FAQ for this step is available here.
In this step, we'll do the following:
- Increase the security of your control panel
- Generate SSL for your control panel
- Enable Basic Auth
- Enable Google Authentication
- Change the panel's port and entrance
- Remove unused menu items
- Change SSH port
- Set the correct time and date
- Enable SSL on tracking domains
- Set up Brand Indicators for Message Identification (BIMI)
- Make the server ready to host websites
- What to do if you get locked out?
Increase the security of your control panel
There are a few ways to prevent unwanted access to your site. Enabling all of them makes logging in tedious for legitimate users, so there is no need to enable every one.
Generate SSL for your control panel
CONTROL PANEL - MAIN SERVER & MTA SERVERS
In your control panel (Main or MTA server) click "Settings" in the left menu.
Start by disabling "Panel SSL". We'll turn it back on soon, so don't worry.
You will be redirected from HTTPS to HTTP and will probably have to log in again. Go back to settings and enter the hostname of your server into the "Domain" field. Click "Save" next to it. A and AAAA records should already be there.
LOCKED CONTENT!
Create an account
Unlock guide parts, Unblur images in guide, Access members area and downloads page.
Your control panel now has a valid SSL certificate and there is no warning anymore about your connection being insecure. You should do this on all of your servers.
Enable Basic Auth
Still in the control panel settings, enable "BasicAuth". Pick a username and password and click save. You will be logged out, but this time you will see a different login window.
Enter the username and password you just set. Now you will see the normal login where you use the username and password you used until now for the control panel.
This prevents brute force attacks.
Enable Google Authentication
Go back to the control panel settings and enable "Google authentication".
A new window will open with a QR code. Use "Authenticator" on your phone and scan the QR code. Now use the random code Authenticator generates when logging in.
Either go with Basic Auth or Google Authentication. No need to enable both of them. You should do this on all of your servers.
Change the panel's port and entrance
If you want, you can also change the port and entrance URL for the control panel. This isn't needed, but if you prefer not to bookmark your panels, you can do this for easier access.
To change the port the control panel runs on, first add a new firewall rule for the port you are going to use. Next, change the "Panel port" field under Settings. Click save, then remove the firewall rule for the old panel port.
You can also change the random string of letters and numbers to make the panel entrance more memorable. To do so, change the "Security Entrance" to whatever you want. You will have to log in again.
Remove unused menu items
If you want to make your control panel easier to navigate, you can remove unused menu items. Go to "Settings" and click "Set" next to "Menu bar hidden". In the window that opens you can disable FTP, Docker, and WAF. I personally also disable Terminal. There is no need to save; just close the window and press F5 to reload. Your left menu should now have fewer items.
Change SSH port
CONTROL PANEL - MAIN SERVER & MTA SERVERS
To increase server security, it's recommended to change the default SSH port to something other than port 22. Log in to your MTA's control panel, go to "Security" in the left panel, and click on the "SSH" tab.
Click the green "Confirm" button. Your SSH port is now changed. You should do this on all of your servers.
IMPORTANT: You have to change the port in your SSH client (Bitvise SSH, PuTTY, ...), otherwise you will not be able to connect to your server via SSH anymore. If you already set up PowerMTA inside EMS, you will need to edit each MTA server with a changed SSH port. To do this, in EMS's left menu click on "Setup>PowerMTA" and use "Edit" under "Actions".
Set the correct time and date
CONTROL PANEL - MAIN SERVER & MTA SERVERS
Enable SSL on tracking domains
You are almost done. Now let's make sure your tracking domains have SSL enabled. We can do everything in the Cloudflare dashboard.
CLOUDFLARE - DNS RECORDS
In your Cloudflare account, go to SSL/TLS (left menu). On the page that opens, switch "SSL/TLS encryption mode" from "Flexible" to "Full" and confirm your selection.
Below this also turn on "SSL/TLS Recommender". Now click the "Configuration Rule" link.
Click the blue "Create Rule" button. A new page will open. First, let's name our new rule. Use something like "Tracking Domains SSL".
Under this select "Custom filter expression".
Add more Tracking Domains
There is no need to create a rule for each of your tracking domains. We can simply add more tracking domains to the rule we just made. In the line where you entered your tracking domain, click on "Or".
That's it. If you decide to add or change any domains used in your bulk email system, don't forget to edit this rule and add your tracking domains.
You can test if it works by going to your tracking domain in the browser. You should see the login screen to your EMS with a valid SSL connection. You need to wait about 10 minutes after you make your rule for changes to come into effect.
BIMI Set up
BIMI stands for Brand Indicators for Message Identification. It's an email authentication standard that allows companies to display their brand logos next to authenticated emails in the recipient's inbox. This enhances the brand visibility and trustworthiness of emails by providing a visual indicator of authenticity. Click here to see which email providers support BIMI.
Creating a BIMI Record
Here are the steps detailing how to generate a BIMI record for your domain:
- Click the blue "Save" button and wait for about 10 minutes.
- Verify if BIMI is configured correctly with this tool.
IMPORTANT: BIMI will not work if your domain/IP reputation is too low. Sometimes low reputation isn't your fault as you probably inherited your server IPs from previous user(s).
Make the server ready to host websites
You can host other web pages on your servers (or at least on Main). You have most things ready, and if you are happy with PHP 7.4 there is nothing to do.
CONTROL PANEL - MAIN SERVER & MTA SERVERS
If, however, you want another PHP version, go to "App Store" and search for PHP. Click "Install" next to the version you want (suggested 8.3) and wait for the installation to finish. You can now select the PHP version when adding a new Website (domain). You should probably install some extensions, change the configuration, and enable some disabled functions. Since we already did that for PHP 7.4, you now know how to do that. If you don't, go back to Step 2.
What to do if you get locked out?
If you ever get locked out of your control panel because you forgot your login credentials, lost access to Authenticator, or similar, you can always fix things via SSH.
Connect to the server you are having problems with and run the following command:
SSH - MAIN SERVER & MTA SERVERS
You will get a list of things you can do. Just enter the number before it and you can change the password, restart the panel, disable Authenticator, and much more.
Congratulations! You finished Step 4!
Continue to Step 5 and Start sending, or check the FAQ if you encounter any problems during installation.