BlueRay Concepts has been a Spam Experts Partner for several years now on the incoming filter side. We recently decided that we would fire up the outgoing filter side due to the annoyingness of being blacklisted several times. I had looked at this over the last year or so, but it wasn’t till recently that we were able to actually move forward with it. After doing tons of research and annoying the support folks for several days with questions that I had not been able to find answers to, or with questions that the knowledge base articles left me with, I decided I had enough info to go ahead and move forward. I would think this would apply to any spam filtering service, but I only have experience with Spam Experts.

The implementation of the hosted cloud outgoing filter was actually very easy once I fully understood everything. The knowledge base articles, however, left me somewhat confused on several things, so I spent several days digging the answers out of the support folks, who were very helpful. I have noticed that their support has gotten tremendously better over the years and am very pleased with it. I think most of my confusion came from grammar and article titles. (My grammar is probably not great either.)

My main concerns dealt more with the email flow than anything else. I did not want to implement anything and then find out emails were not going out. Originally my plan was to only filter certain domains (those paying for outgoing) but ultimately decided that for the benefit of the greater good I would just filter everyone through a single IP authentication. While this gives individual customers no access to outgoing information it would alleviate the amount of spam being sent and/or forwarded. If customers wanted access to information for their domain then we can easily shift their domain out of the main pool and into their own account.

Things of note:
1. When setting up the outgoing filter, every domain on your server will be getting sent out via the smarthost configuration to the filter.
2. Yes, you can set it up so that some domains are filtered and some are not.
3. You will need to contact Spam Experts Support to get the hostname that you will be sending mail to from your MTA.
4. You will need to add the Spam Experts hostname they give you to your SPF record.
5. After creating the IP authenticated user, set identification method to Envelope Sender.

Issues I ran into:

1. Email forwards were broken. This turned out to be a timing issue. If I had done this a couple of weeks ago it would not have been a problem, at least not till the update. But the WHM 54 update brought with it the implementation of SRS support for the Basic Exim Configuration. cPanel support said it should not have been on by default, but unfortunately it was on after the update. The problem here is (as I understand it) that SRS rewrites the sender addresses so that the emails that are being forwarded appear to come from the forwarding mail server. While this is fine and dandy for normal operation to avoid it looking like the forwarded spam is coming from you, the way it rewrites the sender address makes the message fail. And since I was setting up outgoing filtering, I didn’t care, since the filter should catch most if not all outgoing spam. Turning off SRS in the cPanel Exim Basic Configuration fixed this issue with outgoing forwarded email being bounced. This was the biggest issue and took a while to figure out.

a. Example of an SRS-enabled sender address – SRS0=B6VOx=OH=originatingdomain.com=…dingdomain.com. Well, that email address does not exist on the forwarding email server, so the sender verification fails.

2. The other issue I ran into was with IPv6 enabled on my server. With IPv6 enabled on the server, I had to turn off “Send mail from account’s dedicated IP address” and turn on “reference /etc/mailhelo” and “reference /etc/mailips”. With IPv6 enabled on the accounts, WHM put each dedicated IPv6 address in the /etc/mailips file. This caused the mail to fail sending because of the : in the IPv6 address. This is something that will need to be fixed in the future by either cPanel or Spam Experts as IPv6 becomes more prevalent. I am leaning towards cPanel, as it would seem the server was the one having the issue sending via the IPv6 address and not the filter, but I may be incorrect.

a. Example of the IPv6 sending issue – == recipientemail.com R=smarthost_dkim T=remote_smtp_smart_dkim defer (-1): "IPV6 first digits" is not a valid IP address for the "interface" option for remote_smtp_smart_dkim transport

b. I found this fix by accident while looking into another problem that I had been having since the WHM 54 update, which was being blacklisted by CBL. You can find the post here that helped me with that issue and, happily, the IPv6 issue – CBL blacklisted but no outgoing spam detected
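As a pre-flight check for the IPv6 problem above, here is an added example (not from the original post, cPanel or Spam Experts) that scans mailips-style content for entries that are not plain IPv4. It assumes /etc/mailips uses a "domain: address" line layout; the sample data and function names are constructed for illustration. The first_item field shows what a colon-separated list parser takes as its first element, which for an IPv6 value is only the leading group, matching the "IPV6 first digits" error.

```python
import ipaddress

# Constructed sample; the "domain: address" layout is an assumption about
# how /etc/mailips is written ("*" is the server-wide default entry).
SAMPLE_MAILIPS = """\
*: 192.0.2.10
shop.example: 192.0.2.25
blog.example: 2001:db8:0:1::25
typo.example: 192.0.2.300
"""

def audit_mailips(text):
    """Classify every entry as ipv4, ipv6, invalid or malformed."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first colon only: an IPv6 value has colons of its own.
        domain, sep, value = line.partition(":")
        domain, value = domain.strip(), value.strip()
        if not sep or not domain or not value:
            findings.append({"line": lineno, "domain": domain, "value": value,
                             "kind": "malformed", "first_item": ""})
            continue
        try:
            kind = "ipv%d" % ipaddress.ip_address(value).version
        except ValueError:
            kind = "invalid"
        findings.append({
            "line": lineno, "domain": domain, "value": value, "kind": kind,
            # What a colon-separated list parser would read as the first item.
            "first_item": value.split(":")[0],
        })
    return findings

def needs_attention(text):
    """Entries to review before routing mail through the smarthost."""
    return [f for f in audit_mailips(text) if f["kind"] != "ipv4"]

if __name__ == "__main__":
    for f in needs_attention(SAMPLE_MAILIPS):
        print("line %(line)d: %(domain)s -> %(value)s [%(kind)s], "
              "first list item %(first_item)r" % f)
```

On a real server, pass the contents of the file to needs_attention() instead of the constructed sample.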

At this point, if you are a partner reseller with Spam Experts or any other spam filtering service, I cannot see any reason why you would not have the outgoing spam filter enabled for your server. I wish I had done this long ago, but hindsight is 20/20. While a single IP authenticated user does not give you finite control, it is a simple and cheap way, if you are already set up with them, to control outgoing spam and help keep your servers off blacklists. Their knowledge base article titles are, however, a bit misleading and confusing. The following step by step is for the hosted cloud version only.

1. At the bare minimum, read Knowledgebase | Getting started with the outgoing filtering and Knowledgebase | MTA examples to setup usage as a smarthost.

a. I set up via the “Exim/CPanel – Routing all outgoing mails via the outgoing smarthost (IP Authentication)” example.

b. If you want to set it up to filter only certain domains but let others pass unfiltered, then I was told to use “Limit Outgoing for certain sender domains”.

2. Make sure you have the outgoing filtering set up in the spam panel. You can create a new domain for it or use an existing one. In our case I just used our main domain and added the outgoing filter to it.

3. Contact support and get the hostname that your server will use to connect to the filter.

4. Create an Authenticated IP User for outgoing mail. This will be the IP that your server uses to connect to the spam filter. You can use ranges for this or a single IP. I preferred to enter the IPv4 addresses separately rather than as a single range, as this allowed me a bit more reporting capability for my dedicated IP customers and would allow me to auto lock the dedicated account if there was spam being sent.

a. Configure your user as necessary; at the minimum, select your identification method. I chose envelope sender. This will give you the specific account that is sending the email.

b. Disable the Automatic lock on the shared IP account if it is serving more than one domain.

5. Choose your MTA server and use the appropriate config. Make sure to replace the bolded SMARTHOST with the hostname they give you. Save.

6. Add a:hostnametheygiveyou and a:delivery.antispamcloud.com to your SPF record.
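To verify step 6, the following added example (not from the original post or from Spam Experts) checks an SPF record string for both a: mechanisms, confirms they sit before the all term, and counts DNS-lookup terms against the RFC 7208 limit of 10. The hostname smarthost.example.invalid is a placeholder for the hostname support gives you, and the sample records are constructed.

```python
import re

# RFC 7208 section 4.6.4: each of these terms costs one DNS lookup (limit 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

FILTER_HOST = "smarthost.example.invalid"  # placeholder for the support-issued name
REQUIRED = [FILTER_HOST, "delivery.antispamcloud.com"]

# Constructed sample records.
BEFORE = "v=spf1 a mx ip4:192.0.2.10 -all"
AFTER = ("v=spf1 a mx ip4:192.0.2.10 a:smarthost.example.invalid "
         "a:delivery.antispamcloud.com -all")
MISPLACED = ("v=spf1 a mx -all a:smarthost.example.invalid "
             "a:delivery.antispamcloud.com")

def split_term(term):
    """Return (qualifier, name, argument) for one SPF term."""
    qualifier = term[0] if term[0] in "+-~?" else "+"
    body = term.lstrip("+-~?").lower()
    name, _, arg = re.match(r"([a-z0-9]*)([:=/]?)(.*)", body).groups()
    return qualifier, name, arg

def check_spf(record, required_hosts):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = [split_term(t) for t in terms[1:]]
    names = [name for _, name, _ in parsed]
    # Terms after "all" are never evaluated, so position matters.
    all_pos = names.index("all") if "all" in names else len(names)
    found = {}
    for pos, (qual, name, arg) in enumerate(parsed):
        host = arg.split("/")[0].rstrip(".")
        if name == "a" and qual == "+" and host:
            found.setdefault(host, pos)
    wanted = [h.lower().rstrip(".") for h in required_hosts]
    return {
        "missing": [h for h in wanted if h not in found],
        "after_all": [h for h in wanted if h in found and found[h] > all_pos],
        "dns_lookups": sum(1 for n in names[:all_pos] if n in LOOKUP_TERMS),
    }

def spf_ready(record, required_hosts=REQUIRED):
    r = check_spf(record, required_hosts)
    return not r["missing"] and not r["after_all"] and r["dns_lookups"] <= 10

if __name__ == "__main__":
    for label, rec in (("before", BEFORE), ("after", AFTER), ("misplaced", MISPLACED)):
        print(label, spf_ready(rec), check_spf(rec, REQUIRED))
```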

That was it. I have been monitoring logs to make sure everything is good, and once I fixed the two issues I had, everything has been grand. I hope this is helpful to someone.