OK
In order to optimally design our website and to show appropriate offers we are using cookies. By continuing to use our website you agree that we set cookies. More information
16Jan/200

Scheduled backups in cPanel and Plesk

Creating backups is a very important task for every server administrator. A loss of data often occurs suddenly without a warning. It is possible to create backups manually, but we would recommend to configure automatic backups. The steps below were tested by us, but you should always check yourself if the backups are still running from time to time and if it is possible to restore the required data from it! A backup should be stored outside of the system. In the examples below we are using the Contabo Backup Space. You can order it additionally to your server.

Scheduled backups in cPanel

To configure automatic backups in cPanel, please go to WHM > Backup > Backup configuration. At first you have to set the tick at "Enable Backups". Then we would recommend to set the backup to "compressed". With incremental backups, you can not save to FTP in cPanel. The other global settings should be left the way they are.

In the section "Scheduling and Retention", it is useful in most cases to select every day of the week except Sunday and to keep six of those daily backups. Furthermore you should enable weekly backups and keep four of them, just in case a problem is noticed later or with some delay. Please create the weekly backups on Sunday, the day we left out in the section for the daily backups.

If you are not sure what you should backup in the next section, you can just select everything as shown in the image below. If you need to save backup space, you can unselect the system files and change the database backups from "Per account and entire MySQL Directory" to "Per account only". Normally the files and databases of the accounts will contain the most important data and the other parts contain settings that can be reconfigured after reinstalling the server in case of a full loss of data.

The next settings should be left the way they are. Especially the option "Mount Backup Drive as Needed" should be left without a tick, as this will cause problems if /backup is no mount point for a separate partition or drive:

Then please click on "Additional Destinations" at the top of the site. There you can configure the remote storage for your backup. You will find the correct settings for the Contabo Backup Space below. Unfortunately cPanel does not support ftps, so you should leave the tick for "Transfer System Backups to the Destination" unselected. Please confirm and save your data with the option "Save and Validate Option".

Backups can be restored in WHM > Backup > Backup Restoration. There you can select "Restore by Date" and you will see all available backups in the calendar. Please select the date with the last known good state and move the users you want to restore into the restoration queue. With "Restore", you will restore all the listed accounts.

Scheduled backups in Plesk

To configure automatic backups in Plesk, please go to Tools & Settings > Tools & Resources > Backup Manager > Schedule .
On the site, please put a tick at "Activate this backup task". Then select a reasonable time for your backups. As backups require a lot of resources and might slow down your system, you should perform your backups in the night, for example at 2:00 am. In the most use cases it is a good idea to configure daily incremental backups and to perform a full backup once a week. Incremental backups will just store the changes, so it is possible to restore your data from every available day. But the required backup storage is less than with a daily full backup. In the section "Backup settings", you can add a remote ftp backup storage. This makes sense, as the backup is then stored independently from your system. Please fill in your credentials in the form that opens and enable passive mode and FTPS as shown in the image below:

After the remote backup storage got added, please select that you want to store the backups locally and on the remote FTP storage you just added. Also it makes sense to add an e-mail address where the server can inform you in case something goes wrong during your backup task. Please check your settings with the help of the image below and click on apply.

After the the first backup is done, you should see a list of the available backups listed by day and time in Tools & Settings > Tools & Resources > Backup Manager. To download or restore a backup, please klick on the required backup. In the section "Backup content", you can choose between restoring "Selected objects" and "All objects". In Selected Objects, you will have several options to only restore specific content like e-mail accounts from a selected domain. You have to move all units you want to restore from the left window to the right and confirm with "Restore".

18Oct/172

E-mail server in Windows Server, part 2: Security

This is a follow-up to the tutorial How to install an e-mail server in Windows, directed to those who already have an hMailserver and want to increase the security.

Spam protection

To activate the spam protection, please go to Settings >> Anti-spam in the hMailserver Administrator.

In the tab "General" you can leave the settings the way they are, as shown in the image. Of course you can adjust them later according to your needs.

In the second tab "Spam tests" you should select all four spam detection parameters:

- Use SPF (3)
- Check host in the HELO command (2)
- Check that sender has DNS-MX records (2)
- Verify DKIM-Signature header (5)

Malware protection

As already mentioned in the previous tutorial, you have the possibility to use different anti malware software in hMailServer. The most easy solution is to use the free ClamWin anti virus scanner. You can download it there:

https://sourceforge.net/projects/clamwin/

Please follow the installation wizard. Installing the browser extension is not required for your e-mail server. Normally ClamWin will now appear in the Windows system tray and start to update its database once a day. It will also protect your system from malware. You are of course free to change those settings individually in the ClamWin menu. The integration in the hMailServer is easy. Please go to Settings >> Anti-Virus >> ClamWin. The button "autodetect" will find the correct path to your ClamWin anti virus installation and you can finish the setup with "Save".

TLS encryption

To enable your clients to start an encrypted connection to your server, so nobody can steal your data, you have to enable this in your settings first. You will need an SSL certificate to achieve this. If you do not have already one for the host name of your server, you can create a self signed one on your own. Self signed certificates are free. But you will have to add an exception manually each time you set up a new client for your server. Most clients like Thunderbird or Outlook will ask you for that after the credentials got entered and they start the first connection. You can use XCA to create such a certificate:

https://sourceforge.net/projects/xca/

After the software got installed and opened, you have to create a new database on the upper left side. You can choose any name, you do not even have to remember the password. We will need this tool only once to create the new certificate. You can remove it again afterwards.

After the new database got created you can choose the tab "Certificates". In the following menu please choose "New Certificate" on the right side. A new window will open. In this new window please choose the tab "Subject" and add your host name next to "commonName". In our example screenshot this is mail.yourdomain.com. Now please create a key for the certificate by pressing the button "Generate a new key". The options in the window normally will be  inserted correctly per default as shown in the image. You can finish the creation with "create".

The next step is to switch to the tab "Extensions". Enter a date until the certificate will be valid. You can be generous at this point. In our example we set a date in the year 2030 for "Validity not after". With the "OK" button in the bottom right corner you will finally create the certificate.

Now you have to export the certificate and the according key. Please choose in the tab "Certificates" the certificate and click on "Export" on the right side. You can let the path the way it is. In our case it is:

C:\Program Files (x86)\xca\mail.yourdomain.com.crt

In the tab "Private Keys" please do the same for the previously created key. The path should be:

C:\Program Files(x86)\xca\mail.yourdomain.com.pem

Please open the hMailServer Administrator and navigate to Settings >> Advanved >> SSL certificates and click on "Add". Now you have to add the previously exported certificate and key as shown in the image below and save the settings.

For the last step please go to Settings >> Advanced >> TCP/IP ports. There you have to modify the three entries below "0.0.0.0 / 25 / SMTP" as shown in the following images. At "SSL Certificate", please choose your recently created certificate. "0.0.0.0 / 25 / SMTP" has to stay in its original state as the only one. If you change it, your e-mail server will not work properly!

Now you have to open the new ports in your firewall. For that you can edit the rule from the previous tutorial. We called it "Ports for hMailServer" there. Please change the "local ports" from 25, 110, 143, 587 to 25, 465, 993, 995. (Windows Firewall with Advanced Security on Local computer >> Inbound Rules >> Ports for hMailServer >> Protocols and Ports)

The settings for your clients have changed too:

ingoing server:

protocol: IMAP; port: 143; security: SSL/TLS; server: the IP or hostname of your server

outgoing server:

protocol: SMTP; port: 587; security: SSL/TLS; server: the IP or hostname of your server

9Oct/1710

How to install an e-mail server in Windows Server

You want to send and receive e-mails with your Windows server and connect to it by using your clients on PC, smartphone or tablet? In this tutorial we will explain how you can setup your own e-mail server on a Windows system with a static public IP. This tutorial will work for our VPS as well as for our dedicated servers. hMailServer is a free open source program, the setup is rather simple and can be done in just a few easy steps. Next to the default features like SMTP, POP3 and IMAP, the software is capable to detect spam and also a free virus protection like ClamWin can be added.

Installation

hMailServer needs NET Framework 3.5. to run correctly. Therefore you should add it to Windows before you install hMailServer. To do so, please open the Server Manager. The next steps will differ a little in the different versions of Windows Server. We will explain it by using the example of Windows Server 2012. Please click on "Manage" on the right upper side and choose "Add Features and Roles". In the window that opens you can click four times on "Next" and leave all the settings the way they are. Now you can choose the features you need to install. You just have to choose the NET Framework 3.5 like shown in the image. With "Next" again, you confirm this selection and "Install" will start the installation. As soon as the process is finished, you can close the window and proceed with the installation of your e-mail server.

Please download the latest version of the software from this site:

https://www.hmailserver.com/download

Please do not choose a version that is still in beta, since it might contain bugs and vulnerabilities. After you received the installation package, you can execute it and accept the terms of service.

