Re: [exim] problem confirmed with exim and mailing off wrong…

Top Page

Reply to this message
Author: Matt Justin
Date:  
To: exim-users
Subject: Re: [exim] problem confirmed with exim and mailing off wrong IPs when mail is queued
ok heres the exim.conf

---start------

#!!# cPanel Exim 4 Config

received_header_text = Received: ${if def:sender_rcvhost {from ${if def:authenticated_id {127.0.0.1} {$sender_rcvhost }}\n\t}} by $sender_address_domain ${if def:received_protocol {with $received_protocol}} ${if def:tls_cipher {($tls_cipher)\n\t}} (Exim $version_number)\n\t id $message_id ${if def:received_for {\n\tfor $received_for}}
hostlist senderverifybypass_hosts = net-iplsearch;/etc/senderverifybypasshosts

hostlist skipsmtpcheck_hosts = net-iplsearch;/etc/skipsmtpcheckhosts

hostlist spammeripblocks = net-iplsearch;/etc/spammeripblocks

hostlist backupmx_hosts = lsearch;/etc/backupmxhosts

hostlist trustedmailhosts = lsearch;/etc/trustedmailhosts

domainlist user_domains = ${if exists{/etc/userdomains} {lsearch;/etc/userdomains} fail}

smtp_receive_timeout = 165s

ignore_bounce_errors_after = 3d

timeout_frozen_after = 5d

auto_thaw = 7d

callout_domain_negative_expire = 1h

callout_negative_expire = 1h

daemon_smtp_ports = 25 : 465

tls_on_connect_ports = 465

system_filter_user = cpaneleximfilter

system_filter_group = cpaneleximfilter

tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

acl_smtp_connect = acl_connect

acl_smtp_mail = acl_mail

acl_smtp_notquit = acl_notquit

spamd_address = 127.0.0.1 783

system_filter=/etc/cpanel_exim_system_filter




#!!# These options specify the Access Control Lists (ACLs) that
#!!# are used for incoming SMTP messages - after the RCPT and DATA
#!!# commands, respectively.

acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message

#!!# This setting defines a named domain list called
#!!# local_domains, created from the old options that
#!!# referred to local domains. It will be referenced
#!!# later on by the syntax "+local_domains".
#!!# Other domain and host lists may follow.

domainlist local_domains = lsearch;/etc/localdomains

domainlist relay_domains = lsearch;/etc/localdomains : \
    lsearch;/etc/secondarymx
hostlist relay_hosts = lsearch;/etc/relayhosts : \
    localhost
hostlist auth_relay_hosts = *


######################################################################
#                  Runtime configuration file for Exim               #
######################################################################



# This is a default configuration file which will operate correctly in
# uncomplicated installations. Please see the manual for a complete list
# of all the runtime configuration options that can be included in a
# configuration file. There are many more than are mentioned here. The
# manual is in the file doc/spec.txt in the Exim distribution as a plain
# ASCII file. Other formats (PostScript, Texinfo, HTML) are available from
# the Exim ftp sites. The manual is also online via the Exim web sites.


# This file is divided into several parts, all but the last of which are
# terminated by a line containing the word "end". The parts must appear
# in the correct order, and all must be present (even if some of them are
# in fact empty). Blank lines, and lines starting with # are ignored.



######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################


perl_startup = do '/etc/exim.pl'

#dns_retry = 1
#dns_retrans = 1s

# Specify your host's canonical name here. This should normally be the fully
# qualified "official" name of your host. If this option is not set, the
# uname() function is called to obtain the name.

smtp_banner = "${primary_hostname} ESMTP Exim ${version_number} \
\#${compile_number} ${tod_full} \n\
We do not authorize the use of this system to transport unsolicited, \n\
and/or bulk e-mail."


#nobody as the sender seems to annoy people
untrusted_set_sender = *
local_from_check = false

rfc1413_query_timeout = 2s

split_spool_directory = yes

smtp_connect_backlog = 50
smtp_accept_max = 100

# primary_hostname =
deliver_queue_load_max = 3

# Specify the domain you want to be added to all unqualified addresses
# here. An unqualified address is one that does not contain an "@" character
# followed by a domain. For example, "caesar@???" is a fully qualified
# address, but the string "caesar" (i.e. just a login name) is an unqualified
# email address. Unqualified addresses are accepted only from local callers by
# default. See the receiver_unqualified_{hosts,nets} options if you want
# to permit unqualified addresses from remote sources. If this option is
# not set, the primary_hostname value is used for qualification.

# qualify_domain =


# If you want unqualified recipient addresses to be qualified with a different
# domain to unqualified sender addresses, specify the recipient domain here.
# If this option is not set, the qualify_domain value is used.

# qualify_recipient =


# Specify your local domains as a colon-separated list here. If this option
# is not set (i.e. not mentioned in the configuration file), the
# qualify_recipient value is used as the only local domain. If you do not want
# to do any local deliveries, uncomment the following line, but do not supply
# any data for it. This sets local_domains to an empty string, which is not
# the same as not mentioning it at all. An empty string specifies that there
# are no local domains; not setting it at all causes the default value (the
# setting of qualify_recipient) to be used.



