• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question What would the best setup be?

michaeljoseph01

New Pleskian
Server operating system version
Ubuntu 20.04
Plesk version and microupdate number
18.0.51
So I'm trying to determine the most secure and simple way to set up a single server that hosts a single domain with website + postfix/dovecot mail service. I'm proxying the web traffic through cloudflare. I don't see any way around not exposing the mail server IP, so I'm using a mail.domain mx record with accompanying A record pointing to a 2nd un-proxied IP for the mail service.

This seems logical to me, but only if I can then lock down all non-mail traffic coming into the exposed email IP

So
1. Is there a way to configure the firewall to block traffic by destination/local IP? Or do I need other software for this?
2. Is there any way to secure the mail.domain email server on this setup with lets encrypt? Or does it only work if you run mail through domain.com? I could do that but it would defeat the purpose of hiding my apache IP through cloudflare.

Is there a different setup I should be using?

Thanks
 
I'm guessing you found you can just use the plesk firewall to whitelist only cloudflare's IPs and have it drop the rest for the WWW server service?
 
Yes, and for the mail server I had to change it to webmail.domain because even after 2+ years of feature requests by countless people, plesk/lets encrypt does not issue ssl certs that will cover a mail.domain server setup. Seems incredible but here we are.
 
If you're talking about for accessing webmail then yes you will need to have an A record for webmail.domain.tld but otherwise if you're using mail.domain.tld just for configuring an email client you could use that but you'll need to get a wildcard cert issue for it to work and choose to secure pop/imap/smtp with it.
 
Back
Top