You should leave the default installation directory as is and continue with "Next". Now you can choose the required products for installation. You will need the full installation, so please let "Server" and "Administrative Tools" checked and proceed with "Next". For an easy installation, we do recommend to choose "Use built-in database engine" in the next step. In the following window let the name be hMailServer and proceed. hMailServer will need a password for administrative tasks in the future. So please create a password you want to use to protect your service and write it down. The last step will be to start the installation. It should finish without error.

hMailServer Configuration

Please open the hMailServer Administrator. In the first window you have to activate "Automatically connect on Start-up" and click on "Connect".

In the next window, please go to "Domains", choose "Add..." and insert your domain you want to use for sending e-mails.

After the domain got saved, you can add new e-mail addresses in the menu "Accounts".

Now please go to Settings >> Protocols >> SMTP >> Delivery of e-mail. There, please add the local host name of your server that should be used for introducing your server to other e-mail servers. It has to be a valid domain and has to resolve to the IP of your server. So please add an A record to your DNS zone if necessary. You also should set an identical PTR for the IP address of your server. This can be done in the Contabo customer control panel. The host name should consist of three parts. That means it has to be an FQDN and it may not contain too many numbers, since it might seem to be generic. A good name for example might be: "mail.justanexample.com". When you are done, please save your new settings.

Firewall Configuration

The main configuration is done. But you still have to open all used e-mail ports in the firewall to make it work. Please open the Windows Firewall settings and choose "Inbound Rules". On the right side click on "New Rule". A window will open and you have to choose "Port" and click on "Next". In the next window please insert the ports 25, 110, 143 and 587, as shown in the image.

In the following window please choose "Allow The Connection" and after "Next", please check "Domain", "Private" and "Public".

In the last window you can enter a name for the new rule. For example "Ports for hMailServer". Please finish the setup and close the firewall settings.

Now you should add an SPF record to your DNS zone. Many e-mail servers will reject e-mails from your server if it does not exist. Therefore please add this TXT record to your zone:

justanexample.com 86400 in TXT "v=spf1 ip4:1.2.3.4 ~all"

"justanexample.com" has of course to be replaced with your domain and 1.2.3.4 with your IP.

You should also add an MX record to your DNS zone, if it does not exist already. The MX record should look like this:

justanexample.com 86400 in MX 10 "mail.justanexample.com"

The value "mail.justanexample.com" has to be replaced with the the host name you have chosen for your e-mail server.

The basic setup of your e-mail server is now complete. It should be able to send and receive e-mails as soon as the DNS changes are active and you can now connect with any e-mail client like Outlook, Thunderbird or Apple Mail.

Client Configuration

Please use the following settings for your e-mail client.

ingoing server:

protocol: IMAP; port: 143; security: none; server: the IP or host name of your server

outgoing server:

protocol: SMTP; port: 587; security: none; server: the IP or host name of your server

Security

If you want to do some optimizations to the server security like transport encryption, spam checks and malware protection, please take a look at our second tutorial: E-mail server in Windows Server, part 2: Security.

10Jun/162

DomainKeys and DKIM in Plesk and cPanel

DomainKeys and DKIM can help you to increase the reputation of your e-mail server and preventing others to manipulate or fake your e-mails. In this tutorial, we want to show you how you can activate this feature in cPanel and Plesk. Firstly, we have to clarify that Plesk allows you to activate DomainKeys in the web interface and that cPanel is using the newer version called DKIM. Those are both quite similar in many points, but we will use those terms separately. All the images in this tutorial can be shown in a bigger version with all the details, by clicking on them. We will often use the example domain "yourdomain.com". It has to replaced with your own one, whenever it appears.

DKIM in cPanel

After you logged into your cPanel account, please search for "Email Deliverability" in the search bar. After opening the matching tool, you might see that a p with DKIM and SPF at some of your listed domains. In this case, please click on the "Manage" button in the line of the required sending domain. The opening site should now look like this, possibly with an error message that your system does not control the DNS server:

If you have your own server with cPanel and you are using it as a name server, the configuration of DKIM might be finished already. In that case, the status of your DKIM configuration is not "PROBLEMS EXIST", as shown in the image above. It is then already shown as "VALID". If problems exist, please click on "INSTALL THE REQUESTED RECORD". Afterwards, DKIM is shown as valid.

