Mailgun leaking server's real IP behind Cloudflare


(shitposting) #1

Mailgun is leaking my DigitalOcean server IPs via emails deployed for Discourse, which is resulting in repeated DDoS attacks.

Received: from localhost.localdomain (sposting.com [**REAL IP HERE**]) by mxa.mailgun.org with ESMTP id 78c1220.7fe02c20b530-smtp-out-n03; Wed, 15 Mar 2017 01:30:08 -0000 (UTC)

No DDoSers have discovered this yet.

Additionally, a security researcher just pasted me the following information and told me it was pulled using “linux dig”.

IP address **REAL IP HERE**
Reverse DNS (PTR record) sposting.com
DNS server (NS record) ns3.digitalocean.com (198.41.222.173)
ns1.digitalocean.com (173.245.58.51)
ns2.digitalocean.com (173.245.59.41)
ASN number 393406
ASN name (ISP) Digital Ocean, Inc.
IP-range/subnet 138.197.80.0/20
138.197.80.0 - 138.197.95.255

So it may be leaking in other ways as well but I can’t totally confirm that.

Any ideas?


(Jeff Atwood) #2

Why are you reporting this to us? Shouldn’t you contact mailgun about it?


(shitposting) #3

I want the solution indexed here in the event someone else runs into the same issue in the future.

I did submit a support ticket there first and I’m waiting on the response. Sometimes it takes Mailgun a long time to respond or they don’t respond at all. Either way, I intend to discover and/or leave a solution to the problem ITT.

Mailgun is commonly used in conjunction with Discourse.


(Matt Palmer) #4

cough:

$ dig @ns1.digitalocean.com sposting.com +short
138.197.91.157

Looks like you set up DNS on DigitalOcean before moving to Cloudflare, then forgot to remove the zone from DO.


(shitposting) #5

Derp. Thanks.

That won’t prevent the IP from leaking via Mailgun though, will it? I think I might be limited to Mailgun API only. No idea how I’m going to integrate that if so.


(Matt Palmer) #6

Mailgun is a separate problem, but you’ve got to close off every avenue of leakage if you want to remain DDoS proof.


(Michael - DiscourseHosting.com) #7

I warned you about that:

I don’t think Mailgun has any options or settings for this. It’s best to set up a separate relay server in between Discourse and Mailgun, that removes those headers. See this article: Remove sensitive information from email headers with postfix - major.io


(Jay Pfaffman) #8

If you did a standard install, you’re delivering mail via SMTP, not the API.


(shitposting) #9

Going to try to implement this. I’ll let you know how I make out ITT.

Yes, naturally. I’m either going to set up a separate relay server or try to locate and alter the email send code in Discourse, which I understand vanishes upon updates and fresh installs. Uncharted territory. My first attempt will be the former method as it seems the simplest approach.


(Jay Pfaffman) #10

Yeah. The relay server is the cleaner of those solutions. You could offer a bounty for someone to write a send-with-mailgun-api plugin. I have no idea how hard it’d be, but there are hooks to use mailgun webhooks.


(shitposting) #11

Solved.

The quick and dirty solution was indeed a mail relay server. I set up a cheap $5/mo DigitalOcean droplet running Postfix as a Mailgun relay and a custom header_checks file to prevent the original requesting IP, i.e. my Discourse droplet, from being displayed in the email headers. Discourse now talks to that mail server as opposed to connecting directly to smtp.mailgun.org.

A non-SMTP Mailgun API solution, be it a plugin or an official Discourse option, would be incredibly useful for anyone using Cloudflare. An additional fix could be pushed internally at Mailgun as well if they added an option to hide the original requesting IP, as is done automatically through their API.

In the meantime this works fine enough.

Thanks to @michaeld, @pfaffman and @mpalmer for the sound advice and I hope this thread serves as reference in the future for anyone experiencing similar issues.
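Added example (not code from this thread or from any of the posters): the relay's header_checks file is assumed to contain a single rule, `/^Received:.*\[203\.0\.113\.10\]/ IGNORE`, where 203.0.113.10 stands in for the Discourse droplet's address; the script applies that same pattern to a constructed message so you can see which logical header the relay drops, and `received_leaks` is the check to run on the raw source of a test email once the relay is in place. Hostnames and IDs in the sample message are constructed.

```python
import re

# Constructed placeholder for the Discourse droplet's address (not the thread's real IP).
ORIGIN_IP = "203.0.113.10"

# Same pattern as the assumed Postfix header_checks line:
#   /^Received:.*\[203\.0\.113\.10\]/ IGNORE
# Postfix regexp: tables match case-insensitively by default; mirror that here.
HEADER_CHECKS_RULE = re.compile(r"^Received:.*\[" + re.escape(ORIGIN_IP) + r"\]", re.I)

# Constructed raw message modelled on the Received chain quoted in the thread,
# as Mailgun would emit it if the relay had no header_checks rule at all.
RAW_MESSAGE = (
    "Received: from relay.example (relay.example [198.51.100.7])\n"
    "\tby mxa.mailgun.org with ESMTP id 78c1220; Wed, 15 Mar 2017 01:30:08 -0000 (UTC)\n"
    "Received: from localhost.localdomain (discourse.example [203.0.113.10])\n"
    "\tby relay.example (Postfix) with ESMTP id 4F3A1C2B; Wed, 15 Mar 2017 01:30:07 +0000 (UTC)\n"
    "From: noreply@sposting.example\n"
    "To: user@example.net\n"
    "Subject: [Discourse] test\n"
    "\n"
    "body\n"
)


def logical_headers(raw: str) -> list[str]:
    """Split the header block into logical headers, joining folded continuation lines
    (Postfix applies header_checks to the whole logical header, not to each physical line)."""
    head = raw.split("\n\n", 1)[0]
    headers: list[str] = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()  # unfold continuation line
        else:
            headers.append(line)
    return headers


def apply_header_checks(raw: str) -> str:
    """Drop every logical header the IGNORE rule matches, as Postfix cleanup would."""
    head, _, body = raw.partition("\n\n")
    kept = [h for h in logical_headers(head) if not HEADER_CHECKS_RULE.search(h)]
    return "\n".join(kept) + "\n\n" + body


def received_leaks(raw: str, origin_ip: str = ORIGIN_IP) -> list[str]:
    """Return every Received: header that names the origin; empty means no leak."""
    return [h for h in logical_headers(raw) if h.startswith("Received:") and f"[{origin_ip}]" in h]
```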


(blaumeer) #12

Just for curiosity I checked what Mandrill does, and yes, it leaks my server IP address too. So if I were concerned about hiding the original IP against DoS, I would set up a mail relay.