emails via providers like Sendgrid, Mailgun, etc.?
My problem is that when I send an email it seems that a Received: from line is always added to the message, revealing my origin server's real IP.
I tried it with Sendgrid, both via JSON API and SMTP endpoints, but it's visible in both cases.
How do you solve this problem?
Are there some transactional email providers which do not append this line?
Do you use some complicated setup with a distributed message queue and a worker running on a different host with different IP, only for sending emails?
Do you connect to the providers via a proxy / VPN? Is there such a thing as proxy for SMTP?

In your case we recommend running your email through a different server. You can find some guidance in this KB article. If your IP is still leaked you should contact Cloudflare support.
Run email on separate server/service
If you are running your mail on the same server as your website, then the attacker can always find your origin server IP. To close this possible security gap, you can use an email service on a separate server than your website, whether through your hosting provider or an outside service (e.g., Google Apps).
For Mac users:
You can run this command in Terminal to see what IP is being reported with your MX records:
    dig +short $(dig mx +short WEBSITE)
For example, if I was concerned about example.com, I would enter:
    dig +short $(dig mx +short example.com)
The output will be an IP address. This is the IP address that an attacker can always find. You want to make sure this IP address is different than the IP address for your web server. Otherwise, no matter how many times you change your web server, if your email is also on the same server, then the attacker can always find the new IP.
For PC users:
You can run this command in command prompt to see what IP is being reported with your MX records:
    nslookup -q=mx WEBSITE
For example, if I was concerned about example.com, I would enter:
    nslookup -q=mx example.com
The output will be an IP address. This is the IP address that an attacker can always find. You want to make sure this IP address is different than the IP address for your web server. Otherwise, no matter how many times you change your web server, if your email is also on the same server, then the attacker can always find the new IP.
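A self-check for the header leak described in the question, as an added example that is not part of the original question, answer or KB article: it scans the raw source of a message you sent to yourself for any header that carries your origin IP. The sample message, host names and the 203.0.113.10 address are constructed, and `find_ip_leaks` is a hypothetical helper name.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample of a delivered message; 203.0.113.10 stands in for the
# origin server (documentation address range), relay.example.net for the provider.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.recipient.example with ESMTPS; Mon, 1 Jan 2024 10:00:02 +0000
Received: from web-serv.example.com (unknown [203.0.113.10])
\tby relay.example.net with ESMTPSA; Mon, 1 Jan 2024 10:00:01 +0000
X-Originating-IP: [203.0.113.10]
From: app@example.com
To: user@recipient.example
Subject: Thank you

Body text.
"""

IP_TOKEN = re.compile(r"[0-9A-Fa-f:.]{3,}")  # candidate IPv4/IPv6 literals


def find_ip_leaks(raw_message, origin_ips):
    """Return (header name, header value) for every header naming an origin IP."""
    watched = {ipaddress.ip_address(ip) for ip in origin_ips}
    leaks = []
    for name, value in message_from_string(raw_message).items():
        flat = " ".join(value.split())                # unfold continuation lines
        candidates = re.sub(r"(?i)ipv6:", " ", flat)  # "[IPv6:2001:db8::1]" form
        for token in IP_TOKEN.findall(candidates):
            try:
                addr = ipaddress.ip_address(token.strip("."))
            except ValueError:
                continue  # timestamps, host-name fragments, etc.
            if addr in watched:
                leaks.append((name, flat))
                break
    return leaks


if __name__ == "__main__":
    for name, value in find_ip_leaks(SAMPLE, ["203.0.113.10"]):
        print(f"LEAK in {name}: {value}")
```

Run it against the "show original" source of a test message after every change to the sending path; an empty result means none of the watched addresses appear in any header.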

Related

Can I run an email Server with a fixed IP only?

I created a web app to do some basic content management for just myself. I want to mail some docs to the server instead of downloading then uploading them. I've been looking at postfix but everything assumes you have a domain. Is it possible to receive email at a server with a fixed IP and no domain?
If you want anybody and any app to be able to send mail you need MX records in DNS. And MX records point at DNS server names, not IP addresses.
https://serverfault.com/questions/663112/why-cant-mx-records-point-to-an-ip-address
If it's just you then you can telnet to the SMTP port to send mail.

How to Setup Reverse DNS On Linode for Your Instance when you use Cloudflare to Provide DNS

Hi. Our site is based on smartphone, laptop and gadget specs and prices, and we are using a Linode server to host our site, but the same site is opening in Linode rDNS. Due to this, most of our links, such as https://www.pdevice.com/product/samsung-galaxy-s20-ultra-5g-price-specs, are opening with the Linode domain address. We also contacted them, and they told us: It looks like "pdevice.com" is your domain name but since it's pointing to CloudFlare's IP, you would need a work around in regards to setting reverse DNS. An option would be to create a subdomain and point this to your server's IP address. You may be able to get around this by having the "www" record for your domain point to your server's IP addresses rather than Cloudflare's IP addresses. As we said, we are using Cloudflare to provide CDN and DNS, so we can't work out how to solve this issue, because it shows an issue while past RDNS to Subdomain.pdevice dot com. So how do we do this with our server?

How to connect my Mac Mail to my domain whose DNS is handled through DigitalOcean?

I bought a domain.
I pointed its name servers to:
ns1.digitalocean.com
ns2.digitalocean.com
I have added a CNAME record pointing to #
I want to send and receive emails using my Mac mail program.
I know that I should probably build a full mail server which is an awful thing to do.
Therefore, I have another server (not digitalocean) running on cPanel. In this cPanel I have a very powerful cPanel's mail server.
How can I point my digitalocean CNAME to the remote server where the cPanel is?
I hope it's clear enough.
In order to make your domain point to the DigitalOcean server, you will have to create an A record that points to the IP of that server; the same goes for any subdomain.
Regarding your mail server, you need to make mail.mydomain.com point to the IP of your cPanel server using an A record, not a CNAME, and also modify other records like SPF/DKIM records.
For your local mail client you can get the configuration by logging into the cPanel user account and viewing the mail settings.

How to hide server's IP in email header

I'm using a DNS service and so far I've successfully hidden my server's IP address from appearing to the public (including nslookup to all my subdomains).
The only problem is that my server's IP is still showing in the email header of every sent email. Is there a way to hide it from appearing or change it to something else?
I'm using CloudFlare service, as for my email service I'm using qmail.
Why do you want to hide your SMTP server? I don't believe it's possible to hide your IP completely because the receiving server has to know where the connection is coming from for TCP/IP to work (in the same way that your browser has to know an ip address for google.com to load the page). So the receiving server will always know the ip address even if you don't put it in a header.
There are many services that provide SMTP servers if you do not want to use your own and expose it to the world. I'd recommend exploring these options if privacy or security is a concern.

Ubuntu exim4 - Config setup and spam filters

I've recently set up my Ubuntu web server with exim4 so my PHP website applications can send email such as "thank you" and "confirmation" notices.
I've got it set up and working such that I can send email to Gmail, Yahoo! and my work address. However, my work email gets caught up in our spam filter. I'm new to setting up mail servers so I'm not sure what I might need to look for in making this mail server more trusted, while keeping it secure.
Here are some details:
Server is NATed behind a firewall.
Firewall has port 25 open for outgoing SMTP traffic (from server to anywhere).
Server is virtual hosting a couple of our different websites.
The server is running the following exim4 config:
dc_eximconfig_configtype='internet'
dc_other_hostnames='web-serv.example1.com;example2.com'
dc_local_interfaces='127.0.0.1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
Questions:
Do I need to open port 25 to incoming SMTP mail (anywhere to server)? I wonder if other mail servers need to talk to my mail server to verify itself, in a sort of handshake attempt.
I have not created any MX records primarily because the server has different websites on it the mail server should send mail for all the websites. Do I need to pick/create a domain address and create MX records for it?
One thing of note is that the mail headers look like this:
Return-Path: <www-data#example2.com>
Received: from web-serv.example1.com ([Firewall public IP Address])
Received-SPF: neutral (google.com: [Firewall public IP Address] is neither permitted nor denied by best guess record for domain of www-data#example2.com)
"web-serv" is the host name of the server, such that you get this if you type it into the command line:
$ hostname
web-serv
and "www-data" is the account name for the Apache2 server that Ubuntu gave it as default.
Any other general advice would be appreciated. It's all new to me.
Cheers!
One item of note, since I posted this question some time ago (almost 10 months), is that I found out the biggest issue I had was with setting up the DNS for reverse DNS on our hosting provider's side of things.
In other words, our hosting provider (the people who give us our IP address and manage our hardware) had to enter a record to match my server(s) hostname to whatever IP address it used.
There's a specific name for this. I believe it's a "PTR" record but the name escapes me at the moment, but you basically tell them "my server hostname is ..." and they do a quick update to the DNS for reverse DNS purposes.
When I asked this question, we had a different hosting provider who didn't really help explain this to me, and after switching providers, I got to talk to someone who was happy to help me understand that side of the equation.
And as I understand it, this is setup by the people who assign you the IP addresses. But there's probably more to it than that.
Once I got that setup properly, email had no problem getting through the spam filters and Gmail/Yahoo showed SPF as "passed". It was showing neutral before.
Our company email was set to drop any email that would not resolve reverse DNS, which is why I could not even receive the email or find it in the spam filter. Of course, that situation would be dependent on the company and what email policy and software they're using to manage spam. Some might just drop all email that does not reverse DNS and some might dump it into spam filters instead.
Hope that might help some people with similar issues.
Cheers!
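The reverse DNS requirement described in this answer, as an added example that is not the poster's code: it checks that an IP has a PTR record and goes one step beyond what the answer mentions by also confirming that the PTR name resolves back to the same IP (forward-confirmed reverse DNS), a test many receiving mail servers apply. The addresses, host names and stub tables are constructed; `check_fcrdns` and `stub` are hypothetical names.

```python
import ipaddress
import socket


def ptr_names(ip):
    """PTR lookup via the system resolver; raises OSError when none exists."""
    host, aliases, _ = socket.gethostbyaddr(ip)
    return [host, *aliases]


def addresses(name):
    """A/AAAA lookup via the system resolver; raises OSError on failure."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def check_fcrdns(ip, reverse=ptr_names, forward=addresses):
    """Return (ok, reason). ok is True only if a PTR name for ip resolves back
    to ip. reverse/forward can be swapped for stubs to test without a network."""
    target = ipaddress.ip_address(ip)
    try:
        names = reverse(ip)
    except OSError:
        return False, f"no PTR record for {ip}"
    for name in names:
        try:
            resolved = {ipaddress.ip_address(a) for a in forward(name)}
        except (OSError, ValueError):
            continue  # PTR target has no usable A/AAAA record
        if target in resolved:
            return True, f"{ip} -> {name} -> {ip}"
    return False, f"PTR {names} does not resolve back to {ip}"


# Constructed records standing in for DNS: one host with matching PTR and A
# records, and one whose PTR is still the provider's generic name.
PTR = {"203.0.113.10": ["web-serv.example1.com"],
       "203.0.113.20": ["host-20.provider.example"]}
A = {"web-serv.example1.com": ["203.0.113.10"]}


def stub(table):
    """Resolver stub over a dict; raises OSError like the socket calls do."""
    def lookup(key):
        if key not in table:
            raise OSError(f"no record for {key}")
        return table[key]
    return lookup
```

Calling `check_fcrdns("<your public IP>")` with the default resolvers performs the live lookup; `check_fcrdns(ip, stub(PTR), stub(A))` exercises the same logic against the constructed tables.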