Doesn't CloudFlare become null if MX IP is revealed?

Any attacker who wants to destroy your site can get a main IP by simply looking at the MX record. Doesn’t this then make CloudFlare fundamentally weak and vulnerable?

Other than buying a separate email service, there is no way to truly get behind the safety net of CloudFlare.

Thanks.

Yes and no. It is not a fundamental issue of Cloudflare, but rather one of the typical one-host setups. Cloudflare simply does not handle mail, and if you want to make sure your web server’s IP address stays “hidden” behind Cloudflare, your only option will be to use another IP address for mail. That can be a separate mail service or just another machine.

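The one-host problem described above can be checked against your own zone before the records are published. This is an added example, not code from the thread: it parses a constructed, zone-file-style record set (the names and addresses are made up, `example.test` and documentation ranges) and reports every MX target whose A record resolves to one of the web origin addresses you supply, since those are the addresses a Cloudflare proxy is meant to hide.

```python
"""Flag mail hosts whose addresses coincide with a proxied web origin."""
from ipaddress import ip_address

# Constructed sample zone (not a real domain). The web origin 203.0.113.10
# also serves as the primary MX, which is exactly the one-host leak.
SAMPLE_ZONE = """
example.test.        A    203.0.113.10
www.example.test.    A    203.0.113.10
mail.example.test.   A    203.0.113.10
mx2.example.test.    A    198.51.100.7
example.test.        MX   10 mail.example.test.
example.test.        MX   20 mx2.example.test.
example.test.        MX   30 aspmx.l.google.test.
"""


def parse_zone(text):
    """Return (a_records, mx_records) from 'name TYPE rdata' lines."""
    a_records = {}   # owner name -> set of IPv4 strings
    mx_records = {}  # zone apex -> list of (preference, mail host)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(";"):
            continue  # blank line or zone-file comment
        name, rtype = parts[0].lower(), parts[1].upper()
        if rtype == "A":
            a_records.setdefault(name, set()).add(str(ip_address(parts[2])))
        elif rtype == "MX" and len(parts) == 4:
            mx_records.setdefault(name, []).append((int(parts[2]), parts[3].lower()))
    return a_records, mx_records


def exposed_mx_hosts(zone_text, origin_ips):
    """List (zone, mx host, ip) where an MX target shares a web origin IP.

    origin_ips are the real web server addresses from your hosting setup;
    the proxied A record in DNS shows Cloudflare's address, not this one.
    """
    a_records, mx_records = parse_zone(zone_text)
    origins = {str(ip_address(ip)) for ip in origin_ips}
    findings = []
    for zone, targets in mx_records.items():
        for _pref, host in sorted(targets):
            ips = a_records.get(host)
            if ips is None:
                continue  # hosted elsewhere (e.g. a SaaS mail provider)
            for ip in sorted(ips & origins):
                findings.append((zone, host, ip))
    return findings
```

A non-empty result means the mail host must move to another address (or an external provider) before the proxy actually hides the origin.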

Even if it is (servers are set up this way), the entire business plan of CloudFlare just comes into question.

So, this multi-billion dollar enterprise is a hostage to the way web servers are generally set up. Kind of kills the entire deal.

So, unless one is externalizing email IP, every user is a sitting duck to attacks.

Yes, but I think you’re overestimating how many setups really use “mail and HTTP on the same machine”. Godaddy shared hosting, for example, has one IP address shared between multiple users’ mail accounts but otherwise doesn’t share it with the site Godaddy is also hosting.

GSuite and Office 365 are also growing at an extreme rate. GSuite acquired 1 million customers from 2017-2018 to total 5 million (~20% YoY), and Office 365 had 21% seat growth.

Cloudflare will work better when you have full control over your setup and are flexible in your arrangements; most things aren’t “one size fits all”, so at least one use case will be invalid. Migrating to SaaS email offerings, or at least hosting email on a separate machine, is advised for DDoS protection with Cloudflare.

It is pretty clear from the start that Cloudflare does not handle mail, so it is no big secret that the IP address of the MX server will still be in the open when adding a site to Cloudflare, and someone configuring their site who is aware of that should know how to handle it.

You can certainly suggest to Cloudflare that they start offering mail proxies as well, but for the time being I believe the way you are phrasing the whole thing is slightly exaggerated (“comes into question”, “hostage”, “sitting duck”, etc.).

Also, there are plenty of other ways to discover an IP address, besides an MX record.