Mail Server behind a Cloudflare Tunnel

What is the name of the domain?

example.com

What is the error number?

There is no error number

What is the issue you’re encountering?

We want to run our mail server in-house behind a cloudflare tunnel.

What steps have you taken to resolve the issue?

After getting very frustrated with the mail service our ISP offers (false spam positives, no access to mail logs etc.) we decided to look at running our own mail server. We were first looking at port forwarding from our Unifi router to the mail server on a VLAN but do not want the potential for harm that port-forwarding can lead to.

Then we thought of running a cloudflare tunnel with the mail server at the end of the tunnel. We cannot select an individual service type (SMTP, IMAP etc.) so we were wondering if we could just point the tunnel at that machine and just use “TCP” as the service type, blocking anything we don’t want at the machine’s (Linux) firewall.

Then after a little research we discovered “Spectrum” but then found (at least I think we did) that to run a mail server we would have to subscribe to an “Enterprise” plan for what I presume would be a scary amount of money.

Can anyone confirm or clarify any or all the above points?

Does anyone have any alternative suggestions?

Please note that I am NOT asking if you think it’s a good idea or a bad idea to run your own mail server.

TIA for any responses,

Cloudflare Tunnel needs a Proxied (orange cloud) record for inbound connections. Other than the usual HTTP/S ports that can tunnel to an internal webserver, those other services essentially need yet another tunnel for the inbound connection.

You’ve probably already realized you need cloudflared on your mail server to connect the tunnel to Port 25/487/573 (I probably got one or more of those wrong). But if it’s not HTTP, that outside requestor also needs to run cloudflared (or WARP).

For example, you can set up SSH through a Tunnel, but the outside user needs their SSH to connect to cloudflared on their device, like this:
ProxyCommand /opt/homebrew/bin/cloudflared access ssh --hostname %h

The point being, that any outside mail servers that want to deliver mail to you would need to use cloudflared at their end to connect to your tunnel. Here are docs for the various popular services people use tunnels for:

https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/#2-connect-as-a-user

https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/rdp/#2-connect-as-a-user

https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/smb/#2-connect-as-a-user

https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/grpc/#5-set-up-the-client

You’ll see from all their non-HTTP examples that the outside user needs cloudflared or WARP in order to connect.

This part of the documentation makes it pretty clear that the outsider needs to install something at the client in order to connect to the tunnel:

https://developers.cloudflare.com/cloudflare-one/applications/non-http/cloudflared-authentication/
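
An added check, not from this thread, that applies the point above to a zone's DNS records: it flags in-zone MX hosts that resolve to a Tunnel CNAME or a proxied record, since an outside MTA opens TCP/25 directly and will not run cloudflared or WARP. The record list is constructed, and the `.cfargotunnel.com` suffix is assumed to be the CNAME target Cloudflare assigns to Tunnel routes; it runs offline.

```python
from dataclasses import dataclass

TUNNEL_SUFFIX = ".cfargotunnel.com"  # assumption: Cloudflare's Tunnel CNAME target suffix

@dataclass
class Record:
    name: str              # owner name
    rtype: str             # "A", "AAAA", "CNAME" or "MX"
    content: str           # address, CNAME target or MX exchange host
    proxied: bool = False  # orange-cloud flag (not applicable to MX itself)

def _norm(host):
    return host.lower().rstrip(".")

def mx_delivery_problems(records, zone):
    """Map each unreachable in-zone MX host to why plain SMTP delivery fails.
    Outside MTAs open TCP/25 directly and never run cloudflared or WARP, so an
    MX host behind a Tunnel CNAME or a proxied record cannot receive mail."""
    zone = _norm(zone)
    by_name = {}
    for r in records:
        by_name.setdefault(_norm(r.name), []).append(r)
    problems = {}
    for r in records:
        host = _norm(r.content)
        if r.rtype != "MX" or not (host == zone or host.endswith("." + zone)):
            continue  # not an MX, or an exchange hosted in another zone
        targets = by_name.get(host, [])
        if not targets:
            problems[host] = "no A/AAAA/CNAME record for this MX host"
        for t in targets:
            if t.rtype == "CNAME" and _norm(t.content).endswith(TUNNEL_SUFFIX):
                problems[host] = "CNAME to a Cloudflare Tunnel; senders lack cloudflared"
            elif t.proxied:
                problems[host] = "proxied record; only HTTP(S) is proxied this way"
    return problems

# Constructed sample zone: one MX behind a Tunnel, one proxied, one correct.
ZONE = "example.com"
SAMPLE = [
    Record("example.com", "MX", "mail.example.com"),
    Record("example.com", "MX", "mx2.example.com"),
    Record("example.com", "MX", "mx3.example.com"),
    Record("example.com", "MX", "backup.mx.provider.net"),  # hosted elsewhere
    Record("mail.example.com", "CNAME", "0123-abcd.cfargotunnel.com", proxied=True),
    Record("mx2.example.com", "A", "203.0.113.10", proxied=True),
    Record("mx3.example.com", "A", "203.0.113.11"),  # DNS only: reachable
]
```

Running `mx_delivery_problems(SAMPLE, ZONE)` reports only `mail.example.com` and `mx2.example.com`; the DNS-only host and the externally hosted exchange pass.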

Thanks for the prompt response.

Does this all still hold true for the Spectrum product offering? I thought I read that this would allow you to tunnel to any TCP service and not just https/ssh etc?

Oh, for Spectrum, anything goes. It’s a port-to-port proxy.

Be sure to read more about Spectrum with SMTP:

https://developers.cloudflare.com/spectrum/reference/configuration-options/#smtp
