
Ability to disable Default Mailbox

Nathan Lierbo shared this idea 8 years ago
Open Discussion

For what it's worth ...


The existence of a cPanel user's mailbox is a pain in the butt. I do not know of a single customer who uses it. They create their own email addresses and happily use those. Once or twice a month, I spend several hours manually reviewing the cPanel user's mailbox and usually just empty them out.


What I would like to see ...


The ability to not have such an account, but to REQUIRE the user to specify an account to receive such messages ON THE USER'S DOMAIN ONLY. Internally, cPanel can send all user account messages to the user-specified email account, and that account CANNOT BE DELETED until a new account is selected by the user to receive the system messages.


I also see having an email address that matches a username as being a potential security weakness.


Original thread: http://forums.cpanel.net/f145/existence-cpanel-users-mailbox-pain-case-44262-a-134421.html

Comments (19)

4

I would like to request an option that removes the default email from the cPanel and the ability to send from and send to the default email. Any email active on the cPanel account has to be added or nothing would be available.

This would avoid confusion from customers using the default account and not knowing it.

This would avoid email issues from customers having the wrong default option.

It would have better spam tracking.

It would have less spam in the queue and on the server.

It will block spammers that use the default address for compromised accounts or weak scripts.

It will simplify the cPanel for new users.

It would also allow the customer to only learn one option to manage email rather than what the default email and process is for.

Ideally an option in the tweak settings that would change the feature manager and the email system to remove all ability for default emails.

They could still do a catch all email but only based on an address added.

Allowing a catch all to an external email is just leaving the server to get blacklisted from free email services.

3

This would be a nice feature. I often find boxes with 1,000,000+ emails in the catchall, wasting gigs of disk space.

2

The ability to disable or turn off the default email address would be good enough for me. I often find accounts being hacked through poor scripts are using the default email address to send out tonnes of spam. If I could turn the default email address off I would at least be able to prevent accounts that are often hacked from sending out any more emails and blacklisting the server.

2

Yes yes yes! How is it possible that this feature doesn't already exist? It's ludicrous to have each cPanel account building up hundreds of MB of junk that no one will EVER read, it just leaves us webmasters having to regularly clean up the mess. WHAT IS THE POINT??

1

To be clear, are we talking about the default address or the cpaneluser[at]server.example.tld email address?


These are really two different things that get confused a lot.


The default address refers to the email account that collects email for unrouteable email addresses, i.e. asdf[at]example.tld (assuming you don't have asdf[at]example.tld set up as a forwarder or mail account) or jkl[at]example.tld.


cpaneluser[at]server.example.tld refers to... well just that, cpaneluser[at]server.example.tld. This refers to the mail files (new, cur, tmp) located in /home/cpaneluser/mail


I think a lot of people confuse these two because commonly the default address is set to collect at cpaneluser[at]server.example.tld.


I don't think you can get rid of cpaneluser[at]server.example.tld. For one, if you send an email through a PHP script on an account, and you don't set the envelope-sender (and assuming you aren't using mod_php in Apache), then this message will default its envelope-sender to cpaneluser[at]server.example.tld and any bounceback message will go to cpaneluser[at]server.example.tld. This will happen regardless of what you have your default address set to. This just underscores that there is a difference between the default address and cpaneluser[at]server.example.tld.


For the default address, there is a setting in root's WHM, under Tweak Settings - Initial default/catch-all forwarder destination - that can be set to Fail (probably the recommended solution), Blackhole (probably not recommended), or System Account (i.e. cpaneluser[at]server.example.tld).


Fail is going to reject a message at SMTP time. When someone sends a message to asdf[at]example.tld (and again, assuming this doesn't exist as a forwarder or mail account) it's going to lookup the default address. When the default address is set to Fail, your server is not going to accept the message. It's going to be immediately rejected. The sending server will get a 550 response back and it will be up to the sending server to handle this, usually in the form of generating a bounceback message to the original envelope-sender.


Blackhole is a silent discard. When someone sends a message to asdf[at]example.tld and the default address is set to blackhole, your server will accept the message. It will process the message, but it won't deliver it anywhere; it will just delete it. The reason this typically isn't recommended is because it wastes server resources (perhaps just a minuscule amount) processing the message only to delete it.


System Account is delivering the message, essentially to cpaneluser[at]server.example.tld.


Alternatively, a user can log into their cPanel and change the default address to deliver messages to any email address, i.e. iexist[at]example.tld or iexist[at]hotmail.com, or even idontexist[at]hotmail.com. Generally setting your default address to deliver messages to some remote email address is a bad, bad, bad idea. And I tend to agree that setting your default address to deliver to any email account is generally a bad idea; mostly it just receives spam. But if a user is educated enough to know what the default address is, they may have a need for it (just don't come crying to me complaining that it receives too much spam).


I would suggest setting the Initial default/catch-all forwarder destination in Tweak Settings to Fail. Perhaps cPanel should consider setting this to Fail by default on new installs. But otherwise administrators should change this setting on any new server setups.

2

If there is no default email, then any PHP scripts will have the email go nowhere, which is better. Just like any un-routed email when you choose Fail like almost all admins do now.


PHP scripts should be troubleshot with error logs, not email. All this does is fill up the email with thousands of pointless messages that 90% of web hosting users don't ever check. It's an outdated feature that has no relevant purpose now.

1

EXACTLY! The default email (catch-all) option should have been deprecated long ago, because all it does is exactly what you said - fills up with tons of messages that the end-user never bothers to check or read, and then a year down the road we get a ticket asking "how come we're getting inbox quota alerts?" or "how am I using so many iNodes" etc...


I simply implemented the strategy years ago of not allowing the "Default Address Manager" to appear in user cPanels, and "Initial default/catch-all forwarder destination" is set to FAIL.


That way users cannot create a "default / catch-all" account, and are responsible for just monitoring the email accounts that they create.


And that's kind of the point of this feature request, isn't it? To put an end to the many issues that the "Default Address" creates for us?


Thanks for your post WebHost.pro - I'm glad to see that someone gets it. There's almost no such thing as a shared hosting user that doesn't have a PHP script these days (WordPress is everywhere) and those scripts are generating email notices 24/7 which if left up to the end user would just sit in a "default" account untouched & not viewed forever. The catch-all mindset needs to be deprecated. It's dangerous in a lot more ways than just PHP script alert buildup. Allow a default / catch-all on your service and just see how long it takes before your users start getting listed as backscatterers (especially the ones who just have to have that "vacation auto responder" despite the fact that the only people contacting them have their phone number and know they're on vacation already anyway, so it's just the spammers who get joy out of the catch-all accounts with auto-responders, while making the lives of shared hosting admins a living hell & spending hours each day doing damage control).


Sorry, I'm a little crabby today, but it's because of the ridiculous issues that crop up every day when complete novice users are given the power to do really dumb stuff with their email setups and scripts. ;)

1

No, you're confusing default address with server user email address.


Set up a new web hosting account on your server. Set the default address for that account to fail messages. Send a message to theaccountusername@yourfullyqualifiedserverhostname.tld. Log into webmail for theaccountusername (http://yourfullyqualifiedserverhostname.tld/webmail Username: theaccountusername / Password: itspassword). Tada! There be your message. (Because in this example, we aren't using the "default" address).


You can't get rid of theaccountusername@yourfullyqualifiedserverhostname.tld email address. You just can't. Besides that, you should never send an email using an envelope-sender that rejects mail (if you want to blackhole it or /dev/null it, that's fine by me). Sending an email out using an envelope-sender that rejects messages (i.e. fails) means that that message will fail a sender callout if a recipient's server is so inclined to do a sender callout.


By default, unless PHP scripts that send mail explicitly set an envelope-sender (and assuming you are using suPHP or some form of PHP handler that runs PHP as the VirtualHost's owner), mail is going to be sent out with an envelope-sender of theaccountusername@yourfullyqualifiedserverhostname.tld. That means that if someone sets a PHP script to send a message to idontexist@someothermailserver.tld, then that message is going to bounce back to theaccountusername@yourfullyqualifiedserverhostname.tld (the envelope-sender). You want this to happen. Now if you don't want the bounce back message, the question should be "why are you sending an email to idontexist@someothermailserver.tld?" Which usually results in a response that equates to "I don't know." Well, come on people, get a little bit smarter. Don't send emails to addresses that you don't know if they exist. And if you mistakenly send an email to a wrong email address, one that doesn't exist, then you want the bounce back message that tells you as such.

3

No, I'm not. The default email in cPanel is a catch-all for junk from the site even if you use the default fail option. If I searched our server network right now, even with the default email set to fail on all accounts, we will still find hundreds of accounts with tens of thousands of default emails with mass amounts of junk, from PHP errors to bounced emails to cPanel alerts.


On top of all the wasted resources on the server to keep track of the massive pointless email the default email also confuses customers.


There should be an option to remove all email from an account.

2

It also triggers open relay errors.

2

Hello.


We need this feature!


You can turn off this default email address OR automatically remove email messages from the inbox of the default email address.


The default email address in general has only SPAM messages, which take up a lot of web space.

1

Hello,

Default webmail is a pain; it confuses users about disk space.

1

Hello.

We are using a filter to remove all emails from the default email box.

1

Agree! This is an artifact of an old ISP reality where many people used their personal domains for mail and web as a matter of course. Now almost every client is going to either be on corporate Exchange, GSuite, free email, or Office 365.

We too have developed scripts to purge spam - and also remove the automatically created mail.domain addresses (which cause their own headaches), but an option to turn off mail for accounts as part of the WHM package/feature manager would be VASTLY preferred.

1

This already exists;


"The default email account is used to catch mail that is unrouted." Therefore:

Go to cPanel --> Email --> Default Address --> More options --> Discard (not recommended)

and select.


This will discard any emails that are unrouted, rather than sending them to the default address. By default, the default address doesn't have its own email address.

This is in WHM 76 but it's been in for many versions.

1

The requester is asking to have this at the WHM level, not having to set it in each client cPanel account ;) Doing this on a server that has 500+ cPanel accounts (for example) is not ideal.

1

You can define the default for new accounts in WHM, but users can still adjust that default.


It seems that this request is more a request to require the definition of an account email, rather than wanting to disable the default email address. If that's true, we may need to adjust the wording. @nathan do you have more input to provide?

1

@benny@cpanel.net

Thank you for that (was able to get that updated - catch-all). But how do we change the default email? For example, users (and admin) get email from cpanel@<domainname.com> - But because cpanel@* does not exist, users have reported (to us) email clients are relegating such email to spam (and they never see it). I cannot find the server-wide setting to change that email to something else (along the lines of a human-accessible email address, like admin-email@admin-domain.com). Appreciate any input, thanks. :)

1

One perfect example of why this default email presents us with a dilemma - a user runs a WordPress site with a contact form on it, a visitor with a Yahoo email address submits a message through the contact form, and for whatever reason Yahoo rejects / bounces the email back. The site owner never sees the message (because many site owners don't ever even log in to their cPanel and it's sitting in the "default" box) and the site visitor never gets a reply from the site owner. This also results in the "default" box filling up with tons of undeliverable messages, wasting space and iNodes.


Sure - in a perfect world every site owner would have DMARC set up correctly and use a domain email address for their WordPress, but in reality that is often not the case.

I keep the "Default Address" icon disabled / removed from users' cPanels to avoid them making it a "catch-all" in order to cut down on the massive amounts of spam / spambots that send to random non-existent addresses (and other good reasons that go in-hand with it).

Wishing there was a better way, such as making it so that by default, all the main "default" addresses for all domains bypass the "default" inbox and forward straight to an actual existing email address (which also presents the dilemma that some users don't want to set up a domain email address at all).

Maybe I'm overlooking something, but there doesn't seem to be an exact / easy solution in the above scenario. Hopefully either someone will point out something I'm overlooking, or that maybe this response offers some kind of valuable feedback to cPanel developers.

1

I think there is a simple solution?...

Adding the ability to input ANY email address (on or off the server). AND ensure a validation email is sent first (to ensure the entered email address really does exist at that time).

Also, when cPanel sends an email message, instead of the default (cpanel@...) - Again, it should be sent from an email address that really does exist (to avoid spam systems marking it, and the server, as spam for using fake email addresses).

1

This really all needs to go back to end-user education (I know... that's impossible!)


Users need to be aware of the differences between the envelope-sender (return-path, bounce address... whatever you want to refer to it as) and the From message headers. These aren't necessarily going to be the same thing.


Using the WordPress example... if the contact form or whatever form that is sending mail from the website isn't properly setting an envelope-sender, then it is going to default to <cpanelusername>@<servername> ... there's no way around this. An envelope-sender HAS to be set.


There also needs to be some education on the difference between the default address (i.e. <cpanelusername>@<servername>) and where unrouteable mail for a domain name goes. People tend to think that because the address where unrouteable mail goes defaults to <cpanelusername>@<servername> then <cpanelusername>@<servername> and unrouteable mail are the same thing. This is not true.


Unrouteable mail refers to where mail goes when mail is sent to xyz@example.tld and xyz@example.tld does not exist. Maybe this is the default address (<cpanelusername>@<servername> .. or just simply <cpanelusername> because <servername> is not required when talking locally on the server), maybe this is set to :fail: or maybe this is set to :blackhole:. Users get confused because they set the unrouteable address to :fail: and then wonder why they still have mail collecting in the <cpanelusername>@<servername> from their contact forms or crontab entries. This is because they aren't the same thing.


If you want mail for <cpanelusername>@<servername> to be delivered somewhere else other than /home/cpanelusername/mail - then you would place a .forward file in <cpanelusername>'s home directory with the email address that you want that mail to forward to. But what are you going to default this to? We're going to go around in circles if we're not careful.
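The thread distinguishes the catch-all for unrouteable mail (`:fail:`, `:blackhole:`, the system account, or a forward) from the system account mailbox itself, and notes that checking the setting account by account does not scale. The following is an added example, not part of the original thread and not cPanel's own code: it classifies each domain's catch-all entry so an administrator can list the domains that still accept unrouteable mail. It assumes cPanel's per-domain forwarder files under `/etc/valiases` hold one `key: destination` entry per line with the catch-all under `*`; the sample data is constructed, and the function names are hypothetical.

```python
import os

# Constructed sample: domain -> contents of a valiases-style file.
# Assumed entry format: "key: destination", catch-all stored under "*".
SAMPLE_VALIASES = {
    "example.tld": "*: :fail: No Such User Here\n",
    "shop.example.tld": "info@shop.example.tld: owner\n*: shopuser\n",
    "blog.example.tld": "*: someone@hotmail.com\n",
    "quiet.example.tld": "*: :blackhole:\n",
    "club.example.tld": "*: iexist@club.example.tld\n",
    "old.example.tld": "sales@old.example.tld: salesbox\n",
}

# Settings that still accept and store or forward unrouteable mail.
REVIEW = {"system-account", "local-address", "remote-forward"}


def catch_all_destination(text):
    """Return the destination of the '*' entry, or None if absent."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip() == "*":
            return value.strip()
    return None


def classify(domain, dest):
    """Map a catch-all destination to the options named in the thread."""
    if dest is None:
        return "none"
    low = dest.lower()
    if low.startswith(":fail:"):
        return "fail"            # rejected at SMTP time (550)
    if low.startswith(":blackhole:"):
        return "blackhole"       # accepted, then silently discarded
    if "@" not in dest:
        return "system-account"  # bare local user, e.g. the cPanel user
    if dest.rsplit("@", 1)[1].lower() == domain.lower():
        return "local-address"
    return "remote-forward"      # simplification: any other domain


def audit(valiases):
    return {d: classify(d, catch_all_destination(t)) for d, t in valiases.items()}


def needs_review(report):
    return sorted(d for d, kind in report.items() if kind in REVIEW)


def load_dir(path):
    """Read every file in a valiases-style directory into a dict."""
    out = {}
    for name in os.listdir(path):
        with open(os.path.join(path, name), errors="replace") as fh:
            out[name] = fh.read()
    return out


if __name__ == "__main__":
    report = audit(SAMPLE_VALIASES)  # or audit(load_dir("/etc/valiases"))
    for domain in sorted(report):
        print(f"{domain:20} {report[domain]}")
    print("review:", ", ".join(needs_review(report)))
```

This covers only the catch-all setting; mail addressed directly to `<cpanelusername>@<servername>` is unaffected by it, as the comment above explains.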

1

I have already set the default account to reject inbound emails but I want my server to stop acting as a catch-all. E.g. my server accepts fsdifsduiwruit1235464@my-domain.com as a valid recipient (where my-domain.com is the FQDN).


Is there any update to this? Has it / can this be accepted and given a rough ETA?


Thank you.

3

It is also a HUGE security issue. cPanel created the default email address with the admin login name (credential), hence, when a hacker-bot sends emails, it already receives the cPanel default login admin name of the domain.

1

While this is valid, a sidestep to this would be to use the ::Blackhole approach so that spam emails to a WHM domain do not "notice" the account holder email address. The email is always sent and then never heard from again....

1

Thank you, Bastiaan

1

cPanel, please allow disabling the main mail account. Currently, hackers use the backdoor of any script to use the mail exchanger without authentication using the main mail account.