Limit access to your email inbox on cPanel with a firewall | LWS

Procedure

To prevent unauthorised access to an email address, you can use the Email Firewall tool on our cPanel servers to restrict POP and IMAP access to these inboxes. This way, even if a password is leaked, the mailbox can only be accessed over POP and IMAP from the countries or IP addresses you have chosen.

What restrictions can be configured on Email Firewall?

You can authorise or block access to segments of the Internet network. Authorisation or blocking applies to the POP and IMAP protocols, i.e. to email software (Outlook, Thunderbird, etc.) and does not apply to webmail access.

To select a segment of the Internet network, you can use:

  • An IP address or address range
  • An AS (Autonomous System) number: each ISP has its own AS number, so you can restrict access to a specific ISP.
  • A country

You can also authorise or block IP addresses identified as non-residential, i.e. IP addresses that do not correspond to traditional internet subscriptions (internet box, 4G connection, etc.) but to servers, data centre equipment, VPNs, etc.

How do I configure blocking/authorisation rules?

In your cPanel control panel, click on the Email Firewall icon in the E-mail section.

A list of your mailboxes will then be displayed. Click on the "Configure rules" button corresponding to the email address you wish to configure:

You will then be presented with a list of the rules currently in effect:

You can then:

  1. Change the default action: what happens when a connection does not match any of the rules
  2. Add a new rule

Create a new rule

By clicking on the "Add a rule" button (2), you can add a new rule to the firewall:

You can then enter the part of the network to which you want to control access:

  • IP address or network range in CIDR notation. Examples:
    • 1.2.3.4 to block or allow IP address 1.2.3.4
    • 1.2.3.4/24 to block or allow the IP addresses 1.2.3.0 to 1.2.3.255 (find out more about CIDR notation).
  • AS (Autonomous System) number. Example: 210403. You can find your ISP's AS number using Cloudflare's Radar tool or PeeringDB.
  • Country. Example: France
  • Non-residential IP address.

Choose the action you want to take, i.e. block or authorise all connections from an internet connection matching the criterion mentioned, and click "Save" to save your settings.

You can then rearrange the order of priority of the newly created rules using the 'Up' and 'Down' buttons.

Rule priority

With rule priority, you can set up exclusions on your rules. The firewall system applies rules from top to bottom. In the case of the previous screenshot:

  • Blocking non-residential IP addresses (rule no. 1) takes precedence over authorising the IP address block 1.2.3.4/32 (rule no. 2). This means that the IP address 1.2.3.4 will be blocked by rule no. 1 if it corresponds to a non-residential IP address, even if it is authorised by rule no. 2.
  • The authorisation of the 1.2.3.4/32 IP address block (rule no. 2) overrides the blocking of the United States (rule no. 3). This means that the IP address 1.2.3.4 will be authorised by rule no. 2 even if it comes from the United States.

If the connection does not match any rule in the list, then it will be handled by the default action.
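
The top-to-bottom, first-match behaviour described above can be modelled in a few lines. This is an added example, not LWS or cPanel code: the `Rule` and `Connection` types, the AS number 64500 and the connection attributes are constructed for illustration, and the real tool derives country, AS number and residential status itself.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    kind: str    # "ip", "asn", "country" or "non_residential"
    value: str   # CIDR block, AS number or country name ("" for non_residential)
    action: str  # "block" or "allow"

@dataclass
class Connection:
    # Constructed attributes; the real tool looks these up from the source IP.
    ip: str
    asn: int
    country: str
    residential: bool

def matches(rule, conn):
    if rule.kind == "ip":
        # strict=False accepts 1.2.3.4/24 and reads it as 1.2.3.0-1.2.3.255
        net = ipaddress.ip_network(rule.value, strict=False)
        return ipaddress.ip_address(conn.ip) in net
    if rule.kind == "asn":
        return conn.asn == int(rule.value)
    if rule.kind == "country":
        return conn.country == rule.value
    if rule.kind == "non_residential":
        return not conn.residential
    raise ValueError(f"unknown rule kind: {rule.kind}")

def evaluate(rules, conn, default_action):
    """Return (action, rule_number); rule_number is None for the default action."""
    for number, rule in enumerate(rules, start=1):  # top to bottom, first match wins
        if matches(rule, conn):
            return rule.action, number
    return default_action, None

# The three rules discussed above, in priority order.
RULES = [
    Rule("non_residential", "", "block"),       # rule no. 1
    Rule("ip", "1.2.3.4/32", "allow"),          # rule no. 2
    Rule("country", "United States", "block"),  # rule no. 3
]

if __name__ == "__main__":
    hosted = Connection("1.2.3.4", 64500, "United States", residential=False)
    home = Connection("1.2.3.4", 64500, "United States", residential=True)
    print(evaluate(RULES, hosted, "allow"))  # stopped by rule no. 1
    print(evaluate(RULES, home, "allow"))    # authorised by rule no. 2
```

Moving the allow rule above the non-residential rule in `RULES` changes the first result, which is the effect of the 'Up' and 'Down' buttons.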

Deleting a rule

To delete an existing rule, simply click on the Delete button corresponding to the rule line you wish to delete.

Diagnosing a POP/IMAP connection problem

If you are having trouble connecting to an email box, it may be because of one of the firewall rules associated with it. The reason is indicated in the error message returned by the server:

In this example, the error message returned by the server is: "Access denied by email firewall rule no. 1". Here are the two types of error message returned by the server in connection with the email firewall tool:

  • Access denied by email firewall rule no. XX: your connection is blocked by a particular rule. You can search for the rule by its priority number in the interface.
  • Access denied by email firewall default behavior settings: your connection does not correspond to any particular rule and has been blocked by the default action of the email firewall.

Unfortunately, some email programs (such as Mozilla Thunderbird) do not display the error message returned by the server, and only provide a generic message:

In this type of situation, you need to consult the connection logs to find out the reason for the block. To do this, first retrieve the IP address of your current Internet connection from https://monip.lws.fr (or any other public IP address detection tool).

Once you have this, go to the "Logs" tool in cPanel:

In the "Email log files" section (1), retrieve the history of connections to your IMAP or POP (2) email boxes:

Then select the mailbox concerned:

The blocking events linked to the mailbox will then be listed, so you can find the events linked to your IP address:

You can use the filter tool to restrict the display to a particular IP address or message.

Here are the messages linked to the email firewall tool:

  • Authentication blocked by email firewall rule no. XX (non-residential IP). IP: 0.0.0.0, Username: johndoe@example.com: this means that the rule indicated has blocked the IP address, because this IP address is a non-residential address.
  • Authentication blocked by email firewall rule no. XX (restricted IP/net block). IP: 0.0.0.0, Username: johndoe@example.com: this means that the rule indicated has blocked the IP address, as it corresponds to the IP address block indicated.
  • Authentication blocked by email firewall rule no. XX (restricted AS number). IP: 0.0.0.0, Username: johndoe@example.com: this means that the rule indicated has blocked the IP address, as it belongs to the AS number indicated.
  • Authentication blocked by email firewall rule no. XX (restricted country). IP: 0.0.0.0, Username: johndoe@example.com: this means that the rule indicated has blocked the IP address, because it is in the country indicated.
  • Authentication blocked by default email firewall behaviour. IP: 0.0.0.0, Username: johndoe@example.com: this means that the connection comes from an IP address that does not correspond to any rule, and that the default action blocks the connection.
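
If you export or copy these log entries, a short script can pick out the rule that blocked a given IP address and count blocks per rule. This is an added example, not an LWS tool: the sample lines are constructed from the message formats listed above using documentation IP addresses, and the assumption that a real entry may carry a timestamp or other prefix is handled by searching rather than matching from the start of the line.

```python
import re
from collections import Counter

# Covers both message families listed above (rule-based and default action).
BLOCK_RE = re.compile(
    r"Authentication blocked by "
    r"(?:email firewall rule no\. (?P<rule>\d+) \((?P<reason>[^)]+)\)"
    r"|default email firewall behaviour)\. "
    r"IP: (?P<ip>[0-9A-Fa-f.:]+), Username:\s*(?P<user>\S+)"
)

def parse_line(line):
    """Return a dict for an email firewall block message, else None."""
    m = BLOCK_RE.search(line)
    if m is None:
        return None
    rule = m.group("rule")
    return {
        "rule": int(rule) if rule else None,  # None means the default action
        "reason": m.group("reason") or "default action",
        "ip": m.group("ip"),
        "user": m.group("user"),
    }

def blocks_for_ip(lines, ip):
    """All block events recorded for one source IP address."""
    events = (parse_line(line) for line in lines)
    return [e for e in events if e and e["ip"] == ip]

def blocks_per_rule(lines):
    """Number of block events per rule number, with 'default' for the default action."""
    events = (parse_line(line) for line in lines)
    return Counter("default" if e["rule"] is None else e["rule"] for e in events if e)

# Constructed sample entries (not real log data).
SAMPLE_LOG = [
    "Authentication blocked by email firewall rule no. 1 (non-residential IP). "
    "IP: 198.51.100.23, Username: johndoe@example.com",
    "Authentication blocked by email firewall rule no. 3 (restricted country). "
    "IP: 203.0.113.7, Username: johndoe@example.com",
    "Authentication blocked by email firewall rule no. 3 (restricted country). "
    "IP: 203.0.113.7, Username: johndoe@example.com",
    "Authentication blocked by default email firewall behaviour. "
    "IP: 192.0.2.50, Username:johndoe@example.com",
    "Some unrelated log entry",
]

if __name__ == "__main__":
    for event in blocks_for_ip(SAMPLE_LOG, "203.0.113.7"):
        print(event["rule"], event["reason"], event["user"])
    print(dict(blocks_per_rule(SAMPLE_LOG)))
```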

Once you've identified the rule, you can reorganise the order of your rules, readjust the default action or add or remove any rules that don't suit you.
