We recommend that you install and use the MailChannels cPanel plugin for setup and configuration. This document contains instructions on how to manually set up a cPanel server to route outbound messages through the MailChannels anti-abuse platform and should only be used if you are unable to install and use the cPanel plugin.
The MailChannels cPanel plugin configures your routing in the POSTMAILCOUNT section of your cPanel mail configuration and not under ROUTERSTART to preserve and honor any outbound quotas you may have created.
MailChannels cPanel & WHM plugin for Outbound Filtering
If you have reached the outbound configuration area for the MailChannels cPanel plugin and would also like to set up Inbound protections for your domain(s), the following article outlines how to configure the Inbound settings of your plugin:
MailChannels cPanel & WHM Plugin for Inbound Filtering
Note: If you have previously configured cPanel manually for outbound protection, you will need to remove those settings from your configuration files manually before installing and configuring the plugin. Those steps are provided in the applicable MailChannels cPanel & WHM plugin guides linked above.
MailChannels Outbound cPanel Configuration - Manual non-plugin Guide
To relay mail through MailChannels, your Mail Transfer Agent (MTA) must authenticate with MailChannels using the credentials provided to you. This article provides instructions for setting up authentication.
If you are using cPanel with Exim and want to relay your email through MailChannels, navigate to Main > Service Configuration > Exim Configuration Editor, click on the Advanced Editor button, and enter the following in Section:AUTH:
begin authenticators
mailchannels_login:
driver = plaintext
public_name = LOGIN
client_send = : MailChannelsUsername : MailChannelsPassword
Next, replace MailChannelsUsername and MailChannelsPassword with the username and password assigned by MailChannels.
NOTE: Only include “begin authenticators” if it is not already in the configuration.
The next two sections can be used interchangeably. Use the POSTMAILCOUNT instructions to preserve the cPanel max hourly mail limits if you use them. Otherwise, you can skip to the ROUTERSTART section. ONLY implement 1 of the following two sections depending on your needs!
Section: POSTMAILCOUNT (Option A - Choose POSTMAILCOUNT or ROUTERSTART not both)
The POSTMAILCOUNT section must be used instead of ROUTERSTART if you want max hourly mail limits to be honored. You must also add the domains = line if you want the server to keep accepting mail for its local domains and relay only outgoing mail. Otherwise, all email, incoming and outgoing, gets relayed.
On cPanel v108 or above: (SRS doesn't rewrite the Return-Path header when using a smarthost in cPanel v108)
send_via_mailchannels:
driver = manualroute
domains = ! +local_domains
.ifdef SRSENABLED
# if outbound, and forwarding has been done, use an alternate transport
transport = ${if eq {$local_part@$domain} \
{$original_local_part@$original_domain} \
{mailchannels_smtp} {mailchannels_forwarded_smtp}}
.else
transport = mailchannels_smtp
.endif
route_list = * smtp.mailchannels.net::25 randomize byname
On cPanel v106 or below:
send_via_mailchannels:
driver = manualroute
transport = mailchannels_smtp
domains = !+local_domains
route_list = * smtp.mailchannels.net::25 randomize byname
Section: ROUTERSTART (Option B - Choose POSTMAILCOUNT or ROUTERSTART not both)
send_via_mailchannels:
driver = manualroute
domains = ! +local_domains
transport = mailchannels_smtp
hosts_randomize = true
route_list = * smtp.mailchannels.net::25 randomize byname
host_find_failed = defer
no_more
Add the following transport to the Section: TRANSPORTSTART configuration box:
mailchannels_smtp:
driver = smtp
hosts_require_auth = *
hosts_require_tls = *
tls_tempfail_tryclear = true
headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*}\
{$authenticated_id} {${if match {$authenticated_id}{.+}\
{$authenticated_id@$primary_hostname}{$authenticated_id}}}}
dkim_domain = $sender_address_domain
dkim_selector = default
dkim_canon = relaxed
dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
Additionally, on servers running v108 or above, add the following to the TRANSPORTSTART section as well:
.ifdef SRSENABLED
mailchannels_forwarded_smtp:
driver = smtp
hosts_require_auth = *
hosts_require_tls = *
max_rcpt = 1
return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}
tls_tempfail_tryclear = true
headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*}\
{$authenticated_id} {${if match {$authenticated_id}{.+}\
{$authenticated_id@$primary_hostname}{$authenticated_id}}}}
dkim_domain = $sender_address_domain
dkim_selector = default
dkim_canon = relaxed
dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
.endif
Go to the bottom of the page and click "Save".
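A check for the transports configured above, as an added example that is not part of the MailChannels guide. The LOGIN authenticator sends the username and password as plaintext strings inside the SMTP session, so hosts_require_tls = * is what keeps them encrypted on the wire; without it, tls_tempfail_tryclear = true lets Exim retry unencrypted after a failed TLS setup. The sample configuration and the relay_no_tls transport name are constructed for illustration.

```python
import re
# Constructed sample: the page's transport, plus one without hosts_require_tls.
SAMPLE = r"""
mailchannels_smtp:
  driver = smtp
  hosts_require_auth = *
  hosts_require_tls = *
  tls_tempfail_tryclear = true
  headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*}\
    {$authenticated_id} {$authenticated_id@$primary_hostname}}
.ifdef SRSENABLED
relay_no_tls:
  driver = smtp
  hosts_require_auth = *
.endif
"""

def parse_blocks(text):
    """Return {transport_name: {option: value}} for an Exim config fragment."""
    blocks, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):  # Exim continuation line
            pending = line[:-1]
            continue
        if not line or line[0] in "#.":  # blank, comment, .ifdef/.else/.endif
            continue
        name = re.fullmatch(r"(\w+):", line)
        if name:
            current = blocks.setdefault(name.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return blocks

def audit(text):
    """List smtp transports that authenticate but do not insist on TLS."""
    findings = []
    for name, opts in parse_blocks(text).items():
        if opts.get("driver") != "smtp" or "hosts_require_auth" not in opts:
            continue
        if opts.get("hosts_require_tls") != "*":
            tryclear = opts.get("tls_tempfail_tryclear", "true")  # Exim default
            findings.append((name, f"no hosts_require_tls = *; tryclear={tryclear}"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(f"{name}: {reason}")
```

The parser only reads options written as name = value; boolean options given in the bare or no_ prefixed form are not evaluated.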
Note:
Enabling Mailing List X-Header
This step is required if you have a mailing list set up within cPanel. Exim.conf (/etc/exim.conf) has to be edited directly to add this.
If you have a mailing list set up within your cPanel environment, you should also enable X-MC-MailingList headers so that we can identify the sending account. You can do this by adding the headers_add line shown at the end of the following mailman_virtual_transport section:
mailman_virtual_transport:
driver = pipe
command = /usr/local/cpanel/3rdparty/mailman/mail/mailman \
'${if def:local_part_suffix \
{${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
{post}}' \
${lc:$local_part}_${lc:$domain}
current_directory = /usr/local/cpanel/3rdparty/mailman
home_directory = /usr/local/cpanel/3rdparty/mailman
user = mailman
group = mailman
headers_add = "X-MC-MailingList:$original_local_part@$original_domain\n"
Routing only one Specific Sender Domain
If you want to route only email traffic from a specific sender domain through MailChannels Outbound Filtering, then replace the line starting with "senders" with the following (replace example.com with your own domain):
senders = *@example.com
To route email only from a specific user, specify the full address:
senders = user@example.com
Excluding Specific Sender Domains
Follow the steps below if you want to exclude certain domains from being routed through MailChannels Outbound Filtering.
Add the following line to the route in the Section: ROUTERSTART configuration box:
senders = !*@example.com : !*@example2.com
Following is an example of how this will appear in the configuration file:
send_via_mailchannels:
driver = manualroute
domains = ! +local_domains
senders = !*@example.com : !*@example2.com
transport = mailchannels_smtp
route_list = "* smtp.mailchannels.net::25 byname"
host_find_failed = defer
no_more
Once you have completed and saved all changes to Exim’s configuration files, you will need to restart it to activate those changes using the following command:
$ /etc/init.d/exim4 restart
Note: Please see the following article to exclude both sender and recipient domains from being routed through MailChannels using a file that includes the list of domains
Excluding Specific Receiver Domains
Follow the steps below if you want to exclude mails to certain domains from being routed through MailChannels Outbound Filtering.
Add the following line to the route in the Section: ROUTERSTART configuration box:
domains = ! receivingdomain.com : ! +local_domains
Following is an example of how this will appear in the configuration file:
send_via_mailchannels:
driver = manualroute
domains = ! receivingdomain.com : ! +local_domains
senders = !*@example.com : !*@example2.com
transport = mailchannels_smtp
route_list = "* smtp.mailchannels.net::25 byname"
host_find_failed = defer
no_more
Once you have completed and saved all changes to Exim’s configuration files, you will need to restart it to activate those changes using the following command:
$ /etc/init.d/exim4 restart
Note: Please see the following article to exclude both sender and recipient domains from being routed through MailChannels using a file that includes the list of domains
DKIM Key Configuration
DKIM keys can be added for cPanel using our Cpanel - DKIM Configuration Guide.
Exim Optimization
The following steps help keep the queues clean and optimize the delivery retry intervals in Exim, which are known to cause delays in email delivery.
1) Change retry interval as follows
Under section: RETRYSTART
* data_4xx F,4h,1m
* rcpt_4xx F,4h,1m
* timeout F,4h,1m
* refused F,1h,5m
* lost_connection F,1h,1m
* * F,6h,5m
2) Remove all the Junk messages sitting in the queue periodically
The following cron entry removes all junk messages if they are more than 1 day old.
Edit /etc/crontab and add these entries:
# Clean up the Exim retry database at the quietest time of day.
25 5 * * * root /usr/sbin/exim_tidydb -t 1d /var/spool/exim retry
35 5 * * * root /usr/sbin/exim_tidydb -t 1d /var/spool/exim wait-remote_smtp
It is recommended to run the cron job when the volume of mail flow is expected to be low.
3) Exim queue configuration
- Change how often queue runners are spawned. In /etc/default/exim (in cPanel, create or update /etc/sysconfig/exim) change the option to the following: QUEUE=60s This ensures that a new queue runner is created every 60s.
- Change max number of queue runners that can exist simultaneously in /etc/exim.conf: queue_run_max = 50
- Restart the server: /etc/init.d/exim restart
4) Set "timeout_frozen_after" to 12 hours
Type: time
Default: 0s
If timeout_frozen_after is set to a time greater than zero, a frozen message of any description that has been on the queue for longer than the given time is automatically canceled at the next queue run. If it is a bounce message, it is just discarded; otherwise, a bounce is sent to the sender, in a similar manner to cancellation by the -Mg command line option.
5) Set "ignore_bounce_errors_after" parameter to 1 hour
This option affects the processing of bounce messages that cannot be delivered, that is, those that suffer a permanent delivery failure. (Bounce messages that suffer temporary delivery failures are of course retried in the usual way.)
After a permanent delivery failure, bounce messages are frozen, because there is no sender to whom they can be returned. When a frozen bounce message has been in the queue for more than the given time, it is unfrozen at the next queue run, and a further delivery is attempted. If delivery fails again, the bounce message is discarded. This makes it possible to keep failed bounce messages around for a shorter time than the normal maximum retry time for frozen messages.
Note: A simpler way to make the changes is to edit /etc/exim.conf.local file. A sample exim.conf.local file is attached for reference.
If the password contains a circumflex accent, you must escape it with another accent.
References -> http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_plaintext_authenticator.html
Hello,
We are testing your service, but we need to know if there is any web interface to track the emails, view statistics, load balance, etc.
Th
Would it be possible in the exim routing to have a file for both sender and recipient domains to be excluded from being routed through mailchannels? For example:
These would be destination domains...
/etc/mailchannels_exclude_to
domain1.com
domain2.com ....etc
These would be local domains you don't want routed through.
/etc/mailchannels_exclude_from
localdomain3.com
localdomain4.com ...etc.
Eric
For an easy set up create /etc/exim.conf.local
change
MAILCHANNELSUSER : MAILCHANNELSPASSWORD
and YOURSERVERHOSTNAME
keep the : between login and password
Then run /scripts/buildeximconf
and add the below
@AUTH@
mailchannels_login:
driver = plaintext
public_name = LOGIN
client_send = : MAILCHANNELSUSER : MAILCHANNELSPASSWORD
@BEGINACL@
@CONFIG@
local_from_check = true
allow_mx_to_ip = yes
@DIRECTOREND@
@DIRECTORMIDDLE@
@DIRECTORSTART@
@ENDACL@
@POSTMAILCOUNT@
@PREDOTFORWARD@
@PREFILTER@
@PRELOCALUSER@
@PRENOALIASDISCARD@
@PREROUTERS@
@PREVALIASNOSTAR@
@PREVALIASSTAR@
@PREVIRTUALUSER@
@RETRYEND@
@RETRYSTART@
@REWRITE@
@ROUTEREND@
@ROUTERMIDDLE@
@ROUTERSTART@
send_via_mailchannels:
driver = manualroute
domains = ! +local_domains
senders = !*@YOURSERVERHOSTNAME
transport = mailchannels_smtp
route_list = "* smtp.mailchannels.net::25 byname"
host_find_failed = defer
no_more
@TRANSPORTEND@
@TRANSPORTMIDDLE@
@TRANSPORTSTART@
Additional note rewrite headers should be disabled
rewrite_from=disable
in /etc/exim.conf.localops
use the below to add in the forwarder and mailchannels. It can run from cron
#!/bin/bash
# Adds the X-MC-Forward and X-MC-MailingList headers to /etc/exim.conf if they are missing.
if [ ! -e /usr/local/cpanel ]; then
    exit
fi
# Report when MailChannels is not referenced in the local Exim configuration
checkmail=$(grep mailch /etc/exim.conf.local)
if [ "$checkmail" = "" ]; then
    echo 'Mailchannels not installed'
fi
if [ -e /root/exim.tmp ]; then
    # This branch is empty in the script as posted; ":" keeps the syntax valid
    :
fi
check1=$(grep X-MC-Forward /etc/exim.conf)
if [ "$check1" = "" ]; then
    # \\\\n reaches awk as \\n, which awk -v turns into the literal \n that Exim expects
    var1="headers_add = \"X-MC-Forward: \$original_local_part@\$original_domain\\\\n\""
    search="virtual_aliases_nostar:"
    awk -v S="$search" -v V1="$var1" '{if ($0~S) print $0 "\n" V1 ; else print $0}' /etc/exim.conf > /root/exim.tmp
    var1="headers_add = \"X-MC-MailingList: \$original_local_part@\$original_domain\\\\n\""
    search="mailman_virtual_transport:"
    awk -v S="$search" -v V1="$var1" '{if ($0~S) print $0 "\n" V1 ; else print $0}' /root/exim.tmp > /root/exim.tmp2
    mv -f /root/exim.tmp2 /etc/exim.conf
    chmod 644 /etc/exim.conf
    # Command kept exactly as posted
    /admin/exi res
    # -f: exim.tmp2 has already been moved into place by mv above
    /bin/rm -f /root/exim.tmp
    /bin/rm -f /root/exim.tmp2
else
    echo "already exists"
fi
Hey John!
You said:
"Additional note rewrite headers should be disabled
rewrite_from=disable
in /etc/exim.conf.localops"
Why?
I am not sure what I need to send to my datacenter?
I think the datacenter finally fixed it?
https://support.cpanel.net/hc/en-us/articles/10433924612759-SRS-doesn-t-rewrite-the-Return-Path-header-when-using-a-smarthost-in-v108
SRS doesn't rewrite the Return-Path header when using a smarthost in v108
In the latest cpanel update return-path is not set.
The following in my tests has resolved the error
send_via_mailchannels:
driver = manualroute
domains = ! +local_domains
transport = mailchannels_smtp
hosts_randomize = true
route_list = * smtp.mailchannels.net::25 randomize byname
host_find_failed = defer
no_more
becomes
remoteserver_route:
driver = manualroute
.ifdef SRSENABLED
# if outbound, and forwarding has been done, use an alternate transport
transport = ${if eq {$local_part@$domain} \
{$original_local_part@$original_domain} \
{mailchannels_smtp} {mailchannels_forward_smtp}}
.else
transport = mailchannels_smtp
.endif
domains = !+local_domains
ignore_target_hosts = 127.0.0.0/8
route_list = * smtp.mailchannels.net::25 randomize byname
host_find_failed = defer
no_more
Transport start now has TWO entries
mailchannels_smtp:
driver = smtp
hosts_require_auth = *
tls_tempfail_tryclear = true
headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*}\
{$authenticated_id} {${if match {$authenticated_id}{.+}\
{$authenticated_id@$primary_hostname}{$authenticated_id}}}}
becomes
mailchannels_smtp:
driver = smtp
hosts_require_auth = *
tls_tempfail_tryclear = true
headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*}\
{$authenticated_id} {${if match {$authenticated_id}{.+}\
{$authenticated_id@$primary_hostname}{$authenticated_id}}}}
dkim_domain = ${lookup{$sender_address_domain}lsearch,ret=key{/etc/localdomains}}
dkim_selector = default
dkim_canon = relaxed
dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
#message_linelength_limit = 900900900
mailchannels_forward_smtp:
driver = smtp
hosts_require_auth = *
tls_tempfail_tryclear = true
headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*}\
{$authenticated_id} {${if match {$authenticated_id}{.+}\
{$authenticated_id@$primary_hostname}{$authenticated_id}}}}
dkim_domain = ${lookup{$sender_address_domain}lsearch,ret=key{/etc/localdomains}}
dkim_selector = default
dkim_canon = relaxed
dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
#message_linelength_limit = 900900900
.ifdef SRSENABLED
return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}
.endif
* Uncomment message_linelength if needed
* DKIM entries are to resolve https://support.cpanel.net/hc/en-us/articles/1500003957961-Unable-to-send-mail-due-to-DKIM-Tainted-errors-in-cPanel-94-when-using-MailChannels-as-a-smarthost
Good morning,
I would like to know the following.
I want to block a specific domain from sending email to another specific domain.
The domain you are going to send is hosted on our server, the domain you are going to receive is hosted outside our server.
Is there any way I can do this?