How to Customize the Exim System Filter File

Last modified: January 26, 2023


Overview

Warning:
The steps in this document are for advanced users only.

The Exim system filter file scans messages that your server has received, but that it has not yet delivered. To add custom filter rules to your Exim configuration, you may either create custom filter rule files for Exim to include in its configuration, or create a custom Exim system filter file.

How to create a custom filter rule file

To create a custom filter rule file, perform the following steps:

  1. Create a file in the /usr/local/cpanel/etc/exim/sysfilter/options/ directory.

  2. Within that file, enter your custom filter rules. For example, to block mail from [email protected], add the following rule:

    
    if ("$h_from:" contains "[email protected]")
    then fail
    endif

  3. Navigate to WHM’s Exim Configuration Manager interface (WHM » Home » Service Configuration » Exim Configuration Manager). In the Basic Editor section, select the Filters tab.

  4. Disable any undesired filter rules.

  5. Click Save.

Warning:
The Exim configuration enables all of the custom filter rules within the /usr/local/cpanel/etc/exim/sysfilter/options/ directory.

How to create a custom Exim system filter file

Warning:

Do not directly edit the /etc/cpanel_exim_system_filter file. The system will lose any changes when your Exim Configuration rebuilds.

To create a custom system filter file, perform the following steps:

  1. Log in to the server as the root user.

  2. Run the following command to copy the /etc/cpanel_exim_system_filter file:

    cp -p /etc/cpanel_exim_system_filter /etc/cpanel_system_filter_new

    Warning:

    We strongly recommend that you copy this file before you edit it. If you experience problems, use the file to revert your changes.

  3. Confirm that the new file has the following ownership and file permissions:

    -rw-r--r-- 1 root root

  4. Use your preferred text editor to edit the /etc/cpanel_system_filter_new file.

  5. Navigate to the Basic Editor section of WHM’s Exim Configuration Manager interface (WHM » Home » Service Configuration » Exim Configuration Manager).

  6. Select the text box option for the System Filter File setting.

    Warning:

    Regardless of which option you select, the Exim configuration will include all of the files within the /usr/local/cpanel/etc/exim/sysfilter/options/ directory.

  7. Enter the new file’s absolute path in the text box (for example, /etc/cpanel_system_filter_new).

  8. Click Save.

    Note:

    Exim restarts when you save changes in the Exim Configuration Manager interface.

For more information about the Exim system filter file, visit Exim’s system filter documentation.

How to block additional extensions

The /etc/cpanel_exim_system_filter file is the system’s default filter file. It contains the following sections:

  • Single-part MIME messages with suspicious name extensions.
  • Single-part MIME messages with suspicious name extensions that use unquoted filenames.
  • Embedded VBS attachments.
  • Embedded VBS attachments that use unquoted filenames.

To block a new extension:

Remember:

Do not directly edit the /etc/cpanel_exim_system_filter file. The system will lose any changes when your Exim Configuration rebuilds.

  1. Create a custom filter file. To do this, follow steps 1-3 of the How to create a custom Exim system filter file section.

  2. Edit the regular expressions in the following lines:

    
    if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
    
    if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"
    
    if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
    
    if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"

    Note:

    To unblock an extension, remove it from those regular expressions.

    For example, if you blocked the .foo extension, your changes would resemble the following example:
    
    if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|foo|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
    
    if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|foo|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"
    
    if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|foo|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
    
    if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|foo|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"

  3. Log in to WHM as the root user.

  4. Navigate to the Filters section of WHM’s Exim Configuration Manager interface (WHM » Home » Service Configuration » Exim Configuration Manager).

  5. Enter the new filter file’s file path in the System Filter File option’s text box.

  6. Click Save.
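
The following Python sketch is an added example, not part of cPanel's documentation or of the filter file itself. It rebuilds the two Content-Type header patterns from step 2, in the form they take once Exim's string processing reduces `\\\\` to a single backslash, and checks constructed sample headers against them before and after adding .foo. Python's re module stands in for Exim's PCRE matching, and the function names and sample headers are assumptions made for the example.

```python
import re

# Extension alternation copied from the page's regular expressions.
DEFAULT_EXTS = ("ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|"
                "jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]")


def header_patterns(exts):
    """Return the (quoted, unquoted) header patterns for an extension list."""
    flags = re.IGNORECASE  # Exim's lowercase `matches` is case-independent
    quoted = re.compile(r'(?:file)?name=("[^"]+\.(?:%s)")' % exts, flags)
    unquoted = re.compile(r'(?:file)?name=(\S+\.(?:%s))' % exts, flags)
    return quoted, unquoted


def blocked_name(content_type, exts=DEFAULT_EXTS):
    """Return the filename text a header rule captures, or None if none match."""
    for pattern in header_patterns(exts):
        match = pattern.search(content_type)
        if match:
            return match.group(1).strip('"')
    return None


def add_extension(exts, new):
    """Add a literal extension, keeping the alphabetical order used on the page."""
    return "|".join(sorted(exts.split("|") + [re.escape(new)]))


# Constructed sample Content-Type header values (not taken from real mail).
SAMPLES = [
    'application/octet-stream; name="setup.exe"',
    'application/octet-stream; name=SETUP.EXE',
    'application/pdf; name="report.pdf"',
    'application/zip; name="invoice.foo"',
    'text/plain; name=notes.community.txt',
]

if __name__ == "__main__":
    with_foo = add_extension(DEFAULT_EXTS, "foo")
    for header in SAMPLES:
        print("%-45s default=%-12s with_foo=%s"
              % (header, blocked_name(header), blocked_name(header, with_foo)))
```

The last sample is captured as notes.com: the unquoted header pattern has no terminator after the extension, so a filename that merely contains .com followed by more characters also matches. Check any extension you add for the same kind of overlap with legitimate filenames.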
