Tutorial SMTP Restrictions (WHM) versus SMTP_BLOCK (CSF)

Comparing the SMTP Restrictions option in WHM with the SMTP_BLOCK feature included with CSF.

    Overview
    When securing your server against outbound spam, you might consider enabling the SMTP Restrictions option in WHM or, if you have the third-party ConfigServer Security & Firewall (CSF) plugin installed, its SMTP_BLOCK feature. This article explains how each of these affects the server. Both restrict which local users may open outbound connections on the common mail ports (25, 465 and 587), but there are some differences to be aware of.

    Important Notice: If CSF is installed on the server, it is strongly recommended to use its SMTP_BLOCK feature instead of the SMTP Restrictions option within WHM. CSF can remove rules that are not explicitly defined in its own configuration files. As such, rules added via the SMTP Restrictions could be lost when CSF restarts or reloads the rules. In some cases, this could cause problems with all outbound mail.

    SMTP Restrictions (within WHM)
    The SMTP Restrictions feature is controlled through Web Host Manager. When it is enabled, only the root user, the Mail Agent, and the Mailman service are allowed to make outgoing connections on ports 25, 465, and 587. Any other user's connection to those ports is redirected back to the server itself (a nat-table REDIRECT rule that keeps the original destination port), so it lands on the local Exim rather than the remote host. The owner matches in the rules are numeric, so the IDs differ from server to server; getent passwd 202 or getent group 990 will tell you which account a given rule covers. You can see this for yourself here:

    First the rules that are added to the firewall when this is enabled:
    Code:
    [root@test ~]#echo "nat table:" ; iptables -t nat --line-numbers -nL OUTPUT ; echo "filter table:" ; iptables -t filter --line-numbers -nL  OUTPUT
    nat table:
    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination
    1    RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner GID match 990
    2    RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner GID match 12
    3    RETURN     tcp  --  0.0.0.0/0            127.0.0.1            multiport dports 25,465,587 owner UID match 202
    4    RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner UID match 0
    5    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587
    filter table:
    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination
    1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner GID match 990
    2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner GID match 12
    3    ACCEPT     tcp  --  0.0.0.0/0            127.0.0.1            multiport dports 25,465,587 owner UID match 202
    4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner UID match 0
    
    Connecting as the root user:
    Code:
    [root@test ~]# telnet mx1.cpanel.net 25
    Trying 208.74.121.68...
    Connected to mx1.cpanel.net.
    Escape character is '^]'.
    220-mx1.cpanel.net ESMTP Exim 4.92 #2 Fri, 12 Apr 2019 05:40:18 -0500
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
    Connecting as a normal user:
    Code:
    [user@test ~]$ telnet mx1.cpanel.net 25
    Trying 208.74.121.68...
    Connected to mx1.cpanel.net.
    Escape character is '^]'.
    220-test.server ESMTP Exim 4.91 #1 Fri, 12 Apr 2019 12:26:32 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
    As you can see, when connecting as the user, the banner names the server itself (test.server) rather than mx1.cpanel.net: the connection was redirected back to the local Exim. This forces users to send any outgoing messages through the server's own mail service.

    This setting is enabled or disabled server-wide and affects all users on the server. You can manage it either via the "SMTP Restrictions" option in WHM (Home >> Security Center >> SMTP Restrictions) or through "Tweak Settings" (Home >> Server Configuration >> Tweak Settings) on the "Mail" tab.

    SMTP_BLOCK (within CSF)
    SMTP_BLOCK is a feature of CSF, available once CSF is installed, that is very similar to the SMTP Restrictions option in WHM. It adds its own iptables chain (SMTPOUTPUT) of rules that decide which users can create outgoing connections on ports 25, 465, and 587.

    First, the rules that are added to the firewall:
    Code:
    [root@test ~]# iptables -nL SMTPOUTPUT
    Chain SMTPOUTPUT (1 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner GID match 989
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner GID match 12
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner UID match 202
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner UID match 0
    LOGDROPOUT  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587
    Whereas SMTP Restrictions redirects the connection back to the server, the SMTP_BLOCK feature rejects the connection by default: the final LOGDROPOUT rule logs the attempt and refuses it, which is why a blocked client sees "Connection refused". Note that the first ACCEPT rule above shows no owner match; iptables -nL omits the in/out interface columns, so run iptables -nvL SMTPOUTPUT to see the full match of each rule. You can see this behavior for yourself here:

    Connecting as the root user:
    Code:
    [root@test ~]# telnet mx1.cpanel.net 25
    Trying 208.74.121.68...
    Connected to mx1.cpanel.net.
    Escape character is '^]'.
    220-mx1.cpanel.net ESMTP Exim 4.92 #2 Fri, 12 Apr 2019 07:31:24 -0500
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
    Connecting as a normal user:
    Code:
    [user@test ~]$ telnet mx1.cpanel.net 25
    Trying 208.74.121.68...
    telnet: connect to address 208.74.121.68: Connection refused
    It is important to note that SMTP_BLOCK is independent of the WHM setting: even if SMTP Restrictions are disabled, SMTP_BLOCK will still prevent users from connecting to external mail services for as long as it is enabled.
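    The telnet checks shown above for both features, turned into a small probe that reports which behaviour a connection actually gets. This is an added example, not code from the article, cPanel or ConfigServer. It connects to a mail server as whatever user runs it, reads the SMTP greeting, and reports one of: allowed (the remote host answered), redirected (the greeting names this server, as with SMTP Restrictions), refused (as with SMTP_BLOCK), or timeout (a silently dropping rule). Because the iptables owner match applies to the probe's own UID, run it once as root and once as an ordinary user and compare. The local hostnames it recognises default to socket.gethostname()/getfqdn(), and the helpers serve_banner_once and closed_loopback_port exist only so the classification can be exercised offline against a constructed banner copied from the article; they are not part of any real MTA.

```python
"""Probe what happens when THIS user opens an outbound SMTP connection."""
import re
import socket
import sys
import threading
from typing import Iterable, Optional

# Constructed sample: the greeting the article shows for a redirected user.
SAMPLE_LOCAL_BANNER = (
    "220-test.server ESMTP Exim 4.91 #1 Fri, 12 Apr 2019 12:26:32 +0000\r\n"
    "220-We do not authorize the use of this system to transport unsolicited,\r\n"
    "220 and/or bulk e-mail.\r\n"
)


def read_banner(sock: socket.socket, limit: int = 4096) -> str:
    """Read the SMTP greeting; a multi-line greeting ends with a '220 ' line."""
    data = b""
    try:
        while len(data) < limit:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
            if data.endswith(b"\n") and re.search(rb"(?m)^220 ", data):
                break
    except socket.timeout:
        pass  # classify whatever arrived before the read timed out
    return data.decode("utf-8", "replace")


def classify_banner(banner: str, local_names: Iterable[str]) -> str:
    """'redirected' if the advertised hostname is one of ours, else 'allowed'."""
    m = re.match(r"220[- ](\S+)", banner)
    if not m:
        return "no-banner"
    ours = {n.lower() for n in local_names}
    return "redirected" if m.group(1).lower() in ours else "allowed"


def probe(host: str, port: int = 25, timeout: float = 5.0,
          local_names: Optional[Iterable[str]] = None) -> str:
    """Connect as the current user and classify the outcome."""
    names = set(local_names) if local_names else {socket.gethostname(),
                                                  socket.getfqdn()}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = read_banner(s)
    except ConnectionRefusedError:
        return "refused"          # REJECT-style block (CSF SMTP_BLOCK default)
    except (socket.timeout, TimeoutError):
        return "timeout"          # DROP-style block or unreachable host
    except OSError as exc:
        return f"error:{exc.errno}"
    return classify_banner(banner, names)


# --- offline test helpers (hypothetical stand-ins, not a real MTA) ---------
def serve_banner_once(banner: str) -> int:
    """Start a throwaway loopback listener that greets one client with `banner`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(banner.encode())

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_loopback_port() -> int:
    """Return a loopback port nothing is listening on (to provoke 'refused')."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: smtp_probe.py <mail-host> [port]")
    target, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25
    print(f"{target}:{port} -> {probe(target, port)}")
```

    A "redirected" verdict relies on the local Exim announcing the server's hostname in its greeting; if the banner has been customised, pass the expected local name(s) in local_names.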

    The SMTP_BLOCK function has its own additional configuration options in the csf.conf file (usually located at /etc/csf/csf.conf). For example, the "SMTP_ALLOWUSER" and "SMTP_ALLOWGROUP" variables define the users and groups that are allowed to bypass the restriction, which lets you exclude specific accounts that need to send through an external server. The "SMTP_PORTS" variable specifies which mail ports are restricted; this is useful if you relay through a smarthost on an alternate port and want to limit access to that port as well. You can also redirect connections instead of rejecting them by enabling the "SMTP_REDIRECT" option. After editing csf.conf, restart CSF with csf -r so the new rules are loaded.

    Please note that we do not provide technical support for CSF; it is developed by a third party, and the behavior and availability of this feature may change without notice. If you have trouble with the SMTP_BLOCK feature, run the built-in CSF test script to confirm that the required iptables modules are available. For a standard installation, the script is at:
    Code:
    /etc/csf/csftest.pl
    If you continue to have trouble, you should try contacting ConfigServer for assistance.

    Summary
    While very similar in function, the two features differ in ways that can be confusing if you are not aware of them. Primarily, SMTP Restrictions redirects a non-exempt user's connection on the mail ports back to the local server, while SMTP_BLOCK refuses the connection entirely (unless SMTP_REDIRECT is enabled).

    If you want to disable this kind of protection entirely, you would need to ensure that both the SMTP_BLOCK and SMTP Restrictions features were disabled.
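    A quick way to confirm which of the two protections is actually in force is to audit the rule listings themselves. The script below is an added example, not part of the article, cPanel or CSF: it parses `iptables -nL` output in the format shown in this article, reports the mode applied to non-exempt users ("redirect" for an ownerless nat REDIRECT as installed by SMTP Restrictions, "reject" for a terminal LOGDROPOUT/DROP/REJECT as installed by SMTP_BLOCK) and lists the UID/GID owners that are exempt. The sample listings embedded in it are constructed from the article's own output; the `--live` flag (an assumption of this script, not an iptables option) runs the three iptables commands as root and audits the real chains.

```python
"""Audit outbound-SMTP firewall rules from `iptables -nL` output."""
import re
import subprocess
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

MAIL_PORTS = {25, 465, 587}
DENY_TARGETS = {"LOGDROPOUT", "DROP", "REJECT"}

# Optional `num` column (from --line-numbers), then the fixed iptables columns.
RULE_RE = re.compile(
    r"^(?:\d+\s+)?(?P<target>\S+)\s+(?P<prot>\S+)\s+(?P<opt>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<rest>.*)$")
DPORTS_RE = re.compile(r"multiport dports (?P<ports>[\d,]+)")
OWNER_RE = re.compile(r"owner (?P<kind>UID|GID) match (?P<id>\d+)")

# Constructed samples copied from the listings in this article.
WHM_SAMPLE = """\
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner GID match 990
2    RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner GID match 12
3    RETURN     tcp  --  0.0.0.0/0            127.0.0.1            multiport dports 25,465,587 owner UID match 202
4    RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner UID match 0
5    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner GID match 990
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner GID match 12
3    ACCEPT     tcp  --  0.0.0.0/0            127.0.0.1            multiport dports 25,465,587 owner UID match 202
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner UID match 0
"""
CSF_SAMPLE = """\
Chain SMTPOUTPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner GID match 989
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner GID match 12
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner UID match 202
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner UID match 0
LOGDROPOUT  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587
"""


@dataclass
class Rule:
    target: str
    dports: Set[int]
    owner: Optional[Tuple[str, int]]   # ("UID", 0), ("GID", 12) or None
    destination: str


@dataclass
class Verdict:
    modes: Set[str] = field(default_factory=set)                 # "redirect"/"reject"
    exempt: Set[Tuple[str, int, str]] = field(default_factory=set)  # kind, id, dst


def parse_listing(text: str) -> List[Rule]:
    """Parse one or more concatenated `iptables -nL` chain listings."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Chain ", "num ", "target ")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        d = DPORTS_RE.search(m["rest"])
        ports = {int(p) for p in d["ports"].split(",")} if d else set()
        o = OWNER_RE.search(m["rest"])
        owner = (o["kind"], int(o["id"])) if o else None
        rules.append(Rule(m["target"], ports, owner, m["dst"]))
    return rules


def audit(rules: List[Rule]) -> Verdict:
    """Summarise what a non-exempt process can do on the mail ports."""
    v = Verdict()
    for r in rules:
        if not (r.dports & MAIL_PORTS):
            continue
        if r.owner and r.target in ("ACCEPT", "RETURN"):
            v.exempt.add((r.owner[0], r.owner[1], r.destination))
        elif r.owner is None and r.target == "REDIRECT":
            v.modes.add("redirect")
        elif r.owner is None and r.target in DENY_TARGETS:
            v.modes.add("reject")
    return v


def describe(v: Verdict) -> str:
    if not v.modes:
        return "no outbound SMTP restriction found"
    who = ", ".join(f"{k} {i}" + (f" (to {d} only)" if d != "0.0.0.0/0" else "")
                    for k, i, d in sorted(v.exempt))
    return f"mode(s): {', '.join(sorted(v.modes))}; exempt owners: {who}"


def live_listing() -> str:
    """Collect the three chains this article discusses from the running firewall."""
    cmds = (["iptables", "-t", "nat", "-nL", "OUTPUT"],
            ["iptables", "-nL", "OUTPUT"], ["iptables", "-nL", "SMTPOUTPUT"])
    return "".join(subprocess.run(c, capture_output=True, text=True).stdout
                   for c in cmds)


if __name__ == "__main__":
    text = live_listing() if "--live" in sys.argv[1:] else WHM_SAMPLE + CSF_SAMPLE
    print(describe(audit(parse_listing(text))))
```

    Run it with `--live` as root on the server in question; without arguments it audits the article's own samples, which reports both modes because the two listings came from differently configured test servers. You can also pipe any `iptables -nL` output into parse_listing from your own tooling.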

    Questions/Feedback
    Feel free to click on the Discussion tab to let us know if you have any questions or feedback about the information in this tutorial.