{"ok":true,"c":"#!!# cPanel Exim 4 Config\n\n# +incoming_port, +smtp_connection, +all_parents are needed for cPanel email tracking.\n# +retry_defer, +subject, +arguments, +received_recipients are suggested settings that may be disabled.\nlog_selector = +all\ntls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP\ndisable_ipv6 = true\nsmtp_connect_backlog = 100\nsmtp_enforce_sync = true\nsmtp_receive_timeout = 30s\n\nhostlist loopback = <; @[]; 127.0.0.0\/8 ; 0.0.0.0 ; ::1 ; 0000:0000:0000:0000:0000:ffff:7f00:0000\/8\n\nhostlist senderverifybypass_hosts = net-iplsearch;\/etc\/senderverifybypasshosts\n\nhostlist skipsmtpcheck_hosts = net-iplsearch;\/etc\/skipsmtpcheckhosts\n\nhostlist spammeripblocks = net-iplsearch;\/etc\/spammeripblocks\n\nhostlist blocked_incoming_email_country_ips = ${if exists{\/etc\/blocked_incoming_email_country_ips} {net-iplsearch;\/etc\/blocked_incoming_email_country_ips} {} }\n\nhostlist backupmx_hosts = lsearch;\/etc\/backupmxhosts\n\nhostlist trustedmailhosts = lsearch;\/etc\/trustedmailhosts\n\nhostlist recent_authed_mail_ips = net-iplsearch;\/etc\/recent_authed_mail_ips\n\nhostlist neighbor_netblocks = net-iplsearch;\/etc\/neighbor_netblocks\n\nhostlist greylist_trusted_netblocks = net-iplsearch;\/etc\/greylist_trusted_netblocks\n\nhostlist greylist_common_mail_providers = net-iplsearch;\/etc\/greylist_common_mail_providers\n\nhostlist cpanel_mail_netblocks = net-iplsearch;\/etc\/cpanel_mail_netblocks\n\nhostlist recent_recipient_mail_server_ips = net-iplsearch;\/etc\/recent_recipient_mail_server_ips\n\ndomainlist user_domains = ${if exists{\/etc\/userdomains} {lsearch;\/etc\/userdomains} fail}\n\ndomainlist local_domains = lsearch;\/etc\/localdomains\n\ndomainlist secondarymx_domains = lsearch;\/etc\/secondarymx\n\ndomainlist relay_domains = +local_domains : +secondarymx_domains\n\ndomainlist blocked_domains = wildlsearch;\/etc\/blocked_incoming_email_domains\n\ndomainlist manualmx_domains = ${if exists {\/etc\/manualmx} 
{lsearch;\/etc\/manualmx} {} }\n\nlocalpartlist path_safe_localparts = \\N^\\.*[^.\/][^\/]*$\\N\n\nsmtp_accept_queue_per_connection = 30\n\nremote_max_parallel = 10\n\nignore_bounce_errors_after = 1d\n\nrfc1413_query_timeout = 0s\n\ntimeout_frozen_after = 5d\n\nauto_thaw = 7d\n\ncallout_domain_negative_expire = 1h\n\ncallout_negative_expire = 1h\n\nacl_not_smtp = acl_not_smtp\n\nacl_smtp_connect = acl_smtp_connect\n\nacl_smtp_data = acl_smtp_data\n\nacl_smtp_helo = acl_smtp_helo\n\nacl_smtp_mail = acl_smtp_mail\n\nacl_smtp_quit = acl_smtp_quit\n\nacl_smtp_notquit = acl_smtp_notquit\n\nacl_smtp_rcpt = acl_smtp_rcpt\n\nmessage_body_newlines = true\n\ncheck_rfc2047_length = false\n\nkeep_environment = X-SOURCE : X-SOURCE-ARGS : X-SOURCE-DIR\n\nadd_environment = PATH=\/usr\/local\/sbin::\/usr\/local\/bin::\/sbin::\/bin::\/usr\/sbin::\/usr\/bin::\/sbin::\/bin\n\nchunking_advertise_hosts = 198.51.100.1\n\ndeliver_queue_load_max = 12\n\nqueue_only_load = 24\n\ndaemon_smtp_ports = 25 : 26 : 465 : 587\n\ntls_on_connect_ports = 465\n\nsystem_filter_user = cpaneleximfilter\n\nsystem_filter_group = cpaneleximfilter\n\nsmtputf8_advertise_hosts = :\n\nopenssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1\n\ntimezone = America\/Chicago\n\ntls_certificate = ${if and \\\n { \\\n {gt{$tls_in_sni}{}} \\\n {!match{$tls_in_sni}{\/}} \\\n } \\\n {${if exists {\/var\/cpanel\/ssl\/domain_tls\/$tls_in_sni\/combined} \\\n {\/var\/cpanel\/ssl\/domain_tls\/$tls_in_sni\/combined} \\\n {${if exists {${sg{\/var\/cpanel\/ssl\/domain_tls\/$tls_in_sni\/combined}{(.+\/)[^.]+(.+\/combined)}{\\$1*\\$2}}} \\\n {${sg{\/var\/cpanel\/ssl\/domain_tls\/$tls_in_sni\/combined}{(.+\/)[^.]+(.+\/combined)}{\\$1*\\$2}}} \\\n {\/etc\/exim.crt} \\\n }} \\\n }} \\\n {\/etc\/exim.crt} \\\n}\n\n\ntls_privatekey = ${if and \\\n { \\\n {gt{$tls_in_sni}{}} \\\n {!match{$tls_in_sni}{\/}} \\\n } \\\n {${if exists {\/var\/cpanel\/ssl\/domain_tls\/$tls_in_sni\/combined} \\\n 
{\/var\/cpanel\/ssl\/domain_tls\/$tls_in_sni\/combined} \\\n {${if exists {${sg{\/var\/cpanel\/ssl\/domain_tls\/$tls_in_sni\/combined}{(.+\/)[^.]+(.+\/combined)}{\\$1*\\$2}}} \\\n {${sg{\/var\/cpanel\/ssl\/domain_tls\/$tls_in_sni\/combined}{(.+\/)[^.]+(.+\/combined)}{\\$1*\\$2}}} \\\n {\/etc\/exim.key} \\\n }} \\\n }} \\\n {\/etc\/exim.key} \\\n}\n\n\nsystem_filter = \/etc\/cpanel_exim_system_filter\n\n\n\n\n#!!# These options specify the Access Control Lists (ACLs) that\n#!!# are used for incoming SMTP messages - after the RCPT and DATA\n#!!# commands, respectively.\n\n\n#!!# This setting defines a named domain list called\n#!!# local_domains, created from the old options that\n#!!# referred to local domains. It will be referenced\n#!!# later on by the syntax \"+local_domains\".\n#!!# Other domain and host lists may follow.\n\n\n\n\naddresslist secondarymx = *@partial-lsearch;\/etc\/secondarymx\n\n######################################################################\n# Runtime configuration file for Exim #\n######################################################################\n\n\n# This is a default configuration file which will operate correctly in\n# uncomplicated installations. Please see the manual for a complete list\n# of all the runtime configuration options that can be included in a\n# configuration file. There are many more than are mentioned here. The\n# manual is in the file doc\/spec.txt in the Exim distribution as a plain\n# ASCII file. Other formats (PostScript, Texinfo, HTML) are available from\n# the Exim ftp sites. The manual is also online via the Exim web sites.\n\n\n# This file is divided into several parts, all but the last of which are\n# terminated by a line containing the word \"end\". The parts must appear\n# in the correct order, and all must be present (even if some of them are\n# in fact empty). 
Blank lines, and lines starting with # are ignored.\n\n\n\n######################################################################\n# MAIN CONFIGURATION SETTINGS #\n######################################################################\n\nperl_startup = do '\/etc\/exim.pl'\n\n#dns_retry = 1\n#dns_retrans = 1s\n\n# Specify your host's canonical name here. This should normally be the fully\n# qualified \"official\" name of your host. If this option is not set, the\n# uname() function is called to obtain the name.\n\nsmtp_banner = \"${primary_hostname} ESMTP Exim ${version_number} \\\n\\#${compile_number} ${tod_full} \\n\\\n We do not authorize the use of this system to transport unsolicited, \\n\\\n and\/or bulk e-mail.\"\n\n\n#nobody as the sender seems to annoy people\nuntrusted_set_sender = *\nlocal_from_check = false\n\n\n\nsplit_spool_directory = yes\n\nsmtp_accept_max = 100\n\n# primary_hostname =\n\n# Specify the domain you want to be added to all unqualified addresses\n# here. An unqualified address is one that does not contain an \"@\" character\n# followed by a domain. For example, \"caesar@rome.ex\" is a fully qualified\n# address, but the string \"caesar\" (i.e. just a login name) is an unqualified\n# email address. Unqualified addresses are accepted only from local callers by\n# default. See the receiver_unqualified_{hosts,nets} options if you want\n# to permit unqualified addresses from remote sources. If this option is\n# not set, the primary_hostname value is used for qualification.\n\n# qualify_domain =\n\n\n# If you want unqualified recipient addresses to be qualified with a different\n# domain to unqualified sender addresses, specify the recipient domain here.\n# If this option is not set, the qualify_domain value is used.\n\n# qualify_recipient =\n\n\n# Specify your local domains as a colon-separated list here. If this option\n# is not set (i.e. 
not mentioned in the configuration file), the\n# qualify_recipient value is used as the only local domain. If you do not want\n# to do any local deliveries, uncomment the following line, but do not supply\n# any data for it. This sets local_domains to an empty string, which is not\n# the same as not mentioning it at all. An empty string specifies that there\n# are no local domains; not setting it at all causes the default value (the\n# setting of qualify_recipient) to be used.\n\n\n\n#!!# message_filter renamed system_filter\nmessage_body_visible = 5000\n\n\n# Specify a set of options to control the behavior of OpenSSL. The default is to\n# disable SSLv2 and SSLv3 due to weaknesses in these protocols.\n\n\n# If you want to accept mail addressed to your host's literal IP address, for\n# example, mail addressed to \"user@[111.111.111.111]\", then uncomment the\n# following line, or supply the literal domain(s) as part of \"local_domains\"\n# above.\n\n# local_domains_include_host_literals\n\n\n# No local deliveries will ever be run under the uids of these users (a colon-\n# separated list). An attempt to do so gets changed so that it runs under the\n# uid of \"nobody\" instead. This is a paranoic safety catch. Note the default\n# setting means you cannot deliver mail addressed to root as if it were a\n# normal user. This isn't usually a problem, as most sites have an alias for\n# root that redirects such mail to a human administrator.\n\nnever_users = root\n\n\n# The use of your host as a mail relay by any host, including the local host\n# calling its own SMTP port, is locked out by default. 