If you are not using your cPanel as nameserver, as it is always the case when using our Webspace,  you will have to manually transfer the record to the DNS zone on the responsible DNS server for your domain. Please log into the web interface of your domain registrar and add  a TXT record for the subdomain "default._domainkey.yourdomain.com". "your domain.com" has to be replaced with your own domain. The data part of the record has to be filled with the character string you see next to "Value" in cPanel. It begins with: "v=DKIM1...". If you are using our Contabo nameservers for your domain, please log into the Customer Control Panel, navigate to: DNS Zone Management and edit your domain. Please fill in the fields below "create a new entry" like in the following example:

newnew

When you now reload the tool "Email Deliverability" in cPanel and click on "Manage" next to your domain again, the following should be shown:

If you can see the same message, DKIM has been activated successfully!

If there is still an error shown, you should recheck all the points so far. Are you using the nameservers from Contabo or different ones? Did you create the records properly? If you have any questions, you can ask our support. We are reachable over the e-mail address support@contabo.com. It would be a pleasure to help you in this matter!

Regarding the SPF errors that might be shown below the DKIM section, please ignore those messages and check the SPF section in our other tutorial: Link

DomainKeys in Plesk

Please search in the search bar for: "Mail Server settings" and open the tool. At the point : "DomainKeys spam protection", please check the Box "Allow signing outgoing mail". Afterwards, you have to change to the "Mail Settings" of your domain and activate "Use DomainKeys spam protection system to sign outgoing email messages " there, like in the following screenshot:

newnewnew

Then you can open the "DNS Settings" for the affected Domain. An additional TXT entry for the subdomain: "default._domainkey.yourdomain.com" should have appeared.

neeeeew

If it is missing, please repeat all the steps so far, but firstly delete the tick at "Allow signing outgoing mail" in the Mail Server Settings and set it again after saving. If you are using your Plesk as nameserver, the configuration should be finished now. You should now test the configuration. More about this step in the later point: How to test DomainKeys and DKIM.

If you are using other nameservers for your domain, for example the ones provided by Contabo, you have to copy the data part completely and add an identical record in the zone there. To do so, please log into the Customer Control Panel of Contabo, go to the DNS Zone Management and edit the Domain. Please add, like in the following example, a TXT record for the subdomain "default._domainkey.yourdomain.com" with the data part generated by Plesk.

finnew

As you can see in the picture, a second record has to be added. This one defines the policy, that every e-mail has to have a DomainKeys signature. Please add the subdomain "_domainkes.yourdomain.com" with the TXT record: "o=-". With this last step, the configuration of DomainKeys has been finished. To ensure that everything is working perfectly, you should do a test now!

 How to test DomainKeys and DKIM

A good way to test a DKIM or DomainKey configuration, is the DKIMValidator.

After opening the site, you can see a randomly generated e-mail address. Please write an e-mail from your server to this address and, after a few seconds of waiting, open the analysis report with the button "view results". With Strg + F, you can search the site, which gives you a lot information. To check if DomainKeys and DKIM are working, search for: "result =". If it reads "pass", everything is working fine. If there is a "fail" you should start a search for the cause. If you are stuck at some point, you can contact us anytime under the e-mail address support@contabo.com. Our team of experts will stand by your side to get it working!

Posted by: Johannes | Tagged as: , , , , , , , 2 Comments
17May/160

How can I prevent my e-mails getting marked as spam?

You have your own e-mail server, but your e-mails are landing in the spam folder or do not even arrive? This can have several reasons. This tutorial will show you the most important tricks and often overseen configuration mistakes. If you have a webspace package, you will only need the point SPF of this tutorial. In this tutorial we will often use the fictional domain server.yourdomain.com and the IP address 1.2.3.4. Please replace them with your own ones when you are doing the tests or configuration.

SMTP banner

The SMTP banner is the label of your e-mail server. When it connects to a different e-mail server, it is introducing itself with it. If you have a server from us, it will, at the beginning, answer with something like this:

m1234.contabo.net

A lot of e-mail providers will not accept such a label and send your e-mail directly into the spam folder. So it is better to choose a less generic one like:

server.yourdomain.com

Please note that it has to  be a fully qualified domain name (FQDN). That means there has to be a subdomain like "server" in front of yourdomain.com. You can request the current SMTP banner by connecting to your server with Telnet over port 25. You can do this in Windows by entering the following command into the Windows  command prompt:

telnet 1.2.3.4 25

Please use your own server IP here. If you are using Windows, you will have to activate Telnet first! (Start --> Control Panel --> Programs and Features --> Turn Windows features on or off--> wait a moment, then check the Telnet Client check box and finish with clicking on OK)
The output might look like this:

220 m1234.contabo.net ESMTP Postfix (Debian/GNU)

"m1234.contabo.net" is the important information in this line. You can leave the session by entering "quit" and hitting enter. In cPanel and Plesk, the mailserver's name in the SMTP banner is equal to the hostname. So you can alter it by changing the hostname in the administration panel.
If you are using Plesk on a Windows server, it is not so easy to change the banner. Please log into your server over RDP, open the tool "MailEnable" and go to: MailEnable Management --> Servers --> localhost --> Connectors. Then choose in the opening list SMTP, click on it with you right mouse key and open "Properties". In the opening window, there are four fields you have to fill in:

Local Domain Name

Here you have to enter you main domain. For example: yourdomain.com.

