#!!# cPanel Exim 4 Config disable_ipv6 = true hostlist loopback = <; @[]; 127.0.0.0/8 ; 0.0.0.0 ; ::1 ; 0000:0000:0000:0000:0000:ffff:7f00:0000/8 hostlist senderverifybypass_hosts = net-iplsearch;/etc/senderverifybypasshosts hostlist skipsmtpcheck_hosts = net-iplsearch;/etc/skipsmtpcheckhosts hostlist spammeripblocks = net-iplsearch;/etc/spammeripblocks hostlist blocked_incoming_email_country_ips = ${if exists{/etc/blocked_incoming_email_country_ips} {net-iplsearch;/etc/blocked_incoming_email_country_ips} {} } hostlist backupmx_hosts = lsearch;/etc/backupmxhosts hostlist trustedmailhosts = lsearch;/etc/trustedmailhosts hostlist recent_authed_mail_ips = net-iplsearch;/etc/recent_authed_mail_ips hostlist neighbor_netblocks = net-iplsearch;/etc/neighbor_netblocks hostlist greylist_trusted_netblocks = net-iplsearch;/etc/greylist_trusted_netblocks hostlist greylist_common_mail_providers = net-iplsearch;/etc/greylist_common_mail_providers hostlist cpanel_mail_netblocks = net-iplsearch;/etc/cpanel_mail_netblocks hostlist recent_recipient_mail_server_ips = net-iplsearch;/etc/recent_recipient_mail_server_ips domainlist user_domains = ${if exists{/etc/userdomains} {lsearch;/etc/userdomains} fail} domainlist local_domains = lsearch;/etc/localdomains domainlist secondarymx_domains = lsearch;/etc/secondarymx domainlist relay_domains = +local_domains : +secondarymx_domains domainlist blocked_domains = wildlsearch;/etc/blocked_incoming_email_domains domainlist manualmx_domains = ${if exists {/etc/manualmx} {lsearch;/etc/manualmx} {} } localpartlist path_safe_localparts = \N^\.*[^./][^/]*$\N smtp_accept_queue_per_connection = 30 remote_max_parallel = 10 smtp_receive_timeout = 165s ignore_bounce_errors_after = 1d rfc1413_query_timeout = 0s timeout_frozen_after = 5d auto_thaw = 7d callout_domain_negative_expire = 1h callout_negative_expire = 1h acl_not_smtp = acl_not_smtp acl_smtp_connect = acl_smtp_connect acl_smtp_data = acl_smtp_data acl_smtp_helo = acl_smtp_helo acl_smtp_mail = acl_smtp_mail acl_smtp_notquit = acl_smtp_notquit acl_smtp_rcpt = acl_smtp_rcpt message_body_newlines = true check_rfc2047_length = false keep_environment = X-SOURCE : X-SOURCE-ARGS : X-SOURCE-DIR add_environment = PATH=/usr/local/sbin::/usr/local/bin::/sbin::/bin::/usr/sbin::/usr/bin::/sbin::/bin chunking_advertise_hosts = 198.51.100.1 deliver_queue_load_max = 6 queue_only_load = 12 daemon_smtp_ports = 25 : 26 : 465 : 587 tls_on_connect_ports = 465 system_filter_user = cpaneleximfilter system_filter_group = cpaneleximfilter smtputf8_advertise_hosts = : openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 tls_require_ciphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 timezone = America/Denver spamd_address = 127.0.0.1 783 retry=30s tmo=3m tls_certificate = ${if and \ { \ {gt{$tls_in_sni}{}} \ {!match{$tls_in_sni}{/}} \ } \ {${if exists {/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \ {/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \ {${if exists {${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \ {${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \ {/etc/exim.crt} \ }} \ }} \ {/etc/exim.crt} \ } tls_privatekey = ${if and \ { \ {gt{$tls_in_sni}{}} \ {!match{$tls_in_sni}{/}} \ } \ {${if exists {/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \ {/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \ {${if exists {${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \ {${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \ {/etc/exim.key} \ }} \ }} \ {/etc/exim.key} \ } # +incoming_port, +smtp_connection, +all_parents are needed for cPanel email tracking. # +retry_defer, +subject, +arguments, +received_recipients are suggested settings that may be disabled. log_selector = +incoming_port +smtp_connection +all_parents +retry_defer +subject +arguments +received_recipients system_filter = /etc/cpanel_exim_system_filter #!!# These options specify the Access Control Lists (ACLs) that #!!# are used for incoming SMTP messages - after the RCPT and DATA #!!# commands, respectively. #!!# This setting defines a named domain list called #!!# local_domains, created from the old options that #!!# referred to local domains. It will be referenced #!!# later on by the syntax "+local_domains". #!!# Other domain and host lists may follow. addresslist secondarymx = *@partial-lsearch;/etc/secondarymx ###################################################################### # Runtime configuration file for Exim # ###################################################################### # This is a default configuration file which will operate correctly in # uncomplicated installations. Please see the manual for a complete list # of all the runtime configuration options that can be included in a # configuration file. There are many more than are mentioned here. The # manual is in the file doc/spec.txt in the Exim distribution as a plain # ASCII file. Other formats (PostScript, Texinfo, HTML) are available from # the Exim ftp sites. The manual is also online via the Exim web sites. # This file is divided into several parts, all but the last of which are # terminated by a line containing the word "end". The parts must appear # in the correct order, and all must be present (even if some of them are # in fact empty). Blank lines, and lines starting with # are ignored. ###################################################################### # MAIN CONFIGURATION SETTINGS # ###################################################################### perl_startup = do '/etc/exim.pl' #dns_retry = 1 #dns_retrans = 1s # Specify your host's canonical name here. This should normally be the fully # qualified "official" name of your host. If this option is not set, the # uname() function is called to obtain the name. smtp_banner = "${primary_hostname} ESMTP Exim ${version_number} \ \#${compile_number} ${tod_full} \n\ We do not authorize the use of this system to transport unsolicited, \n\ and/or bulk e-mail." #nobody as the sender seems to annoy people untrusted_set_sender = * local_from_check = false split_spool_directory = yes smtp_connect_backlog = 50 smtp_accept_max = 100 # primary_hostname = # Specify the domain you want to be added to all unqualified addresses # here. An unqualified address is one that does not contain an "@" character # followed by a domain. For example, "caesar@rome.ex" is a fully qualified # address, but the string "caesar" (i.e. just a login name) is an unqualified # email address. Unqualified addresses are accepted only from local callers by # default. See the receiver_unqualified_{hosts,nets} options if you want # to permit unqualified addresses from remote sources. If this option is # not set, the primary_hostname value is used for qualification. # qualify_domain = # If you want unqualified recipient addresses to be qualified with a different # domain to unqualified sender addresses, specify the recipient domain here. # If this option is not set, the qualify_domain value is used. # qualify_recipient = # Specify your local domains as a colon-separated list here. If this option # is not set (i.e. not mentioned in the configuration file), the # qualify_recipient value is used as the only local domain. If you do not want # to do any local deliveries, uncomment the following line, but do not supply # any data for it. This sets local_domains to an empty string, which is not # the same as not mentioning it at all. An empty string specifies that there # are no local domains; not setting it at all causes the default value (the # setting of qualify_recipient) to be used. #!!# message_filter renamed system_filter message_body_visible = 5000 # Specify a set of options to control the behavior of OpenSSL. The default is to # disable SSLv2 and SSLv3 due to weaknesses in these protocols. # If you want to accept mail addressed to your host's literal IP address, for # example, mail addressed to "user@[111.111.111.111]", then uncomment the # following line, or supply the literal domain(s) as part of "local_domains" # above. # local_domains_include_host_literals # No local deliveries will ever be run under the uids of these users (a colon- # separated list). An attempt to do so gets changed so that it runs under the # uid of "nobody" instead. This is a paranoic safety catch. Note the default # setting means you cannot deliver mail addressed to root as if it were a # normal user. This isn't usually a problem, as most sites have an alias for # root that redirects such mail to a human administrator. never_users = root # The use of your host as a mail relay by any host, including the local host # calling its own SMTP port, is locked out by default. If you want to permit # relaying from the local host, you should set # # host_accept_relay = localhost # # If you want to permit relaying through your host from certain hosts or IP # networks, you need to set the option appropriately, for example # # # # If you are an MX backup or gateway of some kind for some domains, you must # set relay_domains to match those domains. This will allow any host to # relay through your host to those domains. # # See the section of the manual entitled "Control of relaying" for more # information. # The setting below causes Exim to do a reverse DNS lookup on all incoming # IP calls, in order to get the true host name. If you feel this is too # expensive, you can specify the networks for which a lookup is done, or # remove the setting entirely. #host_lookup = 0.0.0.0/0 # By default, Exim expects all envelope addresses to be fully qualified, that # is, they must contain both a local part and a domain. If you want to accept # unqualified addresses (just a local part) from certain hosts, you can specify # these hosts by setting one or both of # # receiver_unqualified_hosts = # sender_unqualified_hosts = # # to control sender and receiver addresses, respectively. When this is done, # unqualified addresses are qualified using the settings of qualify_domain # and/or qualify_recipient (see above). # Exim contains support for the Realtime Blocking List (RBL) that is being # maintained as part of the DNS. See http://maps.vix.com/rbl/ for background. # Uncommenting the first line below will make Exim reject mail from any # host whose IP address is blacklisted in the RBL at maps.vix.com. Some # others have followed the RBL lead and have produced other lists: DUL is # a list of dial-up addresses, and ORBS is a list of open relay systems. The # second line below checks all three lists. # rbl_domains = rbl.maps.vix.com # rbl_domains = rbl.maps.vix.com # If you want Exim to support the "percent hack" for all your local domains, # uncomment the following line. This is the feature by which mail addressed # to x%y@z (where z is one of your local domains) is locally rerouted to # x@y and sent on. Otherwise x%y is treated as an ordinary local part. # percent_hack_domains = * #sender_host_accept = +include_unknown:* #sender_host_reject = +include_unknown:lsearch*;/etc/spammers tls_advertise_hosts = * helo_accept_junk_hosts = * smtp_enforce_sync = false #!!