
How to hide origin IP of SMTP server by tunneling/proxying incoming port 25 traffic to real mail server


We have most of our stuff behind Cloudflare.

However, some services such as mail (e.g. the MX record) cannot be pushed through Cloudflare, and they expose our mail server's IP, which makes it easy to discover where our infrastructure is located because the addresses all share the same block and organization name (per ARIN whois).

Since our mail servers and VMs are at the same colo facility, knowing the IP of the mail server exposes the IP block and increases our attack surface. We host our own mail server using postfix/dovecot and it's not practical to move it to a public mail provider like Gmail.

So what I'd like to do is set up some type of proxy, kind of like what Cloudflare does with web ports 80/443, on a public cloud instance (e.g. AWS), have our MX record pointed to that, accept incoming mail connections on port 25 there, and relay/proxy/tunnel anything that comes through that port to the real origin server.

I'm sure something like this must exist. And if not, does anyone have any clues as to how to set up a simple secure tunnel or proxy like this?


Appleoddity: "A simple secure tunnel or proxy" is a VPN. A simple VPN connection to tunnel your e-mail traffic to a remote site with a static IP address would do. I think your assessment of risk here may be a little overrated. The vast majority of discoveries are made by simply scanning IP addresses. If your server is online and accessible from the internet it is going to be scanned multiple times a day. Cloudflare is a service to protect your web servers from DDoS and improve performance through its CDN. Nothing about the service is designed to "hide" who you are or what IP addresses you have.

user3630380: Thanks. Makes sense... However, I would like to point out that a very big part of Cloudflare's offering is the ability to hide the origin IP to reduce the attack surface. What's the point of using Cloudflare if the attacker knows your web server's real IP or datacenter and can hammer it? The idea is that Cloudflare accepts incoming traffic, filters it, cleans it using user-specified rules and forwards it to the origin server without revealing its network information.

Appleoddity: What you are saying is mostly correct. But you did not also include the fact that you have to block all other traffic to your server with a firewall. If you leave port 80/443 open to the internet, it doesn't matter if you have Cloudflare. You have to allow only traffic from Cloudflare's proxies. The open ports will be discovered in a matter of minutes or hours. Hence, if the server is online, it's discoverable and will be discovered. You're not hiding your IP, you're mitigating a specific attack vector. Security by obscurity is not security at all.

Appleoddity: The point I'm trying to make is that your IP addresses are public knowledge. You must have other protections already in place. Only in the case of a targeted attack on your organization, where someone might have an advantage of specifically linking your business to your IP address, does it matter if you try to hide your IP. All other hackers in the world don't care. They are simply scanning the internet for servers with open ports, including yours. A public IP address is like a home address. Anybody who drives by can see it, even if they don't know who lives inside.

user3630380: You're right. IP ownership records are public knowledge. But it doesn't mean that the service behind them should be. There are many practical reasons why it makes sense to try to prevent discovery of the origin IP.

Paul: @Appleoddity It does not matter that the IP addresses are "public knowledge", because attempting to guess which IP address is hosting which Cloudflare-protected domain is infeasible. DDoS attacks are targeted and a separate problem from scripted bot vulnerability probing.

Appleoddity: @Paul yes, I understand. You're both not really understanding what I'm saying. Yes, Cloudflare protects the server by proxying the traffic. The protection is NOT because nobody will know the true IP address. Hackers aren't trying to guess the service IP behind Cloudflare. They're simply scanning the internet for hosts with open ports. If the underlying server is exposed to the internet, it's irrelevant what Cloudflare provides in regards to "secret" IPs. And if the server is not exposed, through open ports, etc., then knowing the IP doesn't matter. Two different attack vectors.

Paul: @user3630380 Cloudflare offers a service currently in beta that you can apply for which does something similar to what you are looking for, but keep in mind that rather than proxying it behaves more like a redirect. I suspect the best solution is to host the mail server on a different IP address block. An effective mail server needs to access loads of other DNS records, and a smart attacker will simply configure their own authoritative name server to capture the querying IP addresses. It is likely more work to use a caching resolver plus VPN than to simply use a different IP address block.

Paul: @Appleoddity You are responding with comments to *some other question*, because this question is in regards to DDoS protection. The Cloudflare service requires servers in the globally reachable IP address space. Other security concerns related to administrating a server on the globally reachable IP address space are not a part of this question.
