Question What would the best setup be?

[michaeljoseph01]

Server operating system version

Ubuntu 20.04

Plesk version and microupdate number

18.0.51

So I'm trying to determine the most secure and simple way to set up a single server that hosts a single domain with website + postfix/dovecot mail service. I'm proxying the web traffic through cloudflare. I don't see any way around not exposing the mail server IP, so I'm using a mail.domain mx record with accompanying A record pointing to a 2nd un-proxied IP for the mail service.

This seems logical to me, but only if I can then lock down all non-mail traffic coming into the exposed email IP

So
1. Is there a way to configure the firewall to block traffic by destination/local IP? Or do I need other software for this?
2. Is there any way to secure the mail.domain email server on this setup with lets encrypt? Or does it only work if you run mail through domain.com? I could do that but it would defeat the purpose of hiding my apache IP through cloudflare.

Is there a different setup I should be using?

Thanks

 

[michaeljoseph01]

Update: I found the workaround before my post was even approved by the mods, geez.... asleep at the switch.

 

[scsa20]

I'm guessing you found you can just use the plesk firewall to whitelist only cloudflare's IPs and have it drop the rest for the WWW server service?

 

[michaeljoseph01]

Yes, and for the mail server I had to change it to webmail.domain because even after 2+ years of feature requests by countless people, plesk/lets encrypt does not issue ssl certs that will cover a mail.domain server setup. Seems incredible but here we are.

 

[scsa20]

If you're talking about for accessing webmail then yes you will need to have an A record for webmail.domain.tld but otherwise if you're using mail.domain.tld just for configuring an email client you could use that but you'll need to get a wildcard cert issue for it to work and choose to secure pop/imap/smtp with it.