Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

How to add a Exim SPF Check Exception

Discussion in 'E-mail Discussion' started by keencs, Jan 8, 2015.

  1. keencs

    keencs Member

    Joined:
    Feb 16, 2013
    Messages:
    14
    Likes Received:
    3
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Hello,

    I have been seeing a few messages showing as rejected in my server's Mail Delivery Reports. The reason for the rejections is a SPF checking failure of the sender.

    Example:
    "SPF: 66.43.20.52 is not allowed to send mail from sm.ancestry.com"

    I realize that this is a misconfiguration of the sender's SPF record which should be fixed and technically my cPanel server is operating as expected.

    I am attempting to determine how to whitelist this sender's server so the SPF record for them is not checked.

    I have researched on this forum and on google but can't find a solution.

    I have tried adding the sending server's ip to the Exim lists "Sender verification bypass IP addresses" and "Whitelist: IP addresses that should not be checked against RBLs" but neither worked.

    Any ideas or suggestions would be appreciated.

    Ryan
     
    #1 keencs, Jan 8, 2015
    avibodha likes this.
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,803
    Likes Received:
    1,897
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello :)

    The following custom modification to SPF checking in the Exim configuration allows hosts listed in /etc/trustedmailhosts to bypass SPF verification:

    Code:
    deny message = SPF: $sender_host_address is not allowed to send mail from $sender_address_domain
    !condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}
    spf = fail
    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelMichael, Jan 9, 2015
  3. bonbonbon

    bonbonbon Member

    Joined:
    Apr 8, 2015
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Poland
    cPanel Access Level:
    Root Administrator
    Hey,

    Sorry that I'm opening up an older topic, but I figured it'd be better than making a new one.

    Anyhow, there's an acl in exim configuration:

    # BEGIN INSERT custom_begin_connect

    accept delay = 15s

    # END INSERT custom_begin_connect

    What I'd like to do is to make an exception so that trusted domains/IPs can send e-mails without any delay, in other words I'd like that rule omitted for these domains.

    I thought about something like this, but I'm not sure whether it makes any sense as I've barely read about it so far:
    accept delay = 15s
    deny delay= 15s
    condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}

    Help appreciated.
     
    #3 bonbonbon, Apr 8, 2015
  4. bonbonbon

    bonbonbon Member

    Joined:
    Apr 8, 2015
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Poland
    cPanel Access Level:
    Root Administrator
    Eh, can't seem to make it work. Read about it a bit in here and apparently the condition should be first, so I tried setting it up like this:

    accept condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}
    delay = 15s

    If I set it up like this, the delay is omitted for every e-mail.
    I probably still don't properly understand how it works.
     
    #4 bonbonbon, Apr 9, 2015
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,803
    Likes Received:
    1,897
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    You may want to post to the Exim users mailing list for additional assistance with setting up the custom rule:

    Exim Users Mailing List

    Feel free to let us know the outcome.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 cPanelMichael, Apr 10, 2015
  6. bonbonbon

    bonbonbon Member

    Joined:
    Apr 8, 2015
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Poland
    cPanel Access Level:
    Root Administrator
    Experimented with this rule today a little bit.

    The solution was simply adding another accept before the delay - I didn't realise ACL basically doesn't check other "accepts" if the first one in the specific section has passed. So now it's set up as this:

    accept condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}
    accept delay = 15s

    Now if it matches an IP in the file, the delay doesn't happen. And happens other way around.

    Also got some help from a ticket I have opened - there's a helpful command "exim -bh" (or "exim -bh <IP>" in my case). It's a command which I haven't known or tried, but should have - as it is present in the documentation I have posted.
     
    #6 bonbonbon, Apr 10, 2015
  7. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,803
    Likes Received:
    1,897
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    I am happy to see you were able to address the issue. Thank you for updating us with the outcome.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #7 cPanelMichael, Apr 13, 2015
  8. avibodha

    avibodha Member

    Joined:
    Mar 23, 2013
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Michael, can this be done in the Exim Advanced Editor? Could you explain what section to edit? Or does exim.conf have to be edited each time exim is updated?

    thanks
     
    #8 avibodha, Jul 20, 2015
  9. avibodha

    avibodha Member

    Joined:
    Mar 23, 2013
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    For anyone else who hasn't modified Exim, here are the steps

    (from https://features.cpanel.net/topic/exclude-backup-mx-hosts-from-spf-validation-checks)

    ...it is currently possible to modify Exim (in a cPanel sanctioned and supported way) to exempt Backup MX Hosts from SPF validation checks.
    1. Go to WHM
    2. Go to "Exim Configuration"
    3. Go to the "Advanced Editor" tab
    4. Scroll to/locate the section labeled "spf_bl (Reject SPF failures)"
    5. If it is checked, uncheck it (this disabled the default SPF behavior)
    6. Make sure the section just above it labeled "custom_begin_mailauth" is checked (enabled) and paste the snippet from Michael above in the text box
     
    #9 avibodha, Jul 20, 2015
  10. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,803
    Likes Received:
    1,897
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello :)

    Thank you for taking the time to update this thread with the solution to your question.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #10 cPanelMichael, Jul 27, 2015
(You must log in or sign up to post here.)
Loading...
Similar Threads - Exim Check Exception
  1. goodmove

    Question about eximstats_spam_check

    goodmove, Aug 27, 2018, in forum: E-mail Discussion
    Replies:
    1
    Views:
    99
    cPanelLauren
    Aug 27, 2018
  2. ruiz

    Change eximstats_spam_check in crontab

    ruiz, Jul 29, 2018, in forum: E-mail Discussion
    Replies:
    3
    Views:
    104
    cPanelMichael
    Aug 2, 2018
  3. mehdix92

    Disable Exim Reverse DNS check

    mehdix92, Jun 14, 2018, in forum: E-mail Discussion
    Replies:
    1
    Views:
    218
    cPanelMichael
    Jun 14, 2018
  4. smartrange

    warn [eximstats_spam_check]

    smartrange, May 24, 2018, in forum: E-mail Discussion
    Replies:
    6
    Views:
    275
    cPanelLauren
    Jun 5, 2018
  5. swbrains

    SOLVED [CPANEL-20345] eximstats_spam_check cron job always sends root notification

    swbrains, Apr 2, 2018, in forum: E-mail Discussion
    Replies:
    14
    Views:
    1,471
    cPanelMichael
    Aug 7, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice