cPanel/WHM IP-based Authentication

This method allows you to filter emails via our Outgoing filter, while using IP authentication.

Basic Configuration

The BASIC setup relays all outgoing mail through SpamExperts using IP-based authentication. It ensures outbound messages are sent securely and supports DKIM signing for domains with DKIM keys. This configuration is simple to implement and suitable for most standard cPanel/WHM environments where advanced forwarding or sender rewriting is not required.

  1. In WHM, navigate to the Exim Configuration Editor
  2. Select Advanced Editor
  3. Add the following code to the POSTMAILCOUNT section:

    smarthost_dkim:
      driver = manualroute
      domains = !+local_domains
      require_files = "+/var/cpanel/domain_keys/private/${lookup{$sender_address_domain}dsearch{/var/cpanel/domain_keys/private/}}"
      # Exclude null sender messages from relaying via the smarthost
      condition = ${if or {{!eq{$sender_address}{}} {!eq{$sender_host_address}{}}}}
      transport = remote_smtp_smart_dkim
      route_list = $domain SMARTHOST::587

    smarthost_regular:
      driver = manualroute
      domains = !+local_domains
      # Exclude null sender messages from relaying via the smarthost
      condition = ${if or {{!eq{$sender_address}{}} {!eq{$sender_host_address}{}}}}
      transport = remote_smtp_smart_regular
      route_list = $domain SMARTHOST::587

    Replace all instances of SMARTHOST with your SMTP hostname.

  4. Add the following to the TRANSPORTSTART section:

    remote_smtp_smart_dkim:
      driver = smtp
      hosts_require_tls = *
      interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
      helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
      dkim_domain = $sender_address_domain
      dkim_selector = default
      dkim_private_key = "/var/cpanel/domain_keys/private/${lookup{$dkim_domain}dsearch{/var/cpanel/domain_keys/private/}}"
      dkim_canon = relaxed
      headers_add = "${perl{check_mail_permissions_headers}}"

    remote_smtp_smart_regular:
      driver = smtp
      hosts_require_tls = *
      interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
      helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
      headers_add = "${perl{check_mail_permissions_headers}}"

  5. Save and restart
  6. All traffic from the cPanel/WHM server will be routed to the SpamExperts filtering nodes.
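
A pre-restart check for the routers and transports above, as an added example (not N-able or cPanel code): it parses pasted Exim blocks and flags a leftover SMARTHOST placeholder, a router that names an undefined transport, and a transport that does not set hosts_require_tls = *. The function names, the sample text and the hostname smtp.example.test are assumptions made for illustration.

```python
import re

BLOCK = re.compile(r"^\s*(\w+):\s*$")              # "router_or_transport_name:"
OPTION = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")  # "option = value"

def parse_blocks(text):
    """Return {block_name: {option: [values]}}; comments and directives are skipped."""
    blocks, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip().startswith(("#", ".")):
            continue  # blank line, comment, or .ifdef/.else/.endif
        if m := BLOCK.match(line):
            current = blocks.setdefault(m.group(1), {})
        elif (m := OPTION.match(line)) and current is not None:
            current.setdefault(m.group(1), []).append(m.group(2))
    return blocks

def lint(text, placeholder="SMARTHOST"):
    """Check every manualroute router and the transports it hands mail to."""
    blocks, findings = parse_blocks(text), []
    for name, opts in blocks.items():
        if opts.get("driver") != ["manualroute"]:
            continue
        if any(placeholder in r for r in opts.get("route_list", [])):
            findings.append(f"{name}: route_list still contains {placeholder}")
        for tname in opts.get("transport", []):
            transport = blocks.get(tname)
            if transport is None:
                findings.append(f"{name}: transport {tname} is not defined")
            elif transport.get("hosts_require_tls") != ["*"]:
                findings.append(f"{name}: {tname} lacks hosts_require_tls = *")
    return findings

# Constructed input: one placeholder left in, one transport missing, one without TLS.
SAMPLE = """
smarthost_dkim:
  driver = manualroute
  transport = remote_smtp_smart_dkim
  route_list = $domain SMARTHOST::587
smarthost_regular:
  driver = manualroute
  transport = remote_smtp_smart_regular
  route_list = $domain smtp.example.test::587
remote_smtp_smart_regular:
  driver = smtp
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Pass the text of the POSTMAILCOUNT and TRANSPORTSTART sections together to lint(); an empty list means all three checks passed. Options split across .ifdef/.else branches, as in the Advanced configuration, are each checked.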

Advanced Configuration

The ADVANCED setup provides enhanced handling for complex mail flows. It supports DKIM signing for outbound mail and uses SRS (Sender Rewriting Scheme) for forwarded messages, preventing SPF failures when forwarding mail. This configuration is recommended for environments where mail forwarding is common or where maximum deliverability and compliance with modern email authentication standards are required.

Please ensure that the SRSENABLED variable is enabled in your Exim configuration. If it is missing or incorrectly configured, the SRS functionality will not work.
Navigate to Home -> Service Configuration -> Exim Configuration Manager -> Basic Editor and look for Enable Sender Rewriting Scheme (SRS) Support: On.

Please follow Step 1 and Step 2 as stated in the Basic Configuration section.

  1. Add the following to the POSTMAILCOUNT section:

    ######################################################################################
    # POSTMAILCOUNT
    # BEGIN: SpamExperts - Smarthost routing for ALL domains
    
    # Router 1: Handles unauthenticated forwards for ALL domains.
    smarthost_forwards:
      driver = manualroute
      condition = ${if and {{def:original_domain}{!def:sender_host_authenticated}}}
      .ifdef SRSENABLED
        transport = spamexperts_outbound_srs_smtp
      .else
        transport = spamexperts_outbound_smtp
      .endif
      domains = !+local_domains  
      route_list = $domain SMARTHOST::587
      no_more
    
    # Router 2: Handles direct sends and authenticated forwards for ALL domains that have DKIM.
    smarthost_direct_dkim:
      driver = manualroute
      condition = ${if and { \
        {eq{${perl{sender_domain_can_dkim_sign}}}{1}} \
        {or {{!eq{$sender_address}{}} {!eq{$sender_host_address}{}}}} \
      }}
      transport = spamexperts_outbound_smtp
      domains = !+local_domains
      route_list = $domain SMARTHOST::587
      no_more
    
    
    # Router 3: Handles all remaining outbound mail for ALL domains.
    smarthost_direct_regular: 
      driver = manualroute
      condition = ${if or {{!eq{$sender_address}{}} {!eq{$sender_host_address}{}}}}
      transport = spamexperts_outbound_smtp 
      domains = !+local_domains
      route_list = $domain SMARTHOST::587 
      no_more
    
    
    # END: SpamExperts - Smarthost routing for ALL domains
    ######################################################################################

    Replace SMARTHOST in the POSTMAILCOUNT configuration with your SpamExperts cluster hostname.

  2. Add the following to the TRANSPORTSTART section:

    ######################################################################################
    # TRANSPORTSTART
    # BEGIN: SpamExperts - Smarthost Transports
    # Use a dedicated outbound IP if one is configured in /etc/mailips.
    # Use a custom HELO name if one is configured in /etc/mailhelo.
    
    # Transport 1: Handles direct sends and authenticated forwards requiring DKIM signing.
    spamexperts_outbound_smtp:
      driver = smtp
      hosts_require_tls = *
      interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
      helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}} 
      headers_add = "${perl{check_mail_permissions_headers}}"
      dkim_domain = ${perl{get_dkim_domain}} 
      dkim_selector = default
      dkim_private_key = ${if exists{/var/cpanel/domain_keys/private/${dkim_domain}}{/var/cpanel/domain_keys/private/${dkim_domain}}{}}
      dkim_canon = relaxed
      dkim_strict = 0
    
    
    # Transport 2: Handles unauthenticated forwards requiring SRS rewriting.
    spamexperts_outbound_srs_smtp:
      driver = smtp
      hosts_require_tls = *
      interface = ${if exists {/etc/mailips}{${lookup{$original_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
      helo_data = ${if exists {/etc/mailhelo}{${lookup{$original_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
      headers_add = "${perl{check_mail_permissions_headers}}"
      .ifdef SRSENABLED
        return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}
      .endif
    
    # END: SpamExperts - Smarthost Transports
    ######################################################################################
    

Please follow Step 5 in the Basic Configuration section.

All traffic from the cPanel/WHM server will be routed to the SpamExperts filtering nodes.
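
How the srs_encode rewrite in the SRS transport keeps forwarded mail passing SPF, as an added sketch (not Exim's or N-able's implementation): the envelope sender is re-homed into the forwarding domain, and a keyed hash lets the server reject bounce addresses it never issued. The field layout, HMAC-SHA256, the 21-day lifetime and all sample values are assumptions of this example and do not reproduce Exim's exact output.

```python
import hashlib
import hmac

B32 = "abcdefghijklmnopqrstuvwxyz234567"

def _tag(secret, stamp, domain, local):
    # Keyed hash over the fields that must not be altered in transit.
    msg = f"{stamp}={domain}={local}".lower().encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]

def srs_encode(secret, return_path, original_domain, epoch):
    """Rewrite return_path so the envelope sender sits in the forwarding domain."""
    local, domain = return_path.rsplit("@", 1)
    day = (epoch // 86400) % 1024                  # 10-bit day counter
    stamp = B32[day >> 5] + B32[day & 31]
    tag = _tag(secret, stamp, domain, local)
    return f"SRS0={tag}={stamp}={domain}={local}@{original_domain}"

def srs_decode(secret, address, epoch, max_age_days=21):
    """Recover the original return path of a bounce, or raise ValueError."""
    local_part = address.rsplit("@", 1)[0]
    if not local_part.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    tag, stamp, domain, local = local_part[5:].split("=", 3)
    expected = _tag(secret, stamp, domain, local)
    if not hmac.compare_digest(tag.lower().encode(), expected.encode()):
        raise ValueError("hash mismatch: address was not issued by this server")
    day = B32.index(stamp[0].lower()) * 32 + B32.index(stamp[1].lower())
    if ((epoch // 86400) % 1024 - day) % 1024 > max_age_days:
        raise ValueError("expired SRS address")
    return f"{local}@{domain}"

if __name__ == "__main__":
    # Constructed values: secret, addresses and time are illustrative only.
    secret, now = b"constructed-secret", 1_700_000_000
    rewritten = srs_encode(secret, "alice@sender.example", "forwarder.example", now)
    print(rewritten)   # envelope sender now belongs to forwarder.example
    print(srs_decode(secret, rewritten, now + 2 * 86400))
```

The receiving server evaluates SPF against forwarder.example, which authorises the forwarding host, instead of sender.example, which does not.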

Disclaimer: This documentation may contain references to third party software or websites. N-able has no control over third party software or content and is not responsible for the availability, security, or operation, of any third-party software. If you decide to utilize a release involving third-party software, you do so entirely at your own risk and subject to the applicable third party’s terms and conditions of the use of such software. No information obtained by you from N-able or this documentation shall create any warranty for such software.