I’m not really an expert in handling email solutions, so I would like to see if I can get someone who is an expert in SMTP or other email-related stuff, particularly with experience configuring Cloudflare Spectrum with the SMTP port.
From my understanding, protecting the SMTP port with Cloudflare Spectrum sounds feasible but with some caveats, particularly the issue of information mismatch when performing forward DNS lookup and reverse DNS lookup. For example, messages from your server may be rejected if an MX record for your domain is associated with a Spectrum application, as the IP address of the server will not match the Spectrum IP address.
With these restrictions in place, how can you solve these issues to make SMTP work with Cloudflare Spectrum? Is anyone having success doing this?
Are you talking about SMTP in the context of receiving emails and MX records or in the context of sending emails yourself? Right now I could not think of a use case for the latter.
Well, sending won’t work as you will still need an MSA to actually receive the email and forward it. You certainly could configure this on your end and point to your origin SMTP server, but - as mentioned - I couldn’t think of a use case where that would be useful, unless you assume your own users are possibly abusing your SMTP server for denial-of-service fun, but then it’s probably rather a social issue than a technical one.
Same as the mail forwarding service. This is inbound only. You need an outbound MTA of your own and your SPF and other records need to reflect its true IP.
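The two points made above, that an MX host fronted by Spectrum no longer resolves to the origin address and that SPF must therefore name the outbound MTA's true IP, checked against constructed zone data. This is an added example, not code from the thread or from Cloudflare; the hostnames and addresses are invented, and the SPF evaluator only handles the mx, a and ip4 mechanisms rather than all of RFC 7208.

```python
import ipaddress

# Constructed addresses from documentation ranges, not real hosts.
SPECTRUM_IP = "203.0.113.10"   # what mail.example.com resolves to once it is a Spectrum app
ORIGIN_IP = "198.51.100.25"    # true address of the on-premise outbound MTA

def reverse_name(ip):
    """Build the in-addr.arpa name used for a PTR lookup."""
    return ipaddress.ip_address(ip).reverse_pointer

# Constructed zone data standing in for live DNS so the checks run offline.
ZONE = {
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): [SPECTRUM_IP],          # MX host now points at Spectrum
    ("smtp-out.example.com", "A"): [ORIGIN_IP],        # name that still resolves to the origin
    (reverse_name(ORIGIN_IP), "PTR"): ["mail.example.com"],
}

def lookup(name, rtype, zone=ZONE):
    return zone.get((name.rstrip(".").lower(), rtype), [])

def fcrdns_ok(ip, zone=ZONE):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the same IP."""
    for ptr in lookup(reverse_name(ip), "PTR", zone):
        if ip in lookup(ptr, "A", zone):
            return True
    return False

def spf_permitted_ips(domain, spf, zone=ZONE):
    """Collect the IPs a simplified SPF record allows (mx, a and ip4 mechanisms only)."""
    allowed = set()
    for term in spf.split()[1:]:
        if term == "mx":
            for mx in lookup(domain, "MX", zone):
                allowed.update(lookup(mx, "A", zone))   # resolves to the Spectrum IP, not the MTA
        elif term == "a":
            allowed.update(lookup(domain, "A", zone))
        elif term.startswith("ip4:"):
            allowed.add(term[4:])
    return allowed

def spf_result(domain, spf, sender_ip, zone=ZONE):
    """Return pass/fail/softfail for a message sent from sender_ip under the given record."""
    if sender_ip in spf_permitted_ips(domain, spf, zone):
        return "pass"
    return "softfail" if spf.split()[-1] == "~all" else "fail"

if __name__ == "__main__":
    print("mx record:  ", spf_result("example.com", "v=spf1 mx -all", ORIGIN_IP))
    print("ip4 record: ", spf_result("example.com", f"v=spf1 ip4:{ORIGIN_IP} -all", ORIGIN_IP))
    print("FCrDNS ok:  ", fcrdns_ok(ORIGIN_IP))
```

Pointing the origin IP's PTR at a name that still resolves to the origin (here smtp-out.example.com) makes the reverse check pass again, while the SPF record must list the MTA's real address instead of relying on mx.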
Use one of the 10,000 alternative mail providers and quit hosting your own. Or use one of the 5,000 anti-spam relays which will obfuscate your origin and only accept inbound SMTP connections from the relay.
We have a few government-based clients who still rely on on-premise email server hosting (yes, convincing them to migrate to the cloud, e.g. Microsoft 365, is difficult). Since the core Cloudflare DDoS protection offering is to protect HTTP/HTTPS applications, it’s actually very common to receive questions from them like “why can’t I proxy mail-related DNS records?” and “how can I protect my on-premise email servers from DDoS attacks?”. We know that Cloudflare offers the Spectrum product, which offers protection for all TCP/UDP ports, but at the same time our knowledge of SMTP is limited, so we can’t provide proper advice on whether Spectrum is a good fit for them, especially since I came across this documentation: https://developers.cloudflare.com/spectrum/reference/configuration-options/#smtp
Thanks for your response @cscharff @sandro, this is helpful for us to answer our clients’ questions.
Exchange doesn’t support the proxy protocol… which there is a good chance those agencies are using. A couple of public-facing boxes intended for spam/phishing protection in the DMZ is generally a much better approach than Spectrum.