Per domain Enable/disable "verify sender", "callouts" and RBL lookups

[gpilot]

II have an unusual situation where most of my clients are happy with "verify sender", "use callouts" and RBL lookups all enabled. There is one customer who insists he is not getting emails and demands these checks be disabled.

Is there any way to do this on a per-domain basis? A whitelist will not work as I would have to go through the rejectlog often to
see what addresses are being bounced. I have found about five percent of his rejects which are due to failed sender verify callouts _may_ be legit.....however even though these servers may not be RFC compliant the customer still wants these mails.

Running WHM 11.2.0, cpanel 11.10.0 stable, CentOS 4.5, Exim 4.63

(edited 8-29-2007)

OK, I found some code which appearently worked on the older exim ACL format;

Add this line to the exim.conf options (first box) in the advanced editor:

domainlist rbl_bypass = lsearch;/etc/rblbypass

Touch /etc/rblbypass, add to it the domain.com you want bypassed

Modify the ACL:

# RBL Bypass Local Domain List
!domains = +rbl_bypass

But my problem is that I need to know where to enter this in the new Exim ACL. More detailed info is at: "http://www.webhostgear.com/175.html" but this info is old and does not seem to apply to cpanel 11.

Can anyone help with this????

 

[innsites]

Exempt a domain from RBL check on incoming mail.

I would also like to exempt one or more client domains from RBL checks. Were you able successfully implement that? If so, how?

 

[gpilot]

Still looking for an answer...

Innsites, I have tried opening a support ticket with cpanel, my first two emails from them referred to this line in the exim config editor:

"** A comma or colon seperated list of ip addresses that should not be rbl checked (whitelist)."

They said this will perform the RBL bypass I seek. I (politely) disagreed with them, as this line allows you to enter a SENDER IP which you want to
whitelist and not bounce their emails, even if the sender IP is on an RBL list. On my third email to them I provided them with the results of actual testing, which proved
my statement true. I won't bore you with the details (I will email them if you want) however I am convinced this line is for whitelisting a particular, known sender to
to exempt them from RBL checking.

So, back to modding the ACL or cpanel_exim_filters file to bypass all RBL checks for all incoming email to one particular domain on my server, does anyone have any ideas??

Any leads appreciated. We are willing to pay a modest sum for some consulting help, I really believe this only involves a simple edit to exim.conf or the file which is called by exim.conf for the RBL lookups.

Insofar as enabling the sender verify and callouts, on a per-domain basis, I think I'll put
that on the back burner for a while. I have looked at many of the bounces as a result of these and it appears my original statement at the beginning of this thread was incorrect, I can't find any false positives in the rejectlogs.

Thanks!!

 

[innsites]

Still unable to exempt a domain from rbl checks.

Am getting incredibly frustrated that nobody at cpanel seems to know how to exempt a domain from spam filtering or rbl checks. I tried the exim users list and got a recommendation for exim 4.67, but WHM 11x is running 4.66.

 

[gpilot]

I understand

Insites:

I agree. cpanel support with this issue is slim. I may have found someone who can offer some help, however if he is able to provide an answer I need his permission to post it here. I may be paying him a small fee for this, but if he gives his OK. I plan on making the fix available for all.

As far as disabling spam _filtering_ on a per-domain basis, that should be pretty straightforward. Dont check "globally enable" spam assassin on exim config basic mode. Then your accounts can decide for themselves if
they want spam assassin enabled.

 

[innsites]

Testing code right now

I am testing some coding right now and will post the how-to if it is successful.

 

[innsites]

Success - exempt domain from incoming RBL checks

Tested with exim 4.66 on
WHM 11.2.0 cPanel 11.11.0-R16789

In the Exim Configuration Editor;

In the first box, add:
domainlist skip_rbl_domains = domain.com : domain.com


*Where domain.com = domain names of those that wish to bypass rbl checks on incoming mail

In the second ACL box of Exim Configuration Editor, make these changes:

Find this line
[% ACL_RBL_BLOCK %]

and comment it out to disable it. It should now look like this:
#[% ACL_RBL_BLOCK %]

and then also add these lines;


deny message= Rejected because $sender_host_address is in a blacklist at $dnslist_domain\n$dnslist_text
dnslists = zen.spamhaus.org:bl.spamcop.net
domains = ! +skip_rbl_domains

So now the full final edit in 2nd ACL BOX looks like this

#[% ACL_RBL_BLOCK %]
deny message= Rejected because $sender_host_address is in a blacklist at $dnslist_domain\n$dnslist_text
dnslists = zen.spamhaus.org:bl.spamcop.net
domains = ! +skip_rbl_domains


Since implementing this for 3 domains, none of them have had any spamhaus or spamcop mails rejected. Their choosing! Not mine.

Special thanks to Darton on the exim-users mailing list for pointing me in the right direction.

 

[gpilot]

Nice work!

I am going to test this today and I will report back on the results.

It looks like you are completely disabling the new RBL check by commenting out the [% ACL_RBL_BLOCK %] function and writing a new RBL check which enables the bypassed domains.

Thanks!

gm

 

[innsites]

Definitely works for me!

Correct. It disabled the new rbl checks but then adds the code back manually.

Definitely is working for me by NOT doing RBL tests on those clients that don't want it, yet still doing RBL checking for all others as evidenced by reviewing exim_rejectlog

2007-09-07 15:18:12 H=(C82CA49FFECA433) [221.131.61.22] F=<[email protected] om> rejected RCPT <[email protected]>: Rejected because 221.131.61.22 is in a blacklist at bl.spamcop.net

 

[jerrybell]

So, an issue that is pervasive in the cpanel exim config is that the settings ignore the possibility an email could be send to multiple domains. I believe that the "domains =" condition is nonsensical in emails with multiple recipient domains.

A way I have fixed that in the past is by only accepting mail for one domain at a time when a remote mail server connects.

Here is how I have done that:

#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  defer message = Try this address again shortly
        condition = ${if and {{and \
                                {\
                                        {def:acl_m3} \
                                        {!eq {${acl_m3}} \
                                            {} \
                                        } \
                                } \
                              } \
                              {!eq {${domain}} \
                                   {${acl_m3}} \
                              }} \
                       {1}{0}}

What it does is check to see if the value of acl_m3 is set, if not it sets it to the recipient domain. If it is set, it compares the value of acl_m3 with the currently processed recipient domain. If there is a difference, the message gets deferred, and the sending mail server will retry just that recipient, thus ensuring that each recipient domain's spam settings are honored.

So, in concert with what innsites posted to take care of RBLs, you can do this:

require 
  domains = +skip_sender_verify_domains
  verify = sender

For my next trick, I want to enable per-domain settings of thresholds to flag spam and for rejecting spam.

 

[moronhead]

Should that last line be domains = ! +skip_sender_verify_domains ?

 

[majoosh]

Tested with exim 4.66 on
WHM 11.2.0 cPanel 11.11.0-R16789

In the Exim Configuration Editor;

In the first box, add:
domainlist skip_rbl_domains = domain.com : domain.com


*Where domain.com = domain names of those that wish to bypass rbl checks on incoming mail

In the second ACL box of Exim Configuration Editor, make these changes:

Find this line
[% ACL_RBL_BLOCK %]

and comment it out to disable it. It should now look like this:
#[% ACL_RBL_BLOCK %]

and then also add these lines;


deny message= Rejected because $sender_host_address is in a blacklist at $dnslist_domain\n$dnslist_text
dnslists = zen.spamhaus.org:bl.spamcop.net
domains = ! +skip_rbl_domains

So now the full final edit in 2nd ACL BOX looks like this

#[% ACL_RBL_BLOCK %]
deny message= Rejected because $sender_host_address is in a blacklist at $dnslist_domain\n$dnslist_text
dnslists = zen.spamhaus.org:bl.spamcop.net
domains = ! +skip_rbl_domains


Since implementing this for 3 domains, none of them have had any spamhaus or spamcop mails rejected. Their choosing! Not mine.

Special thanks to Darton on the exim-users mailing list for pointing me in the right direction.

Hi all

How can we do the same thing in exim-4.69-23.1_cpanel_maildir ??

Basically I want to skip some domains in my server from RBL check.

Thanks
Majoosh