When a domain’s MX records point to MailChannels, all mail for that domain should arrive via MailChannels — not directly from the open internet. Without additional configuration, your mail servers will still accept direct SMTP connections from anyone, allowing senders to bypass inbound filtering entirely.
To enforce this, configure an ACL (Access Control List) on your mail server that rejects direct connections for any domain whose MX records point to MailChannels. The ACL checks whether the connecting host is a MailChannels delivery server, and temporarily rejects the connection if it is not — prompting the sender to use the correct MX path.
The steps below cover WHM/cPanel and DirectAdmin servers running Exim.
Safelist MailChannels service IPs
Your mail server must accept connections from the MailChannels inbound filtering delivery servers. Add the following IP addresses to your mail server’s allowlist:
35.161.220.134
35.163.189.64
34.214.167.131
23.83.223.254
23.83.220.5
23.83.212.2
23.83.208.2
These IP addresses are used exclusively for inbound email filtering. Refer to your mail server’s documentation for how to configure an IP-based allowlist.
Restrict connections via Exim ACL
WHM/cPanel servers
Step 1: Create protection scripts
SSH into your server and create the following two files:
/opt/mc-mx-protect:
#!/bin/bash
# Print the domain's MX hosts, sorted and joined with ':' (trailing dots and newline stripped).
host -t MX "$1" | sort -n -k1 | cut -d ' ' -f 7 | sed -e 's/\.$//' | xargs | sed -e 's/ /:/g' | tr -d '\n'
/opt/mc-ptr-protect:
#!/bin/bash
# Print the PTR name of the connecting IP address (trailing dot and newline stripped).
host -t PTR "$1" | cut -d ' ' -f5 | sed 's/\.$//g' | tr -d '\n'
Add execute permissions to both files:
chmod +x /opt/mc-mx-protect && chmod +x /opt/mc-ptr-protect
Step 2: Update Exim configuration
- Log in to the WHM panel.
- Open Exim Configuration Editor → Advanced Editor.
- Search for custom_begin_recp_verify.
- Add the following snippet in the provided box:
################## Start MailChannels verification #####################################
defer
  !condition = ${if match_domain{${run {/opt/mc-ptr-protect $sender_host_address}}}{*.mailchannels.net}}
  set acl_m_mx_records = ${run {/opt/mc-mx-protect $domain}}
  condition = ${if eq{$acl_m_mx_records}{mx1.mailchannels.net:mx2.mailchannels.net}}
  message = Please deliver mail to the address specified in the MX records for this domain.
################## End MailChannels verification #####################################
- Save the configuration and restart Exim.
DirectAdmin servers (v1.63.0+)
Step 1: Create protection scripts
SSH into your server and create the following two files:
/usr/local/directadmin/scripts/custom/mc-mx-protect:
#!/bin/bash
# Print the domain's MX hosts, sorted and joined with ':' (trailing dots and newline stripped).
host -t MX "$1" | sort -n -k1 | cut -d ' ' -f 7 | sed -e 's/\.$//' | xargs | sed -e 's/ /:/g' | tr -d '\n'
/usr/local/directadmin/scripts/custom/mc-ptr-protect:
#!/bin/bash
# Print the PTR name of the connecting IP address (trailing dot and newline stripped).
host -t PTR "$1" | cut -d ' ' -f5 | sed 's/\.$//g' | tr -d '\n'
Add execute permissions:
chmod +x /usr/local/directadmin/scripts/custom/mc-mx-protect && chmod +x /usr/local/directadmin/scripts/custom/mc-ptr-protect
Step 2: Update Exim configuration
- Navigate to the custombuild directory:
cd /usr/local/directadmin/custombuild
- Ensure Exim is configured:
./build update
./build set exim yes
./build exim
- Add the custom ACL to the Exim configuration:
vi /etc/exim.acl_check_rcpt.conf.custom
- Insert the following ACL rule:
################## Start MailChannels verification #####################################
defer
  !condition = ${if match_domain{${run {/usr/local/directadmin/scripts/custom/mc-ptr-protect $sender_host_address}}}{*.mailchannels.net}}
  set acl_m_mx_records = ${run {/usr/local/directadmin/scripts/custom/mc-mx-protect $domain}}
  condition = ${if eq{$acl_m_mx_records}{mx1.mailchannels.net:mx2.mailchannels.net}}
  message = Please deliver mail to the address specified in the MX records for this domain.
################## End MailChannels verification #####################################
- Rebuild the Exim configuration and restart:
./build exim_conf
service exim restart
What these ACL rules do
Once applied, your mail server will:
- Accept mail from hosts with a PTR record matching *.mailchannels.net or from localhost.
- Temporarily reject direct delivery attempts that don’t originate from MailChannels, directing senders to use the MX path instead.
- Allow direct delivery for domains whose MX records do not point to MailChannels, since those domains are not routed through inbound filtering.
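The decision these rules make can be checked offline before touching a live server. The script below is an added example, not MailChannels' code: it runs the page's two parsing pipelines over constructed `host` output (the hostnames, addresses and the `acl_decision` helper are assumptions made for the example) and prints whether the `defer` statement would fire. It also covers two cases that follow from the ACL text: a failed PTR lookup is deferred, and a domain whose sorted MX list is not exactly `mx1.mailchannels.net:mx2.mailchannels.net` is not matched by the rule.

```bash
#!/bin/bash
# Added example: offline model of the ACL decision, fed constructed `host` output.
# parse_mx / parse_ptr are the page's pipelines, reading stdin instead of querying DNS.
parse_mx()  { sort -n -k1 | cut -d ' ' -f 7 | sed -e 's/\.$//' | xargs | sed -e 's/ /:/g' | tr -d '\n'; }
parse_ptr() { cut -d ' ' -f5 | sed 's/\.$//g' | tr -d '\n'; }

# acl_decision <PTR lookup output> <MX lookup output>
# Prints "defer" when the statement would fire, "pass" when it would not
# (Exim then moves on to the ACL statements that follow).
acl_decision() (
    ptr=$(printf '%s\n' "$1" | parse_ptr)
    mx=$(printf '%s\n' "$2" | parse_mx)
    case "$ptr" in
        *.mailchannels.net) echo pass ;;            # !condition fails: MailChannels host
        *)  if [ "$mx" = "mx1.mailchannels.net:mx2.mailchannels.net" ]; then
                echo defer                          # direct delivery to a filtered domain
            else
                echo pass                           # eq{} fails: domain not matched
            fi ;;
    esac
)

# Constructed sample lookups (names and addresses are made up for this example).
PTR_MC='10.2.0.192.in-addr.arpa domain name pointer relay.mailchannels.net.'
PTR_OTHER='20.2.0.192.in-addr.arpa domain name pointer mail.example.org.'
PTR_NONE='Host 30.2.0.192.in-addr.arpa. not found: 3(NXDOMAIN)'
MX_MC='example.test mail is handled by 10 mx2.mailchannels.net.
example.test mail is handled by 10 mx1.mailchannels.net.'
MX_OTHER='example.test mail is handled by 10 mail.example.test.'
MX_EXTRA="$MX_MC
example.test mail is handled by 50 backup.example.test."

run_cases() {
    echo "MailChannels host, filtered domain: $(acl_decision "$PTR_MC" "$MX_MC")"
    echo "Direct sender, filtered domain:     $(acl_decision "$PTR_OTHER" "$MX_MC")"
    echo "Direct sender, unfiltered domain:   $(acl_decision "$PTR_OTHER" "$MX_OTHER")"
    echo "No PTR record, filtered domain:     $(acl_decision "$PTR_NONE" "$MX_MC")"
    echo "Direct sender, extra MX present:    $(acl_decision "$PTR_OTHER" "$MX_EXTRA")"
}
run_cases
```

To check a real domain, pipe the output of `host -t MX` for it into `parse_mx` and confirm the result is exactly the string the ACL compares against.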