- Service: Exim
- Ports: 25, 26, 465, 587
In WHM -> Home -> Service Configuration -> Exim Configuration Manager -> Security, check the following settings:
Allow weak SSL/TLS ciphers = Off
Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server = On
Options for OpenSSL = Defaults
SSL/TLS Cipher Suite List = Defaults
If you don’t use Exim on port 26, disable that in WHM -> Home -> Service Configuration -> Service Manager. Also close port 26 in the ConfigServer Firewall configuration.
Afraid of outgoing spam due to insecure scripts?
Under Home → Server Configuration → Tweak Settings → Mail, make sure this option is enabled. It adds the location of the script that’s sending email and/or spam to the headers of the email, which helps you quickly locate the source so you can disable it.
Track email origin via X-Source email headers = On
But if you’re that worried about insecure and/or outdated scripts sending out spam, you might consider disabling outgoing email for the cPanel account until you can get things updated and secured.
root@miss [~]# whmapi1 suspend_outgoing_email user=anna
---
metadata:
  command: suspend_outgoing_email
  reason: OK
  result: 1
  version: 1
Then unsuspend outgoing email when you’re sure there’s not going to be any spamming.
root@miss [~]# whmapi1 unsuspend_outgoing_email user=anna
---
metadata:
  command: unsuspend_outgoing_email
  reason: OK
  result: 1
  version: 1
Not Recommended: Disabling port 465
Now, this might not happen to you, but when I did a PCI scan on my personal VPS, I failed due to Exim running on port 465. Here’s a link with more information on that. I use port 587 to connect to SMTP anyway, so no big deal to disable port 465. DO NOT disable this unless you are sure about what you’re doing and/or it’s required for PCI compliance.
In WHM → Home → Service Configuration → Exim Configuration Manager → Advanced Editor, check the following settings:
daemon_smtp_ports = 25 : 587
tls_on_connect_ports = unset
Also remove port 465 where applicable in the ConfigServer Firewall configuration file.
root@miss [~]# grep 465 /etc/csf/csf.conf
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,2200,30000:30100"
SMTP_PORTS = "25,465,587"
PORTS_smtpauth = "25,465,587"
PORTS_eximsyntax = "25,465,587"
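The grep above matches 465 anywhere in a line, so a port such as 4650 would show up as well. As an added example (not part of the original post), this shell function lists only the csf.conf settings whose port list contains the port as a whole entry or inside a lo:hi range; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report csf.conf settings whose port list contains a port.
# Entries are compared whole, so 4650 is not a hit for 465, and lo:hi
# ranges are checked numerically.

csf_settings_with_port() {
    # $1 = path to a csf.conf-style file, $2 = port number
    awk -v port="$2" '
        # Only NAME = "list" lines whose value is digits, commas and colons
        /^[A-Za-z0-9_]+[ \t]*=[ \t]*"[0-9,:]+"/ {
            name = $0; sub(/[ \t]*=.*/, "", name)
            val = $0;  sub(/^[^"]*"/, "", val); sub(/".*/, "", val)
            n = split(val, item, ",")
            for (i = 1; i <= n; i++) {
                hit = (item[i] == port)
                if (!hit && split(item[i], r, ":") == 2)
                    hit = (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0)
                if (hit) { print name; break }
            }
        }
    ' "$1"
}

# Constructed sample, not a real csf.conf.
make_sample() {
    cat > "$1" <<'EOF'
TCP_IN = "20,21,22,25,587,4650,30000:30100"
SMTP_PORTS = "25,465,587"
PORTS_smtpauth = "25,587"
PORTS_eximsyntax = "25,465,587"
EOF
}

sample=$(mktemp)
make_sample "$sample"
csf_settings_with_port "$sample" 465   # on a real host: /etc/csf/csf.conf
rm -f "$sample"
```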
Check the ciphers that Exim is using
anna@xps:~$ nmap miss.annahost.org -p 587 --script ssl-enum-ciphers
Starting Nmap 7.01 ( https://nmap.org ) at 2018-06-23 19:48 CDT
Nmap scan report for miss.annahost.org (18.104.22.168)
Host is up (0.045s latency).
PORT    STATE SERVICE
587/tcp open  submission
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
Nmap done: 1 IP address (1 host up) scanned in 39.45 seconds