Security of the email with flexible SSL

I have a registered domain, Django website deployed in Heroku, and email with Zoho. I make use of Cloudflare so that I can direct the CNAME DNS of my domain to Heroku and MX to Zoho so that both the website and the email can use the domain’s name. However, the free Heroku account which I use does not allow me to change the Cloudflare SSL from Flexible to Strict. From what I heard, Flexible SSL is quite insecure, however, I am not so much concerned about the safety of the website itself (it does not contain any user details or passwords - just market information about a company, no information to steal which is not already published), but I’m worried about the security of the email. Does the fact that the Domain is connected to Zoho email via Cloudflare with insecure SSL make the email more vulnerable to attacks? Or is the internal Zoho security still intact even if it’s connected to the domain?

This configuration does not affect the security of your email setup. The DNS records that are related to email (especially MX) should normally be grey-clouded (not proxied) in the DNS configuration, meaning that Cloudflare doesn’t add or modify any functionality really. Email will work in the same way as with any other provider and DNS service.
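The check described in the reply above, as an added example that is not part of the original thread: it audits a DNS record list for MX records whose mail host is proxied. The records are constructed sample data using the `type`, `name`, `content` and `proxied` fields of Cloudflare API DNS record objects; all hostnames except `mx.zoho.com` are placeholders.

```python
# Constructed sample: one proxied web record, one MX pointing at an external
# provider, and one MX pointing at an in-zone host that is wrongly proxied.
SAMPLE_RECORDS = [
    {"type": "CNAME", "name": "www.example.com",
     "content": "example-app.herokudns.com", "proxied": True},
    {"type": "MX", "name": "example.com",
     "content": "mx.zoho.com", "priority": 10, "proxied": False},
    {"type": "MX", "name": "example.com",
     "content": "mail.example.com", "priority": 20, "proxied": False},
    {"type": "A", "name": "mail.example.com",
     "content": "192.0.2.10", "proxied": True},
]


def _norm(host):
    """Normalise a hostname for comparison (case, trailing dot)."""
    return host.rstrip(".").lower()


def audit_mail_records(records):
    """Return [(mx_target, status)] for every MX record.

    status is one of:
      "external"       - target is not defined in this zone, so the proxy
                         and its SSL mode never see the mail traffic
      "dns-only"       - target is in this zone and grey-clouded
      "proxied-target" - target is in this zone and orange-clouded; SMTP
                         would be sent to the HTTP proxy instead of the
                         mail server
    """
    # Index the address-bearing records an MX target can resolve through.
    hosts = {}
    for rec in records:
        if rec["type"] in ("A", "AAAA", "CNAME"):
            hosts.setdefault(_norm(rec["name"]), []).append(rec)

    findings = []
    for rec in records:
        if rec["type"] != "MX":
            continue
        target = _norm(rec["content"])
        in_zone = hosts.get(target, [])
        if not in_zone:
            status = "external"
        elif any(r.get("proxied") for r in in_zone):
            status = "proxied-target"
        else:
            status = "dns-only"
        findings.append((target, status))
    return findings


if __name__ == "__main__":
    for target, status in audit_mail_records(SAMPLE_RECORDS):
        print(f"{target}: {status}")
```

In the setup from the question, the MX target belongs to Zoho and falls in the "external" case, so the Flexible/Strict setting has no bearing on it.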

Yes, it’s indeed gray. Thank you very much:)

Then just set it to Off instead of Flexible and do not deceive your visitors.

I’m not very adept at this topic. Does flexible SSL expose the visitors to some risk? The website contains only marketing information and does not make use of login functions or any forms to be filled in by the users.

Flexible SSL is no real encryption. If you have nothing sensitive on your site, set it to Off and you are good. If you have sensitive data, it needs to be Full Strict. Anything in-between is insecure.
