Inbound Delivery Restrictions - Protecting Mail Server IP Addresses in cPanel & WHM

To prevent senders from bypassing your MailChannels Inbound protections and delivering spam into your domains, an ACL (Access Control List) is needed to prevent unauthorized IPs from connecting directly to your mail server(s).

Perform the following steps to restrict your WHM/cPanel server IPs to only allow deliveries from the MailChannels inbound service IPs, preventing unauthorized connections and delivery attempts to your Mail Server(s).

1) In your WHM server, please perform the following tasks:

  • SSH to the WHM server using a terminal application.
  • Create a file named /opt/mc-mx-protect with the following content:


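[root@server ~]# vi /opt/mc-mx-protect

#!/bin/bash
# Print the MX hosts of the domain given in $1 as one colon-separated line, trailing dots removed.
host -t MX "$1" | sort -n -k1 | cut -d ' ' -f 7 | sed -e 's/\.$//' | xargs | sed -e 's/ /:/g' | tr -d '\n'

  • Save the file.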

  • Create a second file named /opt/mc-ptr-protect with the following content:

[root@server ~]# vi /opt/mc-ptr-protect

#!/bin/bash
# Print the PTR (reverse DNS) name of the IP address given in $1, trailing dot removed.
host -t PTR "$1" | cut -d ' ' -f5 | sed 's/\.$//g' | tr -d '\n'

  • Save the file.

  • Add execute permissions to both of the newly created files using the following command:

[root@server ~]# chmod +x /opt/mc-mx-protect && chmod +x /opt/mc-ptr-protect

 

2) Log in to the WHM panel UI, open Exim Configuration Editor -> Advanced mode, and search for the text string: custom_begin_recp_verify

  • Add the following text snippet into the box provided:

################## Start MailChannels verification #####################################
defer
!condition = ${if match_domain{${run {/opt/mc-ptr-protect $sender_host_address}}}{*.mailchannels.net}}
set acl_m_mx_records = ${run {/opt/mc-mx-protect $domain}}
condition = ${if eq{$acl_m_mx_records}{mx1.mailchannels.net:mx2.mailchannels.net}}
message = Please deliver mail to the address specified in the MX records for this domain.
################## End MailChannels verification ####################################

 

  • Save the configuration and restart/reload your Exim Mail Server.

Once the above changes have been successfully completed, the following conditions apply to your MailChannels Inbound service:

  1. Mail is accepted if it originates from hosts whose PTR record matches "*.mailchannels.net", or from localhost.
  2. Direct deliveries that do not originate from the "trusted" MailChannels Inbound delivery service IP addresses are rejected. Direct delivery attempts are temp failed, and senders are directed to use the MX path when sending mail into this domain instead of connecting directly.

If the cPanel domain does not have MailChannels MX records configured, it is assumed that the inbound domain is not protected by MailChannels and direct deliveries are not automatically rejected.
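
The following is an added example, not part of the original article or MailChannels code: it models the defer rule offline by running the two helper pipelines over constructed `host` output, so the verdicts can be compared with the conditions listed above. The function names, sample hostnames and addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: offline model of the ACL decision. All sample `host` output
# below is constructed; function names are hypothetical.

# Same pipeline as /opt/mc-mx-protect, reading `host -t MX` output on stdin.
mx_list() {
    sort -n -k1 | cut -d ' ' -f 7 | sed -e 's/\.$//' | xargs | sed -e 's/ /:/g' | tr -d '\n'
}

# Same pipeline as /opt/mc-ptr-protect, reading `host -t PTR` output on stdin.
ptr_name() {
    cut -d ' ' -f5 | sed 's/\.$//g' | tr -d '\n'
}

# Mirrors the defer statement: defer only when the sender PTR is outside
# *.mailchannels.net AND the recipient domain's MX list is the MailChannels pair.
acl_verdict() {
    case "$1" in
        *.mailchannels.net) echo pass; return 0 ;;
    esac
    if [ "$2" = "mx1.mailchannels.net:mx2.mailchannels.net" ]; then
        echo defer
    else
        echo pass
    fi
}

# Constructed `host` output (documentation names and addresses only).
MX_PROTECTED='example.com mail is handled by 10 mx2.mailchannels.net.
example.com mail is handled by 10 mx1.mailchannels.net.'
MX_OTHER='example.org mail is handled by 0 mail.example.org.'
PTR_MC='10.2.0.192.in-addr.arpa domain name pointer constructed-host.mailchannels.net.'
PTR_DIRECT='7.113.0.203.in-addr.arpa domain name pointer mail.example.org.'
PTR_NONE='Host 9.100.51.198.in-addr.arpa. not found: 3(NXDOMAIN)'

# check <label> <ptr-output> <mx-output>: print the verdict for one case.
check() {
    ptr=$(printf '%s\n' "$2" | ptr_name)
    mx=$(printf '%s\n' "$3" | mx_list)
    printf '%-24s ptr=%-36s -> %s\n' "$1" "$ptr" "$(acl_verdict "$ptr" "$mx")"
}

check 'via MailChannels'      "$PTR_MC"     "$MX_PROTECTED"
check 'direct, protected'     "$PTR_DIRECT" "$MX_PROTECTED"
check 'direct, no PTR record' "$PTR_NONE"   "$MX_PROTECTED"
check 'direct, unprotected'   "$PTR_DIRECT" "$MX_OTHER"
```

In the third case the PTR helper returns the error token from `host` rather than a hostname, which does not match "*.mailchannels.net", so a sender without reverse DNS is deferred on a protected domain.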

 