If you want to permit\n# relaying from the local host, you should set\n#\n# host_accept_relay = localhost\n#\n# If you want to permit relaying through your host from certain hosts or IP\n# networks, you need to set the option appropriately, for example\n#\n#\n#\n# If you are an MX backup or gateway of some kind for some domains, you must\n# set relay_domains to match those domains. This will allow any host to\n# relay through your host to those domains.\n#\n# See the section of the manual entitled \"Control of relaying\" for more\n# information.\n\n# The setting below causes Exim to do a reverse DNS lookup on all incoming\n# IP calls, in order to get the true host name. If you feel this is too\n# expensive, you can specify the networks for which a lookup is done, or\n# remove the setting entirely.\n\n#host_lookup = 0.0.0.0\/0\n\n\n# By default, Exim expects all envelope addresses to be fully qualified, that\n# is, they must contain both a local part and a domain. If you want to accept\n# unqualified addresses (just a local part) from certain hosts, you can specify\n# these hosts by setting one or both of\n#\n# receiver_unqualified_hosts =\n# sender_unqualified_hosts =\n#\n# to control sender and receiver addresses, respectively. When this is done,\n# unqualified addresses are qualified using the settings of qualify_domain\n# and\/or qualify_recipient (see above).\n\n\n# Exim contains support for the Realtime Blocking List (RBL) that is being\n# maintained as part of the DNS. See http:\/\/maps.vix.com\/rbl\/ for background.\n# Uncommenting the first line below will make Exim reject mail from any\n# host whose IP address is blacklisted in the RBL at maps.vix.com. Some\n# others have followed the RBL lead and have produced other lists: DUL is\n# a list of dial-up addresses, and ORBS is a list of open relay systems. 
The\n# second line below checks all three lists.\n\n# rbl_domains = rbl.maps.vix.com\n# rbl_domains = rbl.maps.vix.com\n\n\n# If you want Exim to support the \"percent hack\" for all your local domains,\n# uncomment the following line. This is the feature by which mail addressed\n# to x%y@z (where z is one of your local domains) is locally rerouted to\n# x@y and sent on. Otherwise x%y is treated as an ordinary local part.\n\n# percent_hack_domains = *\n\n#sender_host_accept = +include_unknown:*\n#sender_host_reject = +include_unknown:lsearch*;\/etc\/spammers\n\n\n\n\n\ntls_advertise_hosts = *\n\nhelo_accept_junk_hosts = *\n\n\n\n#!!#######################################################!!#\n#!!# This new section of the configuration contains ACLs #!!#\n#!!# (Access Control Lists) derived from the Exim 3 #!!#\n#!!# policy control options. #!!#\n#!!#######################################################!!#\n\n#!!# These ACLs are crudely constructed from Exim 3 options.\n#!!# They are almost certainly not optimal. 
You should study\n#!!# them and rewrite as necessary.\n\nbegin acl\n\n\n\n########################################################################################\n# DO NOT ALTER THIS BLOCK\n########################################################################################\n#\n# cPanel Default ACL Template Version: 94.005\n# Template: universal.dist\n#\n########################################################################################\n# DO NOT ALTER THIS BLOCK\n########################################################################################\n\nacl_not_smtp:\n\n#BEGIN ACL-OUTGOING-NOTSMTP-CHECKALL-BLOCK\n# BEGIN INSERT resolve_vhost_owner\nwarn\n condition = ${if eq{$originator_uid}{${perl{user2uid}{nobody}}}{1}{0}}\n set acl_c_vhost_owner = ${perl{resolve_vhost_owner}}\n\n# END INSERT resolve_vhost_owner\n# BEGIN INSERT end_default_outgoing_notsmtp_checkall\n\taccept\n\n# END INSERT end_default_outgoing_notsmtp_checkall\n\n#END ACL-OUTGOING-NOTSMTP-CHECKALL-BLOCK\n\n#BEGIN ACL-NOT-SMTP-BLOCK\n\n#END ACL-NOT-SMTP-BLOCK\n\nacl_not_smtp_mime:\n\n#BEGIN ACL-NOT-SMTP-MIME-BLOCK\n\n#END ACL-NOT-SMTP-MIME-BLOCK\n\nacl_not_smtp_start:\n\n#BEGIN ACL-NOT-SMTP-START-BLOCK\n\n#END ACL-NOT-SMTP-START-BLOCK\n\nacl_smtp_auth:\n\n#BEGIN ACL-SMTP-AUTH-BLOCK\n\n#END ACL-SMTP-AUTH-BLOCK\n\nacl_smtp_connect:\n\n#BEGIN ACL-CONNECT-BLOCK\n# BEGIN INSERT blockedcountryips\n\n\ndrop\n message = Your country is not allowed to connect to this server.\n log_message = Country is banned\n hosts = +blocked_incoming_email_country_ips\n\n\n# END INSERT blockedcountryips\n# BEGIN INSERT ratelimit\n\n accept\n hosts = : +loopback : +recent_authed_mail_ips : +backupmx_hosts\n\n accept\n hosts = +trustedmailhosts\n\n accept\n condition = ${if match_ip{$sender_host_address}{net-iplsearch;\/etc\/trustedmailhosts}{1}{0}}\n\n defer\n #only rate limit port 25\n condition = ${if eq {$received_port}{25}{yes}{no}}\n message = The server has reached its limit for processing requests from 
your host. Please try again later.\n log_message = \"Host is ratelimited ($sender_rate\/$sender_rate_period max:$sender_rate_limit)\"\n ratelimit = 1.2 \/ 1h \/ strict \/ per_conn \/ noupdate\n\n\n# END INSERT ratelimit\n# BEGIN INSERT slow_fail_block\n warn\n #only rate limit port 25\n condition = ${if eq {$received_port}{25}{yes}{no}}\n # host had a success in the last hour\n ratelimit = 1 \/ 1h \/ noupdate \/ per_conn \/ slow_fail_accept_$sender_host_address\n set acl_m4 = 1\n\n defer\n #only rate limit port 25\n condition = ${if eq {$received_port}{25}{yes}{no}}\n condition = ${if eq {${acl_m4}}{1}{0}{1}}\n log_message = \"Host is ratelimited due to multiple failure only connections ($sender_rate\/$sender_rate_period max:$sender_rate_limit)\"\n ratelimit = 5 \/ 1h \/ noupdate \/ per_conn \/ slow_fail_block_$sender_host_address\n\n\n# END INSERT slow_fail_block\n# BEGIN INSERT spammerlist\n\n\ndrop\n message = Your host is not allowed to connect to this server.\n log_message = Host is banned\n hosts = +spammeripblocks\n\n\n# END INSERT spammerlist\n\n#END ACL-CONNECT-BLOCK\n\n#BEGIN ACL-CONNECT-POST-BLOCK\n# BEGIN INSERT default_connect_post\n\n# do not change the comment in the line below, it is required for \/usr\/local\/cpanel\/bin\/check_exim_config\n#acl_smtp_notquit is required for this to work (exim 4.68)\n accept\n\n\n# END INSERT default_connect_post\n\n#END ACL-CONNECT-POST-BLOCK\n\nacl_smtp_data:\n\n# exiscan only\n\n# exiscan only\n\n#BEGIN ACL-OUTGOING-SMTP-CHECKALL-BLOCK\n\n#END ACL-OUTGOING-SMTP-CHECKALL-BLOCK\n\n#BEGIN ACL-CHECK-MESSAGE-PRE-BLOCK\n# BEGIN INSERT default_check_message_pre\n#\n# Enabling this will make the server non-rfc compliant\n# require verify = header_sender\n#\n\n accept hosts = : +loopback : +recent_authed_mail_ips : +backupmx_hosts\n\n accept\n authenticated = *\n hosts = *\n\n accept\n condition = ${extract{size}{${stat:\/etc\/trustedmailhosts}}}\n hosts = +trustedmailhosts\n\n accept\n condition = 
${extract{size}{${stat:\/etc\/trustedmailhosts}}}\n condition = ${if match_ip{$sender_host_address}{net-iplsearch;\/etc\/trustedmailhosts}{1}{0}}\n\n\n\n# END INSERT default_check_message_pre\n\n#END ACL-CHECK-MESSAGE-PRE-BLOCK\n\n#BEGIN ACL-PRE-SPAM-SCAN\n# BEGIN INSERT mailproviders\n# Research in Motion - Blackberry white list\n accept\n condition = ${if exists {\/etc\/mailproviders\/rim\/ips}{${if match_ip{$sender_host_address}{iplsearch;\/etc\/mailproviders\/rim\/ips}{1}{0}}}{0}}\n\n# END INSERT mailproviders\n\n#END ACL-PRE-SPAM-SCAN\n\n#BEGIN ACL-SPAM-SCAN-BLOCK\n# BEGIN INSERT default_spam_scan\n\n warn\n # Remove spam headers from outside sources\n condition = ${perl{spamd_is_available}}\n !hosts = +skipsmtpcheck_hosts\n remove_header = x-spam-subject : x-spam-status : x-spam-score : x-spam-bar : x-spam-report : x-spam-flag : x-ham-report\n\n\n warn\n condition = ${perl{spamd_is_available}}\n condition = ${if eq {${acl_m0}}{1}{1}{0}}\n spam = ${acl_m1}\/defer_ok\n # Always make sure cPanel support mail can get through\n !hosts = : +trustedmailhosts : +cpanel_mail_netblocks\n log_message = \"SpamAssassin as ${acl_m1} detected message as spam ($spam_score)\"\n add_header = X-Spam-Subject: ***SPAM*** $rh_subject\n add_header = X-Spam-Status: Yes, score=$spam_score\n add_header = X-Spam-Score: $spam_score_int\n add_header = X-Spam-Bar: $spam_bar\n add_header = X-Spam-Report: ${sg{$spam_report}{\\N\\n \\n\\N}{\\n}}\n add_header = X-Spam-Flag: YES\n set acl_m2 = 1\n\n warn\n condition = ${perl{spamd_is_available}}\n condition = ${if eq {$spam_score_int}{}{0}{${if <= {${spam_score_int}}{8000}{${if >= {${spam_score_int}}{50}{${perl{store_spam}{$sender_host_address}{$spam_score}}}{0}}}{0}}}}\n\n warn\n condition = ${perl{spamd_is_available}}\n condition = ${if eq {${acl_m0}}{1}{${if eq {${acl_m2}}{1}{0}{1}}}{0}}\n add_header = X-Spam-Status: No, score=$spam_score\n add_header = X-Spam-Score: $spam_score_int\n add_header = X-Spam-Bar: $spam_bar\n add_header = 
X-Ham-Report: ${sg{$spam_report}{\\N\\n \\n\\N}{\\n}}\n add_header = X-Spam-Flag: NO\n log_message = \"SpamAssassin as ${acl_m1} detected message as NOT spam ($spam_score)\"\n\n\n\n# END INSERT default_spam_scan\n\n#END ACL-SPAM-SCAN-BLOCK\n\n# exiscan only\n\n# exiscan only\n\n#BEGIN ACL-RATELIMIT-SPAM-BLOCK\n\n#END ACL-RATELIMIT-SPAM-BLOCK\n\n#BEGIN ACL-SPAM-BLOCK\n\n#END ACL-SPAM-BLOCK\n\n#BEGIN ACL-CHECK-MESSAGE-POST-BLOCK\n# BEGIN INSERT default_check_message_post\n\n accept\n\n# END INSERT default_check_message_post\n\n#END ACL-CHECK-MESSAGE-POST-BLOCK\n\nacl_smtp_etrn:\n\n#BEGIN ACL-SMTP-ETRN-BLOCK\n\n#END ACL-SMTP-ETRN-BLOCK\n\nacl_smtp_helo:\n\n#BEGIN ACL-SMTP-HELO-BLOCK\n\n#END ACL-SMTP-HELO-BLOCK\n\n#BEGIN ACL-SMTP-HELO-POST-BLOCK\n# BEGIN INSERT default_smtp_helo\n\n accept\n\n\n# END INSERT default_smtp_helo\n\n#END ACL-SMTP-HELO-POST-BLOCK\n\nacl_smtp_mail:\n\n#BEGIN ACL-MAIL-PRE-BLOCK\n# BEGIN INSERT default_mail_pre\n\n # ignore authenticated hosts\n accept\n authenticated = *\n\n warn\n condition = ${if match_ip{$sender_host_address}{+loopback}{${perl{identify_local_connection}{$sender_host_address}{$sender_host_port}{$received_ip_address}{$received_port}{1}}}{0}}\n set acl_c_authenticated_local_user = ${perl{get_identified_local_connection_user}}\n\n accept\n hosts = : +loopback : +recent_authed_mail_ips : +backupmx_hosts\n\n\n\n# END INSERT default_mail_pre\n\n#END ACL-MAIL-PRE-BLOCK\n\n#BEGIN ACL-MAIL-BLOCK\n# BEGIN INSERT requirehelo\n\ndeny\n condition = ${if eq{$sender_helo_name}{}}\n message = HELO required before MAIL\n\n\n# END INSERT requirehelo\n# BEGIN INSERT requirehelonoforge\n\n\ndrop\n # if ($sender_helo_name eq $primary_hostname) {\n # if (defined $interface_address) {\n # return is_loopback($interface_address) ? 