#!!# message_filter renamed system_filter
message_body_visible = 5000






# If you want to accept mail addressed to your host's literal IP address, for
# example, mail addressed to "user@???", then uncomment the
# following line, or supply the literal domain(s) as part of "local_domains"
# above.

# local_domains_include_host_literals


# No local deliveries will ever be run under the uids of these users (a colon-
# separated list). An attempt to do so gets changed so that it runs under the
# uid of "nobody" instead. This is a paranoic safety catch. Note the default
# setting means you cannot deliver mail addressed to root as if it were a
# normal user. This isn't usually a problem, as most sites have an alias for
# root that redirects such mail to a human administrator.

never_users = root


# The use of your host as a mail relay by any host, including the local host
# calling its own SMTP port, is locked out by default. If you want to permit
# relaying from the local host, you should set
#
# host_accept_relay = localhost
#
# If you want to permit relaying through your host from certain hosts or IP
# networks, you need to set the option appropriately, for example
#
#
#
# If you are an MX backup or gateway of some kind for some domains, you must
# set relay_domains to match those domains. This will allow any host to
# relay through your host to those domains.
#
# See the section of the manual entitled "Control of relaying" for more
# information.

# The setting below causes Exim to do a reverse DNS lookup on all incoming
# IP calls, in order to get the true host name. If you feel this is too
# expensive, you can specify the networks for which a lookup is done, or
# remove the setting entirely.

#host_lookup = 0.0.0.0/0


# By default, Exim expects all envelope addresses to be fully qualified, that
# is, they must contain both a local part and a domain. If you want to accept
# unqualified addresses (just a local part) from certain hosts, you can specify
# these hosts by setting one or both of
#
# receiver_unqualified_hosts =
# sender_unqualified_hosts =
#
# to control sender and receiver addresses, respectively. When this is done,
# unqualified addresses are qualified using the settings of qualify_domain
# and/or qualify_recipient (see above).


# Exim contains support for the Realtime Blocking List (RBL) that is being
# maintained as part of the DNS. See http://maps.vix.com/rbl/ for background.
# Uncommenting the first line below will make Exim reject mail from any
# host whose IP address is blacklisted in the RBL at maps.vix.com. Some
# others have followed the RBL lead and have produced other lists: DUL is
# a list of dial-up addresses, and ORBS is a list of open relay systems. The
# second line below checks all three lists.

# rbl_domains = rbl.maps.vix.com
# rbl_domains = rbl.maps.vix.com


# If you want Exim to support the "percent hack" for all your local domains,
# uncomment the following line. This is the feature by which mail addressed
# to x%y@z (where z is one of your local domains) is locally rerouted to
# x@y and sent on. Otherwise x%y is treated as an ordinary local part.

# percent_hack_domains = *

#sender_host_accept = +include_unknown:*
#sender_host_reject = +include_unknown:lsearch*;/etc/spammers



tls_certificate = /etc/exim.crt
tls_privatekey = /etc/exim.key
tls_advertise_hosts = *

helo_accept_junk_hosts = *

smtp_enforce_sync = false


#!!#######################################################!!#
#!!# This new section of the configuration contains ACLs #!!#
#!!# (Access Control Lists) derived from the Exim 3      #!!#
#!!# policy control options.                             #!!#
#!!#######################################################!!#


#!!# These ACLs are crudely constructed from Exim 3 options.
#!!# They are almost certainly not optimal. You should study
#!!# them and rewrite as necessary.

begin acl



########################################################################################
# DO NOT ALTER THIS BLOCK
########################################################################################
#
# cPanel Default ACL Template Version: 8.1
# Template: mailman2.dist
#
########################################################################################
# DO NOT ALTER THIS BLOCK
########################################################################################

acl_mail:

# ignore authenticated hosts
    accept authenticated = *


# ignore pop before smtp 
    accept  condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/relayhosts}{1}{${if eq{$sender_host_address}{127.0.0.1}{1}{0}}}}
    accept hosts = +relay_hosts


#BEGIN ACL_MAIL_BLOCK

deny
    condition = ${if eq{$sender_helo_name}{}}
    message   = HELO required before MAIL




drop  
    condition = ${if match{$sender_helo_name}{^$primary_hostname\$}}
    message   = "REJECTED - Bad HELO - Host impersonating [$sender_helo_name]"



drop 
    condition = ${if eq{[$interface_address]}{$sender_helo_name}}
    message   = "REJECTED - Interface: $interface_address is _my_ address"


drop
    condition   = ${if isip{$sender_helo_name}}
    message     = Access denied - Invalid HELO name (See RFC2821 4.1.3)


drop
    # Required because "[IPv6:<address>]" will have no .s
    condition   = ${if match{$sender_helo_name}{\N^\[\N}{no}{yes}}
    condition   = ${if match{$sender_helo_name}{\N\.\N}{no}{yes}}
    message     = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)


drop
    condition   = ${if match{$sender_helo_name}{\N\.$\N}}
    message     = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)


drop
    condition   = ${if match{$sender_helo_name}{\N\.\.\N}}
    message     = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)


#END ACL_MAIL_BLOCK

    accept



acl_connect:

#BEGIN ACL_CONNECT_BLOCK

    accept
        hosts = +trustedmailhosts


    accept
        condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}



# ignore pop before smtp 
    accept
        condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/relayhosts}{1}{${if eq{$sender_host_address}{127.0.0.1}{1}{0}}}}


    accept
        hosts = +relay_hosts : +backupmx_hosts


#only rate limit port 25
    accept 
        condition = ${if eq {$interface_port}{25}{no}{yes}}


    defer 
        message = The server has reached its limit for processing requests from your host.  Please try again later.
        log_message = "Host is ratelimited ($sender_rate/$sender_rate_period max:$sender_rate_limit)"
        ratelimit = 1.2 / 1h / strict / per_conn / noupdate



#END ACL_CONNECT_BLOCK

# do not change the comment in the line below, it is required for /usr/local/cpanel/bin/check_exim_config
#acl_smtp_notquit is required for this to work (exim 4.68)
    accept


acl_notquit:

#BEGIN ACL_NOTQUIT_BLOCK

# ignore authenticated hosts
accept authenticated = *

# ignore pop before smtp
accept condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/relayhosts}{1}{${if eq{$sender_host_address}{127.0.0.1}{1}{0}}}}
accept hosts = +relay_hosts

#only rate limit port 25
accept condition = ${if eq {$interface_port}{25}{no}{yes}}

warn condition = ${if match {$smtp_notquit_reason}{command}{yes}{no}}
    log_message = "Connection Ratelimit - $sender_fullhost because of notquit: $smtp_notquit_reason ($sender_rate/$sender_rate_period max:$sender_rate_limit)"    
    ratelimit = 1.2 / 1h / strict / per_conn



#END ACL_NOTQUIT_BLOCK


#!!# ACL that is used after the RCPT command
check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.

#BEGIN ACL_RATELIMIT_BLOCK
# Log all senders' rates
    warn ratelimit = 0 / 1h / strict
    log_message = Sender rate $sender_rate / $sender_rate_period


#END ACL_RATELIMIT_BLOCK

accept hosts = :

accept hosts = +skipsmtpcheck_hosts


  # Accept bounces to lists even if callbacks or other checks would fail
  warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
           condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                {yes}{no}}


  accept   condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                {yes}{no}}



  # Accept bounces to lists even if callbacks or other checks would fail
  warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
           condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                {yes}{no}}


  accept   condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                {yes}{no}}


  #if it gets here it isn't mailman
# deny must be on the same line as hosts so it will get removed by buildeximconf if turned off
   deny  hosts = ! +senderverifybypass_hosts
        ! verify = sender


  accept  hosts = *
          authenticated = *



  # if they used "pop before smtp" then we just accept
  accept  condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/relayhosts}{1}{${if eq{$sender_host_address}{127.0.0.1}{1}{0}}}}
          add_header = ${if exists{/etc/eximpopbeforesmtpwarning}{${perl{popbeforesmtpwarn}{$sender_host_address}}{}}


  accept  hosts = +relay_hosts
          add_header = ${if exists{/etc/eximpopbeforesmtpwarning}{${perl{popbeforesmtpwarn}{$sender_host_address}}{}}


#recipient verifications are now done after smtp auth and pop before smtp so the users get back bounces instead of
# a clogged outbox in outlook



    #recipient verifications are required for all messages that are not sent to the local machine    #this was done at multiple users requests
    require verify = recipient



#BEGIN ACL_POST_RECP_VERIFY_BLOCK


  warn
    log_message = "Detected Dictionary Attack (Let $rcpt_fail_count bad recipients though before engaging)"
    condition = ${if > {${eval:$rcpt_fail_count}}{4}{yes}{no}}
    set acl_m7 = 1


  warn
    condition = ${if eq {${acl_m7}}{1}{1}{0}}
    ratelimit = 0 / 1h / strict / per_conn
    log_message = "Increment Connection Ratelimit - $sender_fullhost because of Dictionary Attack"


  drop 
    condition = ${if eq {${acl_m7}}{1}{1}{0}}
    message = "Number of failed recipients exceeded.  Come back in a few hours."



#END ACL_POST_RECP_VERIFY_BLOCK






    # The only problem with this setup is that if the message is for multiple users on the same server
    # and they are on different unix accounts, the settings for the first recipient which has spamassassin enabled will be used.
    # This shouldn't be a problem 99.9% of the time, however its a very small price to pay for a massive speed increase.



  warn  domains = ! ${primary_hostname} : +local_domains
         condition = ${if <= {$message_size}{200K}{${if eq {${acl_m0}}{1}{0}{${if exists{/etc/global_spamassassin_enable}{1}{${if exists{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/.spamassassinenable}{1}{0}}}}}}}{0}}
         set acl_m0    = 1
         set acl_m1    = ${lookup{$domain}lsearch*{/etc/userdomains}{$value}}


  warn  domains = ${primary_hostname}
          condition = ${if <= {$message_size}{200K}{${if eq {${acl_m0}}{1}{0}{${if exists{/etc/global_spamassassin_enable}{1}{${if exists{${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}/.spamassassinenable}{1}{0}}}}}}}{0}}
          set acl_m0    = 1
          set acl_m1    = $local_part


#BEGIN ACL_POST_SPAM_SCAN_CHECK_BLOCK
# Research in Motion - Blackberry white list
 warn
     condition = ${if exists {/etc/mailproviders/rim/ips}{${if match_ip{$sender_host_address}{iplsearch;/etc/mailproviders/rim/ips}{1}{0}}}{0}}
     set acl_m0 = 0


#END ACL_POST_SPAM_SCAN_CHECK_BLOCK

accept domains = +relay_domains

  deny    message = $sender_fullhost is currently not permitted to \
                        relay through this server. Perhaps you \
                        have not logged into the pop/imap server in the \
                        last 30 minutes or do not have SMTP Authentication turned on in your email client.



