How to add a Exim SPF Check Exception

[keencs]

Hello,

I have been seeing a few messages showing as rejected in my server's Mail Delivery Reports. The reason for the rejections is a SPF checking failure of the sender.

Example:
"SPF: 66.43.20.52 is not allowed to send mail from sm.ancestry.com"

I realize that this is a misconfiguration of the sender's SPF record which should be fixed and technically my cPanel server is operating as expected.

I am attempting to determine how to whitelist this sender's server so the SPF record for them is not checked.

I have researched on this forum and on google but can't find a solution.

I have tried adding the sending server's ip to the Exim lists "Sender verification bypass IP addresses" and "Whitelist: IP addresses that should not be checked against RBLs" but neither worked.

Any ideas or suggestions would be appreciated.

Ryan

 

[cPanelMichael]

Hello

The following custom modification to SPF checking in the Exim configuration allows hosts listed in /etc/trustedmailhosts to bypass SPF verification:

deny message = SPF: $sender_host_address is not allowed to send mail from $sender_address_domain
    !condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}
    spf = fail

Thank you.

 

[bonbonbon]

Hey,

Sorry that I'm opening up an older topic, but I figured it'd be better than making a new one.

Anyhow, there's an acl in exim configuration:

# BEGIN INSERT custom_begin_connect

accept delay = 15s

# END INSERT custom_begin_connect

What I'd like to do is to make an exception so that trusted domains/IPs can send e-mails without any delay, in other words I'd like that rule omitted for these domains.

I thought about something like this, but I'm not sure whether it makes any sense as I've barely read about it so far:
accept delay = 15s
deny delay= 15s
condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}

Help appreciated.

 

[bonbonbon]

Eh, can't seem to make it work. Read about it a bit in here and apparently the condition should be first, so I tried setting it up like this:

accept condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}
delay = 15s

If I set it up like this, the delay is omitted for every e-mail.
I probably still don't properly understand how it works.

 

[cPanelMichael]

You may want to post to the Exim users mailing list for additional assistance with setting up the custom rule:

Exim Users Mailing List

Feel free to let us know the outcome.

Thank you.

 

[bonbonbon]

Experimented with this rule today a little bit.

The solution was simply adding another accept before the delay - I didn't realise ACL basically doesn't check other "accepts" if the first one in the specific section has passed. So now it's set up as this:

accept condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}
accept delay = 15s

Now if it matches an IP in the file, the delay doesn't happen. And happens other way around.

Also got some help from a ticket I have opened - there's a helpful command "exim -bh" (or "exim -bh <IP>" in my case). It's a command which I haven't known or tried, but should have - as it is present in the documentation I have posted.

 

[cPanelMichael]

I am happy to see you were able to address the issue. Thank you for updating us with the outcome.

 

[avibodha]

Hello

The following custom modification to SPF checking in the Exim configuration allows hosts listed in /etc/trustedmailhosts to bypass SPF verification:

deny message = SPF: $sender_host_address is not allowed to send mail from $sender_address_domain
    !condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}
    spf = fail

Thank you.

Michael, can this be done in the Exim Advanced Editor? Could you explain what section to edit? Or does exim.conf have to be edited each time exim is updated?

thanks

 

[avibodha]

For anyone else who hasn't modified Exim, here are the steps

(from https://features.cpanel.net/topic/exclude-backup-mx-hosts-from-spf-validation-checks)

...it is currently possible to modify Exim (in a cPanel sanctioned and supported way) to exempt Backup MX Hosts from SPF validation checks.

1. Go to WHM
2. Go to "Exim Configuration"
3. Go to the "Advanced Editor" tab
4. Scroll to/locate the section labeled "spf_bl (Reject SPF failures)"
5. If it is checked, uncheck it (this disabled the default SPF behavior)
6. Make sure the section just above it labeled "custom_begin_mailauth" is checked (enabled) and paste the snippet from Michael above in the text box

 

[cPanelMichael]

Hello

Thank you for taking the time to update this thread with the solution to your question.