0 : 1; #ok from localhost\n # } else {\n # return 0; #exim -bs\n # }\n # } else {\n # return 0;\n # }\n condition = ${if eq{${lc:$sender_helo_name}}{${lc:$primary_hostname}}{${if def:interface_address {${if match_ip{$interface_address}{+loopback}{0}{1}}}{0}}}{0}}\n message = \"REJECTED - Bad HELO - Host impersonating [$sender_helo_name]\"\n\n\ndrop\n condition = ${if eq{[$interface_address]}{$sender_helo_name}}\n message = \"REJECTED - Interface: $interface_address is _my_ address\"\n\n# END INSERT requirehelonoforge\n# BEGIN INSERT requirehelosyntax\n\ndrop\n condition = ${if isip{$sender_helo_name}}\n message = Access denied - Invalid HELO name (See RFC2821 4.1.3)\n\ndrop\n # Required because \"[IPv6:
]\" will have no .s\n condition = ${if match{$sender_helo_name}{\\N^\\[\\N}{no}{yes}}\n condition = ${if match{$sender_helo_name}{\\N\\.\\N}{no}{yes}}\n message = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)\n\ndrop\n condition = ${if match{$sender_helo_name}{\\N\\.$\\N}}\n message = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)\n\ndrop\n condition = ${if match{$sender_helo_name}{\\N\\.\\.\\N}}\n message = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)\n\n# END INSERT requirehelosyntax\n\n#END ACL-MAIL-BLOCK\n\n#BEGIN ACL-MAIL-POST-BLOCK\n# BEGIN INSERT default_mail_post\n\n accept\n\n\n# END INSERT default_mail_post\n\n#END ACL-MAIL-POST-BLOCK\n\nacl_smtp_mailauth:\n\n#BEGIN ACL-SMTP-MAILAUTH-BLOCK\n\n#END ACL-SMTP-MAILAUTH-BLOCK\n\nacl_smtp_mime:\n\n#BEGIN ACL-SMTP-MIME-BLOCK\n\n#END ACL-SMTP-MIME-BLOCK\n\nacl_smtp_notquit:\n\n#BEGIN ACL-NOTQUIT-BLOCK\n# BEGIN INSERT ratelimit\n\n# ignore authenticated hosts\naccept authenticated = *\n\naccept hosts = : +recent_authed_mail_ips : +loopback : +backupmx_hosts\n\nwarn\n #only rate limit port 25\n condition = ${if eq {$received_port}{25}{yes}{no}}\n condition = ${if match {$smtp_notquit_reason}{command}{yes}{no}}\n log_message = \"Connection Ratelimit - $sender_fullhost because of notquit: $smtp_notquit_reason ($sender_rate\/$sender_rate_period max:$sender_rate_limit)\"\n ratelimit = 1.2 \/ 1h \/ strict \/ per_conn\n\n\n# END INSERT ratelimit\n\n#END ACL-NOTQUIT-BLOCK\n\nacl_smtp_predata:\n\n#BEGIN ACL-SMTP-PREDATA-BLOCK\n\n#END ACL-SMTP-PREDATA-BLOCK\n\nacl_smtp_quit:\n\n#BEGIN ACL-SMTP-QUIT-BLOCK\n# BEGIN INSERT slow_fail_block\n\n warn\n log_message = \"Detected session with all messages failed\"\n condition = ${if >= {${eval:$rcpt_count}}{1}{${if == {${eval:$rcpt_fail_count}}{${eval:$rcpt_count}}{yes}{no}}}{no}}\n set acl_m6 = 1\n\n warn\n condition = ${if eq {${acl_m6}}{1}{1}{0}}\n ratelimit = 0 \/ 1h \/ strict \/ per_conn \/ slow_fail_block_$sender_host_address\n log_message = 
\"Increment slow_fail_block Ratelimit - $sender_fullhost because of all messages failed\"\n\n warn\n ratelimit = 1 \/ 1h \/ noupdate \/ per_conn \/ slow_fail_block_$sender_host_address\n condition = ${if >= {${eval:$rcpt_count}}{1}{${if < {${eval:$rcpt_fail_count}}{${eval:$rcpt_count}}{yes}{no}}}{no}}\n set acl_m5 = 1\n log_message = \"Detected session with ok message that previous had all failed\"\n\n warn\n condition = ${if eq {${acl_m5}}{1}{1}{0}}\n ratelimit = 0 \/ 1h \/ strict \/ per_conn \/ slow_fail_accept_$sender_host_address\n log_message = \"Decrement slow_fail_lock Ratelimit - $sender_fullhost because one message was successful\"\n\n\n\n# END INSERT slow_fail_block\n\n#END ACL-SMTP-QUIT-BLOCK\n\nacl_smtp_rcpt:\n\n#BEGIN ACL-RATELIMIT-BLOCK\n\n#END ACL-RATELIMIT-BLOCK\n\n#BEGIN ACL-PRE-RECIPIENT-BLOCK\n# BEGIN INSERT default_pre_recipient\nwarn\n !domains = +relay_domains\n set acl_m_outbound_recipient = 1\n\n\n# END INSERT default_pre_recipient\n# BEGIN INSERT dkim_disable\n\n warn\n control = dkim_disable_verify\n\n\n# END INSERT dkim_disable\n\n#END ACL-PRE-RECIPIENT-BLOCK\n\n#BEGIN ACL-RECIPIENT-BLOCK\n# BEGIN INSERT blockeddomains\n deny\n message = Your host is not allowed to connect to this server.\n log_message = Sender domain is banned\n sender_domains = !+local_domains : +blocked_domains\n\n# END INSERT blockeddomains\n# BEGIN INSERT default_recipient\n accept\n hosts = :\n endpass\n verify = recipient\n\n # Accept from any of the domain\u2019s cached secondary MX hosts.\n # As an optimization, we only check this for local domains because\n # only local domains will be in the secondary MX cache.\n accept\n domains = +local_domains\n condition = ${if exists {\/etc\/domain_secondary_mx_ips.cdb}{1}{0}}\n hosts = ${lookup{$domain}cdb{\/etc\/domain_secondary_mx_ips.cdb}}\n endpass\n verify = recipient\n\n accept\n condition = ${extract{size}{${stat:\/etc\/skipsmtpcheckhosts}}}\n hosts = +skipsmtpcheck_hosts\n endpass\n verify = recipient\n\n # 
implemented for \"suspend incoming email\" feature\n deny\n domains = !$primary_hostname : +local_domains\n condition = ${if exists {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch{\/etc\/userdomains}}}}}{$value}}\/etc\/.${sg{$local_part}{\\N[\/+].*\\N}{}}@${domain}.suspended_incoming}}\n message = 525 5.7.13 Disabled recipient address\n log_message = Mail to ${local_part}@${domain} has been suspended\n\n # implemented for \"suspend outgoing email\" feature for domains and individual webmail\/pop accounts\n deny\n domains = ! +local_domains\n condition = ${perl{check_outgoing_mail_suspended}}\n message = ${perl{get_outgoing_mail_suspended_message}}\n log_message = ${perl{get_outgoing_mail_suspended_message}}\n\n\n# END INSERT default_recipient\n\n#END ACL-RECIPIENT-BLOCK\n#mailman only\n\n#BEGIN ACL-RECIPIENT-MAILMAN-BLOCK\n# BEGIN INSERT default_recipient_mailman\n\n # Accept bounces to lists even if callbacks or other checks would fail\n accept\n domains = +local_domains\n condition = ${if match{$local_part}{\\N^(\\.*[^.\/][^\/]*)-bounces(\\+.*)?$\\N}}\n condition = ${if exists{\/usr\/local\/cpanel\/3rdparty\/mailman\/lists\/${1}${if !eq{$domain}{$primary_hostname}{_${domain}}{}}\/config.pck}}\n add_header = X-WhitelistedRCPT-nohdrfromcallback: Yes\n\n #if it gets here it isn't mailman\n\n\n# END INSERT default_recipient_mailman\n\n#END ACL-RECIPIENT-MAILMAN-BLOCK\n#mailman only\n\n#BEGIN ACL-IDENTIFY-SENDER-BLOCK\n# BEGIN INSERT default_identify_sender\n# Accept authenticated connections when the connection comes from the main\n# account (foo@foo.com, where foo.com's user is foo). Otherwise, we end up\n# unintentionally rejecting mail if the user is set to :fail:.\n accept\n authenticated = *\n condition = ${if eq{${lookup{$sender_address_domain}lsearch{\/etc\/userdomains}}}{$sender_address_local_part}}\n endpass\n verify = recipient\n\n# deny must be on the same line as hosts so it will get removed by buildeximconf if turned off\n deny hosts = ! 