#######################################################!!# #!!# This new section of the configuration contains ACLs #!!# #!!# (Access Control Lists) derived from the Exim 3 #!!# #!!# policy control options. #!!# #!!#######################################################!!# #!!# These ACLs are crudely constructed from Exim 3 options. #!!# They are almost certainly not optimal. You should study #!!# them and rewrite as necessary. begin acl ######################################################################################## # DO NOT ALTER THIS BLOCK ######################################################################################## # # cPanel Default ACL Template Version: 108.002 # Template: universal.dist # ######################################################################################## # DO NOT ALTER THIS BLOCK ######################################################################################## acl_not_smtp: #BEGIN ACL-OUTGOING-NOTSMTP-CHECKALL-BLOCK # BEGIN INSERT resolve_vhost_owner warn condition = ${if eq{$originator_uid}{${perl{user2uid}{nobody}}}{1}{0}} set acl_c_vhost_owner = ${perl{resolve_vhost_owner}} # END INSERT resolve_vhost_owner # BEGIN INSERT end_default_outgoing_notsmtp_checkall accept # END INSERT end_default_outgoing_notsmtp_checkall #END ACL-OUTGOING-NOTSMTP-CHECKALL-BLOCK #BEGIN ACL-NOT-SMTP-BLOCK #END ACL-NOT-SMTP-BLOCK acl_not_smtp_mime: #BEGIN ACL-NOT-SMTP-MIME-BLOCK #END ACL-NOT-SMTP-MIME-BLOCK acl_not_smtp_start: #BEGIN ACL-NOT-SMTP-START-BLOCK #END ACL-NOT-SMTP-START-BLOCK acl_smtp_auth: #BEGIN ACL-SMTP-AUTH-BLOCK #END ACL-SMTP-AUTH-BLOCK acl_smtp_connect: #BEGIN ACL-CONNECT-BLOCK # BEGIN INSERT blockedcountryips drop message = Your country is not allowed to connect to this server. log_message = Country is banned hosts = +blocked_incoming_email_country_ips # END INSERT blockedcountryips # BEGIN INSERT delay_unknown_hosts warn !hosts = : +loopback : +neighbor_netblocks : +trustedmailhosts : +recent_authed_mail_ips : +backupmx_hosts : +skipsmtpcheck_hosts : +senderverifybypass_hosts : +greylist_trusted_netblocks : +cpanel_mail_netblocks #only rate limit port 25 condition = ${if eq {$received_port}{25}{yes}{no}} delay = 20s # END INSERT delay_unknown_hosts # BEGIN INSERT ratelimit accept hosts = : +loopback : +recent_authed_mail_ips : +backupmx_hosts accept hosts = +trustedmailhosts accept condition = ${if match_ip{$sender_host_address}{net-iplsearch;/etc/trustedmailhosts}{1}{0}} defer #only rate limit port 25 condition = ${if eq {$received_port}{25}{yes}{no}} message = The server has reached its limit for processing requests from your host. Please try again later. log_message = "Host is ratelimited ($sender_rate/$sender_rate_period max:$sender_rate_limit)" ratelimit = 1.2 / 1h / strict / per_conn / noupdate # END INSERT ratelimit # BEGIN INSERT spammerlist drop message = Your host is not allowed to connect to this server. log_message = Host is banned !hosts = : +skipsmtpcheck_hosts : +trustedmailhosts hosts = +spammeripblocks # END INSERT spammerlist #END ACL-CONNECT-BLOCK #BEGIN ACL-CONNECT-POST-BLOCK # BEGIN INSERT default_connect_post # do not change the comment in the line below, it is required for /usr/local/cpanel/bin/check_exim_config #acl_smtp_notquit is required for this to work (exim 4.68) accept # END INSERT default_connect_post #END ACL-CONNECT-POST-BLOCK acl_smtp_data: # exiscan only # exiscan only #BEGIN ACL-OUTGOING-SMTP-CHECKALL-BLOCK #END ACL-OUTGOING-SMTP-CHECKALL-BLOCK #BEGIN ACL-CHECK-MESSAGE-PRE-BLOCK # BEGIN INSERT default_check_message_pre # # Enabling this will make the server non-rfc compliant # require verify = header_sender # accept hosts = : +loopback : +recent_authed_mail_ips : +backupmx_hosts accept authenticated = * hosts = * accept condition = ${extract \ {size} \ {${stat:/etc/trustedmailhosts}} \ } hosts = +trustedmailhosts accept condition = ${extract \ {size} \ {${stat:/etc/trustedmailhosts}} \ } condition = ${if match_ip{$sender_host_address}{net-iplsearch;/etc/trustedmailhosts}{1}{0}} # END INSERT default_check_message_pre #END ACL-CHECK-MESSAGE-PRE-BLOCK #BEGIN ACL-PRE-SPAM-SCAN # BEGIN INSERT mailproviders # Research in Motion - Blackberry white list accept condition = ${if exists {/etc/mailproviders/rim/ips}{${if match_ip{$sender_host_address}{iplsearch;/etc/mailproviders/rim/ips}{1}{0}}}{0}} # END INSERT mailproviders #END ACL-PRE-SPAM-SCAN #BEGIN ACL-SPAM-SCAN-BLOCK # BEGIN INSERT default_spam_scan warn # Remove spam headers from outside sources condition = ${perl{spamd_is_available}} !hosts = +skipsmtpcheck_hosts remove_header = x-spam-subject : x-spam-status : x-spam-score : x-spam-bar : x-spam-report : x-spam-flag : x-ham-report warn condition = ${perl{spamd_is_available}} condition = ${if eq {${acl_m0}}{1}{1}{0}} spam = ${acl_m1}/defer_ok # Always make sure cPanel support mail can get through !hosts = : +trustedmailhosts : +cpanel_mail_netblocks log_message = "SpamAssassin as ${acl_m1} detected message as spam ($spam_score)" add_header = X-Spam-Subject: $rh_subject add_header = X-Spam-Status: Yes, score=$spam_score add_header = X-Spam-Score: $spam_score_int add_header = X-Spam-Bar: $spam_bar add_header = X-Spam-Report: ${sg{$spam_report}{\N\n \n\N}{\n}} add_header = X-Spam-Flag: YES set acl_m2 = 1 warn condition = ${perl{spamd_is_available}} condition = ${if eq {$spam_score_int}{}{0}{${if <= {${spam_score_int}}{8000}{${if >= {${spam_score_int}}{50}{${perl{store_spam}{$sender_host_address}{$spam_score}}}{0}}}{0}}}} warn condition = ${perl{spamd_is_available}} condition = ${if eq {${acl_m0}}{1}{${if eq {${acl_m2}}{1}{0}{1}}}{0}} add_header = X-Spam-Status: No, score=$spam_score add_header = X-Spam-Score: $spam_score_int add_header = X-Spam-Bar: $spam_bar add_header = X-Ham-Report: ${sg{$spam_report}{\N\n \n\N}{\n}} add_header = X-Spam-Flag: NO log_message = "SpamAssassin as ${acl_m1} detected message as NOT spam ($spam_score)" # END INSERT default_spam_scan #END ACL-SPAM-SCAN-BLOCK # exiscan only # exiscan only #BEGIN ACL-RATELIMIT-SPAM-BLOCK #END ACL-RATELIMIT-SPAM-BLOCK #BEGIN ACL-SPAM-BLOCK #END ACL-SPAM-BLOCK #BEGIN ACL-CHECK-MESSAGE-POST-BLOCK # BEGIN INSERT default_check_message_post accept # END INSERT default_check_message_post #END ACL-CHECK-MESSAGE-POST-BLOCK acl_smtp_etrn: #BEGIN ACL-SMTP-ETRN-BLOCK #END ACL-SMTP-ETRN-BLOCK acl_smtp_helo: #BEGIN ACL-SMTP-HELO-BLOCK #END ACL-SMTP-HELO-BLOCK #BEGIN ACL-SMTP-HELO-POST-BLOCK # BEGIN INSERT default_smtp_helo accept # END INSERT default_smtp_helo #END ACL-SMTP-HELO-POST-BLOCK acl_smtp_mail: #BEGIN ACL-MAIL-PRE-BLOCK # BEGIN INSERT default_mail_pre # ignore authenticated hosts accept authenticated = * warn condition = ${if match_ip{$sender_host_address}{+loopback}{${perl{identify_local_connection}{$sender_host_address}{$sender_host_port}{$received_ip_address}{$received_port}{1}}}{0}} set acl_c_authenticated_local_user = ${perl{get_identified_local_connection_user}} accept hosts = : +loopback : +recent_authed_mail_ips : +backupmx_hosts # END INSERT default_mail_pre #END ACL-MAIL-PRE-BLOCK #BEGIN ACL-MAIL-BLOCK # BEGIN INSERT requirehelo deny condition = ${if eq{$sender_helo_name}{}} message = HELO required before MAIL # END INSERT requirehelo # BEGIN INSERT requirehelonoforge drop # if ($sender_helo_name eq $primary_hostname) { # if (defined $interface_address) { # return is_loopback($interface_address) ? 0 : 1; #ok from localhost # } else { # return 0; #exim -bs # } # } else { # return 0; # } condition = ${if eq{${lc:$sender_helo_name}}{${lc:$primary_hostname}}{${if def:interface_address {${if match_ip{$interface_address}{+loopback}{0}{1}}}{0}}}{0}} message = "REJECTED - Bad HELO - Host impersonating [$sender_helo_name]" drop condition = ${if eq{[$interface_address]}{$sender_helo_name}} message = "REJECTED - Interface: $interface_address is _my_ address" # END INSERT requirehelonoforge # BEGIN INSERT requirehelosyntax drop condition = ${if isip{$sender_helo_name}} message = Access denied - Invalid HELO name (See RFC2821 4.1.3) drop # Required because "[IPv6:<address>]" will have no .s condition = ${if match{$sender_helo_name}{\N^\[\N}{no}{yes}} condition = ${if match{$sender_helo_name}{\N\.\N}{no}{yes}} message = Access denied - Invalid HELO name (See RFC2821 4.1.1.1) drop condition = ${if match{$sender_helo_name}{\N\.$\N}} message = Access denied - Invalid HELO name (See RFC2821 4.1.1.1) drop condition = ${if match{$sender_helo_name}{\N\.\.\N}} message = Access denied - Invalid HELO name (See RFC2821 4.1.1.1) # END INSERT requirehelosyntax #END ACL-MAIL-BLOCK #BEGIN ACL-MAIL-POST-BLOCK # BEGIN INSERT default_mail_post accept # END INSERT default_mail_post #END ACL-MAIL-POST-BLOCK acl_smtp_mailauth: #BEGIN ACL-SMTP-MAILAUTH-BLOCK #END ACL-SMTP-MAILAUTH-BLOCK acl_smtp_mime: #BEGIN ACL-SMTP-MIME-BLOCK #END ACL-SMTP-MIME-BLOCK acl_smtp_notquit: #BEGIN ACL-NOTQUIT-BLOCK # BEGIN INSERT ratelimit # ignore authenticated hosts accept authenticated = * accept hosts = : +recent_authed_mail_ips : +loopback : +backupmx_hosts warn #only rate limit port 25 condition = ${if eq {$received_port}{25}{yes}{no}} condition = ${if match {$smtp_notquit_reason}{command}{yes}{no}} log_message = "Connection Ratelimit - $sender_fullhost because of notquit: $smtp_notquit_reason ($sender_rate/$sender_rate_period max:$sender_rate_limit)" ratelimit = 1.2 / 1h / strict / per_conn # END INSERT ratelimit #END ACL-NOTQUIT-BLOCK acl_smtp_predata: #BEGIN ACL-SMTP-PREDATA-BLOCK #END ACL-SMTP-PREDATA-BLOCK acl_smtp_quit: #BEGIN ACL-SMTP-QUIT-BLOCK #END ACL-SMTP-QUIT-BLOCK acl_smtp_rcpt: #BEGIN ACL-RATELIMIT-BLOCK #END ACL-RATELIMIT-BLOCK #BEGIN ACL-PRE-RECIPIENT-BLOCK # BEGIN INSERT default_pre_recipient warn !domains = +relay_domains set acl_m_outbound_recipient = 1 # END INSERT default_pre_recipient # BEGIN INSERT delay_unknown_hosts warn !authenticated = * !hosts = : +loopback : +neighbor_netblocks : +trustedmailhosts : +recent_authed_mail_ips : +backupmx_hosts : +skipsmtpcheck_hosts : +senderverifybypass_hosts : +greylist_trusted_netblocks : +cpanel_mail_netblocks #only rate limit port 25 condition = ${if eq {$received_port}{25}{yes}{no}} delay = 20s # END INSERT delay_unknown_hosts # BEGIN INSERT dkim_disable warn control = dkim_disable_verify # END INSERT dkim_disable #END ACL-PRE-RECIPIENT-BLOCK #BEGIN ACL-RECIPIENT-BLOCK # BEGIN INSERT blockeddomains deny message = Your host is not allowed to connect to this server. log_message = Sender domain is banned sender_domains = !+local_domains : +blocked_domains # END INSERT blockeddomains # BEGIN INSERT default_recipient accept hosts = : endpass verify = recipient # Accept from any of the domain’s cached remote MX hosts. # As an optimization, we only check this for local domains because # only local domains will be in the remote MX cache. accept domains = +local_domains condition = ${if exists {/etc/domain_remote_mx_ips.cdb}{1}{0}} hosts = ${lookup{$domain}cdb{/etc/domain_remote_mx_ips.cdb}} endpass verify = recipient accept condition = ${extract{size}{${stat:/etc/skipsmtpcheckhosts}}} hosts = +skipsmtpcheck_hosts endpass verify = recipient # implemented for "suspend incoming email" feature deny domains = !$primary_hostname : +local_domains condition = ${if exists {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch{/etc/userdomains}}}}}{$value}}/etc/.${sg{$local_part}{\N[/+].*\N}{}}@${domain}.suspended_incoming}} message = 525 5.7.13 Disabled recipient address log_message = Mail to ${local_part}@${domain} has been suspended # implemented for "suspend outgoing email" feature for domains and individual webmail/pop accounts deny domains = ! +local_domains condition = ${perl{check_outgoing_mail_suspended}} message = ${perl{get_outgoing_mail_suspended_message}} log_message = ${perl{get_outgoing_mail_suspended_message}} # END INSERT default_recipient #END ACL-RECIPIENT-BLOCK #mailman only #BEGIN ACL-RECIPIENT-MAILMAN-BLOCK # BEGIN INSERT default_recipient_mailman # Accept bounces to lists even if callbacks or other checks would fail accept domains = +local_domains condition = ${if match{$local_part}{\N^(\.*[^./][^/]*)-bounces(\+.*)?$\N}} condition = ${if exists{/usr/local/cpanel/3rdparty/mailman/lists/${1}${if !eq{$domain}{$primary_hostname}{_${domain}}{}}/config.pck}} add_header = X-WhitelistedRCPT-nohdrfromcallback: Yes #if it gets here it isn't mailman # END INSERT default_recipient_mailman #END ACL-RECIPIENT-MAILMAN-BLOCK #mailman only #BEGIN ACL-IDENTIFY-SENDER-BLOCK # BEGIN INSERT default_identify_sender # Accept authenticated connections when the connection comes from the main # account (foo@foo.com, where foo.com's user is foo). Otherwise, we end up # unintentionally rejecting mail if the user is set to :fail:. accept authenticated = * condition = ${if eq{${lookup{$sender_address_domain}lsearch{/etc/userdomains}}}{$sender_address_local_part}} endpass verify = recipient # deny must be on the same line as hosts so it will get removed by buildeximconf if turned off deny hosts = ! +loopback : ! +senderverifybypass_hosts ! verify = sender accept authenticated = * endpass verify = recipient # if they used "pop before smtp" and its not bound for a localdomain we remember the recent_authed_mail_ips_domain warn domains = ! +local_domains hosts = ! +loopback hosts = +recent_authed_mail_ips set acl_c_recent_authed_mail_ips_text_entry = ${perl{get_recent_authed_mail_ips_text_entry}{1}} add_header = ${if exists{/etc/eximpopbeforesmtpwarning}{${perl{popbeforesmtpwarn}{$sender_host_address}}}{}} # if they used "pop before smtp" then we just accept accept condition = ${if exists{/etc/popbeforesmtp}{1}{0}} hosts = ! +loopback hosts = +recent_authed_mail_ips endpass verify = recipient # we need to check alwaysrelay since we don't require recentauthedmailiptracker to be enabled accept hosts = ! +loopback condition = ${if or {{eq{$acl_c_recent_authed_mail_ips_text_entry}{}}{!exists{/etc/popbeforesmtp}}}{${if exists {/etc/alwaysrelay}{${lookup{$sender_host_address}iplsearch{/etc/alwaysrelay}{1}{0}}}{0}}}{0}} set acl_c_recent_authed_mail_ips_text_entry = ${perl{get_recent_authed_mail_ips_text_entry}{1}} set acl_c_alwaysrelay = 1 endpass verify = recipient #recipient verifications are now done after smtp auth and pop before smtp so the users get back bounces instead of # a clogged outbox in outlook # If we skipped identifying the sender in acl_smtp_mail (ie !def:acl_c_authenticated_local_user) # We need to do it here before we can test the two drops warn condition = ${if !def:acl_c_authenticated_local_user} condition = ${if match_ip{$sender_host_address}{+loopback}} condition = ${perl{identify_local_connection}{$sender_host_address}{$sender_host_port}{$received_ip_address}{$received_port}{1}} set acl_c_authenticated_local_user = ${perl{get_identified_local_connection_user}} # drop connections to localhost that are from demo accounts (required for manual connections) drop condition = ${if def:acl_c_authenticated_local_user} condition = ${if !eq{$acl_c_authenticated_local_user}{root}} condition = ${if match_ip{$sender_host_address}{+loopback}} condition = ${lookup{$acl_c_authenticated_local_user}lsearch{/etc/demousers}{1}} message = Demo accounts may not send mail # drop connections to localhost that fail auth (required for Horde) drop condition = $authentication_failed condition = ${if match_ip{$sender_host_address}{+loopback}} message = Authentication failed # we learned this in the acl_smtp_mail block accept condition = ${if def:acl_c_authenticated_local_user} endpass verify = recipient # END INSERT default_identify_sender # BEGIN INSERT default_message_submission # Reject unauthenticated relay on port 587 drop condition = ${if eq{$received_port}{587}{1}{0}} message = SMTP AUTH is required for message submission on port 587 # END INSERT default_message_submission #END ACL-IDENTIFY-SENDER-BLOCK #BEGIN ACL-RECP-VERIFY-BLOCK # BEGIN INSERT default_recp_verify # recipient verification to confirm the address is routable. # no callouts to remote systems are performed by default. require verify = recipient # skip content scanning for suspended recipients that are being queued, blackholed or relayed accept condition = ${extract{suspended}{$address_data}} # END INSERT default_recp_verify #END ACL-RECP-VERIFY-BLOCK #BEGIN ACL-POST-RECP-VERIFY-BLOCK # BEGIN INSERT dictionary_attack warn log_message = "Detected Dictionary Attack (Let $rcpt_fail_count bad recipients though before engaging)" condition = ${if > {${eval:$rcpt_fail_count}}{4}{yes}{no}} set acl_m7 = 1 warn condition = ${if eq {${acl_m7}}{1}{1}{0}} ratelimit = 0 / 1h / strict / per_conn log_message = "Increment Connection Ratelimit - $sender_fullhost because of Dictionary Attack" drop condition = ${if eq {${acl_m7}}{1}{1}{0}} message = "Number of failed recipients exceeded. Come back in a few hours." # END INSERT dictionary_attack #END ACL-POST-RECP-VERIFY-BLOCK #BEGIN ACL-TRUSTEDLIST-BLOCK # BEGIN INSERT trustedmailhosts accept hosts = +trustedmailhosts accept condition = ${if match_ip{$sender_host_address}{net-iplsearch;/etc/trustedmailhosts}{1}{0}} # END INSERT trustedmailhosts #END ACL-TRUSTEDLIST-BLOCK #BEGIN ACL-RBL-BLOCK #END ACL-RBL-BLOCK #BEGIN ACL-MAILAUTH-BLOCK #END ACL-MAILAUTH-BLOCK #BEGIN ACL-GREYLISTING-BLOCK #END ACL-GREYLISTING-BLOCK #BEGIN ACL-RCPT-HARD-LIMIT-BLOCK #END ACL-RCPT-HARD-LIMIT-BLOCK #BEGIN ACL-RCPT-SOFT-LIMIT-BLOCK #END ACL-RCPT-SOFT-LIMIT-BLOCK #BEGIN ACL-SPAM-SCAN-CHECK-BLOCK # BEGIN INSERT default_spam_scan_check # The only problem with this setup is that if the message is for multiple users on the same server # and they are on different unix accounts, the settings for the first recipient which has spamassassin enabled will be used. # This shouldn't be a problem 99.9% of the time, however its a very small price to pay for a massive speed increase. warn domains = +local_domains condition = ${if <= {$message_size}{1000K}} condition = ${if !eq{${acl_m0}}{1}} condition = ${if exists{/etc/global_spamassassin_enable}{1}{${if exists{${extract{5}{::}{${lookup passwd{${if eq{$domain}{$primary_hostname}{${sg{$local_part}{\N[/+].*\N}{}}}{${lookup{$domain}lsearch{/etc/userdomains}}}}}}}}/.spamassassinenable}}}} set acl_m0 = 1 # $local_part should work here rather than $local_part_data, but # $local_part_data sidesteps a taint-checking bug in Exim 4.94. # # Commit 12b7f811de is advertised as the fix for it, but during # testing an Exim built with that change still had the bug. # cf. https://www.mail-archive.com/exim-users@exim.org/msg54624.html # set acl_m1 = ${if eq{$domain}{$primary_hostname}{${sg{$local_part_data}{\N[/+].