Last modified: December 10, 2024
Looking for this interface?
Your hosting provider can enable or disable this interface for resellers in WHM's Edit Reseller Nameservers and Privileges interface (WHM >> Home >> Resellers >> Edit Reseller Nameservers and Privileges).
Overview
Select the Basic Editor tab in the Exim Configuration Manager interface to modify your server’s Exim configuration settings.
All
This tab displays all available settings. To filter the displayed settings, select a category tab. You can also use the Find text box to search for a specific Basic Editor setting.
ACL Options
These settings limit who can send mail to your server. Use these settings to minimize bandwidth usage, prevent spam, and block emails with a forged sender address (spoofed emails).
The system discards any email messages that it rejects at SMTP time.
Apache SpamAssassin™ reject spam score threshold
This setting sets the spam score that Apache SpamAssassin™ uses to reject incoming messages.
Enter a positive or negative number, which may contain a single decimal point.
If you enter a value that contains an integer greater than or less than 0
and a decimal point, Apache SpamAssassin multiplies the value that you enter by a measure of ten. For example, if you enter a spam score threshold of 1.6
, Apache SpamAssassin sets the threshold to 16
.
This setting defaults to No reject rule by spam score.
Dictionary attack protection
This setting allows you to drop and rate-limit hosts with more than four failed recipients, in order to block dictionary attacks. A dictionary attack is a method whereby a malicious user uses words in a dictionary to produce email addresses or password attempts.
This setting defaults to On.
Reject remote mail sent to the server’s hostname
This setting allows you to reject messages in which the recipient exists as an address of your server’s primary hostname. In general, the primary hostname, a common target for spammers, should not receive remote mail.
This setting defaults to Off.
Enable Apache SpamAssassin™ for secondary MX domains
This setting configures Apache SpamAssassin to scan email for domains that exist in the /etc/secondarymx
file which users send to the primary mail exchanger.
This setting defaults to On.
Ratelimit suspicious SMTP servers
This setting allows you to rate-limit incoming SMTP connections that violate RFCs. This setting rate-limits mail servers that do not send QUIT, recently matched an RBL, or recently attacked the server. Real mail servers must follow RFC specifications.
To ensure that the system does not rate-limit an SMTP connection, add the server to a whitelist. This allows the system to deliver mail from connections that violate RFCs to your inbox. To add a server to a whitelist, edit the Only-verify-recipient setting in the Access Lists tab, and enter the IP address of the trusted server.
This setting defaults to On.
Apache SpamAssassin™: ratelimit spam score threshold
This setting allows you to rate-limit hosts that send spam to your server. When you activate this setting, rate limits delay email from hosts that send you spam. The system activates rate limits when it meets both of the following conditions:
-
A host reaches or exceeds the Apache SpamAssassin score that you enter in the text box.
-
That host exceeds the number of emails that the rate-limit formula specifies. Exim averages rate limits over time. By default, the system uses the following rate-limit formula:
ratelimit = 1.2 / 1h / strict / per_conn / noupdate
This setting defaults to No ratelimiting by spam score.
Ratelimit incoming connections with only failed recipients
This setting allows you to rate-limit incoming SMTP connections that only send email to failed recipients during five separate connection times in the past hour.
This setting defaults to On.
Require HELO before MAIL
This setting allows you to require that incoming SMTP connections send a HELO command before they send a MAIL command.
A HELO is a command that mail servers send before an email, and that specifies the name of the sending domain. Apache SpamAssassin can perform various checks on this information (for example, it can ensure that the domain name matches the IP address that sent the message). This ensures that your server does not receive spam that reports a false domain name.
This setting defaults to On.
Introduce a delay into the SMTP transaction for unknown hosts and messages detected as spam.
This setting configures the SMTP receiver to wait a few additional seconds for a connection when it detects spam messages. Typically, legitimate mailing systems will wait past the delay, whereas spammers do not wait past the delay.
The system excludes the following remote hosts from the delay:
-
Neighbor IP addresses in the same netblock
-
Loopback addresses
-
Trusted Hosts
-
Relay Hosts
-
Backup MX Hosts
-
Skip SMTP Checks Host
-
Sender Verify Bypass Hosts
-
If you use third-party sites to diagnose mail server issues, this setting may falsely detect spam messages.
