AndyB78

Well-Known Member
Oct 7, 2003
88
3
158
Romania
cPanel Access Level
Root Administrator
Hello,

First, allow me to apologize for all the noob questions/assumptions below. I am 100% new to hookable events.

The problem I am trying to solve
Naturally, when a customer is sending spam (voluntarily or, as in most cases, involuntarily), we suspend the affected email account. The problem is that there are reckless/ill-advised/thick-skinned/confused customers that simply reactivate the email account without solving the underlying problem. Naturally the spam resumes.

What I am trying to do
I am trying to find a way to prevent the above problem by denying the unsuspension of email accounts suspended (programmatically or not) for spam right upon the unsuspension attempt, so a custom error is returned to the customer attempting this (or at least even a generic error).

Questions:
1. Generally speaking, are hookable events the way to accomplish this, or have I completely misunderstood what hookable events are?
2. Is there an appropriate hookable event for this?

Additional question:
3. Is there a better or at least easier way to solve this?

Thanks!
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,267
463

AndyB78

Hi,

Thank you for your feedback. I was aware of this function but I am not trying to suspend the email sending capabilities of the entire cPanel account. I want to obtain the best outcome with minimum impact on the user's activity so I just want to be able to suspend an email account in such a way that it stays suspended.

Is there a way to intercept an attempt from the user to reactivate a suspended email address?

Thanks!
 

cPanelMichael

Hello,

You may want to vote and add feedback to the following feature request, as it's for the functionality you are seeking:

Suspend Outgoing mail for single mail account

As far as using hooks to prevent a cPanel user from unsuspending the login for an email account, you could develop a custom bash script that immediately suspends the login again using the following UAPI function:

UAPI Functions - Email::suspend_login - Software Development Kit - cPanel Documentation

For the purposes of hooks, the corresponding UAPI function when using the "Unsuspend Login" option for email accounts in cPanel is:

UAPI::Email::unsuspend_login

Thus, you'd run your custom bash script as a hook for the unsuspend_login UAPI function using the instructions at:

Guide to Standardized Hooks - Cpanel Functions - Software Development Kit - cPanel Documentation

This would ensure your custom bash script runs automatically anytime someone unsuspends an email account login.

Thank you.
 

AndyB78

Hello,

I've tried this (as a script) but unfortunately it doesn't work in my case. In my case it triggers (successfully) a shell script that is normally working OK. I believe the hooked script doesn't work because it runs under the ownership of the cPanel account from where the hook has triggered and the script needs to access root owned files, scripts from /scripts and UAPI api calls. Do you see any solution to this problem?

Thanks,
Kind regards!
 

AndyB78

Adding the hook with "--escalateprivs 1" solves the problem right there. But how safe is this? The hook action script doesn't take any user input (it takes data from a file NOT inside /home).

I took a look at a couple of servers and I have found only 2 more instances (both for the same third-party app) that had privilege escalation. Right now I am only using this internally, which leads to some security by obscurity (which I know is not real security), but in time it might be offered as an addon or something and I'd like to know how much of a risk this privilege escalation is.
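
An added example, not part of the thread and not cPanel's own code: a sketch of the re-suspend hook for UAPI::Email::unsuspend_login written to run with "--escalateprivs 1", treating the address in the hook payload as untrusted and the root-owned list as the only authority. The list path, the install name, the username pattern, the presence of jq, the uapi binary path and the stdin JSON fields `.data.user` and `.data.args.email` are assumptions to check against the hooks documentation.

```bash
#!/bin/sh
# Added example: post-stage hook for UAPI::Email::unsuspend_login, run as root.
# Hypothetical: LOCK_FILE path and the install name matched on the last line.
# Assumed: jq is installed; stdin JSON carries .data.user and .data.args.email.
LOCK_FILE="${LOCK_FILE:-/root/spam_locked_emails.txt}"   # one address per line
UAPI_BIN="${UAPI_BIN:-/usr/local/cpanel/bin/uapi}"       # assumed path

# The address arrives from the cPanel user's request, so it is untrusted even
# though the script reads its policy from a root-owned file. Strict shape only.
valid_email() {
    case "$1" in
        ''|@*|*@|*@*@*|*[!A-Za-z0-9._+@-]*) return 1 ;;
        *@*) [ "${#1}" -le 254 ] ;;
        *) return 1 ;;
    esac
}

# Conservative username shape (assumption; adjust to local naming rules).
valid_user() {
    case "$1" in ''|[0-9]*|*[!a-z0-9]*) return 1 ;; esac
    [ "${#1}" -le 16 ]
}

# Trust the list only if it is a regular file (not a symlink), owned by the
# effective user (root when escalated) and not group- or world-writable.
list_is_trusted() {
    [ -n "$(find "$1" -prune -type f -user "$(id -u)" \
        ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# Exact whole-line, fixed-string match: input is never used as a pattern.
is_locked() {
    valid_email "$1" && list_is_trusted "$2" && grep -qxF -- "$1" "$2"
}

handle_hook() {
    payload="$(cat)"
    user="$(printf '%s' "$payload" | jq -r '.data.user // empty')"
    email="$(printf '%s' "$payload" | jq -r '.data.args.email // empty')"
    valid_user "$user" || return 0
    is_locked "$email" "$LOCK_FILE" || return 0
    # Values are passed as separate quoted words; nothing is eval'd or sourced.
    "$UAPI_BIN" --user="$user" Email suspend_login email="$email" >/dev/null &&
        logger -t resuspend_hook "re-suspended locked login, user=$user"
}

# Run only when executed under the hypothetical install name.
case "$0" in */resuspend_login_hook) handle_hook ;; esac
```

The script itself should also be root-owned, not writable by anyone else, and kept outside /home, since whatever it contains runs as root on every unsuspend attempt.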