How to Update All cPanel Users’ SPF Records in One Go

Introduction
SPF (Sender Policy Framework) records are crucial for email authentication, helping prevent email spoofing and improving deliverability. Manually updating SPF records for each cPanel user can be time-consuming. This guide shows you how to automate this process using a single command.


What You’ll Need

  • Root SSH access to your cPanel server.
  • Basic understanding of terminal commands.

The Command Explained

Use the following command to update SPF records for all non-system cPanel users at once:

for user in $(cut -d: -f1 /etc/passwd | grep -v "nobody\|mysql\|system" | sort); do /usr/local/cpanel/bin/spf_installer $user "include:relay.mailchannels.net,include:smtp.mellow.solutions" 0 1 1; done

Breaking Down the Command

  1. User Selectioncut -d: -f1 /etc/passwd | grep -v "nobody\|mysql\|system" | sort
    • cut -d: -f1 /etc/passwd: Extracts all usernames from the system’s user list.
    • grep -v "nobody\|mysql\|system": Excludes system users (like nobodymysql, or system) to target only cPanel accounts.
    • sort: Orders the list alphabetically for consistency.
  2. SPF Update Command/usr/local/cpanel/bin/spf_installer $user "include:relay.mailchannels.net,include:smtp.mellow.solutions" 0 1 1
    • $user: Iterates through each valid cPanel username.
    • "include:relay.mailchannels.net,include:smtp.mellow.solutions": The SPF record to set. Replace these values with your own if needed (e.g., your email service providers).
    • 0 1 1: Flags for the spf_installer script (refer to cPanel documentation for exact meaning, but typically:
      • 0: Do not force overwrite.
      • 1 1: Save and enable the SPF record.

How to Run the Command

  1. SSH into your server as the root user.
  2. Copy and paste the command into the terminal.
  3. Press Enter to execute.

Important Notes & Precautions

  1. Backup First: Always backup your server’s configuration before making bulk changes.
  2. Verify the SPF Syntax: Ensure the SPF record values (include:relay.mailchannels.net, etc.) are correct and compatible with your email service providers.
  3. Check Record Length: SPF records must not exceed 255 characters. Test the final record using tools like MXToolbox.

Post-Execution Steps

  1. Check SPF Records:
    • Log in to WHM > Email Authentication > Manage SPF Records.
    • Verify that the SPF records for all users now include the new entries.
  2. Test Deliverability: Send test emails to confirm no delivery issues arise.

Troubleshooting

  • Command Errors: If the script fails, ensure:
    • The spf_installer tool is installed (common in cPanel versions 11.50+).
    • You’re running the command as root.
  • Existing SPF Entries: The command may overwrite or append to existing records. Review each user’s SPF settings if needed.

Why Automate This?

This method saves hours of manual work, ensuring all accounts comply with your email provider’s requirements in seconds.


Final Note
Automating SPF updates is efficient, but always prioritize accuracy. Mistakes in SPF records can lead to email delivery failures.

Ready to implement? Copy the command, test it on a staging server if possible, and ensure your SPF syntax is validated.


Share this guide with your team or save it for future reference. Let us know if you need further assistance!


Tags: #cPanel, #SPF, #EmailAuthentication, #Automation


This guide ensures your SPF records are updated seamlessly, enhancing email security and deliverability across all accounts.

550 Please turn on SMTP Authentication in your mail client.

Error Examples:

When someone tries to send you mail from gmail/outlook, they get a reply mail with the following errors:

550 Please turn on SMTP Authentication in your mail client. mail-lf1-f43.google.com [209.85.167.43]:42770 is not permitted to relay through this server without authentication.
Remote Server returned '550 5.7.368 Remote server returned authentication required to relay -> 550 Please turn on SMTP Authentication in your mail client. ;mail-oln040092255101.outbound.protection.outlook.com;(APC01-HK2-obe.outbound.protection.outlook.com) [40.92.255.101]:9693 is not;permitted to relay through this server without authentication.'

Error Solution

The error appears for several reasons. I will try to point out the most common ones I have faced for clients.

