New to cPanel & WHM as an admin
Hello, while I've used cPanel via ISPs before, I'm new to installing and admin'ing it on my own. I have some questions before I even run the install, a bit about server naming convention and then a lot of wondering about ports to open on our border.
For our first web server FQDN I'm considering www1.example.com (note the subdomain). Since we may add additional servers in the future I want to make a server name pattern. In the DNS I'll have an A record to the IP and a CNAME to www. It looks like I need a CNAME of www1 for cPanel license use, but I'd rather not expose the actual server name if possible. It looks like there may be a couple/few license validation methods, I'm not sure about the details.
For ports, I've been scouring https://docs.cpanel.net/knowledge-base/general-systems-administration/how-to-configure-your-firewall-for-cpanel-services/#ports
Perhaps a first question is to present the ports I don't plan on opening. See any problems?
20 - (use SFTP)
21 - (use SFTP)
25 - SMTP (use 465)
110 - POP3 (use IMAP)
143 - IMAP (use 993)
995 - POP3 SSL (use IMAP)
2077, 2078 - (No WebDAV)
2079, 2080 - (No CalDAV / CardDAV)
2082 - cPanel Licensing (use 2083)
2086 - WHM and cPanel Licensing (use 2087)
2095 - Webmail (use 2096)
3306 - SQL remote (not planning to use this)
My next question is about SpamAssassin. We don't plan to do much email with this server, but we don't want to get flooded either. I don't think it will be a problem, but if it becomes one can cPanel add SpamAssassin reasonably easily later? If so, then I don't need these ports for now either. Am I understanding the SpamAssassin port group ok?
7 - Razor
783 - SpamAssassin
2703 - Razor
6277 - DCC for SpamAssassin
24441 - Pyzor for SpamAssassin
Thanks for reading this far, suggestions are appreciated!
-
Hey there! For the server name itself, it really is up to you. The only thing you *can't* do is use a name that you also plan to use for a website. Most people choose something like host1 or www1, so I think you're good there.
While you may not need port 25 opened inbound for your clients, you'll definitely need it opened for outbound mail.
2082 may be helpful if your users enter domain.com/webmail or domain.com/cpanel to access those interfaces, as it initially connects over an insecure port before making the switch.
SpamAssassin is installed by default, so unless you specifically disable that in WHM >> Service Manager, you'll get lots of warnings and notifications if those ports aren't open. However, there's no reason you can't disable the service and then turn it on later.
Let me know if that helps!
0 -
Thanks, that helps a bunch! I'll go with SpamAssassin from the start.
For www1 as a server name does that necessarily have to be in the web site's DNS? Maybe you're saying it cannot be. The site will have www of course.
For port 25 do I just open it as an outbound port, or does it need inbound & outbound for proper negotiations for outbound email?
I see that ports 2086 & 2095 have the same note as 2082, so I think those would be similarly helpful?
A few other port detail questions if you don't mind...
1 - CPAN (just go ahead and open this for Perl module listing?)
26 - SMTP (this looks like an optional plan, do I start without it open?)
579 - cPHulk ("only accept on the 127.0.0.x address". I'm a bit confused here, the chart shows to open it for TCP but there's no checkmark for inbound, outbound or localhost)
953 - PowerDNS ("only accept on the 127.0.0.x address". I'm confused here too, the chart shows to open it for localhost but there's no TCP/UDP/inbound/outbound checkmark)
0 -
Yes, you would still add www1 to the main zone file for domain.com in order to get that to resolve.
For port 25 you could just have it opened outbound if you don't plan to receive mail on this machine.
For the other ports
1 - yes
26 - no, 26 is only used by providers that block 25 so users can send messages through a local mail client
579 - right, there's no external traffic, but the service wants to see the port open in the firewall
953 - same as the issue with 579 - it won't get external traffic, but PowerDNS won't work if it sees it closed.
0 -
Thanks again for the help! <thumbs up>
I'll refine my list for our border admin, then give the cPanel install a go. :^)
0 -
You're very welcome!!!
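An added example, not part of the thread or of cPanel's documentation: a post-install check that ports left closed at the border have no externally bound listener behind them, and that 579 and 953 are bound to loopback only. The port sets are copied from the posts above; the `ss -tlnH` sample is constructed and the function names are hypothetical.

```python
import ipaddress

# Ports the thread leaves closed at the border (poster's list plus port 26).
PLANNED_CLOSED = {20, 21, 26, 110, 143, 995, 2077, 2078, 2079, 2080, 3306}
# Ports the thread says carry no external traffic (cPHulk, PowerDNS).
LOOPBACK_ONLY = {579, 953}

def is_loopback(addr):
    """True if a listener address printed by ss is bound to loopback only."""
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    if addr == "*":                        # wildcard means every address
        return False
    return ipaddress.ip_address(addr).is_loopback

def audit(ss_output):
    """Return sorted (port, address, reason) findings for exposed listeners."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        port = int(port)
        if is_loopback(addr):
            continue  # a loopback-bound service is not reachable from outside
        if port in LOOPBACK_ONLY:
            findings.add((port, addr, "should listen on loopback only"))
        elif port in PLANNED_CLOSED:
            findings.add((port, addr, "planned closed, but service is listening"))
    return sorted(findings)

# Constructed sample of `ss -tlnH` output, not taken from a real server.
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2083 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2087 0.0.0.0:*
LISTEN 0 100 0.0.0.0:21 0.0.0.0:*
LISTEN 0 100 *:110 *:*
LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:579 0.0.0.0:*
LISTEN 0 128 0.0.0.0:953 0.0.0.0:*
LISTEN 0 128 [::1]:953 [::]:*
"""

if __name__ == "__main__":
    for port, addr, reason in audit(SAMPLE):
        print(f"{port:>5}  {addr:<10} {reason}")
```

A finding for a planned-closed port means the border firewall is the only thing keeping that service unreachable, so the service itself is a candidate for disabling.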