Main Menu

WHM / cPanel spam bypassing mx record

I’m running several WHM/cPanel systems, and am using a dedicated Barracuda anti-spam firewall for all incoming and outgoing email to these systems.  I have recently had the problem where spammers are not honoring the MX record for the domains hosted on the cPanel systems.  The spammers are connecting directly to the websites IP address to deliver the email, thereby bypassing all filtering.

The problem is described rather well in this Exim configuration question on Web Hosting Talk.

The solution on that page, provided by Samuraid was the correct solution for the most part.  However, that post is old enough that the interface and locations where the changes are necessary is no longer valid.  So I’m taking Samuraid’s instructions and modifying them to show how I made the settings work for me.

Step 1 : Edit MX records
In WHM, edit your DNS zone, and make sure that any and all MX records are pointing to Postini, or to your Barracuda anti-spam firewall.

Step 2: Exim Settings Configuration
In WHM, select
“Service Configuration -> Exim Configuration Manager -> Basic Editor -> Access Lists -> Trusted SMTP IP addresses”

Then, add the IP address (#.#.#.#) of your barracuda spam firewall, multiple if you have more than one, and multiple if you need to list all of the Postini servers.

Step 3 : Exim Advanced Configuration
In WHM, select
“Service Configuration -> Exim Configuration Manager -> Advanced Editor”.  Locate the custom_begin_recipient_post setting.  It is probably an empty field.

You’ll want to insert the following text into this area, replacing the YOUR COMPANY NAME HERE part, with your company name.


# By this point, we know that the current connecting mail server:
# - Is not an authenticated user
# - Is not the local host
# - Is not a host in the "Whitelist: Trusted Mail Hosts/Ip Blocks"
# So we need to DENY them at this point
	deny hosts = *
		message = $sender_fullhost is not allowed to relay \
		through this server. If you are attempting to send \
		mail and see this message, please contact \
		YOUR COMPANY NAME HERE directly and report this \

Hope this is helpful to others.

Comments are closed.

Powered by WordPress. Designed by WooThemes