I found this tool while looking for a solution for the following problem. Not sure it solves it, but any help is appreciated:
I wanted to host my own email server at my own domain.tld using Yunohost (https://yunohost.org/en/email). At the same time I wanted domain.tld to be protected using Cloudflare. It turns out that pointing an MX record to the server exposes the origin IP address (https://community.cloudflare.com/t/an-a-aaaa-cname-or-mx-rec...) which defeats Cloudflare's purpose. One of the solutions is to use an SMTP relay, but that is undesirable for privacy considerations; see: https://yunohost.org/it/email_configure_relay#disadvantages-.... The other one is to use a separate server to host emails, but I'll still have its origin IP exposed, that just moves the problem around. So I'm still looking for a different solution.
The same issue happens with XMPP as well. Yunohost comes with an XMPP server, and it requires setting up DNS SRV records:
_xmpp-client._tcp 3600 IN SRV 0 5 5222 mydomain.com.
_xmpp-server._tcp 3600 IN SRV 0 5 5269 mydomain.com.
cant you put a mail subdomain outside of cloudflare and not deal with that? sure your email ip is exposed but its hosted on linode or something so whats the worst an attacker can do? ddos linode?
4 comments
[ 3.4 ms ] story [ 19.4 ms ] threadthose were the fun hacking days.
I wanted to host my own email server at my own domain.tld using Yunohost (https://yunohost.org/en/email). At the same time I wanted domain.tld to be protected using Cloudflare. It turns out that pointing an MX record to the server exposes the origin IP address (https://community.cloudflare.com/t/an-a-aaaa-cname-or-mx-rec...) which defeats Cloudflare's purpose. One of the solutions is to use an SMTP relay, but that is undesirable for privacy considerations; see: https://yunohost.org/it/email_configure_relay#disadvantages-.... The other one is to use a separate server to host emails, but I'll still have its origin IP exposed, that just moves the problem around. So I'm still looking for a different solution.
The same issue happens with XMPP as well. Yunohost comes with an XMPP server, and it requires setting up DNS SRV records:
Similar to MX records, SRV records are not proxied via Cloudflare and can expose the origin IP address (Cloudflare dashboard actually warns you about it when adding them). It turns out that this is an issue Minecraft servers encouter (https://www.spigotmc.org/threads/hide-srv-record.466167/) which they can mitigate using a Cloudflare alternative called TCPShiled (https://falixnodes.net/help/minecraft/general/tcpshield/). It's not clear however if it can be used with other services such as XMPP (https://docs.tcpshield.com/faq#can-you-protect-things-other-...).What I'm basically looling for is DDOS protection for non HTTP/HTTPS endpoints. Cloudflare has Spectrum but it's only for enterprise customers.