How to configure Exim on cPanel to only accept mail from MXGuardian

Kent Oyer
  • Updated
Follow

Introduction

In a standard cPanel server setup, mail is typically accepted directly from any sender on the internet.
However, when you are using MXGuardian to filter inbound email, you want to ensure that your protected domains only accept mail that has passed through MXGuardian — and reject any direct delivery attempts that try to bypass the filtering.

This configuration is useful when:

  • Only some of your domains are using MXGuardian (not all accounts on the server).

  • You cannot fully firewall port 25 because you have other customers or services that still receive direct mail.

  • You want a flexible, low-maintenance solution that allows you to easily update protected domains and trusted IPs without manually editing Exim each time.

This guide will walk you through how to configure Exim on your cPanel server to enforce this behavior using simple flat files and WHM’s Advanced Exim Configuration Editor.

Step 1 — Backup Your Exim Configuration (Important)

Before making any changes, please backup your existing Exim configuration.

Follow this guide to back up and restore your Exim settings:

How to Backup and Restore Exim Configuration

Do not proceed until you have completed a backup.

Step 2 — Prepare Your Domain and IP Lists

You will need to create two simple files on your server to store your protected domains and trusted MXGuardian IPs.

SSH into your server as root and do the following:

2.1 Create the list of protected domains

mkdir -p /etc/exim 
nano /etc/exim/mxguardian_domains

Add your MXGuardian-protected domains, one per line:

example.com
example.org
example.net

Save and exit (CTRL+O, Enter, CTRL+X).

2.2 Create the list of trusted MXGuardian IPs

nano /etc/exim/mxguardian_ips

Add your trusted MXGuardian IP addresses, one per line:

MXGuardian IP address list

Save and exit.

2.3 Set permissions on the files

Make sure the files are properly readable by Exim:

chown root:root /etc/exim/mxguardian_domains /etc/exim/mxguardian_ips
chmod 644 /etc/exim/mxguardian_domains /etc/exim/mxguardian_ips

Step 3 — Log into WHM

  • Go to WHM (WebHost Manager).

  • Login as root.

Step 4 — Open Exim Configuration Manager

  • In the WHM sidebar, search for Exim Configuration Manager.

  • Click on it.

Step 5 — Switch to the Advanced Editor

  • Click the "Advanced Editor" tab inside Exim Configuration Manager.

(You might see a warning about editing manually — that's expected.)

Step 6 — Define Your Domain and IP Lists

Scroll down to:

"Add additional configuration to the top of the file"

In the text box, add:

domainlist mxguardian_protected_domains = lsearch;/etc/exim/mxguardian_domains
hostlist mxguardian_trusted_ips = net-iplsearch;/etc/exim/mxguardian_ips

✅ This tells Exim to use the two flat files you created.

Step 7 — Add the ACL Rule

Scroll down further to:

"Section: CUSTOMACL"

In the text box, paste:

# Block direct delivery attempts for MXGuardian-protected domains
deny
  domains = +mxguardian_protected_domains
  !hosts = +mxguardian_trusted_ips
  message = "Mail for this domain must be delivered via MXGuardian servers."

✅ This ACL will reject mail that targets protected domains unless it comes from an authorized MXGuardian IP.

Step 8 — Save and Restart Exim

  • Scroll to the bottom of the page.

  • Click Save.

  • WHM will prompt you to restart Exim — click Yes.

✅ The new settings will take effect immediately.

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk