Multiple cPanel Accounts on the same IP Address

This is just a very quick and basic guide on how you can have multiple cPanel accounts on the same IP address that’s not the default shared IP address.

One benefit of spreading cPanel accounts over multiple IP addresses is to reduce the impact of poor mail deliverability should one account on a particular IP address start sending out spam. Another real-world benefit that springs to mind: if you were to suffer a DDoS attack that could not be mitigated, your provider is likely to “null-route” (take offline) the IP address under attack. In that case it’s better to have 100 accounts spread over 5 IP addresses rather than all on one IP address.

As we know, in WHM you can only have one shared IP address, set in “Basic WebHost Manager® Setup”, which is the default for newly created cPanel accounts.

Let’s say you have the following IP Addresses and domains…
10.10.10.2 – Main Shared IP (Shared for aaa.benyarwood.co.uk – bbb.benyarwood.co.uk – ccc.benyarwood.co.uk)
10.10.10.3 – Currently dedicated to benyarwood.co.uk

… and you want to put bbb.benyarwood.co.uk on 10.10.10.3 by going to “Change Site’s IP Address” but the option is greyed out because it’s already dedicated to benyarwood.co.uk.

So how do I put multiple cPanel accounts on the same IP address?

The “trick” (it really is very simple) is to:
1) Go to Basic WebHost Manager® Setup
2) Change the “The IPv4 address (only one address) to use to set up shared IPv4 virtual hosts.” setting to 10.10.10.3
3) Go to Change Site’s IP Address and now 10.10.10.3 should no longer be greyed out.
3a) If it is still greyed out then simply change to another IP address, click “Change” and then go back to the drop-down box and it should now definitely be available to select.
4) Repeat steps 1 and 2 to change the default main shared IP address back to what it was before.

It should be noted that when changing IP addresses of websites you could disrupt visitors accessing the website due to DNS cache / propagation times.

Note: This requires WHM root access.

For more WHM related guides, see here

Relay Different Domains via Multiple SmartHosts in WHM

If you’re running a shared web-hosting server then you may occasionally have the odd request by a user to relay their mail through their chosen relayer (such as MailGun, Sendgrid, Mailjet, etc.). This guide will assist you in setting up your WHM to relay different domains via multiple SmartHosts.

cPanel’s blog here explains very well what a SmartHost is. We will loosely follow that guide below, with a few extra steps that allow us to specify the domains.

Note: This requires root access to WHM to complete.

Setting up Multiple SmartHosts.

We will assume you’ve already added the domain to your chosen SmartHost(s) control panel, verified the domain and received the appropriate SMTP details to start relaying mail.

In WHM -> Exim Configuration Manager

Log in to WHM, go to Exim Configuration Manager, select the Advanced Tab and find the AUTH section.

Copy in the contents of the box below.

#Section: AUTH
#Smart Host Sending
sendbysmarthosts:
driver = plaintext
public_name = LOGIN
hide client_send = : ${extract{user}{${lookup{$sender_address_domain}lsearch{/etc/exim_smarthosts}}}}: ${extract{pass}{${lookup{$sender_address_domain}lsearch{/etc/exim_smarthosts}}}}

Next up we want to add the PREROUTERS section. 

#Section: PREROUTERS
#Smart Host Sending
sendbysmarthostsrouter:
driver = manualroute
domains = ! +local_domains
condition =  "${if eq{${lookup{$sender_address_domain}partial-lsearch{/etc/exim_smarthosts}{$value}}}{}{false}{true}}"
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
headers_add = "${perl{mailtrapheaders}}"
transport = sendbysmarthoststransport
route_list = * ${extract{smtp}{${lookup{$sender_address_domain}lsearch{/etc/exim_smarthosts}}}}

Next up we want to add the TRANSPORTSTART section. 

#Section: TRANSPORTSTART
#Smart Host Sending
sendbysmarthoststransport:
driver = smtp
port = ${extract{port}{${lookup{$sender_address_domain}lsearch{/etc/exim_smarthosts}}}}
hosts_require_auth = $host_address
hosts_require_tls = $host_address

And that’s it for the WHM side of things so go ahead and save the configuration.

Multiple SmartHosts – File Modifications in SSH / Terminal

We need to edit a few files so go ahead and open up an SSH session or you can use the Terminal inside WHM.

Let’s start by creating a new file in the /etc directory called exim_smarthosts, i.e. /etc/exim_smarthosts

It should be quite clear, but the purpose of this file is to specify the domains and their associated SMTP credentials. The example below includes my own domain. In this file you only need to add the domains that will be relayed via a SmartHost; any domains not specified will continue to be sent out normally through your own server.

# sending by Mailgun
domain1.com: domain=domain1.com user=MAILGUN_smtp_user pass=MAILGUN_api_password smtp=smtp.eu.mailgun.org port=587
benyarwood.co.uk: domain=benyarwood.co.uk user=[email protected] pass=asupersecretpassword smtp=smtp.eu.mailgun.org port=587

# sending by Mailjet
domain3.com: domain=domain3.com user=MAILJET_smtp_user pass=MAILJET_api_password smtp=in-v3.mailjet.com port=587
domain4.com: domain=domain4.com user=MAILJET_smtp_user pass=MAILJET_api_password smtp=in-v3.mailjet.com port=587

# sending by Sendpulse
domain5.com: domain=domain5.com user=SENDPULSE_smtp_user pass=SENDPULSE_api_password smtp=smtp-pulse.com port=587
domain6.com: domain=domain6.com user=SENDPULSE_smtp_user pass=SENDPULSE_api_password smtp=smtp-pulse.com port=587 

Save and exit.

That’s it! We just need to rebuild the exim configuration to perform a quick syntax check and activate the changes.

/scripts/buildeximconf

At this point I’d recommend heading into cPanel -> Webmail for one of the domains and sending a test email to an outside recipient to check delivery works okay. Also check that you can still send mail from accounts that AREN’T being relayed.
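
A pre-flight check for /etc/exim_smarthosts, added here as an example and not part of the original guide: it confirms each entry carries the user, pass, smtp and port keys that the Exim blocks above extract, flags repeated domains, and flags a world-readable file because it stores plaintext SMTP passwords. The function name check_smarthosts and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: lint an exim_smarthosts file.
# Prints one line per problem; returns 0 if clean, 1 if anything is flagged.
check_smarthosts() {
    file=$1; status=0
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }
    # The file holds plaintext SMTP passwords, so flag a world-readable mode.
    # Assumption: Exim can still read it through user or group ownership.
    if [ -n "$(find "$file" -prune -perm -004)" ]; then
        echo "PERM: $file is world-readable"; status=1
    fi
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            key = $1; sub(/:$/, "", key)
            # lsearch stops at the first match, so a repeated key is dead config
            if (key in seen) { printf "line %d: duplicate %s\n", NR, key; bad = 1 }
            seen[key] = 1
            split("", kv)                          # reset the key=value map
            for (i = 2; i <= NF; i++) {
                eq = index($i, "=")
                if (eq > 1) kv[substr($i, 1, eq - 1)] = substr($i, eq + 1)
            }
            # keys the AUTH, PREROUTERS and TRANSPORTSTART blocks extract
            n = split("user pass smtp port", need, " ")
            for (j = 1; j <= n; j++)
                if (kv[need[j]] == "") {
                    printf "line %d: %s missing %s=\n", NR, key, need[j]; bad = 1
                }
            if (kv["port"] != "" && kv["port"] !~ /^[0-9]+$/) {
                printf "line %d: %s port not numeric\n", NR, key; bad = 1
            }
        }
        END { exit bad }
    ' "$file" || status=1
    return "$status"
}

# Constructed sample: line 3 lacks pass=, line 4 repeats the first domain.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sending by Mailgun
domain1.com: domain=domain1.com user=u1 pass=p1 smtp=smtp.eu.mailgun.org port=587
domain3.com: domain=domain3.com user=u3 smtp=in-v3.mailjet.com port=587
domain1.com: domain=domain1.com user=u1 pass=p1 smtp=smtp-pulse.com port=587
EOF
chmod 644 "$sample"
check_smarthosts "$sample" || echo "problems found in $sample"
rm -f "$sample"
```

Run it against the real file before /scripts/buildeximconf; an entry with a missing key would otherwise only show up as a failed delivery for that one domain.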

Adapted from a cPanel forum post here

For more WHM related guides please see here

ConfigServer Security & Firewall (CSF) – How to reduce the email alerts

ConfigServer Security & Firewall (CSF) is great, but the email alerts can certainly be a little overwhelming, so here’s a very quick, dirty copy + paste to disable most of the common email alerts sent out by CSF.

Now, depending on what you’re hosting, you might want to keep some of these alerts enabled, but some of them are just unnecessary. For example, any server with a public-facing IP address will be port-scanned and have its SSH port brute-forced. In an ideal world we’d have SSH locked down via access-lists with the port closed to the public, but that’s not always achievable. In this case not many people need to know if an IP address was blocked 5 times for failing to log in to their SSH service, so long as adequate steps have been taken to protect the service.

You should definitely read the csf.conf file in-depth for further explanation of what each one of these parameters does within CSF but we’ll go ahead and assume you know what these do and that you don’t particularly want the email notifications!

Go ahead and open up SSH to your server. These commands should be run as root.

First you’ll want to make a backup of your /etc/csf/csf.conf file just in case anything goes wrong or stops working.

cp /etc/csf/csf.conf /etc/csf/csf.conf-bak

Next up just paste the following into your SSH terminal.

sed -i 's/LOGFLOOD_ALERT = "[0-9]*"/LOGFLOOD_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/LF_PERMBLOCK_ALERT = "[0-9]*"/LF_PERMBLOCK_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/LF_NETBLOCK_ALERT = "[0-9]*"/LF_NETBLOCK_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/LF_EMAIL_ALERT = "[0-9]*"/LF_EMAIL_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/LF_SSH_EMAIL_ALERT = "[0-9]*"/LF_SSH_EMAIL_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/LF_SU_EMAIL_ALERT = "[0-9]*"/LF_SU_EMAIL_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/LT_EMAIL_ALERT = "[0-9]*"/LT_EMAIL_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/RT_RELAY_ALERT = "[0-9]*"/RT_RELAY_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/RT_AUTHRELAY_ALERT = "[0-9]*"/RT_AUTHRELAY_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/RT_LOCALRELAY_ALERT = "[0-9]*"/RT_LOCALRELAY_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/RT_LOCALHOSTRELAY_ALERT = "[0-9]*"/RT_LOCALHOSTRELAY_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/CT_EMAIL_ALERT = "[0-9]*"/CT_EMAIL_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/PT_USERKILL_ALERT = "[0-9]*"/PT_USERKILL_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/PS_EMAIL_ALERT = "[0-9]*"/PS_EMAIL_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/AT_ALERT = "[0-9]*"/AT_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/PORTKNOCKING_ALERT = "[0-9]*"/PORTKNOCKING_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/LF_DIRWATCH = "[0-9]*"/LF_DIRWATCH = "0"/' /etc/csf/csf.conf
sed -i 's/PT_LOAD = "[0-9]*"/PT_LOAD = "0"/' /etc/csf/csf.conf
sed -i 's/PT_LIMIT = "[0-9]*"/PT_LIMIT = "0"/' /etc/csf/csf.conf
sed -i 's/PT_USERPROC = "[0-9]*"/PT_USERPROC = "0"/' /etc/csf/csf.conf
sed -i 's/PT_USERMEM = "[0-9]*"/PT_USERMEM = "0"/' /etc/csf/csf.conf
sed -i 's/PT_USERTIME = "[0-9]*"/PT_USERTIME = "0"/' /etc/csf/csf.conf

And restart ConfigServer Security & Firewall to apply the changes.

csf -ra

We use “-ra” to restart both the CSF service and the related LFD service.
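
Because sed exits successfully even when a pattern matches nothing, a bulk edit like the one above can silently skip a key. The following added example (not part of the original guide) compares the backup with the edited file and reports each key's old and new value; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: confirm what the sed run changed.

# csf_value FILE KEY -> prints the value of a KEY = "value" line, or nothing.
csf_value() {
    awk -v k="$2" '$1 == k && $2 == "=" { gsub(/"/, "", $3); print $3; exit }' "$1"
}

# csf_verify BACKUP CONF KEY... -> one status line per key;
# returns 1 if any key is absent from CONF or is not "0" there.
csf_verify() {
    bak=$1; conf=$2; shift 2; rc=0
    for key in "$@"; do
        old=$(csf_value "$bak" "$key")
        new=$(csf_value "$conf" "$key")
        if [ -z "$new" ]; then
            echo "MISSING  $key (sed had nothing to match)"; rc=1
        elif [ "$new" != "0" ]; then
            echo "NONZERO  $key = $new"; rc=1
        else
            echo "OK       $key: ${old:-?} -> 0"
        fi
    done
    return "$rc"
}

# Constructed sample files standing in for csf.conf-bak and csf.conf:
# two keys were zeroed, PT_LOAD was left alone, AT_ALERT is not present.
bak=$(mktemp); conf=$(mktemp)
printf '%s\n' 'LF_EMAIL_ALERT = "1"' 'PT_USERMEM = "512"' 'PT_LOAD = "30"' > "$bak"
printf '%s\n' 'LF_EMAIL_ALERT = "0"' 'PT_USERMEM = "0"' 'PT_LOAD = "30"' > "$conf"
csf_verify "$bak" "$conf" LF_EMAIL_ALERT PT_USERMEM PT_LOAD AT_ALERT || true
rm -f "$bak" "$conf"
```

On a real server, pass /etc/csf/csf.conf-bak, /etc/csf/csf.conf and the key names from the sed commands. For LF_DIRWATCH and the PT_ keys in that list, the value is an interval or threshold, so 0 switches the check itself off and not only its email.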

Enjoy the substantially less email spam 🙂

For more guides related to WHM please see here.

AmazonSES SmartHost – Relay specific domains in WHM / Exim.

So, if you’ve found this guide then you probably already know what AmazonSES and SmartHosts are. In this guide I’ll demonstrate how to specify certain domains to be relayed through an AmazonSES SmartHost.

cPanel’s blog here explains very well what a SmartHost is. We will loosely follow that guide below, with a few extra steps that allow us to specify the domains.

Note: This requires root access to WHM to complete.

Configuring the AmazonSES SmartHost in WHM.

We’ll be jumping right into the WHM/Exim configuration here. This guide assumes you have already set up your AmazonSES account, verified your domain and added an “identity” for sending test emails to.

Prepare your AmazonSES SMTP Details. You will need:
SMTP Host (server name): Usually ends amazonaws.com
In this example I will be using “email-smtp.eu-west-2.amazonaws.com” however you MUST use the one specified in your account.
SMTP Username and SMTP Password

In WHM -> Exim Configuration Manager

Log in to WHM, go to Exim Configuration Manager, select the Advanced Tab and find the AUTH section.

Copy in the contents of the box below, but change the USERNAME and PASSWORD to your SMTP Username and Password provided in the Amazon SES Management Console.

## AmazonSES 
ses_login: 
driver = plaintext 
public_name = LOGIN 
client_send = : USERNAME : PASSWORD
## End AmazonSES

Next up we want to add the ROUTERSTART section. Copy in the below but replace YOUR_SERVER_IP with your actual server IP address.

# Added for Amazon SES
smarthost_dkim:
  driver = manualroute
  domains = !"+local_domains +smart_hosts"
  condition = "${if eq{${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}{$value}}}{}{false}{true}}"
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : YOUR_SERVER_IP
  headers_add = "${perl{mailtrapheaders}}"
  require_files = "+/var/cpanel/domain_keys/private/${sender_address_domain}"
  transport = remote_smtp_smart_dkim
  route_list = !+local_domains "${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}}"

smarthost_regular:
  driver = manualroute
  domains = !"+local_domains +smart_hosts"
  condition = "${if eq{${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}{$value}}}{}{false}{true}}"
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : YOUR_SERVER_IP
  headers_add = "${perl{mailtrapheaders}}"
  transport = remote_smtp_smart_regular
  route_list = !+local_domains "${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}}"
###

Note: If your server has multiple IP addresses then you want to add each IP address to this line which would then look like this (obviously replacing 1.1.1.1 and 1.1.1.2 here with your public IP addresses)

ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 1.1.1.1 : 1.1.1.2

Next up we have the TRANSPORTSTART section box to fill with the below. Nothing needs changing in the code, so copy it straight in.

# Added for Amazon SES
remote_smtp_smart_dkim:
  driver = smtp
  hosts_require_auth = *
  hosts_require_tls = *
  interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
  helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
  dkim_domain = $sender_address_domain
  dkim_selector = default
  dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
  dkim_canon = relaxed

remote_smtp_smart_regular:
  driver = smtp
  hosts_require_tls = *
  hosts_require_auth = *
  interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
  helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
###

And that’s it for the WHM side of things so go ahead and save the configuration.

AmazonSES SmartHost File Modifications in SSH / Terminal

We need to edit a few files so go ahead and open up an SSH session or you can use the Terminal inside WHM.

Let’s start with /etc/exim.conf.local

Find the @CONFIG@ line and add the below inside it.

# Added for Amazon SES
hostlist smart_hosts = lsearch;/etc/smarthosts
###

Save and exit.

Here’s my example (note the @AUTH@ part should already be populated with the changes made earlier; we are only adding the above hostlist line underneath @CONFIG@)

Next up is the /etc/smarthosts file. This won’t exist already, so you need to create it. This is the file which specifies which domains on your server will be relaying through the AmazonSES SmartHost. Don’t forget that you must create the domain in the Amazon SES Management Console and verify the domain using CNAME records first!

Copy the following into the file but replace domain1.com and domain2.com with the actual domains on your server.

Replace Amazon_SES_Server with the SMTP Host shown to you in the Amazon SES Management Console.

# Added for Amazon SES
domain1.com: Amazon_SES_Server
domain2.com: Amazon_SES_Server
###

Finally we want to create /etc/staticroutes – this will contain the same contents as your /etc/smarthosts file. The easiest way to do this is just copy the file with:

cp /etc/smarthosts /etc/staticroutes

That’s it! We just need to rebuild the exim configuration to perform a quick syntax check and activate the changes.

/scripts/buildeximconf

To confirm: emails sent from the domains specified in /etc/smarthosts and /etc/staticroutes will now be relayed through AmazonSES. All other domains not specified will continue to be sent directly from your server.

At this point I’d recommend heading into cPanel -> Webmail for one of the domains and sending a test email to an outside recipient (or the identity you’ve set up in AmazonSES!) to check delivery works okay.

Additional notes: I have discovered that upon performing these changes when you go back to Exim Configuration Manager you might see the following warning:

[Screenshot: AmazonSES SmartHost exim-warning]

I set this to contain just “amazonses.com” and the warning disappeared. I then removed it and saved the configuration again and the warning was still gone. *Shrugs*.

Remember to add the following to the SPF record of any domains that will be relaying through the AmazonSES SmartHost.

include:amazonses.com 

For more WHM related guides please see here

Adapted from the guide kindly provided here.