#!!# ACL that is used after the DATA command
check_message:
# Enabling this will make the server non-rfc compliant
# require verify = header_sender
accept hosts = 127.0.0.1 : +relay_hosts

  accept  hosts = *
          authenticated = *


    accept
        hosts = +trustedmailhosts


    accept
        condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}


#BEGIN ACL_PRE_SPAM_SCAN
# Research in Motion - Blackberry white list
 accept 
     condition = ${if exists {/etc/mailproviders/rim/ips}{${if match_ip{$sender_host_address}{iplsearch;/etc/mailproviders/rim/ips}{1}{0}}}{0}}


#END ACL_PRE_SPAM_SCAN

  warn
    condition = ${if eq {${acl_m0}}{1}{1}{0}}
    spam =  ${acl_m1}/defer_ok
    log_message = "SpamAssassin as ${acl_m1} detected message as spam ($spam_score)"
    add_header = X-Spam-Subject: ***SPAM*** $h_subject
    add_header = X-Spam-Status: Yes, score=$spam_score
    add_header = X-Spam-Score: $spam_score_int
    add_header = X-Spam-Bar: $spam_bar
    add_header = X-Spam-Report: $spam_report
    add_header = X-Spam-Flag: YES
    set acl_m2 = 1


  warn
      condition =  ${if eq {$spam_score_int}{}{0}{${if <= {${spam_score_int}}{8000}{${if >= {${spam_score_int}}{50}{${perl{store_spam}{$sender_host_address}{$spam_score}}}{0}}}{0}}}}


warn
condition = ${if eq {${acl_m0}}{1}{${if eq {${acl_m2}}{1}{0}{1}}}{0}}
add_header = X-Spam-Status: No, score=$spam_score
add_header = X-Spam-Score: $spam_score_int
add_header = X-Spam-Bar: $spam_bar
add_header = X-Ham-Report: $spam_report
add_header = X-Spam-Flag: NO
log_message = "SpamAssassin as ${acl_m1} detected message as NOT spam ($spam_score)"



accept






begin authenticators

dovecot_plain:
    driver = dovecot
    public_name = PLAIN
    server_socket = /var/run/dovecot/auth-client
    server_set_id = $auth1
    server_condition = ${if and {{!match {$auth1}{\N[/]\N}}{eq{${if match {$auth1}{\N[+%:@]\N}{${lookup{${extract{2}{+%:@}{$auth1}}}lsearch{/etc/demodomains}{yes}}}{${lookup{$auth1}lsearch{/etc/demousers}{yes}}}}}{}}}{true}{false}}


dovecot_login:
driver = dovecot
public_name = LOGIN
server_socket = /var/run/dovecot/auth-client
server_set_id = $auth1
server_condition = ${if and {{!match {$auth1}{\N[/]\N}}{eq{${if match {$auth1}{\N[+%:@]\N}{${lookup{${extract{2}{+%:@}{$auth1}}}lsearch{/etc/demodomains}{yes}}}{${lookup{$auth1}lsearch{/etc/demousers}{yes}}}}}{}}}{true}{false}}





######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################


# There are no rewriting specifications in this default configuration file.

begin rewrite





#!!#######################################################!!#
#!!# Here follow routers created from the old routers,   #!!#
#!!# for handling non-local domains.                     #!!#
#!!#######################################################!!#


begin routers


#!!# If we are trying to deliver to a remote mailman domain that is on the localhost
#!!# let it go though even if its not in /etc/localdomains since mailman will eat
#!!# up 100% of the cpu if we don't

mailman_virtual_router:
    driver = accept
    require_files = /usr/local/cpanel/3rdparty/mailman/lists/${lc::$local_part}_${lc::$domain}/config.pck
    local_part_suffix_optional
    local_part_suffix = -admin     : \
            -bounces   : -bounces+* : \
                        -confirm   : -confirm+* : \
            -join      : -leave     : \
            -owner       : -request   : \
            -subscribe : -unsubscribe
    transport = mailman_virtual_transport


mailman_virtual_router_nodns:
    driver = accept
    require_files = /usr/local/cpanel/3rdparty/mailman/lists/${lc::$local_part}/config.pck
    condition    = \
           ${if or {{match{$local_part}{.*_.*}} \
                     {eq{$local_part}{mailman}}} \
                {1}{0}}
    local_part_suffix_optional
    local_part_suffix = -admin     : \
            -bounces   : -bounces+* : \
                        -confirm   : -confirm+* : \
            -join      : -leave     : \
            -owner       : -request   : \
            -subscribe : -unsubscribe
    domains = +local_domains
    transport = mailman_virtual_transport_nodns