-
If your external monitoring system reports failures after you update your server, configure your monitoring system to allow 45 seconds timeout for connections to port
25
. For more information about how to adjust the timeout and polling settings, read your monitoring system’s documentation.-
If that does not resolve the problem, add the IP address of your monitoring system to the Trusted SMTP IP Addresses section of WHM’s Exim Configuration Manager interface (WHM » Home » Service Configuration » Exim Configuration Manager).
-
If you still encounter errors on your monitoring system, disable the Introduce a delay into the SMTP transaction for unknown hosts and messages detected as spam setting in the Basic Editor section of WHM’s Exim Configuration Manager interface (WHM » Home » Service Configuration » Exim Configuration Manager). However, this will likely result in an increase in spam that your server receives.
-
This setting defaults to On.
Do not delay the SMTP connections for hosts in the Greylisting “Trusted Hosts” list
This setting configures the SMTP receiver to not delay any hosts that you add to the list in the Trusted Hosts tab in WHM’s Greylisting interface (WHM » Home » Email » Greylisting).
This setting defaults to On.
Do not delay the SMTP connections for hosts in the Greylisting “Common Mail Providers” list
This setting configures the SMTP receiver to not delay any hosts that you add to the list in the Common Main Providers tab in WHM’s Greylisting interface (WHM » Home » Email » Greylisting).
This setting defaults to Off.
Require remote (hostname/IP address) HELO
This setting allows you to require that incoming SMTP connections send a HELO command that does not match the primary hostname or a local IP address (IPv4 or IPv6). Enable this setting to block emails with a forged sender address (spoofed emails).
This setting defaults to On.
Require remote (domain) HELO
This setting allows you to require that incoming SMTP connections send a HELO command that does not match your server’s local domains. Enable this setting to block emails with a forged sender address (spoofed emails).
This setting defaults to Off.
Require RFC-compliant HELO
This setting allows you to require that incoming SMTP connections send a HELO command that conforms with the internet standards in RFC 2821 4.1.1.1.
If you enable this setting, it overrides any entries in the /etc/alwaysrelay
and /etc/relayhosts
files.
This setting defaults to On.
Allow DKIM verification for incoming messages
This setting allows you to use DomainKeys Identified Mail (DKIM) verification to verify incoming messages.
This verification process can slow your server’s performance.
This setting defaults to Off.
Reject DKIM failures
This setting allows you to reject email at SMTP time if the sender fails DKIM key validation.
You must set the Allow DKIM verification for incoming messages setting to On to enable this setting.
This setting defaults to Off.
Maximum message recipients (soft limit)
This setting allows you to determine the number of recipient addresses your server accepts in a single message.
RFCs specify that SMTP servers must accept at least 100 RCPT commands for a single message.
This setting defaults to No rejection based on number of recipients.
Maximum message recipients before disconnect (hard limit)
This setting allows you to determine the number of recipient addresses that your server permits in a single message before it disconnects and rate-limits a connection.
RFCs specify that SMTP servers must accept at least 100 RCPT commands for a single message.
This setting defaults to No disconnection based on number of recipients.
Access Lists
These settings further limit who sends mail to your server.
Blacklisted SMTP IP addresses
This setting allows you to edit the list of blacklisted SMTP IP addresses. The system does not allow these IP addresses to connect to the SMTP server, and instead drops connections with a 550 error.
Click Edit to modify this setting.
Sender verification bypass IP addresses
This setting allows you to edit the list of IP addresses that the system excludes from SMTP sender verification checks.
Click Edit to modify this setting.
Only-verify-recipient
This setting allows you to edit the list of hosts or IP addresses that the system excludes from all spam checks at SMTP connection time, except recipient verification checks. The system adds any hosts or IP addresses you enter here to the /etc/trustedmailhosts
file.
Click Edit to modify this setting.
Trusted SMTP IP addresses
This setting allows you to edit the list of hosts or IP addresses that the system excludes from the following checks at SMTP connection time:
-
Recipient verification checks
-
Sender checks
Note:These senders must still use an RFC-compliant HELO name if the Require RFC-compliant HELO setting is enabled.
