Recommended cPanel config for cpanel V108 with SRS rewriting

For all cPanel systems we recommend the following config:

• Ensure your server hostname resolves and has a reverse dns record
• Use WHM -> Email deliverability to ensure your hostname has both an SPF and DKIM key set up. cPanel will also confirm proper RDNS.

In WHM -> Home -> Service Configuration -> Exim Configuration Manager

• Use the reverse DNS entry for the mail HELO/EHLO if available – Set to OFF
• SPF include hosts for all domains on this system – Set to spf-c.mailbaby.net
• Enable Sender Rewriting Scheme (SRS) Support – Set to ON

Optional Config

cPanel includes its own anti spam features for outbound. We recommend setting:

• Scan messages for malware from authenticated senders (exiscan)
• Scan outgoing messages for malware
• Scan outgoing messages for spam and reject based on defined Apache SpamAssassin™ score
• Do not forward mail to external recipients based on the defined Apache SpamAssassin™ score (Minimum: 0.1; Maximum: 99.9)

And limiting emails per hour in WHM -> tweak settings.

Having these settings will prevent easily detectable spam from leaving your systems and help reduce the amount of emails sent.

Option 1: Manual editing through Web Host Manager

In Web Host Manager go to Home »Service Configuration »Exim Configuration Manager

Click Advanced Editor

Find Section: AUTH and add

mailbaby_login: 
driver = plaintext 
public_name = LOGIN 
client_send = : YOURUSERNAME : YOURPASSWORD


Replace YOURUSERNAME with your mailbaby username
Replace YOURPASSWORD with your mailbaby password

For cpanel v108 + srs
Find Section: POSTMAILCOUNT

remoteserver_route: 
driver = manualroute
.ifdef SRSENABLED
# if outbound, and forwarding has been done, use an alternate transport
transport = ${if eq {$local_part@$domain} \
{$original_local_part@$original_domain} \
{mailbaby_smtp} {mailbaby_forward_smtp}}
.else
transport = mailbaby_smtp
.endif
domains = !+local_domains 
ignore_target_hosts = 127.0.0.0/8 
route_list = * relay.mailbaby.net::25 randomize byname 
host_find_failed = defer 
no_more

For cpanel v106 and UNDER

remoteserver_route:
 driver = manualroute
 transport = mailbaby_smtp
 domains = !+local_domains
 ignore_target_hosts = 127.0.0.0/8
 route_list = * relay.mailbaby.net::25 randomize byname
 host_find_failed = defer
 no_more

Note: please ensure to chose either cpanel v108+ or cpanel v106 and under, and NOT both. Only one is needed based on your version.

For cpanel v108+ and srs
Find Section: TRANSPORTSTART
IMPORTANT: ensure X-AuthUser is kept. Failure to do so will result in stricter email filtering

mailbaby_smtp:
driver = smtp
hosts_require_auth = *
tls_tempfail_tryclear = true
headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*}\
{$authenticated_id} {${if match {$authenticated_id}{.+}\
{$authenticated_id@$primary_hostname}{$authenticated_id}}}}
dkim_domain = ${lookup{$sender_address_domain}lsearch,ret=key{/etc/localdomains}}
dkim_selector = default
dkim_canon = relaxed
dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
# uncomment this if users get errors message has line too long for transport
#message_linelength_limit = 65536

mailbaby_forward_smtp:
driver = smtp
hosts_require_auth = *
tls_tempfail_tryclear = true
headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*}\
{$authenticated_id} {${if match {$authenticated_id}{.+}\
{$authenticated_id@$primary_hostname}{$authenticated_id}}}}
dkim_domain = ${lookup{$sender_address_domain}lsearch,ret=key{/etc/localdomains}}
dkim_selector = default
dkim_canon = relaxed
dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
# uncomment this if users get errors message has line too long for transport
#message_linelength_limit = 65536
.ifdef SRSENABLED
return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}
.endif
max_rcpt = 1

For cpanel v106 and UNDER use

mailbaby_smtp:
 driver = smtp
 hosts_require_auth = *
 tls_tempfail_tryclear = true
 headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*} {$authenticated_id} {${if match {$authenticated_id}{.+} {$authenticated_id@$primary_hostname}{$authenticated_id}}}}
 dkim_domain = ${lookup{$sender_address_domain}lsearch,ret=key{/etc/localdomains}}
 dkim_selector = default
 dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
 # uncomment this if users get errors message has line too long for transport
 #message_linelength_limit = 65536

Note: please ensure to chose either cpanel v108+ or cpanel v106 and under, and NOT both. Only one is needed based on your version.

Optional

Find Section: RETRYSTART

* data_4xx F,4h,1m
* rcpt_4xx F,4h,1m
* timeout F,4h,1m
* refused F,1h,5m
* lost_connection F,1h,1m
* * F,6h,5m

Find Section: RETRYBLOCK

+secondarymx * F,4h,5m; G,16h,1h,1.5; F,4d,8h
* * F,2h,15m; G,16h,1h,1.5; F,4d,8h
* auth_failed

 

Finally save the config.