######################################################################
#                      ROUTERS CONFIGURATION                         #
#            Specifies how remote addresses are handled              #
######################################################################
#                          ORDER DOES MATTER                         #
#  A remote address is passed to each in turn until it is accepted.  #
######################################################################


# Remote addresses are those with a domain that does not match any item
# in the "local_domains" setting above.

#
# Demo Safety Router
#

democheck:
    driver = redirect
    require_files = "+/etc/demouids"
    condition = "${if eq {${lookup {$originator_uid} lsearch {/etc/demouids} {$value}}}{}{false}{true}}"
    allow_fail
    data = :fail: demo accounts are not permitted to relay email





# This router routes to remote hosts over SMTP using a DNS lookup with
# default options.

boxtrapper_autowhitelist:
driver = accept
condition = ${if eq {$authenticated_id}{}{0}{${if eq {$sender_address}{$local_part@$domain}{0}{${if match{$received_protocol}{local}{${perl{checkbx_autowhitelist}{$authenticated_id}}}{${if match{$received_protocol}{\N^e?smtps?a$\N}{${perl{checkbx_autowhitelist}{$authenticated_id}}}{0}}}}}}}}
require_files = "+/usr/local/cpanel/bin/boxtrapper"
transport = boxtrapper_autowhitelist
unseen

#
# Handles nobody and webspam and mail trap checks in checkspam2 and gives a userful error
#

checkspam2:
    domains = ! +local_domains
    condition = "${perl{checkspam2}}"
    driver = redirect
    ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 64.94.110.0/24
    allow_fail
    data = "${perl{checkspam2_results}}"


#
# Handles nobody and webspam and mail trap checks in checkspam2 and gives a userful error
#
trackbandwidth:
    domains = ! +local_domains
    condition = "${perl{trackbandwidth}}"
    driver = redirect
    ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 64.94.110.0/24
    allow_fail
    verify = false
    data = "${perl{trackbandwidth_results}}"


#
# Lookup host router for remote smtp and ignores verisign site finder 'service' and uses domain keys
#

dk_lookuphost:
    driver = dnslookup
    domains = ! +local_domains
    #ignore verisign to prevent waste of bandwidth
    ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 64.94.110.0/24
    require_files = "+/var/cpanel/domain_keys/private/${sender_address_domain}" 
    headers_add = "${perl{mailtrapheaders}}"
    transport = dk_remote_smtp


#
# Lookup host router for remote smtp and ignores verisign site finder 'service'
#

lookuphost:
    driver = dnslookup
    domains = ! +local_domains
    #ignore verisign to prevent waste of bandwidth
    ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 64.94.110.0/24
    headers_add = "${perl{mailtrapheaders}}"
    transport = remote_smtp


# This router routes to remote hosts over SMTP by explicit IP address,
# given as a "domain literal" in the form [nnn.nnn.nnn.nnn]. The RFCs
# require this facility, which is why it is enabled by default in Exim.
# If you want to lock it out, set forbid_domain_literals in the main
# configuration section above.

#
# Literal Transports .. ignores verisigns sitefinder service
#

literal:
    driver = ipliteral
    domains = ! +local_domains
    headers_add = "${perl{mailtrapheaders}}"
    ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 64.94.110.0/24
    transport = remote_smtp





#!!# This new router is put here to fail all domains that
#!!# were not in local_domains in the Exim 3 configuration.

#
# Trap Failures to Remote Domain
#

fail_remote_domains:
driver = redirect
domains = ! +local_domains : ! localhost : ! localhost.localdomain
allow_fail
data = ":fail: The mail server could not deliver mail to $local_part@$domain. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries."





#!!#######################################################!!#
#!!# Here follow routers created from the old directors, #!!#
#!!# for handling local domains.                         #!!#
#!!#######################################################!!#




######################################################################
#                      DIRECTORS CONFIGURATION                       #
#             Specifies how local addresses are handled              #
######################################################################
#                          ORDER DOES MATTER                         #
#   A local address is passed to each in turn until it is accepted.  #
######################################################################


# Local addresses are those with a domain that matches some item in the
# "local_domains" setting above, or those which are passed back from the
# routers because of a "self=local" setting (not used in this configuration).


# This director handles aliasing using a traditional /etc/aliases file.
# If any of your aliases expand to pipes or files, you will need to set
# up a user and a group for these deliveries to run under. You can do
# this by uncommenting the "user" option below (changing the user name
# as appropriate) and adding a "group" option if necessary. Alternatively, you
# can specify "user" on the transports that are used. Note that those
# listed below are the same as are used for .forward files; you might want
# to set up different ones for pipe and file deliveries from aliases.

