so many options :)
kalidust
06-08-2005, 09:42 AM
There are so many more options in WHM and RVskins than with the reseller account I've had.
I would like to know what things are important to configure/setup, so it would be great if we would list what are the important things to configure/setup and why.
Thanks :)
kalidust
06-08-2005, 04:00 PM
Just got through exploring WHM. These are some of the things I'm not sure how to set and would appreciate any feedback :)
In Server setup - tweak setting
-Attempt to prevent pop3 connection floods
-Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail. (exim 4.34-30+ required)
-Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)
-Silently Discard all FormMail-clone requests with a bcc: header in the subject line
-Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)
HostVA
06-08-2005, 04:10 PM
I told you there were a lot of options. I need to get busy working on mine - between having to turn in grades and no a/c, I am a bit behind... I wish I could help but I have not looked too much yet. But those options look to me like something I would enable, just glancing at the descriptions. Anyhow, just tell Dustin to research the ones you need help on. :D
Seriously, have you looked at cpanel.net? I bet some of this info is there. I will look around later at these as I need to work on my sites for a while.
kalidust
06-08-2005, 04:33 PM
Kevin, good idea :)
There's also some things in the rvskins setup that we need to check out.
Something that I don't know about -- should our servers have any type of virus protection/scans on it?
HostVA
06-08-2005, 04:59 PM
Look here...
http://forums.deftechgroup.com/showthread.php?t=161&highlight=virus
Other than that thread, I don't know - but it sounds like something nice to have (server antivirus). I am definitely going to look into it...
Kevin
sewmyheadon
06-08-2005, 05:37 PM
You can have them install ClamAV for you - just drop in a support ticket. It uses some resources though and must be enabled server-side, not on a per-domain basis, so if you're running mailing lists, you may need to watch out that you don't overload the server.
kalidust
06-08-2005, 05:45 PM
Is ClamAV something we should have on our servers?
sewmyheadon
06-08-2005, 05:56 PM
Only if you want it Karen. It is server-based antivirus, so if you or your customers require this, you can have it installed here. At the other host, you had to purchase a dedicated server (read: "hock your Granny") in order to get them to install it.
I haven't installed it yet as I have a few customers that use DadaMail to send periodic mailings to opt-in lists and I don't want it to hold things up, since it can't be enabled per domain.
I do have a few other customers that would really like it, but I'm taking it one step at a time right now. I may get a separate VPS for customers requiring server-side anti-virus.
kalidust
06-08-2005, 06:03 PM
Ah, ok I see :)
Thanks Eric (so many things to learn)
canuck
06-08-2005, 06:06 PM
Hi Karen, I had them install via a support ticket ClamAV. I figure might as well keep my VPS fully secure.
Also implemented option 7 and 8 in this sticky security post Security (http://forums.deftechgroup.com/showthread.php?t=26&highlight=security)
Anyone else using ClamAV ?
smoore
06-08-2005, 10:10 PM
I had ClamAV installed when I got my VPS, works great. You can test it at http://www.webmail.us/testvirus. I watched the mailserver log and could see it reject many types of the test mails. I noticed an immediate reduction in the amount of stuff spamassassin had to deal with instead.
I run a mailing list to 6700, and didn't occur to me ClamAV might have performance impact. It runs fine however so long as I keep it throttled down to where it doesn't overutilize cpu or memory. Would be nice however if I could configure to only scan inbound mail.
You can reduce memory utilization some by limiting the number of spamd processes. This is something support did for me, setting it to 2, but I think it was just using the "Addon Modules" option and selecting the spamdconf option, then it puts the new option under "Add-Ons". I presume they may have also installed ClamAV through this Addon Modules section.
I also went into "Change System Mail Preferences" and set everything there to forward to my preferred e-mail address, one that's not hosted on my VPS.
sewmyheadon
06-09-2005, 12:40 AM
> I run a mailing list to 6700, and didn't occur to me ClamAV might have performance impact. It runs fine however so long as I keep it throttled down to where it doesn't overutilize cpu or memory. Would be nice however if I could configure to only scan inbound mail.
> You can reduce memory utilization some by limiting the number of spamd processes. This is something support did for me, setting it to 2, but I think it was just using the "Addon Modules" option and selecting the spamdconf option, then it puts the new option under "Add-Ons". I presume they may have also installed ClamAV through this Addon Modules section.
> I also went into "Change System Mail Preferences" and set everything there to forward to my preferred e-mail address, one that's not hosted on my VPS.
Hi smoore,
I have several clients on the server running DadaMail - two that have lists of around 2000 that they send to once per week max. I'm interested in knowing what you mean by 'throttled down'.
I was considering asking customers to set Dada to send X messages per hour/minute to reduce load on the server, but I'd still like the security of having ClamAV installed. Also, which VPS package are you on, and do you have other clients with mailing lists too, and how do you manage them?
Is it easy to uninstall ClamAV if necessary? From what I've read, it almost sounds like SpamAssassin is more taxing on the server than ClamAV, am I wrong?
BornOnline
06-09-2005, 10:17 AM
I'm using it and configured it using this info.
Configure Exim to reject virus at SMTP time
http://www.rvskin.com/index.php?page=public/antispam#3
kalidust
06-09-2005, 03:10 PM
> I'm using it and configured it using this info.
> Configure Exim to reject virus at SMTP time
> http://www.rvskin.com/index.php?page=public/antispam#3
Thanks. We just set that up :)
smoore
06-09-2005, 04:12 PM
Regarding those rvskin instructions for ClamAV. Support set ClamAV up for me, however I don't see either of the additions mentioned in these instructions, so am thinking they did it some other way, or that WHM sets it up differently. That's one reason I did external testing on it, wanted to make sure it worked.
I'm throttling my mail sending to 15 mails every 4 seconds, which is 225/minute, and sending it directly to SMTP rather than the default MTA. In my testing I was able to push it a little higher, however the current settings seemed to be a reasonable balance. Note this is close to what my previous shared/reseller host wanted me to limit it to (250/minute). I would definitely ask people to throttle, it's one of the things most likely to overload your VPS, and according to PowerVPS could even affect other customers on the server. I'm only on the Power-1 VPS, however I use it only for myself.
I'm currently using some PHP mailing software called 12all. It's been usable but has a few issues.
If possible, watch your power panel next time someone mails to a list. I was having resource issues with a particular base memory item under the advanced button, and had to work with support to make adjustments, and had no problems after that.
sewmyheadon
06-09-2005, 04:46 PM
Thank you smoore - I appreciate the input.
Not sure what you mean about sending through the SMTP rather than the default MTA, though . . . can you clarify? Do you mean using SMTP rather than sendmail?
smoore
06-09-2005, 04:58 PM
Yeah, that's what I meant. Sendmail would be the default MTA (mail transfer agent) on a Cpanel server. That works for me also, but I just understand SMTP to be more efficient and less likely to have problems, however not all mailing software supports it.
sewmyheadon
06-09-2005, 05:25 PM
Thanks again smoore. Curious why SMTP would be more efficient. I know DadaMail supports both.
smoore
06-10-2005, 01:51 AM
I don't know for sure if it's more efficient, I figured it was more direct and that sendmail ended up sending it to SMTP anyway. I've also had a few various problems with sendmail in the past that I didn't have with SMTP. But then I did find one post on Google where someone claims sendmail is more efficient. I guess stick with whatever is working well, probably doesn't make a huge difference either way.
Hola Kalidust,
> Just got through exploring WHM. These are some of the things I'm not sure how to set and would appreciate any feedback :)
> In Server setup - tweak setting
> -Attempt to prevent pop3 connection floods
This is definitely a good idea - no valid connections will be attempting to flood pop3.
> -Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail. (exim 4.34-30+ required)
This is pretty well RFC standard these days, it helps to track down the origins of spam - definitely something you should leave enabled.
> -Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)
Depending on when you signed up for a VPS with us, you may or may not have PHPsuexec enabled, but you will have suexec enabled. It's generally a good idea to have the above enabled, but if you're unsure, submit a tkt and we'll double check that it won't break anything.
> -Silently Discard all FormMail-clone requests with a bcc: header in the subject line
> -Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)
Yes, and Yes.
The first will stop people from uploading a formmail-cgi and then using it to spam hundreds of people, or, more likely, exploiting the weak security of the original formmail-cgi script.
The second is also a good way of tracking spam.
In regard to your virus protection, this may interest you:
http://www.rvskin.com/index.php?page=public/antispam
We can't unfortunately do this for you - it's simply too much work; and I doubt you'd want to pay the engineer charge for the time. However, looking at some of the other threads you've taken part in, I don't think it would be particularly difficult for you to set it up.
> Sendmail would be the default MTA (mail transfer agent) on a Cpanel server.
Actually, it's exim =P (a sort of sendmail clone)
smoore
06-10-2005, 02:03 PM
Thanks for the clarification. Cpanel shows a "Path to sendmail" but didn't realize it was really just a clone. Any advice on whether it's more efficient for newsletter software to send via "Sendmail" or through SMTP?
kalidust
06-10-2005, 02:35 PM
> I haven't installed it yet as I have a few customers that use DadaMail to send periodic mailings to opt-in lists and I don't want it to hold things up, since it can't be enabled per domain.
> I do have a few other customers that would really like it, but I'm taking it one step at a time right now. I may get a separate VPS for customers requiring server-side anti-virus.
Eric, how would ClamAV affect those using DadaMail? I have a few customers that use it.
Robert
06-10-2005, 02:50 PM
> Thanks for the clarification. Cpanel shows a "Path to sendmail" but didn't realize it was really just a clone. Any advice on whether it's more efficient for newsletter software to send via "Sendmail" or through SMTP?
It should not make too much of a difference honestly. I personally use Sendmail when I can with scripts, just because I'm more comfortable with it. But if you're comfortable with SMTP, go for it! :)
Robert
06-10-2005, 02:55 PM
> Eric, how would ClamAV affect those using DadaMail? I have a few customers that use it.
ClamAV should not have any effect on those using DadaMail. The only thing that might happen is that if your maillist suddenly batches up 50k mail and sends it out... ClamAV will try to scan each of them as it sends it. So it can add a bit more to the system load as it scans each of them.
ClamAV is pretty friendly with its resource usage... but anytime you send a TON of mail to the server, you're going to see a performance hit. Adding virus scanning to it will add a bit to the load as well.
beeno
06-21-2005, 09:15 PM
> I'm throttling my mail sending to 15 mails every 4 seconds, which is 225/minute, and sending it directly to SMTP rather than the default MTA. In my testing I was able to push it a little higher, however the current settings seemed to be a reasonable balance. Note this is close to what my previous shared/reseller host wanted me to limit it to (250/minute). I would definitely ask people to throttle, it's one of the things most likely to overload your VPS, and according to PowerVPS could even affect other customers on the server. I'm only on the Power-1 VPS, however I use it only for myself.
> If possible, watch your power panel next time someone mails to a list. I was having resource issues with a particular base memory item under the advanced button, and had to work with support to make adjustments, and had no problems after that.
I may be having the same problem with my kmemsize. My system usage had been spiking at certain times for the past couple of days. None of the processes seem to be using that much cpu/memory.
Any idea how one goes about throttling it down to the above levels?
What were the adjustments that were made?
smoore
06-22-2005, 01:06 AM
Yes, kmemsize was the one. Support raised the max for me a slight bit, and also freed up some memory by limiting the spamassassin to 2 child processes, and ensuring the 2 chat servers were off. After that I was fine (with throttling). It still hits the VPS fairly hard but stays out of the yellow or red warning levels.
The throttling I'm talking about is something the mailing software would need to support, most of the better ones will have a feature for this.
asterisk
11-21-2005, 09:58 PM
I was just wondering if anyone has successfully followed all the steps as listed in BornOnline's URL:
http://www.rvskin.com/index.php?page=public/antispam
I have tried implementing it but I ended up getting emails outside my domain being rejected totally with the 550 Administrative prohibition error.
Thanks to Veena, I can confirm that step 4ii (filtering dictionary attacks) works isolated. Although I'm still in the process of finding an online dictionary attack testing tool.
Thank you in advance.
PS An update, I've managed to implement both 3i and 4ii without any mishap. I reckon the error may have something to do with trying to implement a solution for rejecting CLSID hidden attachments.
deny message = Hiding of file extensions is not allowed!
log_message = Dangerous extension (CLSID hidden)
regex = ^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$
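The ACL lines in the post above can be checked offline before they go into exim.conf. The following is an added example, not part of the original post or of the rvskin instructions: it undoes the Exim escaping in the posted `regex =` value and runs the resulting pattern over constructed Content-Disposition lines, assuming Exim tests each line on its own. The function names and sample headers are illustrative.

```python
import re

# The `regex =` value exactly as posted above, Exim escaping intact.
POSTED = r'^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$'


def exim_value_to_python(value):
    r"""Turn the ACL value into the pattern the regex engine ends up with.

    Simplification: only the escapes used on this line are handled.
    `::` is a list-escaped colon; `\\s` and `\$` are escaped for Exim's
    string expansion; `\{` and `\}` are left alone because they match
    the same literal braces either way.
    """
    pattern = value.replace("::", ":")
    pattern = pattern.replace("\\\\", "\\").replace("\\$", "$")
    # Python rejects an inline (?i) that is not at the very start, so the
    # flag is passed separately; it still covers the whole pattern.
    pattern = pattern.replace("(?i)", "", 1)
    return re.compile(pattern, re.IGNORECASE)


RULE = exim_value_to_python(POSTED)

# Constructed Content-Disposition lines (not taken from real mail).
PAD = " " * 12
SAMPLES = {
    "plain pdf": 'Content-Disposition: attachment; filename="report.pdf"',
    "spaces in name": 'Content-Disposition: attachment; filename="Q3 sales report.xls"',
    "inline image": 'Content-Disposition: inline; filename="logo.gif"',
    "clsid as name": 'content-disposition: attachment; '
                     'filename="{00000000-0000-0000-0000-000000000000}"',
    "padded extension": 'Content-Disposition: attachment; filename="notes.txt'
                        + PAD + '.exe"',
}


def would_deny(line):
    """True if the posted deny rule would fire for this single line."""
    return RULE.search(line) is not None


def denied(samples):
    """Names of the sample lines the rule would reject, sorted."""
    return sorted(name for name, line in samples.items() if would_deny(line))


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{'DENY' if would_deny(line) else 'pass':5} {name}")
```

Ordinary attachment names, including ones with single spaces, pass; only a filename that is a bare CLSID or one padded with ten or more whitespace characters is denied.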
Norm1322
11-22-2005, 05:28 AM
I was just looking at Tony's reply earlier but have a few thoughts if anyone can help.
> -Attempt to prevent pop3 connection floods
If someone has a dozen or so domains which they pop from their email client, say each domain every couple of minutes, then the same IP address from the email client would obviously be used. Would this be seen as a pop3 connection flood or are we talking thousands of connections over a few seconds?
> -Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail. (exim 4.34-30+ required)
Now I tried this and when I replied to an email and the X-PopBeforeSMTP header was added it showed all the login usernames in the pop before list. Wouldn't this help spammers to get their emails through much easier since they'd have access to a working list of usable addresses? You wouldn't need to know the domain names, just stick the server address behind the username. I know a reply would have to be sent first but it could happen.
I use the :fail: option in the default address but often allow just the username as an allowed email address. I know that can be changed but of course even on a newly setup default (unless :fail: is set) cPanel account the username is going to be an allowed email name.
Seems a bit of a risk to me since you're also giving away half the account login details, so I've switched it off again. ;)
--
Norm
asterisk
11-23-2005, 05:45 AM
Just an update. The instructions on Rvskin seem to have worked out really well, what a beautiful solution. I found out that the ACL instructions (which I've got from a place other than Rvskin) for rejecting CLSID hidden attachments, didn't quite work but I've got it to work at last.
I am wondering, which file does WHM use for its Exim configuration editor? This is because directly editing exim.conf seems to not show up in WHM's Exim configuration editor.
Also, is it only me or has anyone who has tried using an EICAR virus-testing tool managed to see them correspondingly being rejected in exim_rejectlog?
On my part, I've only managed to see 12 of them get rejected by Exim in the logs whereas the other 12 have yet to be accounted for although they seem to have been rejected as well. What worries me is that legitimate mail may be rejected without any trace in the logs.
Turning on ClamAV's logs doesn't seem to help much too as their logs weren't too verbose.
Any pointers on this please?
Thanks.