+loopback : ! +senderverifybypass_hosts\n ! verify = sender\n\n accept\n authenticated = *\n endpass\n verify = recipient\n\n # if they used \"pop before smtp\" and it's not bound for a local domain, we remember the recent_authed_mail_ips_domain\n warn\n domains = ! +local_domains\n hosts = ! +loopback\n hosts = +recent_authed_mail_ips\n set acl_c_recent_authed_mail_ips_text_entry = ${perl{get_recent_authed_mail_ips_text_entry}{1}}\n add_header = ${if exists{\/etc\/eximpopbeforesmtpwarning}{${perl{popbeforesmtpwarn}{$sender_host_address}}}{}}\n\n # if they used \"pop before smtp\" then we just accept\n accept\n condition = ${if exists{\/etc\/popbeforesmtp}{1}{0}}\n hosts = ! +loopback\n hosts = +recent_authed_mail_ips\n endpass\n verify = recipient\n\n # we need to check alwaysrelay since we don't require recentauthedmailiptracker to be enabled\n accept\n hosts = ! +loopback\n condition = ${if or {{eq{$acl_c_recent_authed_mail_ips_text_entry}{}}{!exists{\/etc\/popbeforesmtp}}}{${if exists {\/etc\/alwaysrelay}{${lookup{$sender_host_address}iplsearch{\/etc\/alwaysrelay}{1}{0}}}{0}}}{0}}\n set acl_c_recent_authed_mail_ips_text_entry = ${perl{get_recent_authed_mail_ips_text_entry}{1}}\n set acl_c_alwaysrelay = 1\n endpass\n verify = recipient\n\n #recipient verifications are now done after smtp auth and pop before smtp so the users get back bounces instead of\n # a clogged outbox in outlook\n\n # If we skipped identifying the sender in acl_smtp_mail (ie !def:acl_c_authenticated_local_user)\n # We need to do it here before we can test the two drops\n warn\n condition = ${if !def:acl_c_authenticated_local_user}\n condition = ${if match_ip{$sender_host_address}{+loopback}}\n condition = ${perl{identify_local_connection}{$sender_host_address}{$sender_host_port}{$received_ip_address}{$received_port}{1}}\n set acl_c_authenticated_local_user = ${perl{get_identified_local_connection_user}}\n\n # drop connections to localhost that are from demo accounts (required for manual 
connections)\n drop\n condition = ${if def:acl_c_authenticated_local_user}\n condition = ${if !eq{$acl_c_authenticated_local_user}{root}}\n condition = ${if match_ip{$sender_host_address}{+loopback}}\n condition = ${lookup{$acl_c_authenticated_local_user}lsearch{\/etc\/demousers}{1}}\n message = Demo accounts may not send mail\n\n # drop connections to localhost that fail auth (required for Horde)\n drop\n condition = $authentication_failed\n condition = ${if match_ip{$sender_host_address}{+loopback}}\n message = Authentication failed\n\n # we learned this in the acl_smtp_mail block\n accept\n condition = ${if def:acl_c_authenticated_local_user}\n endpass\n verify = recipient\n\n\n# END INSERT default_identify_sender\n# BEGIN INSERT default_message_submission\n\n# Reject unauthenticated relay on port 587\n drop\n condition = ${if eq{$received_port}{587}{1}{0}}\n message = SMTP AUTH is required for message submission on port 587\n\n# END INSERT default_message_submission\n\n#END ACL-IDENTIFY-SENDER-BLOCK\n\n\n\n#BEGIN ACL-RECP-VERIFY-BLOCK\n# BEGIN INSERT default_recp_verify\n # recipient verification to confirm the address is routable.\n # no callouts to remote systems are performed by default.\n require\n verify = recipient\n\n # skip content scanning for suspended recipients that are being queued, blackholed or relayed\n accept\n condition = ${extract{suspended}{$address_data}}\n\n\n# END INSERT default_recp_verify\n\n#END ACL-RECP-VERIFY-BLOCK\n\n#BEGIN ACL-POST-RECP-VERIFY-BLOCK\n# BEGIN INSERT dictionary_attack\n\n\n warn\n log_message = \"Detected Dictionary Attack (Let $rcpt_fail_count bad recipients though before engaging)\"\n condition = ${if > {${eval:$rcpt_fail_count}}{4}{yes}{no}}\n set acl_m7 = 1\n\n warn\n condition = ${if eq {${acl_m7}}{1}{1}{0}}\n ratelimit = 0 \/ 1h \/ strict \/ per_conn\n log_message = \"Increment Connection Ratelimit - $sender_fullhost because of Dictionary Attack\"\n\n drop\n condition = ${if eq {${acl_m7}}{1}{1}{0}}\n message = 
\"Number of failed recipients exceeded. Come back in a few hours.\"\n\n\n# END INSERT dictionary_attack\n\n#END ACL-POST-RECP-VERIFY-BLOCK\n\n#BEGIN ACL-TRUSTEDLIST-BLOCK\n# BEGIN INSERT trustedmailhosts\n accept\n hosts = +trustedmailhosts\n\n accept\n condition = ${if match_ip{$sender_host_address}{net-iplsearch;\/etc\/trustedmailhosts}{1}{0}}\n\n# END INSERT trustedmailhosts\n\n#END ACL-TRUSTEDLIST-BLOCK\n\n#BEGIN ACL-RBL-BLOCK\n\n#END ACL-RBL-BLOCK\n\n#BEGIN ACL-MAILAUTH-BLOCK\n\n#END ACL-MAILAUTH-BLOCK\n\n#BEGIN ACL-GREYLISTING-BLOCK\n# BEGIN INSERT greylisting\n\n # Greylisting\n defer message = Temporarily unable to process your email. Please try again later.\n # skip if authenticated (with SMTP AUTH ...)\n !authenticated = *\n # skip if spf check passes\n !spf = pass\n !hosts = +recent_recipient_mail_server_ips : +greylist_trusted_netblocks : +greylist_common_mail_providers : +cpanel_mail_netblocks\n domains = +local_domains : +relay_domains\n condition = ${sg{${readsocket{\/var\/run\/cpgreylistd.sock}\\\n {should_defer ${sg{$sender_host_address}{ }{\\x01}} ${sg{$sender_address}{ }{\\x01}} ${sg{$local_part@$domain}{ }{\\x01}}\\n}\\\n {5s}{\\n}{no}}}{\\n}{}}\n log_message = Deferred due to greylisting. Host: '$sender_host_address' From: '$sender_address' To: '$local_part@$domain' SPF: '${if def:spf_result {$spf_result}{unchecked}}'\n\n\n\n# END INSERT greylisting\n\n#END ACL-GREYLISTING-BLOCK\n\n#BEGIN ACL-RCPT-HARD-LIMIT-BLOCK\n# BEGIN INSERT deny_rcpt_hard_limit\n warn\n log_message = \"Number of RCPT commands exceeds hard limit\"\n condition = ${if > {${eval:$rcpt_count}}{100}{1}{0}}\n set acl_m7 = 1\n\n warn\n condition = ${if eq {${acl_m7}}{1}{1}{0}}\n ratelimit = 0 \/ 1h \/ strict \/ per_conn\n log_message = \"Increment Connection Ratelimit - $sender_fullhost because of RCPT command abuse\"\n\n drop\n condition = ${if eq {${acl_m7}}{1}{1}{0}}\n message = Too many recipients specified. 
Come back in a few hours.\n\n# END INSERT deny_rcpt_hard_limit\n\n#END ACL-RCPT-HARD-LIMIT-BLOCK\n\n#BEGIN ACL-RCPT-SOFT-LIMIT-BLOCK\n# BEGIN INSERT deny_rcpt_soft_limit\n defer\n condition = ${if > {${eval:$rcpt_count}}{100}{1}{0}}\n message = 452 too many recipients\n\n# END INSERT deny_rcpt_soft_limit\n\n#END ACL-RCPT-SOFT-LIMIT-BLOCK\n\n#BEGIN ACL-SPAM-SCAN-CHECK-BLOCK\n# BEGIN INSERT default_spam_scan_check\n\n # The only problem with this setup is that if the message is for multiple users on the same server\n # and they are on different unix accounts, the settings for the first recipient which has spamassassin enabled will be used.\n # This shouldn't be a problem 99.9% of the time, however its a very small price to pay for a massive speed increase.\n\n warn\n domains = +local_domains\n condition = ${if <= {$message_size}{200K}}\n condition = ${if !eq{${acl_m0}}{1}}\n condition = ${if exists{\/etc\/global_spamassassin_enable}{1}{${if exists{${extract{5}{::}{${lookup passwd{${if eq{$domain}{$primary_hostname}{${sg{$local_part}{\\N[\/+].*\\N}{}}}{${lookup{$domain}lsearch{\/etc\/userdomains}}}}}}}}\/.spamassassinenable}}}}\n set acl_m0 = 1\n\n # $local_part should work here rather than $local_part_data, but\n # $local_part_data sidesteps a taint-checking bug in Exim 4.94.\n #\n # Commit 12b7f811de is advertised as the fix for it, but during\n # testing an Exim built with that change still had the bug.\n # cf. https:\/\/www.mail-archive.com\/exim-users@exim.org\/msg54624.html\n #\n set acl_m1 = ${if eq{$domain}{$primary_hostname}{${sg{$local_part_data}{\\N[\/+].*\\N}{}}}{${lookup{$domain}lsearch{\/etc\/userdomains}}}}\n\n\n# END INSERT default_spam_scan_check\n# BEGIN INSERT spam_scan_secondarymx\n\n # Support for scanning secondarymx domains\n\n warn domains = ! 
+local_domains : +secondarymx_domains\n condition = ${if <= {$message_size}{200K}{1}{0}}\n set acl_m0 = 1\n set acl_m1 = cpaneleximscanner\n\n\n\n# END INSERT spam_scan_secondarymx\n\n#END ACL-SPAM-SCAN-CHECK-BLOCK\n\n#BEGIN ACL-POST-SPAM-SCAN-CHECK-BLOCK\n# BEGIN INSERT mailproviders\n# Research in Motion - Blackberry white list\n warn\n condition = ${if exists {\/etc\/mailproviders\/rim\/ips}{${if match_ip{$sender_host_address}{iplsearch;\/etc\/mailproviders\/rim\/ips}{1}{0}}}{0}}\n set acl_m0 = 0\n\n# END INSERT mailproviders\n\n#END ACL-POST-SPAM-SCAN-CHECK-BLOCK\n\n#BEGIN ACL-RECIPIENT-POST-BLOCK\n# BEGIN INSERT default_recipient_post\n\n\n\n accept domains = +relay_domains\n\n deny message = ${expand:${lookup{host_accept_relay}lsearch{\/etc\/eximrejects}{$value}}}\n log_message = Rejected relay attempt: '$sender_host_address' From: '$sender_address' To: '$local_part@$domain'\n\n\n# END INSERT default_recipient_post\n\n#END ACL-RECIPIENT-POST-BLOCK\n\nacl_smtp_starttls:\n\n#BEGIN ACL-SMTP-STARTTLS-BLOCK\n\n#END ACL-SMTP-STARTTLS-BLOCK\n\nacl_smtp_vrfy:\n\n#BEGIN ACL-SMTP-SMTP-VRFY-BLOCK\n\n#END ACL-SMTP-SMTP-VRFY-BLOCK\n\nacl_smtp_dkim:\n\n#BEGIN ACL-SMTP-DKIM-BLOCK\n\n#END ACL-SMTP-DKIM-BLOCK\n\n\n\n\n\nbegin authenticators\n\n\ndovecot_plain:\n driver = dovecot\n public_name = PLAIN\n server_socket = \/var\/run\/dovecot\/auth-client\n server_set_id = $auth1\n server_condition = ${if and {{!match {$auth1}{\\N[\/]\\N}}{eq{${if match {$auth1}{\\N[+%:@]\\N}{${lookup{${extract{2}{+%:@}{$auth1}}}lsearch{\/etc\/demodomains}{yes}}}{${lookup{$auth1}lsearch{\/etc\/demousers}{yes}}}}}{}}}{true}{false}}\n server_advertise_condition = ${if or {{def:tls_cipher}{match_ip{$sender_host_address}{+loopback}}}{1}{0}}\n\n\n\ndovecot_login:\n driver = dovecot\n public_name = LOGIN\n server_socket = \/var\/run\/dovecot\/auth-client\n server_set_id = $auth1\n server_condition = ${if and {{!match {$auth1}{\\N[\/]\\N}}{eq{${if match 
{$auth1}{\\N[+%:@]\\N}{${lookup{${extract{2}{+%:@}{$auth1}}}lsearch{\/etc\/demodomains}{yes}}}{${lookup{$auth1}lsearch{\/etc\/demousers}{yes}}}}}{}}}{true}{false}}\n server_advertise_condition = ${if or {{def:tls_cipher}{match_ip{$sender_host_address}{+loopback}}}{1}{0}}\n\n\n\n\n\n\n######################################################################\n# REWRITE CONFIGURATION #\n######################################################################\n\n# There are no rewriting specifications in this default configuration file.\n\nbegin rewrite\n\n\n\n\n#!!#######################################################!!#\n#!!# Here follow routers created from the old routers, #!!#\n#!!# for handling non-local domains. #!!#\n#!!#######################################################!!#\n\nbegin routers\n\n\n\n\n######################################################################\n# ROUTERS CONFIGURATION #\n# Specifies how remote addresses are handled #\n######################################################################\n# ORDER DOES MATTER #\n# A remote address is passed to each in turn until it is accepted. 
