Exim

  • Service: Exim
  • Ports: 25, 26, 465, 587

In WHM → Home → Service Configuration → Exim Configuration Manager → Security check the following settings:

Allow weak SSL/TLS ciphers = Off

Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server = On

Options for OpenSSL = Defaults

SSL/TLS Cipher Suite List = Defaults
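The setting that requires SSL or STARTTLS before AUTH can be verified from any client by comparing the EHLO response before and after STARTTLS: a correctly configured server does not advertise AUTH on the plaintext connection. The script below is an added example, not part of the original page or of cPanel/Exim; it assumes Python 3, takes the host name and optional port on the command line, and the EHLO responses at the bottom are constructed samples used for an offline demonstration.

```python
"""Probe an SMTP submission port and confirm that AUTH is only offered after
STARTTLS, then report the negotiated TLS version and cipher.

Added example; not part of the original page or of cPanel/Exim.
Assumed usage: python3 check_starttls.py HOST [PORT]
"""
import smtplib
import ssl
import sys


def auth_offered(ehlo_response: bytes) -> bool:
    """True if the EHLO response advertises the AUTH extension (RFC 4954)."""
    for line in ehlo_response.decode("utf-8", "replace").splitlines():
        words = line.split()
        if not words:
            continue
        # Keywords are case-insensitive; some servers also emit "AUTH=PLAIN ..."
        if words[0].split("=")[0].upper() == "AUTH":
            return True
    return False


def evaluate(pre_tls_ehlo: bytes, post_tls_ehlo: bytes) -> dict:
    """Compare the EHLO response before and after STARTTLS.

    The WHM setting 'Require clients to connect with SSL or issue the STARTTLS
    command before they are allowed to authenticate' is being honoured when AUTH
    is absent on the plaintext connection and present once TLS is up.
    """
    before = auth_offered(pre_tls_ehlo)
    after = auth_offered(post_tls_ehlo)
    return {
        "auth_before_tls": before,
        "auth_after_tls": after,
        "tls_required_for_auth": (not before) and after,
    }


def probe(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """Connect to host:port, capture EHLO before/after STARTTLS, return the verdict."""
    ctx = ssl.create_default_context()  # verifies the server certificate chain
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, pre = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected: {code} {pre!r}")
        code, _ = smtp.starttls(context=ctx)
        if code != 220:
            raise RuntimeError(f"STARTTLS rejected with {code}")
        _, post = smtp.ehlo()  # EHLO must be repeated after STARTTLS
        result = evaluate(pre, post)
        result["tls_version"] = smtp.sock.version()
        result["cipher"] = smtp.sock.cipher()[0]
        return result


# Constructed EHLO responses (not captured from any real server) showing the
# expected shape: no AUTH on plaintext, AUTH only after STARTTLS.
SAMPLE_PRE_TLS = (
    b"mail.example.invalid Hello client\nSIZE 52428800\n8BITMIME\n"
    b"PIPELINING\nSTARTTLS\nHELP"
)
SAMPLE_POST_TLS = (
    b"mail.example.invalid Hello client\nSIZE 52428800\n8BITMIME\n"
    b"PIPELINING\nAUTH PLAIN LOGIN\nAUTH=PLAIN LOGIN\nHELP"
)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(evaluate(SAMPLE_PRE_TLS, SAMPLE_POST_TLS))  # offline demonstration
    else:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 587
        print(probe(sys.argv[1], port))
```

If `tls_required_for_auth` comes back False because AUTH appeared on the plaintext EHLO, the WHM setting above is not in effect (or a different Exim is answering on that port); the reported cipher should be one of the suites the later nmap scan also lists.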

If you don't use Exim on port 26, disable that in WHM → Home → Service Configuration → Service Manager. Also close port 26 in the ConfigServer Firewall configuration.

Afraid of outgoing spam due to insecure scripts?

Under Home → Server Configuration → Tweak Settings → Mail, make sure the following option is enabled. It adds a header to each outgoing email giving the location of the script that sent it, which makes it quick to locate the source of any spam so you can disable it.

Track email origin via X-Source email headers = On

But if you're that worried about insecure and/or outdated scripts sending out spam, you might consider disabling outgoing email for the cPanel account until you can get things updated and secured.

root@miss [~]# whmapi1 suspend_outgoing_email user=anna
--- 
metadata: 
command: suspend_outgoing_email
reason: OK
result: 1
version: 1

Then unsuspend outgoing email when you're sure there's not going to be any spamming.

root@miss [~]# whmapi1 unsuspend_outgoing_email user=anna
--- 
metadata: 
command: unsuspend_outgoing_email
reason: OK
result: 1
version: 1

Not Recommended: Disabling port 465

Now, this might not happen to you, but when I did a PCI scan on my personal VPS, I failed due to Exim running on port 465. Here's a link with more information on that. I use port 587 to connect to SMTP anyway, so no big deal to disable port 465. DO NOT disable this unless you are sure about what you're doing and/or it's required for PCI compliance.

In WHM → Home → Service Configuration → Exim Configuration Manager → Advanced Editor check the following settings:

daemon_smtp_ports = 25 : 587
tls_on_connect_ports = unset

Also remove port 465 where applicable in the ConfigServer Firewall configuration file.

root@miss [~]# grep 465 /etc/csf/csf.conf 
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,2200,30000:30100"
SMTP_PORTS = "25,465,587"
PORTS_smtpauth = "25,465,587"
PORTS_eximsyntax = "25,465,587"
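Editing those four csf.conf lists by hand is error-prone (465 must go, while 1465 or a range like 30000:30100 must stay), so here is an added example of doing it with a script. It is my own code, not part of the page or of ConfigServer Firewall; it assumes the quoted `KEY = "a,b,c"` layout shown in the grep output, takes the port and an optional path on the command line, and writes a `.bak` copy before changing the file. The sample config at the bottom is constructed from the lines above.

```python
"""Remove one TCP port from the comma-separated port lists in csf.conf.

Added example; not part of the original page or of ConfigServer Firewall.
Assumed usage: python3 csf_drop_port.py 465 [/etc/csf/csf.conf]
A backup (csf.conf.bak) is written before the file is changed; run `csf -r`
afterwards to reload the rules.
"""
import re
import shutil
import sys

# Only these keys are rewritten; every other line passes through untouched.
PORT_LIST_KEYS = ("TCP_IN", "TCP_OUT", "SMTP_PORTS", "PORTS_smtpauth", "PORTS_eximsyntax")

# KEY = "value" with optional trailing text (csf.conf keeps values in double quotes)
LINE_RE = re.compile(r'^(?P<key>[A-Za-z0-9_]+)(?P<sep>\s*=\s*)"(?P<value>[^"]*)"(?P<rest>.*)$')


def remove_port(value: str, port: int) -> str:
    """Drop exact matches of `port` from a comma-separated list.

    Ranges such as 30000:30100 and superstrings such as 1465 are kept.
    """
    kept = [item for item in value.split(",") if item.strip() != str(port)]
    return ",".join(kept)


def rewrite_config(text: str, port: int) -> tuple:
    """Return (new_text, changed_keys) for the whole config text."""
    changed = []
    out = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        newline = line[len(body):]  # preserve the original line ending
        m = LINE_RE.match(body)
        if m and m.group("key") in PORT_LIST_KEYS:
            new_value = remove_port(m.group("value"), port)
            if new_value != m.group("value"):
                changed.append(m.group("key"))
                body = f'{m.group("key")}{m.group("sep")}"{new_value}"{m.group("rest")}'
        out.append(body + newline)
    return "".join(out), changed


def apply(path: str, port: int) -> list:
    """Rewrite the file in place after taking a .bak copy; return changed keys."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    new_text, changed = rewrite_config(original, port)
    if changed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return changed


# Constructed sample matching the grep output above (not read from a real server).
SAMPLE_CONF = (
    'TESTING = "0"\n'
    'TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,'
    '2083,2086,2087,2095,2096,2200,30000:30100"\n'
    'SMTP_PORTS = "25,465,587"\n'
    'PORTS_smtpauth = "25,465,587"\n'
    'PORTS_eximsyntax = "25,465,587"\n'
)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        text, keys = rewrite_config(SAMPLE_CONF, 465)  # offline demonstration
        print(text, "changed:", keys)
    else:
        conf = sys.argv[2] if len(sys.argv) > 2 else "/etc/csf/csf.conf"
        print("changed:", apply(conf, int(sys.argv[1])))
```

Running it with no arguments prints the rewritten sample so you can see the effect before pointing it at the real file; `grep 465 /etc/csf/csf.conf` afterwards should return nothing from the port lists.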

Check the ciphers that Exim is using

anna@xps:~$ nmap miss.annahost.org -p 587 --script ssl-enum-ciphers

Starting Nmap 7.01 ( https://nmap.org ) at 2018-06-23 19:48 CDT
Nmap scan report for miss.annahost.org (162.246.58.251)
Host is up (0.045s latency).
PORT    STATE SERVICE
587/tcp open  submission
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 39.45 seconds
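Reading that scan by eye works for four suites, but on a host with SSLv3 or TLSv1.0 still enabled the list gets long. Here is an added example, not part of the page, nmap, or cPanel, that parses the `ssl-enum-ciphers` output and lists what a PCI scan or the "Allow weak SSL/TLS ciphers = Off" setting is meant to rule out. The weak-suite rules are this script's own heuristics, applied on top of nmap's letter grades; the first sample is the script block from the scan above and the second is a constructed failing case.

```python
"""Parse `nmap --script ssl-enum-ciphers` output and flag weak protocol
versions and cipher suites.

Added example; not part of the original page, nmap, or cPanel.
Assumed usage: nmap HOST -p 587 --script ssl-enum-ciphers | python3 grade_ciphers.py
"""
import re
import sys

PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv[\d.]+):\s*$")
# e.g. "|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A"
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)(?:\s+\([^)]*\))?\s+-\s+([A-F])\s*$")

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Substrings that mark a suite as weak regardless of the nmap grade (own heuristic).
WEAK_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT", "_MD5", "_anon_")


def parse(output: str) -> dict:
    """Return {protocol: [(suite, grade), ...]} from ssl-enum-ciphers output."""
    result = {}
    current = None
    for line in output.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            result[current].append((m.group(1), m.group(2)))
    return result


def findings(ciphers: dict) -> list:
    """List the problems a hardening review would raise; empty means clean."""
    issues = []
    for proto, suites in ciphers.items():
        if proto in WEAK_PROTOCOLS:
            issues.append(f"{proto} is enabled")
        for suite, grade in suites:
            if grade != "A" or any(mk in suite for mk in WEAK_MARKERS):
                issues.append(f"{proto}: {suite} is weak (nmap grade {grade})")
            if "_ECDHE_" not in suite and "_DHE_" not in suite:
                issues.append(f"{proto}: {suite} has no forward secrecy")
    return issues


# The ssl-enum-ciphers block from the scan on this page, used as sample input.
SAMPLE_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
"""

# Constructed output (not from a real scan) showing what a failing host looks like.
WEAK_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: C
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for issue in findings(parse(text)) or ["no weak protocols or ciphers found"]:
        print(issue)
```

For the scan above the script reports nothing, which matches the "least strength: A" line; a host that still answers TLSv1.0 or offers a 3DES or RSA-key-exchange suite gets one line per problem.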