*\N}{}}}{${lookup{$domain}lsearch{/etc/userdomains}}}} # END INSERT default_spam_scan_check # BEGIN INSERT spam_scan_secondarymx # Support for scanning secondarymx domains warn domains = ! +local_domains : +secondarymx_domains condition = ${if <= {$message_size}{1000K}{1}{0}} set acl_m0 = 1 set acl_m1 = cpaneleximscanner # END INSERT spam_scan_secondarymx #END ACL-SPAM-SCAN-CHECK-BLOCK #BEGIN ACL-POST-SPAM-SCAN-CHECK-BLOCK # BEGIN INSERT delay_unknown_hosts warn #acl_m2 is spam = YES condition = ${if eq {${acl_m2}}{1}{1}{0}} !hosts = : +loopback : +neighbor_netblocks : +trustedmailhosts : +recent_authed_mail_ips : +backupmx_hosts : +skipsmtpcheck_hosts : +senderverifybypass_hosts : +greylist_trusted_netblocks : +cpanel_mail_netblocks delay = 40s # END INSERT delay_unknown_hosts # BEGIN INSERT mailproviders # Research in Motion - Blackberry white list warn condition = ${if exists {/etc/mailproviders/rim/ips}{${if match_ip{$sender_host_address}{iplsearch;/etc/mailproviders/rim/ips}{1}{0}}}{0}} set acl_m0 = 0 # END INSERT mailproviders #END ACL-POST-SPAM-SCAN-CHECK-BLOCK #BEGIN ACL-RECIPIENT-POST-BLOCK # BEGIN INSERT default_recipient_post accept domains = +relay_domains deny message = ${expand:${lookup{host_accept_relay}lsearch{/etc/eximrejects}{$value}}} log_message = Rejected relay attempt: '$sender_host_address' From: '$sender_address' To: '$local_part@$domain' # END INSERT default_recipient_post #END ACL-RECIPIENT-POST-BLOCK acl_smtp_starttls: #BEGIN ACL-SMTP-STARTTLS-BLOCK #END ACL-SMTP-STARTTLS-BLOCK acl_smtp_vrfy: #BEGIN ACL-SMTP-SMTP-VRFY-BLOCK #END ACL-SMTP-SMTP-VRFY-BLOCK acl_smtp_dkim: #BEGIN ACL-SMTP-DKIM-BLOCK #END ACL-SMTP-DKIM-BLOCK begin authenticators dovecot_plain: driver = dovecot public_name = PLAIN server_socket = /var/run/dovecot/auth-client server_set_id = $auth1 server_condition = ${if and {{!match {$auth1}{\N[/]\N}}{eq{${if match {$auth1}{\N[+%:@]\N}{${lookup{${extract{2}{+%:@}{$auth1}}}lsearch{/etc/demodomains}{yes}}}{${lookup{$auth1}lsearch{/etc/demousers}{yes}}}}}{}}}{true}{false}} dovecot_login: driver = dovecot public_name = LOGIN server_socket = /var/run/dovecot/auth-client server_set_id = $auth1 server_condition = ${if and {{!match {$auth1}{\N[/]\N}}{eq{${if match {$auth1}{\N[+%:@]\N}{${lookup{${extract{2}{+%:@}{$auth1}}}lsearch{/etc/demodomains}{yes}}}{${lookup{$auth1}lsearch{/etc/demousers}{yes}}}}}{}}}{true}{false}} # smarthost authentication disabled ###################################################################### # REWRITE CONFIGURATION # ###################################################################### # There are no rewriting specifications in this default configuration file. begin rewrite #!!#######################################################!!# #!!# Here follow routers created from the old routers, #!!# #!!# for handling non-local domains. #!!# #!!#######################################################!!# begin routers ###################################################################### # ROUTERS CONFIGURATION # # Specifies how remote addresses are handled # ###################################################################### # ORDER DOES MATTER # # A remote address is passed to each in turn until it is accepted. # ###################################################################### # Remote addresses are those with a domain that does not match any item # in the "local_domains" setting above. blackhole_dovenull: driver= redirect local_parts = "@dovenull" allow_fail = true data = :fail: Unrouteable address deliver_local_outside_jail: driver = manualroute require_files = "+/jail_owner" # users outside the jail will not be in /etc/passwd => We need to check if $local_part is in /jail_owner # we can't just check to see if they exist # because we still want to be able to mail root domains = +local_domains transport = remote_smtp route_list = "* 127.0.0.1" # self = send allows us to send outside the jail # we make sure /home/virtfs does not exist before we get here # to be safe self = send suspendedcheck: driver = redirect domains = +local_domains local_parts = ${if eq {$domain} \ {$primary_hostname} \ {+path_safe_localparts} \ {*} \ } require_files = \ +/etc/exim_suspended_list \ : +/var/cpanel/suspended/${if eq {$domain} {$primary_hostname} \ {$local_part} \ {${lookup \ {$domain} \ lsearch{/etc/userdomains} \ {$value} \ {::::invalid::::} \ }} \ } local_part_suffix = +* local_part_suffix_optional allow_fail allow_defer allow_freeze # Sets r_suspendinfo to the contents of the suspendinfo file, # r_suspended_shell to the original shell of the suspended account, # r_suspended_redirect to the real mapped redirect setting. set = r_suspended_shell=${perl \ {get_suspended_shell} \ {${if eq {$domain} {$primary_hostname} \ {$local_part} \ {${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}} \ }} \ } # This skips content scanning for the primary account address with # live-transfers and handles the special :queue: setting by pretending # those are :blackhole: deliveries during address verification address_data = \ router=$router_name \ ${if \ !match {${lookup \ {$local_part@$domain} \ wildlsearch{/etc/exim_suspended_list} \ {$value} \ {:unknown:} \ }} \ {\N^\s*(:unknown:.*)?$\N} \ { \ suspended=1 \ redirect=${quote:${if \ !match{${lookup \ {$local_part@$domain} \ wildlsearch{/etc/exim_suspended_list} \ {$value} \ {:unknown:} \ }} \ {\N^\s*:\N} \ {${if eq \ {$verify_mode} \ {} \ {${lookup{$local_part@$domain} \ wildlsearch{/etc/exim_suspended_list} \ {$value} \ {:unknown:} \ }} \ {:blackhole:} \ }} \ {${sg \ {${lookup {$local_part@$domain} \ wildlsearch{/etc/exim_suspended_list} \ {$value} \ {:unknown:} \ }} \ {\N^\s*:queue:\N} \ {${if eq \ {$verify_mode} \ {} \ {:defer:} \ {:blackhole:} \ }} \ }} \ }} \ } \ } data = ${extract \ {redirect} \ {$address_data} \ } # The main routers handle traffic to the lists themselves and the suffixed ones # handle mail to administrative aliases. We have to use a two step process # because otherwise mail to a list such as foo-admin@example.tld will not be # handled properly. mailman_virtual_router: driver = accept domains = !$primary_hostname : +local_domains local_parts = +path_safe_localparts require_files = /usr/local/cpanel/3rdparty/mailman/lists/${lc::$local_part}_${lc::$domain}/config.pck : /usr/local/cpanel/3rdparty/mailman/mail/mailman transport = mailman_virtual_transport mailman_virtual_router_suffixed: driver = accept require_files = /usr/local/cpanel/3rdparty/mailman/lists/${lc::$local_part}_${lc::$domain}/config.pck : /usr/local/cpanel/3rdparty/mailman/mail/mailman domains = !$primary_hostname : +local_domains local_parts = +path_safe_localparts local_part_suffix = -admin : \ -bounces : -bounces+* : \ -confirm : -confirm+* : \ -join : -leave : \ -owner : -request : \ -subscribe : -unsubscribe transport = mailman_virtual_transport mailman_virtual_router_nodns: driver = accept require_files = /usr/local/cpanel/3rdparty/mailman/lists/${lc::$local_part}/config.pck : /usr/local/cpanel/3rdparty/mailman/mail/mailman condition = \ ${if or {{match{$local_part}{.*_.*}} \ {eq{$local_part}{mailman}}} \ {1}{0}} domains = $primary_hostname local_parts = +path_safe_localparts transport = mailman_virtual_transport_nodns mailman_virtual_router_nodns_suffixed: driver = accept require_files = /usr/local/cpanel/3rdparty/mailman/lists/${lc::$local_part}/config.pck : /usr/local/cpanel/3rdparty/mailman/mail/mailman condition = \ ${if or {{match{$local_part}{.*_.*}} \ {eq{$local_part}{mailman}}} \ {1}{0}} local_part_suffix = -admin : \ -bounces : -bounces+* : \ -confirm : -confirm+* : \ -join : -leave : \ -owner : -request : \ -subscribe : -unsubscribe domains = $primary_hostname local_parts = +path_safe_localparts transport = mailman_virtual_transport_nodns democheck: driver = redirect require_files = "+/etc/demouids" condition = ${if >= {$originator_uid}{100}{1}{0}} condition = "${extract{size}{${stat:/etc/demouids}}}" condition = "${if eq \ {${lookup \ {$originator_uid} \ lsearch{/etc/demouids} \ {$value} \ }} \ {} \ {false} \ {true} \ }" allow_fail data = :fail: demo accounts are not permitted to relay email # # This is to make sure that cpanel@* always passes sender verification # so that the system notifications don't get rejected by spam filters # doing a sender verification check. # blackhole_cpanel_at: driver = redirect local_parts = cpanel domains = !$primary_hostname verify_only data = :blackhole: # cPanel Mail Archiving is disabled # # Handles identification of messages, nobody and webspam and mail trap checks # in check_mail_permissions and notifies if we are defering a message # boxtrapper_autowhitelist: driver = accept condition = ${if eq {$authenticated_id}{}{0}{${if eq {$sender_address}{$local_part@$domain}{0}{${if match{$received_protocol}{\N^e?smtps?a$\N}{${perl{checkbx_autowhitelist}{$authenticated_id}}}{${if eq{$received_protocol}{local}{${perl{checkbx_autowhitelist}{$sender_ident}}}{0}}}}}}}} require_files = "+/usr/local/cpanel/bin/boxtrapper" transport = boxtrapper_autowhitelist no_verify unseen check_mail_permissions: domains = ! +local_domains condition = ${if eq {$authenticated_id}{root}{0}{1}} ignore_target_hosts = +loopback : 64.94.110.0/24 driver = redirect allow_filter reply_transport = address_reply user = mailnull no_verify expn = false condition = "${perl{check_mail_permissions}}" data = "${perl{check_mail_permissions_results}}" # # discover_sender_information is not included # because from_rewrites are not enabled # # # If check_mail_permissions needs to defer or fail a message it is done here # enforce_mail_permissions: domains = ! +local_domains ignore_target_hosts = +loopback : 64.94.110.0/24 condition = ${if eq {$authenticated_id}{root}{0}{1}} driver = redirect allow_fail allow_defer no_verify expn = false condition = "${perl{enforce_mail_permissions}}" data = "${perl{enforce_mail_permissions_results}}" # # Increments max emails per hour if needed # increment_max_emails_per_hour_if_needed: domains = ! +local_domains ignore_target_hosts = +loopback : 64.94.110.0/24 condition = ${if eq {$authenticated_id}{root}{0}{1}} driver = redirect allow_fail no_verify one_time expn = false condition = "${perl{increment_max_emails_per_hour_if_needed}}" data = ":unknown:" # # reject_forwarded_mail_marked_as_spam is not included # because no_forward_outbound_spam and no_forward_outbound_spam_over_int # are both disabled # # This router routes to a statically defined host from /etc/manualmx # so that any mail received for the domain will skip MX lookups and attempt to # deliver the message directly to the specified host. manualmx: driver = manualroute domains = +manualmx_domains transport = remote_smtp route_data = ${lookup \ {$domain} \ lsearch{/etc/manualmx} \ } # # lookuphost router # # # Lookup host router for remote smtp and ignores verisign site finder 'service' # This matches lookup exactly except we look for X-Precedence and Precedence so # we can determinte what is an auto responder message in the log. # Note: there is nothing to # prevent X-Precedence from being added to non-autoresponded messages so this is for # logging reasons only # # Note: Boxtrapper sets Precedence to auto_reply # autoreply_dkim_lookuphost: driver = dnslookup domains = ! +local_domains condition = "${perl{sender_domain_can_dkim_sign}}" condition = "${if \ or { \ {match{$h_precedence:}{auto}} \ {match{$h_x-precedence:}{auto}} \ } \ {1}{0} \ }" #ignore verisign to prevent waste of bandwidth ignore_target_hosts = +loopback : 64.94.110.0/24 headers_add = "${perl{mailtrapheaders}}" transport = dkim_remote_smtp # # Lookup host router for remote smtp and ignores verisign site finder 'service' and uses domain keys # dkim_lookuphost: driver = dnslookup domains = ! +local_domains condition = "${perl{sender_domain_can_dkim_sign}}" #ignore verisign to prevent waste of bandwidth ignore_target_hosts = +loopback : 64.94.110.0/24 headers_add = "${perl{mailtrapheaders}}" .ifdef SRSENABLED # if outbound, and forwarding has been done, use an alternate transport transport = ${if eq {$local_part@$domain} \ {$original_local_part@$original_domain} \ {dkim_remote_smtp} {dkim_remote_forwarded_smtp}} .else transport = dkim_remote_smtp .endif # # Lookup host router for remote smtp and ignores verisign site finder 'service' # This matches lookup exactly except we look for X-Precedence and Precedence so # we can determinte what is an auto responder message in the log. # Note: there is nothing to # prevent X-Precedence from being added to non-autoresponded messages so this is for # logging reasons only # # Note: Boxtrapper sets Precedence to auto_reply # autoreply_lookuphost: driver = dnslookup domains = ! +local_domains condition = "${if \ or { \ {match{$h_precedence:}{auto}} \ {match{$h_x-precedence:}{auto}} \ } \ {1}{0} \ }" #ignore verisign to prevent waste of bandwidth ignore_target_hosts = +loopback : 64.94.110.0/24 headers_add = "${perl{mailtrapheaders}}" transport = remote_smtp # # Lookup host router for remote smtp and ignores verisign site finder 'service' # lookuphost: # router from etc/exim/replacecf/dkim/lookuphost driver = dnslookup domains = ! +local_domains #ignore verisign to prevent waste of bandwidth ignore_target_hosts = +loopback : 64.94.110.0/24 headers_add = "${perl{mailtrapheaders}}" .ifdef SRSENABLED # if outbound, and forwarding has been done, use an alternate transport transport = ${if eq {$local_part@$domain} \ {$original_local_part@$original_domain} \ {remote_smtp} {remote_forwarded_smtp}} .else transport = remote_smtp .endif # This router routes to remote hosts over SMTP by explicit IP address, # given as a "domain literal" in the form [nnn.nnn.nnn.nnn]. The RFCs # require this facility, which is why it is enabled by default in Exim. # If you want to lock it out, set forbid_domain_literals in the main # configuration section above. # # Literal Transports .. ignores verisigns sitefinder service # literal: driver = ipliteral domains = ! +local_domains ignore_target_hosts = +loopback : 64.94.110.0/24 headers_add = "${perl{mailtrapheaders}}" .ifdef SRSENABLED # if outbound, and forwarding has been done, use an alternate transport transport = ${if eq {$local_part@$domain} \ {$original_local_part@$original_domain} \ {remote_smtp} {remote_forwarded_smtp}} .else transport = remote_smtp .endif #!!# This new router is put here to fail all domains that #!!# were not in local_domains in the Exim 3 configuration. # # Trap Failures to Remote Domain # fail_remote_domains: driver = redirect domains = ! +local_domains : ! localhost : ! localhost.localdomain allow_fail data = ${if eq {$verify_mode}{S} \ {:fail: The mail server does not recognize $local_part@$domain as a valid sender.} \ {:fail: The mail server could not deliver mail to $local_part@$domain. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.} \ } #!!#######################################################!!# #!!# Here follow routers created from the old directors, #!!# #!!# for handling local domains. #!!# #!!#######################################################!!# ###################################################################### # DIRECTORS CONFIGURATION # # Specifies how local addresses are handled # ###################################################################### # ORDER DOES MATTER # # A local address is passed to each in turn until it is accepted. # ###################################################################### # Local addresses are those with a domain that matches some item in the # "local_domains" setting above, or those which are passed back from the # routers because of a "self=local" setting (not used in this configuration). # This director handles aliasing using a traditional /etc/aliases file. # If any of your aliases expand to pipes or files, you will need to set # up a user and a group for these deliveries to run under. You can do # this by uncommenting the "user" option below (changing the user name # as appropriate) and adding a "group" option if necessary. Alternatively, you # can specify "user" on the transports that are used. Note that those # listed below are the same as are used for .forward files; you might want # to set up different ones for pipe and file deliveries from aliases. #spam_filter: # driver = forwardfile # file = /etc/spam.filter # no_check_local_user # no_verify # filter # allow_system_actions # # Account level filtering for everything but the main account # central_filter: driver = redirect allow_filter allow_fail forbid_filter_run forbid_filter_perl forbid_filter_lookup forbid_filter_readfile forbid_filter_readsocket no_check_local_user domains = !$primary_hostname : dsearch;/etc/vfilters require_files = "+/etc/vfilters/${domain_data}" condition = "${extract \ {size} \ {${stat:/etc/vfilters/${domain_data}}} \ }" file = /etc/vfilters/${domain_data} file_transport = address_file directory_transport = address_directory pipe_transport = ${if forall \ {/bin/cagefs_enter:/usr/sbin/cagefsctl} \ {exists{$item}} \ {cagefs_virtual_address_pipe} \ {${if forany \ {${extract{6} \ {:} \ {${lookup \ passwd{ \ ${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ } \ } \ }} \ }:$r_suspended_shell} \ {match{$item}{\N(jail|no)shell\N}} \ {jailed_virtual_address_pipe} \ {virtual_address_pipe} \ }} \ } reply_transport = address_reply router_home_directory = ${extract \ {5} \ {::} \ {${lookup \ passwd{${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}} \ {$value} \ }} \ } user = "${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}" no_verify # # Account level filtering for the main account # # checks /etc/vfilters/maindomain if its a localuser (ie main acct) # mainacct_central_user_filter: driver = redirect allow_filter allow_fail forbid_filter_run forbid_filter_perl forbid_filter_lookup forbid_filter_readfile forbid_filter_readsocket check_local_user domains = $primary_hostname condition = ${if eq \ {${lookup \ {$local_part_data} \ lsearch{/etc/domainusers} \ {$value} \ }} \ {} \ {0} \ {${if exists \ {/etc/vfilters/${lookup \ {$local_part_data} \ lsearch{/etc/domainusers} \ {$value} \ }} \ {${extract \ {size} \ {${stat:/etc/vfilters/${lookup \ {$local_part_data} \ lsearch{/etc/domainusers} \ {$value} \ }}} \ }} \ {0} \ }} \ } file = "/etc/vfilters/${lookup \ {$local_part_data} \ lsearch{/etc/domainusers} \ {$value} \ }" directory_transport = address_directory file_transport = address_file pipe_transport = ${if forall \ {/bin/cagefs_enter:/usr/sbin/cagefsctl} \ {exists{$item}} \ {cagefs_address_pipe} \ {${if forany \ {${extract \ {6} \ {:} \ {${lookup \ passwd{$local_part_data} \ }} \ } \:$r_suspended_shell} \ {match{$item}{\N(jail|no)shell\N}} \ {jailed_address_pipe} \ {address_pipe} \ }} \ } reply_transport = address_reply user = $local_part_data group = $local_part_data retry_use_local_part no_verify # # User Level Filtering for the main account # central_user_filter: driver = redirect allow_filter allow_fail forbid_filter_run forbid_filter_perl forbid_filter_lookup forbid_filter_readfile forbid_filter_readsocket check_local_user domains = $primary_hostname require_files = "+${extract \ {5} \ {::} \ {${lookup \ passwd{$local_part_data} \ {$value} \ }} \ }/etc/filter" condition = "${extract \ {size} \ {${stat:${extract \ {5} \ {::} \ {${lookup \ passwd{$local_part_data} \ {$value} \ }} \ }/etc/filter}} \ }" file = "${extract \ {5} \ {::} \ {${lookup \ passwd{$local_part_data} \ {$value} \ }} \ }/etc/filter" router_home_directory = ${extract \ {5} \ {::} \ {${lookup \ passwd{$local_part_data} \ {$value} \ }} \ } directory_transport = address_directory file_transport = address_file pipe_transport = ${if forall \ {/bin/cagefs_enter:/usr/sbin/cagefsctl} \ {exists{$item}} \ {cagefs_address_pipe} \ {${if forany \ {${extract \ {6} \ {:} \ {${lookup \ passwd{$local_part_data} \ }} \ } \:$r_suspended_shell} \ {match{$item}{\N(jail|no)shell\N}} \ {jailed_address_pipe} \ {address_pipe} \ }} \ } reply_transport = address_reply user = $local_part_data group = $local_part_data local_part_suffix = +* local_part_suffix_optional retry_use_local_part no_verify # # User Level Filtering for virtual users # virtual_user_filter: driver = redirect allow_filter allow_fail forbid_filter_run forbid_filter_perl forbid_filter_lookup forbid_filter_readfile forbid_filter_readsocket domains = \ !$primary_hostname \ : ${lookup \ {$domain} \ lsearch{/etc/userdomains} \ {${perl{untaint}{$domain}}} \ } require_files = "+${extract \ {5} \ {::} \ {${lookup \ passwd{${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}} \ {$value} \ }} \ }/etc/$domain_data/$local_part_data/filter" user = "${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}" router_home_directory = ${extract \ {5} \ {::} \ {${lookup \ passwd{${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}} \ {$value} \ }} \ } local_parts = ${if exists{${extract \ {5} \ {::} \ {${lookup \ passwd{${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}} \ {$value} \ }} \ }/etc/$domain_data}{dsearch;${extract \ {5} \ {::} \ {${lookup \ passwd{${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}} \ {$value} \ }} \ }/etc/$domain_data}} condition = "${extract{size}{${stat:$home/etc/$domain_data/$local_part_data/filter}}}" file = "$home/etc/$domain_data/$local_part_data/filter" directory_transport = address_directory file_transport = address_file pipe_transport = ${if forall \ {/bin/cagefs_enter:/usr/sbin/cagefsctl} \ {exists{$item}} \ {cagefs_virtual_address_pipe} \ {${if forany \ {${extract{6} \ {:} \ {${lookup \ passwd{ \ ${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ } \ } \ }} \ }:$r_suspended_shell} \ {match{$item}{\N(jail|no)shell\N}} \ {jailed_virtual_address_pipe} \ {virtual_address_pipe} \ }} \ } reply_transport = address_reply local_part_suffix = +* local_part_suffix_optional retry_use_local_part no_verify virtual_aliases_nostar: driver = redirect allow_defer allow_fail domains = !