cPanel

Recommended cPanel config

For all cPanel systems we recommend the following config:

  • Ensure your server hostname resolves and has a reverse dns record
  • Use WHM -> Email deliverability to ensure your hostname has both an SPF and DKIM key set up. cPanel will also confirm proper RDNS.

In WHM -> Home -> Service Configuration -> Exim Configuration Manager

  • Use the reverse DNS entry for the mail HELO/EHLO if available – Set to OFF
  • SPF include hosts for all domains on this system – Set to relay.mailbaby.net
  • Enable Sender Rewriting Scheme (SRS) Support – Set to ON

Optional Config

cPanel includes its own anti spam features for outbound. We recommend setting:

  • Scan messages for malware from authenticated senders (exiscan)
  • Scan outgoing messages for malware
  • Scan outgoing messages for spam and reject based on defined Apache SpamAssassin™ score
  • Do not forward mail to external recipients based on the defined Apache SpamAssassin™ score (Minimum: 0.1; Maximum: 99.9)

And limiting emails per hour in WHM -> tweak settings.

Having these settings will prevent easily detectable spam from leaving your systems and help reduce the amount of emails sent.

Option 1: Manual editing through Web Host Manager

In Web Host Manager go to Home »Service Configuration »Exim Configuration Manager

Click Advanced Editor

Find Section: AUTH and add

mailbaby_login: 
driver = plaintext 
public_name = LOGIN 
client_send = : YOURUSERNAME : YOURPASSWORD


Replace YOURUSERNAME with your mailbaby username
Replace YOURPASSWORD with your mailbaby password

Find Section: POSTMAILCOUNT

remoteserver_route:
driver = manualroute
transport = mailbaby_smtp
domains = !+local_domains
ignore_target_hosts = 127.0.0.0/8
route_list = * relay.mailbaby.net::25 randomize byname
host_find_failed = defer
no_more

Find Section: TRANSPORTSTART
IMPORTANT: ensure X-AuthUser is kept. Failure to do so will result in stricter email filtering

mailbaby_smtp:
driver = smtp
hosts_require_auth = *
tls_tempfail_tryclear = true
headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*} {$authenticated_id} {${if match {$authenticated_id}{.+} {[email protected]$primary_hostname}{$authenticated_id}}}}
dkim_domain = ${lookup{$sender_address_domain}lsearch,ret=key{/etc/localdomains}}
dkim_selector = default
dkim_canon = relaxed
dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
# uncomment this if users get errors message has line too long for transport
#message_linelength_limit = 65536

Optional
Find Section: RETRYSTART

* data_4xx F,4h,1m
* rcpt_4xx F,4h,1m
* timeout F,4h,1m
* refused F,1h,5m
* lost_connection F,1h,1m
* * F,6h,5m

Find Section: RETRYBLOCK

+secondarymx * F,4h,5m; G,16h,1h,1.5; F,4d,8h
* * F,2h,15m; G,16h,1h,1.5; F,4d,8h
* auth_failed

 

Option 2: Create /etc/exim.conf.local

Edit /etc/exim.conf.local – if it exists already you will want to merge the config

%RETRYBLOCK%
+secondarymx * F,4h,5m; G,16h,1h,1.5; F,4d,8h
* * F,2h,15m; G,16h,1h,1.5; F,4d,8h
* auth_failed
@[email protected]
mailbaby_login:
driver = plaintext
public_name = LOGIN
client_send = : $YOURUSERNAME : $YOURPASSWORD

@[email protected]

@[email protected]

chunking_advertise_hosts = ""
local_from_check = true
# mailbaby max size limit is 100MB while the cpanel default may be less#message_size_limit = 100M
ignore_bounce_errors_after = 1h
timeout_frozen_after = 12h

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

remoteserver_route:
driver = manualroute
transport = mailbaby_smtp
domains = !+local_domains
#uncomment to exclude specific emails or domains
#senders = :  [email protected]  :  !*@domain1.com
ignore_target_hosts = 127.0.0.0/8
route_list = * relay.mailbaby.net::25 randomize byname
host_find_failed = defer
no_more
@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]
* data_4xx F,4h,1m
* rcpt_4xx F,4h,1m
* timeout F,4h,1m
* refused F,1h,5m
* lost_connection F,1h,1m
* * F,6h,5m

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]

@[email protected]
mailbaby_smtp:
driver = smtp
hosts_require_auth = *
tls_tempfail_tryclear = true
headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*} {$authenticated_id} {${if match {$authenticated_id}{.+} {[email protected]$primary_hostname}{$authenticated_id}}}}
dkim_domain = ${lookup{$sender_address_domain}lsearch,ret=key{/etc/localdomains}}
dkim_selector = default
dkim_canon = relaxed
dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"

 

When done run

/scripts/buildeximconf

 

Advanced Config in cPanel

Most advanced config occurs in POSTMAILCOUNT. Important – use postmailcount in order to be able to limit emails per hour with in cpanel.

 

  • Exclude a domain from MailBaby in exim

    Add to remoteserver route a senders section like

senders = : [email protected] : !*@domain2.com

* is a wild card match so *@domain1.com covers [email protected] and [email protected] covers just that sender. Note the ! needed.

remoteserver_route:
driver = manualroute
transport = mailbaby_smtp
domains = !+local_domains
# add senders exclude
senders = : [email protected]  :  !*@domain1.com

ignore_target_hosts = 127.0.0.0/8
route_list = * relay.mailbaby.net::25 randomize byname
host_find_failed = defer
no_more

 

  • Only use MailBaby when sending to specific domains

    To do this edit the domains line. Remove the +local_domains which indicates mailbaby is excluded for all local domains. Instead change to

domains = domain1.com : domain2.com : !*

This would force email to the destination domain1.com and domain2.com through MailBaby excluding the others

remoteserver_route:
driver = manualroute
transport = mailbaby_smtp
domains = domain1.com : domain2.com : !* 
ignore_target_hosts = 127.0.0.0/8
route_list = * relay.mailbaby.net::25 randomize byname
host_find_failed = defer
no_more

  • Only use MailBaby when sending from a specific domain

For this add a senders line and instead of ! to negate, remove that to only match the specific domains. * is a wildcard

senders = *@domain1.com : [email protected]

remoteserver_route:
driver = manualroute
transport = mailbaby_smtp
domains = !+local_domains
# add senders to include excluding all others
senders = *@domain1.com : [email protected]

ignore_target_hosts = 127.0.0.0/8
route_list = * relay.mailbaby.net::25 randomize byname
host_find_failed = defer
no_more

 

 

 

 

 

 

Leave a Reply

Your email address will not be published.