#spam_filter:
# driver = forwardfile
# file = /etc/spam.filter
# no_check_local_user
# no_verify
# filter
# allow_system_actions







virtual_user_maildir_overquota:
driver = redirect
domains = +user_domains
router_home_directory = ${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch{/etc/userdomains}{$value}}}{$value}}}}
require_files = $home/etc/$domain
condition = "${if exists {$home/etc/$domain/quota}{${if > {${lookup{$local_part}lsearch{$home/etc/$domain/quota}{$value}{0}}}{0}{${if eq {${if exists {$home/mail/$domain/$local_part/maildirsize}{1}{0}}}{0}{${if > {${run {/usr/local/cpanel/bin/eximwrap GETDISKUSED $local_part $domain}}}{${lookup{$local_part}lsearch{$home/etc/$domain/quota}{$value}{0}}}{true}{false}}}{${perl{checkuserquota}{$domain}{$local_part}{$message_size}{${lookup{$local_part}lsearch{$home/etc/$domain/quota}{$value}}}{$home/mail/$domain/$local_part/maildirsize}}}}}{false}}}{false}}"
user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
data = :fail:Mailbox quota exceeded
allow_fail











#
# Account level filtering for everything but the main account
#

central_filter:
    driver = redirect
    allow_filter
    no_check_local_user
    file = /etc/vfilters/${domain}
    file_transport = address_file
    directory_transport = address_directory
    domains = +user_domains
    pipe_transport = virtual_address_pipe
    reply_transport = address_reply
    router_home_directory = ${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}
    user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
    allow_fail
    no_verify


#
# Account level filtering for the main account
#
# checks /etc/vfilters/maindomain if its a localuser (ie main acct)
# 
mainacct_central_user_filter:
    driver = redirect  
    allow_filter  
    allow_fail
    check_local_user
    domains = ! +user_domains
    condition = ${if eq {${lookup{$local_part}lsearch{/etc/domainusers}{$value}}}{}{0}{${if exists {/etc/vfilters/${lookup{$local_part}lsearch{/etc/domainusers}{$value}}}{1}{0}}}}
    file = "/etc/vfilters/${lookup{$local_part}lsearch{/etc/domainusers}{$value}}"
    directory_transport = address_directory
    file_transport = address_file  
    pipe_transport = address_pipe
    reply_transport = address_reply
    retry_use_local_part  
    no_verify


#
# User Level Filtering for the main account
#
central_user_filter:
    driver = redirect
    allow_filter
    allow_fail
    check_local_user
    domains = ! +user_domains
    file = "${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}/etc/filter"
    require_files = "+${extract{5}{::}{${lookup passwd{$local_part}{$value}}}}/etc/filter"
    router_home_directory = ${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}
    directory_transport = address_directory
    file_transport = address_file
    pipe_transport = virtual_address_pipe
    reply_transport = address_reply
    retry_use_local_part
    no_verify


#
# User Level Filtering for virtual users
#
virtual_user_filter:
    driver = redirect
    allow_filter
    allow_fail
    no_check_local_user
    domains = +user_domains
    require_files = "+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/$local_part/filter"
    file = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/$local_part/filter"
    router_home_directory = ${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}
    directory_transport = address_directory
    file_transport = address_file
    pipe_transport = virtual_address_pipe
    reply_transport = address_reply
    user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
    no_verify


virtual_aliases_nostar:
driver = redirect
allow_defer
allow_fail
require_files = "+/etc/valiases/$domain"
data = ${lookup{$local_part@$domain}lsearch{/etc/valiases/$domain}}
file_transport = address_file
group = mail
pipe_transport = virtual_address_pipe
retry_use_local_part
unseen

#
# Virtual User Spam Boxes
#

virtual_user_spam:
    driver = accept
    domains = +user_domains
    require_files = "+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/.spamassassinboxenable:+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd"
    condition = ${if eq {${lookup {$local_part} lsearch {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd}}}{}{false}{${if match{$h_X-Spam-Status:}{\N^Yes\N}{true}{false}}}}
    headers_remove="x-spam-exim"
    transport = virtual_userdelivery_spam



virtual_boxtrapper_user:
driver = accept
domains = +user_domains
require_files = "+/usr/local/cpanel/bin/boxtrapper:+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd"
condition = ${if eq {${lookup {$local_part} lsearch {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd}}}{} {false}{${if exists {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/$local_part/.boxtrapperenable} {true} {false}}}}
retry_use_local_part
transport = virtual_boxtrapper_userdelivery

virtual_user:
driver = accept
headers_remove="x-spam-exim"
domains = +user_domains
require_files = "+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd"
condition = ${if eq {${lookup {$local_part} lsearch {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd}}}{} {false}{true}}
transport = virtual_userdelivery


has_alias_but_no_mailbox_discarded_to_prevent_loop:
        driver = redirect
        require_files = "+/etc/valiases/$domain"
        domains = +user_domains
        condition = "${perl{checkvalias}{$domain}{$local_part}}"
        data="#Exim Filter\nseen finish"
        group = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
        user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
        allow_filter
        disable_logging = true


valias_domain_file:
  driver = redirect
  allow_defer
  allow_fail
  require_files = +/etc/vdomainaliases/$domain
  condition = ${lookup {$domain} lsearch {/etc/vdomainaliases/$domain}{yes}{no} }
  data = $local_part@${lookup {$domain} lsearch {/etc/vdomainaliases/$domain} }
virtual_aliases:
    driver = redirect
    allow_defer
    allow_fail
    require_files = "+/etc/valiases/$domain"
    data = ${lookup{*}lsearch{/etc/valiases/$domain}}
    file_transport = address_file
    group = mail
    pipe_transport = virtual_address_pipe







