To prevent senders from bypassing your MailChannels Inbound protections and delivering spam into your domains, an ACL (Access Control List) is needed that stops unauthorized IPs from connecting directly to your Mail Server(s).
This guide outlines the steps to restrict your server IPs to only allow deliveries from MailChannels inbound service IPs, preventing unauthorized connections and delivery attempts to your Mail Server(s).
For WHM/cPanel Servers
Step 1: Create Protection Scripts
- SSH into your WHM/cPanel server using a terminal application.
- Create a file named /opt/mc-mx-protect with the following content:

#!/bin/bash
# Print the domain's MX hosts as a sorted, colon-separated list
# (e.g. mx1.mailchannels.net:mx2.mailchannels.net) with no trailing newline.
host -t MX "$1" | sort -n -k1 | cut -d ' ' -f 7 | sed -e 's/\.$//' | xargs | sed -e 's/ /:/g' | tr -d '\n'

Save the file.
- Create a second file /opt/mc-ptr-protect with the following content:

#!/bin/bash
# Print the PTR (reverse DNS) name of the given IP address, without the trailing dot or newline.
host -t PTR "$1" | cut -d ' ' -f5 | sed 's/\.$//g' | tr -d '\n'

Save the file.
- Add execute permissions to both files:

chmod +x /opt/mc-mx-protect && chmod +x /opt/mc-ptr-protect
Step 2: Update Exim Configuration
- Log in to the WHM panel UI.
- Open Exim Configuration Editor -> Advanced Editor.
- Search for custom_begin_recp_verify.
- Add the following text snippet in the provided box:

################## Start MailChannels verification #####################################
# Defer the recipient when the connecting host's PTR is not under mailchannels.net
# and the recipient domain's MX records point at MailChannels.
defer
  !condition = ${if match_domain{${run {/opt/mc-ptr-protect $sender_host_address}}}{*.mailchannels.net}}
  set acl_m_mx_records = ${run {/opt/mc-mx-protect $domain}}
  condition = ${if eq{$acl_m_mx_records}{mx1.mailchannels.net:mx2.mailchannels.net}}
  message = Please deliver mail to the address specified in the MX records for this domain.
################## End MailChannels verification #####################################

- Save the configuration and restart/reload your Exim Mail Server.
For DirectAdmin Servers (v1.63.0+)
Step 1: Create Protection Scripts
- SSH into your DirectAdmin server using a terminal application.
- Create a file named /usr/local/directadmin/scripts/custom/mc-mx-protect with the following content:

#!/bin/bash
# Print the domain's MX hosts as a sorted, colon-separated list
# (e.g. mx1.mailchannels.net:mx2.mailchannels.net) with no trailing newline.
host -t MX "$1" | sort -n -k1 | cut -d ' ' -f 7 | sed -e 's/\.$//' | xargs | sed -e 's/ /:/g' | tr -d '\n'

Save the file.
- Create a second file /usr/local/directadmin/scripts/custom/mc-ptr-protect with the following content:

#!/bin/bash
# Print the PTR (reverse DNS) name of the given IP address, without the trailing dot or newline.
host -t PTR "$1" | cut -d ' ' -f5 | sed 's/\.$//g' | tr -d '\n'

Save the file.
- Add execute permissions to both files:

chmod +x /usr/local/directadmin/scripts/custom/mc-mx-protect && chmod +x /usr/local/directadmin/scripts/custom/mc-ptr-protect
Step 2: Update Exim Configuration
- Change to the CustomBuild directory:

cd /usr/local/directadmin/custombuild

- Ensure Exim is set to be configured:

./build update
./build set exim yes
./build exim

- Add the custom ACL directly in the Exim configuration:

vi /etc/exim.acl_check_rcpt.conf.custom

- Insert the following ACL rule:

################## Start MailChannels verification #####################################
# Defer the recipient when the connecting host's PTR is not under mailchannels.net
# and the recipient domain's MX records point at MailChannels.
defer
  !condition = ${if match_domain{${run {/usr/local/directadmin/scripts/custom/mc-ptr-protect $sender_host_address}}}{*.mailchannels.net}}
  set acl_m_mx_records = ${run {/usr/local/directadmin/scripts/custom/mc-mx-protect $domain}}
  condition = ${if eq{$acl_m_mx_records}{mx1.mailchannels.net:mx2.mailchannels.net}}
  message = Please deliver mail to the address specified in the MX records for this domain.
################## End MailChannels verification #####################################

- Save the changes and rebuild the Exim configuration:

./build exim_conf

- Restart Exim to apply the new configuration:

service exim restart
Summary
Once the above changes have been successfully completed on either WHM/cPanel or DirectAdmin, the following conditions apply to your MailChannels Inbound service:
- Accept mail if it originates from hosts whose PTR record is under *.mailchannels.net, or from localhost.
- Reject direct deliveries that do not originate from the "trusted" MailChannels Inbound delivery service IP addresses. Direct delivery attempts are temporarily failed (deferred), and senders are directed to use the MX path when sending mail into this domain instead of connecting directly.
- If the domain does not have MailChannels MX records configured, it is assumed that the inbound domain is not protected by MailChannels, and direct deliveries are not automatically rejected.
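The following is an added example, not part of the MailChannels article, that shows how the two helper scripts' pipelines and the ACL's defer decision fit together. It runs offline: the `host` output lines, the hostnames (example-relay.mailchannels.net, smtp.example.org) and the function names are all constructed for this example, and the pipelines are applied to that sample output instead of performing DNS lookups. It walks through the three outcomes listed in the summary above.

```shell
#!/bin/sh
# Added example (not from the MailChannels article): an offline model of the
# mc-mx-protect / mc-ptr-protect pipelines and of the ACL decision they feed.
# All `host` output below is constructed; no DNS lookups are made.

# Same pipeline as the article's mc-mx-protect, but reading `host -t MX`
# output from stdin so it can be exercised without a live lookup.
mx_chain_from_host_output() {
  sort -n -k1 | cut -d ' ' -f 7 | sed -e 's/\.$//' | xargs | sed -e 's/ /:/g' | tr -d '\n'
}

# Same pipeline as the article's mc-ptr-protect, reading `host -t PTR` output from stdin.
ptr_name_from_host_output() {
  cut -d ' ' -f5 | sed 's/\.$//g' | tr -d '\n'
}

# The MX chain the ACL compares against with plain string equality (Exim `eq`).
MC_MX_CHAIN='mx1.mailchannels.net:mx2.mailchannels.net'

# Mirror of the ACL logic. $1 = PTR name of the connecting host, $2 = colon-joined
# MX chain of the recipient domain. Prints "defer" when the ACL would temporarily
# reject the RCPT, "continue" when it falls through to Exim's normal processing.
# Exim's match_domain is case-insensitive, so the PTR name is lower-cased first.
acl_verdict() {
  ptr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$ptr" in
    *.mailchannels.net) echo continue; return 0 ;;  # !condition fails: trusted relay
  esac
  if [ "$2" = "$MC_MX_CHAIN" ]; then
    echo defer      # domain is behind MailChannels, but the sender is not MailChannels
  else
    echo continue   # domain not protected by MailChannels: do not reject automatically
  fi
}

# Run both parsers on raw `host` output and return the verdict.
verdict_for() {  # $1 = `host -t PTR` output, $2 = `host -t MX` output
  acl_verdict "$(printf '%s\n' "$1" | ptr_name_from_host_output)" \
              "$(printf '%s\n' "$2" | mx_chain_from_host_output)"
}

# Constructed sample `host` output (not real lookups). The MX lines list mx2
# before mx1 to show that the sort step normalises the order.
MX_MC='example.com mail is handled by 10 mx2.mailchannels.net.
example.com mail is handled by 10 mx1.mailchannels.net.'
MX_NONE='other.example has no MX record'
PTR_MC='4.3.2.1.in-addr.arpa domain name pointer example-relay.mailchannels.net.'
PTR_OTHER='8.7.6.5.in-addr.arpa domain name pointer smtp.example.org.'
PTR_NXDOMAIN='Host 12.11.10.9.in-addr.arpa not found: 3(NXDOMAIN)'

# Walk the situations described in the article's summary.
printf 'MailChannels relay -> protected domain:   %s\n' "$(verdict_for "$PTR_MC" "$MX_MC")"
printf 'other host         -> protected domain:   %s\n' "$(verdict_for "$PTR_OTHER" "$MX_MC")"
printf 'host without PTR   -> protected domain:   %s\n' "$(verdict_for "$PTR_NXDOMAIN" "$MX_MC")"
printf 'other host         -> unprotected domain: %s\n' "$(verdict_for "$PTR_OTHER" "$MX_NONE")"
```

Two details worth noticing: a host with no PTR record yields the string "3(NXDOMAIN)" from the PTR pipeline, which simply fails the `*.mailchannels.net` match and is deferred like any other direct sender, and a domain with no MX records yields an empty chain, so the `eq` test fails and the recipient is not rejected. The article's ACL trusts the PTR name on its own; Exim's built-in `verify = reverse_host_lookup` condition additionally checks that the PTR name resolves forward to the connecting address, and can be combined with this ACL if you want the `*.mailchannels.net` test to depend on both directions of DNS.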