-
Spam checks
-
Relay checks.
Note:The system adds any hosts’ IP addresses that you enter here to the
/etc/skipsmtpcheckhosts
file.
Click Edit to modify this setting.
Backup MX hosts
This setting allows you to edit the list of hosts from which the system permits SMTP connections, regardless of rate limits. Make certain that you properly configure reverse DNS records for any hosts which you enter here.
Click Edit to modify this setting.
Trusted mail users
The Trusted mail users setting allows system administrators to designate certain users as trusted mail users. This setting affects the EXPERIMENTAL: Rewrite From: header to match actual sender setting in the Mail tab. Trusted users can bypass the EXPERIMENTAL: Rewrite From: header to match actual sender setting. The Trusted mail users setting allows the listed users to modify their From: header, and the EXPERIMENTAL: Rewrite From: header to match actual sender setting does not override these changes. Enter the trusted mail usernames or their email addresses, one per line.
Click Edit to modify this setting.
Blocked Domains
This setting allows you to filter your server’s incoming email by domain.
When you click Manage, a new browser tab will appear with WHM’s Filter Incoming Emails by Domain interface (WHM » Home » Email » Filter Incoming Emails by Domain).
Blocked Countries
This setting allows you to filter your server’s incoming email by region or country.
When you click Manage, a new browser tab will appear with WHM’s Filter Incoming Emails by Country interface (WHM » Home » Email » Filter Incoming Emails by Country).
Domains and IPs
These settings change the IP address from which Exim sends mail. When you disable them, Exim will automatically send mail from your server’s main shared IP address. For more information, read our How to Configure the Exim Outgoing IP Address documentation.
Send mail from the account’s IP address
This setting allows you to automatically send mail for users without a dedicated IP address from a reseller’s main shared IP address. It will not use the server’s main shared IP address. The system will also use the server’s hostname for reseller accounts that share an IP address. If you want to change this, you must use a custom configuration.
Make certain that you use the correct reverse DNS (rDNS) entries for your hosting provider. An invalid entry can cause mail servers to reject your server’s mail. For more information, read our How to Configure Reverse DNS in WHM documentation.
-
This setting only applies to IPv4 addresses.
-
When you enable this setting:
-
The
/usr/local/cpanel/scripts/updateuserdomains
script will automatically populate the/etc/mailhelo
and/etc/mailips
files. This will overwrite any manual changes in the/etc/mailhelo
and/etc/mailips
files. -
The system disables the Reference /etc/mailhelo for custom outgoing SMTP HELO and Reference /etc/mailips for custom IP on outgoing SMTP connections settings.
-
This setting defaults to Off.
Use the reverse DNS entry for the mail HELO/EHLO if available
The system will use the server’s IP address as the reverse DNS for all outgoing SMTP connections. This only applies during the HELO/EHLO request.
This setting defaults to On.
Rebuild Reverse DNS Cache and Update Mail HELO
This setting updates the reverse DNS cache and user domains for mail HELO. This setting only appears when you enable the Use the reverse DNS entry for the mail HELO/EHLO if available setting.
Reference /etc/mailhelo for custom outgoing SMTP HELO
This setting allows you to send a HELO command based on the domain name in the /etc/mailhelo
file. For more information, read our How to Configure the Exim Outgoing IP Address documentation.
The system disables this setting if you enable the Send mail from account’s IP address or the Use the reverse DNS entry for the mail HELO/EHLO if available settings.
This setting defaults to Off.
Reference /etc/mailips for custom IP on outgoing SMTP connections
This setting allows you to send outgoing mail from the IP address that matches the domain name in the /etc/mailips
file. For more information, read our How to Configure the Exim Outgoing IP Address documentation.
The system disables this setting if you enable the Send mail from account’s IP address setting.
This setting defaults to Off.
Filters
These settings allow you to select and configure filters that can block spam and potentially dangerous attachments.
System Filter File
Use this setting to enable or disable Exim’s system filter file, which the system stores in the /etc/cpanel_exim_system_filter
file. You can also choose to specify and customize another Exim system filter file.
