Mail header with IP of mail server
I have two VPS configured for the same domain; one of them acts as a webserver (Apache, MySQL), the other acts as a mail server.
The webserver is configured to use remote mail; the mail server is configured as local.
The page hosted on the webserver (it is a forum) sends emails to its users (notifications of new messages, etc.); the configuration on the page is simple: SMTP server, user, password, encryption and port.
It works correctly, but I have a "problem or doubt" regarding the header of the received mail.
The mail is sent by the mail server (for the example we will use hostname = hostmail.mail) and it does so from that IP; well, the header that is received is this:
Received: from server1.mydomain.com
by server.mydomain.com with LMTP
id fpt3O+bEpV8eVAAAb3laoA
(envelope-from )
for ; Fri, 06 Nov 2020 22:49:26 +0100
Return-path:
Envelope-to: user@mydomain.com
Delivery-date: Fri, 06 Nov 2020 22:49:27 +0100
Received: from [IP of WEBSERVER] (port=43308 helo=mail.mydomain.com)
by server1.mydomain.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.93)
(envelope-from )
id 1kb9bq-0005aO-Rc
for user@mydomain.com; Fri, 06 Nov 2020 22:49:26 +0100
Date: Fri, 06 Nov 2020 21:49:26 +0000
Before continuing, I see that in the second line "server.mydomain.com" is the old hostname; a few hours before making this post, I changed this hostname to server1.mydomain.com. As you can see, it does indicate the hostname of the mail server, but the IP indicated is that of the webserver (the webserver only sends it to the mail server so that it is the one that sends the mail). I have looked and searched a lot about this, and I have not found a way to have the IP of the mail server, and not the webserver, also appear in the header. The mail server is the machine that sends the emails, so I understand that the data of this machine should appear in the header. The reason is to avoid two possible attacks on the webserver (which has already suffered them). This domain is behind Cloudflare, so we can "camouflage" the IP of the webserver, but not that of the mail server; that is why a VPS has been created only for the mail, so that in case they attack, it is the mail machine (it does not matter regarding the webserver). I found this post right here, it's from a few years ago; I tried it but ... it was worse ... in the header then the hostname and IP of the webserver appeared, hehe :) :
Hey there! Just to make sure I'm following along: mail gets sent from the application on the webserver. That application connects to the mail server over SMTP, and then the message is sent from the mail server. Is that correct? If so, this seems like normal behavior. For example, when I send a message from a mail client I still get the reverse DNS of my local IP in the mail headers, which we can see here, even though that ultimately isn't the machine that sent the message:
2020-11-09 09:42:18 1kc8N8-004doY-8e <= cptest@domain.com H=1-2-3-4.lightspeed.lnngmi.sbcglobal.net ([192.168.0.1]) [1.2.3.4]:58636 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=dovecot_plain:cptest@domain.com S=744 id=6f2efff1-4b44-214f-7e49-a795fc3b1982@domain.com T="test1" for rex.hatt@cpanel.net
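Added example, not from the thread: a small Python parser for a Received chain, run over a constructed copy of the headers quoted in the question (203.0.113.10 is a documentation-range placeholder for "[IP of WEBSERVER]"). It shows why the webserver's address is there: each receiving server stamps the IP of the client that connected to it, so the line written by server1 records the host that authenticated to it (esmtpsa), while the mail server's own IP would only be written by the next receiving server, which does not exist for a message delivered locally over LMTP.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in the post; 203.0.113.10 is
# a documentation-range placeholder for the post's "[IP of WEBSERVER]".
RAW_MESSAGE = """\
Received: from server1.mydomain.com
    by server.mydomain.com with LMTP
    id fpt3O+bEpV8eVAAAb3laoA
    for <user@mydomain.com>; Fri, 06 Nov 2020 22:49:26 +0100
Received: from [203.0.113.10] (port=43308 helo=mail.mydomain.com)
    by server1.mydomain.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    (Exim 4.93)
    id 1kb9bq-0005aO-Rc
    for user@mydomain.com; Fri, 06 Nov 2020 22:49:26 +0100
Date: Fri, 06 Nov 2020 21:49:26 +0000

body
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(value):
    """Split one Received: value into the fields that matter for tracing."""
    flat = " ".join(value.split())                 # undo header folding
    clause, _, stamp = flat.rpartition(";")        # timestamp follows the last ';'
    hop = {"from": None, "ip": None, "helo": None, "by": None, "with": None,
           "id": None, "date": stamp.strip()}
    m = re.match(r"from (\S+)(?: \(([^)]*)\))?", clause)
    if m:
        hop["from"] = m.group(1)                   # name the client presented
        ip = IP_RE.search(m.group(0))              # address the stamping server saw
        hop["ip"] = ip.group(1) if ip else None
        helo = re.search(r"helo=(\S+)", m.group(2) or "")
        hop["helo"] = helo.group(1) if helo else None
    for key in ("by", "with", "id"):
        m = re.search(rf"\b{key} (\S+)", clause)
        hop[key] = m.group(1) if m else None
    return hop

def trace(raw_message):
    """Hops oldest-first: each server prepends its line, so reverse the list."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]

def submission_hop(hops):
    """The hop stamped with esmtpsa (authenticated submission): the IP recorded
    there is the client that logged in to the mail server, not the server itself."""
    return next((h for h in hops if (h["with"] or "").startswith("esmtpsa")), None)
```

Only the bracketed IP is what the stamping server observed; the helo= name is whatever the client declared, so it is the IP, not the name, to trust when tracing a message.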
> Hey there! Just to make sure I'm following along, mail gets sent from the application on the webserver. That application connects to the mail server over SMTP, and then the message is sent from the mailserver. Is that correct?

It's correct. On the webserver there is a website; this website sends mail to users (notifications...) with SMTP, and this SMTP is configured to connect to another server (the mail server), which then sends the mail. The webserver is configured for remote mail, and the mail server as local mail. In the header the hostname of the mail server appears, OK, but the IP of the webserver.

> If so, this seems like normal behavior. For example, when I send a message from a mail client I still get the reverse DNS of my local IP in the mail headers, which we can see here, even though that ultimately isn't the machine that sent the message:
> 2020-11-09 09:42:18 1kc8N8-004doY-8e <= cptest@domain.com H=1-2-3-4.lightspeed.lnngmi.sbcglobal.net ([192.168.0.1]) [1.2.3.4]:58636 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=dovecot_plain:cptest@domain.com S=744 id=6f2efff1-4b44-214f-7e49-a795fc3b1982@domain.com T="test1" for rex.hatt@cpanel.net

That's right, so I'm afraid the only solution is to go to Amazon SES (for example). The idea was to separate the two servers so that the exposed IP would be the one for the mail and, in case of attack, they would not knock down the webserver. Thanks and regards!
Thanks for confirming all that. It sounds like what you're seeing is just "working as intended" for the mail system. You could think about it this way too: what if you could fully hide the origin IP? How much more spam would that produce?
Yes, I understand it. The reason for "hiding" the IP (although I really do not want to hide it; I want the IP of the mail server to appear) is to avoid what happened to me 10 days ago: a DDoS attack and the service down. If they attack the IP of the mail server, "I don't care": the web stays up, and the IP of the webserver, being behind Cloudflare, is not so "public"; the one of the mail server is public. In this case, I think all I'm left with is Amazon SES. Thanks for your attention and help!!!