Actual IP outflow when sending mail

mail

#1

Hello
Run your web server efficiently with Cloudflare.
However, after using Cloudflare, we found a problem.
When sending mail using SMTP, the physical address of the web server is exposed.

I will briefly describe the web server environment.
Cloudflare + Nginx + WordPress + WordPress plugin (WP Mail SMTP by WPForms) + Mailgun SMTP Service

The main reason for using Cloudflare is to hide the server’s IP.
However, when sending mail, the actual IP of the web server is displayed publicly as shown below, and using Cloudflare is meaningless.

“Receive: localhost (unknown [my server real IP])”


#2

You could host your mail server somewhere else, call a mail app on another server, or proxy through another mail server configured to strip the true origin header. The issue is with the mailer(s), not Cloudflare. Care still needs to be taken in SMTP and other avenues not to accidentally expose the origin IP address.

You can also configure your origin server to not accept connection requests from non-Cloudflare IP addresses, which can help in forcing the traffic through Cloudflare, though that doesn’t stop the leakage you described.


#3

I have been contacted by several sites that offer SMTP services, but I have been told that I cannot hide my IP.
Is there a suitable hosting company?
I have one server and I cannot create my own SMTP server.


#4

Well, to be fair, you can create your own SMTP server somewhere else, it just costs money (and really any solution is going to cost something). I only mention it because I recently worked with a customer who went that route. But managing your own Postfix or Sendmail server just to configure it to strip out the received from header and forward it on can be a PITA if a. that’s all it is doing and b. you don’t speak SMTP for a living*.

I believe both Mimecast and Proofpoint might offer such a service for outbound mail. Generally services are reluctant to offer that because knowing the true origin IP address helps in fighting the good fight against spam, but there are valid reasons such as this where one might want to strip that data.

If you decided to host your own server you could do something like the link below describes. But given your use case you could further lock down the server in EC2 settings to only allow SMTP connections from your origin IPs, making it somewhat easier to manage/keep secure.

https://elprespufferfish.net/blog/aws,mail/2015/09/03/mail-server-ec2.html

And you could do something like https://posluns.com/guides/header-removal/ to remove the headers (I haven’t actually tested either link I just Googled for them).

*I used to speak SMTP for a living and I still think it’s a PITA so even that’s not a sure thing.

Hope that helps…
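
Added example, not part of the thread and not code from any poster: a small Python check that scans the headers of a delivered test message for the origin server's address, so that whichever relay or header-stripping setup is chosen can be verified from the recipient side. The function name, the sample message, and all addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Runs of characters that could form an IPv4 or IPv6 literal.
TOKEN = re.compile(r"[0-9A-Fa-f:.]{3,}")


def find_origin_leaks(raw_message, origin_ips):
    """Return (header name, address) pairs where a header holds an origin IP."""
    origins = {ipaddress.ip_address(ip) for ip in origin_ips}
    leaks = []
    # Scan every header, not only Received: mailers also add fields such
    # as X-Originating-IP that carry the submitting host's address.
    for name, value in message_from_string(raw_message).items():
        # Received lines tag IPv6 literals as [IPv6:...]; drop the tag.
        text = re.sub(r"(?i)ipv6:", "", str(value))
        for token in TOKEN.findall(text):
            try:
                addr = ipaddress.ip_address(token.strip("."))
            except ValueError:
                continue  # timestamps, queue ids and other non-addresses
            if addr in origins:
                leaks.append((name, str(addr)))
    return leaks


# Constructed sample: headers of a message as the recipient would see them.
# 203.0.113.10 stands in for the origin web server, 198.51.100.7 for the relay.
SAMPLE = (
    "Received: from mail.relay.example (mail.relay.example [198.51.100.7])\n"
    "\tby mx.recipient.example with ESMTPS id 4F2A1B;\n"
    "\tTue, 06 Feb 2024 10:15:03 +0000\n"
    "Received: from localhost (unknown [203.0.113.10])\n"
    "\tby mail.relay.example with ESMTPSA id 9C01D2;\n"
    "\tTue, 06 Feb 2024 10:15:02 +0000\n"
    "X-Originating-IP: [203.0.113.10]\n"
    "From: site@example.com\n"
    "To: user@recipient.example\n"
    "Subject: Contact form\n"
    "\n"
    "Message body.\n"
)

if __name__ == "__main__":
    for header, addr in find_origin_leaks(SAMPLE, ["203.0.113.10"]):
        print(f"origin {addr} exposed in {header} header")
```

Send a test message to a mailbox you control, save its full source, and pass that text in place of `SAMPLE`; an empty result means no header carried the listed origin addresses.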