Regardless of the setting that you select, the Exim configuration includes all of the files in the /usr/local/cpanel/etc/exim/sysfilter/options/
directory.
This setting defaults to /etc/cpanel_exim_system_filter.
Attachments: Filter messages with dangerous attachments
Select this setting to filter email messages that contain potentially dangerous attachments. The system filters the following file extensions:
.ade
.adp
.bas
.bat
.chm
.cmd
.com
.cpl
.crt
.eml
.exe
.hlp
.hta
.inf
.ins
.isp
.js
.jse
.lnk
.mdb
.mde
.msc
.msi
.msp
.mst
.pcd
.pif
.reg
.scr
.sct
.shs
.url
.vbs
.vbe
.wsf
.wsh
.wsc
This setting defaults to On.
Apache SpamAssassin™: Global Subject Rewrite
Select this setting to prefix the Subject header with information from the X-Spam-Subject header and omit the X-Spam-Subject header.
This setting defaults to On.
Apache SpamAssassin™: bounce spam score threshold
Select this setting to define the spam score that Apache SpamAssassin uses to bounce incoming messages. Enter a positive or negative number, which may contain a single decimal point. For more information, read the Apache SpamAssassin documentation.
This setting defaults to No bouncing by spam score.
Apache SpamAssassin™: X-Spam-Subject/Subject header prefix for spam emails
Select this setting to use the default X-Spam-Subject header prefix for spam email or to enter a custom prefix.
You can use an Exim variable as a custom prefix. For a complete list of Exim’s variables, read Exim’s documentation.
This setting defaults to ***SPAM***.
Use these settings to configure specific mail settings.
Log sender rates in the exim mainlog. This can be helpful for tracking problems and/or spammers.
This setting allows you to log sender rates in the Exim mail log.
This setting defaults to Off.
Sender Verification Callouts
This setting allows Exim to connect to the mail exchanger for an address. This allows Exim to verify that the address exists before Exim accepts the message.
This setting defaults to Off.
Smarthost support
This setting allows you to use a smarthost for outgoing messages. To configure this setting, enter a valid route_list
value in the Smarthost support text box.
-
If you enter IPv6 addresses, you must enclose the IP addresses in quotes and begin the list with
</
to cause Exim to use slashes (/
) as separators. Otherwise, Exim will interpret the colons in each IPv6 address as separators, and use each segment of the IPv6 address as a separate host. For more information, read the Exim route_list documentation. -
If you do not enter an asterisk before the IP address or addresses, the smarthost will not function.
-
To configure a smarthost that uses one IP address, enter an asterisk (
*
) followed by an IPv4 or IPv6 address. For example:1 2
* 192.168.0.1 * "</ 2001:0db8:85a3:0042:1000:8a2e:0370:7334"
-
To configure a smarthost that uses multiple IP addresses, enter an asterisk, followed by the IP addresses. For example:
1 2
* 192.188.0.20:192.188.0.21:192.188.0.22 * "</ [2001:0db8:85a3:0042:1000:8a2e:0370:7334]:1225 / [::1]:1226 / 192.168.0.1"
-
To configure a smarthost that uses only specific domains from the hosts that you enter, replace the asterisk with the desired domain name. Separate entries for multiple domain names with a semicolon (
;
). For example:- For IPv4 domains:
example.com 192.188.0.20:192.188.0.21:192.188.0.22; exampletwo.com 192.168.0.1
- For IPv6 domains:
example.com "</ [2001:0db8:85a3:0042:1000:8a2e:0370:7334]:1225 / [::1]:1226 / 192.168.0.1"; exampletwo.com "</ 2001:0db8:85a3:0042:1000:8a2e:0370:7334"
- For IPv4 domains:
This setting defaults to None.
Smarthost requires SMTP authentication
You can use the Basic Editor to manage smarthost configuration for domains that use the same credentials. If you used the Advanced Editor tab to modify the default configuration of Exim for smarthosts, you may be able to use the Basic Editor function now.
Use this setting to provide a username and a password for Exim to use when connecting to the smarthost servers. You must enter a valid route_list
value in the Smarthost support text box in order to use this setting.