#\n######################################################################\n\n# Remote addresses are those with a domain that does not match any item\n# in the \"local_domains\" setting above.\n\n\n\n\nblackhole_dovenull:\n driver= redirect\n local_parts = \"@dovenull\"\n allow_fail = true\n data = :fail: Unrouteable address\n\ndeliver_local_outside_jail:\n driver = manualroute\n require_files = \"+\/jail_owner\"\n # users outside the jail will not be in \/etc\/passwd => We need to check if $local_part is in \/jail_owner\n # we can't just check to see if they exist\n # because we still want to be able to mail root\n domains = +local_domains\n transport = remote_smtp\n route_list = \"* 127.0.0.1\"\n # self = send allows us to send outside the jail\n # we make sure \/home\/virtfs does not exist before we get here\n # to be safe\n self = send\n\n\n\nsuspendedcheck:\n driver = redirect\n domains = +local_domains\n local_parts = ${if eq{$domain}{$primary_hostname}{+path_safe_localparts}{*}}\n require_files = +\/etc\/exim_suspended_list : +\/var\/cpanel\/suspended\/${if eq{$domain}{$primary_hostname}{$local_part}{${lookup{$domain}lsearch{\/etc\/userdomains}{$value}{::::invalid::::}}}}\n local_part_suffix = +*\n local_part_suffix_optional\n allow_fail\n allow_defer\n allow_freeze\n # Sets r_suspendinfo to the contents of the suspendinfo file,\n # r_suspended_shell to the original shell of the suspended account,\n # r_suspended_redirect to the real mapped redirect setting.\n set = r_suspended_shell=${perl{get_suspended_shell}{${if eq{$domain}{$primary_hostname}{$local_part}{${lookup{$domain}lsearch{\/etc\/userdomains}{$value}}}}}}\n # This skips content scanning for the primary account address with live-transfers and handles the special :queue: setting by pretending those are :blackhole: deliveries during address verification\n address_data = router=$router_name ${if 
!match{${lookup{$local_part@$domain}wildlsearch{\/etc\/exim_suspended_list}{$value}{:unknown:}}}{\\N^\\s*(:unknown:.*)?$\\N}{suspended=1 redirect=${quote:${if !match{${lookup{$local_part@$domain}wildlsearch{\/etc\/exim_suspended_list}{$value}{:unknown:}}}{\\N^\\s*:\\N}{${if eq{$verify_mode}{}{${lookup{$local_part@$domain}wildlsearch{\/etc\/exim_suspended_list}{$value}{:unknown:}}}{:blackhole:}}}{${sg{${lookup{$local_part@$domain}wildlsearch{\/etc\/exim_suspended_list}{$value}{:unknown:}}}{\\N^\\s*:queue:\\N}{${if eq{$verify_mode}{}{:defer:}{:blackhole:}}}}}}}}}\n data = ${extract{redirect}{$address_data}}\n\n\n# The main routers handle traffic to the lists themselves and the suffixed ones\n# handle mail to administrative aliases. We have to use a two step process\n# because otherwise mail to a list such as foo-admin@example.tld will not be\n# handled properly.\n\nmailman_virtual_router:\n driver = accept\n domains = !$primary_hostname : +local_domains\n local_parts = +path_safe_localparts\n require_files = \/usr\/local\/cpanel\/3rdparty\/mailman\/lists\/${lc::$local_part}_${lc::$domain}\/config.pck : \/usr\/local\/cpanel\/3rdparty\/mailman\/mail\/mailman\n transport = mailman_virtual_transport\n\n\n\nmailman_virtual_router_suffixed:\n driver = accept\n require_files = \/usr\/local\/cpanel\/3rdparty\/mailman\/lists\/${lc::$local_part}_${lc::$domain}\/config.pck : \/usr\/local\/cpanel\/3rdparty\/mailman\/mail\/mailman\n domains = !$primary_hostname : +local_domains\n local_parts = +path_safe_localparts\n local_part_suffix = -admin : \\\n -bounces : -bounces+* : \\\n -confirm : -confirm+* : \\\n -join : -leave : \\\n -owner : -request : \\\n -subscribe : -unsubscribe\n transport = mailman_virtual_transport\n\n\n\nmailman_virtual_router_nodns:\n driver = accept\n require_files = \/usr\/local\/cpanel\/3rdparty\/mailman\/lists\/${lc::$local_part}\/config.pck : \/usr\/local\/cpanel\/3rdparty\/mailman\/mail\/mailman\n condition = \\\n ${if or {{match{$local_part}{.*_.*}} 
\\\n {eq{$local_part}{mailman}}} \\\n {1}{0}}\n domains = $primary_hostname\n local_parts = +path_safe_localparts\n transport = mailman_virtual_transport_nodns\n\n\n\nmailman_virtual_router_nodns_suffixed:\n driver = accept\n require_files = \/usr\/local\/cpanel\/3rdparty\/mailman\/lists\/${lc::$local_part}\/config.pck : \/usr\/local\/cpanel\/3rdparty\/mailman\/mail\/mailman\n condition = \\\n ${if or {{match{$local_part}{.*_.*}} \\\n {eq{$local_part}{mailman}}} \\\n {1}{0}}\n local_part_suffix = -admin : \\\n -bounces : -bounces+* : \\\n -confirm : -confirm+* : \\\n -join : -leave : \\\n -owner : -request : \\\n -subscribe : -unsubscribe\n domains = $primary_hostname\n local_parts = +path_safe_localparts\n transport = mailman_virtual_transport_nodns\n\ndemocheck:\n driver = redirect\n require_files = \"+\/etc\/demouids\"\n condition = ${if >= {$originator_uid}{100}{1}{0}}\n condition = \"${extract{size}{${stat:\/etc\/demouids}}}\"\n condition = \"${if eq {${lookup {$originator_uid} lsearch {\/etc\/demouids} {$value}}}{}{false}{true}}\"\n allow_fail\n data = :fail: demo accounts are not permitted to relay email\n\n#\n# This is to make sure that cpanel@* always passes sender verification\n# so that the system notifications don't get rejected by spam filters\n# doing a sender verification check.\n#\nblackhole_cpanel_at:\n driver = redirect\n local_parts = cpanel\n domains = !$primary_hostname\n verify_only\n data = :blackhole:\n\n\n\n# cPanel Mail Archiving is disabled\n\n\n\n\n\n#\n# Handles identification of messages, nobody and webspam and mail trap checks\n# in check_mail_permissions and notifies if we are defering a message\n#\n\n\nboxtrapper_autowhitelist:\n driver = accept\n condition = ${if eq {$authenticated_id}{}{0}{${if eq {$sender_address}{$local_part@$domain}{0}{${if match{$received_protocol}{\\N^e?smtps?a$\\N}{${perl{checkbx_autowhitelist}{$authenticated_id}}}{${if eq{$received_protocol}{local}{${perl{checkbx_autowhitelist}{$sender_ident}}}{0}}}}}}}}\n 
require_files = \"+\/usr\/local\/cpanel\/bin\/boxtrapper\"\n transport = boxtrapper_autowhitelist\n no_verify\n unseen\n\ncheck_mail_permissions:\n domains = ! +local_domains\n condition = ${if eq {$authenticated_id}{root}{0}{1}}\n ignore_target_hosts = +loopback : 64.94.110.0\/24\n driver = redirect\n allow_filter\n reply_transport = address_reply\n user = mailnull\n no_verify\n expn = false\n condition = \"${perl{check_mail_permissions}}\"\n data = \"${perl{check_mail_permissions_results}}\"\n\n\n#\n# discover_sender_information is not included\n# because from_rewrites are not enabled\n#\n\n\n#\n# If check_mail_permissions needs to defer or fail a message it is done here\n#\nenforce_mail_permissions:\n domains = ! +local_domains\n ignore_target_hosts = +loopback : 64.94.110.0\/24\n condition = ${if eq {$authenticated_id}{root}{0}{1}}\n driver = redirect\n allow_fail\n allow_defer\n no_verify\n expn = false\n condition = \"${perl{enforce_mail_permissions}}\"\n data = \"${perl{enforce_mail_permissions_results}}\"\n\n#\n# Increments max emails per hour if needed\n#\nincrement_max_emails_per_hour_if_needed:\n domains = ! 
+local_domains\n ignore_target_hosts = +loopback : 64.94.110.0\/24\n condition = ${if eq {$authenticated_id}{root}{0}{1}}\n driver = redirect\n allow_fail\n no_verify\n one_time\n expn = false\n condition = \"${perl{increment_max_emails_per_hour_if_needed}}\"\n data = \":unknown:\"\n\n\n\n\n\n#\n# reject_forwarded_mail_marked_as_spam is not included\n# because no_forward_outbound_spam and no_forward_outbound_spam_over_int\n# are both disabled\n#\n\n\n\n\n#\n# Lookup host router for remote smtp and ignores verisign site finder 'service'\n# This matches lookup exactly except we look for X-Precedence and Precedence so\n# we can determine what is an auto responder message in the log.\n# Note: there is nothing to\n# prevent X-Precedence from being added to non-autoresponded messages so this is for\n# logging reasons only\n#\n# Note: Boxtrapper sets Precedence to auto_reply\n#\nautoreply_dkim_lookuphost:\n driver = dnslookup\n domains = ! 
