2. Table of Contents
2
Introduction
Configuration of the Password’s
Strength
Enable Greylisting
Enable cPHulk
SMTP Restrictions
Exim Configuration Manager
Tweak Settings
Max Hourly Emails Per Domain
Max Hourly Emails Per Domain (Continued)
Account-Specific Max Hourly Emails Per
Domain Settings
Prevent “nobody” from Sending Mail
The Percentage of Email Messages (above
the Account's Hourly Maximum) to Queue
and Retry for Delivery
Maximum Percentage of Failed or Deferred
Messages a Domain May Send Per Hour
Maximum Percentage of Failed or Deferred
Messages a Domain May Send Per Hour
(Continued)
Initial Default/Catch-All Forwarder
Destination
PHP Configuration
3. The aim of this PPT is to provide information on the best practices that need to be followed to ensure
the prevention of email abuse on a cPanel & WHM server. cPanel & WHM is meant for automating
tasks related to web hosting for Linux operating system.
The “Best Website Hosting Company”, the “Best Cloud Hosting Company”, the “Best Reseller Hosting
Company”, etc., these are some of the terms that are used to refer to those hosting service providers
that excel in providing hosting service. Hosting service is provided by web hosting companies and
ensures that websites are always accessible and up and running without any issues.
3
Introduction
4. Increasing the minimum password strength with regard to the mail accounts of the users, results in a
decrease in the risk of a hacker guessing the passwords correctly. The Password Strength
Configuration interface ofWHM needs to be used for defining the minimum password strength for the
mail accounts of the users. It is recommended that the default minimum password strength be set to at
least 50.
WHM >> Home >> Security Center >> Password Strength Configuration
4
Configuration of the Password’s Strength
5. Enabling the service of Greylisting helps protect a server against spam or unwanted email.When this
service has been enabled, any email from a sender that is unrecognized by the server, is temporarily
rejected by the mail server. In the event that the email is legit, there are attempts to resend it by the
originating server, after a delay. Once enough time has passed, the email is accepted by the server.
In order to enable this feature, you need to navigate to the Greylisting interface of WHM and then
click Off to toggle the status of the feature.
WHM >> Home >> Email >> Greylisting
5
Enable Greylisting
6. Protection against brute force attacks for a server is ensured by cPHulk. Enabling cPHulk helps to
reduce the chances of brute force attack being used by a hacker for gaining access to the mail accounts
of a server.
You need to navigate to the CPHulk Brute Force Protection interface ofWHM, for enabling this
feature.Then you need to click Off in order to toggle the status of the feature.
WHM >> Home >> Security Center >> CPHulk Brute Force Protection
6
Enable cPHulk
8. Spammers cannot interact directly with the remote mail servers when SMTP Restrictions feature is
enabled. Moreover, they cannot work around the settings for mail security either.You need to navigate
to the SMTP Restrictions interface in WHM and click Enable in order to enable this feature.
WHM >> Home >> Security Center >> SMTP Restrictions
The outgoing email connection attempts to the MTA (Mail Transfer Agent), the root user and to the
mailman system user are restricted by this feature. Moreover, this feature makes sure that both scripts
and users use the sendmail binary of Exim.
8
SMTP Restrictions
9. Numerous options with regard to spam and abuse prevention are provided by the Exim Configuration
Manager interface ofWHM.
WHM >> Home >> Service Configuration >> Exim Configuration Manager
9
SMTP Restrictions
10. Certain settings that are present in the Mail section of the Tweak Settings interface inWHM, aid in
preventing email abuse.These settings are mentioned in the following slides.
10
Tweak Settings
11. This setting serves the purpose of specifying the maximum number of emails which can be sent by each
domain in every hour. Its default setting is Unlimited.The following points need to be mentioned in this
context:
Email send limits are enforced by the system only on remote email deliveries.
This setting will not appear if the Exim Mail Server service in the Service Manager interface ofWHM is
disabled.WHM >> Home >> Service Configuration >> Service Manager
This setting will not function if the Eximstats driver in the Service Manager interface ofWHM is
disabled.WHM >> Home >> Service Configuration >> Service Manager
This setting doesn’t override the below-mentioned settings:
Maximum Hourly Email by Domain Relayed
Maximum percentage of failed or deferred messages a domain may send per hour
It is recommended that such a value be specified that is not Unlimited in order to prevent email abuse.
11
Max Hourly Emails Per Domain
12. If the option for Max Hourly Emails Per Domain is set to 500, then each of the hosted domains can
send 500 email messages in every hour.You can use the setting, the percentage of email messages
(above the account’s hourly maximum) to queue and retry for delivery, for specifying a soft limit.
