php mail and SMTP while using cloudflare

5
votes

I am using cloudflare on my website and I want to keep my server's IP (the ORIGIN IP) private, to avoid DDoS attacks being sent directly to my server's IP. My server uses Apache, PHP, MySQL.

When using php mail to send emails (even if I use phpmailer library to send the emails through external SMTP) the IP of my server is added to the mail headers. It happens with Google SMTP, Mailgun and others, because probably it is in their policy to write in the header the IP from which the mail came.

At the moment, the only solution that I have in mind and requires a lot of effort, which is to create my own REST API and send emails through another server, something like this:

ORIGIN SERVER IP sends email data in text format via my REST API to MY MAIL SERVER IP and then MY MAIL SERVER IP uses php mail function with phpmailer to send the email via SMTP to the user. This way, the IP of MY MAIL SERVER will appear in the email headers and not the IP of the ORIGIN SERVER.

Is there a much more elegant way to do this? Is there a mail service that offers a rest API and if I use their API, they won't display my server's IP in the email headers? Or maybe there is an already developed REST API / library for sending emails remotely as I requested, so I won't have to develop and test my own from scratch?

5
phpemailsecuritysmtpcloudflare

5 Answers

8
votes

You should send emails through mailgun (or sendgrid, or jetmail, or SES, or ...) through their API and not the SMTP protocol and your IP won't be disclosed.

For instance for Mailgun SDK: https://github.com/mailgun/mailgun-php

$mg = Mailgun::create('key-example');

# Now, compose and send your message.
# $mg->messages()->send($domain, $params);
$mg->messages()->send('example.com', [
  'from'    => '[email protected]',
  'to'      => '[email protected]',
  'subject' => 'The PHP SDK is awesome!',
  'text'    => 'It is so simple to send a message.'
]);

But there are SDK for most providers:

Moreover, I would recommend using SwiftMailer which is powerful library to handle email. One of the cool thing is that it abstract the transport and you would be able to switch from SMTP or any provider API using packages.

0
votes

You can use e.g. mailchimp, amazon SES, or other mail service provider, they should not add your ip. But that services are paid.

0
votes

Long time ago, at college, I can not use php mail command because of firewall rules so write my own SMTP autentication class. Some time latter I start using PHPMailer class and I never had another problem, even using Gmail as sender. Give a look at https://github.com/PHPMailer/PHPMailer .

This is a simple example:

<?php
// Import PHPMailer classes into the global namespace
// These must be at the top of your script, not inside a function
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

//Load composer's autoloader
require 'vendor/autoload.php';

$mail = new PHPMailer(true);                              // Passing `true` enables exceptions
try {
    //Server settings
    $mail->SMTPDebug = 2;                                 // Enable verbose debug output
    $mail->isSMTP();                                      // Set mailer to use SMTP
    $mail->Host = 'smtp1.example.com;smtp2.example.com';  // Specify main and backup SMTP servers
    $mail->SMTPAuth = true;                               // Enable SMTP authentication
    $mail->Username = '[email protected]';                 // SMTP username
    $mail->Password = 'secret';                           // SMTP password
    $mail->SMTPSecure = 'tls';                            // Enable TLS encryption, `ssl` also accepted
    $mail->Port = 587;                                    // TCP port to connect to

    //Recipients
    $mail->setFrom('[email protected]', 'Mailer');
    $mail->addAddress('[email protected]', 'Joe User');     // Add a recipient
    $mail->addAddress('[email protected]');               // Name is optional
    $mail->addReplyTo('[email protected]', 'Information');
    $mail->addCC('[email protected]');
    $mail->addBCC('[email protected]');

    //Attachments
    $mail->addAttachment('/var/tmp/file.tar.gz');         // Add attachments
    $mail->addAttachment('/tmp/image.jpg', 'new.jpg');    // Optional name

    //Content
    $mail->isHTML(true);                                  // Set email format to HTML
    $mail->Subject = 'Here is the subject';
    $mail->Body    = 'This is the HTML message body <b>in bold!</b>';
    $mail->AltBody = 'This is the body in plain text for non-HTML mail clients';

    $mail->send();
    echo 'Message has been sent';
} catch (Exception $e) {
    echo 'Message could not be sent. Mailer Error: ', $mail->ErrorInfo;
}
0
votes

get an instance from any cloud provider, send REST request to that instance or whatever you prefer, then your original web server's ip will be totally invisible.

0
votes

There is no API or elegant way to hide your IP from emails that you're sending. Any SMTP provider who offers this is worthy of blacklisting and would be immediately overcome by spammers signing up to abuse this privacy.

You must use your idea of creating an internal Web relay system to send to other IPs before initiating SMTP. But the hassle of setting that up should be more of a hassle than rebuilding your current site with another IP.

This sounds like a classic case of treating your server like a pet instead of like cattle. If rebuilding your current site on a new IP is less attractive than building and maintaining a custom Web API to hide your IP from exposure, you need to investigate automation tools.