One, this domain is listed in /etc/remotedomains, while the domain is actually a local domain or shall use a local exchanger. As the domain is set not to use local mail exchange, hence the MTA is bouncing the mail back from receiving. To resolve this problem, you need to go to:

WHM >> DNS Zone Manager >> Search your domain that is having problem >> Manage

Now, click on the ‘Email Routing Configuration’ just beside the ‘Actions’ button as shown in the screenshot.

In the MX, make sure to set your local MX, and then select ‘Local Mail Exchanger’, then save.

If the domain was in remotedomains, and you did the above, and the issue is still not fixed, then you may want to run the following command to rebuild the remotedomains and localdomains file for Cpanel

/scripts/checkalldomainsmxs –yes

The second reason, the issue can appear, if you have defined two different MX and one of them, does not have the user, to whom the mail is trying to deliver. You should try to avoid such ambiguity. If you use multiple different MX, then you need to make sure, both of them accepts the same set of the user list.

Hope this works for you. Let me know the result.

Error: The websocket handshake failed at PM – Cpanel Terminal

Error:

When you try to open the terminal from Cpanel, it shows you an error in the red screen like the following:

The WebSocket handshake failed at 1:34:27 PM.

Solution

The error is appearing because Cpanel uses a socket to create a terminal window for you from the Cpanel. But this verifies the origin of your URL. If you are behind a proxy, then Cpanel won’t let the socket establish.

Most of the time, I have seen the user using Cloudflare behind the domain and using the same domain to access the Cpanel. Unfortunately, Cloudflare’s proxied IP won’t be able to create the websocket. Hence, you must use a domain or hostname or the server IP to access the Cpanel, to use Terminal.

Cpanel Hosting Tries to Send Mail using Localhost for Remote Relay from PHP Script

Question: When I try to send mail using a PHP script in Cpanel, it automatically switches the SMTP hostname to localhost, even if I use a remote relay like sparkpost or mailgun. How to fix this?

Solution:

The reason behind the behavior is, by default Cpanel doesn’t let your customers use remote SMTP using PHP. This is controlled using a feature called ‘SMTP Restriction’. Go to WHM, log in using root, from Security Center select “SMTP Restrictions” and now, disable this. Your script shall now be able to send mail using remote SMTP like sparkpost/mailgun/pepipost.

Apache detected an error in the Rewrite config. httpd_ls_bak: Syntax error in -C/-c directive: Include/IncludeOptional: Could not open directory /usr/local/apache/conf.modules.d: No such file or directory Please try again. – Cpanel Error

You might see the following set of errors with Cpanel

When trying to remove the redirect from Cpanel

Apache detected an error in the Rewrite config. <pre>httpd_ls_bak: Syntax error in -C/-c directive: Include/IncludeOptional: Could not open directory /usr/local/apache/conf.modules.d: No such file or directory </pre> Please try again.

/scripts/rebuildhttpdconf generates an error like the following:

httpd: Syntax error in -C/-c directive: Include/IncludeOptional: Could not open directory /usr/local/apache/conf.modules.d: No such file or directory

Resolution

Previously, we reinstalled apache24 to solve the issue like the following:

yum reinstall ea-apache24

Although you may also reinstall the apache config runtime extension, that shall fix the issue as well.

rpm -e --nodeps --justdb ea-apache24-config-runtime.noarch
yum install ea-apache24-config-runtime.noarch

Now you may rebuild the httpd conf or remove the redirect from cpanel without any problem.

failed to open db file /var/spool/exim/db/ratelimit: permission denied

Cpanel incoming mails are failing, with an error in the exim_mainlog as following:

failed to open db file /var/spool/exim/db/ratelimit: permission denied

The error is appearing due to some permission issues with the exim db or the files are corrupted. These files recreate when the exim restart. Hence, we can do the following:

# delete the db files
rm -rf /var/spool/exim/db/*

# restart exim
service exim restart

# fix permission of exim spool
chown -Rf mailnull.mail /var/spool/exim
chmod 0750 /var/spool/exim

You should be done now.

How to run composer with different PHP versions in Cpanel?

Question:

When we try to run a composer command, like update, we usually do the following:

composer update

Cpanel has multiple PHP binaries, but in this case, we are unable to select a specific PHP binary to use, instead we have to run it with the default one, how to run composer update with a different php binary in cpanel?