+local_domains\n condition = \"${perl{sender_domain_can_dkim_sign}}\"\n #ignore verisign to prevent waste of bandwidth\n ignore_target_hosts = +loopback : 64.94.110.0\/24\n headers_add = \"${perl{mailtrapheaders}}\"\n transport = dkim_remote_smtp\n\n#\n# Lookup host router for remote smtp and ignores verisign site finder 'service'\n# This matches lookup exactly except we look for X-Precedence and Precedence so\n# we can determine what is an auto responder message in the log.\n# Note: there is nothing to\n# prevent X-Precedence from being added to non-autoresponded messages so this is for\n# logging reasons only\n#\n# Note: Boxtrapper sets Precedence to auto_reply\n#\n\n\nautoreply_lookuphost:\n driver = dnslookup\n domains = ! +local_domains\n condition = \"${if or {{match{$h_precedence:}{auto}}{match{$h_x-precedence:}{auto}}}{1}{0}}\"\n #ignore verisign to prevent waste of bandwidth\n ignore_target_hosts = +loopback : 64.94.110.0\/24\n headers_add = \"${perl{mailtrapheaders}}\"\n transport = remote_smtp\n\n#\n# Lookup host router for remote smtp and ignores verisign site finder 'service'\n#\n\n\nlookuphost:\n driver = dnslookup\n domains = ! +local_domains\n #ignore verisign to prevent waste of bandwidth\n ignore_target_hosts = +loopback : 64.94.110.0\/24\n headers_add = \"${perl{mailtrapheaders}}\"\n transport = remote_smtp\n\n\n# This router routes to remote hosts over SMTP by explicit IP address,\n# given as a \"domain literal\" in the form [nnn.nnn.nnn.nnn]. The RFCs\n# require this facility, which is why it is enabled by default in Exim.\n# If you want to lock it out, set forbid_domain_literals in the main\n# configuration section above.\n\n\n#\n# Literal Transports .. ignores verisigns sitefinder service\n#\n\nliteral:\n driver = ipliteral\n domains = ! 
+local_domains\n ignore_target_hosts = +loopback : 64.94.110.0\/24\n headers_add = \"${perl{mailtrapheaders}}\"\n transport = remote_smtp\n\n\n\n\n\n# This router routes to a statically defined host from \/etc\/manualmx\n# so that any mail received for the domain will skip MX lookups and attempt to\n# deliver the message directly to the specified host.\nmanualmx:\n driver = manualroute\n domains = +manualmx_domains\n transport = remote_smtp\n route_data = ${lookup{$domain}lsearch{\/etc\/manualmx}}\n\n#!!# This new router is put here to fail all domains that\n#!!# were not in local_domains in the Exim 3 configuration.\n\n\n#\n# Trap Failures to Remote Domain\n#\n\nfail_remote_domains:\n driver = redirect\n domains = ! +local_domains : ! localhost : ! localhost.localdomain\n allow_fail\n data = ${if eq {$verify_mode}{S} \\\n {:fail: The mail server does not recognize $local_part@$domain as a valid sender.} \\\n {:fail: The mail server could not deliver mail to $local_part@$domain. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.} \\\n }\n\n\n\n\n\n#!!#######################################################!!#\n#!!# Here follow routers created from the old directors, #!!#\n#!!# for handling local domains. #!!#\n#!!#######################################################!!#\n\n######################################################################\n# DIRECTORS CONFIGURATION #\n# Specifies how local addresses are handled #\n######################################################################\n# ORDER DOES MATTER #\n# A local address is passed to each in turn until it is accepted. 
#\n######################################################################\n\n# Local addresses are those with a domain that matches some item in the\n# \"local_domains\" setting above, or those which are passed back from the\n# routers because of a \"self=local\" setting (not used in this configuration).\n\n\n# This director handles aliasing using a traditional \/etc\/aliases file.\n# If any of your aliases expand to pipes or files, you will need to set\n# up a user and a group for these deliveries to run under. You can do\n# this by uncommenting the \"user\" option below (changing the user name\n# as appropriate) and adding a \"group\" option if necessary. Alternatively, you\n# can specify \"user\" on the transports that are used. Note that those\n# listed below are the same as are used for .forward files; you might want\n# to set up different ones for pipe and file deliveries from aliases.\n\n#spam_filter:\n# driver = forwardfile\n# file = \/etc\/spam.filter\n# no_check_local_user\n# no_verify\n# filter\n# allow_system_actions\n\n\n\n\n\n\n\n\n\n\n\n\n#\n# Account level filtering for everything but the main account\n#\n\ncentral_filter:\n driver = redirect\n allow_filter\n allow_fail\n forbid_filter_run\n forbid_filter_perl\n forbid_filter_lookup\n forbid_filter_readfile\n forbid_filter_readsocket\n no_check_local_user\n domains = !$primary_hostname : dsearch;\/etc\/vfilters\n require_files = \"+\/etc\/vfilters\/${domain_data}\"\n condition = \"${extract{size}{${stat:\/etc\/vfilters\/${domain_data}}}}\"\n file = \/etc\/vfilters\/${domain_data}\n file_transport = address_file\n directory_transport = address_directory\n pipe_transport = ${if forall{\/bin\/cagefs_enter:\/usr\/sbin\/cagefsctl}{exists{$item}}{cagefs_virtual_address_pipe}{${if forany{${extract{6}{:}{${lookup passwd{${lookup{$domain_data}lsearch{\/etc\/userdomains}}}}}}:$r_suspended_shell}{match{$item}{\\N(jail|no)shell\\N}}{jailed_virtual_address_pipe}{virtual_address_pipe}}}}\n reply_transport = 
address_reply\n router_home_directory = ${extract{5}{::}{${lookup passwd{${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}}{$value}}}}\n user = \"${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}\"\n no_verify\n\n\n\n#\n# Account level filtering for the main account\n#\n# checks \/etc\/vfilters\/maindomain if its a localuser (ie main acct)\n#\nmainacct_central_user_filter:\n driver = redirect\n allow_filter\n allow_fail\n forbid_filter_run\n forbid_filter_perl\n forbid_filter_lookup\n forbid_filter_readfile\n forbid_filter_readsocket\n check_local_user\n domains = $primary_hostname\n condition = ${if eq {${lookup{$local_part_data}lsearch{\/etc\/domainusers}{$value}}}{}{0}{${if exists {\/etc\/vfilters\/${lookup{$local_part_data}lsearch{\/etc\/domainusers}{$value}}}{${extract{size}{${stat:\/etc\/vfilters\/${lookup{$local_part_data}lsearch{\/etc\/domainusers}{$value}}}}}}{0}}}}\n file = \"\/etc\/vfilters\/${lookup{$local_part_data}lsearch{\/etc\/domainusers}{$value}}\"\n directory_transport = address_directory\n file_transport = address_file\n pipe_transport = ${if forall{\/bin\/cagefs_enter:\/usr\/sbin\/cagefsctl}{exists{$item}}{cagefs_address_pipe}{${if forany{${extract{6}{:}{${lookup passwd{$local_part_data}}}}:$r_suspended_shell}{match{$item}{\\N(jail|no)shell\\N}}{jailed_address_pipe}{address_pipe}}}}\n reply_transport = address_reply\n user = $local_part_data\n group = $local_part_data\n retry_use_local_part\n no_verify\n\n#\n# User Level Filtering for the main account\n#\n\n\ncentral_user_filter:\n driver = redirect\n allow_filter\n allow_fail\n forbid_filter_run\n forbid_filter_perl\n forbid_filter_lookup\n forbid_filter_readfile\n forbid_filter_readsocket\n check_local_user\n domains = $primary_hostname\n require_files = \"+${extract{5}{::}{${lookup passwd{$local_part_data}{$value}}}}\/etc\/filter\"\n condition = \"${extract{size}{${stat:${extract{5}{::}{${lookup passwd{$local_part_data}{$value}}}}\/etc\/filter}}}\"\n file = 
\"${extract{5}{::}{${lookup passwd{$local_part_data}{$value}}}}\/etc\/filter\"\n router_home_directory = ${extract{5}{::}{${lookup passwd{$local_part_data}{$value}}}}\n directory_transport = address_directory\n file_transport = address_file\n pipe_transport = ${if forall{\/bin\/cagefs_enter:\/usr\/sbin\/cagefsctl}{exists{$item}}{cagefs_address_pipe}{${if forany{${extract{6}{:}{${lookup passwd{$local_part_data}}}}:$r_suspended_shell}{match{$item}{\\N(jail|no)shell\\N}}{jailed_address_pipe}{address_pipe}}}}\n reply_transport = address_reply\n user = $local_part_data\n group = $local_part_data\n local_part_suffix = +*\n local_part_suffix_optional\n retry_use_local_part\n no_verify\n\n#\n# User Level Filtering for virtual users\n#\n\n\nvirtual_user_filter:\n driver = redirect\n allow_filter\n allow_fail\n forbid_filter_run\n forbid_filter_perl\n forbid_filter_lookup\n forbid_filter_readfile\n forbid_filter_readsocket\n domains = !$primary_hostname : ${lookup{$domain}lsearch{\/etc\/userdomains}{${perl{untaint}{$domain}}}}\n require_files = \"+${extract{5}{::}{${lookup passwd{${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}}{$value}}}}\/etc\/$domain_data\/$local_part_data\/filter\"\n user = \"${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}\"\n router_home_directory = ${extract{5}{::}{${lookup passwd{${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}}{$value}}}}\n local_parts = ${if exists{${extract{5}{::}{${lookup passwd{${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}}{$value}}}}\/etc\/$domain_data}\\\n {dsearch;${extract{5}{::}{${lookup passwd{${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}}{$value}}}}\/etc\/$domain_data}\\\n }\n condition = \"${extract{size}{${stat:$home\/etc\/$domain_data\/$local_part_data\/filter}}}\"\n file = \"$home\/etc\/$domain_data\/$local_part_data\/filter\"\n directory_transport = address_directory\n file_transport = address_file\n pipe_transport = ${if 
forall{\/bin\/cagefs_enter:\/usr\/sbin\/cagefsctl}{exists{$item}}{cagefs_virtual_address_pipe}{${if forany{${extract{6}{:}{${lookup passwd{${lookup{$domain_data}lsearch{\/etc\/userdomains}}}}}}:$r_suspended_shell}{match{$item}{\\N(jail|no)shell\\N}}{jailed_virtual_address_pipe}{virtual_address_pipe}}}}\n reply_transport = address_reply\n local_part_suffix = +*\n local_part_suffix_optional\n retry_use_local_part\n no_verify\n\n\n\n\n\n\nvirtual_aliases_nostar:\n driver = redirect\n allow_defer\n allow_fail\n domains = !$primary_hostname : dsearch;\/etc\/valiases\n user = \"${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}\"\n address_data = \"router=$router_name redirect=${quote:${lookup{$local_part@$domain_data}lsearch{\/etc\/valiases\/$domain_data}}}\"\n data = ${extract{redirect}{$address_data}}\n file_transport = address_file\n pipe_transport = ${if forall{\/bin\/cagefs_enter:\/usr\/sbin\/cagefsctl}{exists{$item}}{cagefs_virtual_address_pipe}{${if forany{${extract{6}{:}{${lookup passwd{${lookup{$domain_data}lsearch{\/etc\/userdomains}}}}}}:$r_suspended_shell}{match{$item}{\\N(jail|no)shell\\N}}{jailed_virtual_address_pipe}{virtual_address_pipe}}}}\n router_home_directory = ${extract{5}{::}{${lookup passwd{${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}}{$value}}}}\n local_part_suffix = +*\n local_part_suffix_optional\n retry_use_local_part\n unseen\n\n\n\nvirtual_user_overquota:\n driver = redirect\n domains = !$primary_hostname : ${lookup{$domain}lsearch{\/etc\/userdomains}{${perl{untaint}{$domain}}}}\n require_files = \"+$home\/etc\/$domain_data\"\n user = \"${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}\"\n router_home_directory = ${extract{5}{::}{${lookup passwd{${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}}{$value}}}}\n\n # NB: On busy servers Dovecot may take several seconds to respond to\n # this request. 
