Issues with SSL - Need advice

I have purchased a Comodo EssentialSSL which protects one URL so I added www.domain.com.au (which auto includes domain.com.au)

Ok - no problems.

Client wanted to use SSL for email though and as the certificate was installed only on A record and www CNAME, setting the server to domain.com.au was a possible solution BUT it was proxied through Cloudflare which meant that mail could not connect to this URL without SMTP errors.

Therefore, I have switched cloudflare to DNS only on these 2 records to allow mail to work on SSL.

They have a web app which uses PHPMailer as well which connects to SSL via SMTP.

Is there any way around this to use SSL on mail AND have Cloudflare proxy web traffic, apart from extending SSL to a wildcard SSL?

If you’re thinking about using domain.com.au for your SMTP/IMAP/POP server, it’s also your website address, so it can’t be proxied.

The only workaround I can see is to use ‘www’ as the canonical URL for your website, then you can proxy it. And don’t proxy example.com.au so it can be used for mail connections. Then configure the web server to forward requests for example.com.au over to the proxied ‘www’ subdomain.

Yeah, that’s what I was thinking.

Site is currently indexed as domain.com.au though so need to setup redirects and change the default URL.

thanks


Referring to your reply and to excerpts from the tutorials:

“Since mail traffic cannot be proxied through Cloudflare by default, you will expose your origin web server’s IP address. Information on your origin IP address would allow attackers to bypass Cloudflare security features and attack your web server directly.”

AND:

"Removing the dc-###### record is only possible via one of these methods:

  • If no mail is received for the domain, delete the MX record.

  • If mail is received for the domain, update the MX record to resolve to a separate A record for a mail subdomain that isn’t proxied by Cloudflare:

example.com MX mail.example.com
mail.example.com A 192.0.2.1
example.com A 203.0.113.1

If your mail server resides on the same IP as your web server, your MX record will expose your origin IP address."

Question:
If all A, AAAA, and CNAME records are proxied with the exception of the MX record, can the MX record be deleted without disrupting the email functions set up under the root domain (which is proxied)?

Or should the MX record (Proxy status: DNS only) be maintained under the existing configurations? If it should be maintained, wouldn’t attackers be able to see the origin IP address?

Please advise. (Kind of confused…)
Thanks.
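The two failure modes the thread and the tutorial excerpt describe (an MX target behind the proxy breaks SMTP/IMAP; an MX target on the origin web IP reveals that IP) as an added zone check. This is example code, not from the thread or from Cloudflare; the records, hostnames and RFC 5737 addresses are constructed.

```python
# Added example (not from the thread): flag MX records that are proxied or expose the origin IP.
from dataclasses import dataclass

@dataclass
class Record:
    name: str          # hostname
    rtype: str         # "A", "CNAME" or "MX"
    value: str         # IP address, CNAME target or MX target host
    proxied: bool = False   # Cloudflare proxy status (orange cloud)

def resolve(zone, name, seen=()):
    """Follow CNAMEs to an A record; return (ip, proxied_anywhere_on_chain) or None."""
    if name in seen:                         # CNAME loop guard
        return None
    for r in zone:
        if r.name == name and r.rtype == "A":
            return r.value, r.proxied
        if r.name == name and r.rtype == "CNAME":
            hop = resolve(zone, r.value, seen + (name,))
            return None if hop is None else (hop[0], hop[1] or r.proxied)
    return None

def check_mail_zone(zone, origin_web_ip):
    """One finding per MX record: proxied target (mail breaks) or target on the origin web IP (exposed)."""
    findings = []
    for mx in (r for r in zone if r.rtype == "MX"):
        hop = resolve(zone, mx.value)
        if hop is None:
            findings.append(f"{mx.name}: MX target {mx.value} not found in zone")
        elif hop[1]:
            findings.append(f"{mx.name}: MX target {mx.value} is proxied; SMTP/IMAP will fail")
        elif hop[0] == origin_web_ip:
            findings.append(f"{mx.name}: MX target {mx.value} exposes origin IP {hop[0]}")
    return findings

ORIGIN = "203.0.113.1"   # constructed origin web server address
# Before the change in the thread: mail pointed at the proxied apex record.
BROKEN = [Record("example.com.au", "A", ORIGIN, True),
          Record("www.example.com.au", "CNAME", "example.com.au", True),
          Record("example.com.au", "MX", "example.com.au")]
# After switching apex and www to DNS only: mail works, but the origin IP is visible.
EXPOSED = [Record("example.com.au", "A", ORIGIN),
           Record("www.example.com.au", "CNAME", "example.com.au"),
           Record("example.com.au", "MX", "example.com.au")]
# Tutorial layout: DNS-only mail host on its own IP, web records stay proxied.
SEPARATED = [Record("example.com.au", "A", ORIGIN, True),
             Record("www.example.com.au", "CNAME", "example.com.au", True),
             Record("mail.example.com.au", "A", "192.0.2.1"),
             Record("example.com.au", "MX", "mail.example.com.au")]
```

Running `check_mail_zone(zone, ORIGIN)` on the three constructed zones reports the proxied-MX problem, then the exposed-origin problem, and nothing for the separated layout.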