
Recommended cPanel config for cPanel v108 with SRS rewriting
For all cPanel systems we recommend the following config:
- Ensure your server hostname resolves and has a reverse DNS record
- Use WHM -> Email Deliverability to ensure your hostname has both an SPF record and a DKIM key set up. cPanel will also confirm proper rDNS.
In WHM -> Home -> Service Configuration -> Exim Configuration Manager:
- Use the reverse DNS entry for the mail HELO/EHLO if available – Set to OFF
- SPF include hosts for all domains on this system – Set to relay.mailbaby.net
- Enable Sender Rewriting Scheme (SRS) Support – Set to ON
Optional Config
cPanel includes its own anti-spam features for outbound mail. We recommend setting:
- Scan messages for malware from authenticated senders (exiscan)
- Scan outgoing messages for malware
- Scan outgoing messages for spam and reject based on defined Apache SpamAssassin™ score
- Do not forward mail to external recipients based on the defined Apache SpamAssassin™ score (Minimum: 0.1; Maximum: 99.9)
We also recommend limiting emails per hour in WHM -> Tweak Settings.
Having these settings will prevent easily detectable spam from leaving your systems and help reduce the amount of emails sent.
Option 1: Manual editing through Web Host Manager
In Web Host Manager go to Home » Service Configuration » Exim Configuration Manager
Click Advanced Editor
Find Section: AUTH and add

mailbaby_login:
  driver = plaintext
  public_name = LOGIN
  client_send = : YOURUSERNAME : YOURPASSWORD

Replace YOURUSERNAME with your MailBaby username.
Replace YOURPASSWORD with your MailBaby password.
For cPanel v108+ with SRS
Find Section: POSTMAILCOUNT

remoteserver_route:
  driver = manualroute
.ifdef SRSENABLED
  # if outbound, and forwarding has been done, use an alternate transport
  transport = ${if eq {$local_part@$domain} \
                      {$original_local_part@$original_domain} \
                      {mailbaby_smtp} {mailbaby_forward_smtp}}
.else
  transport = mailbaby_smtp
.endif
  domains = !+local_domains
  ignore_target_hosts = 127.0.0.0/8
  route_list = * relay.mailbaby.net::25 randomize byname
  host_find_failed = defer
  no_more
For cPanel v106 and UNDER

remoteserver_route:
  driver = manualroute
  transport = mailbaby_smtp
  domains = !+local_domains
  ignore_target_hosts = 127.0.0.0/8
  route_list = * relay.mailbaby.net::25 randomize byname
  host_find_failed = defer
  no_more

Note: use either the cPanel v108+ block or the cPanel v106 and under block, and NOT both. Only one is needed, based on your version.
For cPanel v108+ with SRS
Find Section: TRANSPORTSTART
IMPORTANT: ensure X-AuthUser is kept. Failure to do so will result in stricter email filtering.

mailbaby_smtp:
  driver = smtp
  hosts_require_auth = *
  tls_tempfail_tryclear = true
  headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*}\
    {$authenticated_id} {${if match {$authenticated_id}{.+}\
    {$authenticated_id@$primary_hostname}{$authenticated_id}}}}
  dkim_domain = ${lookup{$sender_address_domain}lsearch,ret=key{/etc/localdomains}}
  dkim_selector = default
  dkim_canon = relaxed
  dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
  # uncomment this if users get errors message has line too long for transport
  #message_linelength_limit = 65536

mailbaby_forward_smtp:
  driver = smtp
  hosts_require_auth = *
  tls_tempfail_tryclear = true
  headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*}\
    {$authenticated_id} {${if match {$authenticated_id}{.+}\
    {$authenticated_id@$primary_hostname}{$authenticated_id}}}}
  dkim_domain = ${lookup{$sender_address_domain}lsearch,ret=key{/etc/localdomains}}
  dkim_selector = default
  dkim_canon = relaxed
  dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
  # uncomment this if users get errors message has line too long for transport
  #message_linelength_limit = 65536
.ifdef SRSENABLED
  return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}
.endif
  max_rcpt = 1
For cPanel v106 and UNDER use

mailbaby_smtp:
  driver = smtp
  hosts_require_auth = *
  tls_tempfail_tryclear = true
  headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*} {$authenticated_id} {${if match {$authenticated_id}{.+} {$authenticated_id@$primary_hostname}{$authenticated_id}}}}
  dkim_domain = ${lookup{$sender_address_domain}lsearch,ret=key{/etc/localdomains}}
  dkim_selector = default
  dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
  # uncomment this if users get errors message has line too long for transport
  #message_linelength_limit = 65536

Note: use either the cPanel v108+ block or the cPanel v106 and under block, and NOT both. Only one is needed, based on your version.
Optional
Find Section: RETRYSTART

* data_4xx F,4h,1m
* rcpt_4xx F,4h,1m
* timeout F,4h,1m
* refused F,1h,5m
* lost_connection F,1h,1m
* * F,6h,5m

Find Section: RETRYBLOCK

+secondarymx * F,4h,5m; G,16h,1h,1.5; F,4d,8h
* * F,2h,15m; G,16h,1h,1.5; F,4d,8h
* auth_failed

Finally save the config.
Greylisting Trusted Hosts
If you use greylisting, add the MailBaby IP ranges below to the trusted mail hosts.
Via CLI/terminal/SSH

whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='162.220.160.0/28' comment='MailBaby'
whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='68.168.211.160/28' comment='MailBaby'
whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='66.45.233.16/29' comment='MailBaby'
whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='209.159.153.232/29' comment='MailBaby'
whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='208.73.205.248/29' comment='MailBaby'
whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='67.217.63.248/29' comment='MailBaby'
whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='199.231.189.152/29' comment='MailBaby'
whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='64.20.38.24/29' comment='MailBaby'
whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='174.138.190.32/29' comment='MailBaby'
whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='64.20.36.192/29' comment='MailBaby'
whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='199.231.189.96/29' comment='MailBaby'
whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='206.72.200.40/29' comment='MailBaby'
whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='66.45.229.224/28' comment='MailBaby'
whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='174.138.180.168/29' comment='MailBaby'
whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='174.138.180.160/29' comment='MailBaby'
whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='174.138.180.152/29' comment='MailBaby'

Option 2: Create /etc/exim.conf.local
Edit /etc/exim.conf.local – if it exists already you will want to merge the config

%RETRYBLOCK%
+secondarymx * F,4h,5m; G,16h,1h,1.5; F,4d,8h
* * F,2h,15m; G,16h,1h,1.5; F,4d,8h
* auth_failed

@AUTH@

mailbaby_login:
  driver = plaintext
  public_name = LOGIN
  client_send = : $YOURUSERNAME : $YOURPASSWORD

@BEGINACL@

@CONFIG@

chunking_advertise_hosts = ""
local_from_check = true
# mailbaby max size limit is 100MB while the cpanel default may be less
#message_size_limit = 100M
ignore_bounce_errors_after = 1h
timeout_frozen_after = 12h

@DIRECTOREND@

@DIRECTORMIDDLE@

@DIRECTORSTART@

@ENDACL@

@POSTMAILCOUNT@

remoteserver_route:
  driver = manualroute
.ifdef SRSENABLED
  # if outbound, and forwarding has been done, use an alternate transport
  transport = ${if eq {$local_part@$domain} \
                      {$original_local_part@$original_domain} \
                      {mailbaby_smtp} {mailbaby_forward_smtp}}
.else
  transport = mailbaby_smtp
.endif
  domains = !+local_domains
  ignore_target_hosts = 127.0.0.0/8
  route_list = * relay.mailbaby.net::25 randomize byname
  host_find_failed = defer
  no_more

@PREDOTFORWARD@

@PREFILTER@

@PRELOCALUSER@

@PRENOALIASDISCARD@

@PREROUTERS@

@PREVALIASNOSTAR@

@PREVALIASSTAR@

@PREVIRTUALUSER@

@RETRYEND@

@RETRYSTART@

* data_4xx F,4h,1m
* rcpt_4xx F,4h,1m
* timeout F,4h,1m
* refused F,1h,5m
* lost_connection F,1h,1m
* * F,6h,5m

@REWRITE@

@ROUTEREND@

@ROUTERMIDDLE@

@ROUTERSTART@

@TRANSPORTEND@

@TRANSPORTMIDDLE@

@TRANSPORTSTART@

mailbaby_smtp:
  driver = smtp
  hosts_require_auth = *
  tls_tempfail_tryclear = true
  headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*}\
    {$authenticated_id} {${if match {$authenticated_id}{.+}\
    {$authenticated_id@$primary_hostname}{$authenticated_id}}}}
  dkim_domain = ${lookup{$sender_address_domain}lsearch,ret=key{/etc/localdomains}}
  dkim_selector = default
  dkim_canon = relaxed
  dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
  # uncomment this if users get errors message has line too long for transport
  #message_linelength_limit = 65536

mailbaby_forward_smtp:
  driver = smtp
  hosts_require_auth = *
  tls_tempfail_tryclear = true
  headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*}\
    {$authenticated_id} {${if match {$authenticated_id}{.+}\
    {$authenticated_id@$primary_hostname}{$authenticated_id}}}}
  dkim_domain = ${lookup{$sender_address_domain}lsearch,ret=key{/etc/localdomains}}
  dkim_selector = default
  dkim_canon = relaxed
  dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
  # uncomment this if users get errors message has line too long for transport
  #message_linelength_limit = 65536
.ifdef SRSENABLED
  return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}
.endif
  # same as the Option 1 transport: one recipient per delivery for SRS rewriting
  max_rcpt = 1

When done run
/scripts/buildeximconf
Advanced Config in cPanel
Most advanced config occurs in POSTMAILCOUNT. Important: use POSTMAILCOUNT in order to be able to limit emails per hour within cPanel.
Exclude a domain from MailBaby in exim
Add a senders line to remoteserver_route, like:

senders = : [email protected] : !*@domain2.com

* is a wildcard match, so *@domain1.com covers [email protected] and [email protected] covers just that sender. Note the ! that is needed.

remoteserver_route:
  driver = manualroute
.ifdef SRSENABLED
  # if outbound, and forwarding has been done, use an alternate transport
  transport = ${if eq {$local_part@$domain} \
                      {$original_local_part@$original_domain} \
                      {mailbaby_smtp} {mailbaby_forward_smtp}}
.else
  transport = mailbaby_smtp
.endif
  domains = !+local_domains
  # add senders exclude
  senders = : [email protected] : !*@domain1.com
  ignore_target_hosts = 127.0.0.0/8
  route_list = * relay.mailbaby.net::25 randomize byname
  host_find_failed = defer
  no_more

Only use MailBaby when sending to specific domains
To do this, edit the domains line. Remove the +local_domains entry, which indicates MailBaby is excluded for all local domains, and change the line to:

domains = domain1.com : domain2.com : !*

This forces email sent to the destinations domain1.com and domain2.com through MailBaby and excludes the others.

remoteserver_route:
  driver = manualroute
  transport = mailbaby_smtp
  domains = domain1.com : domain2.com : !*
  ignore_target_hosts = 127.0.0.0/8
  route_list = * relay.mailbaby.net::25 randomize byname
  host_find_failed = defer
  no_more

Only use MailBaby when sending from a specific domain
For this, add a senders line and, instead of using ! to negate, remove it so that only the specific domains match. * is a wildcard.

senders = *@domain1.com : [email protected]

remoteserver_route:
  driver = manualroute
.ifdef SRSENABLED
  # if outbound, and forwarding has been done, use an alternate transport
  transport = ${if eq {$local_part@$domain} \
                      {$original_local_part@$original_domain} \
                      {mailbaby_smtp} {mailbaby_forward_smtp}}
.else
  transport = mailbaby_smtp
.endif
  domains = domain1.com : domain2.com : !*
  ignore_target_hosts = 127.0.0.0/8
  route_list = * relay.mailbaby.net::25 randomize byname
  host_find_failed = defer
  no_more
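
A simplified model of how Exim evaluates the domains and senders lists used in the three variations above, as an added example (not MailBaby's or Exim's own code). It covers only literal items, a leading * and ! negation; named lists such as +local_domains, regexes and lookups are not modelled, and the sample addresses and the router_runs helper are constructed for illustration.

```python
# Added example: simplified model of Exim list matching, not Exim's own code.
# Supports literal items, a leading "*" wildcard and "!" negation only.

def _item_matches(pattern: str, value: str) -> bool:
    pattern, value = pattern.lower(), value.lower()
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])  # a bare "*" matches anything
    return pattern == value                  # "" matches only the empty sender

def exim_list_match(list_text: str, value: str) -> bool:
    """True if value matches the colon-separated list, scanned left to right."""
    items = [item.strip() for item in list_text.split(":")]
    if len(items) > 1 and items[-1] == "":
        items.pop()                          # a trailing empty item is ignored
    negated = False
    for item in items:
        negated = item.startswith("!")
        pattern = item[1:].strip() if negated else item
        if _item_matches(pattern, value):
            return not negated               # the first matching item decides
    return negated  # no item matched: match only if the last item was negated

def router_runs(sender: str, rcpt_domain: str, domains: str, senders=None) -> bool:
    """Model the route's preconditions: every list that is set must match."""
    if not exim_list_match(domains, rcpt_domain):
        return False
    return senders is None or exim_list_match(senders, sender)

# Lists in the style of the page; the addresses are constructed samples.
ONLY_TO = "domain1.com : domain2.com : !*"
EXCLUDE_FROM = ": !user@domain1.com : !*@domain2.com"
ONLY_FROM = "*@domain1.com : user@domain2.com"

if __name__ == "__main__":
    for sender in ("", "user@domain1.com", "other@domain1.com", "x@domain2.com"):
        print(f"{sender!r:22} exclude-list: {exim_list_match(EXCLUDE_FROM, sender)!s:6}"
              f" only-from: {exim_list_match(ONLY_FROM, sender)}")
    print("to example.org via ONLY_TO:", exim_list_match(ONLY_TO, "example.org"))
```

Under this model the exclude list starts with an empty item, so bounce messages (empty sender) still take the MailBaby route, while the "only from" list has no empty item and bounces skip it. The trailing !* in the domains list does not change the result, because a list whose last item is positive already fails to match anything not listed.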