Keep Webmail Feature but remove public login via browser

durangod

Well-Known Member
May 12, 2012
505
46
78
cPanel Access Level
Website Owner
Hi,

I dont want to remove the webmail feature as i want to still use the internal email accounts. But what i would like to do is to remove the public web login for webmail (i think its port 2095).

I just want to access the webmail through cPanel only and not directly via broswer. How do i restrict or block that webmail login page?

Can i just block 2095 in the csf firewall?

thanks :)
 
Last edited:

durangod

Well-Known Member
May 12, 2012
505
46
78
cPanel Access Level
Website Owner
Ok ill try to block it in the csf like so

Code:
iptables -A INPUT -p tcp --dport 2095 -j DROP
iptables -A INPUT -p tcp --dport 2096 -j DROP
i have also removed 2095 and 2096 from the ip section in csf

i also restarted csf and lfd but i can still bring up the browser page for 2096

anyone got an idea how to block this access? thanks
 
Last edited:

durangod

Well-Known Member
May 12, 2012
505
46
78
cPanel Access Level
Website Owner
well that effort didnt work with the ip tables, it still comes up no matter what. Boy i sure would like to stop that webmail page from loading, i have never ever accessed webmail that way and i dont plan to. And this is only me on the server, no other users.
 

durangod

Well-Known Member
May 12, 2012
505
46
78
cPanel Access Level
Website Owner
Update and plan b to this... i thought well if i can find the template or html file ill just comment out the login inputs and that will take care of that issue, no inputs no cracking... So basically you break it to secure it.

one step closer i found the html login page and commented out the login inputs to test to see if this was the right file and clear CF cache but still nothing the page still loads.

why would there be a webmail login html file if its not used wth... Maybe there is whm cache of some kind. Do i need to clear some whm cache?

the file is in /usr/local/cpanel/base/unprotected and its called login_webmaild.html as far as i know this has to be the right file for the webmail login page for public..
 

durangod

Well-Known Member
May 12, 2012
505
46
78
cPanel Access Level
Website Owner
ok here we go how does this look....

nowebmailforyou.jpg

so no inputs means no access authorized or not... thats what we want...


Basically cpanel uses one file for all login page content, they just pick and choose the words used depending on the access (ie whm, webmail, cpanel), i dont know what language that is being used with the html but i was able to figure out how to use it rather quickly with my coding experience. If someone knows what language that is tell me as i would be interested in learning it. Is that java?

I just added and if statement around the inputs and gave it an else. At first i did not plan to have an else statement but since js autofocuses on the id="user" and without it, it gives an error that it cant focus. So i just gave it what it wanted (something with an id of user) and that is my (else) div id. So that took care of the js requirement and no more error.

So to show you the page source ill show you that section of this on the page source. If i knew what language this was i could put the comments so they dont show on the source but i tried using # for comments and did not work. So i used html comment code...

nowebmailforyou_source.jpg

and then here is the file that i changed. Now i assume ill have to redo this every time there is a whm update but its worth it to me. On day maybe cPanel will have some feature added where we can turn off login to public webmail and we wont have to edit core files. :)

Just so i dont show too much of the file here ill just show my part that i edited. It starts at line 174 which is the beginning of the form.

/usr/local/cpanel/base/unprotected/cpanel/templates/login.tmpl

I did test this and it does allow login to cpanel and whm, just not webmail...

here is my code.

HTML:
                           <form novalidate id="login_form" action="/login/" method="post" target="[% login_target %]" style="visibility:[% linked_users.size ? 'hidden' : '' %]">

<!-- modifed by dave to prevent login on webmail browser page that faces public added if code   -->
                                [% IF app_name != "webmaild" %]

                                <div class="input-req-login"><label for="user">[% IF app_name=="webmaild" %][% locale.maketext('Email Address') %][% ELSE %][% locale.maketext('Username') %][% END %]</label></div>
                                <div class="input-field-login icon username-container">
                                    <input name="user" id="user" autofocus="autofocus" value="[% user.html() %]" placeholder="[% IF app_name=="webmaild" %][% locale.maketext('Enter your email address.') %][% ELSE %][% locale.maketext('Enter your username.') %][% END %]" class="std_textbox" type="text" [% allow_login_autocomplete ? '' : 'autocomplete="off"' %] tabindex="1" required>
                                </div>

<!-- this end code added by dave -->
                                 [% ELSE %] <div id="user"> <span>[% locale.maketext('Sorry not authorized - move on please !') %]</span></div>
                                  [% END %]
<!-- end of username input mod -->

<!-- modifed by dave to prevent login on webmail browser page that faces public added if code   -->
                                [% IF app_name != "webmaild" %]


                                <div class="input-req-login login-password-field-label"><label for="pass">[% locale.maketext('Password') %]</label></div>
                                <div class="input-field-login icon password-container">
                                    <input name="pass" id="pass" placeholder="[% IF app_name=="webmaild" %][% locale.maketext('Enter your email password.') %][% ELSE %][% locale.maketext('Enter your account password.') %][% END %]" class="std_textbox" type="password" tabindex="2" [% allow_login_autocomplete ? '' : 'autocomplete="off"' %] required>
                                </div>

<!-- this end code added by dave -->
                                  [% END %]
<!-- end of username input mod -->



                                <div class="controls">
                                    <div class="login-btn">
<!-- modifed by dave to prevent login on webmail browser page that faces public added if code   -->
                                [% IF app_name != "webmaild" %]


                                        <button name="login" type="submit" id="login_submit" tabindex="3">[% locale.maketext('Log in') -%]</button>

<!-- this end code added by dave -->
                                  [% END %]
<!-- end of username input mod -->


                                    </div>
and here is the file:
 

Attachments

Last edited:

24x7server

Well-Known Member
Apr 17, 2013
1,911
99
78
India
cPanel Access Level
Root Administrator
Twitter
I just want to access the webmail through cPanel only and not directly via broswer. How do i restrict or block that webmail login page?
The simple way is to remove ports 2095 and 2096 from the csf.conf file and allow ports 2095 and 2096 ports to your machine's public IP only in the csf.allow section
-------------- --------------
tcp|in|d=2095|d=xx.xx.xx.xx
tcp|in|d=2096|d=xx.xx.xx.xx
-------------- --------------
replace xx.xx.xx.xx with your static IP from where you want to access it..
 

durangod

Well-Known Member
May 12, 2012
505
46
78
cPanel Access Level
Website Owner
Hi, thanks for the reply.... thats one of the main challenges is that i dont have a static ip and it costs $500 to get one from verizon. So i needed to find another solution, im not a big fan of modding core files but its all i had to go on for now.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,274
1,284
313
Houston
Hi @durangod


Because accessing webmail uses that page even when you access through cPanel you removing that page wouldn't be possible. You could disable webmail which wouldn't affect your mail client, you could also close 2096/2095 but that would disable webmail as well.