The Community Forums


Only accept authenticated mail

Discussion in 'E-mail Discussions' started by beddo, Oct 22, 2011.

  1. beddo

    beddo Well-Known Member

    Joined:
    Jan 19, 2007
    Messages:
    157
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    England
    cPanel Access Level:
    DataCenter Provider
    Hi folks,

    I am commissioning a new server. The server will not accept mail directly from the Internet; all mail comes through spam filtering relays.
    Currently I simply have port 25 firewalled to only allow mail from the relays.

    Unfortunately, due to some reseller setups, there are many clients who send email using DNS records that must point to the server. That means that, in order to accept these emails, port 25 must be opened up.

    So, I need to change all of the default ACLs and have something that simply says:

    1) If mail comes from any of the inbound mailservers and the recipient is valid, accept and deliver.
    2) If mail comes from anywhere else and the sender is using valid credentials, accept and relay.
    3) If mail is not from a relay and not authenticated, drop with a message saying that the server does not accept mail directly.

    If I understand the standard ACLs, I can achieve 1) by adding the IPs to /etc/relayhosts - is this correct?
    2) is pretty much in place because the ACLs start with accept authenticated = *.

    The thing I need help with is knowing which parts of the ACLs instruct Exim to accept unauthenticated mail for local domains. I believe it is simply the presence of the domain in /etc/localdomains that does this, so I need an entirely new line in the ACLs, but because there are a lot of cPanel customisations in there I am unsure of how to achieve this.

    It is probably fairly simple; is there anyone with a better understanding of cPanel's ACLs who can point me in the right direction?

    Thanks.
     
  2. beddo

    beddo Well-Known Member

    Google came through; I found an answer here:

    Mailserver changes to only accept from the filter systems - SpamExperts

    The only difference is that I put my IPs in Only-verify-recipient SMTP hosts/IPs because I still want recipient validation to work (my front end servers call forward for that).

    Now I need to figure out how to make it play nice with static routes...
     
    #2 beddo, Oct 22, 2011
    Last edited: Oct 22, 2011
  3. dca

    dca Registered

    Joined:
    Apr 13, 2012
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Is there an updated guide for this setup?

    I believe we used this same method before (link is dead), but after updating to 11.32.2 recently the config file changed and now we don't know where and what to add to get the same outcome.

    Any help is appreciated.
     
  4. beddo

    beddo Well-Known Member

    It took me a while to get the changes into 11.32.

    I *think* this is all that is needed in custom_begin_pre_recipient.

    My front end mailservers are listed in /etc/trustedmailhosts which is found under "Only-verify-recipient" in WHM.

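    Code:
    # Filtering relays listed in /etc/trustedmailhosts: accept only if the
    # recipient verifies. "verify = recipient" is written as a condition of
    # the accept; a line starting with the verb "require" begins a separate
    # ACL statement, leaving the accept above it without a recipient check.
    accept
        hosts = +trustedmailhosts
        verify = recipient

    # Same relay list, matched by IP lookup.
    accept
        condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}
        verify = recipient

    # Authenticated senders may relay.
    accept authenticated = *

    # Mail submitted locally on the server.
    accept
        hosts = 127.0.0.1
        verify = recipient

    # Everything else is unauthenticated and not from a relay.
    deny
        log_message = Unauthenticated connection dropped
        message = This server does not accept unauthenticated connections.
        ! authenticated = *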
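
A way to check rules 1 and 3 from the first post after an ACL change, added here as an example (not code from any poster or from cPanel): it replays a constructed SMTP dialogue through `exim -bh <ip>`, Exim's fake-session mode for testing ACLs, and reports the reply to RCPT TO. `EXIM_BIN`, `PROBE_SENDER` and the function names are assumptions of this example; authenticated submission (rule 2) is not exercised.

```shell
#!/bin/sh
# Added example: run a fake SMTP session with `exim -bh <ip>`, which applies
# the ACLs as if the connection came from <ip> and delivers nothing.
# EXIM_BIN, PROBE_SENDER, rcpt_code, probe and expect_class are names chosen
# for this example; the sender address is a constructed sample value.
EXIM_BIN=${EXIM_BIN:-exim}
PROBE_SENDER=${PROBE_SENDER:-probe@example.org}

# Print the reply code for RCPT TO: the 4th final reply line
# (banner, HELO, MAIL FROM, RCPT TO). Continuation lines ("250-...") and
# Exim's "****" banner text do not match and are skipped.
rcpt_code() {
    awk '/^[0-9][0-9][0-9] / { if (++n == 4) print $1 }'
}

# probe <client-ip> <recipient>: run the session, print the RCPT reply code.
probe() {
    printf 'HELO probe.example\nMAIL FROM:<%s>\nRCPT TO:<%s>\nQUIT\n' \
        "$PROBE_SENDER" "$2" |
        "$EXIM_BIN" -bh "$1" 2>/dev/null | rcpt_code
}

# expect_class <client-ip> <recipient> <2|5>: compare the first digit of the
# RCPT reply with the expected class (2 = accepted, 5 = rejected).
# A 4xx deferral or a missing reply fails either expectation.
expect_class() {
    code=$(probe "$1" "$2")
    case "$code" in
        "$3"*) echo "ok   $1 -> $2: $code"; return 0 ;;
        *)     echo "FAIL $1 -> $2: got '${code:-no reply}', wanted ${3}xx"
               return 1 ;;
    esac
}

# Usage: sh probe.sh <client-ip> <recipient> <2|5>
if [ $# -eq 3 ]; then expect_class "$@"; fi
```

Run it on the mail server with a relay IP and a valid mailbox expecting 2, the same relay IP and a nonexistent mailbox expecting 5, and an unlisted IP expecting 5.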
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
  6. dca

    dca Registered

    Thank you very much.
    I will try to get this working as soon as my boss OKs it.
     