$primary_hostname : dsearch;/etc/valiases user = "${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}" address_data = \ "router=$router_name \ redirect=${quote:${lookup \ {$local_part@$domain_data} \ lsearch{/etc/valiases/$domain_data} \ }}" data = ${extract \ {redirect} \ {$address_data} \ } file_transport = address_file pipe_transport = ${if forall \ {/bin/cagefs_enter:/usr/sbin/cagefsctl} \ {exists{$item}} \ {cagefs_virtual_address_pipe} \ {${if forany \ {${extract \ {6} \ {:} \ {${lookup \ passwd{$local_part_data} \ }} \ } \:$r_suspended_shell} \ {match{$item}{\N(jail|no)shell\N}} \ {jailed_virtual_address_pipe} \ {virtual_address_pipe} \ }} \ } router_home_directory = ${extract \ {5} \ {::} \ {${lookup \ passwd{${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}} \ {$value} \ }} \ } local_part_suffix = +* local_part_suffix_optional retry_use_local_part unseen virtual_user_overquota: driver = redirect domains = !$primary_hostname : ${lookup{$domain}lsearch{/etc/userdomains}{${perl{untaint}{$domain}}}} require_files = "+$home/etc/$domain_data" user = "${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}" router_home_directory = ${extract \ {5} \ {::} \ {${lookup \ passwd{${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}} \ {$value} \ }} \ } # NB: On busy servers Dovecot may take several seconds to respond to # this request. So we set the timeout generously: condition = "${if match {${readsocket{/var/run/dovecot/quota-status}{request=smtpd_access_policy\nrecipient=${quote:$local_part}@${quote:$domain_data}\nsize=$message_size\n\n}{30s}{\n}{SOCKETFAIL}}}{action=5}{true}{false}}" data = ":fail:Mailbox is full / Blocks limit exceeded / Inode limit exceeded" verify_only allow_fail # # Virtual User Spam Boxes # virtual_user_spam: driver = redirect local_parts = +path_safe_localparts domains = \ !$primary_hostname \ : ${lookup \ {$domain} \ lsearch{/etc/userdomains} \ {${perl{untaint}{$domain}}} \ } condition = ${if match{$h_x-spam-status:}{\N^Yes\N}{true}{false}} require_files = \ "+${extract \ {5} \ {::} \ {${lookup \ passwd{${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}} \ {$value} \ }} \ }/.spamassassinboxenable: \ +${extract \ {5} \ {::} \ {${lookup \ passwd{${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}} \ {$value} \ }} \ }/mail/$domain_data/$local_part" router_home_directory = ${extract \ {5} \ {::} \ {${lookup \ passwd{${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}} \ {$value} \ }} \ } headers_remove="x-uidl" data = "${quote_local_part:$local_part}+spam@$domain_data" redirect_router = virtual_user virtual_boxtrapper_user: driver = accept local_parts = +path_safe_localparts domains = !$primary_hostname : ${lookup \ {$domain} \ lsearch{/etc/userdomains} \ {${perl{untaint} \ {$domain} \ }} \ } require_files = "+/usr/local/cpanel/bin/boxtrapper:+${extract \ {5} \ {::} \ {${lookup \ passwd{${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}} \ {$value} \ }} \ }/etc/$domain_data/$local_part/.boxtrapperenable:+${extract \ {5} \ {::} \ {${lookup \ passwd{${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}} \ {$value} \ }} \ }/mail/$domain_data/$local_part" user = "${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}" router_home_directory = "${extract \ {5} \ {::} \ {${lookup \ passwd{${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}} \ {$value} \ }} \ }" headers_remove="x-uidl" transport = virtual_boxtrapper_userdelivery virtual_user: driver = accept domains = \ !$primary_hostname \ : ${lookup \ {$domain} \ lsearch{/etc/userdomains} \ {${perl{untaint}{$domain}}} \ } local_parts = +path_safe_localparts require_files = "+${extract \ {5} \ {::} \ {${lookup \ passwd{${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}} \ {$value} \ }} \ }/mail/$domain_data/$local_part" router_home_directory = ${extract \ {5} \ {::} \ {${lookup \ passwd{${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}} \ {$value} \ }} \ } headers_remove="x-uidl" local_part_suffix = +* local_part_suffix_optional user = mailnull group = mail transport = dovecot_virtual_delivery set = r_bcc_addr=${if forany \ {${addresses:$h_to:}:${addresses:$h_cc:}} \ {or { \ {eqi \ {${extract{1}{+}{${local_part:$item}}}@${domain:$item}} \ {$local_part@$domain_data} \ } \ {eqi \ {${extract{1}{+}{${local_part:$item}}}@${domain:$item}} \ {$original_local_part@$original_domain} \ } \ }} \ {} \ {$local_part@$domain} \ } set = r_cpanel_user=${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}} # # If the delivery address, original address (forwarded), # or address with subaddress is shown on the To: or Cc: # lines or the message has the List-Id: or Precedence: # header we allow the message to be batched to # dovecot LMTP via transport dovecot_virtual_delivery # # If it does match match the above we do not allow the message # to be batched in order to ensure that the Envelope-To: header # does not contain a user that was Bcc:ed so savvy recipients # cannot see that another email was Bcc:ed in the header # via transport dovecot_virtual_delivery_no_batch # # Note: match_address would be nice here but the second string # is not expanded for security reasons # # # has_alias_but_no_mailbox_discarded_to_prevent_loop required either of the following: # # 1. There is an active alias in the valias file # 2. There is an active autoresponder and the * is set to :fail: # has_alias_but_no_mailbox_discarded_to_prevent_loop: driver = redirect domains = !$primary_hostname : dsearch;/etc/valiases condition = ${lookup \ {$local_part@$domain_data} \ lsearch{/etc/valiases/$domain_data} \ {1} \ {0} \ } condition = "${if forany{<, \ ${lookup \ {$local_part@$domain_data} \ lsearch{/etc/valiases/$domain_data} \ {$value} \ }} \ {!match{$item}{\N/autorespond\N}} \ {1} \ {${if match \ {${lookup \ {\N*\N} \ lsearch{/etc/valiases/$domain_data} \ {$value} \ }} \ {:fail:} \ {1} \ {0} \ }} \ }" data=":blackhole:" local_part_suffix = +* local_part_suffix_optional disable_logging = true # srs is disabled valias_domain_file: driver = redirect allow_defer allow_fail domains = !$primary_hostname : dsearch;/etc/vdomainaliases user = "${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}" condition = ${lookup {$domain_data} lsearch {/etc/vdomainaliases/$domain_data}{yes}{no} } address_data = router=$router_name redirect=${quote:${quote_local_part:$local_part}@${lookup{$domain_data}lsearch{/etc/vdomainaliases/$domain_data}}} data = ${extract{redirect}{$address_data}} virtual_aliases: driver = redirect allow_defer allow_fail domains = !$primary_hostname : dsearch;/etc/valiases user = "${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}" router_home_directory = ${extract \ {5} \ {::} \ {${lookup \ passwd{${lookup \ {$domain_data} \ lsearch{/etc/userdomains} \ {$value}}} \ {$value} \ }} \ } address_data = \ "router=$router_name \ redirect=${quote:${lookup \ {*} \ lsearch{/etc/valiases/$domain_data} \ }}" data = ${extract \ {redirect} \ {$address_data} \ } file_transport = address_file pipe_transport = ${if forall \ {/bin/cagefs_enter:/usr/sbin/cagefsctl} \ {exists{$item}} \ {cagefs_virtual_address_pipe} \ {${if forany \ {${extract \ {6} \ {:} \ {${lookup \ passwd{$local_part_data} \ }} \ } \:$r_suspended_shell} \ {match{$item}{\N(jail|no)shell\N}} \ {jailed_virtual_address_pipe} \ {virtual_address_pipe} \ }} \ } # This director handles forwarding using traditional .forward files. # If you want it also to allow mail filtering when a forward file # starts with the string "# Exim filter", uncomment the "filter" option. # The check_ancestor option means that if the forward file generates an # address that is an ancestor of the current one, the current one gets # passed on instead. This covers the case where A is aliased to B and B # has a .forward file pointing to A. The three transports specified at the # end are those that are used when forwarding generates a direct delivery # to a file, or to a pipe, or sets up an auto-reply, respectively. system_aliases: driver = redirect allow_defer allow_fail domains = $primary_hostname : localhost address_data = \ "router=$router_name \ redirect=${quote: \ ${lookup \ {$local_part} \ lsearch{/etc/aliases} \ }}" data = ${extract \ {redirect} \ {$address_data} \ } file_transport = address_file pipe_transport = address_pipe # user = exim local_aliases: driver = redirect allow_defer allow_fail domains = $primary_hostname : localhost address_data = \ "router=$router_name \ redirect=${quote: \ ${lookup \ {$local_part} \ lsearch{/etc/localaliases} \ }}" data = ${extract \ {redirect} \ {$address_data} \ } file_transport = address_file pipe_transport = address_pipe check_local_user userforward: driver = redirect allow_filter allow_fail forbid_filter_run forbid_filter_perl forbid_filter_lookup forbid_filter_readfile forbid_filter_readsocket check_ancestor check_local_user domains = $primary_hostname no_expn require_files = "+$home/.forward" condition = "${extract{size}{${stat:$home/.forward}}}" file = $home/.forward file_transport = address_file pipe_transport = ${if forall \ {/bin/cagefs_enter:/usr/sbin/cagefsctl} \ {exists{$item}} \ {cagefs_address_pipe} \ {${if forany \ {${extract \ {6} \ {:} \ {${lookup \ passwd{$local_part_data} \ }} \ } \:$r_suspended_shell} \ {match{$item}{\N(jail|no)shell\N}} \ {jailed_address_pipe} \ {address_pipe} \ }} \ } reply_transport = address_reply directory_transport = address_directory user = $local_part_data group = $local_part_data no_verify # srs is disabled localuser_root: driver = redirect allow_fail domains = $primary_hostname : localhost check_local_user condition = ${if eq {$local_part_data}{root}} data = :fail: root cannot accept local mail deliveries localuser_overquota: driver = redirect domains = $primary_hostname check_local_user # NB: On busy servers Dovecot may take several seconds to respond to # this request. So we set the timeout generously: condition = "${if match {${readsocket{/var/run/dovecot/quota-status}{request=smtpd_access_policy\nrecipient=${quote:$local_part}\nsize=$message_size\n\n}{30s}{\n}{SOCKETFAIL}}}{action=5}{true}{false}}" data = ":fail:Mailbox is full / Blocks limit exceeded / Inode limit exceeded" verify_only allow_fail # # Optimized spambox router # localuser_spam: driver = redirect domains = $primary_hostname require_files = "+$home/.spamassassinboxenable" condition = ${if match{$h_x-spam-status:}{\N^Yes\N}{true}{false}} # sets home,user,group check_local_user headers_remove="x-uidl" data = "${quote_local_part:$local_part_data}+spam" redirect_router = localuser boxtrapper_localuser: driver = accept require_files = "+/usr/local/cpanel/bin/boxtrapper:+$home/etc/.boxtrapperenable" check_local_user domains = $primary_hostname transport = local_boxtrapper_delivery localuser: driver = accept # sets home,user,group check_local_user domains = $primary_hostname headers_remove="x-uidl" local_part_suffix = +* local_part_suffix_optional user = mailnull group = mail transport = dovecot_delivery set = r_bcc_addr=${if forany \ {${addresses:$h_to:}:${addresses:$h_cc:}} \ {or { \ { eqi \ {${extract \ {1} \ {+} \ {${local_part:$item}} \ }@${domain:$item}} \ {$local_part@$domain} \ } \ { eqi \ {${extract \ {1} \ {+} \ {${local_part:$item}} \ }@${domain:$item}} \ {$original_local_part@$original_domain} \ } \ }} \ {} \ {$local_part@$domain} \ } set = r_cpanel_user=${local_part} # # If the delivery address, original address (forwarded), # or address with subaddress is shown on the To: or Cc: # lines or the message has the List-Id: or Precedence: # header we allow the message to be batched to # dovecot LMTP via transport dovecot_virtual_delivery # # If it does match match the above we do not allow the message # to be batched in order to ensure that the Envelope-To: header # does not contain a user that was Bcc:ed so savvy recipients # cannot see that another email was Bcc:ed in the header # via transport dovecot_virtual_delivery_no_batch # # Note: match_address would be nice here but the second string # is not expanded for security reasons # # This director matches local user mailboxes. ###################################################################### # TRANSPORTS CONFIGURATION # ###################################################################### # ORDER DOES NOT MATTER # # Only one appropriate transport is called for each delivery. # ###################################################################### # A transport is used only when referenced from a director or a router that # successfully handles an address. # This transport is used for delivering messages over SMTP connections. begin transports mailman_virtual_transport: driver = pipe command = /usr/local/cpanel/3rdparty/mailman/mail/mailman \ '${if def:local_part_suffix \ {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \ {post}}' \ ${perl{untaint}{${lc:$local_part}_${lc:$domain}}} current_directory = /usr/local/cpanel/3rdparty/mailman home_directory = /usr/local/cpanel/3rdparty/mailman user = mailman group = mailman mailman_virtual_transport_nodns: driver = pipe command = /usr/local/cpanel/3rdparty/mailman/mail/mailman \ '${if def:local_part_suffix \ {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \ {post}}' \ ${perl{untaint}{${lc:$local_part}}} current_directory = /usr/local/cpanel/3rdparty/mailman home_directory = /usr/local/cpanel/3rdparty/mailman user = mailman group = mailman remote_smtp: driver = smtp interface = <; ${if > \ {${extract \ {size} \ {${stat:/etc/mailips}} \ }} \ {0} \ {${lookup \ {${lc:${perl{get_message_sender_domain}}}} \ lsearch{/etc/mailips} \ {$value} \ {${lookup \ {${if match_domain \ {$original_domain} \ {+relay_domains} \ {${lc:$original_domain}} \ {} \ }} \ lsearch{/etc/mailips} \ {$value} \ {${lookup \ {${perl{get_sender_from_uid}}} \ lsearch*{/etc/mailips} \ {$value} \ {} \ }} \ }} \ }} \ } helo_data = ${if > \ {${extract{size}{${stat:/etc/mailhelo}}}} \ {0} \ {${lookup \ {${lc:${perl{get_message_sender_domain}}}} \ lsearch{/etc/mailhelo} \ {$value} \ {${lookup \ {${if match_domain \ {$original_domain} \ {+relay_domains} \ {${lc:$original_domain}} \ {} \ }} \ lsearch{/etc/mailhelo} \ {$value} \ {${lookup \ {${perl{get_sender_from_uid}}} \ lsearch*{/etc/mailhelo} \ {$value} \ {$primary_hostname} \ }} \ }} \ }} \ {$primary_hostname} \ } hosts_try_chunking = 198.51.100.1 message_linelength_limit = 2048 dkim_remote_smtp: driver = smtp interface = <; ${if > \ {${extract \ {size} \ {${stat:/etc/mailips}} \ }} \ {0} \ {${lookup \ {${lc:${perl{get_message_sender_domain}}}} \ lsearch{/etc/mailips} \ {$value} \ {${lookup \ {${if match_domain \ {$original_domain} \ {+relay_domains} \ {${lc:$original_domain}} \ {} \ }} \ lsearch{/etc/mailips} \ {$value} \ {${lookup \ {${perl{get_sender_from_uid}}} \ lsearch*{/etc/mailips} \ {$value} \ {} \ }} \ }} \ }} \ } helo_data = ${if > \ {${extract{size}{${stat:/etc/mailhelo}}}} \ {0} \ {${lookup \ {${lc:${perl{get_message_sender_domain}}}} \ lsearch{/etc/mailhelo} \ {$value} \ {${lookup \ {${if match_domain \ {$original_domain} \ {+relay_domains} \ {${lc:$original_domain}} \ {} \ }} \ lsearch{/etc/mailhelo} \ {$value} \ {${lookup \ {${perl{get_sender_from_uid}}} \ lsearch*{/etc/mailhelo} \ {$value} \ {$primary_hostname} \ }} \ }} \ }} \ {$primary_hostname} \ } dkim_domain = ${perl{get_dkim_domain}} dkim_selector = default dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}" dkim_canon = relaxed hosts_try_chunking = 198.51.100.1 message_linelength_limit = 2048 # remote_forwarded_srs absent due to SRS support being disabled # This transport is used for local delivery to user mailboxes. By default # it will be run under the uid and gid of the local user, and requires # the sticky bit to be set on the /var/mail directory. Some systems use # the alternative approach of running mail deliveries under a particular # group instead of using the sticky bit. The commented options below show # how this can be done. # This transport is used for handling pipe deliveries generated by alias # or .forward files. If the pipe generates any standard output, it is returned # to the sender of the message as a delivery error. Set return_fail_output # instead of return_output if you want this to happen only when the pipe fails # to complete normally. You can set different transports for aliases and # forwards if you want to - see the references to address_pipe below. address_directory: driver = pipe command = /usr/libexec/dovecot/dovecot-lda -f ${perl{untaint}{$sender_address}} -d ${perl{convert_address_directory_to_dovecot_lda_destination_username}} -m ${perl{convert_address_directory_to_dovecot_lda_mailbox}} message_prefix = message_suffix = log_output delivery_date_add envelope_to_add return_path_add temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78 address_pipe: driver = pipe return_output virtual_address_pipe: driver = pipe return_output jailed_address_pipe: driver = pipe force_command command = /usr/local/cpanel/bin/jailexec $address_pipe return_output jailed_virtual_address_pipe: driver = pipe force_command command = /usr/local/cpanel/bin/jailexec $address_pipe return_output cagefs_address_pipe: driver = pipe force_command command = /bin/cagefs_enter $address_pipe return_output cagefs_virtual_address_pipe: driver = pipe force_command command = /bin/cagefs_enter $address_pipe return_output # This transport is used for handling deliveries directly to files that are # generated by aliassing or forwarding. address_file: driver = pipe command = /usr/libexec/dovecot/dovecot-lda -e -f $sender_address -d ${perl{convert_address_directory_to_dovecot_lda_destination_username}} -m ${perl{convert_address_directory_to_dovecot_lda_mailbox}} message_prefix = message_suffix = log_output delivery_date_add envelope_to_add return_path_add temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78 boxtrapper_autowhitelist: driver = pipe headers_only command = /usr/local/cpanel/bin/boxtrapper --autowhitelist "${perl{untaint}{$authenticated_id}}" user = ${perl{getemailuser}{$authenticated_id}{$received_protocol}{$sender_ident}} group = ${extract{3}{:}{${lookup passwd{${perl{getemailuser}{$authenticated_id}{$received_protocol}{$sender_ident}}}{$value}}}} log_output = true return_fail_output = true return_path_add = false temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78 local_boxtrapper_delivery: driver = pipe command = /usr/local/cpanel/bin/boxtrapper "${perl{untaint}{$local_part_data}}" $home user = $local_part_data group = ${extract{3}{:}{${lookup passwd{$local_part_data}{$value}}}} log_output = true return_fail_output = true return_path_add = false temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78 virtual_boxtrapper_userdelivery: driver = pipe command = /usr/local/cpanel/bin/boxtrapper \ "${perl{untaint}{$local_part}}@${perl{untaint}{$domain}}" \ $home user = "${lookup{${perl{untaint}{$domain}}}lsearch{/etc/userdomains}{$value}}" log_output = true return_fail_output = true return_path_add = false temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78 dovecot_delivery: driver = lmtp socket = /var/run/dovecot/lmtp batch_max = 200 batch_id = "$r_cpanel_user ${if def:r_bcc_addr {$r_bcc_addr}}" rcpt_include_affixes delivery_date_add envelope_to_add return_path_add dovecot_virtual_delivery: driver = lmtp socket = /var/run/dovecot/lmtp batch_max = 200 batch_id = "$r_cpanel_user ${if def:r_bcc_addr {$r_bcc_addr}}" rcpt_include_affixes delivery_date_add envelope_to_add return_path_add address_reply: driver = autoreply # cPanel Mail Archiving is disabled ###################################################################### # RETRY CONFIGURATION # ###################################################################### # This single retry rule applies to all domains and all errors. It specifies # retries every 15 minutes for 2 hours, then increasing retry intervals, # starting at 1 hour and increasing each time by a factor of 1.5, up to 16 # hours, then retries every 8 hours until 4 days have passed since the first # failed delivery. # Domain Error Retries # ------ ----- ------- begin retry +secondarymx * F,4h,5m; G,16h,1h,1.5; F,4d,8h * * F,2h,15m; G,16h,1h,1.5; F,4d,8h # End of Exim 4 configuration

