We have most of our stuff behind Cloudflare.

However, some services such as mail (ex: mail.mydomain.com MX record) cannot be pushed through Cloudflare and they expose our mail server's IP, which makes it easy to discover where our infrastructure is located because they all share the same block and organization name (per ARIN whois).

Since our mail servers and VMs are at the same colo facility, knowing the IP of the mail server exposes the IP block and increases our attack surface. We host our own mail server using postfix/dovecot and it's not practical to move it to a public mail provider like Gmail.

So what I'd like to do is set up some type of a proxy, kind of like what Cloudflare does with web ports 80/443, on a public cloud instance, ex: AWS, and have our MX record pointed to that, and then accept incoming mail connections on port 25 and relay/proxy/tunnel anything that comes through that port to the real origin server.

I'm sure something like this must exist. And if not, does anyone have any clues as to how to set up a simple secure tunnel or proxy like this?

Thanks!

  • "A simple secure tunnel or proxy" is a VPN. A simple VPN connection to tunnel your e-mail traffic to a remote site with a static IP address would do. I think your assessment of risk here may be a little overrated. The vast majority of discoveries are made by simply scanning IP addresses. If your server is online and accessible from the internet it is going to be scanned multiple times a day. Cloudflare is a service to protect your web servers from DDoS and improve performance through its CDN. Nothing about the service is designed to "hide" who you are or what IP addresses you have. – Appleoddity Feb 11 '22 at 03:30
  • Thanks. Makes sense... However, I would like to point out that a very big part of Cloudflare's offering is the ability to hide the origin IP to reduce the attack surface. What's the point of using Cloudflare if the attacker knows your web server's real IP or datacenter and can hammer it. The idea is that Cloudflare accepts incoming traffic, filters it, cleans it using user specified rules and forwards it to the origin server without revealing its network information. – user3630380 Feb 11 '22 at 03:37
  • What you are saying is mostly correct. But you did not also include the fact that you have to block all other traffic to your server with a firewall. If you leave port 80/443 open to the internet, it doesn't matter if you have Cloudflare. You have to allow only traffic from Cloudflare's proxies. The open ports will be discovered in a matter of minutes or hours. Hence, if the server is online, it's discoverable and will be discovered. You're not hiding your IP, you're mitigating a specific attack vector. Security by obscurity is not security at all. – Appleoddity Feb 11 '22 at 03:40
  • The point I’m trying to make is that your IP addresses are public knowledge. You must have other protections already in place. Only in the case of a targeted attack on your organization, where someone might have an advantage of specifically linking your business to your IP address, does it matter if you try to hide your IP. All other hackers in the world don’t care. They are simply scanning the internet for servers with open ports including yours. A public IP address is like a home address. Anybody who drives by can see it, even if they don’t know who lives inside. – Appleoddity Feb 11 '22 at 03:47
  • You're right. IP ownership records are public knowledge. But it doesn't mean that the service behind them should be. There are many practical reasons why it makes sense to try to prevent discovery of origin IP. – user3630380 Feb 11 '22 at 04:28
  • @Appleoddity It does not matter that the IP addresses are "public knowledge", because attempting to guess which IP address is hosting which Cloudflare-protected domain is infeasible. DDoS attacks are targeted and a separate problem from scripted bot vulnerability probing. – Paul Feb 11 '22 at 13:27
  • @Paul yes I understand. You’re both not really understanding what I’m saying. Yes, cloudflare protects the server by proxying the traffic. The protection is NOT because nobody will know the true IP address. Hackers aren’t trying to guess the service IP behind cloudflare. They’re simply scanning the internet for hosts with open ports. If the underlying server is exposed to the internet, it’s irrelevant what cloudflare provides in regards to “secret” IPs. And if the server is not exposed, through open ports, etc. then knowing the IP doesn’t matter. Two different attack vectors. – Appleoddity Feb 11 '22 at 13:35
  • @user3630380 Cloudflare offers a service currently in Beta that you can apply for which does something similar to what you are looking for, but keep in mind that rather than proxying it behaves more like a redirect. I suspect the best solution is to host the mail server on a different IP address block. An effective mail server needs to access loads of other DNS records and a smart attacker will simply configure their own authoritative name server to capture the querying IP addresses. It is likely more work to use a caching resolver plus VPN than to simply use a different IP address block. – Paul Feb 11 '22 at 13:47
  • @Appleoddity You are responding with comments to *some other question*, because this question is in regards to DDoS protection. The Cloudflare service requires servers in the globally reachable IP address space. Other security concerns related to administrating a server on the globally reachable IP address space are not a part of this question. – Paul Feb 11 '22 at 13:50
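The port-25 relay the question describes is a plain TCP forwarder, and the one detail a practitioner needs beyond "forward the bytes" is that the origin MTA must still learn the sending server's IP, otherwise its SPF checks, DNSBL lookups and rate limits all see the relay's address. The HAProxy PROXY protocol solves that: the relay prepends one ASCII line with the real source and destination before the first SMTP byte, and Postfix reads it when main.cf sets `postscreen_upstream_proxy_protocol = haproxy` (or `smtpd_upstream_proxy_protocol = haproxy` on an smtpd that is not behind postscreen). The script below is an added example, not code from the original post or from any Cloudflare product; the 10.8.0.25 origin address is a hypothetical VPN address and the private path between relay and origin is assumed, as is a firewall on the origin that accepts port 25 only from the relay.

```python
"""TCP relay for inbound SMTP: listen on a public cloud host, forward the
raw byte stream to the real (hidden) origin mail server, and prepend a
PROXY protocol v1 line so the origin still learns the sending MTA's IP.
Postfix consumes that line with postscreen_upstream_proxy_protocol = haproxy
(or smtpd_upstream_proxy_protocol = haproxy when postscreen is not used).
Example code written for this page, not from the original post."""
import asyncio
import ipaddress

# Assumptions: the origin is reachable from the relay over a private path
# (VPN or peering) and firewalls port 25 so that only the relay can reach it.
ORIGIN_HOST = "10.8.0.25"   # hypothetical VPN address of the origin MX
ORIGIN_PORT = 25
LISTEN_HOST = "0.0.0.0"
LISTEN_PORT = 25


def proxy_v1_header(src_ip, src_port, dst_ip, dst_port):
    """PROXY protocol v1 line (HAProxy spec): one ASCII line ending in CRLF."""
    family = "TCP6" if ipaddress.ip_address(src_ip).version == 6 else "TCP4"
    return f"PROXY {family} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")


async def pipe(reader, writer):
    """Copy bytes one way until EOF, then close the destination so the
    other direction sees EOF as well."""
    try:
        while True:
            chunk = await reader.read(65536)
            if not chunk:
                break
            writer.write(chunk)
            await writer.drain()
    except ConnectionError:
        pass
    finally:
        writer.close()


async def handle_client(client_reader, client_writer, origin_host, origin_port,
                        send_proxy_header=True):
    """One inbound SMTP connection: dial the origin, send the PROXY line,
    then shuttle bytes in both directions. STARTTLS is untouched because
    TLS is negotiated end-to-end between the sending MTA and the origin;
    the relay never holds a key for the mail domain."""
    peer = client_writer.get_extra_info("peername")
    local = client_writer.get_extra_info("sockname")
    try:
        origin_reader, origin_writer = await asyncio.open_connection(origin_host, origin_port)
    except OSError:
        client_writer.close()   # origin unreachable: drop, the sender will retry
        return
    if send_proxy_header:
        origin_writer.write(proxy_v1_header(peer[0], peer[1], local[0], local[1]))
        await origin_writer.drain()
    await asyncio.gather(
        pipe(client_reader, origin_writer),
        pipe(origin_reader, client_writer),
        return_exceptions=True,
    )


async def serve(listen_host, listen_port, origin_host, origin_port):
    """Start the relay and return the server object (port 0 picks a free port)."""
    return await asyncio.start_server(
        lambda r, w: handle_client(r, w, origin_host, origin_port),
        listen_host, listen_port)


async def main():
    server = await serve(LISTEN_HOST, LISTEN_PORT, ORIGIN_HOST, ORIGIN_PORT)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Two caveats from the comments still apply. The relay only hides the origin from connections that arrive via the MX record: the origin's own outbound SMTP connections and, as Paul notes, the DNS lookups it makes while receiving mail come from its real address unless they are also sent out through the relay host or a resolver on the VPN side. And the hiding only holds if the origin's port 25 is firewalled to the relay's address; an origin that still answers on its public IP is found by ordinary scanning within hours, which is Appleoddity's point.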

2 Answers

We have the same problem. In the end, we solved it by accepting the public exposure of the mail server and putting it on a VPS with a fixed IP. We protect all other services with Cloudflare services. Until Cloudflare has a solution to this, it will stay that way.

csiber

Isn't Cloudflare Email Routing an answer to this question (at least for the incoming traffic)?

The outgoing part is not handled by Cloudflare, and using a VPS or some kind of outgoing email service is probably the only option. Please make sure to properly set up your clients (so they use the designated outgoing gateway); if they went through your infrastructure hidden behind Cloudflare, they would still leak its IP addresses through email headers.

Tomek
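The header leak Tomek warns about is easy to check for mechanically: every MTA a message passes through adds a Received line naming the host it accepted the connection from, so a client that submits through the hidden Postfix box leaves the colo address in the trail of every message it sends. The script below is an added example and not part of the answer; it parses the Received trail of a message and flags any address inside the block you are trying to keep out of sight. The 203.0.113.0/24 prefix, the hostnames and both sample messages are constructed for the example.

```python
"""Scan outgoing mail for a leaked origin address: parse the Received trail
(and X-Originating-IP, which some webmail stacks add) and flag any IP that
falls inside the network block that is supposed to stay hidden.
Example code written for this page, not from the original answer."""
import email
import ipaddress
import re
from email import policy

# Assumption: the colo block to keep hidden (constructed TEST-NET-3 prefix).
HIDDEN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Received lines write IPv6 as [IPv6:2001:db8::1] or [2001:db8::1]
IPV6_BRACKET_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F:]+)\]")

# Constructed message: the laptop submitted through mail.mydomain.com,
# which then handed the message to the public relay. Hop 2 leaks the colo IP.
SAMPLE_LEAKING = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.recipient.example with ESMTP id 1; Fri, 11 Feb 2022 10:00:00 +0000
Received: from mail.mydomain.com (mail.mydomain.com [203.0.113.25])
\tby relay.example.net with ESMTPS; Fri, 11 Feb 2022 09:59:58 +0000
Received: from laptop.lan (unknown [192.0.2.44])
\tby mail.mydomain.com (Postfix) with ESMTPSA id 2;
\tFri, 11 Feb 2022 09:59:57 +0000
From: someone@mydomain.com
To: friend@example.org
Subject: test
Message-ID: <1@mydomain.com>

hello
"""

# Constructed message: the same laptop submitted directly to the public
# outgoing gateway, so no hop inside the hidden block appears.
SAMPLE_CLEAN = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.recipient.example with ESMTP id 3; Fri, 11 Feb 2022 10:05:00 +0000
Received: from laptop.lan (unknown [192.0.2.44])
\tby relay.example.net (Postfix) with ESMTPSA id 4;
\tFri, 11 Feb 2022 10:04:59 +0000
From: someone@mydomain.com
To: friend@example.org
Subject: test
Message-ID: <2@mydomain.com>

hello
"""


def extract_ips(text):
    """Return every syntactically valid IP address found in a header value,
    IPv4 matches first, then bracketed IPv6; junk like 999.1.2.3 is skipped."""
    found = []
    for candidate in IPV4_RE.findall(text) + IPV6_BRACKET_RE.findall(text):
        try:
            found.append(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    return found


def leaked_addresses(raw_message, hidden_networks=HIDDEN_NETWORKS):
    """Return [(header_name, ip)] for every address in the trace headers
    that lies inside one of the hidden networks; empty list means no leak."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    leaks = []
    for header in ("Received", "X-Originating-IP"):
        for value in msg.get_all(header, []):
            for ip in extract_ips(str(value)):
                if any(ip in net for net in hidden_networks):
                    leaks.append((header, str(ip)))
    return leaks


if __name__ == "__main__":
    for name, sample in (("leaking", SAMPLE_LEAKING), ("clean", SAMPLE_CLEAN)):
        print(name, leaked_addresses(sample))
```

Running the check against a copy of real outbound mail (for instance a BCC archive on the outgoing gateway) shows which clients are still submitting through the hidden server. Hostnames in the trail matter too: `mail.mydomain.com` in a Received line resolves straight back to the colo address, so fixing the clients, not rewriting headers, is the durable answer.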