Summary: When Plesk is used for shared hosting, customers and resellers can create websites with domain names that they do not own. This may cause mail sent from a Plesk server to a third-party website to be intercepted. For example, mail sent from a Plesk server to Gmail would be intercepted by a customer who has created a website with the name «gmail.com» on that Plesk server.

Plesk administrators can avoid this issue by preventing the creation of websites with domain names not owned by customers or resellers.

In this topic, you will learn how to prohibit the creation of websites with specific domain names, and also with domain names that do not resolve to the Plesk server.

Overview

When an email is being sent from a Plesk server, Plesk first checks if the destination mailbox exists on the server. If it does, Plesk delivers the email to that mailbox. An attacker can create a domain with the same name as a popular email provider (for example, «gmail.com» or «mail.com») on a shared hosting server. If they do, they may receive mail that other users on that Plesk server (but not from any other server) send to that email provider. We call this «mail interception».

Plesk offers two methods for preventing mail interception:

  • The ability to prevent the creation of websites with domain names that do not resolve to the Plesk server.
  • The ability to prevent the creation of websites with domain names found in an editable list of domain names.

Either method can be used on its own, or both can be used at once.

Prohibiting the Use of Domain Names that do not Resolve to the Plesk Server

This is the preferred, catch-all method for preventing mail interception. When it is used, attempts to create a website with a name that does not resolve to the Plesk server (for example, «gmail.com» or «mail.com») will fail. This does not affect the creation of websites with names that do not resolve anywhere.

To prohibit the use of domain names that do not resolve to the Plesk server:

  1. Log in to Plesk.

  2. Go to Tools & Settings, and then click Prohibited Domain Names (under «Security»).

  3. Click the «Prohibit creating domains that resolve to other servers» toggle button so that it shows «Enabled».

Creating a website with a name that does not resolve to the Plesk server is now prohibited. Anyone trying to do so will receive an error.

Note: Prohibiting the use of domain names that do not resolve to the Plesk server does not affect existing websites with such names. To prevent mail interception, make sure that there are no websites using names of email providers in Plesk.

Prohibiting the Use of Domain Names from the Prohibited List

Another method for preventing mail interception is to forbid the creation of websites with names found in the prohibited list. The list is populated with 100 names of popular websites by default, and new names can be added to it as well. This method requires more effort, but allows for more granularity.

To prohibit the use of domain names from the prohibited list:

  1. Log in to Plesk.

  2. Go to Tools & Settings, and then click Prohibited Domain Names (under «Security»).

  3. Click the «Prohibit creating domains from the list below» toggle button so that it shows «Enabled».

Creating a website with a name from the prohibited list is now prohibited. Anyone trying to do so will receive an error.

Note: Prohibiting the use of domain names from the prohibited list does not affect existing websites with such names. To prevent mail interception, make sure that there are no websites using names of email providers in Plesk.

To add or remove domain names to or from the prohibited list:

  1. Log in to Plesk.
  2. Go to Tools & Settings, and then click Prohibited Domain Names (under «Security»).
    • To add a name to the list, click Add Domain Name, enter the name, and then click OK.
    • To remove one or more names from the list, select them, click Remove, and then confirm the removal.

The changes you make to the list take effect immediately.
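
Both notes above point out that neither toggle affects websites that already exist on the server. The following Python script is an added example, not part of the Plesk documentation or Plesk's own code: it audits a list of already hosted domain names against both rules. The function names, the sample domain names and the documentation-range IP addresses are assumptions, as is the choice to accept a name that resolves to this server and to other servers at once.

```python
import socket

def resolve_ips(name):
    """Return the set of addresses a name resolves to (empty set if none)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def audit_domains(hosted, server_ips, prohibited=(), resolve=resolve_ips):
    """Classify hosted domain names against the two rules described above.

    Returns {name: verdict} with verdict one of:
      'prohibited-list'    - the name is on the prohibited list
      'resolves-elsewhere' - the name resolves, but not to this server
      'ok'                 - resolves to this server, or resolves nowhere
    """
    server_ips = set(server_ips)
    banned = {n.strip().lower().rstrip(".") for n in prohibited}
    report = {}
    for raw in hosted:
        name = raw.strip().lower().rstrip(".")
        if not name:
            continue  # skip blank lines in an exported list
        if name in banned:
            report[name] = "prohibited-list"
            continue
        ips = resolve(name)
        # Assumption: any overlap with the server's addresses counts as
        # "resolves to the Plesk server"; names with no records are allowed.
        if ips and not (ips & server_ips):
            report[name] = "resolves-elsewhere"
        else:
            report[name] = "ok"
    return report

if __name__ == "__main__":
    # Constructed sample data: a fake DNS table so the audit runs offline.
    fake_dns = {
        "gmail.com": {"203.0.113.5"},          # points to another server
        "customer-shop.example": {"192.0.2.10"},  # points to this server
    }
    hosted = ["customer-shop.example", "gmail.com", "mail.com",
              "not-registered-yet.example"]
    result = audit_domains(hosted, {"192.0.2.10"}, prohibited=["mail.com"],
                           resolve=lambda n: fake_dns.get(n, set()))
    for name, verdict in result.items():
        print(f"{verdict:20} {name}")
```

For a real audit, drop the `resolve` argument so that the system resolver is used, and pass the server's own addresses and the hosted domain list exported from Plesk.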