Untitled

#!!# cPanel Exim 4 Config


hostlist loopback = <; 127.0.0.0/8 ; 0.0.0.0 ; ::1 ; 0000:0000:0000:0000:0000:ffff:7f00:0000/8

hostlist senderverifybypass_hosts = net-iplsearch;/etc/senderverifybypasshosts

hostlist skipsmtpcheck_hosts = net-iplsearch;/etc/skipsmtpcheckhosts

hostlist spammeripblocks = net-iplsearch;/etc/spammeripblocks

hostlist backupmx_hosts = lsearch;/etc/backupmxhosts

hostlist trustedmailhosts = lsearch;/etc/trustedmailhosts

domainlist user_domains = ${if exists{/etc/userdomains} {lsearch;/etc/userdomains} fail}

smtp_receive_timeout = 165s

ignore_bounce_errors_after = 3d

timeout_frozen_after = 5d

auto_thaw = 7d

callout_domain_negative_expire = 1h

callout_negative_expire = 1h

daemon_smtp_ports = 25 : 465

tls_on_connect_ports = 465

system_filter_user = cpaneleximfilter

system_filter_group = cpaneleximfilter

tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

acl_smtp_connect = acl_connect

acl_smtp_mail = acl_mail

acl_smtp_notquit = acl_notquit

spamd_address = 127.0.0.1 783


#!!# These options specify the Access Control Lists (ACLs) that
#!!# are used for incoming SMTP messages - after the RCPT and DATA
#!!# commands, respectively.

acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message

#!!# This setting defines a named domain list called
#!!# local_domains, created from the old options that
#!!# referred to local domains. It will be referenced
#!!# later on by the syntax "+local_domains".
#!!# Other domain and host lists may follow.

domainlist local_domains = lsearch;/etc/localdomains

domainlist relay_domains = lsearch;/etc/localdomains : \
    lsearch;/etc/secondarymx
hostlist relay_hosts = lsearch;/etc/relayhosts : \
    localhost
hostlist auth_relay_hosts = *

######################################################################
#                  Runtime configuration file for Exim               #
######################################################################


# This is a default configuration file which will operate correctly in
# uncomplicated installations. Please see the manual for a complete list
# of all the runtime configuration options that can be included in a
# configuration file. There are many more than are mentioned here. The
# manual is in the file doc/spec.txt in the Exim distribution as a plain
# ASCII file. Other formats (PostScript, Texinfo, HTML) are available from
# the Exim ftp sites. The manual is also online via the Exim web sites.


# This file is divided into several parts, all but the last of which are
# terminated by a line containing the word "end". The parts must appear
# in the correct order, and all must be present (even if some of them are
# in fact empty). Blank lines, and lines starting with # are ignored.


######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################

perl_startup = do '/etc/exim.pl'

#dns_retry = 1
#dns_retrans = 1s

# Specify your host's canonical name here. This should normally be the fully
# qualified "official" name of your host. If this option is not set, the
# uname() function is called to obtain the name.

smtp_banner = "${primary_hostname} ESMTP Exim ${version_number} \
\#${compile_number} ${tod_full} \n\
  We do not authorize the use of this system to transport unsolicited, \n\
  and/or bulk e-mail."


#nobody as the sender seems to annoy people
untrusted_set_sender = *
local_from_check = false

rfc1413_query_timeout = 2s

split_spool_directory = yes

smtp_connect_backlog = 50
smtp_accept_max = 100

# primary_hostname =
deliver_queue_load_max = 3

# Specify the domain you want to be added to all unqualified addresses
# here. An unqualified address is one that does not contain an "@" character
# followed by a domain. For example, "caesar@rome.ex" is a fully qualified
# address, but the string "caesar" (i.e. just a login name) is an unqualified
# email address. Unqualified addresses are accepted only from local callers by
# default. See the receiver_unqualified_{hosts,nets} options if you want
# to permit unqualified addresses from remote sources. If this option is
# not set, the primary_hostname value is used for qualification.

# qualify_domain =


# If you want unqualified recipient addresses to be qualified with a different
# domain to unqualified sender addresses, specify the recipient domain here.
# If this option is not set, the qualify_domain value is used.

# qualify_recipient =


# Specify your local domains as a colon-separated list here. If this option
# is not set (i.e. not mentioned in the configuration file), the
# qualify_recipient value is used as the only local domain. If you do not want
# to do any local deliveries, uncomment the following line, but do not supply
# any data for it. This sets local_domains to an empty string, which is not
# the same as not mentioning it at all. An empty string specifies that there
# are no local domains; not setting it at all causes the default value (the
# setting of qualify_recipient) to be used.


#!!# message_filter renamed system_filter
message_body_visible = 5000


# If you want to accept mail addressed to your host's literal IP address, for
# example, mail addressed to "user@[111.111.111.111]", then uncomment the
# following line, or supply the literal domain(s) as part of "local_domains"
# above.

