Hello,
This is a rewrite, with a few additions, of a solution that I found on 2 blogs and in the cPanel Forum. My sources are: johnhesch.com, yamzy.net and forums.cpanel.net.
I was having some issues with a few clients and their email. A client would call me and say, “A vendor says that they cannot send email to me. What’s going on?”
I’d chime back, “Did they give you any more information? If you can ask them to fax you the bounce message or email it to my comcast account I will look into it.”
Eventually I’d receive the error message. It would read something like:
Error 451: Deferred sender callout cannot be verified.
or
Error 550: Verify sender callout failed.
If you look in your Exim log, /var/log/exim_mainlog, you might find something like:
could not complete sender verify callout
By default, Exim will check the sender’s email address by sending a callback to the sending server to see whether the user’s email address actually exists. In this case the sender’s email server was not verifying that the email address actually exists, and so the email was being rejected. In some cases the sending server does not wait long enough for the check to complete. Most of the time this is an issue with the sending server’s configuration. It is not RFC compliant. It is not always possible to contact the sender’s server admin to alert them of their server issue. You may want to just make a concession on your end.
In cPanel, or more specifically “WHM -> Service Configuration -> Exim Configuration Editor”, there are 2 settings that help keep SPAM down: “Verify the existence of email senders.” and “Use callouts to verify the existence of email senders.” These Exim directives tell Exim to perform the checks. I tried to turn them off for about 4 months. My server mail queue was loaded with over 3000 emails. The queue ages 7 days then deletes, but still something was wrong. Then I got on an RBL list and that was the straw that started the search for a solution. I enabled both “Verify the existence of email senders.” and “Use callouts to verify the existence of email senders.” while I looked for a solution. In 7 days my queue dropped to just 40 emails. Now I still had clients that needed to communicate with their vendors.
After Googling I found my solution on johnhesch.com. I nearly lost it. When I finally confirmed that what was posted there was worth trying, the link was broken. I contacted John via email to ask about it and he sent me back the info I needed. I later found what looks like a copy of John’s posting here: yamzy.net.
So it turns out what I needed was a white list.
Now starts the “How To”.
Create a file that will be the actual white list. In this example it is /etc/exim_whitelist_senders. The addresses need to be listed one entry per line, either the email address or, using the wildcard, an entire domain. The following supports cPanel 10.
- SSH into your server and, as root or using sudo or su, run this command:
touch /etc/exim_whitelist_senders
- In WHM, go to “WHM -> Service Configuration -> Exim Configuration Editor.”
In the topmost edit box add (if there is anything else in the text box, add this below it):
addresslist whitelist_senders = wildlsearch;/etc/exim_whitelist_senders
- Still in WHM, scroll down to where there are three text boxes together. This is the begin ACL section. In the middle box scroll down until you find:
#sender verifications are required for all messages that are not sent to lists
require verify = sender/callout
accept domains = +local_domains
endpass
In cPanel 11 look for:
[% ACL_RBL_BLOCK %]
require verify = sender/callout=60s
- and change it to:
#sender verifications are required for all messages that are not sent to lists
deny
!verify = sender/callout=30s,defer_ok,maxwait=60s
!senders = +whitelist_senders
accept domains = +local_domains
endpass
- Save and exit. Now try to send and receive email to make sure everything is still working. If all is OK, add the address in question to the white list and see if it works.
- Put the sender addresses in the file /etc/exim_whitelist_senders, one per line, e.g.
someone@domain1.tld
*@domain2.tld
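Every entry in /etc/exim_whitelist_senders exempts a sender from the deny above, so the file is worth checking after each edit. The script below is an added example, not part of the original post or of cPanel or Exim; it assumes only the two entry forms described above, and the function names and sample entries are made up for illustration.

```sh
#!/bin/sh
# Added example, not part of cPanel or Exim. Lints a whitelist laid out as the
# post describes: one "user@domain" or "*@domain" entry per line.
# Prints "<line>:<LEVEL>:<message>"; returns 1 if any ERROR was reported.
lint_whitelist() {
    awk '
    /^[ \t]*$/ || /^[ \t]*#/ { next }        # skip blank lines and comments
    {
        entry = $0
        gsub(/^[ \t]+|[ \t]+$/, "", entry)   # trim surrounding whitespace
        key = tolower(entry)                 # compare duplicates ignoring case
        if (key in seen) {
            printf "%d:WARN:duplicate of line %d: %s\n", NR, seen[key], entry
            next
        }
        seen[key] = NR
        at = index(key, "@")
        lpart = substr(key, 1, at - 1)
        dom = substr(key, at + 1)
        if (at == 0 || lpart == "" || key ~ /[ \t]/ || dom ~ /@/) {
            printf "%d:ERROR:not user@domain or *@domain: %s\n", NR, entry; bad = 1
        } else if (dom !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) {
            printf "%d:ERROR:domain is not a plain hostname: %s\n", NR, entry; bad = 1
        } else if (lpart == "*") {
            printf "%d:NOTE:whole domain exempt from the sender-verify deny: %s\n", NR, entry
        } else if (lpart ~ /[*^]/) {
            printf "%d:ERROR:pattern characters in local part: %s\n", NR, entry; bad = 1
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample file contents (not real addresses).
sample_whitelist() {
    cat <<'EOF'
# vendors approved after callout failures
someone@domain1.tld
*@domain2.tld
Someone@Domain1.tld
*@*.tld
vendor domain3.tld
EOF
}

tmp=$(mktemp)
sample_whitelist > "$tmp"
lint_whitelist "$tmp" || echo "errors found: fix before relying on the list"
rm -f "$tmp"
```

On the real server the call would be lint_whitelist /etc/exim_whitelist_senders; the NOTE lines list every domain-wide exemption so they can be reviewed and narrowed to single addresses where possible.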
If you do not want an RFC-compliant email server, make this change too. When I made this change it broke my setup. Verifying the header can cause valid email to fail this check, since some valid email does not come from users but is created by automated systems, like a server. I WOULD NOT MAKE THIS CHANGE. It took me 5 days to figure out this was the part that broke the above setup.
- Still in the middle box scroll down to the end and change:
#!!# ACL that is used after the DATA command
check_message:
# Enabling this will make the server non-rfc compliant
#require verify = header_sender
accept
- and change it to:
#!!# ACL that is used after the DATA command
check_message:
deny
!verify = header_sender
!senders = +whitelist_senders
accept
It did not really break it but for some reason beyond me it was not working with this section active. Disabling it made my white list work like a charm.
Sincerely,
Mike