Debug cloudflare preventing outgoing email?

What is the name of the domain?

oldworldnames.com

What is the error number?

none

What is the error message?

none

What is the issue you’re encountering

WordPress administrator’s emails fail to send, fixed by turning off Cloudflare

What steps have you taken to resolve the issue?

Admin using IP address 172.58.164.138 goes through Woocommerce orders to process, his actions do not result in emails being sent. Any other Admin can do the same thing and the emails go out. I narrowed it down to cloudflare by disabling the service. I am not 100% sure that cloudflare is the only variable. When Admin at 172.58.164.138 sends email with cloudflare paused, the recipient gets the message, but our email logger does not record the event. Any other Admin can do the same action and the email logger records the outgoing email.

I am wondering how cloudflare could be blocking an outgoing email. It doesn’t feel logical to me, but I’m a noob to this service.

What are the steps to reproduce the issue?

Admin logs into wordpress from IP 172.58.164.138, changes an order status, email does not log or make it to recipient.
Same Admin logs into wordpress using a different login but still from 172.58.164.138, email does not log or make it to destination.
Admin logs in from another IP, edits woo order, email is logged and recipient receives it.
I pause Cloudflare, Admin on 172.58.164.138 changes order, email does NOT log but recipient does receive it.

The hackers have used the site to card scan. We were getting 8 orders per minute. They were testing for good credit card numbers.
With “attack” mode on, we got that down to one breach per attempt. The hacker would get one order through and then the behavior would stop. I am guessing that Cloudflare recognized the threat after that first breach and stopped them.
Yesterday I blocked all Philippines traffic. I believe I can turn off attack mode with that block in place, but I haven’t tested it yet.

The email issues started a few days ago. Many site changes were made just prior so I eliminated all of them before testing cloudflare. That was the only variable that made a difference.

I turned on wp debugging using multiple file settings .user_ini, php.ini, .htaccess all had display_errors directives. wp-config.php debug is on. I never saw a debug message. I am guessing this has to do with cloudflare cache but I never got that far to test.

I am very grateful for any insights on these puzzles. Thank you!

Can you check here if you see any requests from that IP address blocked? https://dash.cloudflare.com/?to=/:account/:zone/security/events

The most recent block is 2600:4c00:3ff:fffe::72, which translates to the hosting company. There are hundreds of these. Given that the user was logged in but was prevented from SMTP, is it a possibility that this IP block could be the problem?

The user’s IP is 172.58.164.138, and is not in that log.

I also see 136.36.252.222, which is the Admin’s network, however his remote Google Fiber is in Austin TX, and this IP is Utah.

So that is the address of your own server? If so, you could either allowlist it on Cloudflare, or make an entry in your hosts file so that your server’s name is resolved to a local address instead of the public address (I’d prefer the 2nd option, but the first is good for a quick test).

Which reason do the requests give for the block?

Could you please tell me where to permit the IP addresses?

2600:4c00:3ff:fffe::72 : This IP resolves to PrivateSystemsNetworks which is the name the hosting company uses. Their name is KnownHost, and my cpanel is on a privatesystems.net subdomain.

The IP of the website is 170.249.236.36, which is not the same as that IP 6 address, as far as I can tell.

But they’re both PrivateSystems DOT net, a “VPN Server” in Georgia, according to the IP lookup.

A sample block of the IP4 address:

Managed Challenge
170.249.236.36
Rule ID iuam
Ray ID 8a7dec6eaa2b1d64
IP address 170.249.236.36
ASN AS63410 PRIVATESYSTEMS
Country United States
User agent WordPress/6.6.1; https://oldworldnames DOT com

HTTP Version HTTP/1.1
Method POST
Host oldworldnames DOT com
Path /wp-admin/admin-ajax.php
Query string ?action=wp_iawp_geo_database_background_job&nonce=9b124a909b

A sample block of the IP6 address
Managed Challenge
Ray ID 8a81dc59e9d48bba
IP address 2600:4c00:3ff:fffe::72
ASN AS63410 PRIVATESYSTEMS
Country United States
User agent Empty user agent
HTTP Version HTTP/1.0
Method GET
Host oldworldnames DOT com
Path /wp-content/plugins/wp-hummingbird/admin/assets/js/wphb-add-delay.min.js
Query string Empty query string

You can create an IP access rule in security → WAF in your Cloudflare dashboard.

Your snippet of the block does not show the reason. Can you make a screenshot of the security event?
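Added example (not part of the thread, and not Cloudflare tooling): a small Python parser for Security Events text pasted from the dashboard, as in the two samples above, that picks out challenged requests coming from the site's own server or from its hosting ASN. The function names are hypothetical; the origin IP and ASN are the ones quoted in the thread.

```python
import ipaddress

# Field labels as they appear in the pasted Security Events text.
KEYS = ("Rule ID", "Ray ID", "IP address", "ASN", "User agent", "Method", "Path")

# Constructed sample: the two events quoted in the thread, trimmed to key fields.
SAMPLE = """\
Managed Challenge
Rule ID iuam
  • Ray ID 8a7dec6eaa2b1d64
IP address 170.249.236.36
ASN AS63410 PRIVATESYSTEMS
User agent WordPress/6.6.1; https://oldworldnames DOT com
Path /wp-admin/admin-ajax.php

Managed Challenge
Ray ID 8a81dc59e9d48bba
IP address 2600:4c00:3ff:fffe::72
ASN AS63410 PRIVATESYSTEMS
User agent Empty user agent
Path /wp-content/plugins/wp-hummingbird/admin/assets/js/wphb-add-delay.min.js
"""

def parse_events(text):
    """Split pasted text on blank lines; map known labels to their values."""
    events = []
    for block in text.strip().split("\n\n"):
        ev = {}
        for line in (l.strip(" \t•") for l in block.splitlines()):
            key = next((k for k in KEYS if line.startswith(k + " ")), None)
            if key:
                ev[key] = line[len(key) + 1:]
            elif line:
                ev.setdefault("Action", line)  # first unlabeled line, e.g. "Managed Challenge"
        events.append(ev)
    return events

def self_originated(text, origin_ip, origin_asn):
    """Return {ip: label} for challenged requests that trace back to the host."""
    found = {}
    for ev in parse_events(text):
        if "IP address" not in ev:
            continue
        ip = ipaddress.ip_address(ev["IP address"])
        if ip == ipaddress.ip_address(origin_ip):
            found[str(ip)] = "origin"      # the site calling itself through Cloudflare
        elif ev.get("ASN", "").split(" ")[0] == origin_asn:
            found[str(ip)] = "same-asn"    # confirm with the host before allowlisting
    return found
```

An `origin` hit is an address to consider for the IP access rule mentioned above; a `same-asn` hit only says the address belongs to the same hosting network, not that it is your server.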

This topic was automatically closed after 15 days. New replies are no longer allowed.