So we set the timeout generously:\n condition = \"${if match {${readsocket{\/var\/run\/dovecot\/quota-status}{request=smtpd_access_policy\\nrecipient=${quote:$local_part}@${quote:$domain_data}\\nsize=$message_size\\n\\n}{30s}{\\n}{SOCKETFAIL}}}{action=5}{true}{false}}\"\n\n data = \":fail:Mailbox is full \/ Blocks limit exceeded \/ Inode limit exceeded\"\n verify_only\n allow_fail\n\n\n\n\n\n\n\n#\n# Virtual User Spam Boxes\n#\n\nvirtual_user_spam:\n driver = redirect\n local_parts = +path_safe_localparts\n domains = !$primary_hostname : ${lookup{$domain}lsearch{\/etc\/userdomains}{${perl{untaint}{$domain}}}}\n condition = ${if match{$h_x-spam-status:}{\\N^Yes\\N}{true}{false}}\n require_files = \"+${extract{5}{::}{${lookup passwd{${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}}{$value}}}}\/.spamassassinboxenable:+${extract{5}{::}{${lookup passwd{${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}}{$value}}}}\/mail\/$domain_data\/$local_part\"\n router_home_directory = ${extract{5}{::}{${lookup passwd{${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}}{$value}}}}\n headers_remove=\"x-uidl\"\n data = \"${quote_local_part:$local_part}+spam@$domain_data\"\n redirect_router = virtual_user\n\n\n\nvirtual_boxtrapper_user:\n driver = accept\n local_parts = +path_safe_localparts\n domains = !$primary_hostname : ${lookup{$domain}lsearch{\/etc\/userdomains}{${perl{untaint}{$domain}}}}\n require_files = \"+\/usr\/local\/cpanel\/bin\/boxtrapper:+${extract{5}{::}{${lookup passwd{${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}}{$value}}}}\/etc\/$domain_data\/$local_part\/.boxtrapperenable:+${extract{5}{::}{${lookup passwd{${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}}{$value}}}}\/mail\/$domain_data\/$local_part\"\n user = \"${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}\"\n router_home_directory = ${extract{5}{::}{${lookup passwd{${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}}{$value}}}}\n 
headers_remove=\"x-uidl\"\n transport = virtual_boxtrapper_userdelivery\n\nvirtual_user:\n driver = accept\n domains = !$primary_hostname : ${lookup{$domain}lsearch{\/etc\/userdomains}{${perl{untaint}{$domain}}}}\n local_parts = +path_safe_localparts\n require_files = \"+${extract{5}{::}{${lookup passwd{${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}}{$value}}}}\/mail\/$domain_data\/$local_part\"\n router_home_directory = ${extract{5}{::}{${lookup passwd{${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}}{$value}}}}\n headers_remove=\"x-uidl\"\n local_part_suffix = +*\n local_part_suffix_optional\n user = mailnull\n group = mail\n transport = ${if forany {${addresses:$h_to:}:${addresses:$h_cc:}}{or {{eqi{${extract{1}{+}{${local_part:$item}}}@${domain:$item}}{$local_part@$domain_data}}{eqi{${extract{1}{+}{${local_part:$item}}}@${domain:$item}}{$original_local_part@$original_domain}}}}{dovecot_virtual_delivery}{dovecot_virtual_delivery_no_batch}}\n #\n # If the delivery address, original address (forwarded),\n # or address with subaddress is shown on the To: or Cc:\n # lines or the message has the List-Id: or Precedence:\n # header we allow the message to be batched to\n # dovecot LMTP via transport dovecot_virtual_delivery\n #\n # If it does not match the above we do not allow the message\n # to be batched in order to ensure that the Envelope-To: header\n # does not contain a user that was Bcc:ed so savvy recipients\n # cannot see that another email was Bcc:ed in the header\n # via transport dovecot_virtual_delivery_no_batch\n #\n # Note: match_address would be nice here but the second string\n # is not expanded for security reasons\n #\n\n\n\n\n#\n# has_alias_but_no_mailbox_discarded_to_prevent_loop requires either of the following:\n#\n# 1. There is an active alias in the valias file\n# 2. 
There is an active autoresponder and the * is set to :fail:\n#\nhas_alias_but_no_mailbox_discarded_to_prevent_loop:\n driver = redirect\n domains = !$primary_hostname : dsearch;\/etc\/valiases\n condition = ${lookup{$local_part@$domain_data}lsearch{\/etc\/valiases\/$domain_data}{1}{0}}\n condition = \"${if forany{<, ${lookup{$local_part@$domain_data}lsearch{\/etc\/valiases\/$domain_data}{$value}}}{!match{$item}{\\N\/autorespond\\N}}{1}{${if match {${lookup{\\N*\\N}lsearch{\/etc\/valiases\/$domain_data}{$value}}}{:fail:}{1}{0}}}}\"\n data=\":blackhole:\"\n local_part_suffix = +*\n local_part_suffix_optional\n disable_logging = true\n\n\n\n\n# srs is disabled\n\n\n\n\n\n\n\n\nvalias_domain_file:\n driver = redirect\n allow_defer\n allow_fail\n domains = !$primary_hostname : dsearch;\/etc\/vdomainaliases\n user = \"${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}\"\n condition = ${lookup {$domain_data} lsearch {\/etc\/vdomainaliases\/$domain_data}{yes}{no} }\n address_data = router=$router_name redirect=${quote:${quote_local_part:$local_part}@${lookup{$domain_data}lsearch{\/etc\/vdomainaliases\/$domain_data}}}\n data = ${extract{redirect}{$address_data}}\n\nvirtual_aliases:\n driver = redirect\n allow_defer\n allow_fail\n domains = !$primary_hostname : dsearch;\/etc\/valiases\n user = \"${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}\"\n router_home_directory = ${extract{5}{::}{${lookup passwd{${lookup{$domain_data}lsearch{\/etc\/userdomains}{$value}}}{$value}}}}\n address_data = \"router=$router_name redirect=${quote:${lookup{*}lsearch{\/etc\/valiases\/$domain_data}}}\"\n data = ${extract{redirect}{$address_data}}\n file_transport = address_file\n pipe_transport = ${if forall{\/bin\/cagefs_enter:\/usr\/sbin\/cagefsctl}{exists{$item}}{cagefs_virtual_address_pipe}{${if forany{${extract{6}{:}{${lookup 
passwd{${lookup{$domain_data}lsearch{\/etc\/userdomains}}}}}}:$r_suspended_shell}{match{$item}{\\N(jail|no)shell\\N}}{jailed_virtual_address_pipe}{virtual_address_pipe}}}}\n\n\n\n\n\n\n\n# This director handles forwarding using traditional .forward files.\n# If you want it also to allow mail filtering when a forward file\n# starts with the string \"# Exim filter\", uncomment the \"filter\" option.\n# The check_ancestor option means that if the forward file generates an\n# address that is an ancestor of the current one, the current one gets\n# passed on instead. This covers the case where A is aliased to B and B\n# has a .forward file pointing to A. The three transports specified at the\n# end are those that are used when forwarding generates a direct delivery\n# to a file, or to a pipe, or sets up an auto-reply, respectively.\n\nsystem_aliases:\n driver = redirect\n allow_defer\n allow_fail\n domains = $primary_hostname : localhost\n address_data = \"router=$router_name redirect=${quote:${lookup{$local_part}lsearch{\/etc\/aliases}}}\"\n data = ${extract{redirect}{$address_data}}\n file_transport = address_file\n pipe_transport = address_pipe\n# user = exim\n\n\nlocal_aliases:\n driver = redirect\n allow_defer\n allow_fail\n domains = $primary_hostname : localhost\n address_data = \"router=$router_name redirect=${quote:${lookup{$local_part}lsearch{\/etc\/localaliases}}}\"\n data = ${extract{redirect}{$address_data}}\n file_transport = address_file\n pipe_transport = address_pipe\n check_local_user\n\n\n\n\n\nuserforward:\n driver = redirect\n allow_filter\n allow_fail\n forbid_filter_run\n forbid_filter_perl\n forbid_filter_lookup\n forbid_filter_readfile\n forbid_filter_readsocket\n check_ancestor\n check_local_user\n domains = $primary_hostname\n no_expn\n require_files = \"+$home\/.forward\"\n condition = \"${extract{size}{${stat:$home\/.forward}}}\"\n file = $home\/.forward\n file_transport = address_file\n pipe_transport = ${if 
forall{\/bin\/cagefs_enter:\/usr\/sbin\/cagefsctl}{exists{$item}}{cagefs_address_pipe}{${if forany{${extract{6}{:}{${lookup passwd{$local_part_data}}}}:$r_suspended_shell}{match{$item}{\\N(jail|no)shell\\N}}{jailed_address_pipe}{address_pipe}}}}\n reply_transport = address_reply\n directory_transport = address_directory\n user = $local_part_data\n group = $local_part_data\n no_verify\n\n\n\n\n# srs is disabled\n\n\n\n\n\n\nlocaluser_root:\n driver = redirect\n allow_fail\n domains = $primary_hostname : localhost\n check_local_user\n condition = ${if eq {$local_part_data}{root}}\n data = :fail: root cannot accept local mail deliveries\n\n\n\nlocaluser_overquota:\n driver = redirect\n domains = $primary_hostname\n check_local_user\n\n # NB: On busy servers Dovecot may take several seconds to respond to\n # this request. So we set the timeout generously:\n condition = \"${if match {${readsocket{\/var\/run\/dovecot\/quota-status}{request=smtpd_access_policy\\nrecipient=${quote:$local_part}\\nsize=$message_size\\n\\n}{30s}{\\n}{SOCKETFAIL}}}{action=5}{true}{false}}\"\n\n data = \":fail:Mailbox is full \/ Blocks limit exceeded \/ Inode limit exceeded\"\n verify_only\n allow_fail\n\n\n#\n# Optimized spambox router\n#\n\nlocaluser_spam:\n driver = redirect\n domains = $primary_hostname\n require_files = \"+$home\/.spamassassinboxenable\"\n condition = ${if match{$h_x-spam-status:}{\\N^Yes\\N}{true}{false}}\n# sets home,user,group\n check_local_user\n headers_remove=\"x-uidl\"\n data = \"${quote_local_part:$local_part_data}+spam\"\n redirect_router = localuser\n\n\n\n\nboxtrapper_localuser:\n driver = accept\n require_files = \"+\/usr\/local\/cpanel\/bin\/boxtrapper:+$home\/etc\/.boxtrapperenable\"\n check_local_user\n domains = $primary_hostname\n transport = local_boxtrapper_delivery\n\nlocaluser:\n driver = accept\n# sets home,user,group\n check_local_user\n domains = $primary_hostname\n headers_remove=\"x-uidl\"\n local_part_suffix = +*\n local_part_suffix_optional\n 
user = mailnull\n group = mail\n transport = ${if forany {${addresses:$h_to:}:${addresses:$h_cc:}}{or {{eqi{${extract{1}{+}{${local_part:$item}}}@${domain:$item}}{$local_part@$domain}}{eqi{${extract{1}{+}{${local_part:$item}}}@${domain:$item}}{$original_local_part@$original_domain}}}}{dovecot_delivery}{dovecot_delivery_no_batch}}\n #\n # If the delivery address, original address (forwarded),\n # or address with subaddress is shown on the To: or Cc:\n # lines or the message has the List-Id: or Precedence:\n # header we allow the message to be batched to\n # dovecot LMTP via transport dovecot_virtual_delivery\n #\n # If it does not match the above we do not allow the message\n # to be batched in order to ensure that the Envelope-To: header\n # does not contain a user that was Bcc:ed so savvy recipients\n # cannot see that another email was Bcc:ed in the header\n # via transport dovecot_virtual_delivery_no_batch\n #\n # Note: match_address would be nice here but the second string\n # is not expanded for security reasons\n #\n\n# This director matches local user mailboxes.\n\n\n\n\n\n\n\n######################################################################\n# TRANSPORTS CONFIGURATION #\n######################################################################\n# ORDER DOES NOT MATTER #\n# Only one appropriate transport is called for each delivery. 