When you select the On button for the Smarthost requires SMTP authentication function, Exim will use SMTP authentication for all servers listed in the route_list
.
This setting defaults to Off.
Smarthost username
Use this setting to provide the username that Exim will use to connect to the smarthost servers.
- You must set the Smarthost requires SMTP authentication setting to On to enable this setting.
- Due to limitations with Exim, the username and password cannot start or end with spaces or start with a caret character (
^
). - You cannot use this setting if multiple smarthosts require different login credentials. Use the Advanced Editor tab on WHM’s Exim Configuration Manager interface (WHM » Service Configuration » Exim Configuration Manager) instead.
Smarthost password
Use this setting to provide the password that Exim will use to connect to the smarthost servers.
- You must set the Smarthost requires SMTP authentication setting to On to enable this setting.
- Due to limitations with Exim, the username and password cannot start or end with spaces or start with a caret character (
^
). - You cannot use this setting if multiple smarthosts require different login credentials. Use the Advanced Editor tab on WHM’s Exim Configuration Manager interface (WHM » Service Configuration » Exim Configuration Manager) instead.
Autodiscovery SPF include hosts from the smarthost route list
This setting allows the system to check the smarthost route list labels for SPF entries and insert an include entry to the SPF records. For example, example.com
has an SPF record and the * outbound.example.com
smarthost routelist setting. The system adds an include entry for all SPF-enabled domains.
This setting defaults to On.
SPF include hosts for all domains on this system
This setting allows you to enter hosts that the system will add as SPF include entries for all SPF enabled-domains.
Use commas (,
) to separate multiple host entries.
This setting defaults to None.
EXPERIMENTAL: Rewrite From: header to match actual sender
This setting rewrites the From header in emails to show the original identity of the actual sender for messages sent from your server. Email recipients can see the original From header as the X-From-Rewrite header as well as the rewritten From header. This setting is useful to determine the actual mail sender.
In order to conduct an attack or send unsolicited email, a malicious user can alter the From header in an email to confuse the recipient. For example, a user may authenticate as [email protected]
and send a message with the From header set to [email protected]
. When you enable this setting, Exim rewrites the From header to show the authenticated sender ([email protected]
).
You can enable this setting to ensure that the From header for mail sent from their servers always matches one of the following methods:
-
The actual sender. — If you authenticate as
[email protected]
, the From header will always display[email protected]
. -
An email address that has been forwarded to the actual sender. — If
[email protected]
is an email address on your server and it forwards mail to[email protected]
, then[email protected]
may set the From header to either address. -
An email address to which the sender has access. — If you authenticate as the
username
user, set the From header to any email account that theusername
user controls.
- This setting does not affect mail that you receive from a remote host. The system only rewrites the From header for mail that it sends from the local machine because it is not possible to determine or validate the actual mail sender from remote machines.
- Trusted mail users can bypass this setting.
You can select the following settings:
-
remote — This setting uses SMTP to rewrite the From header in outgoing emails to match the actual sender.
- If a local user sends mail to a user on a remote host, this setting rewrites the From header.
- If a local user receives mail from a user on a remote host, this setting does not rewrite the From header because it is not possible to determine the authenticated sender.
- If a local user sends mail to another local user on the same server, this setting does not rewrite the From header because this is not a remote delivery.
- If a local user receives mail from another local user on the same server, this setting does not rewrite the From header.
-
all — This setting rewrites the From header in all outgoing emails to match the actual sender.
- If a local user sends mail to a user on a remote host, the system rewrites the From header.
- If a local user receives mail from a user on a remote host, this setting does not rewrite the From header because it is not possible to determine the authenticated sender.
- If a local user sends mail to another local user on the same server, this setting rewrites the From header because this setting includes local deliveries.
- If a local user receives mail from another local user on the same server, this setting rewrites the From header because the sender already rewrote the From header.
-
disable — This setting does not rewrite the From header in any email. This is the default setting.
Allow mail delivery if malware scanner fails
This setting allows the system to deliver mail if the malware scanner if it fails. If you select On, in the event of a malware scanner failure, the server delivers all mail normally.
If you select Off and the malware scanner fails, users will not receive new messages until you repair the malware scanner.
