Exim (Experimental Internal Mailer) is a mail transfer agent known for being a general and flexible mailer with many tools for checking incoming email. It was created in 1995 by Philip Hazel, and an estimated 57% of publicly reachable mail servers on the internet use it. Following the Sendmail design model, Exim has defined stages at which it gains or loses privileges on a server, which helps increase the security of mail delivery overall. Among the benefits Exim provides over other MTAs is mail policy control, which gives a system administrator the ability to decide who may send or relay mail. Exim is also well known for being highly configurable: it makes extensive use of Access Control Lists (much like cPanel & WHM do!) and allows easier integration of antivirus and anti-spam programs.

A downside of using Exim is that many of its options involve SMTP (Simple Mail Transfer Protocol), which is known to be a relatively vulnerable protocol. Malicious users can send messages with falsified headers, or spam out a large number of messages from a server in a short period. This can consume a large amount of that server’s bandwidth or cause your mail server’s IP address to be blacklisted, leading to email delivery failures for you or your customers.

When email was first designed, security was not considered an important aspect. Until fairly recently, it was still possible to send an email from any address and get away with it. Because spam, phishing, and spoofing attacks by email have become increasingly common, we’ve seen various attempts to make email more secure. In the last few years, major email providers (Google, Microsoft, etc.) have seriously tightened their security and authentication requirements for validating and receiving email. As a result, legitimate email can easily be misclassified as spam or rejected by those providers.

By ensuring that Exim is secured, you can avoid scenarios like those mentioned previously. Let’s cover some best practices for securing your server against the abuse of Exim. We can think of hardening Exim as similar to making your air conditioner more efficient. There are a few settings you can tweak on the air conditioner itself, such as the thermostat, or making sure it is free of dust and lint. More often than not, however, the environment is what you need to tweak to make the AC more efficient. For example, you may close vents and doors in areas where the AC is not necessary and allow more air to flow where it is needed, or close blinds in rooms where the sun is shining through so the room cools off more quickly. The same goes for Exim. There are many components along the way that we need to secure to prevent abuse of your server.

Features to enable

The Exim Configuration Manager is a tool built into WHM that makes modifying your Exim configuration simpler. Split into “Basic” and “Advanced” Editors, the configuration manager allows users to choose configuration options to customize how their Exim instance runs, including ACL options, Access Lists, Domains and IPs, Mail, RBLs, OpenSSL options, and Apache SpamAssassin choices. Let’s go over some of the different options that will promote best practices and hardening of Exim.

Allow DKIM verification for incoming messages  

By default, Exim verifies syntactically valid DKIM signatures in incoming mail even when it is not configured to act on the results of the check, so it is worthwhile to make use of this information. DKIM (DomainKeys Identified Mail) is a means of verifying incoming email. It ensures that incoming messages have not been modified in transit and come from the sender they claim to come from. Technically, DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication. For more information, please visit http://www.dkim.org.

Sender Verification Callouts

Sender Verification Callouts, a feature introduced in the mail server to curb inbound spam, is a technique used by SMTP software to validate email addresses. The logic behind this feature is that most spammers are likely to use spoofed (fake) sender addresses, so looking up the sender address helps confirm whether the sender domain is a valid one or not.

When an email reaches your server, the sender address is obtained from the ‘MAIL FROM’ data of the incoming message. Your server validates this address by issuing a specific command (‘RCPT TO’) to the sending mail server, using the email address from the ‘MAIL FROM’. If the sending mail server acknowledges this command, your server knows that the sending email address is valid, and the email from the sender is then accepted.

On cPanel & WHM servers, the sender verification callouts feature can be enabled in WHM. Be advised that if the sender cannot verify the email address, or if the sender does not respond, the mail delivery will not be completed.
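The callout exchange described above, as an added example (not cPanel’s or Exim’s code): the receiving server talks to the sender domain’s mail server, uses the null sender in MAIL FROM, probes with RCPT TO and then QUITs without sending a message. The MX replies here are constructed and the domain names are made up; a real callout would open a TCP session instead of reading from the table.

```python
import re

# Constructed fake MX servers keyed by sender domain (not real hosts). Each maps an
# SMTP verb to the reply that server would give; None means it never answers.
FAKE_MX = {
    "valid.example": {"EHLO": "250-mx.valid.example\r\n250 PIPELINING",
                      "MAIL": "250 2.1.0 OK", "RCPT": "250 2.1.5 OK",
                      "QUIT": "221 2.0.0 Bye"},
    "nouser.example": {"EHLO": "250 mx.nouser.example", "MAIL": "250 2.1.0 OK",
                       "RCPT": "550 5.1.1 User unknown", "QUIT": "221 2.0.0 Bye"},
    "busy.example": {"EHLO": "250 mx.busy.example", "MAIL": "250 2.1.0 OK",
                     "RCPT": "451 4.7.1 Try again later", "QUIT": "221 2.0.0 Bye"},
    "silent.example": None,
}

def last_reply_code(reply):
    """Return the 3-digit code from the final line of a (possibly multi-line) SMTP reply."""
    match = re.match(r"(\d{3})(?:[ -]|$)", reply.splitlines()[-1])
    return int(match.group(1)) if match else None

def sender_callout(sender, mx_table=FAKE_MX):
    """Verify an envelope sender the way a callout does: open a session to the sender
    domain's mail server, use the null sender for MAIL FROM, probe the address with
    RCPT TO, then QUIT without ever transmitting a message.
    Returns (verdict, transcript) with verdict 'accept', 'reject' or 'defer'."""
    domain = sender.rpartition("@")[2]
    mx = mx_table.get(domain)
    if mx is None:
        return "defer", []          # no server, or no answer within the callout timeout
    dialogue = [("EHLO", "EHLO mx.receiver.example"),
                ("MAIL", "MAIL FROM:<>"),
                ("RCPT", f"RCPT TO:<{sender}>")]
    transcript, verdict = [], "accept"
    for verb, command in dialogue:
        reply = mx[verb]
        transcript.append((command, reply))
        code = last_reply_code(reply)
        if code is None or code >= 400:
            # 5xx to RCPT TO means the address does not exist; anything else
            # (4xx, or a failure before RCPT) means it could not be verified right now.
            verdict = "reject" if verb == "RCPT" and code and code >= 500 else "defer"
            break
    transcript.append(("QUIT", mx["QUIT"]))
    return verdict, transcript
```

Both "reject" and "defer" leave the delivery incomplete, which is the behaviour the paragraph above warns about.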

Apache SpamAssassin: Forced Global ON & Apache SpamAssassin: bounce spam score threshold

This setting specifies whether Apache SpamAssassin is enabled for all email accounts on the server. SpamAssassin uses a large set of rules, each with a numeric score, to determine whether or not an email is spam. Each rule is a “test”; when a test matches, SpamAssassin adds its score to the email. A positive score indicates the message is likely spam, and a negative score indicates it is likely ham (a non-spam message). A message is weighed against all tests, and the results are combined into a single global score for the message. The higher the positive score, the more likely the message is spam.

The bounce spam score threshold option lets you define the score at which SpamAssassin bounces an incoming message. If an email’s score exceeds the threshold, SpamAssassin bounces (rejects) the message; if the score is below the user-defined threshold, the message is delivered as normal. This gives a system administrator more flexibility in deciding how strict SpamAssassin’s scoring should be.
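The scoring and bounce-threshold logic from the two paragraphs above, as an added example in the style of SpamAssassin’s rule scheme (not SpamAssassin’s or cPanel’s code). The rule names, scores, thresholds and the two sample messages are all constructed for the example; real SpamAssassin ships thousands of rules with tuned scores.

```python
import re

# Constructed rule set, loosely modelled on SpamAssassin's scheme: each test has a
# score; positive scores push a message towards spam, negative ones towards ham.
RULES = [
    ("MISSING_DATE", 1.5, lambda h, b: "date" not in h),
    ("SUBJ_ALL_CAPS", 2.0, lambda h, b: len(h.get("subject", "")) > 4
                                        and h.get("subject", "").isupper()),
    ("URGENT_MONEY", 3.5, lambda h, b: re.search(r"\b(urgent|wire transfer|million)\b",
                                                 b, re.I) is not None),
    ("HTML_ONLY", 1.0, lambda h, b: h.get("content-type", "").startswith("text/html")),
    ("RCVD_FROM_TRUSTED", -2.0, lambda h, b: "trusted.example" in h.get("received", "")),
]

def parse_message(raw):
    """Split a raw message into a lowercase-keyed header dict and the body text."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # last duplicate wins (demo only)
    return headers, body

def score_message(raw, rules=RULES):
    """Run every test and combine the hits into one global score, as SpamAssassin does."""
    headers, body = parse_message(raw)
    hits = [(name, score) for name, score, test in rules if test(headers, body)]
    return round(sum(score for _, score in hits), 1), hits

def decide(raw, bounce_threshold=8.0, spam_threshold=5.0, rules=RULES):
    """'bounce' at or above the bounce threshold (rejected at SMTP time), 'spam' at or
    above the user's required score (delivered but tagged), otherwise 'deliver'."""
    total, _ = score_message(raw, rules)
    if total >= bounce_threshold:
        return "bounce"
    if total >= spam_threshold:
        return "spam"
    return "deliver"

# Constructed sample messages (not real mail).
SPAM = """From: winner@lottery.example
Subject: URGENT WIRE TRANSFER
Content-Type: text/html

You have won ten million dollars. Send the wire transfer fee today, urgent."""

HAM = """From: alice@trusted.example
Date: Mon, 1 Jan 2024 10:00:00 +0000
Received: from mail.trusted.example by mx.receiver.example
Subject: Lunch tomorrow?
Content-Type: text/plain

Do you want to grab lunch at noon?"""
```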

Scan messages for malware from authenticated senders (exiscan) & Scan outgoing messages for malware

If your server has ClamAV installed (required for these settings), you can use it to scan outbound messages from your server for malware. Any message that tests positive for malware is rejected. Enabling this option protects your server’s mail reputation score from being hurt by its IP address being flagged as a source of spam and malware. Additionally, it gives system administrators valuable time to determine whether an account on their server is actively sending spam.

Checklist of Best Practices 

Secure passwords 

If you increase the minimum password strength for your users’ mail accounts, you decrease the chance that an attacker will correctly guess their passwords. We recommend that you set the default minimum password strength to at least 50. Here are instructions on how to define a minimum password strength in WHM.

SMTP Restrictions 

This feature limits the ability to send mail from your server to connections that go through Exim. If you enable the SMTP Restrictions feature, spammers cannot directly interact with remote mail servers or work around your mail security settings.

Max hourly emails per domain 

This setting is ideal for hosting providers that cater to users without bulk mailing requirements. Limiting the number of emails that each user can send per hour can prevent email abuse, because a spammer would only be able to send a limited number of emails from an account. This effectively gives the system administrator time to find and stop the spammer.

You can configure this in WHM’s Tweak Settings.

Setting SPF and DKIM records for your domains 

SPF and DKIM authentication are ways to prove that an email isn’t forged and to prevent spoofing. A Sender Policy Framework (SPF) record indicates which mail servers are authorized to send mail for a domain. DomainKeys Identified Mail (DKIM) is a method that uses information about a domain which is published by the domain owner. That information allows the receiving server to verify whether the email message was sent by an authorized owner of that domain name. Here you can Enable DKIM and SPF Globally.
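How a receiving server uses an SPF record to decide whether a sending IP is authorized, as an added example (not cPanel’s or Exim’s code). It evaluates the ip4, ip6, include and all mechanisms of RFC 7208 with their qualifiers; the records and domain names are constructed stand-ins for what a DNS TXT lookup would return, and the include handling is simplified (only a pass result from the included record counts as a match).

```python
import ipaddress

# Constructed SPF records standing in for the DNS TXT records a real check would fetch.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 "
                   "include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.25 ~all",
    "strict.example": "v=spf1 -all",
}

# Qualifier prefix -> result when the mechanism matches; "+" is implied when absent.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, records=SPF_RECORDS, depth=0):
    """Reduced SPF check_host(): evaluate the sender IP against the domain's record.
    Returns pass / fail / softfail / neutral / none / permerror like a full evaluator,
    but supports only the ip4, ip6, include and all mechanisms."""
    if depth > 10:
        return "permerror"             # RFC 7208 caps the lookup chain at 10
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                  # no SPF policy published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:                       # v4 address never matches a v6 network and vice versa
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"     # malformed address or prefix in the record
        elif mech == "include":
            matched = check_host(ip, arg, records, depth + 1) == "pass"
        else:
            return "permerror"         # mechanism not handled by this reduced evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                   # nothing matched and no "all" term was present
```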

Configure PHP  

Everyone has the occasional user who leaves something on their server that sends spam, or who does not update things as quickly as they should. Tracking down the spammer can be a real problem, though. If you configure PHP to use suEXEC, ModRuid2, or suPHP, you can improve server security: this configuration lets you know which users run which processes system-wide. Here we will walk through your PHP configuration.

Installing an SSL Certificate on Your Site  

Using an SSL connection helps encrypt your users’ connections and secures any data transferred between the browser and the server. It can also help encrypt your admin data. We automatically install SSL certificates for domains on any cPanel & WHM server; in case you haven’t heard of it already, AutoSSL is your new best friend.

Additional Resources

Even with the length of this post, we’ve omitted a ton of other options. If you’d like to continue learning, take a look at the couple of links we’ve provided here.

Did you find this article helpful? Do you have more you’d like to add? If you have any further questions or concerns, comment below or reach out to us via our Slack or Discord channels. You can even join the discussion on the Official cPanel & WHM Subreddit!