cPanel/WHM IP-based Authentication (selected domains)

This method allows you to filter selected domains via our Outgoing filter, while using IP authentication. Any domains not configured will continue to use the standard cPanel router and transport for outbound mail.

Basic Configuration

The BASIC setup relays all outgoing mail through SpamExperts using IP - based authentication. It ensures outbound messages are sent securely and supports DKIM signing for domains with DKIM keys. This configuration is simple to implement and suitable for most standard cPanel/WHM environments where advanced forwarding or sender rewriting is not required.

1. Log in to Spam Experts, ensure the IP address is added as an authenticating method by following the Add an Outgoing User > Authenticating IP or Range instructions
   1. When adding the Authenticating IP, ensure the correct limits are set matching your traffic volumes
2. SSH to the cPanel/WHM node
3. Create a text file /etc/spamexperts_domains
4. Add the domain(s) that you wish to filter outbound mail for in this new file, one domain per line
5. Save the file
6. Open WHM and navigate to the Exim Configuration Editor
7. Select Advanced Editor
8. Add the following to the POSTMAILCOUNT section:

smarthost_dkim:
  driver = manualroute
  domains = !+local_domains
  condition = ${if match_domain{$sender_address_domain}{lsearch;/etc/spamexperts_domains}}
  require_files = "+/var/cpanel/domain_keys/private/${lookup{$sender_address_domain}dsearch{/var/cpanel/domain_keys/private/}}"
  # Exclude null sender messages from relaying via the smarthost
  condition = ${if or {{!eq{$sender_address}{}} {!eq{$sender_host_address}{}}}}
  transport = remote_smtp_smart_dkim
  route_list = $domain SMARTHOST::587
 
smarthost_regular:
  driver = manualroute
  domains = !+local_domains
  condition = ${if match_domain{$sender_address_domain}{lsearch;/etc/spamexperts_domains}}
  # Exclude null sender messages from relaying via the smarthost
  condition = ${if or {{!eq{$sender_address}{}} {!eq{$sender_host_address}{}}}}
  transport = remote_smtp_smart_regular
  route_list = $domain SMARTHOST::587 

Replace SMARTHOST with the your SMTP hostname

9. Add the following to the TRANSPORTSTART section

remote_smtp_smart_dkim:
  driver = smtp
  hosts_require_tls = *
  interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
  helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
  dkim_domain = $sender_address_domain
  dkim_selector = default
  dkim_private_key = "/var/cpanel/domain_keys/private/${lookup{$dkim_domain}dsearch{/var/cpanel/domain_keys/private/}}"
  dkim_canon = relaxed
  headers_add = "${perl{check_mail_permissions_headers}}"
 
remote_smtp_smart_regular:
  driver = smtp
  hosts_require_tls = *
  interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
  helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
  headers_add = "${perl{check_mail_permissions_headers}}" 

10. Save and restart

All traffic from the cPanel/WHM server for the selected domains will be routed to the Spam Experts filtering nodes.

Advanced Configuration

The ADVANCED setup provides enhanced handling for complex mail flows. It supports DKIM signing for outbound mail and uses SRS (Sender Rewriting Scheme) for forwarded messages, preventing SPF failures when forwarding mail. This configuration is recommended for environments where mail forwarding is common or where maximum deliverability and compliance with modern email authentication standards are required.

Please ensure that the SRSENABLED variable is enabled in your Exim configuration. If it is missing or incorrectly configured, the SRS functionality will not work.
Navigate to Home -> Service Configuration -> Exim Configuration Manager -> Basic Editor and look for Enable Sender Rewriting Scheme (SRS) Support: On.

Please follow the steps (Step 1 - Step 7) as stated in the Basic Configuration section.

8. Add the following to the POSTMAILCOUNT section:
   

   ######################################################################################
   # POSTMAILCOUNT
   # BEGIN: SpamExperts - Smarthost routing for SELECTED domains
   
   # Router 1: Handles unauthenticated forwards for domains listed in /etc/spamexperts_domains.
   smarthost_forwards:
     driver = manualroute
     condition = ${if and { \
       {def:original_domain} \
       {!def:sender_host_authenticated} \
       {match_domain{$original_domain}{lsearch;/etc/spamexperts_domains}} \
     }}
     .ifdef SRSENABLED
       transport = spamexperts_outbound_srs_smtp
     .else
       transport = spamexperts_outbound_smtp
     .endif
     domains = !+local_domains
     route_list = $domain SMARTHOST::587
     no_more
   
   # Router 2: Handles direct sends and authenticated forwards for domains with DKIM that are listed in /etc/spamexperts_domains.
   smarthost_direct_dkim:
     driver = manualroute
     condition = ${if and { \
       {match_domain{$sender_address_domain}{lsearch;/etc/spamexperts_domains}} \
       {eq{${perl{sender_domain_can_dkim_sign}}}{1}} \
       {or {{!eq{$sender_address}{}} {!eq{$sender_host_address}{}}}} \
     }}
     transport = spamexperts_outbound_smtp
     domains = !+local_domains
     route_list = $domain SMARTHOST::587  
     no_more
   
   
   # Router 3: Handles all remaining outbound mail for domains listed in /etc/spamexperts_domains.
   smarthost_direct_regular:
     driver = manualroute
     condition = ${if and { \
       {match_domain{$sender_address_domain}{lsearch;/etc/spamexperts_domains}} \
       {or {{!eq{$sender_address}{}} {!eq{$sender_host_address}{}}}} \
      }}
      transport = spamexperts_outbound_smtp
      domains = !+local_domains
      route_list = $domain SMARTHOST::587
      no_more
   
   # END: SpamExperts - Smarthost routing for SELECTED domains
   ######################################################################################
   

   Replace SMARTHOST with the your SMTP hostname
   

   
   

9. Add the following to the TRANSPORTSTART section:
   

   ######################################################################################
   # TRANSPORTSTART
   # BEGIN: SpamExperts - Smarthost Transports
   # Use a dedicated outbound IP if one is configured in /etc/mailips.
   # Use a custom HELO name if one is configured in /etc/mailhelo.
   
   # Transport 1: Handles direct sends and authenticated forwards requiring DKIM signing.
   spamexperts_outbound_smtp:
     driver = smtp
     hosts_require_tls = *
     interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}} 
     helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
     headers_add = "${perl{check_mail_permissions_headers}}
     dkim_domain = ${perl{get_dkim_domain}}
     dkim_selector = default
     dkim_private_key = ${if exists{/var/cpanel/domain_keys/private/${dkim_domain}}{/var/cpanel/domain_keys/private/${dkim_domain}}{}}
     dkim_canon = relaxed
     dkim_strict = 0
   
   
   # Transport 2: Handles unauthenticated forwards requiring SRS rewriting.
   spamexperts_outbound_srs_smtp:
     driver = smtp
     hosts_require_tls = *
     interface = ${if exists {/etc/mailips}{${lookup{$original_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
     helo_data = ${if exists {/etc/mailhelo}{${lookup{$original_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
     headers_add = "${perl{check_mail_permissions_headers}}"
     .ifdef SRSENABLED
       return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}
     .endif
   
   # END: SpamExperts - Smarthost Transports
   ######################################################################################
   

Please follow Step 10 in the Basic Configuration section.

All traffic from the cPanel/WHM server for the selected domains will be routed to the SpamExperts filtering nodes.

Disclaimer: This documentation may contain references to third party software or websites. N-able has no control over third party software or content and is not responsible for the availability, security, or operation, of any third-party software. If you decide to utilize a release involving third-party software, you do so entirely at your own risk and subject to the applicable third party’s terms and conditions of the use of such software. No information obtained by you from N-able or this documentation shall create any warranty for such software.