This setting defaults to On.
Sender Verification
This setting allows you to verify the origin of mail senders.
This setting defaults to On.
Set SMTP Sender: headers
This setting allows you to set the Sender: header as -f flag passed to sendmail when a mail sender changes.
If you set this setting to Off, Microsoft® Outlook® will not add an On behalf of header. This may limit your ability to track abuse of the mail system.
This setting defaults to Off.
Allow mail delivery if spam scanner fails
This setting allows you to disable the spam scanner if it fails. If you select On, the system delivers all mail normally in the event of a spam scanner failure.
If you select Off and the spam scanner fails, users will not receive new messages until you repair the spam scanner.
This setting defaults to On.
Enable Sender Rewriting Scheme (SRS) Support
This setting rewrites sender addresses so that the email appears to come from the forwarding mail server. This allows forwarded email to pass an SPF check on the receiving server.
This setting uses the default configuration for SRS. If you wish to customize the SRS configuration, use the Advanced Editor interface.
This setting defaults to Off.
Query Apache server status to determine the sender of email sent from processes running as nobody
This setting allows the mail delivery process to query the Apache server to determine the true sender of a message when the nobody
user sends a message.
-
This setting requires an additional connection to the server for each message that the
nobody
user account sends when suPHP and the mod_ruid2 module are both disabled. -
This setting is more secure, but it is faster to trust the X-PHP-Script headers.
This setting defaults to On.
Trust X-PHP-Script headers to determine the sender of email sent from processes running as nobody
This setting allows Exim to trust messages that the nobody
user sends with X-PHP-Script headers. This setting also enables the mail server to determine the true sender. This provides a faster delivery process than a query to the Apache server to determine the sender.
Advanced users may forge this header. If your users may misuse this function, disable this setting and send a query to the Apache server to determine the sender of nobody
messages.
This setting defaults to On.
Hosts to which to advertise the SMTP DSN option
This setting allows you to specify a list of hostnames to which to advertise SMTP Delivery Status Notification (DSN) support. Enter a list of hostnames to which to advertise the SMTP DSN extension in the text box, or an asterisk ( *
) to advertise to all of the hosts on the internet.
For more information about SMTP DSN support, read ietf.org’s RFC 3461 documentation.
This setting defaults to Disabled for all hosts.
Hosts to which to advertise the SMTPUTF8 SMTP option
This setting allows you to specify a list of hostnames to which to advertise SMTP support for international email addresses that contain UTF-8 characters. Enter a list of hostnames to which to advertise the SMTP UTF-8 support in the text box, or an asterisk ( *
) to advertise to all of the hosts on the internet.
For more information about SMTPUTF8 support, read ietf.org’s RFC 6531 documentation.
This setting defaults to Disabled for all hosts.
Delivery behavior for suspended cPanel accounts
This setting configures what action the server should perform when an email message is sent to a suspended account. To read more information about suspended accounts, read our Manage Account Suspension documentation.
Delivering email to a suspended account requires the evaluation of filters, redirection lists, and other data that can be abused to retain access to the server. For more information, read our What Happens When You Suspend an Account documentation.
This setting defaults to Accept and queue messages.
Maximum line length for SMTP transports
This setting allows you to set the maximum line length for SMTP transports in bytes. The system will refuse to send (bounce) any messages longer than the maximum line length. On bouncing a message, the system will attempt to return a failure message to the sender.
This setting defaults to 2048.
RBLs
These settings allow you to configure your mail server to check incoming mail against the available Real-time Blackhole Lists (RBLs). Your server blocks the incoming messages if the IP address or hostname matches an RBL entry.
RBL servers store lists of spam-heavy IP addresses and hostnames so that you can easily block them. The WHM interface accesses two RBLs: bl.spamcop.net
and zen.spamhaus.org
.
Manage Custom RBLs
Click Manage to view and manage your server’s RBLs. A new interface will appear. The Current RBLs table lists the following information for each RBL:
-
Origin — The source of the RBL.
- Custom — Indicates that you added the RBL.
- System — Indicates cPanel-included RBLs.
-
RBL name — The RBL’s name.
-
DNS list — The RBL’s DNS list.
-
Info URL — The RBL information URL.
-
Action — For custom RBLs, click Delete to remove the RBL.
Note:-
You cannot delete cPanel-included RBLs.
-
To add an RBL, enter the appropriate information in the text boxes and click Add.
- Make certain that you choose an RBL name that allows you to remember the DNS list for this RBL.
- After you add custom RBLs, each custom RBL will appear at the bottom of the RBLs settings tab. Select On to enable a custom RBL.
- Custom RBLs default to Off.
-
RBL: bl.spamcop.net
This setting allows you to reject mail at SMTP-time if the sender’s host is in the bl.spamcop.net RBL.
This setting defaults to Off.
RBL: zen.spamhaus.org
This setting allows you to reject mail at SMTP-time if the sender’s host is in the zen.spamhaus.org RBL.
This setting defaults to Off.
Exempt servers in the same netblock as this one from RBL checks
This setting allows you to disable RBL checks of mail from servers in the same IANA netblock.
This setting defaults to On.
Exempt servers in the Greylisting “Common Mail Providers” list from RBL checks
This setting allows you to disable RBL checks of mail from an IP address block that you include in the Common Mail Providers list in WHM’s Greylisting interface (WHM » Home » Email » Greylisting).
This setting defaults to On.
Exempt servers in the Greylisting “Trusted Hosts” list from RBL checks
This setting allows you to disable RBL checks of mail from IP address blocks that you include in the Trusted Hosts list in WHM’s Greylisting interface (WHM » Home » Email » Greylisting).
This setting defaults to Off.
Whitelist: IP addresses that should not be checked against RBLs
This setting allows you to choose a list of IP addresses to whitelist. Exim does not RBL-check these addresses.
Enter one IP address per line in the text box. You may also use CIDR notation to specify an address range. For example, to whitelist the IP addresses 10.88.135.144
and 10.88.135.145
, you would whitelist the CIDR range 10.88.135.144/31
.
Security
These settings allow you to configure security settings for your mail server.
Allow weak SSL/TLS ciphers
This setting allows you to use weak SSL/TLS encryption ciphers.
- Weak SSL/TLS encryption ciphers violate PCI compliance. For more information about PCI compliance, read the PCI Compliance Guide.
- cPanel & WHM supports Transport Layer Security (TLS) protocol version 1.2 and Transport Layer Security (TLS) protocol version 1.3:
- cPanel & WHM only supports TLSv1.2 or later. The system enables TLSv1.2 by default.
- Not all clients will support TLSv1.3, which requires OpenSSL 1.1.1 or higher.
This setting defaults to Off.
Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server.
This setting allows you to specify whether clients must connect with SSL or issue the STARTTLS
command before they authenticate.
This setting defaults to On.
Scan messages for malware from authenticated senders (exiscan).
To view this setting, you must install ClamAV on your server.
This setting configures the ClamAVconnector plugin to scan all outbound messages for malware. The system rejects any mail that tests positive for malware.
This setting defaults to Off.
Scan outgoing messages for malware
To view this setting, you must install ClamAV on your server.
This setting configures the ClamAVconnector plugin to scan mail from non-whitelisted domains for malware. The system rejects any mail from non-whitelisted domains that tests positive for malware.
This setting defaults to Off.
Options for OpenSSL
This setting configures SSL and TLS protocols in OpenSSL that Exim will use to securely communicate with client software. Either select the default setting or enter a space-separated list of protocols that you wish to disallow in the text box. For more information about OpenSSL’s protocol settings, read OpenSSL’s Client documentation.
SSL/TLS Cipher Suite List
This setting allows you to configure the cipher suites in OpenSSL that Exim uses to securely communicate with client software. Either select the default setting or enter a cipher suite that you wish to use. For more information about cipher suites available to OpenSSL, read OpenSSL’s Cipher documentation.
Apache SpamAssassin™ Options
These settings allow you to configure Apache SpamAssassin to suit your server’s needs. Apache SpamAssassin is a spam detection and blocking program which examines the content of an email message and assigns it an overall score. Apache SpamAssassin bases this score on the number of spam-related traits that it finds in the message. If the message’s score exceeds a predefined limit, Apache SpamAssassin discards it as spam.
