The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Disable SMTP Authentication and not allow open relay

Discussion in 'E-mail Discussions' started by regisit, Apr 1, 2014.

  1. regisit

    regisit Member

    Joined:
    Jul 31, 2013
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Is there a way to disable SMTP Authentication? By that I don't mean create an open relay, I mean just stop attempts to authenticate via SMTP but still allow incoming email on port 25.

    The server is dedicated and for one business only. Mails are sent out from the hosted websites but there should be no inbound emails. Mail accounts on the domains are hosted elsewhere. Ideally we'd block inbound on port 25 completely but our hosting provider requires us to send mail via their relay servers so we have to allow it to deal with any NDRs from their relay cluster. They have an intermittent spam issue so are frequently changing IPs of the relay servers, meaning we can't maintain an accepted list of IPs for inbound mail on port 25.

    We have the CSF firewall and it blocks repeated failed attempts to authenticate, but this results in frequent alerts when a hacker tries to break in via SMTP and an ever extending list of blocked IPs. The simplest solution is to not allow anyone to authenticate on SMTP, because nobody should be, but still allow the hosted sites to send mail out and NDRs from the hosting relays to come back.

    Is there anyway to set this on WHM 11.42?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,830
    Likes Received:
    672
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Could you elaborate more on how the other websites will be sending out email, if not via SMTP? Also, the following thread contains some information you may find useful:

    Blocked Port 25 - Use Another Port

    Thank you.
     
  3. regisit

    regisit Member

    Joined:
    Jul 31, 2013
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    For example, Magento sends mail using Zend Mail which ultimately uses PHP mail. Mails are sent using SMTP but there is no explicit SMTP authentication needed for this.

    Not sure of the relevance of the Blocked Port 25 post? I can't filter incoming port 25 because I don't know the IPs of the relay servers, which are the only IPs we should accept mail from. It doesn't really matter if spammers try to deliver mail - they'll be rejected with invalid recipient as there's no actual mailboxes on the system aside from the default cPanel account mailbox.

    What I was hoping for was a way to reject any SMTP authentication from an external IP, rather blocking IPs once they've failed to authenticate 5 times. As it stands the IP block list will just grow and grow which will surely have an impact on performance over time.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,830
    Likes Received:
    672
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    There are no native features in WHM that will reject SMTP authentication attempts from all external IP addresses. You would have to configure a custom Exim ACL to implement this type of rule. Or, you could block the entire country using CSF as this might be easier than attempting to block the individual IP addresses.

    Thank you.
     
  5. townwebsites

    townwebsites Registered

    Joined:
    Oct 3, 2012
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I need the same capability, we see lfd probing bans on external SMTP logins for client-related emails. The websites can send via SMTP but we never need the port open to outside logins.

    I think the appropriate rephrasing of the question is, how can you change any configserver rules for iptables in a way that integrates with CPanel management of configserver. IE, can we just edit any of the configserver rules as we would on an unmanaged linux install, or are there parts of the configuration where we have to be aware of how CPanel interacts with configserver.

    Thanks,

    Charlie





     
Loading...

Share This Page