This document is for a previous release of cPanel & WHM. To view our latest documentation, visit our Home page.

For cPanel & WHM 11.46

(Home >> Service Configuration >> Exim Configuration Manager)

Overview

Select the Basic Editor tab in the Exim Configuration Manager interface to modify the settings for your server's Exim configuration.

Basic Editor options

Click on a tab below to view options for the associated tab in the WHM interface.

Note:

The All tab displays the options for all of the Exim Configuration Manager tabs. 

Note:

The ACL Options options limit who can send mail to your server, in order to minimize unwanted bandwidth usage.

Option | Description
SpamAssassin™ reject spam score threshold

This option allows you to determine the spam score that Apache SpamAssassin™ uses to reject incoming messages. You can enter a positive or negative number, which may contain a single decimal point. You can also choose not to use this option.

For more information, visit Apache SpamAssassin's documentation.

Dictionary attack protection

This option allows you to drop and rate-limit hosts that have more than four failed recipients, in order to block dictionary attacks. A dictionary attack is a method whereby a malicious user tries to guess a password with words found in a dictionary.

Reject remote mail sent to the server's hostname

This option allows you to reject messages in which the recipient is an address of your server's primary hostname. In general, the primary hostname, a common target for spammers, should not receive remote mail.

Ratelimit suspicious SMTP servers

This option allows you to rate-limit incoming SMTP connections that violate RFCs. This setting will rate-limit mail servers that do not send QUIT, have recently matched an RBL, or have attacked the server. Real mail servers must follow RFC specifications.

Note:

To ensure that the system does not rate-limit an SMTP connection, add the server to a whitelist. This allows the system to deliver mail from connections that violate RFCs to your inbox.

To add a server to a whitelist, edit the Trusted SMTP IP Addresses setting in the Access Lists tab, and enter the IP address of the trusted server.

SpamAssassin™: ratelimit spam score threshold

This option allows you to rate-limit hosts that send spam to your server. When you activate this option, ratelimits delay email from hosts that send you spam.

The system activates ratelimits when both of the following conditions are met:

  1. A host reaches or exceeds the Apache SpamAssassin score that you enter in the text box. You can enter a positive or negative number, which may contain a single decimal point.
  2. That host exceeds the number of emails sent within the time period that the ratelimit formula specifies.

Notes:

  • By default, the ratelimit formula is ratelimit = 1.2 / 1h / strict / per_conn / noupdate.
  • Exim averages ratelimits over time.
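
Why the default formula engages so quickly, as an added example (not cPanel's or Exim's code): it parses the formula quoted above and replays constructed arrival times through an exponentially weighted moving average. The smoothing rule is an assumed model of the averaging; each event stands for a message that already met the spam score threshold, and the per_conn and noupdate bookkeeping is not modelled.

```python
import math

# Default formula quoted in the notes above.
DEFAULT_FORMULA = "ratelimit = 1.2 / 1h / strict / per_conn / noupdate"
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_ratelimit(formula):
    """Return (limit, period_seconds, options) from 'm / p / opt / ...'."""
    fields = [f.strip() for f in formula.split("=", 1)[-1].split("/")]
    if len(fields) < 2 or fields[1][-1:] not in UNIT_SECONDS:
        raise ValueError("expected 'limit / period[smhdw] / options'")
    limit = float(fields[0])
    period = float(fields[1][:-1]) * UNIT_SECONDS[fields[1][-1]]
    return limit, period, fields[2:]


def smoothed_rates(event_times, period):
    """Smoothed rate (events per period) after each event time, in seconds.

    Assumed model: an exponentially weighted moving average in which an
    event's weight decays as exp(-elapsed / period).
    """
    rates, rate, last = [], None, None
    for now in event_times:
        if rate is None:
            rate = 1.0  # first event recorded for this host
        else:
            elapsed = max((now - last) / period, 1e-9)  # measured in periods
            decay = math.exp(-elapsed)
            rate = (1.0 - decay) / elapsed + decay * rate
        rates.append(rate)
        last = now
    return rates


def first_limited_event(event_times, formula=DEFAULT_FORMULA):
    """Index of the first event whose smoothed rate reaches the limit."""
    limit, period, _options = parse_ratelimit(formula)
    for index, rate in enumerate(smoothed_rates(event_times, period)):
        if rate >= limit:
            return index
    return None


if __name__ == "__main__":
    # Constructed arrival times (seconds) of messages at or above the score.
    for label, times in [("1 min apart", [0, 60]),
                         ("45 min apart", [0, 2700, 5400]),
                         ("60 min apart", [0, 3600, 7200, 10800])]:
        print(label, [round(r, 3) for r in smoothed_rates(times, 3600)],
              "limited at event", first_limited_event(times))
```

Under this model a host that sends one qualifying message per hour settles at a rate of 1.0 and stays below 1.2, while anything faster crosses the limit within a few messages.
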
Ratelimit incoming connections with only failed recipients

This option allows you to rate-limit incoming SMTP connections that have only sent email to failed recipients during five separate connection times in the past hour.

Require HELO before MAIL

This option allows you to require that incoming SMTP connections send a HELO before they send a MAIL command.

Note:

A HELO is a command that mail servers send before an email, and that specifies the name of the sending domain. Apache SpamAssassin can perform various checks on this information (for example, it can ensure that the domain name matches the IP address from which the message was sent). This ensures that your server does not receive spam that reports a false domain name.

Require remote (hostname/IP address) HELO

This option allows you to require that incoming SMTP connections send a HELO that does not match the primary hostname or a local IP address.

Require remote (domain) HELO

This option allows you to require that incoming SMTP connections send a HELO that does not match your server's local domains.

Require RFC-compliant HELO

This option allows you to require that incoming SMTP connections send a HELO that conforms with the Internet standards set forth in RFC2821 4.1.1.1. For more information, read the RFC website.

Reject SPF failures

This option allows you to reject messages from a sender that has failed SPF (Sender Policy Framework) checks. For more information, read the Sender Policy Framework Wikipedia article.

Allow DKIM verification for incoming messages

This option allows you to use DKIM verification to verify incoming messages.

Warning:

This verification process can slow your server's performance.

Reject DKIM failures

This option allows you to reject email at SMTP time if the sender fails DKIM key validation.

Note:

 This option appears when the Allow DKIM verification for incoming messages option is set to On.

Maximum message recipients (soft limit)

This option allows you to determine the number of recipient addresses your server will accept in a single message. You can also choose not to use this option.

Note:

RFCs specify that SMTP servers should accept at least 100 RCPT commands for a single message. For more information, read the RFC website.

Maximum message recipients before disconnect (hard limit)

This option allows you to determine the number of recipient addresses that your server will permit in a single message before it disconnects and rate-limits a connection. You can also choose not to use this option.

Note:

RFCs specify that SMTP servers should accept at least 100 RCPT commands for a single message. For more information, read the RFC website.

Note:

The Access Lists options further limit who is able to send mail to your server.

Option | Description
Automatically whitelist known mobile device providers

This option allows you to automatically place known mobile device providers on a whitelist. If you choose to enable this option, messages from known mobile device providers will bypass the mail filter.

Note:

The system stores information about mail providers in the /etc/mailproviders/* directory.

Blacklisted SMTP IP addresses

This option allows you to edit the list of blacklisted SMTP IP addresses. The system does not allow these IP addresses to connect to the SMTP server, and instead drops connections with a 550 error.

Sender verification bypass IP addresses

This option allows you to edit the list of IP addresses that the system will exclude from SMTP sender verification checks.

Only-verify-recipient

This option allows you to edit the list of IP addresses and hosts that the system will exclude from all SMTP-time spam checks except recipient verification checks.

Trusted SMTP IP addresses

This option allows you to edit the list of IP addresses that the system will exclude from SMTP-time recipient, sender, spam, and relay checks.

Backup MX hosts

This option allows you to edit the list of hosts (with reverse DNS) from which the system permits SMTP connections, regardless of ratelimits.

Trusted mail users

The Trusted mail users option allows system administrators to designate certain users as trusted mail users. This option will affect the EXPERIMENTAL: Rewrite From: header to match actual sender setting in the Mail tab.

The trusted users who you list can bypass the EXPERIMENTAL: Rewrite From: header to match actual sender setting. The Trusted mail users option allows the listed users to modify their From: header, and the EXPERIMENTAL: Rewrite From: header to match actual sender setting will not override these changes.

Enter the trusted mail usernames or their email addresses, one per line.

Note:

The Domains and IPs options change the IP address from which Exim sends mail. If you disable these options (the default), Exim will automatically send mail from your server's main shared IP address.

For more information about how to manually configure the IP addresses from which Exim will send mail, read our How to Configure the Exim Outgoing IP Address documentation.

Option | Description
Send mail from account's dedicated IP address

This option allows you to automatically send outgoing mail from your account's IP address instead of the main IP address. If you enable this option, the /usr/local/cpanel/scripts/updateuserdomains file will automatically populate the /etc/mailhelo and /etc/mailips files, which prevent the use of the other two options in the Domains and IPs section.

Warning:

If you turn on this setting, make certain that the reverse DNS entries that your provider has on file match those in the /etc/mail_reverse_dns file.

For more information about how to configure reverse DNS entries, read our How to Configure Reverse DNS for BIND in WHM documentation.

Reference /etc/mailhelo for outgoing SMTP HELO

This option allows you to send a HELO that is based on the domain name in the /etc/mailhelo file.

For more information about how to edit this file, read our How to Configure the Exim Outgoing IP Address documentation.

Reference /etc/mailips for outgoing SMTP connections

This option allows you to send outgoing mail from the IP address that matches the domain name in the /etc/mailips file.

For more information about how to edit this file, read our How to Configure the Exim Outgoing IP Address documentation.

Note:

The Filters options allow you to select and configure filters that can block spam and potentially dangerous attachments.

Option | Description
System Filter File

Use this option to enable or disable Exim's system filter file, which is typically in the /etc/cpanel_exim_system_filter file. Choose one of the following settings:

    • None (default) — Choose this option to disable Exim's system filter file.
    • /etc/cpanel_exim_system_filter — Choose this option to enable Exim's system filter file. This is the default setting in the default configuration.
    • You can also choose to Customize the Exim System Filter File.

Warning:

Regardless of the option that you select, the Exim configuration will include all of the files within the /usr/local/cpanel/etc/exim/sysfilter/options/ directory.

Attachments: Filter messages with dangerous attachments

Select this option to filter email messages that contain potentially dangerous attachments.

The system detects the following extensions by default:
.ade
.adp
.bas
.bat
.chm
.cmd
.com
.cpl
.crt
.eml
.exe
.hlp
.hta
.inf
.ins
.isp
.js
.jse
.lnk
.mdb
.mde
.msc
.msi
.msp
.mst
.pcd
.pif
.reg
.scr
.sct
.shs
.url
.vbs
.vbe
.wsf
.wsh
.wsc
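
A way to audit a message against this extension list, as an added example (not cPanel's system filter): it walks the MIME parts of a constructed sample message and reports attachment names whose final extension is on the list, after decoding the name and normalising case and trailing dots. The function names and the sample message are assumptions made for the illustration.

```python
from email import message_from_string

# Extensions copied from the default list above (leading dots removed).
DANGEROUS_EXTENSIONS = frozenset("""
    ade adp bas bat chm cmd com cpl crt eml exe hlp hta inf ins isp js jse lnk
    mdb mde msc msi msp mst pcd pif reg scr sct shs url vbs vbe wsf wsh wsc
""".split())

# Constructed sample message; addresses, names and bodies are placeholders.
SAMPLE_MESSAGE = """\
From: sender@example.com
To: user@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

See attached.
--BOUND
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"

placeholder
--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice.PDF.exe."

placeholder
--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename*=UTF-8''notes%2Etxt%2Escr

placeholder
--BOUND
Content-Type: application/octet-stream; name="setup.js"

placeholder
--BOUND--
"""


def final_extension(filename):
    """Lower-cased last extension, ignoring trailing dots and spaces."""
    name = filename.strip().rstrip(". ").lower()
    _stem, dot, ext = name.rpartition(".")
    return ext if dot else ""


def dangerous_attachments(raw_message):
    """Return the file names of parts whose final extension is on the list."""
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        # get_filename() reads the Content-Disposition "filename" parameter,
        # falls back to the Content-Type "name" parameter, and decodes
        # RFC 2231 (filename*=) values before the extension is compared.
        filename = part.get_filename()
        if filename and final_extension(filename) in DANGEROUS_EXTENSIONS:
            hits.append(filename)
    return hits


if __name__ == "__main__":
    for name in dangerous_attachments(SAMPLE_MESSAGE):
        print("flagged:", name)
```
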
SpamAssassin: Global Subject Rewrite

Select this option to prefix the Subject header with information from the X-Spam-Subject header and omit the X-Spam-Subject header.

SpamAssassin: bounce spam score threshold

Select this option to define the spam score that Apache SpamAssassin uses to bounce incoming messages. You can enter a positive or negative number, which may contain a single decimal point. By default, this option is disabled.

For more information about spam scores, read the Apache SpamAssassin documentation.

SpamAssassin: X-Spam-Subject/Subject header prefix for spam emails

Select this option to use the default X-Spam-Subject header prefix for spam email or to enter a custom prefix.

Note:

The Mail options allow you to configure specific incoming mail options.

Option | Description
Log sender rates in the exim mainlog

This option allows you to log sender rates in the Exim mail log.

Sender Verification Callouts

This option allows Exim to connect to the mail exchanger for an address to verify that it exists before Exim accepts messages from it.

Smarthost support

This option allows you to use a smart host for outgoing messages. To configure this option, enter a valid route_list in the Smarthost support text box:

  • To configure a smart host that uses one IP address, enter an asterisk (*) followed by an IP address. For example, you might use the following entry:

    * 192.188.0.20
  • To configure a smart host that uses multiple domains, enter an asterisk, followed by the IP addresses. Separate each IP address with a colon. For example, you might use the following entry:

    * 192.188.0.20 : 192.188.0.21 : 192.188.0.22

    Warning:

    If you do not enter an asterisk before the IP address or addresses, the smart host does not function.

For more information about route_lists, read the Exim route_list documentation.

EXPERIMENTAL: Rewrite From: header to match actual sender

This option rewrites the From header in emails to show the original identity of the actual sender for messages sent from your server. Email recipients can see the original From header as X-From-Rewrite, as well as the rewritten From header. This option is useful to determine the actual mail sender. For more information, read the EXPERIMENTAL: Rewrite From: header to match actual sender section below.

Send generic recipient failure messages

This option allows you to send the following message to senders who attempt to send an undeliverable message: 

The recipient cannot be verified. Please check all recipients of this message to verify they are valid.
Allow mail delivery if malware scanner fails

This option allows you to disable the malware scanner if it fails. If you select On, in the event of a malware scanner failure, the server will deliver all mail normally.

Note:

If you select Off and the malware scanner fails, users will not receive new messages until you repair the malware scanner.

Reject mail for users over quota

This option allows you to reject SMTP-time mail for users who exceed their quotas.

Sender Verification

This option allows you to verify the origin of mail senders.

Set SMTP Sender: headers

This option allows you to set the Sender: header as the -f flag passed to sendmail when a mail sender changes.

Notes:

  • The default setting is Off.
  • If you set this option to Off, Microsoft® Outlook will not add an On behalf of header. This may limit your ability to track abuse of the mail system.
Allow mail delivery if spam scanner fails

This option allows you to disable the spam scanner if it fails. If you select On, the system will deliver all mail normally in the event of a spam scanner failure.

Note:

  • The default setting is On.
  • If you select Off and the spam scanner fails, users will not receive new messages until you repair the spam scanner.
Trust X-PHP-Script headers to determine the sender of email messages sent from processes running as nobody

This option allows Exim to trust messages that the nobody user sends with X-PHP-Script headers. This option also enables the mail server to determine the true sender. This will provide a faster delivery process than a query to the Apache server to determine the sender.

Note:

It is possible for an advanced user to forge this header. If your users may misuse this function, disable this option and send a query to the Apache server to determine the sender of nobody messages.

Query Apache server status to determine the sender of email messages sent from processes running as nobody

This option allows the mail delivery process to query the Apache server to determine the true sender of a message when the nobody user sends a message. This option requires an additional connection to the webserver for each message that the nobody user account sends when suPHP and mod_ruid2 are both disabled.

This option is more secure, but it is faster to trust the X-PHP-Script headers.

This option defaults to On.

 

EXPERIMENTAL: Rewrite From: header to match actual sender

This option rewrites the From header in emails to show the original identity of the actual sender for messages sent from your server. Email recipients can see the original From header as X-From-Rewrite, as well as the rewritten From header. This option is useful to determine the actual mail sender.

Note:

This option does not affect mail that you receive from a remote host. The From header is only rewritten for mail that is sent from the local machine because it is not possible to determine or validate the actual mail sender from remote machines.

 

System administrators can choose the following settings for this option:

Setting | Description | Conditions
remote

This option uses SMTP to rewrite the From header in outgoing emails to match the actual sender.

  • If a local user sends mail to a user on a remote host, this setting rewrites the From header.
  • If a local user receives mail from a user on a remote host, this setting will not rewrite the From header because it is impossible to determine the authenticated sender.
  • If a local user sends mail to another local user on the same server, this setting will not rewrite the From header because this is not a remote delivery.
  • If a local user receives mail from another local user on the same server, this setting will not rewrite the From header.
all

This option rewrites the From header in all outgoing emails to match the actual sender.

  • If a local user sends mail to a user on a remote host, this setting rewrites the From header.
  • If a local user receives mail from a user on a remote host, this setting will not rewrite the From header because it is impossible to determine the authenticated sender.
  • If a local user sends mail to another local user on the same server, this setting rewrites the From header because this option includes local deliveries.
  • If a local user receives mail from another local user on the same server, this setting rewrites the From header because the sender has already rewritten the From header.
disable

This option will not rewrite the From header in any email.

Note:

This is the default setting.

Not applicable.

 

In order to conduct an attack or send unsolicited email, a malicious user can alter the From text box in an email to confuse the recipient. For example, a user may authenticate as user@example.com and send a message with the From header set to account@forged.example.com. When you enable this option, Exim rewrites the From header to show the actual sender, which in this case is user@example.com.

To avoid a potential problem, system administrators can enable this option to ensure that the From header for mail sent from their servers always matches one of the following methods:

Method | Example
The actual sender

If you are authenticated as user@example.com, user@example.com will always be in the From header.

An email address to which the sender has access

If you are authenticated as the user user, set the From header to any email account that the user user controls.

An email address that has been forwarded to the actual sender

If user@example.com is on your server and it was forwarded to account@domain.org, then account@domain.org may set the From header to either address.

Note:

The RBLs options allow you to configure your mail server to check incoming mail against the available RBLs. Your server will block the incoming messages if the IP address or hostname matches an RBL entry.

RBL is short for “Real-time Blackhole List.” RBL servers keep lists of spam-heavy IP addresses and hostnames so that you can easily block them. The WHM interface accesses two RBLs: bl.spamcop.net and zen.spamhaus.org.

Option | Description
Manage Custom RBLs

Click Manage to view and manage your server's RBLs. A new interface will appear.

The Current RBLs table lists the following information for each RBL:

Column | Description
Origin

The source of the RBL.

  • Custom indicates that you added the RBL.
  • System indicates cPanel-included RBLs.
RBL name

The RBL's name.

DNS list

The RBL's DNS list.

Info URL

The RBL information URL.

Action

For custom RBLs, click Delete to remove the RBL.

Note:

You cannot delete cPanel-included RBLs. 

To add an RBL, enter the appropriate information in the text boxes and click Add.

Notes:

  • Make certain that you choose an RBL name that will remind you of the DNS list for this RBL.
  • After you add custom RBLs, each custom RBL will appear at the bottom of the RBLs options tab. Select On to enable a custom RBL. 
  • Custom RBLs default to Off.
RBL: bl.spamcop.net

This option allows you to reject mail at SMTP-time if the sender's host is in the bl.spamcop.net RBL. For more information, visit the bl.spamcop.net website.

RBL: zen.spamhaus.org

This option allows you to reject mail at SMTP-time if the sender's host is in the zen.spamhaus.org RBL. For more information, visit the zen.spamhaus.org website.

Whitelist: IP addresses that should not be checked against RBLs

This option allows you to choose a list of IP addresses to whitelist. Exim will not RBL-check these addresses.

Note:

Enter one IP address per line in the text box.

Skip RBLs on specific domains

To skip RBLs for specific domains, log in as the root user and use your preferred text editor to create and edit the /etc/skiprbldomains file. Add the domains to the file, with one domain name per line.

After you create the /etc/skiprbldomains file, enable the skip_rbl_domains function in the Advanced Editor tab of the Exim Configuration Manager interface.

Note:

The Security options allow you to configure security settings for your mail server.

Option | Description
Allow weak SSL/TLS ciphers

This option allows you to use weak SSL/TLS encryption ciphers.

Important:

Weak SSL/TLS encryption ciphers violate PCI compliance. For more information about PCI compliance, read the PCI Compliance Guide.

Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server

This option allows you to specify whether clients must connect with SSL or issue the STARTTLS command before they may authenticate.

Scan messages for malware from authenticated senders (exiscan)

This option will enable ClamAVconnector to scan outbound messages from authenticated senders for malware. If disabled, Exim will not scan messages from authenticated senders.

Scan outgoing messages for malware

If you enable this option, the ClamAVconnector plugin will reject mail for non-local domains that have tested positive for malware.

Note:

The SpamAssassin™ Options options allow you to configure Apache SpamAssassin™ to suit your server’s needs.

Apache SpamAssassin is a spam detection and blocking program which examines the content of an email message and assigns it an overall score. The score is based on the number of spam-related traits that Apache SpamAssassin finds in the message. If the message’s score exceeds a predefined limit, SpamAssassin discards it as spam. For more information, visit the Apache SpamAssassin documentation.

Any changes made to Apache SpamAssassin's configuration may require you to run /usr/bin/sa-compile before they take effect.

Option | Description
Old Style Spam System

This option allows you to use the deprecated transport-based Spam System instead of the new ACL-style Apache SpamAssassin.

Note:

The deprecated spam system is not recommended because it operates slowly.

SpamAssassin: Forced Global ON

This option allows you to turn on Apache SpamAssassin for all accounts on the server without an option for the users to disable it.

SpamAssassin: message size threshold to scan

This option allows you to set the maximum size (in kilobytes) of messages that Apache SpamAssassin will scan. It is generally inefficient to scan large messages because spam messages are typically small (1-4 KB).

Scan outgoing messages for spam and reject based on SpamAssassin internal spam_score setting

This option allows Apache SpamAssassin to scan and reject messages sent to non-local domains which have a higher spam score than Apache SpamAssassin's internal spam_score setting of 5.

This option is disabled by default. To enable this option, select On.

Note:

Apache SpamAssassin will not scan messages that have been forwarded to remote email addresses.

Scan outgoing messages for spam and reject based on defined SpamAssassin score

This option allows you to set the spam_score threshold that Apache SpamAssassin will use to determine when it will reject messages sent to non-local domains.

This option is disabled by default. To enable this option, select the empty text box and enter the number for Apache SpamAssassin to use as a minimum spam score. The number that you enter must be between 0.1 and 99.9, and can use up to two decimal places.

Note:

Apache SpamAssassin will not scan messages that are forwarded to remote email addresses.