Preventing Unauthorized IPs from Bypassing MailChannels Inbound Protections on WHM/cPanel and DirectAdmin Servers

To prevent senders from bypassing your MailChannels Inbound protections and delivering spam into your domains, an ACL (Access Control List) is needed to prevent unauthorized IPs from connecting directly to your Mail Server(s).

This guide outlines the steps to restrict your server IPs to only allow deliveries from MailChannels inbound service IPs, preventing unauthorized connections and delivery attempts to your Mail Server(s).

 

For WHM/cPanel Servers

Step 1: Create Protection Scripts

  1. SSH into your WHM/cPanel server using a terminal application.
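  2. Create a file named /opt/mc-mx-protect with the following content and save it:

    #!/bin/bash
    # Print the MX hosts of the domain passed as $1: sorted, trailing dots removed, joined with ':'
    host -t MX "$1" | sort -n -k1 | cut -d ' ' -f 7 | sed -e 's/\.$//' | xargs | sed -e 's/ /:/g' | tr -d '\n'

  3. Create a second file /opt/mc-ptr-protect with the following content and save it:

    #!/bin/bash
    # Print the PTR (reverse DNS) name of the IP address passed as $1, trailing dot removed
    host -t PTR "$1" | cut -d ' ' -f5 | sed 's/\.$//g' | tr -d '\n'
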
  4. Add execute permissions to both files:
    chmod +x /opt/mc-mx-protect && chmod +x /opt/mc-ptr-protect

Step 2: Update Exim Configuration

  1. Log in to the WHM panel UI.
  2. Open Exim Configuration Editor -> Advanced Editor.

  3. Search for custom_begin_recp_verify.

  4. Add the following text snippet in the provided box:
    ################## Start MailChannels verification #####################################
    defer
    !condition = ${if match_domain{${run {/opt/mc-ptr-protect $sender_host_address}}}{*.mailchannels.net}}
    set acl_m_mx_records = ${run {/opt/mc-mx-protect $domain}}
    condition = ${if eq{$acl_m_mx_records}{mx1.mailchannels.net:mx2.mailchannels.net}}
    message = Please deliver mail to the address specified in the MX records for this domain.
    ################## End MailChannels verification #####################################
  5. Save the configuration and restart/reload your Exim Mail Server.

 

For DirectAdmin Servers (v1.63.0+)

Step 1: Create Protection Scripts

  1. SSH into your DirectAdmin server using a terminal application.
  2. Create a file named /usr/local/directadmin/scripts/custom/mc-mx-protect with the following content and save it:

    #!/bin/bash
    # Print the MX hosts of the domain passed as $1: sorted, trailing dots removed, joined with ':'
    host -t MX "$1" | sort -n -k1 | cut -d ' ' -f 7 | sed -e 's/\.$//' | xargs | sed -e 's/ /:/g' | tr -d '\n'

  3. Create a second file /usr/local/directadmin/scripts/custom/mc-ptr-protect with the following content and save it:

    #!/bin/bash
    # Print the PTR (reverse DNS) name of the IP address passed as $1, trailing dot removed
    host -t PTR "$1" | cut -d ' ' -f5 | sed 's/\.$//g' | tr -d '\n'

  4. Add execute permissions to both files:

    chmod +x /usr/local/directadmin/scripts/custom/mc-mx-protect && chmod +x /usr/local/directadmin/scripts/custom/mc-ptr-protect

     

Step 2: Update Exim Configuration

  1. Navigate to the custom configuration directory:
    cd /usr/local/directadmin/custombuild
  2. Ensure Exim is set to be configured:
    ./build update
    ./build set exim yes
    ./build exim
  3. Add the custom ACL directly in the Exim configuration:
    vi /etc/exim.acl_check_rcpt.conf.custom
  4. Insert the following ACL rule:

    ################## Start MailChannels verification #####################################
    defer
    !condition = ${if match_domain{${run {/usr/local/directadmin/scripts/custom/mc-ptr-protect $sender_host_address}}}{*.mailchannels.net}}
    set acl_m_mx_records = ${run {/usr/local/directadmin/scripts/custom/mc-mx-protect $domain}}
    condition = ${if eq{$acl_m_mx_records}{mx1.mailchannels.net:mx2.mailchannels.net}}
    message = Please deliver mail to the address specified in the MX records for this domain.
    ################## End MailChannels verification #####################################
  5. Save the changes and rebuild the Exim configuration:
    ./build exim_conf
  6. Restart Exim to apply the new configuration:
    service exim restart

 

Summary

Once the above changes have been successfully completed on either WHM/cPanel or DirectAdmin, the following conditions apply to your MailChannels Inbound service:

  • Mail is accepted if it originates from a host whose PTR record matches *.mailchannels.net, or from localhost.
  • Direct deliveries that do not originate from the "trusted" MailChannels Inbound delivery service IP addresses are rejected. These direct delivery attempts are temporarily failed, and senders are directed to use the MX path when sending mail into this domain instead of connecting directly.
  • If the domain does not have MailChannels MX records configured, it is assumed that the inbound domain is not protected by MailChannels and direct deliveries are not automatically rejected.
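
The three outcomes above can be checked offline by replaying the ACL's decision. This is an added example, not MailChannels' own code: it feeds constructed `host` output through the same two pipelines as the scripts in Step 1 and applies the ACL's two conditions in order. The function names, sample hostnames and addresses are assumptions.

```bash
#!/bin/bash
# Added example: replay the MailChannels ACL decision on captured `host` output.

# Pipeline from mc-mx-protect, reading `host -t MX` output on stdin.
mx_list() {
  sort -n -k1 | cut -d ' ' -f 7 | sed -e 's/\.$//' | xargs | sed -e 's/ /:/g' | tr -d '\n'
}

# Pipeline from mc-ptr-protect, reading `host -t PTR` output on stdin.
ptr_name() {
  cut -d ' ' -f5 | sed 's/\.$//g' | tr -d '\n'
}

# acl_decision MX_OUTPUT PTR_OUTPUT -> "defer" or "continue" (later ACL rules decide).
# 1. Sender PTR under mailchannels.net: the rule's !condition is false, rule skipped.
# 2. Any other sender: defer only when the MX set is exactly the MailChannels pair.
acl_decision() {
  mx=$(printf '%s\n' "$1" | mx_list)
  ptr=$(printf '%s\n' "$2" | ptr_name)
  case "$ptr" in
    *.mailchannels.net) echo continue ;;
    *)
      if [ "$mx" = "mx1.mailchannels.net:mx2.mailchannels.net" ]; then
        echo defer
      else
        echo continue
      fi ;;
  esac
}

# Constructed sample data (documentation domains and address ranges).
MX_MC='example.com mail is handled by 10 mx1.mailchannels.net.
example.com mail is handled by 20 mx2.mailchannels.net.'
MX_OTHER='example.org mail is handled by 10 mail.example.org.'
PTR_MC='10.2.0.192.in-addr.arpa domain name pointer sample-host.mailchannels.net.'
PTR_OTHER='7.113.0.203.in-addr.arpa domain name pointer host.example.net.'
PTR_NONE='Host 9.113.0.203.in-addr.arpa. not found: 3(NXDOMAIN)'

echo "MailChannels MX, MailChannels sender: $(acl_decision "$MX_MC" "$PTR_MC")"
echo "MailChannels MX, direct sender:       $(acl_decision "$MX_MC" "$PTR_OTHER")"
echo "MailChannels MX, sender without PTR:  $(acl_decision "$MX_MC" "$PTR_NONE")"
echo "Other MX, direct sender:              $(acl_decision "$MX_OTHER" "$PTR_OTHER")"
```

To check a live server, pipe real `host -t MX` and `host -t PTR` output into the same functions and compare the result with what Exim logs for that connection.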

 

 
