Smarthost Mailtarget Setup Guide in WHM/cPanel (Exim)

Written by Product Support
Updated over 2 months ago

This document explains, step by step, how to securely route outbound email from your WHM/cPanel server through Mailtarget SMTP in a way that survives cPanel updates and is easy to roll back.

The end result: all outgoing email (except local delivery) is routed to smtp.mtrgt.net port 587 with AUTH + TLS.

1. Prerequisites

  • Root access to WHM (https://IP:2087).

  • Mailtarget SMTP credentials (username & API key/password).

  • Outbound firewall allows TCP 587.

  • Sender domain must have SPF/DKIM that meets the sending policy.

2. Backup & Initial Validation

  • Backup the Exim configuration: WHM → Service Configuration → Exim Configuration Manager → Backup.

  • Check the Exim version and validate the configuration syntax:

    exim -bV
    exim -C /etc/exim.conf -bV # active file validation

3. Open the Advanced Editor

WHM → Service Configuration → Exim Configuration Manager → Advanced Editor tab.

Changes made via the Advanced Editor are not overwritten during cPanel updates, unlike manual edits to /etc/exim.conf.

4. Store Credentials in a File (more secure)

Don't hardcode credentials in the configuration. Store them in a lookup file:

  • Create/modify the client credentials file: nano /etc/exim.passwd.client

  • Add the following line (no trailing spaces): smtp.mtrgt.net:MAILTARGET_USERNAME:MAILTARGET_APIKEY

  • Set strict permissions:

    • chown root:root /etc/exim.passwd.client

    • chmod 600 /etc/exim.passwd.client

The format must be exact: host:username:password per line. One host per line.
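A format or permission mistake in this file only shows up later as a failed AUTH, so it is worth linting before saving the Exim configuration. The function below is an added example, not part of Mailtarget's or cPanel's tooling; it assumes GNU stat and takes the expected owner UID as an optional second argument (default 0, root).

```shell
#!/bin/sh
# Added example: lint an Exim client credentials file (host:username:password per line).
# Assumes GNU stat (standard on cPanel-supported Linux distributions).
# check_passwd_client FILE [OWNER_UID] prints findings; returns 0 if clean, 1 otherwise.
check_passwd_client() {
    file=$1; want_uid=${2:-0}; rc=0; n=0; seen=""
    [ -f "$file" ] || { echo "MISSING: $file"; return 1; }

    # The guide requires root ownership and mode 600.
    mode=$(stat -c '%a' "$file")
    [ "$mode" = "600" ] || { echo "MODE: $mode, expected 600"; rc=1; }
    uid=$(stat -c '%u' "$file")
    [ "$uid" = "$want_uid" ] || { echo "OWNER: uid $uid, expected $want_uid"; rc=1; }

    # Report line numbers only; the line content holds the secret.
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;
            *[[:space:]]*) echo "FORMAT: line $n contains whitespace"; rc=1; continue ;;
        esac
        host=${line%%:*}; rest=${line#*:}
        user=${rest%%:*}; pass=${rest#*:}
        if [ "$rest" = "$line" ] || [ "$pass" = "$rest" ] ||
           [ -z "$host" ] || [ -z "$user" ] || [ -z "$pass" ]; then
            echo "FORMAT: line $n is not host:username:password"; rc=1; continue
        fi
        # lsearch returns the first matching key, so a repeated host is never used.
        case " $seen " in
            *" $host "*) echo "DUPLICATE: line $n repeats host $host"; rc=1 ;;
        esac
        seen="$seen $host"
    done < "$file"
    return "$rc"
}
```

Run it as root with check_passwd_client /etc/exim.passwd.client; no output and exit status 0 mean the file matches what this guide expects.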

5. Add Authenticator (@AUTH@)

In the Advanced Editor, find/expand the Add additional configuration setting section, then in the @AUTH@ block, add:

@AUTH@
# Login authenticator for outbound (client side)
auth_login:
driver = plaintext
public_name = LOGIN
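hide client_send = : ${extract{1}{::}{${lookup{$host}lsearch*{/etc/exim.passwd.client}{$value}fail}}} : ${extract{2}{::}{${lookup{$host}lsearch*{/etc/exim.passwd.client}{$value}fail}}}

Short explanation:

  • hide client_send prevents credentials from appearing in the log.

  • The lsearch* lookup returns the full username:password value from the file. client_send is itself a colon-separated list (empty initial string, then username, then password) that Exim splits before expanding each item, so each ${extract{N}{::}{...}} picks one field out of that value. The colon is doubled inside the braces because a single colon would be read as a list separator. A password that itself contains a colon would be cut at that colon.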

6. Add Router (@PREROUTERS@)

Still in the Advanced Editor, in the @PREROUTERS@ block, add:

@PREROUTERS@
# Manual route to smarthost Mailtarget for all non-local domains
smart_route:
driver = manualroute
domains = ! +local_domains
# "<;" changes the list separator to ";" so the colons in ::1 are not read as list separators
ignore_target_hosts = <; 127.0.0.0/8 ; ::1
route_list = * smtp.mtrgt.net::587
transport = auth_relay
no_more

Note:

  • domains = ! +local_domains ensures local delivery remains local.

  • ::587 forces port 587.

  • Added ::1 for IPv6 loopback.

7. Add Transport (@TRANSPORTSTART@)

In the @TRANSPORTSTART@ block add:

@TRANSPORTSTART@
auth_relay:
driver = smtp
hosts_require_auth = smtp.mtrgt.net
hosts_require_tls = smtp.mtrgt.net
# tls_require_ciphers = NORMAL:!VERS-SSL3.0:!VERS-TLS1.2

8. Save & Restart

Click Save at the bottom of the Advanced Editor. WHM will rebuild the configuration and restart Exim automatically. Ensure there are no build errors.

9. Test Connection & Delivery

A. Check the TLS connection to Mailtarget

openssl s_client -starttls smtp -connect smtp.mtrgt.net:587 -servername smtp.mtrgt.net

A valid certificate and an active SSL session should appear.

B. Send a test run (option 1 – swaks)

swaks --to RECIPIENT_ADDRESS \
--from SENDER_ADDRESS \
--server smtp.mtrgt.net --port 587 --tls \
--auth LOGIN --auth-user MAILTARGET_USERNAME --auth-password MAILTARGET_APIKEY \
--header "Subject: Test via WHM→Mailtarget" --body "Hello from WHM"

C. Monitoring logs

tail -f /var/log/exim_mainlog

10. Firewall & Network

  • Ensure outbound TCP port 587 is open (CSF: SMTP_PORTS or OUTGOING_TCP).

  • If you have a proxy/IPS, whitelisting smtp.mtrgt.net is recommended for stability.

11. Security & Operations

  • Rotate Mailtarget API keys periodically.

  • Do not store credentials in documentation/chat.

  • Restrict access to the /etc/exim.passwd.client file (600).

  • Audit logs: /var/log/exim_mainlog, /var/log/exim_rejectlog.
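For the log audit, the useful question is whether any remote delivery left the server without going through the authenticated, TLS-protected transport. The script below is an added example, not part of the original guide: it assumes the default Exim log layout (date, time, message ID, then the => or -> delivery flag), the auth_relay transport name used in this guide, and sample lines constructed for illustration with documentation-range addresses.

```shell
#!/bin/sh
# Added example: flag remote deliveries in exim_mainlog that bypassed the smarthost
# transport or were sent without TLS.
# audit_relay [LOGFILE|-] [TRANSPORT] prints findings; returns 1 if there are any.
audit_relay() {
    awk -v want="${2:-auth_relay}" '
        # Delivery lines carry "=>" (first recipient) or "->" (additional recipient).
        $4 != "=>" && $4 != "->" { next }
        {
            transport = ""; host = ""; tls = 0
            for (i = 5; i <= NF; i++) {
                if ($i ~ /^C="/) break                  # server response text follows
                else if ($i ~ /^T=/) transport = substr($i, 3)
                else if ($i ~ /^H=/) host = substr($i, 3)
                else if ($i ~ /^X=/) tls = 1            # X= is the negotiated TLS cipher
            }
            if (host == "") next                        # no H= field: local delivery
            remote++
            if (transport != want) { print "BYPASS " $3 " T=" transport " H=" host; bad++ }
            else if (!tls)         { print "NOTLS  " $3 " H=" host; bad++ }
        }
        END { printf "remote=%d findings=%d\n", remote, bad; exit (bad > 0) }
    ' "${1:--}"
}

# Constructed sample log lines (not taken from a real server).
sample_log() {
    cat <<'EOF'
2025-01-10 09:15:02 1tWaAA-0001Xy-2B => a@example.net R=smart_route T=auth_relay H=smtp.mtrgt.net [192.0.2.25] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes A=auth_login C="250 OK"
2025-01-10 09:16:40 1tWaBB-0001Zq-1C => b@example.org R=skip_partner T=remote_smtp H=mx.example.org [198.51.100.7] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 OK"
2025-01-10 09:17:05 1tWaCC-0001aB-3D => localuser <localuser@host.example> R=virtual_user T=dovecot_virtual_delivery
2025-01-10 09:18:11 1tWaDD-0001cD-0E => c@example.com R=smart_route T=auth_relay H=smtp.mtrgt.net [192.0.2.25] C="250 OK"
EOF
}

sample_log | audit_relay - || echo "review the findings above"
```

On a live server, run audit_relay /var/log/exim_mainlog. Domains deliberately routed around Mailtarget (section 13B) will appear as BYPASS lines and should match the exceptions you configured.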

12. Quick Rollback

  • Advanced Editor: Remove the smart_route & auth_relay blocks, and change @AUTH@ if it's specific to Mailtarget.

  • Save → Restart Exim.

  • (Optional) Rename /etc/exim.passwd.client.

  • Restore from backup if necessary.

13. Variations & Exceptions (Optional)

A. Route only specific domains via Mailtarget

# Change domains= to only specify domains in a specific list
# For example: send only to external domains, excluding some partner domains
# Create a domainlist first: domainlist relay_only = d1.com : d2.net
smart_route:
driver = manualroute
domains = +relay_only
route_list = * smtp.mtrgt.net::587
transport = auth_relay
no_more

B. Bypass specific domains/hosts (not via Mailtarget)

# Add before the smart_route router
skip_partner:
driver = dnslookup
domains = partner.local : example.org
self = send
# Send directly via the domain's MX records, not through auth_relay
transport = remote_smtp
no_more

14. Quick Troubleshooting

| Problem | Common Causes | Solution |
|---|---|---|
| AUTH failed (535) | Incorrect username/key, incorrect line/format in /etc/exim.passwd.client | Correct credentials; ensure they are in the format host:user:pass, without spaces, and with permissions set to 600 |
| TLS required but not available | STARTTLS is unavailable (intercept/block) | Check openssl s_client, ensure it exits via 587, and disable TLS inspection if applicable |
| Connection timed out | Outbound firewall blocks 587 | Open 587 in CSF/iptables, test telnet smtp.mtrgt.net 587 |
| Looping/route defer | Wrong router order | Ensure smart_route is after the local delivery router and uses no_more |
| 550 Sender verification failed | SPF/DKIM is incorrect | Set up the SPF/DKIM for the sending domain according to the sending policy |

15. Minimal Example (not recommended – hardcoded)

If absolutely necessary (temporary) and the environment is controlled, here's the example:

@AUTH@
auth_login:
driver = plaintext
public_name = LOGIN
hide client_send = : MAILTARGET_USERNAME : MAILTARGET_APIKEY

@PREROUTERS@
smart_route:
driver = manualroute
domains = ! +local_domains
# "<;" changes the list separator to ";" so the colons in ::1 are not read as list separators
ignore_target_hosts = <; 127.0.0.0/8 ; ::1
route_list = * smtp.mtrgt.net::587
transport = auth_relay
no_more

@TRANSPORTSTART@
auth_relay:
driver = smtp
hosts_require_auth = smtp.mtrgt.net
hosts_require_tls = smtp.mtrgt.net

Note: Use for initial testing only. Move credentials to /etc/exim.passwd.client soon.
