How to Customize the Exim System Filter File

Overview

Warning: The steps in this document are for advanced users only.

The Exim system filter file scans messages that your server has received, but that it has not yet delivered. To add custom filter rules to your Exim configuration, you may either create custom filter rule files for Exim to include in its configuration, or create a custom Exim system filter file.

How to create a custom filter rule file

To create a custom filter rule file, perform the following steps:

  1. Create a file in the /usr/local/cpanel/etc/exim/sysfilter/options/ directory.
  2. Within that file, enter your custom filter rules. For example, to block mail from user@example.com, add the following rule:

    if ("$h_from:" contains "user@example.com")
    then fail
    endif
  3. Navigate to WHM's Exim Configuration Manager interface (WHM >> Home >> Service Configuration >> Exim Configuration Manager). In the Basic Editor section, select the Filters tab.
  4. Disable any undesired filter rules.
  5. Click Save.

Warning: The Exim configuration enables all of the custom filter rules within the /usr/local/cpanel/etc/exim/sysfilter/options/ directory.

How to create a custom Exim system filter file

To create a custom system filter file, perform the following steps:

  1. Log in to the server as the root user.

  2. Run the following command to copy the /etc/cpanel_exim_system_filter file:

    cp -p /etc/cpanel_exim_system_filter /etc/cpanel_system_filter_new

    Warning: We strongly recommend that you copy this file before you edit it. If you experience problems, use the file to revert your changes.

  3. Confirm that the new file has the following ownership and file permissions:

    -rw-r--r-- 1 root root
  4. Use your preferred text editor to edit the /etc/cpanel_system_filter_new file.
  5. Navigate to WHM's Exim Configuration Manager interface (WHM >> Home >> Service Configuration >> Exim Configuration Manager).
  6. In the Basic Editor section of the interface, select the textbox option for the System Filter File setting.

    Warning: Regardless of which option you select, the Exim configuration will include all of the files within the /usr/local/cpanel/etc/exim/sysfilter/options/ directory.

  7. Enter the new file's absolute path in the text box (for example, /etc/cpanel_system_filter_new).
  8. Click Save.

    Note: Exim restarts when you save changes in the Exim Configuration Manager interface.

For more information about the Exim system filter file, visit Exim's system filter documentation.

How to block additional extensions

The /etc/cpanel_exim_system_filter file is the system's default filter file. It contains the following sections:

  • Single-part MIME messages with suspicious name extensions.
  • Single-part MIME messages with suspicious name extensions that use unquoted filenames.
  • Embedded VBS attachments.
  • Embedded VBS attachments that use unquoted filenames.

To block a new extension, edit the regular expressions in the following lines:

if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"

if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"

if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"

if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"

Note: To unblock an extension, remove it from those regular expressions.

For example, if you blocked the .foo extension, your changes would resemble the following example:

if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|foo|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"

if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|foo|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"

if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|foo|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"

if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|foo|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"
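
Before saving an edited rule, it helps to confirm what it actually matches. The following Python check is an added example, not part of cPanel's or Exim's own tooling: it takes three of the header rules shown above, undoes the filter-file escaping, and runs them against constructed Content-Type values. The function names, the sample headers, and the two-pass unescaping model are assumptions made for this illustration.

```python
import re

# Header rule lines copied from this page, in filter-file escaping.
DEFAULT_QUOTED = r'''if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"'''
FOO_QUOTED = r'''if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|foo|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"'''
FOO_UNQUOTED = r'''if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|foo|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"'''


def rule_to_regex(rule_line):
    """Turn one 'matches' rule line into a compiled Python regex."""
    # Take the text between the outer double quotes after 'matches'.
    quoted = rule_line.split(" matches ", 1)[1].strip()[1:-1]
    # Assumed model: the quoted string is unescaped once by the filter parser
    # and once more by string expansion, so four backslashes end up as one.
    once = re.sub(r"\\(.)", r"\1", quoted)
    twice = once.replace("\\\\", "\\")
    # Lower-case 'matches' is case-independent in Exim filter files.
    return re.compile(twice, re.IGNORECASE)


def blocked(rule_line, content_type):
    """Return True if the rule would fire on this Content-Type value."""
    return rule_to_regex(rule_line).search(content_type) is not None


# Constructed Content-Type header values (not taken from real mail).
SAMPLES = [
    'application/octet-stream; name="invoice.exe"',
    'application/octet-stream; name="SETUP.EXE"',
    'application/pdf; name="report.pdf"',
    'application/octet-stream; name="data.foo"',
    'application/octet-stream; name=data.foo',
    'application/octet-stream; name=data.foobar',
]


def report():
    """Rows of (header, default quoted, .foo quoted, .foo unquoted)."""
    rules = (DEFAULT_QUOTED, FOO_QUOTED, FOO_UNQUOTED)
    return [(h,) + tuple(blocked(r, h) for r in rules) for h in SAMPLES]


if __name__ == "__main__":
    for row in report():
        print(row)
```

The last sample shows that the unquoted-filename rule has no anchor after the extension, so adding foo also catches name=data.foobar; keep that in mind when adding short extensions.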