# local_domains_include_host_literals


# No local deliveries will ever be run under the uids of these users (a colon-
# separated list). An attempt to do so gets changed so that it runs under the
# uid of "nobody" instead. This is a paranoic safety catch. Note the default
# setting means you cannot deliver mail addressed to root as if it were a
# normal user. This isn't usually a problem, as most sites have an alias for
# root that redirects such mail to a human administrator.

never_users = root


# The use of your host as a mail relay by any host, including the local host
# calling its own SMTP port, is locked out by default. If you want to permit
# relaying from the local host, you should set
#
# host_accept_relay = localhost
#
# If you want to permit relaying through your host from certain hosts or IP
# networks, you need to set the option appropriately, for example
#
#
#
# If you are an MX backup or gateway of some kind for some domains, you must
# set relay_domains to match those domains. This will allow any host to
# relay through your host to those domains.
#
# See the section of the manual entitled "Control of relaying" for more
# information.

# The setting below causes Exim to do a reverse DNS lookup on all incoming
# IP calls, in order to get the true host name. If you feel this is too
# expensive, you can specify the networks for which a lookup is done, or
# remove the setting entirely.

#host_lookup = 0.0.0.0/0


# By default, Exim expects all envelope addresses to be fully qualified, that
# is, they must contain both a local part and a domain. If you want to accept
# unqualified addresses (just a local part) from certain hosts, you can specify
# these hosts by setting one or both of
#
# receiver_unqualified_hosts =
# sender_unqualified_hosts =
#
# to control sender and receiver addresses, respectively. When this is done,
# unqualified addresses are qualified using the settings of qualify_domain
# and/or qualify_recipient (see above).


# Exim contains support for the Realtime Blocking List (RBL) that is being
# maintained as part of the DNS. See http://maps.vix.com/rbl/ for background.
# Uncommenting the first line below will make Exim reject mail from any
# host whose IP address is blacklisted in the RBL at maps.vix.com. Some
# others have followed the RBL lead and have produced other lists: DUL is
# a list of dial-up addresses, and ORBS is a list of open relay systems. The
# second line below checks all three lists.

# rbl_domains = rbl.maps.vix.com
# rbl_domains = rbl.maps.vix.com


# If you want Exim to support the "percent hack" for all your local domains,
# uncomment the following line. This is the feature by which mail addressed
# to x%y@z (where z is one of your local domains) is locally rerouted to
# x@y and sent on. Otherwise x%y is treated as an ordinary local part.

# percent_hack_domains = *

#sender_host_accept = +include_unknown:*
#sender_host_reject = +include_unknown:lsearch*;/etc/spammers


tls_certificate = /etc/exim.crt
tls_privatekey = /etc/exim.key
tls_advertise_hosts = *

helo_accept_junk_hosts = *

smtp_enforce_sync = false


#!!#######################################################!!#
#!!# This new section of the configuration contains ACLs #!!#
#!!# (Access Control Lists) derived from the Exim 3      #!!#
#!!# policy control options.                             #!!#
#!!#######################################################!!#

#!!# These ACLs are crudely constructed from Exim 3 options.
#!!# They are almost certainly not optimal. You should study
#!!# them and rewrite as necessary.

begin acl


########################################################################################
# DO NOT ALTER THIS BLOCK
########################################################################################
#
# cPanel Default ACL Template Version: 8.2
# Template: mailman2.dist
#
########################################################################################
# DO NOT ALTER THIS BLOCK
########################################################################################

acl_mail:

    # ignore authenticated hosts
    accept authenticated = *

    # drop connections to localhost that fail auth (required for Horde)
    drop
        condition = ${if and {{match_ip{$sender_host_address}{+loopback}} \
                              {def:authentication_failed}} \
                        {yes}{no}}
        condition = $authentication_failed
        message   = Authentication failed

    # ignore pop before smtp
    accept  condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/relayhosts}{1}{${if eq{$sender_host_address}{127.0.0.1}{1}{0}}}}
    accept hosts = +relay_hosts

#BEGIN ACL_MAIL_BLOCK

deny
    condition = ${if eq{$sender_helo_name}{}}
    message   = HELO required before MAIL


drop
    condition = ${if match{$sender_helo_name}{^$primary_hostname\$}}
    message   = "REJECTED - Bad HELO - Host impersonating [$sender_helo_name]"


drop
    condition = ${if eq{[$interface_address]}{$sender_helo_name}}
    message   = "REJECTED - Interface: $interface_address is _my_ address"

drop
    condition   = ${if isip{$sender_helo_name}}
    message     = Access denied - Invalid HELO name (See RFC2821 4.1.3)

drop
    # Required because "[IPv6:<address>]" will have no .s
    condition   = ${if match{$sender_helo_name}{\N^\[\N}{no}{yes}}
    condition   = ${if match{$sender_helo_name}{\N\.\N}{no}{yes}}
    message     = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)

drop
    condition   = ${if match{$sender_helo_name}{\N\.$\N}}
    message     = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)

drop
    condition   = ${if match{$sender_helo_name}{\N\.\.\N}}
    message     = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)

#END ACL_MAIL_BLOCK


    accept


acl_connect:

#BEGIN ACL_CONNECT_BLOCK

    accept
        hosts = +trustedmailhosts

    accept
        condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}


# ignore pop before smtp
    accept
        condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/relayhosts}{1}{${if eq{$sender_host_address}{127.0.0.1}{1}{0}}}}

    accept
        hosts = +relay_hosts : +backupmx_hosts

#only rate limit port 25
    accept
        condition = ${if eq {$interface_port}{25}{no}{yes}}

    defer
        message = The server has reached its limit for processing requests from your host.  Please try again later.
        log_message = "Host is ratelimited ($sender_rate/$sender_rate_period max:$sender_rate_limit)"
        ratelimit = 1.2 / 1h / strict / per_conn / noupdate


drop
    message = Your host is not allowed to connect to this server.
    log_message = Host is banned
    hosts = +spammeripblocks


#END ACL_CONNECT_BLOCK

# do not change the comment in the line below, it is required for /usr/local/cpanel/bin/check_exim_config
#acl_smtp_notquit is required for this to work (exim 4.68)
    accept

acl_notquit:

#BEGIN ACL_NOTQUIT_BLOCK

# ignore authenticated hosts
accept authenticated = *

# ignore pop before smtp
accept  condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/relayhosts}{1}{${if eq{$sender_host_address}{127.0.0.1}{1}{0}}}}
accept hosts = +relay_hosts

#only rate limit port 25
accept condition = ${if eq {$interface_port}{25}{no}{yes}}

warn condition = ${if match {$smtp_notquit_reason}{command}{yes}{no}}
    log_message = "Connection Ratelimit - $sender_fullhost because of notquit: $smtp_notquit_reason ($sender_rate/$sender_rate_period max:$sender_rate_limit)"
    ratelimit = 1.2 / 1h / strict / per_conn


#END ACL_NOTQUIT_BLOCK


#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.

#BEGIN ACL_RATELIMIT_BLOCK
# Log all senders' rates
    warn ratelimit = 0 / 1h / strict
    log_message = Sender rate $sender_rate / $sender_rate_period

#END ACL_RATELIMIT_BLOCK

  accept  hosts = :

  accept hosts = +skipsmtpcheck_hosts


  # Accept bounces to lists even if callbacks or other checks would fail
  warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
           condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                {yes}{no}}

  accept   condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                {yes}{no}}


  # Accept bounces to lists even if callbacks or other checks would fail
  warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
           condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                {yes}{no}}

  accept   condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                {yes}{no}}

  #if it gets here it isn't mailman
# deny must be on the same line as hosts so it will get removed by buildeximconf if turned off
   deny  hosts = ! +senderverifybypass_hosts
        ! verify = sender

  accept  hosts = *
          authenticated = *


  # if they used "pop before smtp" then we just accept
  accept  condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/relayhosts}{1}{${if eq{$sender_host_address}{127.0.0.1}{1}{0}}}}
          add_header = ${if exists{/etc/eximpopbeforesmtpwarning}{${perl{popbeforesmtpwarn}{$sender_host_address}}{}}

  accept  hosts = +relay_hosts
          add_header = ${if exists{/etc/eximpopbeforesmtpwarning}{${perl{popbeforesmtpwarn}{$sender_host_address}}{}}

   #recipient verifications are now done after smtp auth and pop before smtp so the users get back bounces instead of
   # a clogged outbox in outlook


    #recipient verifications are required for all messages that are not sent to the local machine    #this was done at multiple users requests
    require verify = recipient


#BEGIN ACL_POST_RECP_VERIFY_BLOCK


  warn
    log_message = "Detected Dictionary Attack (Let $rcpt_fail_count bad recipients though before engaging)"
    condition = ${if > {${eval:$rcpt_fail_count}}{4}{yes}{no}}
    set acl_m7 = 1

  warn
    condition = ${if eq {${acl_m7}}{1}{1}{0}}
    ratelimit = 0 / 1h / strict / per_conn
    log_message = "Increment Connection Ratelimit - $sender_fullhost because of Dictionary Attack"

  drop
    condition = ${if eq {${acl_m7}}{1}{1}{0}}
    message = "Number of failed recipients exceeded.  Come back in a few hours."


#END ACL_POST_RECP_VERIFY_BLOCK

#BEGIN ACL_TRUSTEDLIST_BLOCK
 accept
    hosts = +trustedmailhosts

 accept
     condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}

#END ACL_TRUSTEDLIST_BLOCK


    # The only problem with this setup is that if the message is for multiple users on the same server
    # and they are on different unix accounts, the settings for the first recipient which has spamassassin enabled will be used.
    # This shouldn't be a problem 99.9% of the time, however its a very small price to pay for a massive speed increase.


  warn  domains = ! ${primary_hostname} : +local_domains
         condition = ${if <= {$message_size}{200K}{${if eq {${acl_m0}}{1}{0}{${if exists{/etc/global_spamassassin_enable}{1}{${if exists{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/.spamassassinenable}{1}{0}}}}}}}{0}}
         set acl_m0    = 1
         set acl_m1    = ${lookup{$domain}lsearch*{/etc/userdomains}{$value}}

  warn  domains = ${primary_hostname}
          condition = ${if <= {$message_size}{200K}{${if eq {${acl_m0}}{1}{0}{${if exists{/etc/global_spamassassin_enable}{1}{${if exists{${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}/.spamassassinenable}{1}{0}}}}}}}{0}}
          set acl_m0    = 1
          set acl_m1    = $local_part

#BEGIN ACL_POST_SPAM_SCAN_CHECK_BLOCK
# Research in Motion - Blackberry white list
 warn
     condition = ${if exists {/etc/mailproviders/rim/ips}{${if match_ip{$sender_host_address}{iplsearch;/etc/mailproviders/rim/ips}{1}{0}}}{0}}
     set acl_m0 = 0

#END ACL_POST_SPAM_SCAN_CHECK_BLOCK

  accept  domains = +relay_domains

  deny    message = $sender_fullhost is currently not permitted to \
                        relay through this server. Perhaps you \
                        have not logged into the pop/imap server in the \
                        last 30 minutes or do not have SMTP Authentication turned on in your email client.


#!!# ACL that is used after the DATA command
check_message:
#  Enabling this will make the server non-rfc compliant
#  require verify = header_sender
 accept  hosts = 127.0.0.1 : +relay_hosts

  accept  hosts = *
          authenticated = *

    accept
        hosts = +trustedmailhosts

    accept
        condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}

#BEGIN ACL_PRE_SPAM_SCAN
# Research in Motion - Blackberry white list
 accept
     condition = ${if exists {/etc/mailproviders/rim/ips}{${if match_ip{$sender_host_address}{iplsearch;/etc/mailproviders/rim/ips}{1}{0}}}{0}}

#END ACL_PRE_SPAM_SCAN

  warn
    condition = ${if eq {${acl_m0}}{1}{1}{0}}
    spam =  ${acl_m1}/defer_ok
    log_message = "SpamAssassin as ${acl_m1} detected message as spam ($spam_score)"
    add_header = X-Spam-Subject:  $h_subject
    add_header = X-Spam-Status: Yes, score=$spam_score
    add_header = X-Spam-Score: $spam_score_int
    add_header = X-Spam-Bar: $spam_bar
    add_header = X-Spam-Report: $spam_report
    add_header = X-Spam-Flag: YES
    set acl_m2 = 1

  warn
      condition =  ${if eq {$spam_score_int}{}{0}{${if <= {${spam_score_int}}{8000}{${if >= {${spam_score_int}}{50}{${perl{store_spam}{$sender_host_address}{$spam_score}}}{0}}}{0}}}}

  warn
  condition = ${if eq {${acl_m0}}{1}{${if eq {${acl_m2}}{1}{0}{1}}}{0}}
  add_header = X-Spam-Status: No, score=$spam_score
  add_header = X-Spam-Score: $spam_score_int
  add_header = X-Spam-Bar: $spam_bar
  add_header = X-Ham-Report: $spam_report
  add_header = X-Spam-Flag: NO
  log_message = "SpamAssassin as ${acl_m1} detected message as NOT spam ($spam_score)"


 accept


begin authenticators

dovecot_plain:
    driver = dovecot
    public_name = PLAIN
    server_socket = /var/run/dovecot/auth-client
    server_set_id = $auth1
    server_condition = ${if and {{!match {$auth1}{\N[/]\N}}{eq{${if match {$auth1}{\N[+%:@]\N}{${lookup{${extract{2}{+%:@}{$auth1}}}lsearch{/etc/demodomains}{yes}}}{${lookup{$auth1}lsearch{/etc/demousers}{yes}}}}}{}}}{true}{false}}

dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_condition = ${if and {{!match {$auth1}{\N[/]\N}}{eq{${if match {$auth1}{\N[+%:@]\N}{${lookup{${extract{2}{+%:@}{$auth1}}}lsearch{/etc/demodomains}{yes}}}{${lookup{$auth1}lsearch{/etc/demousers}{yes}}}}}{}}}{true}{false}}


######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################

# There are no rewriting specifications in this default configuration file.

begin rewrite


#!!#######################################################!!#
#!!# Here follow routers created from the old routers,   #!!#
#!!# for handling non-local domains.                     #!!#
#!!#######################################################!!#

begin routers


#!!# If we are trying to deliver to a remote mailman domain that is on the localhost
#!!# let it go though even if its not in /etc/localdomains since mailman will eat
#!!# up 100% of the cpu if we don't

mailman_virtual_router:
    driver = accept
    require_files = /usr/local/cpanel/3rdparty/mailman/lists/${lc::$local_part}_${lc::$domain}/config.pck
    local_part_suffix_optional
    local_part_suffix = -admin     : \
			-bounces   : -bounces+* : \
                        -confirm   : -confirm+* : \
			-join      : -leave     : \
			-owner	   : -request   : \
			-subscribe : -unsubscribe
    transport = mailman_virtual_transport

mailman_virtual_router_nodns:
    driver = accept
    require_files = /usr/local/cpanel/3rdparty/mailman/lists/${lc::$local_part}/config.pck
    condition    = \
           ${if or {{match{$local_part}{.*_.*}} \
                     {eq{$local_part}{mailman}}} \
                {1}{0}}
    local_part_suffix_optional
    local_part_suffix = -admin     : \
			-bounces   : -bounces+* : \
                        -confirm   : -confirm+* : \
			-join      : -leave     : \
			-owner	   : -request   : \
			-subscribe : -unsubscribe
    domains = +local_domains
    transport = mailman_virtual_transport_nodns


