How to Correct Email SSL Hostname in cPanel Interface

Users in cPanel have the convenient option of automatically setting up their mail clients using a downloaded setup file, or the printed list of configurable values that displays in the cPanel interface under Mail -> Email Accounts -> Configure Email Client.  If you’re offering secure email services under a specific SSL hostname for the user to connect to, there are times where the Configure Email Client hostname may be incorrect.  This is especially true if you are using a wildcard SSL certificate for service SSL access, which will cause this feature to default to the server’s hostname.

To correct this, all you need to do is edit the following files in /var/cpanel/ssl:

  • courier-imapd-DOMAINS
  • courier-pop3d-DOMAINS
  • exim-DOMAINS
  • dovecot-DOMAINS


The files should contain the secure hostname that you want your customers to use when accessing email over SSL.  To make this simpler, you can use the following script:

SSL_HOST=secure.hostname # Replace this with the desired hostname
SERVICES=(courier-imapd courier-pop3d exim dovecot)
for file in ${SERVICES[@]}
echo $SSL_HOST >  /var/cpanel/ssl/$file-DOMAINS

Save the above script into a file, set the permissions to 755, and run it normally.

How to Change the Apache Default Document Root on a cPanel Server

By default, cPanel configures Apache to load its default website from /usr/local/apache/htdocs.  This page will redirect to the template of the default page that is set up by cPanel, which is configurable via WHM -> Web Template Editor.

If you want to change the location of the default site altogether, you’re going to need to modify one of the EasyApache templates.   This particular modification is easy to do:

cd /var/cpanel/templates/apache2/

cp main.default main.local


The main.default is used to build the structure of the entire httpd.conf, which in turn also pulls in other templates from various locations.  When you copy this to main.local, you’re telling EasyApache to use the .local file instead.  If the main.local already exists, you can probably just edit the existing version.

In this file, you’re looking for a defined VirtualHost entry that starts with this:

<VirtualHost [% vh %]>
ServerName [% servername %]
DocumentRoot [% serverroot %]/htdocs


You’ll want to change the DocumentRoot setting to the location of the files you want to serve.  You may also need to set SuPHP_UserGroup to the user/group of the cPanel account that owns the files.  Here’s a DocumentRoot example:


DocumentRoot /home/user/public_html/


Once you’ve changed this, run the following to apply your settings:


service httpd reload


Perfect Forward Secrecy with Apache 2.2 on a cPanel Server

Perfect Forward Secrecy (PFS) is a security measure that helps to ensure that a session key cannot be compromised if one of the long-term keys in its set is compromised at a later date.  With PFS, if a single key is compromised, only data protected by that key has the potential to be compromised as well.  This is a feature specific to SSL connections that is now a somewhat standard requirement for passing PCI scans.

Apache 2.4 has this ability built-in, but Apache 2.2 supports the PFS-required ciphers as of 2.2.26.  To enable this, you’ll need to make a few adjustments to the main Apache template.  First, you need to change the SSLCipherSuite value. You can adjust this in WHM -> Apache Configuration -> Global Configuration, in the SSL Cipher Suite box.  Change this value to:


Then save the file.  You can also adjust this in /var/cpanel/conf/apache/local.

From here, you will need to add an additional setting to tell Apache to honor the cipher order you just defined.  To do this:

cp /var/cpanel/templates/apache2/main.default /var/cpanel/templates/apache2/main.local

If main.local already exists, just use the existing file.

look for “SSLCipherSuite” in the template, it will look something like this:

[% IF main.sslciphersuite.item.sslciphersuite.length %]SSLCipherSuite [% main.sslciphersuite.item.sslciphersuite %][% END %]

Above this, add the following line:

SSLHonorCipherOrder on

Save the file, then apply the settings:


service httpd restart


To confirm PFS is working, you can run an SSL test here: