Cloudflare to proxy box.mymailserver.com

Guys,

I currently use Cloudflare on my domain, but until now I have kept the MAIB box entry there as “DNS Only” and not “proxied by cloudflare”. Everything works fine with this setup.

I want to explore if I can proxy the MAIB box as well through Cloudflare (only the A record of box.mymailserver.com), as I wanted to see the analytics data for it included in the Cloudflare console as well.

Does anybody have this setup working?

I can’t seem to get my head round how this can be made to work (my default setting is to enforce SSL 1.3 in CF). The route would be user -> CF -> MAIB, so I guess CF will need to import the MAIB’s Letsencrypt certificate. Is that correct / does it make sense?
If it makes sense, how do I export the MAIB certificate, and can this process be scripted? Any pointers would be great as I have never done this sort of thing.

Thanks

I am not a CF user, but afaik, CF creates its own SSL certificate. So that part is not an issue.

I know that you absolutely cannot proxy the MX record, and in setups such as DirectAdmin and cPanel, you cannot proxy the SMTP/POP3/IMAP connection. What I do not know is if proxying the A record for box.mymailserver.com will be problematic, or not.

I suppose that you’ll be our guinea pig. :)

I don’t mind being my own guinea pig but would appreciate help in talking things over to be a more informed guinea pig, hopefully.

Yes, CF only proxies A, AAAA and CNAME records, and I don’t really want to proxy MX records.

CF has the following SSL options (which will kick in, once I proxy the A record for box.maibdomain.com)
So my question is if I want to stick to Full setting, then CF will have its own cert for the browser to CF part and will allow me to import my server cert into CF for CF to MAIB connection to work.

How do I export the MAIB certificate, and can this process be scripted? … Otherwise, every few weeks when the letsencrypt cert gets updated, the link would start to fail.

Has anyone done this before, or can they suggest pointers on achieving it, if it’s a theoretical possibility?

Thanks

Just thinking out loud … what if you select the flexible option?

I am guessing that the connection from the web browser to CF would be encrypted by CF, and then the connection from CF to your MiaB will be encrypted with the cert on the box.

Maybe looking at their docs will shed some light on that possibility?

I don’t currently use CF in front of my MIAB but am interested as to how.

That said I do use CF to a self hosted server, both using letsencrypt and CF allows full (strict) without a problem.

No exporting necessary if using LE.
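
An added example, not part of the thread: a check for the concern raised above that SMTP/POP3/IMAP connections cannot be proxied, which flags any proxied A/AAAA/CNAME record that a mail hostname resolves through. The record fields mirror Cloudflare's DNS record objects (`type`, `name`, `content`, `proxied`); the zone data, the addresses and the `imap.mymailserver.com` name are constructed for illustration.

```python
# Added example: flag proxied DNS records that sit on a mail hostname's path.
# Field names follow Cloudflare DNS record objects; the zone is constructed.
PROXYABLE = {"A", "AAAA", "CNAME"}  # record types that can be proxied

def norm(host):
    return host.rstrip(".").lower()

def mail_hosts(records, extra=()):
    """MX targets plus any extra names mail clients connect to."""
    hosts = {norm(r["content"]) for r in records if r["type"] == "MX"}
    return hosts | {norm(h) for h in extra}

def resolve_chain(records, host):
    """Return the A/AAAA/CNAME records reached from host, following CNAMEs."""
    chain, seen, todo = [], set(), [norm(host)]
    while todo:
        name = todo.pop()
        if name in seen:  # guard against CNAME loops
            continue
        seen.add(name)
        for r in records:
            if r["type"] in PROXYABLE and norm(r["name"]) == name:
                chain.append(r)
                if r["type"] == "CNAME":
                    todo.append(norm(r["content"]))
    return chain

def audit(records, extra=()):
    """Sorted (mail_host, record_name, type) for each proxied record found."""
    found = set()
    for host in mail_hosts(records, extra):
        for r in resolve_chain(records, host):
            if r.get("proxied"):
                found.add((host, norm(r["name"]), r["type"]))
    return sorted(found)

# Constructed zone; addresses are from a documentation range.
ZONE = [
    {"type": "MX", "name": "mymailserver.com", "content": "box.mymailserver.com", "proxied": False},
    {"type": "A", "name": "box.mymailserver.com", "content": "203.0.113.10", "proxied": True},
    {"type": "A", "name": "www.mymailserver.com", "content": "203.0.113.20", "proxied": True},
    {"type": "CNAME", "name": "imap.mymailserver.com", "content": "box.mymailserver.com", "proxied": False},
]

if __name__ == "__main__":
    for host, name, rtype in audit(ZONE, extra=["imap.mymailserver.com"]):
        print(f"{host}: {rtype} record {name} is proxied, so mail clients would reach the proxy")
```

Each finding is a record to review before switching the box's A record from “DNS Only” to proxied; the `www` record is not reported because no mail hostname resolves through it.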