How to setup mail server (mailserver) to stop IP leak when using Cloudflare



Fli
11-15-2016, 08:21 PM
ISSUE: Your site (site.com) is behind Cloudflare, but you are using the e-mail account [email protected]; it is likely that you are leaking your real web server IP because of this.

EXPLANATION, SOLUTIONS: When a site is protected by Cloudflare, the real IP (where we host the website) can still leak through an MX record. The MX record is responsible for routing incoming e-mail. The hostname (and the IP under it) which is part of the MX record cannot be protected by Cloudflare (to my knowledge, as it may cause delivery failure), and this means this DNS record is leaking the real web server IP to the public. (Linux commands to verify: host mail.yourdomain.com; dig txt mail.yourdomain.com) An MX record is required to receive e-mail.

So we can either:
A) delete our mailbox and MX record + use Gmail (or another service) OR
B) use a different mail server whose IP we are OK to leak

In this article I focus on option B and attempt to write, for noobs like me, how to reconfigure DNS records. For experienced people there is still a catch to take note of; it is mentioned in the last paragraph, "OTHER IMPORTANT THINGS TO DO".

EXPLANATION HOW TO SEPARATE MAILSERVER FROM WEBSERVER AND RECONFIGURE DNS TO PREVENT WEBSERVER IP LEAK:

OPTION A) buy a private server/VPS used for bigger mailing

Instruct PHP scripts to send e-mails through this new external SMTP mail server instead of using the local server's mail() function. Google: php send e-mail via SMTP


Steps to create a new external mail server can be these:

1. get/order a new Linux server with Ubuntu 14.04 x64 and at least 1GB RAM
2. go to Cloudflare or your hosting control panel and go into the DNS section of your domain name; there add or modify the A record for mail. Example: my A record is named mail and points to the IP address where my website is hosted. So I change the IP address to be the IP of my new mail server.
3. install Mail-in-a-box on your mail server: https://mailinabox.email/guide.html
4. set up a new e-mail account with SMTP
5. tweak the SMTP mail server configuration file not to leak the source web hosting server IP ("Received: from") in headers; it is described below in the last paragraph (search "received:").
6. set your website to send e-mail via this new SMTP
7. send a test e-mail

OPTION B) buy cheap shared hosting whose IP will be exposed and used for e-mailing

The downside of this method is that there is a possibility that the mail server will reveal your web server IP (the IP of the server which hosts your Cloudflare-protected website) in the headers (source code) of e-mails sent by your PHP mail or PHP SMTP function (correct me if I am wrong; you can check the current source code of your sent mail for IPs, possibly near the line "Received: from"). This is possible to work around in the mail server software, but the server admin (not you?) may not be willing to adjust the server config to hide it. (More about this issue is mentioned in the paragraph below, "OTHER IMPORTANT THINGS TO DO".)

Anyway, here I continue with how to set up this method:
1. order shared hosting and use it either for sending mail through its SMTP or just for receiving e-mails. This enables us to replace the web server's real IP in the publicly visible MX type record with the IP of the mail server, whose downtime is not so critical. The next 4 steps are to set up/modify DNS records so they present the IP of the mail server, not the web server.

2. in Cloudflare / Site / DNS section, remove the existing CNAME type DNS record for "mail" and make sure there is an A type DNS record for "mail" pointing to the IP address of the new mail server set up in step 1. (Hosting providers usually mention what domain/hostname/server name the user needs to use in their mail client.) This way an attacker may only discover the IP of the mail server, not the IP of the hosting server which we want to hide. So probably the mail server being attacked is better than the web server IP leaked and the web server down because of an attack. Example "A" type DNS record I set in my Cloudflare:

type: A, name: mail, value: 1.2.3.4
(1.2.3.4 is the IP of the server where your mailboxes/mail server are, not the IP of a web server)

3. in Cloudflare / Site / DNS section set the MX record to point to the hostname of the SMTP mail server or the shared hosting ordered for e-mailing purposes only. Example, my MX entries are two:

type: MX, name: mydomain.com, value: mail.mydomain.com
type: MX, name: mydomain.com, value: hostname.mydomain.com

So that way all e-mail sent to me is properly redirected to the e-mail server, not the web server, which would reveal the web server's real IP. Currently defined domain DNS records (MX, TXT, A) can be checked by various tools like intodns.com, dnsinspect.com, or google: mx record check

4. in Cloudflare / Site / DNS section set a TXT type DNS record where you define PTR as provided by your e-mail hosting provider. In my case I have this in Cloudflare:

type: TXT, name: yourdomainhere.com, value: v=spf1 ip4:1.2.3.4 a mx include:yourdomainhere.com ~all
(1.2.3.4 is the IP of the server where your mailboxes/mail server are, not the IP of a web server)

5. in Cloudflare / Site / DNS section set a TXT type DNS record where you define DKIM as provided by your e-mail hosting provider. In my case I have this in Cloudflare:

type: TXT, name: default._domainkey, value: v=DKIM1;k=rsa;p=StringHere\;
(note: no spaces and no quotation marks in the TXT record value; we use the value that was generated by the server that is relaying e-mail (the SMTP server), not the web hosting server)
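To check the effect of steps 2 to 5 without a public tool, here is an added Python example (not from the original post) that walks the mail-related records the way an outside sender sees them: the MX targets and the hosts an SPF record names. It assumes a constructed zone snapshot in ZONE (placeholder IPs from the documentation ranges; hostnames follow the post's examples); on a live domain you would fill it from the host/dig output mentioned at the top of the post.

```python
# Constructed zone snapshot (placeholder values), keyed "TYPE name".
ZONE = {
    "A mydomain.com": ["198.51.100.10"],        # apex, proxied: a Cloudflare edge IP
    "A mail.mydomain.com": ["1.2.3.4"],         # step 2: the mail server
    "A hostname.mydomain.com": ["203.0.113.10"],  # mistake: still the hidden web server
    "MX mydomain.com": ["mail.mydomain.com", "hostname.mydomain.com"],
    "TXT mydomain.com": ["v=spf1 ip4:1.2.3.4 a mx include:mydomain.com ~all"],
}

def lookup(zone, rtype, name):
    return zone.get(f"{rtype} {name}", [])

def spf_targets(spf, domain):
    """Map each SPF mechanism to the IP or host it names (include: not followed)."""
    targets = []
    for mech in spf.split()[1:]:
        mech = mech.lstrip("+-~?")
        if mech.startswith(("ip4:", "ip6:")):
            targets.append(("ip", mech.split(":", 1)[1].split("/")[0]))
        elif mech in ("a", "mx") or mech.startswith(("a:", "mx:")):
            kind, _, host = mech.partition(":")
            targets.append((kind, host or domain))
    return targets

def mail_exposed_ips(zone, domain):
    """Every IP a stranger learns from the mail-related records alone."""
    found = {}
    def add(ip, via):
        found.setdefault(ip, []).append(via)
    for mx in lookup(zone, "MX", domain):
        for ip in lookup(zone, "A", mx):
            add(ip, f"MX {mx}")
    for txt in lookup(zone, "TXT", domain):
        if not txt.lower().startswith("v=spf1"):
            continue
        for kind, val in spf_targets(txt, domain):
            if kind == "ip":
                add(val, "SPF ip4/ip6")
            elif kind == "a":
                for ip in lookup(zone, "A", val):
                    add(ip, f"SPF a:{val}")
            else:
                for mx in lookup(zone, "MX", val):
                    for ip in lookup(zone, "A", mx):
                        add(ip, f"SPF mx:{val} -> {mx}")
    return found

def origin_leaks(zone, domain, origin_ip):
    """Record paths that disclose the web server IP Cloudflare is hiding."""
    return sorted(mail_exposed_ips(zone, domain).get(origin_ip, []))
```

In the constructed zone the second MX target still resolves to the origin, so both the MX record and the SPF "mx" mechanism are reported; the SPF "a" mechanism only reveals the proxied apex address.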

OTHER IMPORTANT THINGS TO DO:

If we instruct PHP scripts to relay e-mail via our remote SMTP mail server (including one provided by a shared hosting account we purchased just for e-mailing) in an attempt to hide our web server IP, it will probably fail, because if our PHP script(s) send an e-mail to an attacker/investigator, then he can discover the real web server IP in this e-mail's headers/source code. To prevent this leak, the server admin can reconfigure the SMTP server not to leak the IP through the "Received: from" header (https://forums.cpanel.net/threads/how-to-edit-exim-configuration-so-it-do-not-reveal-received-from-in-headers.608043/#post-2467367) (google: hide received from header SMTP). On shared hosting where we are not the server admins, the admin may not agree to edit this, which is understandable.
--
If you know about any other way or have any fixes for this tutorial, please kindly describe it below.
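For the "check the source code of your sent mail" step, here is an added Python example (not part of the original post) that pulls every IPv4 address out of a message's Received headers and flags any that belong to the hidden web server. RAW_MAIL is a constructed message with placeholder addresses; its inner Received line is the kind an unmodified relay adds when a PHP script submits mail from the web host.

```python
import email
import re
from email import policy

# Constructed message source (placeholder IPs and addresses), as a mail
# client's "view source" shows it for a mail relayed through the SMTP host.
RAW_MAIL = b"""\
Received: from mail.mydomain.com (mail.mydomain.com [1.2.3.4])
\tby mx.example.net with ESMTPS id abc123
\tfor <user@example.net>; Tue, 15 Nov 2016 20:21:00 +0000
Received: from webhost.internal (unknown [203.0.113.10])
\tby mail.mydomain.com (Postfix) with ESMTPA id def456
\tfor <user@example.net>; Tue, 15 Nov 2016 20:20:58 +0000
From: noreply@mydomain.com
To: user@example.net
Subject: test

hello
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def received_ips(raw):
    """Return every IPv4 address in the Received chain, outermost hop first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ips = []
    for hdr in msg.get_all("Received", []):
        ips.extend(IPV4.findall(str(hdr)))
    return ips

def header_leaks(raw, hidden_ips):
    """Addresses from hidden_ips that the message discloses to its recipient."""
    seen = set(received_ips(raw))
    return sorted(ip for ip in hidden_ips if ip in seen)
```

Run header_leaks over a real sent message with your origin IP in hidden_ips; a non-empty result means the relay still writes the web host into the chain and the "Received: from" fix in the last paragraph has not taken effect.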