JMDS TRACK Cameroon

Boost the productivity of your mobile ressources

Make An Appointment

Fleet management

Reduce the operting cost and the unavailability of your vehicles
reduce the fuel consumption of your fleet
Improve the driving dehavior and safety of your drivers
optimize the utilization rate of your equipment
protect your vehicle against theft
Improve the quality of your customer service

Find out more

Assets management

Track the roaming of your equipment
Optimise the management of your assets on site and during transport
Secure the transport of your goods
Make your team responsible for preventing the loss of tools, equipment
Take a real-time inventory of your equipment on site
Easily find your mobile objects or equipment

Find out more

Find out more

Antitheft solutions

Secure your vehicles and machinery and increase your chances of recovering them in the event of theft
Protect your assets and reduce the costs associated with their loss
Combine immobiliser and driver identification and limit the risk of theft
Identify fuel theft and reduce costs
Protect your goods and take no more risks
Be alerted to abnormal events

Our Location

Douala BP cité

and

Yaoundé Total Essos

Make An Appointment

Get Directions

682230363/ 677481892

What makes us different from others

young and dynamic team
call center 24/24 7/7
roaming throughout Africa
team of developers who can develop customer-specific solutions
diversity of services
reactive and prompt after-sales service when soliciting a customer or a malfunction
Free Maintenance and installation in the cities of Douala and Yaounde

https://youtu.be/xI1cz_Jh2x8

15+
years of experience in GPS system development, production and deployment.

15 Collaborators

More than 15 employees dedicated to the research and development of new applications and to customer care

5 000 Vehicles and mobile assets

5 000 vehicles and mobile assets under management, in Africa

Our Partners

Latest Case Studies

Our current projects

Our stand at the Yaoundé trade fair

Installation of solar-powered multi-beam wireless active infrared detectors at SABC

Vector now available

Introducing JMDS Track solutions to our partners

One of our professional technician installing a GPS at Cami Toyota

 5/5
Bon SAV , SATISFAIT DU TRAITEMENT DES REQUETES

M DIPITA CHRISTIAN
Logistic Safety Manager Road Safety Manager
 5/5
La réactivité de JMDS est excellente
Nous restons satisfait dans l’ensemble des prestations relatives a la couverture de notre parc automobile

Hervé Frédéric NDENGUE
Chef Service Adjoint de la Sécurité Générale (CNPS)
 5/5
L’APPLICATION EMIXIS est convivial A L’utilisation
BEIG-3 SARL
DIRECTOR GENERAL
 5/5
Nevertheless I am delighted with the service
MR. BISSE BENJAMIN
CUSTOMER