How to Customize the Exim System Filter File

Overview

Warning:

The steps in this document are for advanced users only.

The Exim system filter file scans messages that your server has received, but that it has not yet delivered. To add custom filter rules to your Exim configuration, you may either create custom filter rule files for Exim to include in its configuration, or create a custom Exim system filter file.

How to create a custom filter rule file

To create a custom filter rule file, perform the following steps:

  1. Create a file in the /usr/local/cpanel/etc/exim/sysfilter/options/ directory.
  2. Within that file, enter your custom filter rules. For example, to block mail from user@example.com, add the following rule:

    if ("$h_from:" contains "user@example.com")
    then fail
    endif

  3. Navigate to WHM's Exim Configuration Manager interface (Home >> Service Configuration >> Exim Configuration Manager). In the Basic Editor section, select the Filters tab.
  4. Disable any undesired filter rules.
  5. Click Save.

Warning:

The Exim configuration enables all of the custom filter rules within the /usr/local/cpanel/etc/exim/sysfilter/options/ directory.

How to create a custom Exim system filter file

To create a custom system filter file, perform the following steps:

  1. Log in to the server as the root user.

  2. Run the following command to copy the /etc/cpanel_exim_system_filter file:

    cp -p /etc/cpanel_exim_system_filter /etc/cpanel_system_filter_new

    Warning:

    We strongly recommend that you copy this file before you edit it. If you experience problems, use the unmodified file to revert your changes.

  3. Confirm that the new file has the following ownership and file permissions:

    -rw-r--r-- 1 root root

  4. Use your preferred text editor to edit the /etc/cpanel_system_filter_new file.
  5. Navigate to WHM's Exim Configuration Manager interface (Home >> Service Configuration >> Exim Configuration Manager).
  6. In the Basic Editor section of the interface, select the textbox option for the System Filter File setting.

    Warning:

    Regardless of which option you select, the Exim configuration will include all of the files within the /usr/local/cpanel/etc/exim/sysfilter/options/ directory.

  7. Enter the new file's absolute path in the text box (for example, /etc/cpanel_system_filter_new).
  8. Click Save.

    Note:

    Exim restarts when you save changes in the Exim Configuration Manager interface.

For more information about the Exim system filter file, visit Exim's system filter documentation.

How to block additional extensions

The /etc/cpanel_exim_system_filter file is the system's default filter file. It contains the following sections:

  • Single-part MIME messages with suspicious name extensions.
  • Single-part MIME messages with suspicious name extensions that use unquoted filenames.
  • Embedded VBS attachments.
  • Embedded VBS attachments that use unquoted filenames.

To block a new extension, edit the regular expressions in the following lines:

if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"

if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"

if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"

if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"

Note:

To unblock an extension, remove it from those regular expressions.

For example, if you blocked the .foo extension, your changes would resemble the following example:

if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|foo|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"

if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|foo|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"

if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|foo|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"

if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|foo|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"
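
One way to check such an edit before you point Exim at the new file, as an added example (not cPanel's or Exim's own code): the Python sketch below adds an extension to every blocked-extension list in filter text and tests the resulting Content-Type rules against constructed headers. The function names, the sample headers, and the two-pass unescaping (which handles only the backslash escapes these lines use) are assumptions of the example.

```python
import re

EXTS = ('ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|'
        'md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]')
# Constructed sample: the two Content-Type rules as this page shows them.
QUOTED = (r'if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:'
          + EXTS + r')\")"')
UNQUOTED = (r'if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:'
            + EXTS + r'))"')
SAMPLE = QUOTED + '\n\n' + UNQUOTED + '\n'

# Every extension list follows the four-backslash escaped dot, then "(?:".
EXT_LIST = re.compile('(' + re.escape(r'\\\\.(?:') + r')([^)]*)\)')


def add_extension(filter_text, ext):
    """Return (patched_text, lists_found) with ext in every extension list."""
    if not re.fullmatch(r'[a-z0-9]+', ext):
        raise ValueError('extension must be lowercase letters or digits only')

    def patch(match):
        items = set(match.group(2).split('|')) | {ext}
        return match.group(1) + '|'.join(sorted(items)) + ')'

    return EXT_LIST.subn(patch, filter_text)


def to_pcre(rule_line):
    """Recover the regex Exim compiles from a quoted `matches` argument."""
    quoted = rule_line.split(' matches ', 1)[1].strip()[1:-1]
    # Pass 1 undoes quoted-string escapes, pass 2 undoes string expansion.
    # Assumption: only \\ and \" occur, as in the rules on this page.
    for _ in range(2):
        quoted = re.sub(r'\\(.)', r'\1', quoted)
    return quoted


def is_blocked(rule_line, content_type):
    """True if the rule's regex matches the given Content-Type value."""
    # Lower-case `matches` in an Exim filter ignores letter case.
    return re.search(to_pcre(rule_line), content_type, re.I) is not None


if __name__ == '__main__':
    patched, found = add_extension(SAMPLE, 'foo')
    print(found, 'extension lists updated')
    for rule in filter(None, patched.splitlines()):
        print(is_blocked(rule, 'application/octet-stream; name="report.foo"'))
```

Run against the full contents of the copied filter file, `add_extension` should report four lists, one for each line shown above.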
