# service exim restart
Shutting down clamd:                                       [FAILED]
Shutting down exim:                                        [FAILED]
Shutting down spamd:                                       [FAILED]


# service exim status
exim dead but subsys locked

There are two things to check.

- The presence of /etc/eximdisable. Move this file to /etc/eximdisable-bak and restart exim:

# mv /etc/eximdisable /etc/eximdisable-bak
# service exim restart
Shutting down clamd:                                       [FAILED]
Shutting down exim:                                        [FAILED]
Shutting down spamd:                                       [  OK  ]
Starting clamd:                                            [  OK  ]
Starting exim:                                             [  OK  ]
0 processes (antirelayd) sent signal 9
/usr/local/cpanel/scripts/update_sa_rules: running in background

- The server being out of disk space and/or inodes. Use ‘df -h’ and ‘df -i’ to confirm.

When you log in to WHM and all the IPs are missing.

If avahi is improperly configured and running on your machine, it will withdraw the IPs on either a) a reboot or b) a network restart, so check your logs at /var/log/messages for avahi.
You can either stop avahi or properly register your IPs in avahi so that they are recognized. That service is what causes the issue.

Run the following to restore the IP addresses:

# /etc/rc.d/init.d/ipaliases restart

You may have to restart named to get DNS going again as well, because it cannot bind to the new IPs from ipaliases until it is restarted.

# service named restart

Why this happens is explained here:

https://forums.cpanel.net/threads/cpanel-loses-all-but-primary-ip-address.160393/

CSF Firewall logs the attacks it is blocking in /var/log/messages:


Feb 25 02:13:33 servidor kernel: Firewall: *SYNFLOOD Blocked* IN=eth1 OUT= MAC=00:25:90:de:d3:d5:00:19:e8:f4:7a:3f:08:00 SRC=120.43.114.117 DST=64.150.187.59 LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=21531 DF PROTO=TCP SPT=4760 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

Check the number of connections in a SYN state with:

# netstat -alntp | grep SYN | wc -l

With the following set in your CSF configuration, you will definitely block SYN connections, but legitimate connections as well.


SYNFLOOD = "1"
SYNFLOOD_RATE = "1/s"
SYNFLOOD_BURST = "3"

With the above settings, you will see a drop in SYN connections, but you won’t be able to browse your websites either, since legitimate clients are blocked as well.

The proper solution for heavy attacks is a hardware firewall or CloudFlare.

So if the attack is too heavy, go for any of the above 2 options since re-installation and blocking ports won’t solve the problem.
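Before changing the SYNFLOOD settings, it helps to see which sources and ports the blocked SYNs are hitting. The following is an added example, not part of the original notes; the function names and the sample log lines (documentation-range addresses) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Summarise CSF "*SYNFLOOD Blocked*" kernel log entries by source IP and port.

# Print "<count> <src> <dpt>" for each blocked source/port pair, busiest first.
synflood_summary() {   # $1 = log file, e.g. /var/log/messages
    awk '/\*SYNFLOOD Blocked\*/ {
             src = ""; dpt = ""
             for (i = 1; i <= NF; i++) {
                 if ($i ~ /^SRC=/) src = substr($i, 5)
                 if ($i ~ /^DPT=/) dpt = substr($i, 5)
             }
             if (src != "") hits[src " " dpt]++
         }
         END { for (k in hits) print hits[k], k }' "$1" | sort -k1,1nr -k2,2
}

# Print how many distinct source IPs were blocked.
synflood_distinct_sources() {   # $1 = log file
    synflood_summary "$1" | awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}

# Constructed sample log: three SYNFLOOD hits from one source, one from
# another, and one unrelated TCP_IN block that must not be counted.
write_sample_log() {   # $1 = file to create
    printf '%s\n' \
      'Feb 25 02:13:33 host kernel: Firewall: *SYNFLOOD Blocked* IN=eth1 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4760 DPT=80 SYN URGP=0' \
      'Feb 25 02:13:33 host kernel: Firewall: *SYNFLOOD Blocked* IN=eth1 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4761 DPT=80 SYN URGP=0' \
      'Feb 25 02:13:34 host kernel: Firewall: *SYNFLOOD Blocked* IN=eth1 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4762 DPT=80 SYN URGP=0' \
      'Feb 25 02:13:34 host kernel: Firewall: *SYNFLOOD Blocked* IN=eth1 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN URGP=0' \
      'Feb 25 02:13:35 host kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=23 SYN URGP=0' \
      > "$1"
}

# Demo on the constructed sample; on a server, pass /var/log/messages instead.
log=$(mktemp) && write_sample_log "$log"
synflood_summary "$log"
echo "distinct sources: $(synflood_distinct_sources "$log")"
rm -f "$log"
```

Many distinct sources with only a few hits each is the pattern to look for when a tight SYNFLOOD_RATE is catching ordinary visitors.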

If you want everyone on the server to send out on the same IP, just add the following to /etc/mailips:


# nano /etc/mailips
*: xxx.xxx.xxx.xxx

Then add the IP and its matching PTR to /etc/mail_reverse_dns:

# nano /etc/mail_reverse_dns
xxx.xxx.xxx.xxx: hostname.tld

This will tell Exim to use that IP for any sender on the server.

Restart exim

# service exim restart

Check /etc/mailips permissions:


# ls -lah /etc/mailips

It should show the following:


# ls -lah /etc/mailips
-rw-r----- 1 root mail 0 Mar 11 21:40 /etc/mailips

If it does not show root:mail for ownership, then fix that:

# chown root:mail /etc/mailips

If it doesn’t show 640 for file permissions, fix that:


# chmod 640 /etc/mailips

If it does have the right ownership and permissions, then next check the file isn’t set to be immutable:


# lsattr /etc/mailips

It might look like the following if it is okay:


# lsattr /etc/mailips
-------A----- /etc/mailips

Or like the following if it is unwritable:

# lsattr /etc/mailips
----i--------e- /etc/mailips

An uppercase A is fine. If it has a lowercase i or a lowercase a, then it isn’t fine, and those need to be removed:


# chattr -ia /etc/mailips

Now it looks like this:

# lsattr /etc/mailips
-------------e- /etc/mailips
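The ownership, mode and attribute checks above can be run in one read-only pass. This is an added example, not part of the original notes; the function names are made up for illustration, and it assumes GNU stat and lsattr as found on a typical cPanel host.

```bash
#!/usr/bin/env bash
# Audit ownership, mode and attributes of /etc/mailips. Read-only: it reports
# what to fix with chown/chmod/chattr but changes nothing itself.

# $1 = "owner:group mode" as printed by: stat -c '%U:%G %a' FILE
perm_findings() {
    local owner mode
    owner="${1%% *}"
    mode="${1##* }"
    [ "$owner" = "root:mail" ] || echo "ownership is $owner, expected root:mail"
    [ "$mode" = "640" ] || echo "mode is $mode, expected 640"
    return 0
}

# $1 = one line of lsattr output, e.g. "----i--------e- /etc/mailips"
attr_findings() {
    local flags
    flags="${1%% *}"
    # case is case-sensitive, so the harmless uppercase A never matches here.
    case $flags in *i*) echo "immutable (i) attribute set" ;; esac
    case $flags in *a*) echo "append-only (a) attribute set" ;; esac
    return 0
}

# Run both checks on a real file; prints nothing when the file is fine.
audit_mail_file() {
    local file
    file="${1:-/etc/mailips}"
    perm_findings "$(stat -c '%U:%G %a' "$file")"
    attr_findings "$(lsattr "$file" 2>/dev/null)"
}

# Demo: the unwritable lsattr line shown on this page, then the live file if
# this host has one.
attr_findings "----i--------e- /etc/mailips"
if [ -e /etc/mailips ]; then audit_mail_file /etc/mailips; fi
```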

To enable WHM to automatically configure Exim to send mail from each domain’s dedicated IP address, perform the following steps:
You must have root user privileges on the server to configure Exim in this way.

If you manage the rDNS for your IP addresses, modify the rDNS for the IP address of each domain so that it points to that domain. If you do not manage the rDNS for your IP addresses, contact the owner of the IP addresses and request that they modify the rDNS for each IP address to point to each domain.

An incorrect rDNS configuration may cause mail servers to reject your server’s mail.

Enable the Send mail from account’s dedicated IP address option in WHM’s Exim Configuration Manager interface (Home >> Service Configuration >> Exim Configuration Manager).

If you select this option, cPanel & WHM uses the /usr/local/cpanel/scripts/updateuserdomains script to automatically configure Exim, and overrides any manual changes in the following files:


/etc/mailhelo
/etc/mailips
/etc/mail_reverse_dns  

How to manually configure Exim’s outgoing IP addresses

To use a custom Exim configuration, enable the following options in WHM’s Exim Configuration Manager – Basic Editor interface (Home >> Service Configuration >> Exim Configuration Manager):

- Reference /etc/mailhelo for outgoing SMTP HELO
- Reference /etc/mailips for outgoing SMTP connections

The /etc/mailhelo file

The /etc/mailhelo file contains Exim’s configuration for the HELO command. Exim uses the HELO command to initiate dialog between a mail server and a client. This file governs which domain should send the HELO command.
To create the /etc/mailhelo file, use a text editor such as nano, vi, or vim.
The following is example content of a /etc/mailhelo file:


example.com: example.com
sub.example.com: example.com
example.net: example.net
addon.example.net: example.net
*: hostname.example.com 

The /etc/mailips file
This file controls the IP address from which each domain should send mail. Your file should be similar to the following example:


example.com: 192.168.0.2
sub.example.com: 192.168.0.2
example.net: 192.168.0.3
addon.example.net: 192.168.0.3
*: 192.168.0.1

In the example above, the system will use the asterisk (*) entry to direct outbound mail for domains without entries within this file. In this case, this is your server’s main shared IP address. You can set it to another IP address if you ensure that the asterisk entry in the /etc/mailhelo file has the appropriate domain name.

Be sure to use only valid IP addresses that are publicly accessible via the Internet.

The /etc/mail_reverse_dns file
This file controls the domains that are associated with the IP addresses from which mail should send. Your file should be similar to the following example:


192.168.0.2: example.com
192.168.0.2: sub.example.com
192.168.0.3: example.net
192.168.0.3: addon.example.net
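When these three files are maintained by hand they drift apart easily. The following added example (not part of the original notes or of cPanel) lists sending IPs that have no /etc/mail_reverse_dns line and /etc/mailips keys that have no line of their own in /etc/mailhelo; the function names and sample files are constructed, and the "key: value" layout shown above is assumed.

```bash
#!/usr/bin/env bash
# Cross-check the "key: value" maps Exim reads on a cPanel server.

# Print cleaned "key value" pairs from one map file, skipping blanks/comments.
map_pairs() {   # $1 = map file
    awk '{ sub(/[ \t\r]+$/, "") }
         /^[ \t]*#/ || /^[ \t]*$/ { next }
         { i = index($0, ": "); if (!i) next
           val = substr($0, i + 2); sub(/^[ \t]+/, "", val)
           print substr($0, 1, i - 1), val }' "$1"
}

# IPs that mailips sends from but that have no line in mail_reverse_dns.
ips_without_rdns() {   # $1 = mailips, $2 = mail_reverse_dns
    { map_pairs "$2" | sed 's/^/R /'; map_pairs "$1" | sed 's/^/M /'; } |
        awk '$1 == "R" { rdns[$2] = 1 }
             $1 == "M" && !($3 in rdns) { print $3 }' | sort -u
}

# Keys in mailips that have no line of their own in mailhelo.
domains_without_helo() {   # $1 = mailips, $2 = mailhelo
    { map_pairs "$2" | sed 's/^/H /'; map_pairs "$1" | sed 's/^/M /'; } |
        awk '$1 == "H" { helo[$2] = 1 }
             $1 == "M" && !($2 in helo) { print $2 }' | sort -u
}

# Constructed sample files (documentation-range IPs): example.net has an IP
# in mailips but no rDNS line and no HELO line.
write_samples() {   # $1 = directory to write into
    printf '%s\n' 'example.com: 203.0.113.2' 'example.net: 203.0.113.3' \
                  '*: 203.0.113.1' > "$1/mailips"
    printf '%s\n' 'example.com: example.com' \
                  '*: hostname.example.com ' > "$1/mailhelo"
    printf '%s\n' '203.0.113.1: hostname.example.com' \
                  '203.0.113.2: example.com' > "$1/mail_reverse_dns"
}

# Demo on the samples; on a server, pass the real /etc paths instead.
demo=$(mktemp -d) && write_samples "$demo"
echo "IPs without rDNS line: $(ips_without_rdns "$demo/mailips" "$demo/mail_reverse_dns")"
echo "Keys without HELO line: $(domains_without_helo "$demo/mailips" "$demo/mailhelo")"
rm -rf "$demo"
```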

Go to cPanel > Cron Jobs > Standard.
At the top is an email field.
Change it to an alternate email address.

Or

The way to change the email account WHMCS sends the daily cron reports to:

1. Log in to WHMCS.
2. Click on Configuration -> Administrators.
3. Click on the little edit-button for the full administrator.
4. Change the email address.

Alternatively, if you want to prevent these emails being sent out altogether, go to:
1. Configuration -> Administrator Roles -> Full Administrator.
2. Uncheck the box right at the bottom that says ‘System Emails’.