How to add an Exim SPF Check Exception

Discussion in 'E-mail Discussions' started by keencs, Jan 8, 2015.

  1. keencs

    Hello,

    I have been seeing a few messages showing as rejected in my server's Mail Delivery Reports. The reason for the rejections is an SPF checking failure of the sender.

    Example:
    "SPF: 66.43.20.52 is not allowed to send mail from sm.ancestry.com"

    I realize that this is a misconfiguration of the sender's SPF record which should be fixed and technically my cPanel server is operating as expected.

    I am attempting to determine how to whitelist this sender's server so the SPF record for them is not checked.

    I have researched on this forum and on Google but can't find a solution.

    I have tried adding the sending server's IP to the Exim lists "Sender verification bypass IP addresses" and "Whitelist: IP addresses that should not be checked against RBLs" but neither worked.

    Any ideas or suggestions would be appreciated.

    Ryan
     
  2. cPanelMichael

    Hello :)

    The following custom modification to SPF checking in the Exim configuration allows hosts listed in /etc/trustedmailhosts to bypass SPF verification:

    Code:
    deny message = SPF: $sender_host_address is not allowed to send mail from $sender_address_domain
        !condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}
        spf = fail
    
    Thank you.
     
  3. bonbonbon

    Hey,

    Sorry that I'm opening up an older topic, but I figured it'd be better than making a new one.

    Anyhow, there's an ACL in the Exim configuration:

    # BEGIN INSERT custom_begin_connect

    accept delay = 15s

    # END INSERT custom_begin_connect

    What I'd like to do is to make an exception so that trusted domains/IPs can send e-mails without any delay, in other words I'd like that rule omitted for these domains.

    I thought about something like this, but I'm not sure whether it makes any sense as I've barely read about it so far:
    accept delay = 15s
    deny delay= 15s
    condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}

    Help appreciated.
     
  4. bonbonbon

    Eh, can't seem to make it work. Read about it a bit in here and apparently the condition should be first, so I tried setting it up like this:

    accept condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}
    delay = 15s

    If I set it up like this, the delay is omitted for every e-mail.
    I probably still don't properly understand how it works.
     
  5. cPanelMichael

    You may want to post to the Exim users mailing list for additional assistance with setting up the custom rule:

    Exim Users Mailing List

    Feel free to let us know the outcome.

    Thank you.
     
  6. bonbonbon

    Experimented with this rule today a little bit.

    The solution was simply adding another accept before the delay - I didn't realise ACL basically doesn't check other "accepts" if the first one in the specific section has passed. So now it's set up as this:

    accept condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}
    accept delay = 15s

    Now if it matches an IP in the file, the delay doesn't happen. And it happens the other way around.

    Also got some help from a ticket I have opened - there's a helpful command "exim -bh" (or "exim -bh <IP>" in my case). It's a command which I haven't known or tried, but should have - as it is present in the documentation I have posted.
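
The ACL behaviour worked out in the posts above, as an added example that is not part of the original thread and is not Exim's or cPanel's code: a simplified Python model of how a statement's conditions and its `delay` modifier are processed in order, applied to the connect-delay rules and to the SPF exception. The addresses and the contents of the trusted-hosts list are constructed, and the `message` modifier is not modelled.

```python
import ipaddress

# Constructed sample of /etc/trustedmailhosts (documentation-range addresses).
TRUSTED = ["192.0.2.10", "198.51.100.0/24"]

def iplsearch(ip, keys):
    """Approximate match_ip{ip}{iplsearch;file}: keys are IPs or CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(k, strict=False) for k in keys)

def run_acl(statements, ctx):
    """Evaluate statements in order; return (verdict, delay_seconds).

    Each statement is (verb, [items]). Items are processed left to right:
    ("cond", fn) stops the statement when fn(ctx) is false; ("delay", n)
    takes effect at the moment it is reached.
    """
    delay = 0
    for verb, items in statements:
        matched = True
        for kind, value in items:
            if kind == "delay":
                delay += value
            elif not value(ctx):
                matched = False
                break
        if matched:
            return verb, delay
    # No statement matched: the rest of the ACL (not modelled here) decides.
    return "next", delay

trusted = lambda c: iplsearch(c["ip"], TRUSTED)
spf_fail = lambda c: c["spf"] == "fail"

# Connect ACL from the thread: trusted hosts are accepted before the delay.
CONNECT_FIXED = [("accept", [("cond", trusted)]),
                 ("accept", [("delay", 15)])]
# Earlier attempt: the delay sits behind the condition in one statement.
CONNECT_ATTEMPT = [("accept", [("cond", trusted), ("delay", 15)])]
# SPF exception: deny only when the host is NOT trusted and spf = fail.
SPF_ACL = [("deny", [("cond", lambda c: not trusted(c)), ("cond", spf_fail)])]

def check(acl, ip, spf="none"):
    """Run one ACL for a connecting IP and an SPF result."""
    return run_acl(acl, {"ip": ip, "spf": spf})
```

The SPF exemption is keyed on the connecting IP alone, so a host listed in the file has SPF failures accepted for every sender domain it uses; keep the list to specific addresses you control or have verified.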
     
  8. avibodha

    Michael, can this be done in the Exim Advanced Editor? Could you explain what section to edit? Or does exim.conf have to be edited each time Exim is updated?

    thanks
     
  9. avibodha

    For anyone else who hasn't modified Exim, here are the steps

    (from https://features.cpanel.net/topic/exclude-backup-mx-hosts-from-spf-validation-checks)

    ...it is currently possible to modify Exim (in a cPanel sanctioned and supported way) to exempt Backup MX Hosts from SPF validation checks.
    1. Go to WHM
    2. Go to "Exim Configuration"
    3. Go to the "Advanced Editor" tab
    4. Scroll to/locate the section labeled "spf_bl (Reject SPF failures)"
    5. If it is checked, uncheck it (this disables the default SPF behavior)
    6. Make sure the section just above it labeled "custom_begin_mailauth" is checked (enabled) and paste the snippet from Michael above in the text box
     