We recently decided that we would fire up the outgoing filter side of our spam filter due to the continued blacklisting we were getting hit with. I had looked at this over the last year or so but it wasn’t till recently that we were able to actually move forward with this. After doing tons of research and annoying the support folks at our spam filter dealer for several days with questions that I had not been able to find answers to or with questions that the knowledge base articles left me with I decided that I had enough info to go ahead and move forward. I would think this would apply to any spam filtering service but our configuration was with Spam Experts and using CPanel as our control panel.
My main concerns dealt more with the email flow than anything else. I did not want to implement anything and then find out emails were not going out. Originally my plan was to only filter certain domains (those paying for outgoing) but ultimately decided that for the benefit of the greater good I would just filter everyone through a single IP. While this gives individual customers no access to outgoing information it would alleviate the amount of spam being sent and/or forwarded. If customers wanted access to information for their domain then we can easily shift their domain out of the main pool and into their own account.
Things of note:
- When setting up the outgoing filter, every domain on your server will be getting sent out via the smarthost configuration to the filter.
- Yes you can setup where some domains are filtered and some are not.
- You will need to contact your specific filters Support Team to get your specific information
- You will need to add the spam filters hostname they give you to your SPF record
- After creating the IP authenticated user, set identification method to Envelope Sender.
Issues I ran into:
- Email Forwards were broke. This turned out to be a timing issue. If I had done this a couple weeks prior it would not have been a problem, at least not till the update. But the WHM 54 update brought with it the implementation of SRS support for the Basic Exim Configuration. CPanel support said it should not have been on by default but unfortunately it was on after the update. The problem here is (as I understand it) that SRS rewrites the sender addresses so that the emails that are being forwarded appear to come from the forwarding mail server. While this is fine and dandy for normal operation to avoid it looking like the forwarded spam is coming from you, the way it rewrites the sender address makes the message fail. And since I was setting up outgoing filtering, I didn’t care since the filter should catch most if not all outgoing spam. Turning off SRS in the CPanel Exim Basic Configuration fixed this issue with outgoing forwarded email being bounced. This was the biggest issue and took a while to figure out.
- Example of SRS enable sender address – SRS0=B6VOx=OH=originatingdomain.com=…dingdomain.co m. Well that email address does not exist on the forwarding email server so the sender verification fails.
- The other issue I ran into was with IPV6 enabled on my server. With IPV6 enabled on the server, I had to turn off “Send mail from account’s dedicated IP address” and turn on “reference /etc/mailhelo” and “reference /etc/mailips”. With IPV6 enabled on the accounts WHM put each dedicated IPV6 in the /etc/mailips file. This caused the mail to fail sending because of the : in the IPV6 address. This is something that will need to be fixed in the future by either CPanel or my specific spam filter provider as IPV6 becomes more prevalent. I am leaning towards CPanel as it would seem the server was the one having the issue sending via the IPV6 address and not the filter, but I may be incorrect.
- Example of IPV6 sending issue – == recipientemail.com R=smarthost_dkim T=remote_smtp_smart_dkim defer
- (-1): “”IPV6 first digits” is not a valid IP address for the “interface” option for remote_smtp_smart_dkim transport
I found this fix by accidentally looking for another problem that was I was having since the WHM 54 update. Which was being blacklisted by CBL. You can find the post here that helped me with that issue and happily the IPV6 issue – CBL blacklisted but no outgoing spam detected
At this point I cannot see any reason why you would not have outgoing spam filter enabled for your server. I wish I had done this long ago but hind sight is 20/20. While the single IP authenticated user does not give you granular control, it is a simple and cheap way to control outgoing spam and help keep your servers off blacklists.
If you have the same setup as I do Spam Experts and CPanel and are looking at possibly setting this up let me know and I can PM you the full version of this article which contains knowledgebase article links and a step by step walk through. I will not post here without admin approval as it may be considered marketing.