

Cloudflare and Email




Posted by Ricjustsaid, 10-06-2014, 01:06 AM
Hey all, I'm thinking about using Cloudflare to protect one of my websites on a dedicated server from DDOS. I've been reading up on it and one potential issue I see is email hosting. I currently run a POP3/IMAP email server to send and receive emails. But Cloudflare's docs suggest using an external service provider for email, because otherwise the MX record will be able to give away the server's true IP. What service would you guys recommend for sending and receiving email? I don't need anything too crazy - most sent emails are from a forum software, and under 200 emails are sent per day.

Posted by Larry, 10-06-2014, 09:40 AM
You could just go with a cheap box or VPS and use that as your email service. Check out the offers section for some cheap options. Alternatively, have you looked into Mandrill by Mailchimp? The service is free for up to 12k emails per month with good sender reputation.

Posted by Andei, 10-06-2014, 09:48 AM
+1 for Mandrill. They're very good and affordable (if not free). But that's just for sending out emails, so it kinda solves just half of your problem.

Posted by Infinitnet, 10-06-2014, 09:57 AM
Mandrill will not work properly in this scenario - they include the X-Originating-IP header in the mails, which will then also expose the IP of the server that connected to their SMTP. The only good mail services that trim X-Originating-IP headers by default are Amazon SES (recommended) and SendGrid. To receive mails, you could use Google Apps. But if you want to protect your website from DDoS, you should know that there are anti DDoS providers out there who can also forward mail server ports and not just HTTP (CloudFlare doesn't really filter the bad traffic, they just distribute it via anycast and just not forward it to your backend server - an NGINX reverse proxy only forwards full TCP connections by design and UDP can be ACL'd completely, which is most likely also the reason why they don't do anything but HTTP), which would allow you to keep using your own mail server, at least for incoming mails. Last edited by Infinitnet; 10-06-2014 at 10:02 AM.

Posted by henriduf, 10-07-2014, 01:07 AM
As long as you didn't find a new email server to point your MX record to, don't forget to remove your MX records from your Cloudflare DNS records because it is possible to get your true IP right now from that.

Posted by xgenHosting, 10-07-2014, 01:27 AM
I am not sure if mailjet.com includes the originating service but they are a good 3rd party mail service.

Posted by Ricjustsaid, 10-07-2014, 09:04 PM
What about Amazon S2? Would the t2.micro plan (1GB RAM, 25GB storage) be enough to run Postfix, Dovecot, ClamAV and SpamAssassin? I think it should for such a low volume of email, but I'm not sure. Ah, that's good to know about the mail headers! I was considering using Google Apps for receiving email, but I hate the idea of not being in control of my mail. I'd prefer not to go the Google route for this (call me paranoid). Thanks! I haven't yet started using CF. At this point I'm just trying to figure out how everything is going to work.

Posted by Infinitnet, 10-08-2014, 04:20 AM
It would be barely enough, yes, although 1.5GB RAM would be safer, just to make sure ClamAV doesn't hang or get OOM (it's quite resource hungry). Also, if you use that box to send mails as well, remember to set up Postfix filters that trim the X-Originating-IP headers (there should be howtos on Google).

Posted by EthernetServers, 10-08-2014, 06:57 AM
Two great options are Rackspace and Google Apps. Both will provide you with a reliable service and deliver your emails properly (e.g. to inboxes - not spam/junk folders). I can personally vouch for these two as I have active subscriptions with both. No problems and I've not needed to contact them (which tells a thousand words). However, as you mentioned about being paranoid going with Google, you might like to buy a small VPS somewhere and set up your own email server. Postfix or Exim are both excellent choices. You might like to look at: https://www.linode.com/docs/email/running-a-mail-server https://www.linode.com/docs/email/em...ecot-and-mysql

Posted by Infinitnet, 10-08-2014, 07:00 AM
Please don't suggest services that include X-Originating-IP headers in outgoing mails, such as Google Apps (not sure about Rackspace). This will only lead to the OP's server IP being exposed and the bad guys could hit it directly then, rendering any remote DDoS protection useless.
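
One way to check the header concern raised in this thread: send a test message through the chosen relay to an outside mailbox, save its raw source, and scan every header for the origin server's address. This is an added example, not code from any poster; the sample message, hostnames and the 203.0.113.10 origin address are constructed, and only IPv4 addresses are checked.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: a message as the recipient would see it. 203.0.113.10
# stands in for the origin server hidden behind the proxy (documentation range).
SAMPLE = """\
Received: from relay.example.net (relay.example.net [198.51.100.25])
\tby mx.example.org with ESMTPS; Mon, 06 Oct 2014 10:00:00 +0000
Received: from forum.example.com (unknown [203.0.113.10])
\tby relay.example.net with ESMTPA; Mon, 06 Oct 2014 09:59:58 +0000
X-Originating-IP: [203.0.113.10]
From: forum@example.com
To: user@example.org
Subject: Welcome

Hello
"""

# Dotted quad that is not part of a longer number or dotted string.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def leaked_headers(raw_message, protected_ips):
    """Return (header name, ip) pairs where a protected IP appears in any header."""
    protected = {ipaddress.ip_address(ip) for ip in protected_ips}
    hits = []
    # Scan all headers, not only Received and X-Originating-IP, because
    # other headers added by the sending software can carry the address too.
    for name, value in message_from_string(raw_message).items():
        for candidate in IPV4.findall(value):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:  # looks like an address but is not one
                continue
            if ip in protected:
                hits.append((name, str(ip)))
    return hits

if __name__ == "__main__":
    for name, ip in leaked_headers(SAMPLE, ["203.0.113.10"]):
        print(f"{name} header exposes {ip}")
```

An empty result for a message that went through the relay means the header trimming is working for that path; repeat the check for each sending path the forum software uses.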


