Okay, now the main concern I have with SMTP: is it even possible for me to self-host an SMTP server, and to expose it ONLY via Cloudflare Tunnel, and NOT open any ports in the firewall?

Does that work, I mean?

I've read things that have confused me even more about this; the general consensus, as I understand it, is that that should work in theory but it probably doesn't actually work, or if it does work then for some reason it goes straight to spam anyway (which I would need to see to believe, frankly, because Cloudflare's IP addresses being misinterpreted as spam, would be weird and also ironic, I think).

#SelfHosting #SelfHosted #SMTP #Cloudflare #CloudflareTunnel

@the I support this idea of all ports closed, just tunnel everything through a jump box. You want to look at logging and rules on the VPN server. Any traffic that hits your firewall is known bad traffic or just net background noise?

@gary_alderson

Pretty much. Port forwarding is impossible in my case, because I'm behind the router which is behind the other router. That's at least two NATs that I know of, because they're both mine, and that's if we're not counting VirtualBox itself, which we probably should be, in which case that's at least three. Or if port forwarding through all of that is somehow still possible, I hate it.

@the I'm thinking about doing exactly that with L2TP from AA in the UK.
https://www.aa.net.uk/broadband/l2tp-service/

The L2TP daemon talks to AA, and sends/receives traffic through the tunnel.

Locally my SMTP server (Stalwart) listens on the ports on that specific IP, like I would with 127.0.0.1 or 192.168.0.10.

But I punched no holes through the firewall, as I initiate the tunnel creation.


@the I'm so happy I got out of that business when cloudflare was in its infancy

@autolycos

What business, email, or…?

@the network administration, especially the more obscure stuff

Dang, almost a quarter century ago

@the if you're sending from a Cloudflare IP address, I would expect your undeliverable rate to be higher than expected, because the typical volume of email that comes from a specific IP address is part of that IP address's sender reputation.

An IP address that never sends email and suddenly starts sending email is suspicious as hell. Or an IP address that typically sends 1,000 per week and suddenly starts sending 100,000 per week will suffer extra scrutiny.

If you get to keep the same IP address, you might end up being able to build up a positive reputation over time, but if you're just sending personal emails, your volume is probably going to be so small that it won't matter much. At low volumes, you'll always look like a non-sending IP that is sending email.

@sysop408

Okay, that makes sense, thanks. Is that why the built-in webmail you get automatically when you register a domain through Gandi (and I would assume likewise for any of the popular registrars) doesn't seem to bounce? Is it because their IP addresses already send a high volume normally?

@the assuming that they're keeping their users honest, yes. Having a stable history that allows monitoring services to judge whether your activity is following expected patterns helps.

You can get an idea of what goes into email IP reputation by looking some up using this Cisco tool:
https://talosintelligence.com

One thing you'll notice there is there's a column for rDNS matching. That's become a big thing. Your Cloudflare IP isn't going to have matching rDNS and that will hurt a lot.

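The rDNS-matching column mentioned above is a forward-confirmed reverse DNS (FCrDNS) check: the sending IP's PTR record names a host, and that host's A record must point back at the same IP. The following is an added example, not code from anyone in this thread, that implements the check with an injectable resolver so it runs offline against constructed sample records (the 203.0.113.x / 198.51.100.x addresses and example.org / example.net names are documentation ranges used as placeholders, not real mail hosts). A live resolver built on the standard socket module is included for checking your own sending IP before you rely on it.

```python
# Added example: forward-confirmed reverse DNS (FCrDNS) check, the "rDNS matching"
# signal reputation services look at for a sending IP. Resolvers are injected so
# the logic can be exercised offline with constructed data.
import ipaddress
import socket
from typing import Callable, List, Tuple

# Constructed sample records (hypothetical; documentation-range addresses only).
FAKE_PTR = {
    "203.0.113.10": ["mail.example.org"],        # PTR and A agree -> match
    "203.0.113.20": ["unrelated.example.net"],   # A does not point back -> mismatch
    "203.0.113.30": [],                          # no PTR published at all
}
FAKE_A = {
    "mail.example.org": ["203.0.113.10"],
    "unrelated.example.net": ["198.51.100.5"],
}


def fake_ptr(ip: str) -> List[str]:
    """Offline stand-in for a PTR lookup."""
    return list(FAKE_PTR.get(ip, []))


def fake_a(name: str) -> List[str]:
    """Offline stand-in for an A lookup."""
    return list(FAKE_A.get(name, []))


def live_ptr(ip: str) -> List[str]:
    """Real PTR lookup via the system resolver; empty list if none exists."""
    try:
        hostname, aliases, _ = socket.gethostbyaddr(ip)
        return [hostname] + list(aliases)
    except (socket.herror, socket.gaierror):
        return []


def live_a(name: str) -> List[str]:
    """Real forward lookup via the system resolver; empty list on failure."""
    try:
        return list(socket.gethostbyname_ex(name)[2])
    except (socket.herror, socket.gaierror):
        return []


def fcrdns_check(
    ip: str,
    lookup_ptr: Callable[[str], List[str]],
    lookup_a: Callable[[str], List[str]],
) -> Tuple[str, List[str]]:
    """Classify a sending IP's reverse DNS.

    Returns (status, names) where status is:
      'match'    - at least one PTR name resolves forward to the same IP
      'mismatch' - PTR names exist but none resolves back to the IP
      'no_ptr'   - no PTR record at all
    Invalid IP strings raise ValueError rather than being silently classified.
    """
    ipaddress.ip_address(ip)  # validate before touching any resolver
    names = [n.rstrip(".") for n in lookup_ptr(ip)]
    if not names:
        return "no_ptr", []
    confirmed = [n for n in names if ip in lookup_a(n)]
    if confirmed:
        return "match", confirmed
    return "mismatch", names


if __name__ == "__main__":
    # Offline demonstration over the constructed records.
    for sample_ip in FAKE_PTR:
        status, names = fcrdns_check(sample_ip, fake_ptr, fake_a)
        print(f"{sample_ip}: {status} {names}")
    # To test a real sending address, swap in the live resolvers:
    #   fcrdns_check("<your outbound IP>", live_ptr, live_a)
```

Only the 'match' outcome is what a receiving MTA or reputation service counts as clean rDNS; 'mismatch' and 'no_ptr' are the states a tunnel or shared egress address typically leaves you in, because you do not control the PTR record for an IP you do not own.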

@the 🤔 I don't think it would work
@the I didn’t think you could do SMTP through a Cloudflare tunnel (at least not the free plan)? What I do is rent an inexpensive VPS (found a deal for $15/year on lowendbox.com) and use that as my relay server. It also means email will be stored and forwarded later if my local server goes offline.