
For a while now I have been using Google Apps for Business to provide email services for my domain. I'm in the process of setting up a new storage server and want notification-type emails to be handled separately on the local server.

I've set up Postfix as an internal SMTP server and have that all working. However, I use SPF records in my DNS setup to enable recipients to verify emails are coming from me. So I also need to specify that all mail received from a particular domain (in this case the FQDN of my internal mail server) is a pass.

The trouble is I can't see a clear way to accomplish this via CloudFlare. I saw 2 potential avenues:

  1. Specify the FQDN in the SPF record - that won't work as mail will get checked against CloudFlare's IP addresses.
  2. Specify my IP address directly - that will work but it'll leave my public IP accessible for the world to see in the DNS records. This negates the benefit of using CloudFlare in the first place?

Is there a configuration option that just verifies mail against a domain, without extended IP checks?

dcrdev

1 Answer

If you need to send emails directly from a server and you are using SPF (as you should), you need to have that IP published in your SPF in order to allow the SPF check. Either it's there directly (ip4/ip6 mechanism) or indirectly via other mechanisms, but it must be there. That's not a huge problem as the IP address isn't something magical you need to protect at any cost.

If you need to keep your public IP hidden from the DNS lookups, you can't send emails directly from that server, as SPF will fail. As a second option, you could relay all mail through the server that's already in the SPF record.

  1. List the originating server as mynetworks at your CloudFlare server (or whatever it takes to permit relay from it).
  2. Add that SMTP server as relayhost on the server that needs to send these notifications.

This way the server performing the SPF check will check the SPF for the CloudFlare IP and result in PASS. SPF is only checked for the server trying to connect to the recipient MTA using your domain in the MAIL FROM SMTP command; it doesn't check From: or any Received: headers.

Esa Jokinen

This is the best answer and I sort of assumed it to be the case. I hadn't really researched SMTP relays up until now - but I've managed to configure my Google Apps for Business account to enable an SMTP relay service. Everything is now working as I'd like it to. Thanks – dcrdev Aug 06 '17 at 22:57
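To make the answer's point concrete (SPF is evaluated against the IP that connects to the recipient MTA, so an `a:` mechanism naming a CloudFlare-proxied host resolves to CloudFlare's edge, not to the box that actually sends), here is a small SPF evaluator written for this page; it is not code from the question, the answer, or any SPF library. All names and addresses are constructed, DNS is replaced by an in-memory table, and it supports only the `ip4`, `a`, `include` and `all` mechanisms (no macros, `mx`, `ptr`, `exists` or `redirect`).

```python
import ipaddress

# Constructed stand-in for DNS. example.com is the sending domain;
# storage.example.com is the internal server, proxied through CloudFlare, so
# its A record is a CloudFlare edge address and NOT the server's real public
# IP (203.0.113.10). relay.example.net publishes the relay's address range.
DNS = {
    ("example.com", "TXT"): "v=spf1 a:storage.example.com include:relay.example.net -all",
    ("storage.example.com", "A"): ["198.51.100.7"],  # CloudFlare edge, not the box itself
    ("relay.example.net", "TXT"): "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the stubbed DNS answer: a TXT string or a list of A addresses."""
    return DNS.get((name, rtype), [] if rtype == "A" else "")


def check_spf(domain, client_ip, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `client_ip`.

    `domain` is the MAIL FROM domain; headers such as From: play no part.
    Returns one of 'pass', 'fail', 'softfail', 'neutral', 'none', 'permerror'.
    """
    if depth > 10:  # RFC 7208 caps the number of DNS-querying mechanisms
        return "permerror"
    record = lookup(domain, "TXT")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return result
        if mech == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return result
        # 'a' matches only if the connecting IP equals an A record of the name
        if mech == "a" and any(ip == ipaddress.ip_address(a) for a in lookup(arg or domain, "A")):
            return result
        # 'include' matches only when the included record itself yields 'pass'
        if mech == "include" and check_spf(arg, client_ip, depth + 1) == "pass":
            return result
    return "neutral"  # record exhausted without a matching mechanism
```

Sending straight from the storage server (203.0.113.10) fails because `a:storage.example.com` yields the CloudFlare edge address, whereas mail relayed through a host in 192.0.2.0/24 passes via the `include`, which is exactly the relayhost route the answer recommends.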