Recommended cPanel config for cpanel V108 with SRS rewriting
For all cPanel systems we recommend the following config:
- Ensure your server hostname resolves and has a reverse DNS record
- Use WHM -> Email deliverability to ensure your hostname has both an SPF and DKIM key set up. cPanel will also confirm proper RDNS.
In WHM -> Home -> Service Configuration -> Exim Configuration Manager:
- Use the reverse DNS entry for the mail HELO/EHLO if available – Set to OFF
- SPF include hosts for all domains on this system – Set to relay.mailbaby.net
- Enable Sender Rewriting Scheme (SRS) Support – Set to ON
Optional Config
cPanel includes its own anti-spam features for outbound mail. We recommend setting:
- Scan messages for malware from authenticated senders (exiscan)
- Scan outgoing messages for malware
- Scan outgoing messages for spam and reject based on defined Apache SpamAssassin™ score
- Do not forward mail to external recipients based on the defined Apache SpamAssassin™ score (Minimum: 0.1; Maximum: 99.9)
We also recommend limiting emails per hour in WHM -> Tweak Settings.
Having these settings will prevent easily detectable spam from leaving your systems and help reduce the number of emails sent.
Option 1: Manual editing through Web Host Manager
In Web Host Manager go to Home » Service Configuration » Exim Configuration Manager
Click Advanced Editor
Find Section: AUTH and add

    mailbaby_login:
      driver = plaintext
      public_name = LOGIN
      client_send = : YOURUSERNAME : YOURPASSWORD

Replace YOURUSERNAME with your mailbaby username
Replace YOURPASSWORD with your mailbaby password
For cpanel v108 + srs
Find Section: POSTMAILCOUNT

    remoteserver_route:
      driver = manualroute
    .ifdef SRSENABLED
      # if outbound, and forwarding has been done, use an alternate transport
      transport = ${if eq {$local_part@$domain} \
                          {$original_local_part@$original_domain} \
                          {mailbaby_smtp} {mailbaby_forward_smtp}}
    .else
      transport = mailbaby_smtp
    .endif
      domains = !+local_domains
      ignore_target_hosts = 127.0.0.0/8
      route_list = * relay.mailbaby.net::25 randomize byname
      host_find_failed = defer
      no_more

For cpanel v106 and UNDER

    remoteserver_route:
      driver = manualroute
      transport = mailbaby_smtp
      domains = !+local_domains
      ignore_target_hosts = 127.0.0.0/8
      route_list = * relay.mailbaby.net::25 randomize byname
      host_find_failed = defer
      no_more

Note: please choose either the cPanel v108+ block or the cPanel v106 and under block, and NOT both. Only one is needed based on your version.
For cpanel v108+ and srs
Find Section: TRANSPORTSTART
IMPORTANT: ensure X-AuthUser is kept. Failure to do so will result in stricter email filtering

    mailbaby_smtp:
      driver = smtp
      hosts_require_auth = *
      tls_tempfail_tryclear = true
      headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*}\
        {$authenticated_id} {${if match {$authenticated_id}{.+}\
        {$authenticated_id@$primary_hostname}{$authenticated_id}}}}
      dkim_domain = ${lookup{$sender_address_domain}lsearch,ret=key{/etc/localdomains}}
      dkim_selector = default
      dkim_canon = relaxed
      dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
      # uncomment this if users get errors message has line too long for transport
      #message_linelength_limit = 65536

    mailbaby_forward_smtp:
      driver = smtp
      hosts_require_auth = *
      tls_tempfail_tryclear = true
      headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*}\
        {$authenticated_id} {${if match {$authenticated_id}{.+}\
        {$authenticated_id@$primary_hostname}{$authenticated_id}}}}
      dkim_domain = ${lookup{$sender_address_domain}lsearch,ret=key{/etc/localdomains}}
      dkim_selector = default
      dkim_canon = relaxed
      dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
      # uncomment this if users get errors message has line too long for transport
      #message_linelength_limit = 65536
    .ifdef SRSENABLED
      return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}
    .endif
      max_rcpt = 1

For cpanel v106 and UNDER use

    mailbaby_smtp:
      driver = smtp
      hosts_require_auth = *
      tls_tempfail_tryclear = true
      headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*} {$authenticated_id} {${if match {$authenticated_id}{.+} {$authenticated_id@$primary_hostname}{$authenticated_id}}}}
      dkim_domain = ${lookup{$sender_address_domain}lsearch,ret=key{/etc/localdomains}}
      dkim_selector = default
      dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
      # uncomment this if users get errors message has line too long for transport
      #message_linelength_limit = 65536

Note: please choose either the cPanel v108+ block or the cPanel v106 and under block, and NOT both. Only one is needed based on your version.
Optional
Find Section: RETRYSTART

    * data_4xx F,4h,1m
    * rcpt_4xx F,4h,1m
    * timeout F,4h,1m
    * refused F,1h,5m
    * lost_connection F,1h,1m
    * * F,6h,5m

Find Section: RETRYBLOCK

    +secondarymx * F,4h,5m; G,16h,1h,1.5; F,4d,8h
    * * F,2h,15m; G,16h,1h,1.5; F,4d,8h
    * auth_failed

Finally save the config.
Greylisting Trusted Hosts
If using greylisting, add the MailBaby IPs to the trusted mail hosts. The IPs to add are:
162.220.160.0/28 68.168.211.160/28 66.45.233.16/29 209.159.153.232/29 208.73.205.248/29 67.217.63.248/29 199.231.189.152/29 64.20.38.24/29 174.138.190.32/29 64.20.36.192/29 199.231.189.96/29 206.72.200.40/29 66.45.229.224/28 174.138.180.168/29 174.138.180.160/29 174.138.180.152/29
VIA CLI/terminal/ssh

    whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='162.220.160.0/28' comment='MailBaby'
    whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='68.168.211.160/28' comment='MailBaby'
    whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='66.45.233.16/29' comment='MailBaby'
    whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='209.159.153.232/29' comment='MailBaby'
    whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='208.73.205.248/29' comment='MailBaby'
    whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='67.217.63.248/29' comment='MailBaby'
    whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='199.231.189.152/29' comment='MailBaby'
    whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='64.20.38.24/29' comment='MailBaby'
    whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='174.138.190.32/29' comment='MailBaby'
    whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='64.20.36.192/29' comment='MailBaby'
    whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='199.231.189.96/29' comment='MailBaby'
    whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='206.72.200.40/29' comment='MailBaby'
    whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='66.45.229.224/28' comment='MailBaby'
    whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='174.138.180.168/29' comment='MailBaby'
    whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='174.138.180.160/29' comment='MailBaby'
    whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='174.138.180.152/29' comment='MailBaby'

Option 2: Create /etc/exim.conf.local
Edit /etc/exim.conf.local – if it exists already you will want to merge the config

    %RETRYBLOCK%
    +secondarymx * F,4h,5m; G,16h,1h,1.5; F,4d,8h
    * * F,2h,15m; G,16h,1h,1.5; F,4d,8h
    * auth_failed

    @AUTH@
    # replace $YOURUSERNAME and $YOURPASSWORD (including the $) with your mailbaby username and password
    mailbaby_login:
      driver = plaintext
      public_name = LOGIN
      client_send = : $YOURUSERNAME : $YOURPASSWORD

    @BEGINACL@

    @CONFIG@
    chunking_advertise_hosts = ""
    local_from_check = true
    # mailbaby max size limit is 100MB while the cpanel default may be less
    #message_size_limit = 100M
    ignore_bounce_errors_after = 1h
    timeout_frozen_after = 12h

    @DIRECTOREND@

    @DIRECTORMIDDLE@

    @DIRECTORSTART@

    @ENDACL@

    @POSTMAILCOUNT@
    remoteserver_route:
      driver = manualroute
    .ifdef SRSENABLED
      # if outbound, and forwarding has been done, use an alternate transport
      transport = ${if eq {$local_part@$domain} \
                          {$original_local_part@$original_domain} \
                          {mailbaby_smtp} {mailbaby_forward_smtp}}
    .else
      transport = mailbaby_smtp
    .endif
      domains = !+local_domains
      ignore_target_hosts = 127.0.0.0/8
      route_list = * relay.mailbaby.net::25 randomize byname
      host_find_failed = defer
      no_more

    @PREDOTFORWARD@

    @PREFILTER@

    @PRELOCALUSER@

    @PRENOALIASDISCARD@

    @PREROUTERS@

    @PREVALIASNOSTAR@

    @PREVALIASSTAR@

    @PREVIRTUALUSER@

    @RETRYEND@

    @RETRYSTART@
    * data_4xx F,4h,1m
    * rcpt_4xx F,4h,1m
    * timeout F,4h,1m
    * refused F,1h,5m
    * lost_connection F,1h,1m
    * * F,6h,5m

    @REWRITE@

    @ROUTEREND@

    @ROUTERMIDDLE@

    @ROUTERSTART@

    @TRANSPORTEND@

    @TRANSPORTMIDDLE@

    @TRANSPORTSTART@
    mailbaby_smtp:
      driver = smtp
      hosts_require_auth = *
      tls_tempfail_tryclear = true
      headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*}\
        {$authenticated_id} {${if match {$authenticated_id}{.+}\
        {$authenticated_id@$primary_hostname}{$authenticated_id}}}}
      dkim_domain = ${lookup{$sender_address_domain}lsearch,ret=key{/etc/localdomains}}
      dkim_selector = default
      dkim_canon = relaxed
      dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
      # uncomment this if users get errors message has line too long for transport
      #message_linelength_limit = 65536

    mailbaby_forward_smtp:
      driver = smtp
      hosts_require_auth = *
      tls_tempfail_tryclear = true
      headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*}\
        {$authenticated_id} {${if match {$authenticated_id}{.+}\
        {$authenticated_id@$primary_hostname}{$authenticated_id}}}}
      dkim_domain = ${lookup{$sender_address_domain}lsearch,ret=key{/etc/localdomains}}
      dkim_selector = default
      dkim_canon = relaxed
      dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
      # uncomment this if users get errors message has line too long for transport
      #message_linelength_limit = 65536
    .ifdef SRSENABLED
      return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}
    .endif

When done run
/scripts/buildeximconf
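
A pre-build check for /etc/exim.conf.local, as an added example that is not part of MailBaby's or cPanel's tooling: it parses the @SECTION@ layout shown above and flags the mistakes this page warns about (placeholder credentials left in, a missing X-AuthUser header, a router block pasted twice, a router that points at an undefined forward transport). The function names and the sample text are constructed for illustration.

```python
import re

SECTION = re.compile(r"^[@%]([A-Z]+)[@%]$")  # @AUTH@ / %RETRYBLOCK% marker lines
BLOCK = re.compile(r"^(\w+):$")               # "mailbaby_smtp:" opens a named block
FWD = "mailbaby_forward_smtp"

def parse_blocks(text):
    """Return [(section, block_name, [option lines])] for every named block."""
    blocks, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := SECTION.match(line):
            section = m.group(1)
        elif m := BLOCK.match(line):
            blocks.append((section, m.group(1), []))
        elif blocks and blocks[-1][0] == section:
            blocks[-1][2].append(line)
    return blocks

def lint(text):
    """Return findings; an empty list means every check passed."""
    blocks = parse_blocks(text)
    names = [name for _, name, _ in blocks]
    findings = []
    for required in ("mailbaby_login", "remoteserver_route", "mailbaby_smtp"):
        if names.count(required) != 1:  # e.g. both version variants were pasted
            findings.append(f"{required}: {names.count(required)} definitions, expected 1")
    for _, name, lines in blocks:
        body = " ".join(lines)
        if name == "mailbaby_login" and re.search(r"YOURUSERNAME|YOURPASSWORD", body):
            findings.append("mailbaby_login: placeholder credentials not replaced")
        if name in ("mailbaby_smtp", FWD) and "X-AuthUser:" not in body:
            findings.append(f"{name}: X-AuthUser header missing")
        if name == "remoteserver_route" and FWD in body and FWD not in names:
            findings.append(f"remoteserver_route: {FWD} is not defined")
    return findings

# Constructed sample: a shortened file with three deliberate mistakes.
SAMPLE = """\
@AUTH@
mailbaby_login:
  client_send = : YOURUSERNAME : YOURPASSWORD
@POSTMAILCOUNT@
remoteserver_route:
  transport = ${if eq {$local_part@$domain} {$original_local_part@$original_domain} {mailbaby_smtp} {mailbaby_forward_smtp}}
@TRANSPORTSTART@
mailbaby_smtp:
"""
```

Calling `lint(open("/etc/exim.conf.local").read())` before the build returns an empty list when none of these mistakes are present.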
Advanced Config in cPanel
The configs below were tested on cPanel v11.106 and Exim 4.95 and below. Newer versions of Exim may require changes for advanced configs. The examples below can be used to build advanced Exim configs that relay only certain types of email. They should be applied by a qualified system administrator with an understanding of Exim, as they may require trial and error. As a smart host, MailBaby accepts the email your server sends with a valid login and password, scans the mail, and determines whether the email should be relayed. An advanced config to prevent certain emails from being relayed is done at the Exim level.
Most advanced config occurs in POSTMAILCOUNT. Important: use POSTMAILCOUNT in order to be able to limit emails per hour within cPanel.
Exclude a domain from MailBaby in exim
Add a senders line to the remoteserver_route router, like:

    senders = : [email protected] : !*@domain2.com

* is a wildcard match, so *@domain1.com covers [email protected] and [email protected] covers just that sender. Note the ! that is needed.

    remoteserver_route:
      driver = manualroute
    .ifdef SRSENABLED
      # if outbound, and forwarding has been done, use an alternate transport
      transport = ${if eq {$local_part@$domain} \
                          {$original_local_part@$original_domain} \
                          {mailbaby_smtp} {mailbaby_forward_smtp}}
    .else
      transport = mailbaby_smtp
    .endif
      domains = !+local_domains
      # add senders exclude
      senders = : [email protected] : !*@domain1.com
      ignore_target_hosts = 127.0.0.0/8
      route_list = * relay.mailbaby.net::25 randomize byname
      host_find_failed = defer
      no_more

Only use MailBaby when sending to specific domains
To do this, edit the domains line. Remove the +local_domains entry, which indicates MailBaby is excluded for all local domains, and change the line to:

    domains = domain1.com : domain2.com : !*

This forces email addressed to domain1.com and domain2.com through MailBaby and excludes all other destinations.

    remoteserver_route:
      driver = manualroute
      transport = mailbaby_smtp
      domains = domain1.com : domain2.com : !*
      ignore_target_hosts = 127.0.0.0/8
      route_list = * relay.mailbaby.net::25 randomize byname
      host_find_failed = defer
      no_more

Only use MailBaby when sending from a specific domain
For this, add a senders line and leave out the ! negation so that only the specific domains match. * is a wildcard.

    senders = *@domain1.com : [email protected]

    remoteserver_route:
      driver = manualroute
    .ifdef SRSENABLED
      # if outbound, and forwarding has been done, use an alternate transport
      transport = ${if eq {$local_part@$domain} \
                          {$original_local_part@$original_domain} \
                          {mailbaby_smtp} {mailbaby_forward_smtp}}
    .else
      transport = mailbaby_smtp
    .endif
      domains = domain1.com : domain2.com : !*
      ignore_target_hosts = 127.0.0.0/8
      route_list = * relay.mailbaby.net::25 randomize byname
      host_find_failed = defer
      no_more
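
The three variations above depend on how Exim evaluates the domains and senders lists, so this added example (not MailBaby's or Exim's code) models that decision for testing a planned list before editing the router. It covers only the list forms used on this page (exact items, a leading * wildcard, ! negation, the empty item, and +local_domains). The addresses, hosted.example, and the ONLY_FROM combination of the default domains line with a positive senders line are assumptions made for the demonstration.

```python
def item_matches(pattern, value, named):
    """One list item: '+name' is a named list, a leading '*' is a wildcard, else exact."""
    if pattern.startswith("+"):
        return value in named.get(pattern[1:], ())
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value

def list_matches(exim_list, value, named):
    """The first matching item decides and '!' negates it. If no item matches, the
    result is a match only when the last item was negated."""
    items = [item.strip() for item in exim_list.split(":")]
    if len(items) > 1 and items[-1] == "":
        items.pop()  # a trailing empty item is ignored
    negated = False
    for item in items:
        negated = item.startswith("!")
        pattern = item[1:].strip() if negated else item
        if item_matches(pattern.lower(), value.lower(), named):
            return not negated
    return negated

def uses_mailbaby(sender, recipient, domains, senders=None, named=None):
    """True when the router's preconditions pass: the recipient domain matches
    'domains' and, if a senders line is set, the envelope sender matches it."""
    named = named or {}
    if not list_matches(domains, recipient.rsplit("@", 1)[-1], named):
        return False
    return senders is None or list_matches(senders, sender, named)

# Constructed values: hosted.example stands in for the server's +local_domains
# list, and the sender/recipient addresses are made up for the demonstration.
NAMED = {"local_domains": {"hosted.example"}}
EXCLUDE = dict(domains="!+local_domains", senders=": !*@domain1.com", named=NAMED)
ONLY_TO = dict(domains="domain1.com : domain2.com : !*")
ONLY_FROM = dict(domains="!+local_domains", senders="*@domain1.com", named=NAMED)

if __name__ == "__main__":
    for label, cfg in (("exclude", EXCLUDE), ("only_to", ONLY_TO), ("only_from", ONLY_FROM)):
        for sender in ("news@domain1.com", "info@other.example", ""):
            print(label, repr(sender), uses_mailbaby(sender, "bob@domain2.com", **cfg))
```

With the positive senders list, bounce messages (empty envelope sender) no longer match the router, while the exclude form keeps them because of its leading empty item.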