Question
Mail Server Stops Working When Switching To Cloudflare DNS
- Posted on January 5, 2017
- EmailApacheDNSSystem ToolsUbuntu 16.04
Asked by weblora
Upon switching over to Cloudflare, the mail server that I have set up with PostFix and Dovecot stops working. By “stops working”, I mean that I am no longer able to send or receive mail from my Thunderbird client. As soon as I switch back to Digital Ocean’s nameservers, I am able to receive the mails that had queued up while on Cloudflare’s NS.
So the mailserver doesn’t stop working entirely, however when I try to authenticate/login to my mail account through Thunderbird, to send/receive, the connection just times out/server doesn’t respond.
My mailserver has DKIM and SPF records in use.
Any help would be much appreciated!
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Want to learn more? Join the DigitalOcean Community!
Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.
@weblora
CloudFlare only resolves the DNS entries that you provide, so if you’re not receiving e-mail after switching to their DNS, the issue would most likely be due to misconfiguration.
The DNS that shows here at DigitalOcean should be identical to that which is setup for CloudFlare (i.e. all A, CNAME, MX, TXT, etc). You also have to modify your domains DNS to use CloudFlare’s provided DNS servers after your setup.
If you can, please provide links to a screenshot of your DNS setup with DigitalOcean as well as a screenshot of what shows up for the same domain in CloudFlare’s CP. I’ll be more than happy to take a look at it for you.
@weblora
All public web servers expose their public IP addresses. The only IP that is hidden from public access is the private network IP. Anyone could get the IP of a web server by performing a DNS lookup. That said, there’s no need to worry about public IP exposure – properly setting up your firewall will mitigate most common concerns regarding public exposure.
Beyond the firewall, further locking down the droplet and tightening security will further prevent the majority of other cases.
Sending Mail w/ PHP
As far as sending e-mail using PHP, the
mail()function really doesn’t accept connection parameters on the fly so you wouldn’t be connecting to your mail server using this function.The following lines of code should send an e-mail without any issues:
… of course, since you’re not connecting to your mail server, this e-mail will most likely end up in the SPAM box of whatever provider it’s being sent to since there’s absolutely zero authentication using the above.
If you want something more advanced, such as actually sending through your mail server, I’d recommend using something such as PHPMailer:
https://github.com/PHPMailer/PHPMailer
or SwiftMailer
https://github.com/swiftmailer/swiftmailer
These libraries provide a feature-rich set of functions that’ll allow you to do what you need to do and connect to your mail server by passing the correct details during configuration.
If you’re using a CMS, such as WordPress, you can use a plugin to handle the connection for you. You can take a look at:
https://wordpress.org/plugins-wp/wp-mail-smtp/
@weblora
Starting a new reply as there’s not an option to reply to your last comment.
So, as far as your DNS at DigitalOcean, as long as those are the correct IP’s, it looks perfect! I wouldn’t foresee any issues once you run CloudFlare to scan the domain.
As far as the errors on your MX lookup, the first one concerning DMARC is something you can handle by configuring DMARC through your mail configuration, though it’s not a huge concern for the initial setup or getting things working. Some providers are checking DMARC, though I’ve not ran in to any issues with providers rejecting e-mail on domains that do not have it setup (at least currently).
The HTTP error showing up simply means that either your web server isn’t setup to receive requests (i.e. NGINX or Apache isn’t serving requests) or there was a failure on initial request. As long as you’re able to access your domain and view the page once your server is setup, that one can be overlooked for now.
The third error is a blacklist error on the mail servers IP. This happens as the IP’s that DigitalOcean assigns are used by many users before they become yours. It’s possible that DigitalOcean had a spammer come on board, send boatloads of e-mails, and the result was that the IP was blacklisted at one of the spam databases.
There’s good and bad news with the blacklist. The good is that it’s not one of the major spam databases, so you’re not likely to see mail bounce as a result. The bad, even if you do, they don’t offer a way to remove the listing just yet.
You can keep at eye on:
http://psky.me
… which will allow you to keep up with when you can apply to remove the IP. Essentially, once able, you’d get in touch and let them know that you are not the previous owner, are running a new mail server and it’s for personal mail (or something similar). They’ll check the IP against their records and if they find the submission to be valid, they will remove it.