using 3rd party email provider, close incoming smtp question

Post Reply
futureH
Junior Member
Posts: 9
Joined: 20 Sep 2019, 12:54

using 3rd party email provider, close incoming smtp question

Post by futureH »

If you have a WHM/cPanel VPS and

mx is set to use a third party email provider such as Zoho or gsuite for email and
the VPS only sends outgoing email from web scripts, CSF/LFD and cpanel,
then is incoming SMTP actually required?

If not, how does one lock it down [and any ports that can be closed off] to help stop bots/hackers?
BallyBasic79
Junior Member
Posts: 80
Joined: 22 Aug 2019, 21:43

Re: using 3rd party email provider, close incoming smtp question

Post by BallyBasic79 »

This is good, critical thinking. :cool:

Given a cPanel server, it presumably uses Exim as the mail transfer agent (MTA). That handles both sending and receiving email so it cannot be shut off.

But if you have no need to receive email on that machine, you should be able to shut down the mail delivery agent (MDA) aka mail server, such as Dovecot or Postfix. In WHM, go to Home »Service Configuration »Mailserver Configuration and deselect all of the protocols.
Note: If you do not select a checkbox, the system will operate in authentication-only mode.
While you are there, (actually, EVERYONE should do this), set
Allow Plaintext Authentication (from remote clients) to "No"
This setting will allow remote email clients to authenticate using unencrypted connections. When set to “no”, only connections originating on the local server will be allowed to authenticate without encryption. Selecting “no” is preferable to disabling IMAP in the Protocols Enabled section since it will force remote users to use encryption while still allowing webmail to function correctly.
With no need to login to fetch mail, you can remove from allowed access in CSF the standard POP3 and IMAP ports including:

Code: Select all

PORTS_pop3d = "110,995"  # remove
PORTS_imapd = "143,993"  # remove
Note that even when just sending email, it is still a two-way conversation between the sending and receiving servers. This means that you still need to keep open:

Code: Select all

PORTS_smtpauth = "25,465,587"  # keep
PORTS_eximsyntax = "25,465,587"  # keep
I see the standard Exim config on several of my servers listen on ports 25, 26, 487, 587. You could probably whittle these down through some careful work, but tightening the firewall should be just as effective. I suggest:

Code: Select all

###############################################################################
# SECTION:SMTP Settings
###############################################################################
# Block outgoing SMTP except for root, exim and mailman (forces scripts/users
# to use the exim/sendmail binary instead of sockets access). This replaces the
# protection as WHM > Tweak Settings > SMTP Tweaks
#
# This option uses the iptables ipt_owner/xt_owner module and must be loaded
# for it to work. It may not be available on some VPS platforms
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
SMTP_BLOCK = "1"

# This is a comma separated list of the ports to block. You should list all
# ports that exim is configured to listen on
SMTP_PORTS = "25,465,587,26"

###############################################################################
# SECTION:Login Failure Blocking and Alerts
###############################################################################
# [*]Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = "1"
LF_SMTPAUTH_PERM = "172800"

# [*]Enable syntax failure detection of Exim connections
LF_EXIMSYNTAX = "1"
LF_EXIMSYNTAX_PERM = "172800"

# [*]Enable login failure detection of pop3 connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_POP3D = "1"
LF_POP3D_PERM = "172800"

# [*]Enable login failure detection of imap connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_IMAPD = "1"
LF_IMAPD_PERM = "172800"

Note that with no services running at the standard email ports, the probers will get no response and should buzz off. But just because there's no service there won't keep them from trying. Also, they are usually probing those ports with others so setting a really low threshold on these blocks (basically any password attempt) will block them well (especially also with tracking port knocking and scan tracking.)

It's a matter of what you want to track in your logs: attempts or blocks.

Does this answer your question? HTH
futureH
Junior Member
Posts: 9
Joined: 20 Sep 2019, 12:54

Re: using 3rd party email provider, close incoming smtp question

Post by futureH »

BallyBasic79 wrote: 26 Sep 2019, 01:32 This is good, critical thinking. :cool:


Does this answer your question? HTH
:) Thank you for your compliment and comprehensive answer!

I already had IMAP and POP3 unchecked in WHM but WHM states
Note: LMTP is required and you cannot disable it.
Also interesting: https://forums.cpanel.net/threads/why-c ... ed.577591/

Also had Allow Plaintext Authentication (from remote clients) to "No"


PORTS_pop3d = 110,995 (removed ports)
PORTS_imapd = 143,993 (removed ports)


re: Block outgoing SMTP except for root, exim and mailman (forces scripts/users
# to use the exim/sendmail binary instead of sockets access). by use of
SMTP_BLOCK = "1"
- I was hoping to avoid this one given there are a number of emails generated via php on the VPS and the learning curve to forces scripts/users to use the exim/sendmail binary!

I had the attempts set to 1 but have increased the timeout periods like yours as 1 second really doesn't stop them!
LF_SMTPAUTH = "1"
LF_SMTPAUTH_PERM = "172800"
BallyBasic79
Junior Member
Posts: 80
Joined: 22 Aug 2019, 21:43

Re: using 3rd party email provider, close incoming smtp question

Post by BallyBasic79 »

You are welcome. I have SMTP_BLOCK = "1" on several servers sending lots of mail with php scripts. You might enable it and trigger a script to confirm whether it will be a problem or not.
# If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently
# block the IP address, or LF_TRIGGER_PERM can be set to a value greater than
# "1" and the IP address will be blocked temporarily for that value in seconds.
# For example:
# LF_TRIGGER_PERM = "1" => the IP is blocked permanently
# LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour
Your setting of LF_TRIGGER_PERM = "1" should be permanent.

Presuming LF_TRIGGER = "0", then LF_XXXX_PERM > 0 is the amount of temp block.
• 1= permanent
• 172800 = 48 hours.

See you in the future!
futureH
Junior Member
Posts: 9
Joined: 20 Sep 2019, 12:54

Re: using 3rd party email provider, close incoming smtp question

Post by futureH »

BallyBasic79 wrote: 26 Sep 2019, 03:34 You are welcome. I have SMTP_BLOCK = "1" on several servers sending lots of mail with php scripts. You might enable it and trigger a script to confirm whether it will be a problem or not.
Good point! Guess I was a little scared/nervous to do so, but it worked just fine after testing with 'lost password' function for a forum,

You champion, thank you!
BallyBasic79
Junior Member
Posts: 80
Joined: 22 Aug 2019, 21:43

Re: using 3rd party email provider, close incoming smtp question

Post by BallyBasic79 »

"Test and See" should be the mantra in these forums! ;)
futureH
Junior Member
Posts: 9
Joined: 20 Sep 2019, 12:54

Re: using 3rd party email provider, close incoming smtp question

Post by futureH »

Just in case anyone else comes across this topic, according to this:
https://serverfault.com/questions/14990 ... ail-server
"Actually, port 25 is also needed to send emails, it's used by mail servers to communicate with each other. It's the only outgoing port needed if your server only send emails."

So perhaps [ie., untested] ports 465 and 587 can be removed from the relevant setting[s] in CSF such as
TCP_IN
TCP_OUT

and perhaps other settings.
Post Reply