FAQ for this step is available here.

Read Time / Work Time / Video Time
Around 12 minutes

In this step, we'll do the following

  • Increase the security of your control panel
  • Generate SSL for your control panel
  • Enable Basic Auth
  • Enable Google Authentication
  • Change the panel's port and entrance
  • Remove unused menu items
  • Change SSH port
  • Set the correct time and date
  • Enable SSL on tracking domains
  • Set up Brand Indicators for Message Identification (BIMI)
  • Make the server ready to host websites
  • What to do if you get locked out?

Increase the security of your control panel

There are a few ways to prevent unwanted access to your site. Enabling all of them can be a bit annoying when a legitimate user tries to log in, so there is no need to enable all of them.

Generate SSL for your control panel

aapanel CONTROL PANEL - MAIN SERVER & MTA SERVERS

In your control panel (Main or MTA server) click "Settings" in the left menu.

Start by disabling "Panel SSL". We'll turn it back on soon, so don't worry.

You will be redirected from HTTPS to HTTP and will probably have to log in again. Go back to settings and enter the hostname of your server into the "Domain" field. Click "Save" next to it. The A and AAAA records for that hostname should already be there.


Content Locked

Login or sign up to see how to install SSL for the control panel.

Your control panel now has a valid SSL certificate and there is no warning anymore about your connection being insecure. You should do this on all of your servers.

Enable Basic Auth

Still in the control panel settings, enable "BasicAuth". Pick a username and password and click save. You will be logged out, but this time you will see a different login window.

Enter the username and password you just set. Now you will see the normal login where you use the username and password you used until now for the control panel.

This puts a second login prompt in front of the panel's own login page, which helps against brute-force attacks on it.

Enable Google Authentication

Go back to the control panel settings and enable "Google authentication".

A new window will open with a QR code. Use "Authenticator" on your phone and scan the QR code. From now on, enter the one-time code Authenticator generates when logging in.

Either go with Basic Auth or Google Authentication. No need to enable both of them. You should do this on all of your servers.
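What the Authenticator app and the server each compute at login, as an added example that is not part of the original page or the panel's code. It assumes standard TOTP (RFC 6238, HMAC-SHA1, 30-second step, 6 digits), uses the RFC's constructed test key as the secret, and shows why a wrong server clock gets valid codes rejected.

```python
import base64
import hashlib
import hmac
import struct

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, as used by authenticator apps."""
    key = base64.b32decode(secret_b32.upper())
    # The only moving input is the number of 30-second steps since the epoch.
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, server_time, window=1):
    """Accept the current step and `window` steps either side of it."""
    return any(
        hmac.compare_digest(totp(secret_b32, server_time + i * 30), code)
        for i in range(-window, window + 1)
    )

# Constructed secret: base32 of the RFC 6238 test key "12345678901234567890".
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    phone_time = 59                      # clock on the phone
    code = totp(SECRET, phone_time)
    print("code shown on phone:", code)
    # Server clock 20 s ahead: still inside the +/- one step window.
    print("server +20s accepts:", verify(SECRET, code, phone_time + 20))
    # Server clock 5 minutes off: the same code no longer verifies.
    print("server +300s accepts:", verify(SECRET, code, phone_time + 300))
```
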

Change the panel's port and entrance

If you want, you can also change the port and entrance URL for the control panel. This isn't needed, but if you prefer not to bookmark your panels, you can do this for easier access.

To change the port the control panel is running on, first add a new rule in the firewall for the port you are going to use. Next, change the "Panel port" field under Settings and click save. Then remove the firewall rule for the old panel port.

You can also change the random string of letters and numbers to make the panel entrance more memorable. To do so, change the "Security Entrance" to whatever you want. Keep it hard to guess, since anyone who knows the entrance path can reach the login page. You will have to log in again.

Remove unused menu items

If you want to make your control panel easier to navigate, you can remove unused menu items. Go to "Settings" and click "Set" next to "Menu bar hidden". In the window that opens you can disable FTP, Docker, and WAF. I personally also disable Terminal. There is no need to save; just close the window and press F5 to reload. Your left menu should now have fewer items.

Change SSH port

aapanel CONTROL PANEL - MAIN SERVER & MTA SERVERS

To increase server security, it's recommended to change the default SSH port to something other than port 22. Log in to your MTA's control panel, go to "Security" in the left panel, and click on the "SSH" tab.


Content Locked

Login or sign up to see how to change the port used for SSH from the control panel.

Click the green "Confirm" button. Your SSH port is now changed. You should do this on all of your servers.

IMPORTANT: You have to change the port in your SSH client (Bitvise SSH, PuTTY, ...), otherwise you will not be able to connect to your server via SSH anymore. If you already set up PowerMTA inside EMS, you will need to edit each MTA server with a changed SSH port. To do this, click on "Setup>PowerMTA" in EMS's left menu and use "Edit" under "Actions".

Set the correct time and date

aapanel CONTROL PANEL - MAIN SERVER & MTA SERVERS


Content Locked

Login or sign up to see how to set the correct time and date on your server from the control panel.

Enable SSL on tracking domains

You are almost done. Now let's make sure your tracking domains have SSL enabled. We can do everything in the Cloudflare dashboard.

CLOUDFLARE - DNS RECORDS

In your Cloudflare account, go to SSL/TLS (left menu). On the page that opens, switch "SSL/TLS encryption mode" from "Flexible" to "Full" and confirm your selection.

Below this, also turn on "SSL/TLS Recommender". Now click the "Configuration Rule" link.

Click the blue "Create Rule" button. A new page will open. First, let's name our new rule. Use something like "Tracking Domains SSL".

Under this, select "Custom filter expression".


Content Locked

Login or sign up to see how to set SSL for your tracking domain.

Add more Tracking Domains

There is no need to create a rule for each of your tracking domains. We can simply add more tracking domains to the rule we just made. In the line where you entered your tracking domain, click on "Or".

Content Locked

Login or sign up to see how to add more tracking domains to your SSL rule.

That's it. If you decide to add or change any domains used in your bulk email system, don't forget to edit this rule and add your tracking domains.

You can test if it works by going to your tracking domain in the browser. You should see the login screen to your EMS with a valid SSL connection. You need to wait about 10 minutes after you make your rule for the changes to take effect.

BIMI Set up

BIMI stands for Brand Indicators for Message Identification. It's an email authentication standard that allows companies to display their brand logos next to authenticated emails in the recipient's inbox. This enhances the brand visibility and trustworthiness of emails by providing a visual indicator of authenticity. Click here to see which email providers support BIMI.

Creating a BIMI Record

Here are the steps detailing how to generate a BIMI record for your domain:


Content Locked

Login or sign up to see how to set up BIMI for your sending domains.

  • Click the blue "Save" button and wait for about 10 minutes.
  • Verify if BIMI is configured correctly with this tool.

IMPORTANT: BIMI will not work if your domain/IP reputation is too low. Sometimes a low reputation isn't your fault, as you probably inherited your server IPs from previous user(s).

Make the server ready to host websites

You can host other web pages on your servers (or at least on Main). You have most things ready, and if you are happy with PHP 7.4 there is nothing to do.

aapanel CONTROL PANEL - MAIN SERVER & MTA SERVERS

If, however, you want another PHP version, go to "App Store" and search for PHP. Click "Install" next to the version you want (suggested 8.3) and wait for the installation to finish. You can now select the PHP version when adding a new Website (domain). You should probably install some extensions, change the configuration, and enable some disabled functions. Since we already did that for PHP 7.4, you now know how to do that. If you don't, go back to Step 2.

What to do if you get locked out?

If you ever get locked out of your control panel because you forgot your login credentials, lost access to Authenticator, or similar, you can always fix things via SSH.

Connect to the server you are having problems with and run the following command:

SSH - MAIN SERVER & MTA SERVERS


Content Locked

Login or sign up to see which command to use in case you ever get locked out from the control panel.

You will get a list of things you can do. Just enter the number shown before an option and you can change the password, restart the panel, disable Authenticator, and much more.

Congratulations! You finished Step 4!

Continue to Step 5 and Start sending, or check the FAQ if you encounter any problems during installation.