cPanel & WHM Version 94 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

Allow exim's "dangerous attachments" list to be modified from Exim Basic Editor

cPanelMary shared this idea 6 years ago
Open Discussion

As a systems administrator, I would like to be able to edit the list of "Dangerous Attachment" types from the Exim Basic Editor. I would like to be able to customize this list without loosing the ability to receive cPanel's regular updates to the other sections of the system filter file.


Currently this is done by creating a custom exim system filter file:

http://documentation.cpanel.net/display/ALD/Customize+the+Exim+System+Filter+File

However, this is used, regular cPanel updates to the system filter file are not used (because the custom filter is being used).


This might also be seen as a step towards implementing the following feature request:

http://features.cpanel.net/responses/as-a-server-administrator-i-want-the-ability-to-allow-antivirusexim-customization-per-account-so-that-i-can-set-email-security-policies-by-account

Comments (8)

photo
4

As a server admin, I would also like to see this feature. The default list includes .eml attachments, which caused me problems on my production server. This is the extension that is used by Thunderbird when you forward an email as an attachment. I need to be able to remove .eml from this list permanently.


It's not useful in production to filter out all .eml attachments without inspection, as the vast majority of them are harmless. Without a malware scanner confirming that an attachment is malicious, simply blocking all standard email attachment files is cumbersome and makes for a lot of unnecessary bounce messages.

photo
1

I agree with this one too

photo
1

We need this too.


I've just manually duplicated /etc/cpanel_exim_system_filter_custom and manually removed all 4 instances of the eml extension, but I don't like doing this as it could cause issues in the future.


We should have an editor to add / remove disallowed file extensions in a way that other settings and modifications by cPanel updates in /etc/cpanel_exim_system_filter are preserved.


If you could just store the file extensions in a file and regenerate /etc/cpanel_exim_system_filter using these extensions it would be great ! :)

photo
3

This is really needed by Italian providers.

In Italy we have PEC emails (certificated email system) which runs over .eml attachments formats.

Every cPanel system start with a predefined set of settings that do not allows PEC email to be delivered to standard email systems.


Working with custom filters means:

- custom's changes overwritten every time cPanel is upgraded, or

- point to a custom filter file that'll not be updated, with most updated information, forever

photo
1

As a reseller user, we find that on our user level, we are unable to alter this for hosted domains. We agree with phoenixweb, and also have similar demands from others. We need to have the option to alter this on the user level, not just the server level.

photo
1

How about doing it another (efficient) way. Block all attachments, and only allow the specific attachments you want in a whitelist. This way, admins can add any attachments to the whitelist, and not worry about unknown ones (as those unknown, would be blocked).

photo
1

We need user level customization. For example .exe is a known attachment but gmail and yahoo does not support it because of security. A user may need to accept .exe while another user may prefer security and does not accept .exe

photo
1

Again... Efficiency... By default all are blocked, then the mailserver admin(s) add(s) only the permitted extensions (onto a whitelist of "allowed"), this way everyone is happy (because they can add and remove whatever extensions they wish - At the server level - WHM). The problem comes when cPanel account users decide to circumvent security by adding or removing different allowed extensions. End-user level customization is not the best approach in this case (it introduces more options for exploits). If everyone were a mail server admin, it would be perfect, but that's not reality. If end-users wish, they can operate their own VPN, for example, still using cPanel/WHM.

photo
1

But if the admin does not block an extension (for example .exe) and an account user wants more security, what is your suggestion for blocking .exe at user level?

photo
1

There are millions file extensions. Most of these extension are images, video and documents.

Instead malware needs to run on an executable extension in order to be able to infect.

This leave the extensions which could be used by a malware to just few (probably not more than 10).

Blacklist all and reverse the selection to a whitelist will force administrator to update frequently the list with new extension and also add all the common extension like PDF, AI, FW, TIFF, JPEG, GIF, PNG, DOC, XLS, SQL, JS, PHP, PY, TXT.... MP3, MP4, MOV, FLA...


Instead of blacklist 10 file, you'll have to whitelist 1.000.000 extension.

This is NOT efficient.

photo
1

@phoenixweb I was not disrespectful to you, please extend the professional courtesy in return. The whole point of the forum is open, professional discussion. I don't necessarily agree with your some of your suggestions (for example), but I would not insult you personally. We're discussing the Exim suggestion, not what we personally think of people we've never met - https://forums.cpanel.net/threads/forum-rules-posting-instructions-and-support-info.102269/

photo
1

Ok, I'll edit my previous post to be more professional but please next time ... think twice before post.

Bye

photo
1

@BlogLogistics How to ("whitelist of "allowed")?

photo
photo
1

For info, I don't use a custom system filter, I use a custom 'attachments-new' filter and activate it from WHM. That way the system filter is still updated.

Not sure if this could be amended to vary by domain, but it seems to be a possibility.

photo
1

No, I only made a new attachments filter.

photo
photo
1

The problem is, if we edit the file: /usr/local/cpanel/etc/exim/sysfilter/options/attachments

When cPanel runs an update, it updates the file it and we lose the custom settings.


And if we do what it says in this link: https://forums.cpanel.net/threads/allow-eml-extension-attachment-on-server.70037/

The disadvantage is that updates made by cPanel will not be applied to our server.


It is important for this reason that cPanel includes as a variable the allowed extensions, so we can customize them.


Thank you!

Leave a Comment
 
Attach a file