Relay all mail through spam filtering appliance

park6469

I need to configure my cPanel servers to relay messages sent through exim to a spam filtering appliance that resides on our network.

How can I go about doing this through the exim.conf?

We were going to try and use iptables, but this is not going to be a valid option since the iptables modules are unavailable for these particular servers. We do use several control panel software packages and on one of these, we edited the "lookuphost:" portion of the exim.conf file, but this does not seem to work for cPanel.

Thanks
 

WiredTree Joe

Why not directly point your MX records for the domains that are going to use the spam appliance to the IPs on the spam appliance itself? Most spam appliances can then send filtered mail to wherever you need from there. It just seems like unneeded work to try to have Exim send the email off server when you can just bypass it with your MX records to get the same results. Maybe your setup is different than what I normally see.

On a side note, the default RBLs and SpamAssassin provided by cPanel do pretty darn well out of the box for spam filtering. Anything that gets through the server-level spam filtering on my personal domain is then handled by my mail client.
 

park6469

Changing the MX records is not an option because this applies to OUTGOING mail not incoming. The spam appliance prevents hosting accounts on our server from sending out spam by filtering out the junk mail once it hits the spam appliance.

Configuring through exim is the most desired option.
 

Grimster

WiredTree Joe said:
> Why not directly point your MX records for the domains that are going to use the spam appliance to the IPs on the spam appliance itself? Most spam appliances can then send filtered mail to wherever you need from there. It just seems like unneeded work to try to have Exim send the email off server when you can just bypass it with your MX records to get the same results. Maybe your setup is different than what I normally see.
>
> On a side note, the default RBLs and SpamAssassin provided by cPanel do pretty darn well out of the box for spam filtering. Anything that gets through the server-level spam filtering on my personal domain is then handled by my mail client.

RBLs don't do much good for OUTGOING spam. And I don't believe SpamAssassin filters email sent FROM the system either, though it'd almost be kinda nice if it did!

I've also tried to get cPanel to RELAY through an external SMTP server with no luck. I'm sure I'm missing a very simple setting.

In DirectAdmin, which also uses Exim/Dovecot, I simply replace the default lookuphost: section with this:

Code:
lookuphost:
  driver = manualroute
  domains = ! +local_domains
  ignore_target_hosts = 127.0.0.0/8
  condition = "${perl{check_limits}}"
  transport = remote_smtp
  route_list = * RELAYIP byname
  no_more
Doing the same in cPanel's exim setup breaks it, horribly!

So back to the real question, HOW do you get cPanel/Exim to RELAY ALL OUTGOING EMAIL through another server?
 

mopar93

The fix is very simple. It can't be done from the WHM panel, at least not as of Version 11.28, but you can do it manually with a text editor and very little editing.

Log into your server through SSH to a command shell as the root user. Using the text editor "pico" or "nano", we'll edit the exim config file. Issue the following command:

pico /etc/exim.conf

This loads exim.conf into the editor.

Scroll down until you find the "lookuphost" router. This will be a series of lines that look like the following:

lookuphost:
driver = dnslookup
domains = ! +local_domains
#ignore verisign to prevent waste of bandwidth
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 64.94.110.0/24
headers_add = "${perl{mailtrapheaders}}"
transport = remote_smtp

Change the "driver = dnslookup" line to the following:

driver = manualroute

Then below the last line that says "transport = remote_smtp", add the following lines:

route_list = * xx.xx.xx.xx
host_find_failed = defer
no_more

The "xx.xx.xx.xx" should be replaced with the IP address of the remote email server. Use the actual IP address rather than the domain name so that exim doesn't have to repeatedly look up the IP address on every outgoing email. Make sure there is a space between the asterisk and the IP address. The asterisk indicates that ALL outgoing mail will go to the remote email server.

The "host_find_failed = defer" line will tell exim to hold the mail in its mail queue if the remote host is down for any reason. It will send the mail out once the remote host is available.

Now, press CTRL-x to save the file and exit pico. Your changes will go into effect once you restart exim. You can do that from the WHM panel or, from CentOS while you are still in the shell, with the following command:

/etc/init.d/exim restart

Of course, it's beyond the scope of this message, but the remote email server will also have to be configured to relay email from your server.

One thing to remember is if you do an update to exim, your changes will most likely be overwritten and you'll have to manually edit the file again. Maybe this feature can be added to a future WHM release. It would be very easy to implement.

-Maurice
 

cPanelTristan

Quality Assurance Analyst
Staff member
Actually, you can set up a smarthost in WHM > Exim Configuration Editor > Advanced Editor section, which would handle this using these steps:

1. Log into WHM
2. Click on Exim Configuration Editor > Advanced Editor
3. Find this section:

######################################################################
# ROUTERS CONFIGURATION #
# Specifies how remote addresses are handled #
######################################################################
# ORDER DOES MATTER #
# A remote address is passed to each in turn until it is accepted. #
######################################################################

# Remote addresses are those with a domain that does not match any item
# in the "local_domains" setting above.

#
# Demo Safety Router
#

democheck:
driver = redirect
require_files = "+/etc/demouids"
condition = "${if eq {${lookup {$originator_uid} lsearch {/etc/demouids} {$value}}}{}{false}{true}}"
allow_fail
data = :fail: demo accounts are not permitted to relay email
Directly below it in the box there, put the following:

Code:
send_to_smart_host:
driver = manualroute
route_list = !+local_domains mailfilterserver.domain.com
transport = remote_smtp
Change mailfilterserver.domain.com to the name of the filtering server. Save the area.
 

mopar93

cPanelTristan's method is better because you don't have to worry about exim.conf getting replaced periodically. I've run into that problem twice now in the past week. So, I decided to use cPanelTristan's suggestion.

However, in my case, I changed it around a little because I use two smarthosts. This way, if one email server is down for any reason, the other one will still get the mail delivered. Plus I added the defer line in case both are down. Here's the code I put in the box where cPanelTristan described:

send_to_smart_host:
driver = manualroute
domains = !+local_domains
route_list = * "xx.xx.xx.xx : yy.yy.yy.yy" randomize
host_find_failed = defer
transport = remote_smtp

xx.xx.xx.xx and yy.yy.yy.yy are my two outgoing mail servers. Replace those with the IP addresses of your two mail servers. If you have 3 outgoing servers, just add another one separated by a colon. The "randomize" command will tell exim to pick an outgoing server randomly. Without that, I think it will always choose the first one. You can put the domain names there instead of the IP addresses, but I like to use the actual IP addresses to save a DNS lookup on every outgoing email. The IPs don't change anyway.

Hopefully this will hold up between updates and overwrites.

Thanks Tristan, for the hint on where to put this code.

-Maurice
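
Added example, not part of any post in this thread: a check that outgoing mail really leaves through the filtering hosts after either smarthost router above is in place, by scanning Exim main-log delivery lines for remote deliveries to any other host. The approved addresses in `SMARTHOSTS` and the sample log lines are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): list deliveries that left the server
# without passing through an approved smarthost.
# SMARTHOSTS and the sample log lines are constructed (RFC 5737 addresses).
SMARTHOSTS="192.0.2.10 192.0.2.11"

# Reads Exim main-log lines (stdin or file arguments) and prints
# "msgid recipient router host_ip" for each offending delivery.
find_bypass() {
    awk -v allowed="$SMARTHOSTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # "=>" is a delivery, "->" an additional recipient of the same delivery
    $4 == "=>" || $4 == "->" {
        router = ""; ip = ""
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^C=/) break               # free-text SMTP response follows
            if ($i ~ /^R=/) router = substr($i, 3)
            # remote deliveries log H=name [address], optionally [address]:port
            if ($i ~ /^H=/ && $(i + 1) ~ /^\[/) {
                ip = $(i + 1); sub(/^\[/, "", ip); sub(/\].*$/, "", ip)
            }
        }
        # local deliveries have no H= field and are skipped
        if (ip != "" && !(ip in ok)) print $3, $5, router, ip
    }' "$@"
}

# Constructed log excerpt: one relayed delivery, one that bypassed the
# smarthost via lookuphost, one local delivery, one relayed on port 587.
sample_log() {
    cat <<'EOF'
2011-01-05 10:15:02 1PaAAA-0001Ab-CD <= alice@hosted.example U=alice P=local S=812
2011-01-05 10:15:03 1PaAAA-0001Ab-CD => bob@remote.example R=send_to_smart_host T=remote_smtp H=192.0.2.10 [192.0.2.10] C="250 OK"
2011-01-05 10:15:03 1PaAAA-0001Ab-CD Completed
2011-01-05 10:16:40 1PaBBB-0001Ef-GH => carol@remote.example R=lookuphost T=remote_smtp H=mx.remote.example [198.51.100.25] C="250 OK [queued]"
2011-01-05 10:17:11 1PaCCC-0001Ij-KL => dave <dave@hosted.example> R=localuser T=local_delivery
2011-01-05 10:18:20 1PaDDD-0001Mn-OP -> erin@remote.example R=send_to_smart_host T=remote_smtp H=192.0.2.11 [192.0.2.11]:587 C="250 OK"
EOF
}

sample_log | find_bypass
```

On a cPanel server the main log is /var/log/exim_mainlog, and `exim -bt address` shows which router a test address would take before any mail is sent.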
 

cPanelTristan

Quality Assurance Analyst
Staff member
We would need to know what MTA and filtering appliance you will be using for the machine that will be handling email relayed from the cPanel one. It isn't possible currently to answer that question. I would presume the smart host machine must accept email relayed through it, though, so that it filters the email, then sends it on its merry way.
 

SoftDux

cPanelTristan said:
> Actually, you can set up a smarthost in WHM > Exim Configuration Editor > Advanced Editor section, which would handle this using these steps:
>
> 1. Log into WHM
> 2. Click on Exim Configuration Editor > Advanced Editor
> 3. Find this section:
>
> Directly below it in the box there, put the following:
>
> Code:
> send_to_smart_host:
> driver = manualroute
> route_list = !+local_domains mailfilterserver.domain.com
> transport = remote_smtp
> Change mailfilterserver.domain.com to the name of the filtering server. Save the area.

Tristan,

How do I tell Exim inside WHM (i.e. following these steps) to use SMTP authentication?