12
Max Hourly Emails Per Domain (Continued)
13. When you want to specify values for an individual package or an individual account, you need to use
the Edit a Package interface of WHM or the Modify an Account interface ofWHM.
WHM >> Home >> Packages >> Edit a Package
Or
WHM >> Home >> Account Functions >> Modify an Account
You need to carry out the below-mentioned steps for manually editing the cpuser file, in order to
enable this setting from the command line.
Open the file, /var/cpanel/users/username from the command line. In it, the term “username”
represents the desired account username.
Add the MAX_EMAIL_PER_HOUR key in this file and specify the selected username’s value.
Run the script, /usr/local/cpanel/scripts/updateuserdomains
13
Account-Specific Max Hourly Emails Per
Domain Settings
14. This setting makes sure that the nobody user is denied the ability to send mail to a remote address.
The default setting is set to On. It is recommended that you select the On option to prevent email
abuse. It is the PHP and CGI scripts, which usually run as the nobody user. You need to enable the
suEXEC or mod_php modules in the Apache configuration in order to use a PHP or CGI script to
send mail.
14
Prevent “nobody” from Sending Mail
15. It is specified by this setting if the outgoing messages for later delivery should be queued, once a
domain reaches its limit with regard to outgoing messages per hour. This setting’s minimum value is
100 and its maximum value is 10,000.
The following key points need to be mentioned in this context:
This option needs to be set to 100 in order to force the failure of all outgoing messages, once the
domain reaches its limit.
This setting will not appear if the Exim Mail Server service in the Service Manager interface ofWHM is
disabled.WHM >> Home >> Service Configuration >> Service Manager
This setting will not function if the Eximstats driver in the Service Manager interface ofWHM is
disabled.WHM >> Home >> Service Configuration >> Service Manager
15
The Percentage of Email Messages (above the Account's Hourly
Maximum) to Queue and Retry for Delivery
16. Through this setting the maximum percentage of failed or deferred messages, which might be sent by your
domain in every hour, can be specified.The default for this setting is set to Unlimited. Outgoing mails from a
domain are temporarily blocked by your server, when both of the below-mentioned conditions are true.
The number of failed or deferred messages sent by the domain equals that specified in the setting,
Number of failed or deferred messages a domain may send before protections can be triggered.
In the total number of sent messages, the percentage of failed or deferred messages is equal to or
greater than the percentage that has been specified.
All outgoing and local mail, for the previous hour, are examined by the system for determining if these
conditions are met.When only one of the above-mentioned conditions is true, outgoing mail isn’t blocked
by the system.
16
Maximum Percentage of Failed or Deferred Messages a Domain May Send Per Hour
17. Maximum Percentage of Failed or Deferred Messages a Domain May Send Per Hour (Continued)
17
Maximum Percentage of Failed or Deferred Messages
a Domain May Send Per Hour (Continued)
18. The initial forwarding destination with regard to the default/catch-all email addresses for new accounts is specified by this
setting. Emails received by the non-existent users on a server’s domain are handled by the default address. It is recommended
that this setting be changed from System account (default) to Fail, if a lot of spam is being received on the default accounts. The
default setting for newly-created accounts is changed by this setting. The following steps need to be carried out for changing
this setting for an existing account:
Log in to the specific cPanel account or navigate to the cPanel interface of the account through the List Accounts
interface of WHM. WHM >> Home >> Account Information >> List Accounts
Navigate to the Default Address interface of cPanel. cPanel >> Home >> Email >> Default Address
Select from the menu, Send all unrouted email for the following domain, that domain for which you need to set a default
address.
Select the option, Discard the email while your server processes it by SMTP time with an error message. This option
sends an error message to the sender.
Enter an error message in the text box, Failure Message (seen by sender)
Click Change.
18
Initial Default/Catch-All Forwarder Destination
19. Server security can be improved by configuring PHP and suEXEC, ModRuid2, or suPHP. Through this configuration you
can have information regarding which users run which processes system-wide. It needs to be mentioned here that
suEXEC should not be enabled with ModRuid2, as suEXEC isn’t compatible with it.
CGI applications are forced by ModRuid2 and suPHP to run as the cPanel account user. Moreover, some of the
POSIX.1e capabilities are exploited by ModRuid2 in order to ensure performance enhancements over the default
suEXEC configuration of Apache. CGI and PHP applications are forced by the suEXEC Apache module to run as the
cPanel account user.
19
PHP Configuration