######################################################################
#                      ROUTERS CONFIGURATION                         #
#            Specifies how remote addresses are handled              #
######################################################################
#                          ORDER DOES MATTER                         #
#  A remote address is passed to each in turn until it is accepted.  #
######################################################################

# Remote addresses are those with a domain that does not match any item
# in the "local_domains" setting above.

#
# Demo Safety Router
#

democheck:
    driver = redirect
    require_files = "+/etc/demouids"
    condition = "${if eq {${lookup {$originator_uid} lsearch {/etc/demouids} {$value}}}{}{false}{true}}"
    allow_fail
    data = :fail: demo accounts are not permitted to relay email


# This router routes to remote hosts over SMTP using a DNS lookup with
# default options.

boxtrapper_autowhitelist:
  driver = accept
  condition = ${if eq {$authenticated_id}{}{0}{${if eq {$sender_address}{$local_part@$domain}{0}{${if match{$received_protocol}{local}{${perl{checkbx_autowhitelist}{$authenticated_id}}}{${if match{$received_protocol}{\N^e?smtps?a$\N}{${perl{checkbx_autowhitelist}{$authenticated_id}}}{0}}}}}}}}
  require_files = "+/usr/local/cpanel/bin/boxtrapper"
  transport = boxtrapper_autowhitelist
  unseen

#
# Handles nobody and webspam and mail trap checks in checkspam2 and gives a userful error
#

checkspam2:
    domains = ! +local_domains
    condition = "${perl{checkspam2}}"
    driver = redirect
    ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 64.94.110.0/24
    allow_fail
    data = "${perl{checkspam2_results}}"

#
# Handles nobody and webspam and mail trap checks in checkspam2 and gives a userful error
#
trackbandwidth:
    domains = ! +local_domains
    condition = "${perl{trackbandwidth}}"
    driver = redirect
    ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 64.94.110.0/24
    allow_fail
    verify = false
    data = "${perl{trackbandwidth_results}}"

#
# Lookup host router for remote smtp and ignores verisign site finder 'service' and uses domain keys
#

dk_lookuphost:
    driver = dnslookup
    domains = ! +local_domains
    #ignore verisign to prevent waste of bandwidth
    ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 64.94.110.0/24
    require_files = "+/var/cpanel/domain_keys/private/${sender_address_domain}"
    headers_add = "${perl{mailtrapheaders}}"
    transport = dk_remote_smtp

#
# Lookup host router for remote smtp and ignores verisign site finder 'service'
#

lookuphost:
    driver = dnslookup
    domains = ! +local_domains
    #ignore verisign to prevent waste of bandwidth
    ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 64.94.110.0/24
    headers_add = "${perl{mailtrapheaders}}"
    transport = remote_smtp

# This router routes to remote hosts over SMTP by explicit IP address,
# given as a "domain literal" in the form [nnn.nnn.nnn.nnn]. The RFCs
# require this facility, which is why it is enabled by default in Exim.
# If you want to lock it out, set forbid_domain_literals in the main
# configuration section above.

#
# Literal Transports .. ignores verisigns sitefinder service
#

literal:
    driver = ipliteral
    domains = ! +local_domains
    headers_add = "${perl{mailtrapheaders}}"
    ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 64.94.110.0/24
    transport = remote_smtp


#!!# This new router is put here to fail all domains that
#!!# were not in local_domains in the Exim 3 configuration.

#
# Trap Failures to Remote Domain
#

fail_remote_domains:
  driver = redirect
  domains = ! +local_domains : ! localhost : ! localhost.localdomain
  allow_fail
  data = ":fail: The mail server could not deliver mail to $local_part@$domain.  The account or domain may not exist, they may be blacklisted, or missing the proper dns entries."


#!!#######################################################!!#
#!!# Here follow routers created from the old directors, #!!#
#!!# for handling local domains.                         #!!#
#!!#######################################################!!#


######################################################################
#                      DIRECTORS CONFIGURATION                       #
#             Specifies how local addresses are handled              #
######################################################################
#                          ORDER DOES MATTER                         #
#   A local address is passed to each in turn until it is accepted.  #
######################################################################

# Local addresses are those with a domain that matches some item in the
# "local_domains" setting above, or those which are passed back from the
# routers because of a "self=local" setting (not used in this configuration).


# This director handles aliasing using a traditional /etc/aliases file.
# If any of your aliases expand to pipes or files, you will need to set
# up a user and a group for these deliveries to run under. You can do
# this by uncommenting the "user" option below (changing the user name
# as appropriate) and adding a "group" option if necessary. Alternatively, you
# can specify "user" on the transports that are used. Note that those
# listed below are the same as are used for .forward files; you might want
# to set up different ones for pipe and file deliveries from aliases.