Solution

composer binary file, is a phar file. PHAR is necessarily a PHP Archive and usually automatically detect the running php. But as it is essentially written in php, you may explicitly run it with a different php binary, if you want. To run composer with different php binary, first, you need to find the location of composer. You may do so, using the following:

root@mirage [~]# which composer
/opt/cpanel/composer/bin/composer

Cpanel different php binaries are available under the following kind of directory:

/opt/cpanel/ea-phpXX/usr/bin/php

XX is the version number of PHP. So for example if you need to use PHP 7.4, you would need to run using the following:

/opt/cpanel/ea-php74/usr/bin/php

Now, to run composer update along with PHP 7.4 binary, you may do something like the following:

/opt/cpanel/ea-php74/usr/bin/php /opt/cpanel/composer/bin/composer update

First, make sure you are in the directory where you want to install laravel, for example, something like the following:

cd /home/username/public_html

Then, you may run the above command:

/opt/cpanel/ea-php74/usr/bin/php /opt/cpanel/composer/bin/composer update
or in case, you want to to install
/opt/cpanel/ea-php74/usr/bin/php /opt/cpanel/composer/bin/composer install
or may be, you wan to run update with no-scripts
/opt/cpanel/ea-php74/usr/bin/php /opt/cpanel/composer/bin/composer update --no-scripts

Uncaught ErrorException: require(/home/username/public_html/vendor/composer/../../app/Helpers/helper.php): failed to open stream: No such file or directory in /home/username/public_html/vendor/composer/autoload_real.php:71

Error Details

While trying to run any of the following with Laravel composer installer, you see an error similar to the following:

Uncaught ErrorException: require(/home/username/public_html/vendor/composer/../../app/Helpers/helper.php): failed to open stream: No such file or directory in /home/username/public_html/vendor/composer/autoload_real.php:71

How to fix this?

Solution

The error is appearing, most likely you forgot to add the ‘app’ directory of laravel in your root directory. Make sure, you have the ‘app’ directory in your root directory, then run any of the following:

If this is the first time, you need all laravel packages, run:

composer install

If this is not the first time, you may run the following:

composer update

Good luck.

How to Uninstall Let’s Encrypt from Cpanel / WHM

To uninstall the Cpanel / WHM plugin for Let’s Encrypt, login to your SSH for root and run the following:

/usr/local/cpanel/scripts/uninstall_lets_encrypt_autossl_provider

It might take sometime, once completed, it should remove let’s encrypt as a provider from your AutoSSL plugin.

How to Install Let’s Encrypt in Cpanel

Let’s Encrypt is a popular tool to use free SSL for your website. Cpanel comes with Sectigo free ssl service through requesting and pooling system. Although, you might feel interested in getting the SSL released immediately without a queue based approach, and would prefer to use Let’s Encrypt that’s why.

There are two ways, you may install Let’s Encrypt in Cpanel.

  1. Using Cpanel Plugin

First one would be using the plugin created by Cpanel. Login to your server as root:

ssh root@server_ip

Then, run the following to install Let’s Encrypt in your cpanel system

/usr/local/cpanel/scripts/install_lets_encrypt_autossl_provider

It might take a couple of minutes, then it should install Let’s Encrypt as a provider in AutoSSL.

Now, go to WHM >> Manage AutoSSL and select Let’s Encrypt as the provider instead of Sectigo Cpanel default. You need to check the Agreement rules under the Let’s Encrypt selection and you may create the account in Let’s Encrypt using the same tool.

Once done, your new SSLs would be issued using the Let’s Encrypt tool through Cpanel AutoSSL plugin.

2. Using FleetSSL

There is a 3rd party tool, existed before Cpanel provided a plugin for Let’s Encrypt. It’s FleetSSL. One key benefit of using FleetSSL is that, it allows the Cpanel end users to control issuing and renewing the SSL from Cpanel. One key cons of using FleetSSL is that, it is not free of charge, it comes with 30$ one time fees. But mainly hosting provider would not mind to use this as it is a nice addition for the end user feature set in a hosting provider’s point of view.

You may check for details here:

https://letsencrypt-for-cpanel.com/

Now, once you complete installing Let’s Encrypt SSL, you may now use Let’s Encrypt for different cpanel services like webmail/cpanel/whm/calenders/MTA services. You may check the following to know how to: