
Email laundering

Discussion in 'E-mail Discussions' started by nordkontakt, Nov 9, 2011.

  1. nordkontakt

    nordkontakt Registered

    Hi everyone!

    I've just recently installed my first cPanel.

    Question.

    I have a customer that does not have an account on the cPanel, but I would like to offer him to scan the email for spam/viruses and then send that email to their Exchange server, and also act as a secondary MX so I can hold the email if their Exchange is down for whatever reason.

    How can I accomplish this?
     
  2. beddo

    beddo Well-Known Member

    This is how I do it: http://forums.cpanel.net/f43/exim-smart-relay-verification-123501.html, although it has been improved a little as follows:

    Go to the exim configuration editor, scroll to the bottom and click advanced.
    Find:
    Code:
    democheck:
        driver = redirect
        require_files = "+/etc/demouids"
        condition = "${if eq {${lookup {$originator_uid} lsearch {/etc/demouids} {$value}}}{}{false}{true}}"
        allow_fail
        data = :fail: demo accounts are not permitted to relay email
    
    AFTER it, insert:

    Code:
    # Route domains listed in /etc/staticroutes to the host(s) given there
    static_route:
      driver = manualroute
      transport = remote_smtp_smart
      route_data = ${lookup{$domain}lsearch{/etc/staticroutes}}

    Find "begin transports", AFTER ADD:

    Code:
    remote_smtp_smart:
      driver = smtp
      delay_after_cutoff = false
      hosts = ${lookup{$domain}lsearch{/etc/staticroutes}}

    FIND:

    Code:
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
    
      # ignore authenticated hosts
    
      accept authenticated = *

    REPLACE with:

    Code:
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
    
      # For domains listed in /etc/staticroutes, verify the recipient with a
      # callout to the destination; defer_ok lets the message through if the
      # destination cannot be reached
      deny
           condition  =  ${if eq {1}{${lookup{$domain}lsearch \
                           {/etc/staticroutes}{1}{0}}}}
           !verify = recipient/callout=30s,defer_ok,use_sender
           log_message = $local_part@$domain : Recipient verify failed in staticroute file
    
      # ignore authenticated hosts
    
      accept authenticated = *

    Then create the file /etc/staticroutes and put into it your routing data as follows:

    For a single domain with a single destination, the line would be:

    example.com: 1.1.1.1
    or
    example.com: office.example.com

    The left part being the domain name to route email for and the right being the destination, either an IP or valid CNAME record.

    If your destination has two external IP addresses, you can put it as follows:
    example.com: primaryoffice.example.com:backupoffice.example.com

    Email will first be routed to primaryoffice.example.com and then to backupoffice.example.com if the primary is unsuccessful.

    Configure your Exchange server to only accept mail from your hosted server's IP address too in order to prevent spammers from bypassing the filtering and delivering directly.
     
  3. nordkontakt

    nordkontakt Registered

    Thank you for the best reply I've seen.

    I will try this out.

    Oh, and also:

    In case of the customer's mail server having downtime, will the mail be queued for later delivery? And where can I define for how long?
     
    #3 nordkontakt, Nov 14, 2011
    Last edited: Nov 14, 2011
  4. beddo

    beddo Well-Known Member

    The setup acts as follows.

    1) On receiving mail, Exim will try to call forward to the destination in order to verify the recipient. If the recipient is accepted, the message continues. If the recipient is rejected, the message is rejected. This prevents backscatter issues. If the remote server does not respond, the message will be accepted and queued regardless as verification cannot be done.

    2) Accepted mail will then be processed as normal by Exim. Right at the bottom of the Exim advanced editor is the RETRY CONFIGURATION section. The default rule is:

    * * F,2h,15m; G,16h,1h,1.5; F,4d,8h

    This means mail will be retried every 15 minutes for two hours. Then for 16 hours at a time gap that increases by a factor of 1.5 - starting at 1 hour. Then for 4 days at a retry period of 8h.

    To override for a specific domain you can put something like this in the section immediately above the default retry line:
    domain.com * F,16d,15m

    You cannot override the default line from WHM although you can edit some templates to change it.
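The default rule and the per-domain override quoted in the post above, expanded into a retry timeline. This is an added example, not part of the original post or of Exim itself. It is a simplified model that assumes each cutoff is measured from the first failed delivery, that a queue runner fires exactly when a retry falls due, and that a rule stops applying once its cutoff is reached.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def seconds(text):
    """Convert an Exim time value such as '15m' or '1h30m' to seconds."""
    parts = re.findall(r"(\d+)([smhdw])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"bad time value: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def parse_retry_line(line):
    """Split '<pattern> <errors> <rules>' and parse the F and G rules."""
    pattern, errors, spec = line.split(None, 2)
    rules = []
    for item in spec.split(";"):
        f = [x.strip() for x in item.split(",")]
        if f[0] == "F" and len(f) == 3:
            rules.append(("F", seconds(f[1]), seconds(f[2]), 1.0))
        elif f[0] == "G" and len(f) == 4:
            rules.append(("G", seconds(f[1]), seconds(f[2]), float(f[3])))
        else:
            raise ValueError(f"unsupported retry rule: {item.strip()!r}")
    return pattern, errors, rules

def schedule(line):
    """Retry times in seconds after the first failure (simplified model)."""
    rules = parse_retry_line(line)[2]
    times, now, gap = [], 0, 0
    while now < rules[-1][1]:
        # Use the first rule whose cutoff has not yet been reached.
        letter, cutoff, interval, factor = next(r for r in rules if now < r[1])
        # F: fixed gap. G: start at the interval, then multiply the last gap.
        gap = interval if letter == "F" or gap < interval else int(gap * factor)
        now += gap
        times.append(now)
    return times

DEFAULT = "* * F,2h,15m; G,16h,1h,1.5; F,4d,8h"   # default rule quoted in the post
OVERRIDE = "domain.com * F,16d,15m"               # per-domain override from the post

if __name__ == "__main__":
    for line in (DEFAULT, OVERRIDE):
        t = schedule(line)
        print(f"{line}\n  {len(t)} retries, last at {t[-1] / 86400:.2f} days")
```

In this model the last entry of each list is the first attempt at or past the rule's final cutoff, so the two lines differ mainly in how long mail for the routed domain stays queued while the Exchange server is down.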
     
  5. nordkontakt

    nordkontakt Registered

    Seems I have some troubles after implementing this.

    Exim bounces the email with a relay error.

    I just added the domain to /etc/localdomains.

    Is this file dynamically updated by WHM?
     
  6. beddo

    beddo Well-Known Member

    localdomains should be updated automatically. If you make a change manually, you should also ensure that the domain is not in /etc/remotedomains.

    The way to set this through WHM is to open up the zonefile for the domain in "Edit DNS". At the bottom there is an option to set "Local Mail Exchanger". If you have never changed this, it will be on auto and should work it out correctly but maybe it hasn't.
     
  7. mhdi

    mhdi Member

    I got to the above step and found the following code in my exim config. What should I do?

    Code:
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
    
    [% ACL_RATELIMIT_BLOCK %]
    
      accept  hosts = :
    
      accept hosts = +skipsmtpcheck_hosts
    
    
      # Accept bounces to lists even if callbacks or other checks would fail
      warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
    
      # Accept bounces to lists even if callbacks or other checks would fail
      warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      #if it gets here it isn't mailman
    
     
  8. beddo

    beddo Well-Known Member

    Just replace the top 4 lines, I think. Are you running an older version of cPanel? Because I know things change around a bit. My instructions came from a clean install on CentOS 6.
     
  9. thejrp

    thejrp Registered

    Thanks for the info on how to achieve this. I have this setup for a client and the mail is getting to their exchange server.

    How do I verify that the spam filtering is taking place on the mail? I am just using the built in Spam Assassin.

    Looking at the exim_mainlog this is what I get, no reference to spam assassin.

    2012-02-03 12:05:03 H=mercolamail3.mercola.com (mercola.com) [63.208.77.116] Warning: Sender rate 0.2 / 1h
    2012-02-03 12:05:03 1RtPNX-00034q-Gb <= bounce@****.com H=mercolamail3.mercola.com (mercola.com) [63.208.77.116] P=esmtp S=26084 id=20120203081132.23ECB3EDBDA67FA4@****.com
    2012-02-03 12:05:05 1RtPNX-00034q-Gb => ***@*******.com R=static_route T=remote_smtp_smart H=***.***.***.*** [***.***.***.***]
    2012-02-03 12:05:05 1RtPNX-00034q-Gb Completed
     
    #9 thejrp, Feb 3, 2012
    Last edited: Feb 3, 2012
  10. thejrp

    thejrp Registered

    I added the site to the /etc/localdomains and it now shows user nobody spamassassin. Looks like it is working.
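A consistency check across the three files this thread ends up depending on: every domain routed in /etc/staticroutes should be in /etc/localdomains and absent from /etc/remotedomains. This is an added example, not code from the posters or from cPanel. It assumes one entry per line in /etc/staticroutes in the form shown in post 2 (no continuation lines or quoted keys) and one domain per line in the other two files; the sample contents are constructed.

```python
import re

def parse_staticroutes(text):
    """Parse 'domain: host[:host...]' lines; return (routes, problems)."""
    routes, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # An lsearch key ends at the first colon or white space.
        m = re.match(r"([^\s:]+)\s*:?\s*(.*)", line)
        domain = m.group(1).lower() if m else ""
        hosts = [h.strip() for h in m.group(2).split(":") if h.strip()] if m else []
        if not hosts:
            problems.append(f"line {lineno}: no destination host in {line!r}")
        elif domain in routes:
            problems.append(f"line {lineno}: {domain} repeated; lsearch returns the first match")
        else:
            routes[domain] = hosts
    return routes, problems

def domain_set(text):
    """Domains from a one-per-line file such as /etc/localdomains."""
    lines = (l.strip().lower() for l in text.splitlines())
    return {l for l in lines if l and not l.startswith("#")}

def audit(staticroutes, localdomains, remotedomains):
    """Return (routes, problems) for the contents of the three files."""
    routes, problems = parse_staticroutes(staticroutes)
    local, remote = domain_set(localdomains), domain_set(remotedomains)
    for domain in routes:
        if domain not in local:
            problems.append(f"{domain}: not in /etc/localdomains")
        if domain in remote:
            problems.append(f"{domain}: also in /etc/remotedomains")
    return routes, problems

# Constructed sample contents; on a server, read the three /etc files instead.
ROUTES = """# constructed sample
example.com: primaryoffice.example.com:backupoffice.example.com
client.example: 192.0.2.10
client.example: 192.0.2.11
broken.example:
"""
LOCAL = "example.com\n"
REMOTE = "client.example\n"

if __name__ == "__main__":
    for problem in audit(ROUTES, LOCAL, REMOTE)[1]:
        print(problem)
```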
     