Shared IPs - Mail IPs

curdude

Hello,

Ran into an interesting problem. Have a reseller on the VPS of which one of its clients got hacked and injected a bunch of spam into the system. This of course poisoned the main IP address. So decided to give the reseller (and their sites) their own shared IP address to prevent them from blacklisting the main IP again thus compromising the rest of the other folks on the VPS.

Turns out by swapping out an IP address the mail IP does not change. It continues to be the same as the main IP address. In other words you can have one reseller mess up your main IP address if one of their sites gets compromised.

According to WHM/cPanel, if you give a site a dedicated IP address, the mail IP and select the correct option in the WHM interface, the mail IP will change to the dedicated IP address. Tried this and wrong again, did not work (interestingly a few of my sites that have dedicated IP addresses did have dedicated mail IPs without this option turned on). KH tech baffled also.

In any event, does anyone have any ideas of how to use shared IPs and also have that IP become the mail IP for those sites without using the main IP?

Thanks.
 
I'm in the same boat for exactly the same reasons. There was what seems to be a solution on a recent thread I replied to but I haven't tried it yet.
 
Hello adev,

The cPanel folks came in and fixed it. Here are some comments / directions that may also help you (and others).

----------------------------------------------------------------
This is happening because the file that exim reads to determine which IP each domain uses (/etc/mailips) was blank. It was not being populated by the Exim Configuration Manager, when enabling the option "Send mail from account’s dedicated IP address", as it should have been.

This is a known issue related to the option "Reference /etc/mailips for outgoing SMTP connections" already being enabled when the dedicated IP option was enabled. This causes a conflict in which the mailips file is silently overwritten as being empty. We have an internal case (CPANEL-2711) to have this behavior remedied. Unfortunately, an estimated time for resolution is not currently available.

Fortunately, there is a documented workaround.

First disable the initial options where everything is off, and save the configuration.

OFF - Send mail from account’s dedicated IP address
OFF - Reference /etc/mailhelo for outgoing SMTP HELO
OFF - Reference /etc/mailips for outgoing SMTP connections

Then go back and turn on ONLY the option for the dedicated IP address.

ON - Send mail from account’s dedicated IP address
OFF - Reference /etc/mailhelo for outgoing SMTP HELO
OFF - Reference /etc/mailips for outgoing SMTP connections

Now email will be sent out according to the ip address dedicated to the account. Should you have any further questions or concerns, please do let us know.
----------------------------------------------------------------
 
Just ssh into your server and edit the mailips file located in /etc/mailips
It will look something like
Code:
*: 123.45.67.89
Which means ALL emails go out on that ip.
Change it to add the IP you want the specific domain to use, for example...
Code:
mydomain.com: 89.67.45.123
*: 123.45.67.89
which now makes the desired domain use the IP you specify and all others use the wildcard IP.

More info can be found: https://documentation.cpanel.net/display/CKB/How+to+Configure+Exim's+Outgoing+IP+Address

What you set of course will work too.
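
An added example, not part of the original posts and not cPanel's own code: a small Python check for the contents of /etc/mailips in the `domain: ip` format shown above. It flags the empty-file condition cPanel support described and reports which domains still fall back to the `*` wildcard IP. The domain names and documentation-range IPs are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the format shown in the post above (documentation-range IPs).
SAMPLE_MAILIPS = """\
reseller-site.example: 198.51.100.20
*: 192.0.2.10
"""

def parse_mailips(text):
    """Return ({domain: ip}, [problems]) for the contents of a mailips file."""
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # Split on the first colon only, so the address part may contain colons.
        domain, sep, ip = line.partition(":")
        domain, ip = domain.strip().lower(), ip.strip()
        if not sep or not domain:
            problems.append(f"line {lineno}: expected 'domain: ip', got {raw!r}")
            continue
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"line {lineno}: {ip!r} is not a valid IP address")
            continue
        if domain in entries:
            problems.append(f"line {lineno}: duplicate entry for {domain}")
            continue
        entries[domain] = ip
    if not entries:
        problems.append("no usable entries: file is empty or blank")
    return entries, problems

def outgoing_ip(entries, domain):
    """IP a domain would send from: its own line, else the '*' wildcard, else None."""
    return entries.get(domain.lower(), entries.get("*"))

def audit(text, domains):
    """Map each domain to (ip, on_wildcard) so domains sharing the wildcard IP stand out."""
    entries, problems = parse_mailips(text)
    report = {d: (outgoing_ip(entries, d), d.lower() not in entries) for d in domains}
    return report, problems

if __name__ == "__main__":
    report, problems = audit(SAMPLE_MAILIPS, ["reseller-site.example", "other-site.example"])
    for domain, (ip, shared) in report.items():
        print(f"{domain}: {ip} ({'wildcard' if shared else 'own entry'})")
    for p in problems:
        print("PROBLEM:", p)
```

On a real server, pass the text read from /etc/mailips and the list of domains hosted under the reseller in place of the constructed sample.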
 
One question: on the VPS (default KH setup) I have the shared SSL certificate that came with the server. Currently to send mail over SSL the SMTP server has to be set as host.server-domain.com rather than mail.customersdomain.com.

With the setup above, can SSL still be used and will it still use the specified IP address rather than the shared one that the SSL is on?
 
You could do a simple test email for each SMTP domain, then check the sending server's IP in the header.

But to answer your question, yes. It won't matter what you use for the SMTP server, you can use any domain that points to your server or just an IP. Once that email gets to the server it will send it using the specified IP for the user's domain.

Additionally, you can issue a self-signed SSL cert to the user's domain to allow them to use their own domain for the POP/IMAP/SMTP server, but they'll get untrusted cert warnings. To get around the cert warning, just buy a wildcard SSL cert for that user's domain, or if you really want to save just a few bucks you can just get a cert for mail.yourdomain.com. In either case they don't cost much anymore.

For my important accounts I just set them to use mail.mydomain.com for secure email, they really don't care or know the difference, because really there is none. My less profitable accounts that ask about SSL I have them pay for or buy their own cert.

Cheers!
 