#spam_filter:
#  driver = forwardfile
#  file = /etc/spam.filter
#  no_check_local_user
#  no_verify
#  filter
#  allow_system_actions


virtual_user_maildir_overquota:
  driver = redirect
  domains = +user_domains
  router_home_directory = ${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch{/etc/userdomains}{$value}}}{$value}}}}
  require_files = $home/etc/$domain
  condition = "${if exists {$home/etc/$domain/quota}{${if > {${lookup{$local_part}lsearch{$home/etc/$domain/quota}{$value}{0}}}{0}{${if eq {${if exists {$home/mail/$domain/$local_part/maildirsize}{1}{0}}}{0}{${if > {${run {/usr/local/cpanel/bin/eximwrap GETDISKUSED $local_part $domain}}}{${lookup{$local_part}lsearch{$home/etc/$domain/quota}{$value}{0}}}{true}{false}}}{${perl{checkuserquota}{$domain}{$local_part}{$message_size}{${lookup{$local_part}lsearch{$home/etc/$domain/quota}{$value}}}{$home/mail/$domain/$local_part/maildirsize}}}}}{false}}}{false}}"
  user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
  data = :fail:Mailbox quota exceeded
  allow_fail


#
# Account level filtering for everything but the main account
#

central_filter:
    driver = redirect
    allow_filter
    no_check_local_user
    file = /etc/vfilters/${domain}
    file_transport = address_file
    directory_transport = address_directory
    domains = +user_domains
    pipe_transport = virtual_address_pipe
    reply_transport = address_reply
    router_home_directory = ${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}
    user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
    allow_fail
    no_verify

#
# Account level filtering for the main account
#
# checks /etc/vfilters/maindomain if its a localuser (ie main acct)
#
mainacct_central_user_filter:
    driver = redirect
    allow_filter
    allow_fail
    check_local_user
    domains = ! +user_domains
    condition = ${if eq {${lookup{$local_part}lsearch{/etc/domainusers}{$value}}}{}{0}{${if exists {/etc/vfilters/${lookup{$local_part}lsearch{/etc/domainusers}{$value}}}{1}{0}}}}
    file = "/etc/vfilters/${lookup{$local_part}lsearch{/etc/domainusers}{$value}}"
    directory_transport = address_directory
    file_transport = address_file
    pipe_transport = address_pipe
    reply_transport = address_reply
    retry_use_local_part
    no_verify

#
# User Level Filtering for the main account
#
central_user_filter:
    driver = redirect
    allow_filter
    allow_fail
    check_local_user
    domains = ! +user_domains
    file = "${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}/etc/filter"
    require_files = "+${extract{5}{::}{${lookup passwd{$local_part}{$value}}}}/etc/filter"
    router_home_directory = ${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}
    directory_transport = address_directory
    file_transport = address_file
    pipe_transport = virtual_address_pipe
    reply_transport = address_reply
    retry_use_local_part
    no_verify

#
# User Level Filtering for virtual users
#
virtual_user_filter:
    driver = redirect
    allow_filter
    allow_fail
    no_check_local_user
    domains = +user_domains
    require_files = "+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/$local_part/filter"
    file = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/$local_part/filter"
    router_home_directory = ${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}
    directory_transport = address_directory
    file_transport = address_file
    pipe_transport = virtual_address_pipe
    reply_transport = address_reply
    user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
    no_verify

virtual_aliases_nostar:
  driver = redirect
  allow_defer
  allow_fail
  require_files = "+/etc/valiases/$domain"
  data = ${lookup{$local_part@$domain}lsearch{/etc/valiases/$domain}}
  file_transport = address_file
  group = mail
  pipe_transport = virtual_address_pipe
  retry_use_local_part
  unseen

#
# Virtual User Spam Boxes
#

virtual_user_spam:
    driver = accept
    domains = +user_domains
    require_files = "+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/.spamassassinboxenable:+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd"
    condition = ${if eq {${lookup {$local_part} lsearch {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd}}}{}{false}{${if match{$h_X-Spam-Status:}{\N^Yes\N}{true}{false}}}}
    headers_remove="x-spam-exim"
    transport = virtual_userdelivery_spam


virtual_boxtrapper_user:
  driver = accept
  domains = +user_domains
  require_files = "+/usr/local/cpanel/bin/boxtrapper:+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd"
  condition = ${if eq {${lookup {$local_part} lsearch {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd}}}{} {false}{${if exists {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/$local_part/.boxtrapperenable} {true} {false}}}}
  retry_use_local_part
  transport = virtual_boxtrapper_userdelivery

virtual_user:
  driver = accept
  headers_remove="x-spam-exim"
  domains = +user_domains
  require_files = "+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd"
  condition = ${if eq {${lookup {$local_part} lsearch {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd}}}{} {false}{true}}
  transport = virtual_userdelivery


has_alias_but_no_mailbox_discarded_to_prevent_loop:
        driver = redirect
        require_files = "+/etc/valiases/$domain"
        domains = +user_domains
        condition = "${perl{checkvalias}{$domain}{$local_part}}"
        data="#Exim Filter\nseen finish"
        group = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
        user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
        allow_filter
        disable_logging = true

valias_domain_file:
  driver = redirect
  allow_defer
  allow_fail
  require_files = +/etc/vdomainaliases/$domain
  condition = ${lookup {$domain} lsearch {/etc/vdomainaliases/$domain}{yes}{no} }
  data = $local_part@${lookup {$domain} lsearch {/etc/vdomainaliases/$domain} }
virtual_aliases:
    driver = redirect
    allow_defer
    allow_fail
    require_files = "+/etc/valiases/$domain"
    data = ${lookup{*}lsearch{/etc/valiases/$domain}}
    file_transport = address_file
    group = mail
    pipe_transport = virtual_address_pipe


