Sending emails without revealing server's ip address

Question

To reduce attacks, we put our servers behind cloudflare's cloud service.

But, our app sends emails (via sendmail and smtp) to users (password reset etc), and those email headers contain the real backend ip addresses. Is there anyway to hide these ip addresses in emails, such as

1. setup a separate server for smtp which can strip sender ip info?
2. any existing service available?
3. any other thoughts?

thanks!

Answer 1

The ip address is not in any header, it is the base of your communication. smtp it's over ip (wiki). so you can't "strip" it out.

The solution according to cloudflare is:

Don't host mail or other services on the same server as your web server If your mail server hosted by the same IP as your http server, an attacker could find the IP address from an outgoing email.

Good luck!

Answer 2

As MeNa said, it isn't in the header it is in the SMTP trail.

My recommendation would be to use a 2ndary/external SMTP server to proxy the mail through (as you suggested), that will result in the 2ndary/external IP being in the trail, but your originating IP not being. There are plenty of services as well, just have a google for "smtp service" or similar.

The other thing to be aware of is SPF records, if you are (too) specific they'll be able to find your host IP that way as well.

Answer 3

Any time your server connects to the outside world via SMTP then the IP will be logged in the headers (it's part of the protocol, and it's how we fight spam).

So the only ways to avoid this (that I can think of) are:

• Use a third-party mail service such as Postmark (https://postmarkapp.com/)
• Connect to another server and send mail through that (perhaps over a VPN, using a message queue like RabbitMQ, or some other API)