Tag: email

  • Creating SPF Records for your Domain

    The creation of a Sender Policy Framework (SPF) record is managed by the person or team that looks after your domain's DNS (Domain Name System) zone, because the record is published in DNS rather than configured on the mail server.

    The creation of an SPF record is a relatively simple process.

    Generally a domain name is hosted by a service provider like WrenMaxwell and it will be accessed via a control panel or interface that allows for the creation, editing or deletion of domain records.

    An SPF record is simply a TXT (text) record published at the domain name itself (the zone apex, not a subdomain). This is an example of a basic SPF record.

    Domain                TTL     Record Type   Record
    wrenmaxwell.com.au.   14400   IN TXT        "v=spf1 +a +mx -all"
    Example SPF record

    In this example the domain is wrenmaxwell.com.au (note the trailing full stop in the record: it marks the name as fully qualified, so the zone origin is not appended to it again).

    The TTL or Time To Live is the number of seconds a resolver may cache this record before it must query for it again; 14400 is four hours, so a change to the record can take up to that long to be seen everywhere.

    IN TXT is the class and type of the record: IN is the Internet class (cPanel / WHM always shows it, while other interfaces omit it because IN is the only class in practical use) and TXT is the record type.

    The record content is enclosed in quote marks (for cPanel / WHM this is standard; other interfaces may hide the quotes or add them in the background, so do not type a second pair).

    What is in the SPF Record ?

    The example includes 3 settings:

    v=spf1  is the version of SPF that is being used. Currently there is only spf version 1 so spf1 is standard.

    +a says that a host whose IP address appears in the domain's A records is allowed to send, and +mx says the same for the hosts named in the domain's MX records. The + is the default qualifier, so a mx means exactly the same as +a +mx.

    -all says to fail All Other servers sending email using this domain name.

    SPF Record Syntax

    After the version instruction the rest of the record consists of mechanisms and qualifiers.

    When an email arrives, the receiving server takes the IP address of the connecting (sending) host and the domain from the envelope sender (the SMTP MAIL FROM address, which appears as Return-Path; the HELO/EHLO name may be checked as well), fetches that domain's SPF record and tests the mechanisms against the IP address. The connecting IP is the one thing a sender cannot forge, which is what makes the check useful. If a mechanism matches the IP address then the qualifier for that mechanism is used to determine what action should be taken in relation to the specific email that is being processed. Note that SPF says nothing about the From: header the recipient sees; tying that to the envelope domain is the job of DMARC.

    Mechanisms are always processed from left to right with each mechanism tested until a match is found. Once a match is found the query is stopped and the qualifier used to return the action or response to the receiving server. If no mechanism matches (which can only happen when the record has no all at the end) the result is Neutral.

    SPF Record Qualifiers

    The qualifiers are the symbols:

    Qualifier   Result     Comment
    "+"         Pass       tells the receiving server that the sending host is allowed to send for this domain (the default when no qualifier is written)
    "-"         Fail       tells the receiving server that the sending host is not allowed to send for this domain
    "~"         SoftFail   tells the receiving server that the domain believes the host is probably not authorised but will not make a definite statement; receivers usually accept the message and mark it
    "?"         Neutral    tells the receiving server that the domain asserts nothing about this host; treated as if no policy existed
    Table of SPF Qualifier symbols

    There are three other results that can come from the evaluation of an SPF record: None (the domain publishes no SPF record), TempError (a DNS lookup failed temporarily, so the receiver may retry later) and PermError (the record cannot be interpreted, for example because of a syntax error, two SPF records on the same name, or more than the permitted 10 DNS lookups). The four qualifiers above cover the main ones.

    SPF Record Mechanisms

    There are a number of mechanisms that are commonly used and some that are not. Mechanism names are case-insensitive (A or a, MX or mx).

    Mechanism   Explanation
    a           The A (and AAAA) records of the domain are resolved. If the client IP is among them, this mechanism matches. An optional domain and CIDR prefix can be given, for example a:mail.example.com/24.
    mx          Each host named in the domain's MX records is resolved to its A/AAAA records. If the client IP is among them, this mechanism matches. It also accepts an optional domain and prefix.
    ip4         Matches if the client IP is the given IPv4 address or lies within the given CIDR block, for example ip4:203.0.113.0/24.
    ip6         As ip4 but for IPv6 addresses, for example ip6:2001:db8::/32.
    include     include:some.other.domain evaluates that domain's SPF record; it matches only if that evaluation returns Pass. A Fail or SoftFail inside the included record does not match, so evaluation simply continues with the next mechanism.
    all         Refers to any other server (all other servers); this mechanism always matches, so it is the catch-all placed last.
    Table of SPF Mechanisms

    MX stands for Mail Exchanger, meaning a server or host that will accept incoming email for the domain. Listing it in SPF is only correct if the same hosts also send your outbound mail.

    ip4 and ip6 refer to the type of IP address that is in use. A common error is to see ipv4 or ipv6, where the editor of the SPF record has inadvertently included the 'v' for version of the IP address, which is the usual format in other documentation of IP addresses but is not a valid SPF mechanism. A receiving server treats an unknown mechanism as a syntax error and returns PermError, so that single typo breaks the whole record.

    The include mechanism caters for larger configurations where there may be clustered servers or regular changes to mail server hosts: the service provider, for example Google Workspace (include:_spf.google.com) or Microsoft 365 (include:spf.protection.outlook.com), manages the list of sending hosts in its own domain, and your domain's SPF record links to it. Be aware that every a, mx and include term (and the rarer ptr, exists and redirect) costs a DNS lookup, and RFC 7208 allows at most 10 per evaluation, counting those inside included records; exceeding the limit returns PermError, so a record that chains several providers can silently stop working.

    The all mechanism should always be the last entry in an SPF record so that every other mechanism is evaluated before this 'catch-all' mechanism is checked. Anything written after all is never reached, because all always matches.

    For a full list of all SPF mechanisms and modifiers refer to the openspf.org page on SPF Record Syntax or, authoritatively, to RFC 7208 (Sender Policy Framework) section 5.

    SPF Record Qualifiers and Mechanism Examples

    Using the wrenmaxwell.com.au SPF record as an example.

    Domain                TTL     Record Type   Record
    wrenmaxwell.com.au.   14400   IN TXT        "v=spf1 +a +mx -all"
    SPF Record Example Settings

    The version instruction is standard. v=spf1

    The +a says check the A records for the domain "wrenmaxwell.com.au" and if the connecting host's IP address matches one of them then '+' accept it (Pass).

    The +mx says check the MX records for the domain "wrenmaxwell.com.au", resolve each listed mail exchanger to its IP addresses, and if the connecting host's IP address matches then '+' accept it (Pass).

    The -all says if the sending server is any other server then "-" fail the server (Fail) and do not accept the email message, as it is not an authorised sender for this domain.
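    To make the left-to-right evaluation, the qualifiers, the mechanisms and the worked wrenmaxwell.com.au record above concrete, here is a small SPF evaluator written for this edit; it is an added example, not code from the original article or from WrenMaxwell. It runs over a constructed in-memory DNS table instead of real DNS. Only the domain wrenmaxwell.com.au and its record "v=spf1 +a +mx -all" come from the article; every IP address, the host name mail.wrenmaxwell.com.au, and the domains newsletter.example, bulk.example.net, typo.example and loop.example are assumptions made up for the demonstration. It also shows the three failure modes discussed above: the ipv4: typo, a record with no SPF at all, and an include chain that exceeds the 10-lookup limit.

```python
"""Minimal SPF (RFC 7208) evaluation over a constructed in-memory DNS table.
Added example, not code from the original article. Only wrenmaxwell.com.au and
"v=spf1 +a +mx -all" come from the article; all IPs and other names are assumed."""
import ipaddress
import re

# Constructed zone data: (name, record type) -> list of values.  MX values are
# just the target host names; MX priorities play no part in SPF.
DNS = {
    ("wrenmaxwell.com.au", "TXT"): ["v=spf1 +a +mx -all"],
    ("wrenmaxwell.com.au", "A"): ["203.0.113.10"],
    ("wrenmaxwell.com.au", "MX"): ["mail.wrenmaxwell.com.au"],
    ("mail.wrenmaxwell.com.au", "A"): ["203.0.113.25"],
    # Assumed domain that hands its bulk mail to a provider via include:
    ("newsletter.example", "TXT"): ["v=spf1 include:bulk.example.net ~all"],
    ("bulk.example.net", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    # The typo from the article: 'ipv4:' is not a mechanism.
    ("typo.example", "TXT"): ["v=spf1 ipv4:203.0.113.10 -all"],
    # A record that includes itself, to show the 10-lookup limit.
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# [qualifier]mechanism[:argument][/prefix]; mechanism names are case-insensitive.
TERM = re.compile(r"^([+\-~?])?(all|include|a|mx|ip4|ip6)(?::([^/]+))?(?:/(\d+))?$", re.I)
MAX_LOOKUPS = 10  # RFC 7208 s4.6.4: a, mx, include (plus ptr, exists, redirect) count

def lookup(name, rrtype):
    return DNS.get((name.lower().rstrip("."), rrtype), [])

def ip_in_hosts(ip, names, prefix):
    """True if ip lies within any A/AAAA record of the named hosts, widened by /prefix."""
    rrtype = "A" if ip.version == 4 else "AAAA"
    bits = prefix or (32 if ip.version == 4 else 128)
    for name in names:
        for addr in lookup(name, rrtype):
            if ip in ipaddress.ip_network(f"{addr}/{bits}", strict=False):
                return True
    return False

def check_host(client_ip, domain, lookups=None):
    """Evaluate domain's SPF policy for the connecting IP.
    Returns pass / fail / softfail / neutral / none / permerror.  `lookups` is a
    counter shared with included records so the whole chain is limited to 10."""
    ip = ipaddress.ip_address(client_ip)
    lookups = [0] if lookups is None else lookups
    records = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:  # RFC 7208 s3.2: two SPF records is a PermError, not a merge
        return "permerror"
    # Mechanisms are tested left to right; the first one that matches decides.
    for term in records[0].split()[1:]:
        m = TERM.match(term)
        if not m or (m.group(2).lower() in ("include", "ip4", "ip6") and not m.group(3)):
            return "permerror"  # unknown mechanism or malformed term (e.g. 'ipv4:')
        qual, mech, arg, prefix = m.group(1) or "+", m.group(2).lower(), m.group(3), m.group(4)
        if mech in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg if prefix is None else f"{arg}/{prefix}", strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif mech == "a":
            matched = ip_in_hosts(ip, [arg or domain], prefix)
        elif mech == "mx":
            matched = ip_in_hosts(ip, lookup(arg or domain, "MX"), prefix)
        else:  # include: matches only when the included policy itself returns Pass
            sub = check_host(client_ip, arg, lookups)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no 'all' term: the RFC 7208 default

def demo():
    """The article's record plus the assumed variants, checked for sample senders."""
    return {
        "mx host": check_host("203.0.113.25", "wrenmaxwell.com.au"),  # pass via +mx
        "web host": check_host("203.0.113.10", "wrenmaxwell.com.au"),  # pass via +a
        "stranger": check_host("192.0.2.77", "wrenmaxwell.com.au"),  # fail via -all
        "ipv6 sender": check_host("2001:db8::1", "wrenmaxwell.com.au"),  # no AAAA: fail
        "included": check_host("198.51.100.9", "newsletter.example"),  # pass via include
        "softfail": check_host("192.0.2.77", "newsletter.example"),  # ~all
        "typo": check_host("203.0.113.10", "typo.example"),  # permerror
        "loop": check_host("203.0.113.10", "loop.example"),  # permerror: >10 lookups
        "no record": check_host("203.0.113.10", "nospf.example"),  # none
    }
```

    Running demo() returns the result for each sample sender. Two design points worth noticing: the lookup counter is one shared list passed down through every include, because the limit applies to the whole evaluation and not per record, which is why loop.example ends in PermError rather than recursing forever; and include only ever "matches" on Pass, so the ~all at the end of newsletter.example is what decides the fate of an address the provider does not list. Replacing lookup() with real DNS queries (and adding ptr, exists, redirect and TempError handling) is what separates this sketch from a production checker.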

    SPF References

    Configuring Microsoft Office 365 SPF Records https://technet.microsoft.com/en-au/library/dn789058(v=exchg.150).aspx

    Scott Kitterman’s site at https://www.kitterman.com/spf/validate.html is a very useful set of tools.

    Summary

    Configuring a basic SPF record is not difficult if you are comfortable with managing your own DNS. If your email configuration is more complex than a single server or source of email, then there are many options that may be required to have a fully working SPF configuration. WrenMaxwell has been managing DNS systems for over 20 years and can assist you with your DNS support. Contact us any time for a free consultation.

    This post was first published in our HelpDesk Knowledgebase at https://help.wrenmaxwell.com.au/index.php?/Knowledgebase/Article/View/27/0/Creating-SPF-Records-for-your-Domain on 26th July 2016. The information is still valid with this update 12th July 2022.

  • Updating Logins with Microsoft Authenticator

    Over the last week I have had a number of issues with authentication and particularly ensuring that we have all our clients using MFA for Microsoft, which led to the title of this post "Updating Logins with Microsoft Authenticator".

    Standard Microsoft Login Screen prompt.

    In my role as a client-facing systems administrator I have a lot of Microsoft accounts for various testing scenarios and administration functions. Using Microsoft Authenticator on my mobile as a primary 2-factor/multi-factor (2FA or MFA) tool is an obvious solution.

    During a session of checking documentation and validating account access I had a need to update a number of logins. As a result of logging into Microsoft around 20 times I have found that the quickest and easiest method to check or update any of the account information is with this link https://mysignins.microsoft.com/.

    Standard Microsoft Password screen prompt.

    What happens with that link? First up it redirects to a https://login.microsoftonline.com/ OAuth2 URL and prompts for your login email or phone number.

    Enter an email address and select Next.

    Using the existing strong (long) passphrase. Yes, passphrase rather than password. I wrote a post on that topic many years ago and have updated it recently.

    After selecting Sign In the MFA login screen is shown, assuming you already had MFA configured. In my case I was unable to access some of these accounts via Authenticator due to swapping phones and having another phone break-down in the last 6 months, but I digress.

    Selecting in this case either to use the Authenticator, or an alternative method “Can’t use authenticator now” provides for a second confirmation of my identity.

    Using an alternative method assumes that you had originally configured other options like an email address or a phone number that can receive text messages.

    The “Don’t ask again for 180 days” option is not guaranteed. I have not confirmed it, but I am sure it is just a cookie in the browser and if you use different browsers for various tasks then the 180 days only applies on that computer or device and only for that web browser. Use another device or another web browser and you will be prompted again, potentially just 5 minutes later!

    So now that we are logged in, we are automatically re-routed back to the URL we started with, which is https://mysignins.microsoft.com, and which looks like this with multiple panels and options.

    Microsoft https://mysignins.microsoft.com overview screenshot

    I’ll leave most of the options for another post as the one I needed to use today was the Security Info section.

    Microsoft https://mysignins.microsoft.com security info screenshot

    From here the process is fairly straight-forward. Select the + Add sign-in method, add a new phone, or Authenticator App, or email address for multi-factor authentication. Select the Default sign-in method, which I have set as Microsoft Authenticator. It's generally quick and simple, while an email takes a bit longer and requires copy/paste of a code or similar.

    Removal of an old authentication method, like my now-dead iPhone 4, is as simple as hitting the Delete option.

    Another useful screen is the Organizations panel which helps when you have more than one organization that you deal with.

    Microsoft https://mysignins.microsoft.com organisations screenshot

    The only obvious thought here is that the Home organisation may change for some people and I am not sure what happens if you leave an organisation but have it as your Home? I will look at that another day.
