This is good, critical thinking.
Given a cPanel server, it presumably uses Exim as the mail transfer agent (MTA). That handles both sending and receiving email, so it cannot be shut off.
But if you have no need to receive email on that machine, you should be able to shut down the mail delivery agent (MDA), aka mail server, such as Dovecot or Postfix. In WHM, go to Home » Service Configuration » Mailserver Configuration and deselect all of the protocols.
Note: If you do not select a checkbox, the system will operate in authentication-only mode.
While you are there (actually, EVERYONE should do this), set Allow Plaintext Authentication (from remote clients) to "No":
This setting will allow remote email clients to authenticate using unencrypted connections. When set to “no”, only connections originating on the local server will be allowed to authenticate without encryption. Selecting “no” is preferable to disabling IMAP in the Protocols Enabled section since it will force remote users to use encryption while still allowing webmail to function correctly.
With no need to log in to fetch mail, you can remove the standard POP3 and IMAP ports from allowed access in CSF, including:
PORTS_pop3d = "110,995" # remove
PORTS_imapd = "143,993" # remove
Note that even when just sending email, it is still a two-way conversation between the sending and receiving servers. This means that you still need to keep these open:
PORTS_smtpauth = "25,465,587" # keep
PORTS_eximsyntax = "25,465,587" # keep
I see the standard Exim config on several of my servers listening on ports 25, 26, 487, 587. You could probably whittle these down through some careful work, but tightening the firewall should be just as effective. I suggest:
###############################################################################
# SECTION:SMTP Settings
###############################################################################
# Block outgoing SMTP except for root, exim and mailman (forces scripts/users
# to use the exim/sendmail binary instead of sockets access). This replaces the
# protection as WHM > Tweak Settings > SMTP Tweaks
#
# This option uses the iptables ipt_owner/xt_owner module and must be loaded
# for it to work. It may not be available on some VPS platforms
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
SMTP_BLOCK = "1"
# This is a comma separated list of the ports to block. You should list all
# ports that exim is configured to listen on
SMTP_PORTS = "25,465,587,26"
###############################################################################
# SECTION:Login Failure Blocking and Alerts
###############################################################################
# [*]Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = "1"
LF_SMTPAUTH_PERM = "172800"
# [*]Enable syntax failure detection of Exim connections
LF_EXIMSYNTAX = "1"
LF_EXIMSYNTAX_PERM = "172800"
# [*]Enable login failure detection of pop3 connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_POP3D = "1"
LF_POP3D_PERM = "172800"
# [*]Enable login failure detection of imap connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_IMAPD = "1"
LF_IMAPD_PERM = "172800"
Note that with no services running on the standard email ports, the probers will get no response and should buzz off. But just because there's no service there won't keep them from trying. Also, they are usually probing those ports along with others, so setting a really low threshold on these blocks (basically any password attempt) will block them well (especially together with port knocking and scan tracking).
It's a matter of what you want to track in your logs: attempts or blocks.
Does this answer your question? HTH
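The checks described in the post above, as an added example that is not part of the original post or of CSF itself: a small POSIX shell audit that reads a csf.conf-style fragment and an `ss -Hltn` style socket listing and reports POP3/IMAP ports that are still allowed inbound, whether SMTP_BLOCK and the LF_* login-failure options are enabled, and which mail ports are both listening and exposed through the firewall. The config fragment and socket listing are constructed inline so it runs offline; the use of TCP_IN as the inbound allow list and the exact key names are taken from CSF's own config, everything else (function names, sample values) is this example's assumption.

```shell
#!/bin/sh
# Added example, not from the original post or from CSF: audit a CSF config
# fragment and a listening-socket listing against the mail hardening above.
# Inputs are constructed inline; on a real server feed it /etc/csf/csf.conf
# and the output of `ss -Hltn`.

# Constructed csf.conf fragment (hypothetical values, one setting per line).
SAMPLE_CSF='TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
SMTP_BLOCK = "0"
SMTP_PORTS = "25,465,587,26"
LF_SMTPAUTH = "1"
LF_POP3D = "0"
LF_IMAPD = "1"'

# Constructed `ss -Hltn` output (Local Address:Port is column 4).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:110 0.0.0.0:*
LISTEN 0 128 0.0.0.0:587 0.0.0.0:*
LISTEN 0 128 [::]:993 [::]:*'

# csf_get CONF KEY -> prints the quoted value of KEY (empty if absent)
csf_get() {
    printf '%s\n' "$1" | sed -n "s/^$2 *= *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# list_has LIST PORT -> exit 0 if PORT is in the comma-separated LIST
list_has() {
    printf ',%s,' "$1" | grep -q ",$2,"
}

# audit_csf CONF -> prints one finding per line; nothing printed means clean
audit_csf() {
    conf=$1
    tcp_in=$(csf_get "$conf" TCP_IN)
    # POP3/IMAP should not be reachable if nobody fetches mail from this box
    for p in 110 995 143 993; do
        if list_has "$tcp_in" "$p"; then
            echo "TCP_IN still allows POP3/IMAP port $p; remove it if mail is not fetched here"
        fi
    done
    # SMTP stays open: outbound delivery is still a two-way conversation
    for p in 25 465 587; do
        list_has "$tcp_in" "$p" || echo "TCP_IN lacks SMTP port $p"
    done
    [ "$(csf_get "$conf" SMTP_BLOCK)" = "1" ] \
        || echo 'SMTP_BLOCK is not "1"; scripts can still talk SMTP over raw sockets'
    for k in LF_SMTPAUTH LF_EXIMSYNTAX LF_POP3D LF_IMAPD; do
        [ "$(csf_get "$conf" $k)" = "1" ] || echo "$k is not enabled"
    done
    return 0
}

# listening_ports SS -> prints the port of each LISTEN socket, one per line
listening_ports() {
    printf '%s\n' "$1" | awk '$1=="LISTEN"{n=split($4,a,":"); print a[n]}' | sort -un
}

# exposed_mail_ports SS CONF -> prints POP3/IMAP ports that both have a
# listener and are allowed in TCP_IN, i.e. are reachable by remote probers
exposed_mail_ports() {
    tcp_in=$(csf_get "$2" TCP_IN)
    for p in $(listening_ports "$1"); do
        case $p in
            110|995|143|993) list_has "$tcp_in" "$p" && echo "$p" ;;
        esac
    done
    return 0
}

# Usage: run against the constructed samples
audit_csf "$SAMPLE_CSF"
echo "exposed POP3/IMAP ports: $(exposed_mail_ports "$SAMPLE_SS" "$SAMPLE_CSF" | tr '\n' ' ')"
```

On a live cPanel box replace the two samples with `SAMPLE_CSF=$(cat /etc/csf/csf.conf)` and `SAMPLE_SS=$(ss -Hltn)`; a port that shows up as exposed means Dovecot is still listening on it and the firewall still lets it through, which is exactly the combination the post is removing.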