# This director handles forwarding using traditional .forward files.
# If you want it also to allow mail filtering when a forward file
# starts with the string "# Exim filter", uncomment the "filter" option.
# The check_ancestor option means that if the forward file generates an
# address that is an ancestor of the current one, the current one gets
# passed on instead. This covers the case where A is aliased to B and B
# has a .forward file pointing to A. The three transports specified at the
# end are those that are used when forwarding generates a direct delivery
# to a file, or to a pipe, or sets up an auto-reply, respectively.

system_aliases:
driver = redirect
allow_defer
allow_fail
data = ${lookup{$local_part}lsearch{/etc/aliases}}
file_transport = address_file
pipe_transport = address_pipe
retry_use_local_part
# user = exim


local_aliases:
driver = redirect
allow_defer
allow_fail
data = ${lookup{$local_part}lsearch{/etc/localaliases}}
file_transport = address_file
pipe_transport = address_pipe
check_local_user



userforward:
driver = redirect
allow_filter
check_ancestor
check_local_user
domains = ! +user_domains
no_expn
file = $home/.forward
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
directory_transport = address_directory
no_verify

#
# Optimzied spambox router
#

localuser_spam:
    driver = accept
    headers_remove="x-spam-exim"
    domains = ! +user_domains
    require_files = "+$home/.spamassassinboxenable"
    condition = ${if match{$h_X-Spam-Status:}{\N^Yes\N}{true}{false}}
    check_local_user
    transport = local_delivery_spam


boxtrapper_localuser:
driver = accept
require_files = "+/usr/local/cpanel/bin/boxtrapper:+$home/etc/.boxtrapperenable"
check_local_user
domains = ! +user_domains
transport = local_boxtrapper_delivery


localuser:
    driver = accept
    headers_remove="x-spam-exim"
    check_local_user
    domains = ! +user_domains
    transport = local_delivery




# This director matches local user mailboxes.







######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
#                       ORDER DOES NOT MATTER                        #
#     Only one appropriate transport is called for each delivery.    #
######################################################################


# A transport is used only when referenced from a director or a router that
# successfully handles an address.


# This transport is used for delivering messages over SMTP connections.

begin transports





remote_smtp:
driver = smtp
interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
dkim_domain = $sender_address_domain
dkim_selector = mail
dkim_private_key = /usr/local/cpanel/etc/exim/dkim.key

dk_remote_smtp:
driver = smtp
interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
dk_private_key = "/var/cpanel/domain_keys/private/${dk_domain}"
dk_canon = nofws
dk_selector = default


# This transport is used for local delivery to user mailboxes. By default
# it will be run under the uid and gid of the local user, and requires
# the sticky bit to be set on the /var/mail directory. Some systems use
# the alternative approach of running mail deliveries under a particular
# group instead of using the sticky bit. The commented options below show
# how this can be done.


local_delivery:
    driver = appendfile
    delivery_date_add
    envelope_to_add
    directory = "${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}/mail"
    maildir_use_size_file
    maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
    maildir_format
    maildir_tag = ,S=$message_size
    quota_size_regex = ,S=(\d+)
    mode = 0660
    return_path_add
    group = ${extract{3}{:}{${lookup passwd{$local_part}{$value}}}}
    user = $local_part
    shadow_condition = ${if exists {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/.cpanel/rim/bis/$local_part}{1}{0}}
    shadow_transport = rim_bis_notifier_local_user


rim_bis_notifier_local_user:
    driver = pipe
    headers_only
    command = /usr/local/cpanel/bin/rim_bis_notifier "${local_part}"
    group = ${extract{3}{:}{${lookup passwd{$local_part}{$value}}}}
    user = $local_part
    log_output = true
    current_directory = "/tmp"
    return_fail_output = true
    return_path_add = false


local_delivery_spam:
driver = appendfile
delivery_date_add
envelope_to_add
directory = "${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}/mail/.spam"
maildir_use_size_file
maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
maildir_format
maildir_tag = ,S=$message_size
quota_size_regex = ,S=(\d+)
group = ${extract{3}{:}{${lookup passwd{$local_part}{$value}}}}
mode = 0660
return_path_add
user = $local_part









# This transport is used for handling pipe deliveries generated by alias
# or .forward files. If the pipe generates any standard output, it is returned
# to the sender of the message as a delivery error. Set return_fail_output
# instead of return_output if you want this to happen only when the pipe fails
# to complete normally. You can set different transports for aliases and
# forwards if you want to - see the references to address_pipe below.

address_directory:
    driver        = appendfile
    maildir_tag = ,S=$message_size
    quota_size_regex = ,S=(\d+)
    maildir_format
    maildir_use_size_file
    maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
    mode = 0660
    delivery_date_add
    envelope_to_add
    return_path_add
address_pipe:
  driver = pipe
  return_output


virtual_address_pipe:
driver = pipe
group = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
return_output
user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"

