Any Success of using Cloudflare Spectrum with SMTP port?

I’m not really an expert in handling email solutions, so I would like to see if I can get someone who is an expert in SMTP or other email-related stuff, particularly with experience configuring Cloudflare Spectrum with SMTP port.

From my understanding, protecting the SMTP port with Cloudflare Spectrum sounds feasible but with some caveats, particularly the issue of information mismatch when performing forward DNS lookup and reverse DNS lookup. For example, messages from your server may be rejected if an MX record for your domain is associated with a Spectrum application, as the IP address of the server will not match the Spectrum IP address.

With these restrictions in place, how can you solve these issues to make SMTP work with Cloudflare Spectrum? Is anyone having success doing this?

I guess @cscharff would be happy to help out.

Are you talking about SMTP in the context of receiving emails and MX records or in the context of sending emails yourself? Right now I could not think of a use case for the latter.

1 Like

Frankly speaking, I don’t really understand this part; actually, that sentence was copied from the Cloudflare Developers documentation in that link.

Well, sending won’t work as you will still need an MSA to actually receive the email and forward it. You certainly could configure this on your end and point to your origin SMTP server, but - as mentioned - I couldn’t think of a use case where that would be useful, unless you assume your own users are possibly abusing your SMTP server for denial-of-service fun, but then it’s probably rather a social issue than a technical one :slight_smile:

As for receiving email, that certainly could be a use case, but then you probably just need to make sure your mail server properly handles the client address Cloudflare is sending along, and you should be back in the game, just as usual.

1 Like
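The "client address Cloudflare is sending along" is delivered as a PROXY protocol header in front of the forwarded TCP stream (the thread later notes Exchange cannot read it). As an added example, not code from the thread or from Cloudflare, this parses the PROXY protocol v1 header so a mail server behind Spectrum can log, rate-limit and reverse-DNS check the real client instead of the Spectrum edge; it assumes the server only honours the header on the listener Spectrum forwards to, and the sample bytes are constructed.

```python
# Added example (not from the thread): parse the PROXY protocol v1 header
# that Spectrum prepends to a forwarded TCP connection, so the SMTP server
# sees the real client address rather than the Spectrum edge address.
# Assumed format (PROXY protocol v1, text form):
#   "PROXY TCP4 <src_ip> <dst_ip> <src_port> <dst_port>\r\n"
# Only trust this header on the listener Spectrum forwards to; a direct
# connection from anywhere else could otherwise forge its source address.
import ipaddress
import re

_LINE = re.compile(rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d+) (\d+))?\r\n$")
MAX_HEADER_LEN = 107  # longest legal v1 header, CRLF included


class ProxyHeaderError(ValueError):
    pass


def parse_proxy_v1(data: bytes):
    """Return ((src_ip, src_port), (dst_ip, dst_port), rest) or raise.

    `rest` is whatever followed the header, i.e. the start of the SMTP dialogue.
    """
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > MAX_HEADER_LEN:
        raise ProxyHeaderError("PROXY header missing or too long")
    line, rest = data[: end + 2], data[end + 2:]
    m = _LINE.match(line)
    if not m:
        raise ProxyHeaderError("malformed PROXY header")
    family = m.group(1)
    if family == b"UNKNOWN":  # proxy could not determine the client address
        raise ProxyHeaderError("client address not available")
    want = 4 if family == b"TCP4" else 6
    src = ipaddress.ip_address(m.group(2).decode())
    dst = ipaddress.ip_address(m.group(3).decode())
    if src.version != want or dst.version != want:
        raise ProxyHeaderError("address family mismatch")
    sp, dp = int(m.group(4)), int(m.group(5))
    if not (0 < sp <= 65535 and 0 < dp <= 65535):
        raise ProxyHeaderError("port out of range")
    return (str(src), sp), (str(dst), dp), rest


def real_client_or_none(data: bytes):
    """The (ip, port) of the real client, or None if the header is unusable."""
    try:
        return parse_proxy_v1(data)[0]
    except ProxyHeaderError:
        return None


# Constructed sample: a client behind Spectrum opening an SMTP session.
SAMPLE = b"PROXY TCP4 203.0.113.7 198.51.100.2 51234 25\r\nEHLO example.org\r\n"
```

The address returned is what belongs in the Received: header, the connection log and any rDNS/SPF-style checks, not the Spectrum edge address the socket reports.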

It just works. It’s effectively the same as what Cloudflare’s SMTP forwarding service is doing except without the rewrites.

But I gotta ask… why? Is it just for the desire to test new things?

1 Like

Receiving? I can easily imagine use cases, unless you say the forwarding is good enough :smile:

One would avoid all the SPF obstacles with a Spectrum setup however.

Same as the mail forwarding service. This is inbound only. You need an outbound MTA of your own, and your SPF and other records need to reflect its true IP.

1 Like

Name 5.

Don’t make me get on a plane.

I name one.

Honey, the users are MS-DOSing the kids - ehm - mail server

A question it was, my dear.

Use one of the 10,000 alternative mail providers and quit hosting your own. Or use one of the 5,000 anti-spam relays which will obfuscate your origin and only accept inbound SMTP connections from the relay.

1 Like

But I want!

We have a few government-based clients who still rely on on-premise email server hosting (yes, convincing them to migrate to the cloud, e.g. Microsoft 365, is difficult). Since the core Cloudflare DDoS protection offering is to protect HTTP/HTTPS applications, it’s actually very common to receive questions like “why I cannot proxy mail-related DNS records?” and “how can I protect my on-premise email servers from DDoS attacks?” from them. We know that Cloudflare offers the Spectrum product, which offers protection for all TCP/UDP ports, but at the same time our knowledge of SMTP is limited, so we can’t provide proper advice on whether Spectrum is a good fit for them, especially when I came across this documentation.

Thanks for your response @cscharff @sandro, this is helpful for us to answer our client’s questions.

Exchange doesn’t support the proxy protocol… which there is a good chance those agencies are using. A couple of public-facing boxes intended for spam/phishing protection in the DMZ is a much better approach than Spectrum generally.