 

Greylisting Trusted Hosts

If using greylisting add mailbaby ips to trusted mailhosts. The ips to add are

 

162.220.160.0/28
68.168.211.160/28
66.45.233.16/29
209.159.153.232/29
208.73.205.248/29
67.217.63.248/29
199.231.189.152/29
64.20.38.24/29
174.138.190.32/29
64.20.36.192/29
199.231.189.96/29
206.72.200.40/29
66.45.229.224/28
174.138.180.168/29
174.138.180.160/29
174.138.180.152/29
67.217.53.0/24
205.209.127.0/24
68.168.210.0/24
205.209.124.0/24

VIA CLI/terminal/ssh

whmapi1 --output=jsonpretty   create_cpgreylist_trusted_host ip='162.220.160.0/28' comment='MailBaby'
whmapi1 --output=jsonpretty   create_cpgreylist_trusted_host ip='68.168.211.160/28' comment='MailBaby'
whmapi1 --output=jsonpretty   create_cpgreylist_trusted_host ip='66.45.233.16/29' comment='MailBaby'
whmapi1 --output=jsonpretty   create_cpgreylist_trusted_host ip='209.159.153.232/29' comment='MailBaby'
whmapi1 --output=jsonpretty   create_cpgreylist_trusted_host ip='208.73.205.248/29' comment='MailBaby'
whmapi1 --output=jsonpretty   create_cpgreylist_trusted_host ip='67.217.63.248/29' comment='MailBaby'
whmapi1 --output=jsonpretty   create_cpgreylist_trusted_host ip='199.231.189.152/29' comment='MailBaby'
whmapi1 --output=jsonpretty   create_cpgreylist_trusted_host ip='64.20.38.24/29' comment='MailBaby'
whmapi1 --output=jsonpretty   create_cpgreylist_trusted_host ip='174.138.190.32/29' comment='MailBaby'
whmapi1 --output=jsonpretty   create_cpgreylist_trusted_host ip='64.20.36.192/29' comment='MailBaby'
whmapi1 --output=jsonpretty   create_cpgreylist_trusted_host ip='199.231.189.96/29' comment='MailBaby'
whmapi1 --output=jsonpretty   create_cpgreylist_trusted_host ip='206.72.200.40/29' comment='MailBaby'
whmapi1 --output=jsonpretty   create_cpgreylist_trusted_host ip='66.45.229.224/28' comment='MailBaby'
whmapi1 --output=jsonpretty   create_cpgreylist_trusted_host ip='174.138.180.168/29' comment='MailBaby'
whmapi1 --output=jsonpretty   create_cpgreylist_trusted_host ip='174.138.180.160/29' comment='MailBaby'
whmapi1 --output=jsonpretty   create_cpgreylist_trusted_host ip='174.138.180.152/29' comment='MailBaby'
whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='67.217.53.0/24' comment='MailBaby'
whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='205.209.127.0/24' comment='MailBaby'
whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='68.168.210.0/24' comment='MailBaby'
whmapi1 --output=jsonpretty create_cpgreylist_trusted_host ip='205.209.124.0/24' comment='MailBaby'

Option 2: Create /etc/exim.conf.local

Edit /etc/exim.conf.local – if it exists already you will want to merge the config

%RETRYBLOCK%
+secondarymx * F,4h,5m; G,16h,1h,1.5; F,4d,8h
* * F,2h,15m; G,16h,1h,1.5; F,4d,8h
* auth_failed
@AUTH@
mailbaby_login:
driver = plaintext
public_name = LOGIN
client_send = : $YOURUSERNAME : $YOURPASSWORD

@BEGINACL@

@CONFIG@

chunking_advertise_hosts = ""
local_from_check = true
# mailbaby max size limit is 100MB while the cpanel default may be less#message_size_limit = 100M
ignore_bounce_errors_after = 1h
timeout_frozen_after = 12h

@DIRECTOREND@

@DIRECTORMIDDLE@

@DIRECTORSTART@

@ENDACL@

@POSTMAILCOUNT@


remoteserver_route: 
driver = manualroute
.ifdef SRSENABLED
# if outbound, and forwarding has been done, use an alternate transport
transport = ${if eq {$local_part@$domain} \
{$original_local_part@$original_domain} \
{mailbaby_smtp} {mailbaby_forward_smtp}}
.else
transport = mailbaby_smtp
.endif
domains = !+local_domains 
ignore_target_hosts = 127.0.0.0/8 
route_list = * relay.mailbaby.net::25 randomize byname 
host_find_failed = defer 
no_more

@PREDOTFORWARD@

@PREFILTER@

@PRELOCALUSER@

@PRENOALIASDISCARD@

@PREROUTERS@

@PREVALIASNOSTAR@

@PREVALIASSTAR@

@PREVIRTUALUSER@

@RETRYEND@

@RETRYSTART@
* data_4xx F,4h,1m
* rcpt_4xx F,4h,1m
* timeout F,4h,1m
* refused F,1h,5m
* lost_connection F,1h,1m
* * F,6h,5m

@REWRITE@

@ROUTEREND@

@ROUTERMIDDLE@

@ROUTERSTART@

@TRANSPORTEND@

@TRANSPORTMIDDLE@

@TRANSPORTSTART@
mailbaby_smtp:
driver = smtp
hosts_require_auth = *
tls_tempfail_tryclear = true
headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*}\
{$authenticated_id} {${if match {$authenticated_id}{.+}\
{$authenticated_id@$primary_hostname}{$authenticated_id}}}}
dkim_domain = ${lookup{$sender_address_domain}lsearch,ret=key{/etc/localdomains}}
dkim_selector = default
dkim_canon = relaxed
dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
# uncomment this if users get errors message has line too long for transport
#message_linelength_limit = 65536

mailbaby_forward_smtp:
driver = smtp
hosts_require_auth = *
tls_tempfail_tryclear = true
headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*}\
{$authenticated_id} {${if match {$authenticated_id}{.+}\
{$authenticated_id@$primary_hostname}{$authenticated_id}}}}
dkim_domain = ${lookup{$sender_address_domain}lsearch,ret=key{/etc/localdomains}}
dkim_selector = default
dkim_canon = relaxed
dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
# uncomment this if users get errors message has line too long for transport
#message_linelength_limit = 65536
.ifdef SRSENABLED
return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}
.endif

 

When done run

/scripts/buildeximconf

 

Advanced Config in cPanel Examples

The below configs were tested on cpanel v 11.106 and exim 4.95 and below. It is possible newer versions of exim require changes for advanced configs which is beyond the scope of support MailBaby can provide. The below gives examples that can be used to build and create potential advanced EXIM configs to relay certain types of email. These should be done by a qualified system administrator with an understanding of EXIM as it may require trial and error. As a smart host mailbaby accepts the email your server sends with a valid login and password and will scan the mail, and determine if the email should be relayed. An advanced config to prevent certain emails from being relayed is done at the EXIM level to use a different EXIM transport.

* Most advanced config occurs in POSTMAILCOUNT. Important – use postmailcount in order to be able to limit emails per hour with in cpanel.

* To test use exim -bt and the email which will give an output like

 exim -bt [email protected]
[email protected]
router = remoteserver_route, transport = mailbaby_smtp
host relay.mailbaby.net [209.159.154.242] port=25

 

• Exclude a domain from MailBaby in exim

  Add to remoteserver route a senders section like

senders = : [email protected] : !*@domain2.com

* is a wild card match so *@domain1.com covers [email protected] and [email protected] covers just that sender. Note the ! needed.

remoteserver_route: 
driver = manualroute
.ifdef SRSENABLED
# if outbound, and forwarding has been done, use an alternate transport
transport = ${if eq {$local_part@$domain} \
{$original_local_part@$original_domain} \
{mailbaby_smtp} {mailbaby_forward_smtp}}
.else
transport = mailbaby_smtp
.endif
domains = !+local_domains
# add senders exclude
senders = : [email protected]  :  !*@domain1.com
ignore_target_hosts = 127.0.0.0/8 
route_list = * relay.mailbaby.net::25 randomize byname 
host_find_failed = defer 
no_more

 

• Only use MailBaby when sending to specific domains

  To do this edit the domains line. Remove the +local_domains which indicates mailbaby is excluded for all local domains. Instead change to

domains = lsearch:/etc/exim_domains_include

Then add in /etc/exim_domains_include the domains one at a time like

domain1.com
domain2.com

This would force email to the destination domain1.com and domain2.com through MailBaby excluding the others

* Set permissions chown root:mail /etc/exim_domains_include

remoteserver_route:
driver = manualroute
transport = mailbaby_smtp
domains = lsearch:/etc/exim_domains_include  
ignore_target_hosts = 127.0.0.0/8
route_list = * relay.mailbaby.net::25 randomize byname
host_find_failed = defer
no_more

• Only use MailBaby when sending from a specific domain

For this add a senders line and instead of ! to negate, remove that to only match the specific domains. * is a wildcard

senders = *@domain1.com : [email protected]

remoteserver_route: 
driver = manualroute
.ifdef SRSENABLED
# if outbound, and forwarding has been done, use an alternate transport
transport = ${if eq {$local_part@$domain} \
{$original_local_part@$original_domain} \
{mailbaby_smtp} {mailbaby_forward_smtp}}
.else
transport = mailbaby_smtp
.endif

domains = domain1.com : domain2.com : !* 

ignore_target_hosts = 127.0.0.0/8 
route_list = * relay.mailbaby.net::25 randomize byname 
host_find_failed = defer 
no_more