# This transport is used for handling deliveries directly to files that are
# generated by aliassing or forwarding.

address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add


# This transport is used for handling autoreplies generated by the filtering
# option of the forwardfile director.





virtual_userdelivery_spam:
driver = appendfile
delivery_date_add
envelope_to_add
directory = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/mail/${domain}/${local_part}/.spam"
maildir_use_size_file
maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
maildir_format
maildir_tag = ,S=$message_size
quota_size_regex = ,S=(\d+)
mode = 0660
quota = "${if exists{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/${domain}/quota} {${lookup{$local_part}lsearch*{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/${domain}/quota}{$value}}} {}}"
quota_is_inclusive = false
quota_directory = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/mail/${domain}/${local_part}"
return_path_add
user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
group = ${extract{3}{:}{${lookup passwd{${lookup{$domain}lsearch* {/etc/userdomains}{$value}}}{$value}}}}

boxtrapper_autowhitelist:
driver = pipe
headers_only
command = /usr/local/cpanel/bin/boxtrapper --autowhitelist "${authenticated_id}"
user = ${perl{getemailuser}{$authenticated_id}}
group = ${extract{3}{:}{${lookup passwd{${perl{getemailuser}{$authenticated_id}}}{$value}}}}
log_output = true
current_directory = "/tmp"
return_fail_output = true
return_path_add = false

local_boxtrapper_delivery:
driver = pipe
command = /usr/local/cpanel/bin/boxtrapper "${local_part}" $home
user = $local_part
group = ${extract{3}{:}{${lookup passwd{$local_part}{$value}}}}
log_output = true
current_directory = "/tmp"
return_fail_output = true
return_path_add = false

virtual_boxtrapper_userdelivery:
driver = pipe
command = /usr/local/cpanel/bin/boxtrapper "${local_part}@${domain}" $home
user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
group = ${extract{3}{:}{${lookup passwd{${lookup{$domain}lsearch* {/etc/userdomains}{$value}}}{$value}}}}
log_output = true
current_directory = "/tmp"
return_fail_output = true
return_path_add = false


virtual_userdelivery:
driver = appendfile
delivery_date_add
envelope_to_add
directory = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/mail/${domain}/${local_part}"
maildir_use_size_file
maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
maildir_format
maildir_tag = ,S=$message_size
quota_size_regex = ,S=(\d+)
mode = 0660
quota = "${if exists{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/${domain}/quota} {${lookup{$local_part}lsearch*{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/${domain}/quota}{$value}}} {}}"
quota_is_inclusive = false
quota_directory = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/mail/${domain}/${local_part}"
return_path_add
user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
group = ${extract{3}{:}{${lookup passwd{${lookup{$domain}lsearch* {/etc/userdomains}{$value}}}{$value}}}}
shadow_condition = ${if exists {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/.cpanel/rim/bis/$local_part@$domain}{1}{0}}
shadow_transport = rim_bis_notifier_virtual_user

rim_bis_notifier_virtual_user:
driver = pipe
headers_only
command = /usr/local/cpanel/bin/rim_bis_notifier "${local_part}@${domain}"
user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
group = ${extract{3}{:}{${lookup passwd{${lookup{$domain}lsearch* {/etc/userdomains}{$value}}}{$value}}}}
log_output = true
current_directory = "/tmp"
return_fail_output = true
return_path_add = false


address_reply:
driver = autoreply


mailman_virtual_transport:
    driver = pipe
    command = /usr/local/cpanel/3rdparty/mailman/mail/mailman \
              '${if def:local_part_suffix \
                    {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
                    {post}}' \
              ${lc:$local_part}_${lc:$domain}
    current_directory = /usr/local/cpanel/3rdparty/mailman
    home_directory = /usr/local/cpanel/3rdparty/mailman
    user = mailman
    group = mailman



mailman_virtual_transport_nodns:
    driver = pipe
    command = /usr/local/cpanel/3rdparty/mailman/mail/mailman \
              '${if def:local_part_suffix \
                    {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
                    {post}}' \
              ${lc:$local_part}
    current_directory = /usr/local/cpanel/3rdparty/mailman
    home_directory = /usr/local/cpanel/3rdparty/mailman
    user = mailman
    group = mailman










######################################################################
#                      RETRY CONFIGURATION                           #
######################################################################


# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 1 hour and increasing each time by a factor of 1.5, up to 16
# hours, then retries every 8 hours until 4 days have passed since the first
# failed delivery.

# Domain               Error       Retries
# ------               -----       -------



begin retry

*            quota




*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,8h





# End of Exim 4 configuration










This message is for the addressee's use only and may contain confidential, proprietary or legally privileged information. Unauthorized forwarding, copying, printing, distribution, or any other unauthorized use of the information in this message is prohibited. If you believe you are not the intended recipient of the message, please notify the sender and delete the message. No confidentiality or privilege is waived or lost by any mistransmission.
_____

From: Phil Pennock [mailto:exim-users@spodhuis.org]
To: exim-users@???
Sent: Tue, 30 Aug 2011 09:36:52 +0000
Subject: Re: [exim] problem confirmed with exim and mailing off wrong IPs when mail is queued

On 2011-08-29 at 22:06 +0000, Matt Justin wrote:
> what so u need to see my exim.conf?


Yes. That's pretty essential to debugging problems, since it's the
exim.conf which dictates how Exim is supposed to deal with any
particular problem.

-Phil

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/