18.10.2024

Exim Configuration Manager in cPanel/WHM: A Complete Technical Guide

Exim is a Mail Transfer Agent (MTA) developed at the University of Cambridge, widely deployed on Linux-based web hosting servers as the default email backbone for cPanel/WHM environments. The Exim Configuration Manager in WHM is a graphical interface that exposes Exim's configuration directives — from basic spam filtering toggles to raw ACL editing — without requiring direct manipulation of /etc/exim.conf.

For server administrators, this tool is the single most consequential control surface for email deliverability, security posture, and abuse prevention. Misconfiguring it can result in open relay exposure, blacklisting, or complete mail delivery failure. Getting it right means a hardened, high-throughput mail stack that passes SPF, DKIM, and DMARC validation on every outbound message.

What Is Exim and Why It Matters on cPanel Servers

Exim processes both inbound and outbound SMTP traffic, applying a pipeline of Access Control Lists (ACLs), routing rules, transport drivers, and filter scripts at each stage of message handling. On a typical cPanel server, Exim operates alongside Dovecot (IMAP/POP3) and SpamAssassin, forming a three-layer mail stack where Exim is the entry and exit point for all SMTP sessions.

Unlike Postfix or Sendmail, Exim's configuration is a single monolithic file (/etc/exim.conf on cPanel systems, symlinked from /etc/exim.conf.local for custom overrides) that defines routers, transports, ACLs, and rewrite rules in a specific sequential order. cPanel's WHM generates this file dynamically from a template system — which is precisely why the Exim Configuration Manager exists: to let WHM regenerate the config safely without overwriting your customizations.

Key architectural roles Exim plays on a cPanel server:

  • Accepts inbound SMTP connections on ports 25, 465 (SMTPS), and 587 (submission)
  • Applies pre-DATA and post-DATA ACLs for spam, authentication, and policy enforcement
  • Routes mail to local Maildir delivery via Dovecot LDA or relays outbound to remote MTAs
  • Executes SpamAssassin scanning via the spamd daemon
  • Signs outbound messages with DKIM using per-domain private keys stored in /etc/domainkeys/

Accessing Exim Configuration Manager in WHM

The Exim Configuration Manager is exclusively a WHM (Web Host Manager) tool — it is not accessible from individual cPanel accounts. You need root or reseller-level WHM access.

Navigation path:

  1. Log in to WHM at https://your-server-ip:2087
  2. In the left search bar, type Exim
  3. Select Exim Configuration Manager under the Service Configuration section

Alternatively, navigate directly to:

WHM > Home > Service Configuration > Exim Configuration Manager

Once loaded, the interface presents two tabs: Basic Editor and Advanced Editor. These are not independent tools — changes in the Basic Editor write structured directives into the same underlying template that the Advanced Editor exposes in raw form.

Critical operational note: Every time you click Save in either editor, WHM calls exim_tidydb and restarts the Exim service. On a busy server, plan configuration changes during low-traffic windows to avoid dropping in-flight SMTP connections.

Basic Editor: Feature-by-Feature Breakdown

The Basic Editor organizes Exim's configurable options into logical sections. Each toggle or input field maps to a specific directive or macro in the generated exim.conf. Understanding what each setting actually does at the protocol level — not just what the label says — is essential for making informed decisions.

Mail Server Security and Anti-Spam Features

SpamAssassin Integration

When enabled, Exim pipes each incoming message through spamd using the spamc client. SpamAssassin assigns a numeric score based on header analysis, Bayesian filtering, and rule matching. Messages exceeding the configured threshold (default: 5.0) receive an X-Spam-Status: Yes header. WHM's implementation also supports auto-deletion of messages above a higher threshold (default: 10.0).

A frequently overlooked detail: SpamAssassin scanning adds latency to every inbound SMTP transaction. On servers handling more than 50 concurrent connections, ensure spamd is running with adequate child processes (--max-children) to prevent queue buildup.

RBLs (Real-time Blackhole Lists)

RBLs perform a DNS lookup against a blacklist database for every connecting IP address. If the IP is listed, Exim rejects the connection at the SMTP RCPT TO stage with a 550 error — before any message data is transmitted, saving bandwidth and processing overhead.

cPanel's default RBL list includes:

  • zen.spamhaus.org — composite list covering SBL, XBL, and PBL
  • bl.spamcop.net — SpamCop's reporting-based list
  • b.barracudacentral.org — Barracuda Reputation Block List

Pitfall: Aggressive RBL usage can produce false positives, particularly for mail originating from large shared infrastructure (AWS SES, Google Workspace, Office 365 egress IPs). Always test RBL additions against your legitimate mail sources before enabling in production.

Sender Verification (Callout Verification)

This feature instructs Exim to open a temporary SMTP connection back to the sender's mail server and issue a RCPT TO for the claimed sender address. If the remote server rejects the address, Exim rejects the inbound message.

Known edge case: Sender verification can cause delivery failures when the sending domain uses a null sender (MAIL FROM:<>) for bounce messages, or when the remote MTA implements anti-callout measures (returning 250 to all RCPT probes). This is a common source of false rejections for automated notification systems and mailing list software.

Greylisting

Greylisting temporarily rejects mail from unknown sender/IP/recipient triplets with a 451 Try again later response. Legitimate MTAs retry after the configured delay (typically 5–10 minutes), at which point the triplet is whitelisted. Spam engines rarely retry, so the rejection is permanent in practice.

Implementation detail: cPanel implements greylisting via the greylistd daemon, which maintains a SQLite database of triplets at /var/cpanel/greylist/. The database grows over time and should be monitored for size on high-volume servers.

Mail Server Performance and Rate Limiting

Maximum Number of Connections

This maps to Exim's smtp_accept_max directive. Setting this too low causes legitimate senders to receive 421 Too many connections errors. A reasonable starting point for a shared hosting server is 200–500, depending on available RAM (each Exim process consumes approximately 8–15 MB).

Maximum Number of Emails Per Hour

This is enforced per cPanel account via a counter stored in /var/cpanel/ratelimit/. When an account exceeds the limit, subsequent send attempts receive a 550 Message rejected response. This is your primary defense against compromised cPanel accounts being used for spam campaigns.

Recommended baseline limits by server type:

| Server Type | Emails/Hour Per Domain | Max Connections | Queue Runner Interval |
| --- | --- | --- | --- |
| Shared Hosting | 300–500 | 200 | 5 minutes |
| VPS (SMB) | 500–1000 | 300 | 3 minutes |
| Dedicated Mail Server | Unlimited or 5000+ | 500–1000 | 1 minute |
| Transactional Email Server | Per-account SLA | 1000+ | 30 seconds |

If you are running a VPS Hosting environment with multiple client domains, per-domain rate limiting is the most granular and effective approach to abuse containment.

Email Authentication: DKIM and SPF

DKIM (DomainKeys Identified Mail)

When enabled in WHM, Exim signs every outbound message with a 2048-bit RSA private key stored at /etc/domainkeys/<domain>/. The corresponding public key is published as a DNS TXT record at default._domainkey.<domain>. Receiving MTAs verify the signature against the public key, confirming the message was not altered in transit and originated from an authorized server.

Critical configuration point: cPanel generates DKIM keys per domain automatically when a domain is added. However, if you migrate domains from another server, the private keys do not transfer — you must regenerate keys in WHM under Email > DomainKeys and update DNS records accordingly.

SPF (Sender Policy Framework)

SPF is a DNS-based mechanism that specifies which IP addresses are authorized to send mail for a domain. Exim checks the SPF record of the sender's domain during the SMTP MAIL FROM phase. A failing SPF check does not automatically reject mail in cPanel's default configuration — it adds a header. You can escalate this to a hard reject in the Advanced Editor.

DMARC alignment requires both SPF and DKIM to be configured correctly. SPF alone is insufficient for DMARC compliance because SPF validates the envelope sender (MAIL FROM), not the From: header visible to recipients.

Email Routing Configuration

Backup Mail Exchanger (MX Backup)

Configuring a server as a backup MX (secondary MX with a higher priority number, e.g., MX 20) causes remote senders to queue mail to your server when the primary MX is unreachable. Your server then holds the mail and delivers it when the primary recovers.

Operational pitfall: A backup MX configured without proper spam filtering becomes a spam relay bypass vector. Spammers deliberately target secondary MX records because they are often less protected than primary servers. Always apply identical ACL and RBL rules to backup MX configurations.

Remote and Local Mail Handling

This setting controls Exim's router behavior for each domain. Options include:

  • Local — Exim delivers mail directly to the local Maildir
  • Remote — Exim relays all mail for the domain to an external MX
  • Backup — Exim queues mail for a domain when the primary MX is down

For domains using external mail providers (Google Workspace, Microsoft 365), set routing to Remote and ensure the domain's MX records point to the external provider. Leaving routing set to Local for externally-hosted domains causes Exim to generate bounce messages for all inbound mail to those domains.

Logging Configuration

Exim's logging is controlled by the log_selector directive. The Basic Editor exposes the most commonly needed options:

  • SMTP transaction logging — records MAIL FROM, RCPT TO, and DATA commands with timestamps and IP addresses
  • Received email logging — writes a log entry for every accepted message, including message size and queue ID

Exim logs are written to /var/log/exim_mainlog (main transaction log) and /var/log/exim_rejectlog (rejected message log). On high-volume servers, these files rotate daily and can reach several gigabytes. Implement log rotation via logrotate with appropriate retention policies.

Forensic tip: When investigating a spam complaint or delivery failure, the most efficient workflow is:

grep "message-id@example.com" /var/log/exim_mainlog

This retrieves the complete delivery chain for a specific message ID, including all routing decisions and remote server responses.

Advanced Editor: Direct Configuration Control

The Advanced Editor presents the raw Exim configuration template, allowing administrators to insert directives that have no corresponding toggle in the Basic Editor. This is where experienced sysadmins implement configurations that go beyond cPanel's preset options.

Warning: Changes made in the Advanced Editor are preserved across WHM template regeneration only if they are placed in the correct override sections. Directives placed outside designated custom blocks may be overwritten when WHM updates the Exim configuration (e.g., during cPanel version upgrades).

Custom ACL (Access Control List) Implementation

ACLs are Exim's most powerful filtering mechanism. They execute at specific points in the SMTP transaction and can accept, reject, defer, or discard messages based on virtually any message attribute.

ACL execution points in Exim:

| ACL Hook | Trigger Point | Common Use Cases |
| --- | --- | --- |
| `acl_smtp_connect` | TCP connection established | IP reputation blocking, connection rate limiting |
| `acl_smtp_helo` | HELO/EHLO command received | HELO hostname validation, PTR record checks |
| `acl_smtp_mail` | MAIL FROM command | Sender domain validation, SPF enforcement |
| `acl_smtp_rcpt` | RCPT TO command | Recipient validation, RBL checks, greylisting |
| `acl_smtp_data` | After DATA received | SpamAssassin scanning, content filtering, DKIM verification |
| `acl_smtp_mime` | Per MIME part | Attachment type blocking, malware scanning |

Example: Blocking a specific sending domain in the Advanced Editor

# Add to acl_smtp_rcpt section
deny
  sender_domains = spammerdomain.example.com
  message = Mail from this domain is not accepted

Example: Enforcing DMARC-style rejection for SPF hard fails

# Add to acl_smtp_mail section
# The condition is true when the output of spfquery is exactly "fail"
deny
  condition = ${if eq{${run{/usr/bin/spfquery --ip=$sender_host_address \
    --sender=$sender_address --helo=$sender_helo_name}}}{fail}{yes}{no}}
  message = SPF check failed: $sender_address is not authorized to send from $sender_host_address

Custom Mail Routing Rules

Advanced routing in Exim uses routers — ordered processing stages that determine how a message is handled. In the Advanced Editor, you can add custom routers to implement:

  • Load balancing across multiple outbound IPs — useful for transactional email servers managing multiple sending domains
  • Per-domain relay to third-party SMTP services — route mail for @domain.com through SendGrid or Mailgun while handling all other domains locally
  • Conditional routing based on message headers — route messages with specific X-Priority headers through a dedicated high-priority transport

Example: Route a specific domain through an external SMTP relay

# Custom router — add before the standard remote_smtp router
sendgrid_route:
  driver = manualroute
  domains = transactional.example.com
  route_list = * smtp.sendgrid.net
  transport = sendgrid_transport

# Matching transport: add to the transports section
sendgrid_transport:
  driver = smtp
  hosts = smtp.sendgrid.net
  port = 587
  # Authentication and TLS must both succeed before mail is handed to the relay;
  # authentication also needs a client authenticator in the authenticators section
  hosts_require_auth = smtp.sendgrid.net
  hosts_require_tls = smtp.sendgrid.net

SMTP Parameter Tuning

The Advanced Editor allows modification of core SMTP timing and retry parameters that significantly affect deliverability and queue behavior:

  • smtp_connect_backoff — delay between retry attempts for failed outbound connections
  • retry_data_expire — how long Exim retains retry records (default: 7 days)
  • timeout_frozen_after — duration before a frozen message is automatically deleted
  • ignore_bounce_errors_after — time after which bounce messages for undeliverable mail are discarded

Tuning recommendation for high-volume servers: Reduce retry_data_expire to 3 days and timeout_frozen_after to 4 days to prevent the mail queue from accumulating large numbers of undeliverable messages that consume disk I/O during queue runner passes.

SpamAssassin Deep Customization

Beyond the Basic Editor's on/off toggle, the Advanced Editor allows you to modify the SpamAssassin invocation parameters within Exim's configuration:

# spamd listener that Exim connects to for content scanning (address, port, options)
spamd_address = 127.0.0.1 783 variant=spamc

Custom SpamAssassin rules are placed in /etc/mail/spamassassin/local.cf. For example, to add a scoring boost for messages failing both SPF and DKIM:

# /etc/mail/spamassassin/local.cf
score SPF_FAIL 5.0
score DKIM_INVALID 4.0
score MISSING_FROM 3.5
required_score 6.0

After modifying SpamAssassin rules, restart the daemon:

systemctl restart spamassassin

Exim vs. Alternative MTAs: Architecture Comparison

Understanding where Exim sits relative to other MTAs helps justify configuration decisions, particularly when evaluating whether to migrate or supplement your mail stack.

| Feature | Exim | Postfix | Sendmail | OpenSMTPD |
| --- | --- | --- | --- | --- |
| Default on cPanel/WHM | Yes | No | No | No |
| Configuration model | Single monolithic file | Modular (main.cf + master.cf) | M4 macro-based | Simple, readable syntax |
| ACL flexibility | Extremely high | High | Moderate | Moderate |
| Performance (high volume) | Good | Excellent | Moderate | Good |
| DKIM signing (native) | Via cPanel integration | Via `opendkim` | Via `opendkim` | Native |
| Learning curve | Steep | Moderate | Very steep | Low |
| cPanel integration depth | Native, full | Not supported | Not supported | Not supported |
| Community documentation | Extensive | Extensive | Declining | Growing |

For cPanel-based environments — whether Shared Web Hosting or dedicated infrastructure — Exim is the only fully supported MTA. Replacing it with Postfix on a cPanel server is technically possible but unsupported and voids cPanel's assistance for mail-related issues.

Security Hardening: Beyond the Default Configuration

The default cPanel Exim configuration is functional but not hardened. The following measures go beyond what the Basic Editor exposes and represent production-grade security practices.

Verify That the Server Is Not an Open Relay

Confirm your server is not an open relay immediately after any configuration change:

exim -bh 1.2.3.4 <<EOF
HELO test.example.com
MAIL FROM:<test@external-domain.com>
RCPT TO:<victim@another-external-domain.com>
EOF

A correctly configured server should return 550 at the RCPT TO stage for any recipient domain not hosted locally.

Enforce TLS for Outbound Connections

Add the following to the Advanced Editor to require TLS for outbound connections to domains that advertise STARTTLS:

# Exim's smtp transport already attempts STARTTLS whenever the remote host
# advertises it (unless the host matches hosts_avoid_tls)
tls_verify_hosts = *
tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt

Pairing this with a valid SSL Certificate on your mail server ensures both inbound and outbound connections are encrypted and verifiable.

Rate Limiting at the ACL Level

WHM's per-account rate limiting operates at the application layer. For volumetric abuse prevention at the SMTP layer, add rate limiting directly to the acl_smtp_connect ACL:

defer
  ratelimit = 100 / 1m / per_conn / $sender_host_address
  message = Connection rate limit exceeded. Try again later.

This limits any single IP address to 100 new connections per minute — effective against botnet-driven spam bursts without impacting legitimate high-volume senders that maintain persistent connections.

Implementing DMARC Enforcement

DMARC is not natively enforced by Exim in cPanel's default configuration — it only generates reports. To enforce DMARC rejection, install the opendmarc daemon and integrate it with Exim via a milter or local socket. Alternatively, use the Mail::DMARC Perl module via a custom Exim filter.

For servers where email deliverability is business-critical — such as those running Email Hosting services — implementing full DMARC enforcement (p=reject) on your sending domains is the single highest-impact deliverability improvement available.

Diagnosing Common Exim Problems

Mail Queue Inspection and Management

# View the current mail queue
exim -bp

# Count queued messages
exim -bpc

# Force immediate delivery attempt for all queued messages
exim -qff

# Delete a specific message from the queue by ID
exim -Mrm <message-id>

# Delete all frozen messages
exiqgrep -z -i | xargs exim -Mrm

Testing Exim Configuration Syntax

Before restarting Exim after manual config edits, always validate syntax:

exim -C /etc/exim.conf -bV

A clean output confirms the configuration file parses without errors. Any syntax error will be reported with a line number reference.

Tracing a Specific Message

# Find all log entries for a sender address
grep "sender@example.com" /var/log/exim_mainlog | tail -50

# Trace delivery of a specific queue ID
exim -Mvl <message-id>

# View message headers for a queued message
exim -Mvh <message-id>

# View message body for a queued message
exim -Mvb <message-id>

Checking DKIM Signing Status

# Verify DKIM key exists for a domain
ls -la /etc/domainkeys/yourdomain.com/

# Test outbound DKIM signing by sending a test message
echo "Test" | exim -v -odf test@mail-tester.com

Operational Considerations for Different Hosting Environments

The appropriate Exim configuration varies significantly based on the server's role and scale.

Shared hosting servers running dozens to hundreds of cPanel accounts require aggressive rate limiting, mandatory SpamAssassin scanning, and RBL enforcement. A single compromised account can result in the server's IP being blacklisted within hours. If you manage a VPS with cPanel, implementing per-account rate limits and automated account suspension triggers via WHM's Notify on Spam feature is essential.

Dedicated mail servers handling transactional email for a single organization benefit from relaxed rate limits, custom routing to multiple outbound IPs (IP rotation for deliverability), and direct DMARC enforcement. A Dedicated Server gives you full control over the IP reputation and PTR record configuration — both critical factors in inbox placement rates.

High-throughput AI or data pipeline environments that generate automated email notifications may benefit from separating transactional mail from bulk mail at the MTA level, using distinct transport configurations and outbound IP addresses for each traffic class.

Technical Decision Matrix: Configuration Checklist

Use this checklist to audit your Exim configuration against production-grade standards:

Authentication and signing

  • DKIM 2048-bit keys generated and DNS TXT records published for all sending domains
  • SPF records published with -all (hard fail) for all domains
  • DMARC policy set to at minimum p=quarantine with a reporting address configured
  • TLS certificate valid and covering the server's primary hostname (mail.yourdomain.com)

Anti-abuse controls

  • At least two RBLs enabled (recommend zen.spamhaus.org + one secondary)
  • SpamAssassin enabled with a score threshold of 5.0 and auto-delete at 10.0
  • Per-account email rate limits configured (300–500/hour for shared hosting)
  • Connection-level rate limiting implemented in acl_smtp_connect
  • Greylisting enabled for unknown senders

Routing and delivery

  • All domains verified as Local, Remote, or Backup — no domains left in ambiguous state
  • Backup MX (if configured) applies identical ACL rules as primary MX
  • Open relay test passed (no unauthorized relay possible)

Monitoring and logging

  • SMTP transaction logging enabled
  • Log rotation configured with minimum 30-day retention
  • Alerting configured for queue depth exceeding threshold (e.g., 500+ messages)
  • Regular review of /var/log/exim_rejectlog for false positive patterns

Maintenance

  • cPanel/WHM auto-updates enabled for security releases
  • Exim version checked against upstream release notes quarterly
  • SpamAssassin rule updates automated via sa-update cron job

# Add to crontab for daily SpamAssassin rule updates
0 3 * * * /usr/bin/sa-update && systemctl restart spamassassin

FAQ

What is the difference between the Basic Editor and Advanced Editor in Exim Configuration Manager?

The Basic Editor provides toggle-based access to the most commonly needed Exim settings — spam filters, rate limits, DKIM, SPF, and routing — without exposing raw configuration syntax. The Advanced Editor gives direct access to the Exim configuration template, allowing insertion of custom ACLs, routers, transports, and directives that have no equivalent in the Basic Editor. Both write to the same underlying configuration file.

Will changes in WHM's Exim Configuration Manager survive a cPanel update?

Changes made through the Basic Editor are stored in WHM's configuration database and are reapplied when the Exim template is regenerated during updates. Changes made in the Advanced Editor are preserved only if they are placed within the designated custom override sections of the template. Directives inserted outside these sections may be overwritten during cPanel version upgrades.

How do I stop a compromised cPanel account from sending spam through Exim?

Immediately suspend the account in WHM, then purge its queued messages:

exiqgrep -f "compromised@domain.com" -i | xargs exim -Mrm

After suspension, audit the account's sent mail log, rotate all credentials, and scan for web shells or backdoors. Implement per-account rate limiting and WHM's Notify on Spam threshold to detect future incidents earlier.
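
For the sent-mail audit step, the following added example (not part of the original article) counts Exim arrival lines per sending identity and hour, so an account that exceeded its hourly limit stands out. It assumes the default exim_mainlog field layout (no +pid log selector); the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-identity hourly send counts from exim_mainlog "<=" lines.

# Usage: flag_heavy_senders LIMIT < /var/log/exim_mainlog
# Output: "COUNT DATE HOUR IDENTITY", highest count first, for every
# identity with at least LIMIT accepted messages in one clock hour.
flag_heavy_senders() {
    awk -v limit="$1" '
        $4 == "<=" && $5 != "<>" {           # arrivals only, bounces skipped
            id = "env:" $5                    # fallback: envelope sender
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^T=/) break         # subject text is sender-controlled
                if ($i ~ /^U=/) id = "local:" substr($i, 3)
                if ($i ~ /^A=[^:]+:/) { id = $i; sub(/^A=[^:]+:/, "auth:", id) }
            }
            n[$1 " " substr($2, 1, 2) ":00 " id]++
        }
        END { for (k in n) if (n[k] >= limit) print n[k], k }
    ' | sort -rn
}

# Constructed sample lines (not real traffic). The second line shows a forged
# envelope sender under the same SMTP login; the third carries a subject that
# tries to imitate an A= field.
sample_mainlog() {
    cat <<'EOF'
2024-10-18 03:01:10 1t1aaa-000001-1A <= info@shop.example H=(pc1) [203.0.113.7]:40112 P=esmtpsa A=dovecot_login:info@shop.example S=2100 T="Invoice" for a@remote.example
2024-10-18 03:02:11 1t1aab-000002-1A <= ceo@shop.example H=(pc1) [203.0.113.7]:40113 P=esmtpsa A=dovecot_login:info@shop.example S=2101 T="Invoice" for b@remote.example
2024-10-18 03:03:12 1t1aac-000003-1A <= info@shop.example H=(pc1) [203.0.113.7]:40114 P=esmtpsa A=dovecot_login:info@shop.example S=2102 T="fw: A=dovecot_login:other@shop.example" for c@remote.example
2024-10-18 03:04:13 1t1aad-000004-1A <= shopuser@host.example U=shopuser P=local S=900 T="Order" for d@remote.example
2024-10-18 03:05:14 1t1aae-000005-1A <= shopuser@host.example U=shopuser P=local S=901 T="Order" for e@remote.example
2024-10-18 03:06:15 1t1aaf-000006-1A <= <> R=1t1aad-000004-1A U=mailnull P=local S=1500 T="Mail delivery failed" for shopuser@host.example
2024-10-18 03:07:16 1t1aad-000004-1A => d@remote.example R=dkim_lookuphost T=dkim_remote_smtp H=mx.remote.example [198.51.100.9] C="250 OK"
2024-10-18 04:00:01 1t1aag-000007-1A <= info@shop.example H=(pc1) [203.0.113.7]:40115 P=esmtpsa A=dovecot_login:info@shop.example S=2103 T="Invoice" for f@remote.example
EOF
}

# Demo on the constructed sample with a limit of 3 messages per hour.
sample_mainlog | flag_heavy_senders 3
```

Grouping by the authenticated login or local user rather than the envelope sender keeps the count tied to the cPanel credential that was actually used, which is the one to rotate.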

Why are legitimate emails being rejected by my Exim server after enabling RBLs?

RBL false positives occur most frequently with mail from large shared infrastructure providers (AWS, Google, Microsoft) whose IP ranges may appear on some lists due to other tenants' abuse. Check the specific RBL that caused the rejection using dig <reversed-ip>.zen.spamhaus.org and whitelist the IP or CIDR range in Exim's host_list if the sender is legitimate. Consider using warn instead of deny for secondary RBLs to log hits without rejecting.
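
The lookup described above, as an added example that is not part of the original article: it builds the reversed-octet query name for an IPv4 address and interprets the A records that zen.spamhaus.org returns. The return-code mapping follows Spamhaus's published codes rather than anything in the article, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: DNSBL query name construction and zen.spamhaus.org answers.

# dnsbl_qname IPV4 ZONE -> "d.c.b.a.ZONE"; returns 1 on a malformed address.
dnsbl_qname() {
    ip=$1
    zone=$2
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip                 # split into octets (input is digits and dots only)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# zen_classify A_RECORD -> which component list (or error) the answer means.
zen_classify() {
    case $1 in
        127.0.0.2|127.0.0.3|127.0.0.9) echo "listed:SBL" ;;
        127.0.0.[4-7])                 echo "listed:XBL" ;;
        127.0.0.10|127.0.0.11)         echo "listed:PBL" ;;
        127.255.255.*)                 echo "error:query-not-served" ;;
        *)                             echo "unknown" ;;
    esac
}

# zen_report: stdin is one A record per line (the output of dig +short).
# Prints "listed:<lists>", "error" or "clean". Answers in 127.255.255.0/24
# (for example when the query arrives through a public resolver) are errors,
# not listings, and must not be used as grounds for rejecting mail.
zen_report() {
    lists=""
    errors=0
    while IFS= read -r answer; do
        [ -n "$answer" ] || continue
        class=$(zen_classify "$answer")
        case $class in
            listed:*) lists="$lists ${class#listed:}" ;;
            error:*)  errors=1 ;;
        esac
    done
    if [ -n "$lists" ]; then
        echo "listed:${lists# }"
    elif [ "$errors" -eq 1 ]; then
        echo "error"
    else
        echo "clean"
    fi
}

# Live lookup; needs network access and dig, so it is defined but not run here.
zen_lookup() {
    name=$(dnsbl_qname "$1" zen.spamhaus.org) || return 1
    dig +short A "$name" | zen_report
}
```

Run `zen_lookup` from the mail server itself, so the query goes through the same resolver Exim uses; an "error" result points at the resolver setup rather than at the sender.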

Does Exim Configuration Manager support DMARC enforcement natively?

No. cPanel's Exim Configuration Manager handles SPF checking and DKIM signing natively, but DMARC enforcement (acting on p=reject or p=quarantine policies published by sending domains) requires additional software such as opendmarc integrated as a milter, or a custom Exim filter using the Mail::DMARC Perl module. DMARC reporting (receiving aggregate reports) is a separate function handled by a dedicated DMARC report processor.
