Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

Forums
Forums

Quick Links
- Search Forums
- New Posts
Search titles only

Posted by Member:

Separate names with a comma.

Newer Than:

Search this thread only

Search this forum only

Display results as threads

More...

Useful Searches

Recent Posts
Resources
Resources

Quick Links
Feature Requests
Defects
Menu

This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

How to add a Exim SPF Check Exception

Discussion in 'E-mail Discussions' started by keencs, Jan 8, 2015.

keencs Member

Joined:

Feb 16, 2013

Messages:

11

Likes Received:

1

Trophy Points:

3

cPanel Access Level:

Root Administrator

Hello,

I have been seeing a few messages showing as rejected in my server's Mail Delivery Reports. The reason for the rejections is a SPF checking failure of the sender.

Example:
"SPF: 66.43.20.52 is not allowed to send mail from sm.ancestry.com"

I realize that this is a misconfiguration of the sender's SPF record which should be fixed and technically my cPanel server is operating as expected.

I am attempting to determine how to whitelist this sender's server so the SPF record for them is not checked.

I have researched on this forum and on google but can't find a solution.

I have tried adding the sending server's ip to the Exim lists "Sender verification bypass IP addresses" and "Whitelist: IP addresses that should not be checked against RBLs" but neither worked.

Any ideas or suggestions would be appreciated.

Ryan

#1 keencs, Jan 8, 2015

avibodha likes this.
cPanelMichael Forums Analyst
Staff Member

Joined:

Apr 11, 2011

Messages:

42,734

Likes Received:

1,706

Trophy Points:

363

cPanel Access Level:

Root Administrator
Hello

The following custom modification to SPF checking in the Exim configuration allows hosts listed in /etc/trustedmailhosts to bypass SPF verification:

Code:

deny message = SPF: $sender_host_address is not allowed to send mail from $sender_address_domain !condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}} spf = fail

Thank you.
• Submit A Support Ticket • Submit A Feature Request

#2 cPanelMichael, Jan 9, 2015
bonbonbon Member

Joined:

Apr 8, 2015

Messages:

6

Likes Received:

0

Trophy Points:

1

Location:

Poland

cPanel Access Level:

Root Administrator

Hey,

Sorry that I'm opening up an older topic, but I figured it'd be better than making a new one.

Anyhow, there's an acl in exim configuration:

# BEGIN INSERT custom_begin_connect

accept delay = 15s

# END INSERT custom_begin_connect

What I'd like to do is to make an exception so that trusted domains/IPs can send e-mails without any delay, in other words I'd like that rule omitted for these domains.

I thought about something like this, but I'm not sure whether it makes any sense as I've barely read about it so far:
accept delay = 15s
deny delay= 15s
condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}

Help appreciated.

#3 bonbonbon, Apr 8, 2015
bonbonbon Member

Joined:

Apr 8, 2015

Messages:

6

Likes Received:

0

Trophy Points:

1

Location:

Poland

cPanel Access Level:

Root Administrator

Eh, can't seem to make it work. Read about it a bit in here and apparently the condition should be first, so I tried setting it up like this:

accept condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}
delay = 15s

If I set it up like this, the delay is omitted for every e-mail.
I probably still don't properly understand how it works.

#4 bonbonbon, Apr 9, 2015
cPanelMichael Forums Analyst
Staff Member

Joined:

Apr 11, 2011

Messages:

42,734

Likes Received:

1,706

Trophy Points:

363

cPanel Access Level:

Root Administrator

You may want to post to the Exim users mailing list for additional assistance with setting up the custom rule:

Exim Users Mailing List

Feel free to let us know the outcome.

Thank you.

• Submit A Support Ticket • Submit A Feature Request

#5 cPanelMichael, Apr 10, 2015
bonbonbon Member

Joined:

Apr 8, 2015

Messages:

6

Likes Received:

0

Trophy Points:

1

Location:

Poland

cPanel Access Level:

Root Administrator

Experimented with this rule today a little bit.