Default mail domain name

This is your e-mail server name in the SMTP banner. For example: server.yourdomain.com

DNS Addresses

Here you have to enter the DNS servers. If you have your server in one of our datacenters, the following addresses would work perfectly:

for Nuremberg:
213.136.95.10 213.136.95.11

for Munich:
79.143.183.251 79.143.183.252

Notification email address

Please enter an existing e-mail address.

If you are using Postfix instead of an administration panel, you can change the SMTP banner by using this command in the terminal:

postconf -e "myhostname = server.yourdomain.com" && postfix reload

Please replace "server.yourdomain.com" with the new domain name of the e-mail server.

PTR

The PTR, or also called reverse DNS record, is the counterpart of the A-record in a DNS zone.

A-record:

server.yourdomain.com --> 1.2.3.4

PTR:

1.2.3.4 --> server.yourdomain.com

Most e-mail servers only accept an e-mail, if the PTR is exactly the same as the name of the mailserver in the SMTP-Banner! If you have for example the following SMTP-Banner:

220 server.yourdomain.com  ESMTP Postfix (Debian/GNU)

You have to change your PTR like in the upper example, what can be done easily in the Customer Control Panel. Please notice, that you have to change the PTR of the IPv6 address too, if you are using IPv6 additionally to IPv4. It will not harm to do it anyway, if you are not sure.

SPF

With the SPF record you determine that it is only allowed to send e-mails from specific IP addresses. Many e-mail servers are considering e-mails from domains without SPF record as spam. You can add an SPF record in the Customer Control Panel with the DNS Zone Management. The following one should work in most cases:

86400 in TXT "v=spf1 +a +mx ~all"

It will allow the IP named in the A-record and the one of the mailserver, named in the MX-record.

If you use one of our webspace packages, please use the following one:

86400 in TXT "v=spf1 +a +mx +include:mail-relay.contabo.net ~all"

If you have a special configuration, you can use a tool like this to generate an individual SPF:

SPF-Wizard

Blacklists

We always do test our IP addresses, before we give them to our customers. But it is not impossible, that your IP is currently on a blacklist. This will cause your sending attempts to fail despite all your tries to achieve a perfect configuration. If you assume that your IP might be on such a list, you can test for the most important ones on this site:

MX-Toolbox Blacklist Check

Please enter the IP address of your server and wait some seconds for the test! If the IP is listed somewhere (marked in red), you should contact the owners of this list. They will offer a removal form on their home page. The IP should be removed in a few days. Some e-mail providers have their own lists, that can not be reviewed so easily. They normally will send you a bounce e-mail to signal, that the sending attempt failed, with the reason included in it. If they mention an internal blacklist, you can find below some links to the removal forms of such providers:

Microsoft
Yahoo
Google

If you have problems getting your IP removed from such a list, please write an e-mail with the error message and the IP to support@contabo.com. We will help you solving this problem.

Additional points

If you have paid attention to all the points so far, and your e-mails have still problems with reaching the recipient or are landing in the spam folder, it is time to look for the reason in close detail. Have you got a reply when the e-mail was not accepted? Read this e-mail carefully. Often there stands the reason for this behaviour! If you have found such a message, but it does not help you, you are free to sent it with the complete header to our support. Our team of experts at support@contabo.com has a lot of experience with solving such problems!

If the e-mail is arriving but landing in spam, the header of the received e-mail will often contain useful hints. Especially Google makes it easy for the owners of small e-mail servers and often adds a link to its e-mail guidelines. Therefore, it might be useful to send a test e-mail to a Gmail address too, for a further analysis!

Please also take a look on the Website mail-tester.com. You can send an e-mail to the server here and the site will show you possible optimizations for your server and the e-mails!

If nothing helped

If you have worked through the whole tutorial, and there are still problems with sending e-mails, or you need help at some point, you can contact our support. We are there for you everyday from 8:00 to 23:00 (German time) at support@contabo.com.