# This director handles forwarding using traditional .forward files.
# If you want it also to allow mail filtering when a forward file
# starts with the string "# Exim filter", uncomment the "filter" option.
# The check_ancestor option means that if the forward file generates an
# address that is an ancestor of the current one, the current one gets
# passed on instead. This covers the case where A is aliased to B and B
# has a .forward file pointing to A. The three transports specified at the
# end are those that are used when forwarding generates a direct delivery
# to a file, or to a pipe, or sets up an auto-reply, respectively.

system_aliases:
  driver = redirect
  allow_defer
  allow_fail
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  file_transport = address_file
  pipe_transport = address_pipe
  retry_use_local_part
# user = exim


local_aliases:
  driver = redirect
  allow_defer
  allow_fail
  data = ${lookup{$local_part}lsearch{/etc/localaliases}}
  file_transport = address_file
  pipe_transport = address_pipe
  check_local_user


userforward:
  driver = redirect
  allow_filter
  check_ancestor
  check_local_user
  domains = ! +user_domains
  no_expn
  file = $home/.forward
  file_transport = address_file
  pipe_transport = address_pipe
  reply_transport = address_reply
  directory_transport = address_directory
  no_verify

#
# Optimzied spambox router
#

localuser_spam:
    driver = accept
    headers_remove="x-spam-exim"
    domains = ! +user_domains
    require_files = "+$home/.spamassassinboxenable"
    condition = ${if match{$h_X-Spam-Status:}{\N^Yes\N}{true}{false}}
    check_local_user
    transport = local_delivery_spam

boxtrapper_localuser:
  driver = accept
  require_files = "+/usr/local/cpanel/bin/boxtrapper:+$home/etc/.boxtrapperenable"
  check_local_user
  domains = ! +user_domains
  transport = local_boxtrapper_delivery


localuser:
    driver = accept
    headers_remove="x-spam-exim"
    check_local_user
    domains = ! +user_domains
    transport = local_delivery


# This director matches local user mailboxes.


######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
#                       ORDER DOES NOT MATTER                        #
#     Only one appropriate transport is called for each delivery.    #
######################################################################

# A transport is used only when referenced from a director or a router that
# successfully handles an address.


# This transport is used for delivering messages over SMTP connections.

begin transports


remote_smtp:
  driver = smtp
  interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
  helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}


dk_remote_smtp:
  driver = smtp
  interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
  helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
  dk_private_key = "/var/cpanel/domain_keys/private/${dk_domain}"
  dk_canon = nofws
  dk_selector = default


# This transport is used for local delivery to user mailboxes. By default
# it will be run under the uid and gid of the local user, and requires
# the sticky bit to be set on the /var/mail directory. Some systems use
# the alternative approach of running mail deliveries under a particular
# group instead of using the sticky bit. The commented options below show
# how this can be done.


local_delivery:
    driver = appendfile
    delivery_date_add
    envelope_to_add
    directory = "${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}/mail"
    maildir_use_size_file
    maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
    maildir_format
    maildir_tag = ,S=$message_size
    quota_size_regex = ,S=(\d+)
    mode = 0660
    return_path_add
    group = ${extract{3}{:}{${lookup passwd{$local_part}{$value}}}}
    user = $local_part
    shadow_condition = ${if exists {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/.cpanel/rim/bis/$local_part}{1}{0}}
    shadow_transport = rim_bis_notifier_local_user

rim_bis_notifier_local_user:
    driver = pipe
    headers_only
    command = /usr/local/cpanel/bin/rim_bis_notifier "${local_part}"
    group = ${extract{3}{:}{${lookup passwd{$local_part}{$value}}}}
    user = $local_part
    log_output = true
    current_directory = "/tmp"
    return_fail_output = true
    return_path_add = false

local_delivery_spam:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  directory = "${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}/mail/.spam"
  maildir_use_size_file
  maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
  maildir_format
  maildir_tag = ,S=$message_size
  quota_size_regex = ,S=(\d+)
  group = ${extract{3}{:}{${lookup passwd{$local_part}{$value}}}}
  mode = 0660
  return_path_add
  user = $local_part


# This transport is used for handling pipe deliveries generated by alias
# or .forward files. If the pipe generates any standard output, it is returned
# to the sender of the message as a delivery error. Set return_fail_output
# instead of return_output if you want this to happen only when the pipe fails
# to complete normally. You can set different transports for aliases and
# forwards if you want to - see the references to address_pipe below.

