Disable Incoming Mail - DNSONLY
Open Discussion
I would like to have this option for the DNSONLY version of cPanel. I don't need incoming mail, only outgoing. So, exim running on ports 25, 465, and 587 doesn't really make sense. If there's no way to close those ports, maybe move them to non-standard ports? Or perhaps have an option in cPHulk to block IPs that try to use the DNS server to relay mail in addition to blocking login/authentication attempts via SMTP? If someone tries to connect to a DNSONLY server for mail, they're obviously spammers.
I like this idea 
cPanel, WebHost Manager and WHM are registered trademarks of cPanel, L.L.C. for providing its computer software that facilitates the management and configuration of Internet web servers.
Why not just block them in your firewall ? I presume that you have installed a firewall ? (Configserver CSF is the one we and most other hosts use).
Why not just block them in your firewall ? I presume that you have installed a firewall ? (Configserver CSF is the one we and most other hosts use).
Yes, I use CSF myself. But I think you're missing the point. There's really no need for a DNS server to be accepting incoming mail. Also, what if CSF fails for whatever reason? Wouldn't you feel more secure knowing that your server will not be compromised even without a firewall? I've been running the DNSONLY server with CSF blocking all the mail ports for some time now, but I really shouldn't have to do that.
The reason I'm requesting this feature isn't just for myself. I recently had an issue with the Service Manager on my DNSONLY servers that was causing some services that I didn't want to be running to always be on. While reporting the bug and helping tech support replicate the issue, a question came up. I asked them why so many mail-related services come pre-installed on the DNSONLY servers. The results of the log analyses aren't even visible in the DNSONLY version of cPanel without going into MySQL via SSH and looking at raw logs yourself.
Apparently, the reason why they have all those mail-related tools on a DNSONLY server is for forensics to help them figure out when cPanel owners who don't know how to secure their servers ask for help protecting their servers against malicious spammers. You have to remember, not everyone who uses cPanel is a webhost, so not everyone knows how to set up a firewall, etc... to protect their servers.
Anyway, I hope I'm getting my point across.
Yes, I use CSF myself. But I think you're missing the point. There's really no need for a DNS server to be accepting incoming mail. Also, what if CSF fails for whatever reason? Wouldn't you feel more secure knowing that your server will not be compromised even without a firewall? I've been running the DNSONLY server with CSF blocking all the mail ports for some time now, but I really shouldn't have to do that.
The reason I'm requesting this feature isn't just for myself. I recently had an issue with the Service Manager on my DNSONLY servers that was causing some services that I didn't want to be running to always be on. While reporting the bug and helping tech support replicate the issue, a question came up. I asked them why so many mail-related services come pre-installed on the DNSONLY servers. The results of the log analyses aren't even visible in the DNSONLY version of cPanel without going into MySQL via SSH and looking at raw logs yourself.
Apparently, the reason why they have all those mail-related tools on a DNSONLY server is for forensics to help them figure out when cPanel owners who don't know how to secure their servers ask for help protecting their servers against malicious spammers. You have to remember, not everyone who uses cPanel is a webhost, so not everyone knows how to set up a firewall, etc... to protect their servers.
Anyway, I hope I'm getting my point across.
I agree that there is no need for exim to accept e-mail on DNS only server. Removing it would remove the risk of a server being hacked in the case of a security problem with exim or dovecot.
Exim and dovecot are configured to only allow authorized e-mail users and adresses that exist on the serveur to receive e-mail. As no users are created the only risk would be if either one had a security problem.
Exim is needed for outgoing e-mail so can't be removed, dovecot is not needed. Exim could be configured to not listen to any port if this is possible.
I agree that there is no need for exim to accept e-mail on DNS only server. Removing it would remove the risk of a server being hacked in the case of a security problem with exim or dovecot.
Exim and dovecot are configured to only allow authorized e-mail users and adresses that exist on the serveur to receive e-mail. As no users are created the only risk would be if either one had a security problem.
Exim is needed for outgoing e-mail so can't be removed, dovecot is not needed. Exim could be configured to not listen to any port if this is possible.
I'm trying to get my DNSOnly servers PCI compliant and have to whitelist my PCI scanner IP's so CSF doesn't do the job for this purpose as their IP's are excluded. I can't find anywhere how to disable these ports completely.
I'm trying to get my DNSOnly servers PCI compliant and have to whitelist my PCI scanner IP's so CSF doesn't do the job for this purpose as their IP's are excluded. I can't find anywhere how to disable these ports completely.
Replies have been locked on this page!