How to Disable a Domain From Sending Email

You can easily disable inbound email for a single domain simply by switching off the MX records and/or removing the domain from /etc/localdomains.  However, disabling a domain from sending email off of your server is slightly more complicated.  Even if you manage to disable the domain of an account from sending out, you still have to deal with the fact that the cPanel user itself can send email.  This user has the address of user@serverhostname, and is the default sender for scripts that utilize sendmail.  In other words, any PHP or Perl script that sends email off of your server without using proper SMTP authentication will send mail as the cPanel user.

Disable Email from Specific Domains

First, create a file called /etc/blockedsenderdomains and list the domains you want to block email from in it, one per line.
Then go into WHM > Exim Configuration Manager > Advanced Editor, and add the following to the “Section: CONFIG” part:

domainlist blocked_domains = lsearch;/etc/blockedsenderdomains

In the ROUTERSTART section, add:

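reject_domains:
 driver = redirect
 # "senders" tests the envelope sender; a "domains" condition would test the recipient domain instead
 senders = *@+blocked_domains
 allow_fail
 data = :fail: Connection rejected: SPAM source $sender_address_domain is manually blacklisted.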

Then save the file.

How to Block an Entire .TLD with Exim

cPanel comes stock with a number of ACLs and tunables to help reduce the amount of unwanted email coming into your server.  At present, there are not a lot of controls on the Exim side that allow for blocking specific email addresses or servers.  While you can easily use the integrated SpamAssassin controls on a per-cPanel account basis, it’s generally less resource-intensive to handle these blocks at SMTP time.

cPanel’s implementation of Exim is set to automatically load filters from an include directory.  This directory is located here:

/usr/local/cpanel/etc/exim/sysfilter/options/

Any files you drop in here will be included into the Exim filter.  First, create a file in this folder.  You can name it anything you want, but we’ll call ours inbound_tld_block:

vim /usr/local/cpanel/etc/exim/sysfilter/options/inbound_tld_block

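In this file, add the following filter, replacing .tld with the actual TLD you want to block:

# Discard mail whose To:, Cc: or From: header contains ".tld"
if first_delivery
 and ("$h_to:, $h_cc:" contains ".tld")
 or ("$h_from:" contains ".tld")
then
 # "seen finish" stops filtering and marks the message as delivered, so it is dropped without a bounce
 seen finish
endif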

Now go into WHM -> Exim Configuration Manager -> Basic Editor -> Filters, and you should see the new filter listed:

** Custom Filter: inbound_tld_block

If it’s not already enabled, enable it here and then save.

To disable the filter, you can set it to “Off” in the same location in WHM and hit Save again.
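
The filter's contains test is a substring match over the whole header, so a TLD string can also match inside a display name or in the middle of a longer host name. The following shell snippet is an added example, not part of the original post: it applies the same substring test to a few constructed From: headers and compares it with a check on the end of the address domain. The function names and sample headers are made up for illustration.

```shell
#!/bin/sh
# Added illustration: a substring test on a header over-matches.

# substring_hit mimics the filter's '"$h_from:" contains ".tld"' test.
substring_hit() {   # $1 = header value, $2 = TLD with leading dot
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# domain_hit extracts the address domain and checks that it ends in the TLD.
domain_hit() {      # $1 = header value, $2 = lower-case TLD with leading dot
    addr=${1##*"<"}        # drop a display name and the "<", if present
    addr=${addr%%">"*}     # drop the closing ">" and anything after it
    domain=${addr##*@}     # keep the text after the last "@"
    domain=$(printf '%s' "$domain" | tr 'A-Z' 'a-z')
    case "$domain" in
        *"$2") return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample From: headers (not real traffic).
SAMPLES='Alice <alice@example.top>
"Sales at shop.top" <sales@example.com>
bob@mail.topshelf.example
dave@example.org'

# count_hits prints how many sample headers the named test matches.
count_hits() {      # $1 = test function name, $2 = TLD
    n=0
    while IFS= read -r line; do
        "$1" "$line" "$2" && n=$((n + 1))
    done <<EOF
$SAMPLES
EOF
    echo "$n"
}

echo "substring test matches: $(count_hits substring_hit .top)"
echo "domain test matches:    $(count_hits domain_hit .top)"
```

Only the first sample header is actually sent from the blocked TLD; the other two substring matches would be discarded by mistake.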

How to Change a Parked Domain to an Addon Domain

cPanel supports both parked domains and addon domains, with the ability to easily remove a domain as one and re-add it as the other.  However, you may find this problematic if you have set up email addresses, filters, or mailing lists under a parked domain and want to make it into an addon domain.

While performing this action is not directly supported by cPanel at this time, there is a way to do this if you have root access to your server.

1) Create a subdomain

cPanel maps addon domains to subdomains of the main domain on the account.  So go into cPanel and create a subdomain for the parked domain.  For example, if your parked domain is mydomain.com, create:

mydomain.mymaindomain.com

2) Edit main userdata file

Go into /var/cpanel/userdata/$user/ and open up the main file in an editor.  You should see something like this:

addon_domains: {}

If you have existing addon domains, you’ll see them listed and can just add your domain to the list.  Otherwise, alter the entry to look like this:

addon_domains:
  mydomain.com: mydomain.mymaindomain.com

The “mydomain.mymaindomain.com” is the subdomain you created in step 1.

Remove the domain from the parked_domains section of this file, then save and close.

3) Edit the Virtualhost

In the same folder, open the config file for your main domain and remove the parked domain from the serveralias: line – including the www for the parked domain.

Open the file for the subdomain you created in step one, and add the parked domain to the serveralias: directive.

Make sure the mydomain.mymaindomain.com part is the same as the subdomain you created in step 1.

4)  Update cPanel config

Run the following commands:

/scripts/updateuserdomains

/scripts/rebuildhttpdconf

service httpd restart

If you go into cPanel now, the domain will be listed and treated as an addon domain, and you can upload the website’s files to the location you specified when you created its subdomain.

cPanel fatal: Cannot upgrade due to insufficient disk space.

You may get any of the following errors when cPanel won’t update because /usr is full or does not have enough space:

-----
The last attempt to update cPanel & WHM was blocked.
Please correct these issues and rerun updates.
fatal: Cannot upgrade due to insufficient disk space. Detected ?GB. You will need at least 3GB to install/update to a new version of cpanel.
-----

cPanel & WHM cannot update due to insufficient disk space in the staging
directory, “/usr/local/cpanel”. The system requires 3 GB to update; this
directory only has ? GB available.
-----
W NOTE: A system upgrade was not possible due to the following blockers:
W [FATAL] - Cannot upgrade due to insufficient disk space. Detected ?G. You will need at least ?G to install a new
version of cPanel
-----

Here are a few fixes you can try:

Fix #1: Clear up unnecessary logs in:

/usr/local/cpanel/logs/
/usr/local/apache/logs/
/usr/local/apache/domlogs/

Fix #2: Remove unnecessary old or duplicate folders such as:
/usr/local/apache.*
/usr/local/maldet.*

Fix #3: CAUTION: This should only be done as an absolute last resort. This fix is dangerous and, if done incorrectly, can break your server. You should only do this if you are an experienced system admin. If not, ask someone experienced to do this for you. This method is not recommended by cPanel. It is just a workaround for cases where there is no other option short of reloading your entire server.

1) Stop crond, exim, cpanel, apache, mysql, leechprotect
2) Verify none are running by typing: lsof | grep /usr/local/cpanel
3) Make an empty folder at: /home/usr/local
4) Move /usr/local/cpanel to /home/usr/local/cpanel
5) Make an empty folder at: /usr/local/cpanel
6) Set the permissions: chmod 711 /usr/local/cpanel
7) Add the following line to the /etc/fstab file (save a copy of the file first before editing it):
/home/usr/local/cpanel /usr/local/cpanel none rw,bind 0 0
8) Mount the folder: mount /usr/local/cpanel
9) Now restart all of the services that were stopped
10) Update cPanel: /scripts/upcp --force

Perfect Forward Secrecy with Apache 2.2 on a cPanel Server

Perfect Forward Secrecy (PFS) is a security measure that helps to ensure that a session key cannot be compromised if one of the long-term keys used to set up the session is compromised at a later date.  With PFS, if a single session key is compromised, only data protected by that key has the potential to be compromised as well.  This is a feature specific to SSL connections that is now a somewhat standard requirement for passing PCI scans.

Apache 2.4 has this ability built-in, but Apache 2.2 supports the PFS-required ciphers as of 2.2.26.  To enable this, you’ll need to make a few adjustments to the main Apache template.  First, you need to change the SSLCipherSuite value. You can adjust this in WHM -> Apache Configuration -> Global Configuration, in the SSL Cipher Suite box.  Change this value to:

SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5

Then save the file.  You can also adjust this in /var/cpanel/conf/apache/local.

From here, you will need to add an additional setting to tell Apache to honor the cipher order you just defined.  To do this:

cp /var/cpanel/templates/apache2/main.default /var/cpanel/templates/apache2/main.local

If main.local already exists, just use the existing file.

Look for “SSLCipherSuite” in the template. It will look something like this:

[% IF main.sslciphersuite.item.sslciphersuite.length %]SSLCipherSuite [% main.sslciphersuite.item.sslciphersuite %][% END %]

Above this, add the following line:

SSLHonorCipherOrder on

Save the file, then apply the settings:

/scripts/rebuildhttpdconf

service httpd restart

To confirm PFS is working, you can run an SSL test here:

https://www.ssllabs.com/ssltest/