cPanel/WHM IP-based Authentication

This method allows you to filter emails via our Outgoing filter, while using IP authentication.

Basic Configuration

The BASIC setup relays all outgoing mail through SpamExperts using IP - based authentication. It ensures outbound messages are sent securely and supports DKIM signing for domains with DKIM keys. This configuration is simple to implement and suitable for most standard cPanel/WHM environments where advanced forwarding or sender rewriting is not required.

1. In WHM, navigate to the Exim Configuration Editor
2. Select Advanced Editor
3. Add the following code to the POSTMAILCOUNT section

smarthost_dkim:
  driver = manualroute
  domains = !+local_domains
  require_files = "+/var/cpanel/domain_keys/private/${lookup{$sender_address_domain}dsearch{/var/cpanel/domain_keys/private/}}"
  # Exclude null sender messages from relaying via the smarthost
  condition = ${if or {{!eq{$sender_address}{}} {!eq{$sender_host_address}{}}}}
  transport = remote_smtp_smart_dkim
  route_list = $domain SMARTHOST::587

smarthost_regular:
  driver = manualroute
  domains = !+local_domains
  # Exclude null sender messages from relaying via the smarthost
  condition = ${if or {{!eq{$sender_address}{}} {!eq{$sender_host_address}{}}}}
  transport = remote_smtp_smart_regular
  route_list = $domain SMARTHOST::587 

Replace all instances of SMARTHOST with your SMTP hostname

4. Add the following to the TRANSPORTSTART section:

remote_smtp_smart_dkim:
  driver = smtp
  hosts_require_tls = *
  interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
  helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
  dkim_domain = $sender_address_domain
  dkim_selector = default
  dkim_private_key = "/var/cpanel/domain_keys/private/${lookup{$dkim_domain}dsearch{/var/cpanel/domain_keys/private/}}"
  dkim_canon = relaxed
  headers_add = "${perl{check_mail_permissions_headers}}"
 
remote_smtp_smart_regular:
  driver = smtp
  hosts_require_tls = *
  interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
  helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
  headers_add = "${perl{check_mail_permissions_headers}}" 

5. Save and restart

All traffic from the cPanel/WHM server will be routed to the Spam Experts filtering nodes.

Advanced Configuration

The ADVANCED setup provides enhanced handling for complex mail flows. It supports DKIM signing for outbound mail and uses SRS (Sender Rewriting Scheme) for forwarded messages, preventing SPF failures when forwarding mail. This configuration is recommended for environments where mail forwarding is common or where maximum deliverability and compliance with modern email authentication standards are required.

Please ensure that the SRSENABLED variable is enabled in your Exim configuration. If it is missing or incorrectly configured, the SRS functionality will not work.
Navigate to Home -> Service Configuration -> Exim Configuration Manager -> Basic Editor and look for Enable Sender Rewriting Scheme (SRS) Support: On.

Please follow Step 1 and Step 2 as stated in the Basic Configuration section.

3. Add the following to the POSTMAILCOUNT section:
   

   ######################################################################################
   # POSTMAILCOUNT
   # BEGIN: SpamExperts - Smarthost routing for ALL domains
   
   # Router 1: Handles unauthenticated forwards for ALL domains.
   smarthost_forwards:
     driver = manualroute
     condition = ${if and {{def:original_domain}{!def:sender_host_authenticated}}}
     .ifdef SRSENABLED
       transport = spamexperts_outbound_srs_smtp
     .else
       transport = spamexperts_outbound_smtp
     .endif
     domains = !+local_domains  
     route_list = $domain SMARTHOST::587
     no_more
   
   # Router 2: Handles direct sends and authenticated forwards for ALL domains that have DKIM.
   smarthost_direct_dkim:
     driver = manualroute
     condition = ${if and { \
       {eq{${perl{sender_domain_can_dkim_sign}}}{1}} \
       {or {{!eq{$sender_address}{}} {!eq{$sender_host_address}{}}}} \
     }}
     transport = spamexperts_outbound_smtp
     domains = !+local_domains
     route_list = $domain SMARTHOST::587
     no_more
   
   
   # Router 3: Handles all remaining outbound mail for ALL domains.
   smarthost_direct_regular: 
     driver = manualroute
     condition = ${if or {{!eq{$sender_address}{}} {!eq{$sender_host_address}{}}}}
     transport = spamexperts_outbound_smtp 
     domains = !+local_domains
     route_list = $domain SMARTHOST::587 
     no_more
   
   
   # END: SpamExperts - Smarthost routing for ALL domains
   ######################################################################################

   Replace the SMARTHOST in the POSTMAILCOUNT configurations with SpamExperts cluster hostname.

4. Add the following to the POSTMAILCOUNT section:
   

   ######################################################################################
   # TRANSPORTSTART
   # BEGIN: SpamExperts - Smarthost Transports
   # Use a dedicated outbound IP if one is configured in /etc/mailips.
   # Use a custom HELO name if one is configured in /etc/mailhelo.
   
   # Transport 1: Handles direct sends and authenticated forwards requiring DKIM signing.
   spamexperts_outbound_smtp:
     driver = smtp
     hosts_require_tls = *
     interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
     helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}} 
     headers_add = "${perl{check_mail_permissions_headers}}"
     dkim_domain = ${perl{get_dkim_domain}} 
     dkim_selector = default
     dkim_private_key = ${if exists{/var/cpanel/domain_keys/private/${dkim_domain}}{/var/cpanel/domain_keys/private/${dkim_domain}}{}}
     dkim_canon = relaxed
     dkim_strict = 0
   
   
   # Transport 2: Handles unauthenticated forwards requiring SRS rewriting.
   spamexperts_outbound_srs_smtp:
     driver = smtp
     hosts_require_tls = *
     interface = ${if exists {/etc/mailips}{${lookup{$original_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
     helo_data = ${if exists {/etc/mailhelo}{${lookup{$original_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
     headers_add = "${perl{check_mail_permissions_headers}}"
    .ifdef SRSENABLED
      return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}
   .endif
   
   # END: SpamExperts - Smarthost Transports
   ######################################################################################
   

Please follow Step 5 in the Basic Configuration section.

All traffic from the cPanel/WHM server will be routed to the SpamExperts filtering nodes.

Disclaimer: This documentation may contain references to third party software or websites. N-able has no control over third party software or content and is not responsible for the availability, security, or operation, of any third-party software. If you decide to utilize a release involving third-party software, you do so entirely at your own risk and subject to the applicable third party’s terms and conditions of the use of such software. No information obtained by you from N-able or this documentation shall create any warranty for such software.