address_directory:
    driver        = appendfile
    maildir_tag = ,S=$message_size
    quota_size_regex = ,S=(\d+)
    maildir_format
    maildir_use_size_file
    maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
    mode = 0660
    delivery_date_add
    envelope_to_add
    return_path_add
address_pipe:
  driver = pipe
  return_output

virtual_address_pipe:
  driver = pipe
  group = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
  return_output
  user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"

# This transport is used for handling deliveries directly to files that are
# generated by aliassing or forwarding.

address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add


# This transport is used for handling autoreplies generated by the filtering
# option of the forwardfile director.


virtual_userdelivery_spam:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  directory = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/mail/${domain}/${local_part}/.spam"
  maildir_use_size_file
  maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
  maildir_format
  maildir_tag = ,S=$message_size
  quota_size_regex = ,S=(\d+)
  mode = 0660
  quota = "${if exists{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/${domain}/quota} {${lookup{$local_part}lsearch*{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/${domain}/quota}{$value}}} {}}"
  quota_is_inclusive = false
  quota_directory = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/mail/${domain}/${local_part}"
  return_path_add
  user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
  group = ${extract{3}{:}{${lookup passwd{${lookup{$domain}lsearch* {/etc/userdomains}{$value}}}{$value}}}}

boxtrapper_autowhitelist:
  driver = pipe
  headers_only
  command = /usr/local/cpanel/bin/boxtrapper --autowhitelist "${authenticated_id}"
  user = ${perl{getemailuser}{$authenticated_id}}
  group = ${extract{3}{:}{${lookup passwd{${perl{getemailuser}{$authenticated_id}}}{$value}}}}
  log_output = true
  current_directory = "/tmp"
  return_fail_output = true
  return_path_add = false

local_boxtrapper_delivery:
  driver = pipe
  command = /usr/local/cpanel/bin/boxtrapper "${local_part}" $home
  user = $local_part
  group = ${extract{3}{:}{${lookup passwd{$local_part}{$value}}}}
  log_output = true
  current_directory = "/tmp"
  return_fail_output = true
  return_path_add = false

virtual_boxtrapper_userdelivery:
  driver = pipe
  command = /usr/local/cpanel/bin/boxtrapper "${local_part}@${domain}" $home
  user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
  group = ${extract{3}{:}{${lookup passwd{${lookup{$domain}lsearch* {/etc/userdomains}{$value}}}{$value}}}}
  log_output = true
  current_directory = "/tmp"
  return_fail_output = true
  return_path_add = false


virtual_userdelivery:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  directory = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/mail/${domain}/${local_part}"
  maildir_use_size_file
  maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
  maildir_format
  maildir_tag = ,S=$message_size
  quota_size_regex = ,S=(\d+)
  mode = 0660
  quota = "${if exists{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/${domain}/quota} {${lookup{$local_part}lsearch*{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/${domain}/quota}{$value}}} {}}"
  quota_is_inclusive = false
  quota_directory = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/mail/${domain}/${local_part}"
  return_path_add
  user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
  group = ${extract{3}{:}{${lookup passwd{${lookup{$domain}lsearch* {/etc/userdomains}{$value}}}{$value}}}}
  shadow_condition = ${if exists {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/.cpanel/rim/bis/$local_part@$domain}{1}{0}}
  shadow_transport = rim_bis_notifier_virtual_user

rim_bis_notifier_virtual_user:
  driver = pipe
  headers_only
  command = /usr/local/cpanel/bin/rim_bis_notifier "${local_part}@${domain}"
  user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
  group = ${extract{3}{:}{${lookup passwd{${lookup{$domain}lsearch* {/etc/userdomains}{$value}}}{$value}}}}
  log_output = true
  current_directory = "/tmp"
  return_fail_output = true
  return_path_add = false


address_reply:
  driver = autoreply


mailman_virtual_transport:
    driver = pipe
    command = /usr/local/cpanel/3rdparty/mailman/mail/mailman \
              '${if def:local_part_suffix \
                    {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
                    {post}}' \
              ${lc:$local_part}_${lc:$domain}
    current_directory = /usr/local/cpanel/3rdparty/mailman
    home_directory = /usr/local/cpanel/3rdparty/mailman
    user = mailman
    group = mailman


mailman_virtual_transport_nodns:
    driver = pipe
    command = /usr/local/cpanel/3rdparty/mailman/mail/mailman \
              '${if def:local_part_suffix \
                    {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
                    {post}}' \
              ${lc:$local_part}
    current_directory = /usr/local/cpanel/3rdparty/mailman
    home_directory = /usr/local/cpanel/3rdparty/mailman
    user = mailman
    group = mailman


######################################################################
#                      RETRY CONFIGURATION                           #
######################################################################

# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 1 hour and increasing each time by a factor of 1.5, up to 16
# hours, then retries every 8 hours until 4 days have passed since the first
# failed delivery.

# Domain               Error       Retries
# ------               -----       -------


begin retry

*			quota


*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,8h


# End of Exim 4 configuration