Recommended cPanel config
For all cPanel systems we recommend the following config:
- Ensure your server hostname resolves and has a reverse DNS record
- Use WHM -> Email Deliverability to ensure your hostname has both an SPF record and a DKIM key set up. cPanel will also confirm proper rDNS.
In WHM -> Home -> Service Configuration -> Exim Configuration Manager:
- Use the reverse DNS entry for the mail HELO/EHLO if available – Set to OFF
- SPF include hosts for all domains on this system – Set to relay.mailbaby.net
- Enable Sender Rewriting Scheme (SRS) Support – Set to ON
Optional Config
cPanel includes its own anti-spam features for outbound mail. We recommend enabling:
- Scan messages for malware from authenticated senders (exiscan)
- Scan outgoing messages for malware
- Scan outgoing messages for spam and reject based on defined Apache SpamAssassin™ score
- Do not forward mail to external recipients based on the defined Apache SpamAssassin™ score (Minimum: 0.1; Maximum: 99.9)
We also recommend limiting emails per hour in WHM -> Tweak Settings.
These settings prevent easily detectable spam from leaving your systems and help reduce the number of emails sent.
Option 1: Manual editing through Web Host Manager
In Web Host Manager go to Home » Service Configuration » Exim Configuration Manager
Click Advanced Editor
Find Section: AUTH and add
mailbaby_login:
  driver = plaintext
  public_name = LOGIN
  client_send = : $YOURUSERNAME : $YOURPASSWORD
Find Section: POSTMAILCOUNT
remoteserver_route:
  driver = manualroute
  transport = mailbaby_smtp
  domains = !+local_domains
  ignore_target_hosts = 127.0.0.0/8
  route_list = * relay.mailbaby.net::25 randomize byname
  host_find_failed = defer
  no_more
Find Section: TRANSPORTSTART
IMPORTANT: ensure X-AuthUser is kept. Failure to do so will result in stricter email filtering.
mailbaby_smtp:
  driver = smtp
  hosts_require_auth = *
  tls_tempfail_tryclear = true
  headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*} {$authenticated_id} {${if match {$authenticated_id}{.+} {[email protected]$primary_hostname}{$authenticated_id}}}}
  dkim_domain = $sender_address_domain
  dkim_selector = default
  dkim_canon = relaxed
  dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
Optional
Find Section: RETRYSTART
* data_4xx F,4h,1m
* rcpt_4xx F,4h,1m
* timeout F,4h,1m
* refused F,1h,5m
* lost_connection F,1h,1m
* * F,6h,5m
Find Section: RETRYBLOCK
+secondarymx * F,4h,5m; G,16h,1h,1.5; F,4d,8h
* * F,2h,15m; G,16h,1h,1.5; F,4d,8h
* auth_failed
Option 2: Create /etc/exim.conf.local
Edit /etc/exim.conf.local – if it exists already you will want to merge the config
%RETRYBLOCK%
+secondarymx * F,4h,5m; G,16h,1h,1.5; F,4d,8h
* * F,2h,15m; G,16h,1h,1.5; F,4d,8h
* auth_failed

@[email protected]
mailbaby_login:
  driver = plaintext
  public_name = LOGIN
  client_send = : $YOURUSERNAME : $YOURPASSWORD

@[email protected]

@[email protected]
chunking_advertise_hosts = ""
local_from_check = true
# mailbaby max size limit is 100MB while the cpanel default may be less
#message_size_limit = 100M
ignore_bounce_errors_after = 1h
timeout_frozen_after = 12h

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]
remoteserver_route:
  driver = manualroute
  transport = mailbaby_smtp
  domains = !+local_domains
  #uncomment to exclude specific emails or domains
  #senders = : [email protected] : !*@domain1.com
  ignore_target_hosts = 127.0.0.0/8
  route_list = * relay.mailbaby.net::25 randomize byname
  host_find_failed = defer
  no_more

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]
* data_4xx F,4h,1m
* rcpt_4xx F,4h,1m
* timeout F,4h,1m
* refused F,1h,5m
* lost_connection F,1h,1m
* * F,6h,5m

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]
mailbaby_smtp:
  driver = smtp
  hosts_require_auth = *
  tls_tempfail_tryclear = true
  headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*} {$authenticated_id} {${if match {$authenticated_id}{.+} {[email protected]$primary_hostname}{$authenticated_id}}}}
  dkim_domain = $sender_address_domain
  dkim_selector = default
  dkim_canon = relaxed
  dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
When done run
/scripts/buildeximconf
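A merge of /etc/exim.conf.local can silently drop one of the settings above, so the following added example (not MailBaby or cPanel code) checks the merged text for the relay route, required authentication, the X-AuthUser header and unfilled credentials. The function names and the sample text are constructed for illustration.

```python
import re

PLACEHOLDERS = ("$YOURUSERNAME", "$YOURPASSWORD")

def parse_blocks(text):
    """Collect 'name:' blocks and their 'option = value' lines from Exim config text."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if re.fullmatch(r"\w+:", line):
            current = blocks.setdefault(line[:-1], {})
        elif line[0] in "@%":              # section marker such as %RETRYBLOCK% ends a block
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return blocks

def check_relay_config(text):
    """Return findings for the settings this page relies on; an empty list means none."""
    blocks = parse_blocks(text)
    login, route, smtp = (blocks.get(name, {}) for name in
                          ("mailbaby_login", "remoteserver_route", "mailbaby_smtp"))
    findings = []
    if any(p in login.get("client_send", PLACEHOLDERS[0]) for p in PLACEHOLDERS):
        findings.append("mailbaby_login: credentials missing or still placeholders")
    if "relay.mailbaby.net" not in route.get("route_list", ""):
        findings.append("remoteserver_route: route_list does not use relay.mailbaby.net")
    if smtp.get("hosts_require_auth") != "*":
        findings.append("mailbaby_smtp: hosts_require_auth is not *")
    if not smtp.get("headers_add", "").startswith("X-AuthUser:"):
        findings.append("mailbaby_smtp: X-AuthUser header is not added")
    return findings

# Constructed sample of a bad merge: placeholders left in, headers_add lost.
SAMPLE = """
%RETRYBLOCK%
* * F,2h,15m; G,16h,1h,1.5; F,4d,8h
mailbaby_login:
  public_name = LOGIN
  client_send = : $YOURUSERNAME : $YOURPASSWORD
remoteserver_route:
  transport = mailbaby_smtp
  route_list = * relay.mailbaby.net::25 randomize byname
mailbaby_smtp:
  driver = smtp
  hosts_require_auth = *
"""
```

The check does not cover transport encryption: with tls_tempfail_tryclear = true Exim retries in clear text when TLS setup fails temporarily, and the LOGIN authenticator only base64-encodes the credentials.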
Advanced Config in cPanel
Most advanced config goes in the POSTMAILCOUNT section. Important – use POSTMAILCOUNT in order to be able to limit emails per hour within cPanel.
Exclude a domain from MailBaby in exim
Add a senders line to remoteserver_route, like:
senders = : [email protected] : !*@domain2.com
* is a wildcard match, so *@domain1.com covers [email protected] and [email protected] covers just that sender. Note that the ! is needed to negate each entry.
remoteserver_route:
  driver = manualroute
  transport = mailbaby_smtp
  domains = !+local_domains
  # add senders exclude
  senders = : [email protected] : !*@domain1.com
  ignore_target_hosts = 127.0.0.0/8
  route_list = * relay.mailbaby.net::25 randomize byname
  host_find_failed = defer
  no_more
Only use MailBaby when sending to specific domains
To do this, edit the domains line. Remove the +local_domains entry, which indicates MailBaby is excluded for all local domains, and change the line to:
domains = domain1.com : domain2.com : !*
This forces email addressed to domain1.com and domain2.com through MailBaby and excludes all other destinations.
remoteserver_route:
  driver = manualroute
  transport = mailbaby_smtp
  domains = domain1.com : domain2.com : !*
  ignore_target_hosts = 127.0.0.0/8
  route_list = * relay.mailbaby.net::25 randomize byname
  host_find_failed = defer
  no_more
Only use MailBaby when sending from a specific domain
For this, add a senders line, but leave out the ! used to negate so that only the listed senders match. * is a wildcard.
senders = *@domain1.com : [email protected]
remoteserver_route:
  driver = manualroute
  transport = mailbaby_smtp
  domains = !+local_domains
  # add senders to include excluding all others
  senders = *@domain1.com : [email protected]
  ignore_target_hosts = 127.0.0.0/8
  route_list = * relay.mailbaby.net::25 randomize byname
  host_find_failed = defer
  no_more
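The three variants above depend on how Exim evaluates a list: the first matching item decides, ! negates it, and a list that ends without a match counts as matched only when its last item was negated. This added example is a simplified Python model of that rule (not Exim code, and limited to the item forms used on this page); the addresses and the local_domains content are constructed.

```python
def item_matches(pattern, subject, named):
    """Match one item: '' (empty sender), '+list', '*', 'domain', '*@domain', 'user@domain'."""
    pattern, subject = pattern.lower(), subject.lower()
    if pattern.startswith("+"):                  # named list such as +local_domains
        return any(item_matches(p, subject, named) for p in named[pattern[1:]])
    if "@" not in pattern:                       # domain item, '*', or the empty item
        return pattern == "*" or pattern == subject
    if "@" not in subject:                       # empty sender never matches an address item
        return False
    p_local, p_dom = pattern.rsplit("@", 1)
    s_local, s_dom = subject.rsplit("@", 1)
    local_ok = s_local.endswith(p_local[1:]) if p_local.startswith("*") else s_local == p_local
    return local_ok and s_dom == p_dom

def list_matches(spec, subject, named=None):
    """First matching item decides; with no match, yes only if the last item was negated."""
    negated = False
    for item in (i.strip() for i in spec.split(":")):
        negated = item.startswith("!")
        if item_matches(item.lstrip("!").strip(), subject, named or {}):
            return not negated
    return negated

def uses_mailbaby(router, sender, rcpt, named):
    """True when a message from `sender` to `rcpt` passes the router's preconditions."""
    domain = rcpt.rsplit("@", 1)[1]
    if not list_matches(router["domains"], domain, named):
        return False
    return "senders" not in router or list_matches(router["senders"], sender, named)

# Constructed inputs mirroring the three variants on this page.
NAMED = {"local_domains": ["domain3.com"]}
EXCLUDE = {"domains": "!+local_domains", "senders": ": !alice@domain1.com : !*@domain2.com"}
DEST_ONLY = {"domains": "domain1.com : domain2.com : !*"}
INCLUDE = {"domains": "!+local_domains", "senders": "*@domain1.com : bob@domain2.com"}
```

In this model the leading empty item in the exclude variant lets bounces (empty sender) through the relay, while the include variant has no such item and so does not match them.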