XF 2.0 Email being sent from server Xenforo is hosted on which is leaking IP

Foxum

Member
I have two separate IPs hosted by DigitalOcean. I read I needed two servers with web servers to take advantage of Cloudflare; otherwise it's impossible to hide your IP by hosting mail on the same server it's sending from. I am running VestaCP on both servers and have disabled the mail function altogether on my server hosting XenForo within VestaCP. I looked into the email headers and it seems emails are being sent directly from the server itself and not through what I configured in VestaCP, which is hosting the private email server. I can see I am still getting emails from the forum server and not the mail server.

I am a bit confused on how XenForo goes about mailing and how I would go about ensuring XenForo sends emails through a different server to protect the IP (aka my mail server) and not the forum server.

Doing all this because of Cloudflare, which is working great besides the email IP leaking.
 
Alright, I solved it after I posted it, of course. You have to enable Email transport method: SMTP instead of Default, then add in the info and test it using the email tester in XenForo. Also, if you have VestaCP, it shows multiple bits of info for usernames and ports; be sure to use the SMTP ones.
 
Yes... the only way to stay RFC compliant is to use the SMTP process on XenForo and hand off the email processing that way. If you use the local delivery method, the IP of the system sending that mail (your HTTP and your web server) will be included in there.
There are ways to get around that, but as I said, if you do that you are outside of the RFC compliance for email.
 
"RFC compliance" for email is a set of vague suggestions at best, and is outright ignored in many cases by every major provider.

I've got a postfix instance with this line in main.cf
Code:
header_checks = pcre:/etc/postfix/header_checks

With header_checks's contents being:
Code:
/^\s*(Received: from)[^\n]*(.*)/ REPLACE $1 [127.0.0.1] (localhost [127.0.0.1])$2

I then have XenForo email via SMTP to the postfix instance, which then relays outbound.
 
"RFC compliance" for email is a set of vague suggestions at best, and is outright ignored in many cases by every major provider.
Really... can you name a few major providers that hide/spoof the originating IP?

I then have XenForo email via SMTP to the postfix instance, which then relays outbound.
And there are many rules that will block receipt of any inbound mail that originates from a localhost address.
Every server I have ever set up does that.
 
Really... can you name a few major providers that hide/spoof the originating IP?
Originating IP is meaningless, the only IP which matters is the one actually connecting. Because all the rest are completely untrustable.

Have a look at headers from email sent from Google/Hotmail one day. Both of them will use the 10.x.x.x IP address range on internal hops, if they show you anything at all.

And there are many rules that will block receipt of any inbound mail that originates from a localhost address.
Every server I have ever set up does that.
Awesome, you are horrible at email. The delivery to localhost (which can be a very large number of addresses) has no utility for indicating the quality of email.

I could pick a random non-routable IP, and it would be perfectly valid. Technically you don't even need an IP address in there at all.
 
Awesome, you are horrible at email. The delivery to localhost (which can be a very large number of addresses) has no utility for indicating the quality of email.
Nope, localhost is typically used by spammers... so it's a natural to block.
Internal IPs (non-routable) are valid actually.
If you look at their headers, you will see that it actually relays via a valid domain that they own.

Code:
Received: from mail-oi0-x232.google.com (mail-oi0-x232.google.com. [2607:f8b0:4003:c06::232]) by mx.google.com with ESMTPS id e133si404454oib.315.2017.03.23.20.26.23 for <xxxxx@yyyyy.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 23 Mar 2017 20:26:24 -0700 (PDT)
so if you are relaying through a valid domain relay that is internal to your "business" it should be compliant. Most small sites don't do that as they deliver directly to the interwebz.
Delivering direct from a private IP or localhost to another server is a poor setup. That is very typical of spammer behavior.
 
Easiest way... and usually cheapest is to get a small VPS and install Mail-in-a-Box or similar and then set your system to use SMTP to send via the VPS (at least for me it would be)... otherwise simply use SMTP.
 
I know I'm bumping an old thread, but it's the newest one I could find on the topic.

We use G Suite and we have XenForo connecting to G Suite via SMTP to send forum emails. As we all know, that leaves the server IP exposed, which is not ideal. Does anyone have recent experiences solving this issue while remaining within acceptable Internet standards for mail? For example, have any of you used Amazon's SES for this purpose? I've read conflicting accounts on whether the origin IP is exposed with SES.

Setting up another server with Postfix is an option, but it's not particularly appealing (more maintenance, security, work, babysitting, etc.)
 
The best solution is a postfix relay with a modified header on a separate server, as Xon mentioned above.
It does not require heavy maintenance once configured.
Using it with cPanel Exim for years.
 
They are paid services and that way you simply use SMTP to send mail via their services.

Depending on the provider - using SMTP to send via an ESP may still insert the origin IP address into the mail headers. You'd need to check for your specific provider to see if they mask the origin or show it.

Sending email via HTTP API if your ESP supports it and if you have an adapter for XenForo - is an alternative approach that should guarantee your IP address won't leak.
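
A way to verify the outcome discussed in this thread, as an added example that is not part of any post above: save the raw source of a test email received from the forum and scan every header (not only `Received:`) for the web server's address. The function name, hostnames and documentation-range addresses are assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# IPv4 or IPv6 literals; look-alikes such as "20:26:24" are rejected by ipaddress.
IP_TOKEN = re.compile(
    r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d)"
    r"|(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}(?![0-9A-Fa-f:])"
)
ORIGIN_IPS = ["203.0.113.10", "2001:db8::10"]  # constructed web-server addresses

def find_origin_leaks(raw_message, origin_ips):
    """Return (header name, address) for each header containing an origin IP."""
    origins = {ipaddress.ip_address(ip) for ip in origin_ips}
    leaks = []
    for name, value in message_from_string(raw_message).items():
        text = " ".join(str(value).split())        # unfold continuation lines
        text = re.sub(r"(?i)\bIPv6:", " ", text)   # drop the "[IPv6:...]" tag
        for token in IP_TOKEN.findall(text):
            try:
                addr = ipaddress.ip_address(token)  # normalises IPv6 spelling
            except ValueError:
                continue
            if addr in origins:
                leaks.append((name, str(addr)))
    return leaks

# Constructed sample: mail handed to the recipient directly by the web server.
DIRECT = """\
Received: from forum.example (forum.example [203.0.113.10])
\tby mx.recipient.example with ESMTPS; Thu, 23 Mar 2017 20:26:24 -0700
Subject: test

body
"""
# Constructed sample: SMTP hand-off to a relay that rewrote the first hop.
RELAYED = """\
Received: from relay.example (relay.example [198.51.100.25])
\tby mx.recipient.example with ESMTPS; Thu, 23 Mar 2017 20:26:25 -0700
Received: from [127.0.0.1] (localhost [127.0.0.1])
\tby relay.example with ESMTP; Thu, 23 Mar 2017 20:26:24 -0700
Subject: test

body
"""
# Constructed sample: a provider that records the client address in its own header.
ESP = RELAYED.replace(
    "Subject:", "X-Originating-IP: [IPv6:2001:0db8:0:0:0:0:0:10]\nSubject:")

if __name__ == "__main__":
    for label, raw in (("direct", DIRECT), ("relayed", RELAYED), ("esp", ESP)):
        print(label, find_origin_leaks(raw, ORIGIN_IPS))
```

Run it against a message from each mail path you use (registration, password reset, notifications), since they can be configured separately.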
 