Whitelist domains in exim

Login to the server SSH as root. Make a sender whitelist file.

touch /etc/exim_whitelist_senders

Take a backup of the exim conf and open it.

cp -p /etc/exim.conf /etc/exim.conf.BKP
vi /etc/exim.conf

Add the line on top of the file

addresslist whitelist_senders = wildlsearch;/etc/exim_whitelist_senders

Now search for the line
require verify = sender/callout

Comment that line and add the following below that.

!verify = sender/callout=30s,defer_ok,maxwait=60s
!senders = +whitelist_senders

Save conf file.

Add email address to the /etc/exim_whitelist_senders file one by one. Wildcard is also acceptable here, Eg: *@domain.com

Restart exim

Change Mail Server IP

Sometimes your server’s IP address may get black listed by most of RBLs. In such situation a quick solution is to route the emails through a secondary IP address on the same server which is not black listed. There are two options to switch the mail server IP.

1. In Cpanel:

Login to WHM

Click Exim Configuration Editor

Check the box next to:
“Send outgoing mail from the ip that matches the domain name in /etc/mailips (*: IP can be added to the file to change the main outgoing interface)”

Save Changes

Then edit the file /etc/mailips
vi /etc/mailips

and add:

*: newIP

Restart exim


2. Through Shell

vi /etc/exim.conf

Locate remote_smtp

Change as per below:


driver = smtp

#interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch{/etc/mailips}{$value}{}}}{}}
#helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_ho stname}}

interface = 111.222.333.444 # Change to your server IP address.

Save changes and exit.

Restart Exim

Track Spammers in Plesk

Install qmhandle-1.3.2 from:


cd qmhandle-1.3.2
./qmHandle -s
shows the stats of mails.

To view the mails in queue, please do

# /var/qmail/bin/qmail-qstat
messages in queue: 758
messages in queue but not yet preprocessed: 0

Let’s examine the queue with qmail-qread. Seeing a bunch of strange email addresses in the recipient list usually it’s meaning spam.

# /var/qmail/bin/qmail-qread

Please examine the email content of the emails in the queue using vi or cat  command. Firstly we should find message’s id using qmail-qread, then find the file holding the email in/var/qmail/queue with find command.

# find /var/qmail/queue/ -name (msg id)

Find the IP address from the mail header and remove spam from the queue using qmail-remove

Now, remove spams, they all will end up in the/var/qmail/queue/yanked directory :

# /etc/init.d/qmail stop

# qmail-remove -r -p ‘mail@address.com’

In a few minutes we do have more emails with the same patterns from the same ip address. That’s great, we do have opportunity to examine smtp traffic from the spammer’s ip address. Run tcpdumpand wait a few minutes.

# tcpdump -i eth0 -n src xxx.xxx.xxx.xxx \or dst xxx.xxx.xxx.xxx -w smtp.tcpdump -s 2048

Examining log file with vi we found that spammer is sending spam using LOGIN authentication:


220 ulise.domain.com ESMTP
ehlo User
334 VXNlcm5hbWU6
334 UGFzc3dvcmQ6
235 go ahead


Then decode the user/pass to see which account is used:

# perl -MMIME::Base64 -e ‘print decode_base64(“dGVzdA==”)’ test

# perl -MMIME::Base64 -e ‘print decode_base64(“MTIzNDU=”)’ 12345

So, someone created a test account with a weak password and someone else guessed it and is sending spam through the server.

Let’s find the domain owning of the mailbox:

[root@ulise ~]# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa

mysql> SELECT m.mail_name, d.name, a.password FROM mail AS m LEFT JOIN (domains AS d, accounts AS a) ON (m.dom_id = d.id AND m.account_id = a.id) WHERE m.mail_name=’test’ AND a.password=’12345′;
| mail_name | name       | password |
| test      | example.com | 12345    |
1 row in set (0.01 sec)

Next step is to delete test mailbox and send a warning to client.

To improve your server’s security you’ll need to enable:
Server -> Mail -> Check the passwords for mailboxes in the dictionary

Reference : http://www.cherpec.com/2008/07/plesk-howto-debug-spam-problems/

HELO ends with a dot – spamassasign problem

If you need to get rid of this problem, please edit the file


score FH_HELO_ENDS_DOT 0.0

restart spamd





restart spamd

Stop Open Relay of Exim

Telnet to yourmailserver at port 25 and issue all the following commands:


telnet hostname/ip 25

helo client.server.com

mail from: xxx@somedomain.com

rcpt to: yyy@somedomain.com

If you are getting the error “554 : Relay access denied” then the server is not an open Relay

If not Just pass the command “DATA” sfter the recipient and then enter the message ending with a period ie : “.”

If you get the reply “SUCCESS Relay Accepted – final response code 550″

Then as you feared your server is subjected to open relay and if not enjoy………. It is not

I hope your server is not open relay supporting, but if it is so, as it is a Cpanel Server you can stop it normally using the below scripts



/etc/rc.d/init.d/antirelayd restart

service exim restart