
SMTP Security Tweak in WHM


webresellers


I am experiencing something and I am not 100% sure.

I am using SMTP to send WHMCS emails. I have the domain, user, password fields populated with the dropdown set to SMTP.

I am using an actual pop3 account with above information.

If I turn on the TWEAK SECURITY / SMTP TWEAK, my email fails to leave WHMCS, yet if I turn it off, everything works.

I have checked and unchecked the localhost connect to port 25, doesn't make any difference.

I don't see why this should be popping up if I am using smtp and authenticating to pop3/smtp.

Any ideas?


  • 1 month later...

The "tweak security" box stops connections on port 25 outbound, so presumably it's blocking WHMCS's attempts to connect to your SMTP server. The problem here is probably that you're using your server IP or hostname instead of "localhost" which (I think) avoids the port 25 restriction. Try using localhost and see if that solves the problem, that'd be my next step.

 

Based on what you've said above, it looks like you've tried localhost, so perhaps the Tweak SMTP setting is actually blocking localhost access as well. You may also want to look at using a better firewall on your server - providing it's cpanel the best firewall out is http://www.configserver.com/cp/csf.htm. (In this case, best = most recent, with most security checks built in).

 

Hopefully you're running phpsuexec on the server you're running WHMCS on - without it, you are allowing some incredibly serious future security problems (you might as well post your WHMCS database up for open access on the web somewhere! :))


> Hopefully you're running phpsuexec on the server you're running WHMCS on - without it, you are allowing some incredibly serious future security problems (you might as well post your WHMCS database up for open access on the web somewhere! :))

Are you talking about some specific issue you found? Or is it just the risks any webserver has when running without phpsuexec?


It's **not** a bug, problem or weakness in WHMCS, just to emphasize that.

 

It's a generic problem with insecurity of PHP files - they're all readable to all users on the server if you don't run under PHPsuexec, simple as that. Guess what those files contain - will leave the rest to your imagination! Any package with database files running on a non-PHPsuexec server would be vulnerable like this. Granted, you need a local account, of course, but subverting an insecure script somewhere else on the server would give the varmints the same access as having a local account.

 

It's important to understand this weakness takes on a whole new level of importance when it's a sensitive billing database - containing user passwords, WHM passwords (although encrypted), and cc info. I suspect all this is encrypted in WHMCS and so is probably safer than nothing, but I like to see several strong barriers between the public and information this sensitive.
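
An added example, not code from this thread or from WHMCS: a Python audit that lists the PHP files under a document root that any other local account can read, which is the exposure described in the post above. File and directory names are hypothetical, the sample tree is constructed, and the directories above the chosen root are assumed to be traversable by other users.

```python
import os
import stat
import tempfile

def audit_world_readable(root, suffixes=(".php",)):
    """Return sorted paths (relative to root) of matching regular files that
    any local account can read: the o+r bit is set on the file and every
    directory between root and the file has o+x."""
    if not os.lstat(root).st_mode & stat.S_IXOTH:
        return []  # other users cannot enter root at all
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune directories without o+x: nothing below them is reachable.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_mode & stat.S_IXOTH]
        for name in filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if (name.endswith(suffixes) and stat.S_ISREG(mode)
                    and mode & stat.S_IROTH):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)

def build_sample_tree(base):
    """Create a constructed docroot (hypothetical file names) under base."""
    files = {
        "public_html/configuration.php": 0o644,  # readable by every account
        "public_html/index.php": 0o600,          # owner only
        "public_html/private/db.php": 0o644,     # shielded by 0700 parent
        "public_html/readme.txt": 0o644,         # not a PHP file
    }
    for rel, mode in files.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("<?php /* constructed sample */\n")
        os.chmod(full, mode)
    os.chmod(os.path.join(base, "public_html"), 0o755)
    os.chmod(os.path.join(base, "public_html", "private"), 0o700)
    return os.path.join(base, "public_html")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path in audit_world_readable(build_sample_tree(tmp)):
            print("world-readable:", path)
```

When PHP runs as the account owner, files it reports can be tightened to owner-only modes; when PHP runs as a shared web-server user, that user still needs read access, so the report shows what stays exposed.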
