Enabling SRS on a CPanel Server

The default MTA on a CPanel server (Exim) has supported both the Sender Policy Framework (SPF) and the Sender Rewriting Scheme (SRS) for quite some time. Unfortunately, whilst CPanel provides configuration options allowing you to enable and configure SPF, the same cannot be said for SRS.

This can cause a major headache if you have set-up mail forwarders on your system. This documentation details how to go about configuring SRS.

Why is it an issue?

Initially, the lack of support for SRS wasn't a major drama. However, more and more hosts are enabling SPF so it's an issue that's going to come up far more frequently.

SPF allows you to specify exactly which servers are authorised to send mail on behalf of your domain. The problem is, the CPanel server that's doing the forwarding is unlikely to be included in this list (the server administrator would need to ask anyone that might ever email them to add their IP to their SPF record - never going to happen!).

It's not been an issue thus far as a lot of email providers either haven't enabled SPF checks or indeed haven't enabled the SPF record for their domain.

That's changing and quickly.


What we need to do

Basically the root cause of the issue is that when my CPanel server (myserver.com) receives an email from bob@example.com it forwards it on to me@myotherdomain.com as if it were from bob@example.com. Unfortunately, if example.com have their SPF record enabled, the SPF checks on myotherdomain.com will fail.

What SRS allows us to do, is to re-write the envelope header so that the email comes from myserver.com

As there's no checkbox or configuration options within CPanel/WHM, you're going to need root access to the shell via SSH (which means if you're on shared hosting, you'll need to ask your host to complete these steps!)

Let's start by generating our secret key

openssl rand -base64 48

Copy this output as we'll need it in the next step

cd /etc/
nano /etc/exim.conf
#Add this at the top of the file, just under CPanel Exim Config
hide srs_config = INSERTSECRETKEY

# Now find virtual_aliases_nostar
# Insert the following just under driver = redirect
srs = forward

# Next find virtual_aliases
# Again, insert just after driver = redirect
srs = forward

# Just under the end of the virtual_aliases section, add

Close and save, and the configuration changes are made. Now you just need to re-start Exim to make them take effect

service exim restart

You should now find that you're able to email using an account which was previously bouncing


Bounce Messages

Assuming a Failed Delivery message was sent (it depends on the configuration of the server running the check) it'll likely have contained something like

SMTP error from remote mail server after end of data:
host RECEIVINGSERVER [RECEIVINGIP]: 550 YOURSERVER is not allowed to send mail from SENDERSDOMAIN.

So taking our example above, we'd have expected to receive

SMTP error from remote mail server after end of data:
host mail.myotherdomain.com []: 550 is not allowed to send mail from example.com.


Unfortunately, there's a good chance that whenever you update CPanel/Exim, it'll helpfully overwrite your configuration changes. It's not the end of the world (you should change your secret key once a year anyway) but if you want to save yourself some work, create a patch file with diff