#\n######################################################################\n\n# A transport is used only when referenced from a director or a router that\n# successfully handles an address.\n\n\n# This transport is used for delivering messages over SMTP connections.\n\nbegin transports\n\n\n\n\n\n\nmailman_virtual_transport:\n driver = pipe\n command = \/usr\/local\/cpanel\/3rdparty\/mailman\/mail\/mailman \\\n '${if def:local_part_suffix \\\n {${sg{$local_part_suffix}{-(\\\\w+)(\\\\+.*)?}{\\$1}}} \\\n {post}}' \\\n ${lc:$local_part}_${lc:$domain}\n current_directory = \/usr\/local\/cpanel\/3rdparty\/mailman\n home_directory = \/usr\/local\/cpanel\/3rdparty\/mailman\n user = mailman\n group = mailman\n\n\n\n\nmailman_virtual_transport_nodns:\n driver = pipe\n command = \/usr\/local\/cpanel\/3rdparty\/mailman\/mail\/mailman \\\n '${if def:local_part_suffix \\\n {${sg{$local_part_suffix}{-(\\\\w+)(\\\\+.*)?}{\\$1}}} \\\n {post}}' \\\n ${lc:$local_part}\n current_directory = \/usr\/local\/cpanel\/3rdparty\/mailman\n home_directory = \/usr\/local\/cpanel\/3rdparty\/mailman\n user = mailman\n group = mailman\n\n\nremote_smtp:\n driver = smtp\n interface = <; ${if > {${extract{size}{${stat:\/etc\/mailips}}}}{0}{${lookup{${lc:${perl{get_message_sender_domain}}}}lsearch{\/etc\/mailips}{$value}{${lookup{${lc:$original_domain}}lsearch{\/etc\/mailips}{$value}{${lookup{${perl{get_sender_from_uid}}}lsearch*{\/etc\/mailips}{$value}{}}}}}}}}\n helo_data = ${if > {${extract{size}{${stat:\/etc\/mailhelo}}}}{0}{${lookup{${lc:${perl{get_message_sender_domain}}}}lsearch{\/etc\/mailhelo}{$value}{${lookup{${lc:$original_domain}}lsearch{\/etc\/mailhelo}{$value}{${lookup{${perl{get_sender_from_uid}}}lsearch*{\/etc\/mailhelo}{$value}{$primary_hostname}}}}}}}{$primary_hostname}}\n hosts_try_chunking = 198.51.100.1\n\n\n\ndkim_remote_smtp:\n driver = smtp\n interface = <; ${if > 
{${extract{size}{${stat:\/etc\/mailips}}}}{0}{${lookup{${lc:${perl{get_message_sender_domain}}}}lsearch{\/etc\/mailips}{$value}{${lookup{${lc:$original_domain}}lsearch{\/etc\/mailips}{$value}{${lookup{${perl{get_sender_from_uid}}}lsearch*{\/etc\/mailips}{$value}{}}}}}}}}\n helo_data = ${if > {${extract{size}{${stat:\/etc\/mailhelo}}}}{0}{${lookup{${lc:${perl{get_message_sender_domain}}}}lsearch{\/etc\/mailhelo}{$value}{${lookup{${lc:$original_domain}}lsearch{\/etc\/mailhelo}{$value}{${lookup{${perl{get_sender_from_uid}}}lsearch*{\/etc\/mailhelo}{$value}{$primary_hostname}}}}}}}{$primary_hostname}}\n dkim_domain = ${perl{get_dkim_domain}}\n dkim_selector = default\n dkim_private_key = \"\/var\/cpanel\/domain_keys\/private\/${dkim_domain}\"\n dkim_canon = relaxed\n hosts_try_chunking = 198.51.100.1\n\n\n\n# This transport is used for local delivery to user mailboxes. By default\n# it will be run under the uid and gid of the local user, and requires\n# the sticky bit to be set on the \/var\/mail directory. Some systems use\n# the alternative approach of running mail deliveries under a particular\n# group instead of using the sticky bit. The commented options below show\n# how this can be done.\n\n\n\n\n\n\n# This transport is used for handling pipe deliveries generated by alias\n# or .forward files. If the pipe generates any standard output, it is returned\n# to the sender of the message as a delivery error. Set return_fail_output\n# instead of return_output if you want this to happen only when the pipe fails\n# to complete normally. 
You can set different transports for aliases and\n# forwards if you want to - see the references to address_pipe below.\n\n\naddress_directory:\n driver = pipe\n command = \/usr\/libexec\/dovecot\/dovecot-lda -f $sender_address -d ${perl{convert_address_directory_to_dovecot_lda_destination_username}} -m ${perl{convert_address_directory_to_dovecot_lda_mailbox}}\n message_prefix =\n message_suffix =\n log_output\n delivery_date_add\n envelope_to_add\n return_path_add\n temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78\n\naddress_pipe:\n driver = pipe\n return_output\n\nvirtual_address_pipe:\n driver = pipe\n return_output\n\njailed_address_pipe:\n driver = pipe\n force_command\n command = \/usr\/local\/cpanel\/bin\/jailexec $address_pipe\n return_output\n\njailed_virtual_address_pipe:\n driver = pipe\n force_command\n command = \/usr\/local\/cpanel\/bin\/jailexec $address_pipe\n return_output\n\ncagefs_address_pipe:\n driver = pipe\n force_command\n command = \/bin\/cagefs_enter $address_pipe\n return_output\n\ncagefs_virtual_address_pipe:\n driver = pipe\n force_command\n command = \/bin\/cagefs_enter $address_pipe\n return_output\n\n\n# This transport is used for handling deliveries directly to files that are\n# generated by aliasing or forwarding.\n\n\naddress_file:\n driver = pipe\n command = \/usr\/libexec\/dovecot\/dovecot-lda -e -f $sender_address -d ${perl{convert_address_directory_to_dovecot_lda_destination_username}} -m ${perl{convert_address_directory_to_dovecot_lda_mailbox}}\n message_prefix =\n message_suffix =\n log_output\n delivery_date_add\n envelope_to_add\n return_path_add\n temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78\n\n\n# For email with a bcc:\ndovecot_delivery_no_batch:\n driver = lmtp\n socket = \/var\/run\/dovecot\/lmtp\n batch_max = 1\n rcpt_include_affixes\n delivery_date_add\n envelope_to_add\n return_path_add\n\n# For email with a bcc:\ndovecot_virtual_delivery_no_batch:\n driver = lmtp\n socket = 
\/var\/run\/dovecot\/lmtp\n batch_max = 1\n rcpt_include_affixes\n delivery_date_add\n envelope_to_add\n return_path_add\n\n\n\nboxtrapper_autowhitelist:\n driver = pipe\n headers_only\n command = \/usr\/local\/cpanel\/bin\/boxtrapper --autowhitelist \"${authenticated_id}\"\n user = ${perl{getemailuser}{$authenticated_id}{$received_protocol}{$sender_ident}}\n group = ${extract{3}{:}{${lookup passwd{${perl{getemailuser}{$authenticated_id}{$received_protocol}{$sender_ident}}}{$value}}}}\n log_output = true\n return_fail_output = true\n return_path_add = false\n temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78\n\n\n\nlocal_boxtrapper_delivery:\n driver = pipe\n command = \/usr\/local\/cpanel\/bin\/boxtrapper \"${local_part_data}\" $home\n user = $local_part_data\n group = ${extract{3}{:}{${lookup passwd{$local_part_data}{$value}}}}\n log_output = true\n return_fail_output = true\n return_path_add = false\n temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78\n\n\n\nvirtual_boxtrapper_userdelivery:\n driver = pipe\n command = \/usr\/local\/cpanel\/bin\/boxtrapper \"${local_part}@${domain}\" $home\n user = \"${lookup{$domain}lsearch{\/etc\/userdomains}{$value}}\"\n log_output = true\n return_fail_output = true\n return_path_add = false\n temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78\n\ndovecot_delivery:\n driver = lmtp\n socket = \/var\/run\/dovecot\/lmtp\n batch_max = 200\n rcpt_include_affixes\n delivery_date_add\n envelope_to_add\n return_path_add\n\ndovecot_virtual_delivery:\n driver = lmtp\n socket = \/var\/run\/dovecot\/lmtp\n batch_max = 200\n rcpt_include_affixes\n delivery_date_add\n envelope_to_add\n return_path_add\n\naddress_reply:\n driver = autoreply\n\n\n\n# cPanel Mail Archiving is disabled\n\n\n\n\n\n\n\n\n\n######################################################################\n# RETRY CONFIGURATION #\n######################################################################\n\n# This single retry rule applies to all domains and all 
errors. It specifies\n# retries every 15 minutes for 2 hours, then increasing retry intervals,\n# starting at 1 hour and increasing each time by a factor of 1.5, up to 16\n# hours, then retries every 8 hours until 4 days have passed since the first\n# failed delivery.\n\n# Domain Error Retries\n# ------ ----- -------\n\n\nbegin retry\n\n\n\n\n+secondarymx * F,4h,5m; G,16h,1h,1.5; F,4d,8h\n* * F,2h,15m; G,16h,1h,1.5; F,4d,8h\n\n\n\n\n# End of Exim 4 configuration"}