The solution was simply adding another accept before the delay - I didn't realise ACL basically doesn't check other "accepts" if the first one in the specific section has passed. So now it's set up as this:

accept condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}
accept delay = 15s

Now if it matches an IP in the file, the delay doesn't happen. And happens other way around.

Also got some help from a ticket I have opened - there's a helpful command "exim -bh" (or "exim -bh <IP>" in my case). It's a command which I haven't known or tried, but should have - as it is present in the documentation I have posted.

#6 bonbonbon, Apr 10, 2015
cPanelMichael Forums Analyst
Staff Member

Joined:

Apr 11, 2011

Messages:

42,734

Likes Received:

1,706

Trophy Points:

363

cPanel Access Level:

Root Administrator

I am happy to see you were able to address the issue. Thank you for updating us with the outcome.

• Submit A Support Ticket • Submit A Feature Request

#7 cPanelMichael, Apr 13, 2015
avibodha Member

Joined:

Mar 23, 2013

Messages:

9

Likes Received:

0

Trophy Points:

1

cPanel Access Level:

Root Administrator
cPanelMichael said: ↑

Hello

The following custom modification to SPF checking in the Exim configuration allows hosts listed in /etc/trustedmailhosts to bypass SPF verification:

Code:

deny message = SPF: $sender_host_address is not allowed to send mail from $sender_address_domain !condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}} spf = fail

Thank you.
Click to expand...

Michael, can this be done in the Exim Advanced Editor? Could you explain what section to edit? Or does exim.conf have to be edited each time exim is updated?

thanks
#8 avibodha, Jul 20, 2015
avibodha Member

Joined:

Mar 23, 2013

Messages:

9

Likes Received:

0

Trophy Points:

1

cPanel Access Level:

Root Administrator
For anyone else who hasn't modified Exim, here are the steps

(from https://features.cpanel.net/topic/exclude-backup-mx-hosts-from-spf-validation-checks)

...it is currently possible to modify Exim (in a cPanel sanctioned and supported way) to exempt Backup MX Hosts from SPF validation checks.

Go to WHM

Go to "Exim Configuration"

Go to the "Advanced Editor" tab

Scroll to/locate the section labeled "spf_bl (Reject SPF failures)"

If it is checked, uncheck it (this disabled the default SPF behavior)

Make sure the section just above it labeled "custom_begin_mailauth" is checked (enabled) and paste the snippet from Michael above in the text box
#9 avibodha, Jul 20, 2015
cPanelMichael Forums Analyst
Staff Member

Joined:

Apr 11, 2011

Messages:

42,734

Likes Received:

1,706

Trophy Points:

363

cPanel Access Level:

Root Administrator

Hello

Thank you for taking the time to update this thread with the solution to your question.

• Submit A Support Ticket • Submit A Feature Request

#10 cPanelMichael, Jul 27, 2015

(You must log in or sign up to post here.)

Loading...

Similar Threads - Exim Check Exception

HTML email redirect via exim

tivilardo, Apr 18, 2018 at 3:33 PM, in forum: E-mail Discussions

Replies:

3

Views:

35

cPanelLauren

Apr 19, 2018 at 9:26 AM
Exim smarthost do not split emails

Al Gilson, Apr 13, 2018, in forum: E-mail Discussions

Replies:

3

Views:

59

cPanelMichael

Apr 16, 2018 at 10:51 AM
Stop Exim Sending "Mail delivery failed" Emails

loginid, Apr 10, 2018, in forum: E-mail Discussions

Replies:

4

Views:

142

cPanelMichael

Apr 12, 2018
Exim retry times after being greylisted

sneader, Apr 8, 2018, in forum: E-mail Discussions

Replies:

5

Views:

91

cPanelMichael

Apr 10, 2018
Configure EXIM to handle all forwards locally

PeteS, Mar 22, 2018, in forum: E-mail Discussions

Replies:

2

Views:

86

PeteS

Mar 22, 2018

Share This Page