Any changes that you make to Apache SpamAssassin’s configuration may require you to run /usr/local/cpanel/3rdparty/bin/sa-compile
before they take effect.
Apache SpamAssassin™: Forced Global ON
This setting allows you to turn on Apache SpamAssassin for all accounts on the server without a setting for the users to disable it.
This setting defaults to Off.
Apache SpamAssassin™: message size threshold to scan
This setting allows you to set the maximum size, in Kilobytes (KB), for messages that Apache SpamAssassin scans. It is generally inefficient to scan large messages because spam messages are typically small (4
KB or smaller).
This setting defaults to 1000 KB.
Scan outgoing messages for spam and reject based on the Apache SpamAssassin™ internal spam_score setting
This setting allows Apache SpamAssassin to scan and reject messages to non-local domains with a higher spam score than Apache SpamAssassin’s internal spam_score
setting of 5
.
- This setting does not affect outbound forwarded mail. Forwarders use the Do not forward mail to external recipients if it matches the Apache SpamAssassin™ internal spam_score setting setting.
- Enabling this setting disables the Scan outgoing messages for spam and reject based on defined Apache SpamAssassin™ score setting.
This setting defaults to Off.
Scan outgoing messages for spam and reject based on defined Apache SpamAssassin™ score
This setting allows you to set the spam_score
threshold that Apache SpamAssassin uses to determine when it rejects messages to non-local domains. To enable this setting, enter a number to use as a minimum spam score in the text box.
- This value must be a number between
0.1
and99.9
. - This value only accepts one decimal place.
- This setting does not affect outbound forwarded mail. Forwarders use the Do not forward mail to external recipients based on the defined Apache SpamAssassin™ score setting.
- Enabling this setting disables the Scan outgoing messages for spam and reject based on the Apache SpamAssassin™ internal spam_score setting setting.
This setting defaults to Disabled.
Do not forward mail to external recipients if it matches the Apache SpamAssassin™ internal spam_score setting
This setting allows Apache SpamAssassin to scan and reject messages in the forwarder queue with a higher spam score than Apache SpamAssassin’s internal spam_score
setting of 5
. The system disables this setting by default.
This setting defaults to Off.
To use this setting, each user must have enabled Apache SpamAssassin™. Your server administrator may also enable the Apache SpamAssassin™: Forced Global ON setting to ensure that the Apache SpamAssassin has access to each user.
Do not forward mail to external recipients based on the defined Apache SpamAssassin™ score
This setting allows you to set the spam_score
threshold that Apache SpamAssassin uses to determine whether it rejects messages that users forward to non-local domains. To enable this setting, enter a number to use as a minimum spam score in the text box.
- This value must be a number between
0.1
and99.9
. - This value only accepts one decimal place.
This setting defaults to Disabled.
To use this setting, each user must have enabled Apache SpamAssassin™. Your server administrator may also enable the Apache SpamAssassin™: Forced Global ON setting to ensure that the Apache SpamAssassin has access to each user.
Enable BAYES_POISON_DEFENSE Apache SpamAssassin™ ruleset
This setting increases the scoring thresholds that the Bayes Poison Defense module needs to learn SPAM and HAM (not spam). This helps Apache SpamAssassin to better protect the system against spammers who use Bayes poisoning.
This setting defaults to On.
Enable Passive OS Fingerprinting for Apache SpamAssassin™
This setting allows Apache SpamAssassin to use Passive OS Fingerprinting.
You must enable the Passive OS Fingerprinting setting in WHM’s Service Manager interface (WHM » Home » Service Configuration » Service Manager) for this setting to function.
This setting defaults to On.
Enable KAM Apache SpamAssassin™ ruleset
This setting allows Apache SpamAssassin to use the Kevin A. McGrail’s KAM ruleset, with significant contributions from Joe Quinn. For more information about the KAM ruleset, read the module’s website.
This setting defaults to On.
Enable the Apache SpamAssassin™ ruleset that cPanel uses on cpanel.net
This setting allows Apache SpamAssassin to use the ruleset that WebPros International, LLC uses on the cpanel.net
servers.
This setting defaults to On.