System filter: # Exim filter # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # cPanel System Filter for EXIM # # VERSION = 2.0 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!DO NOT MODIFY THIS FILE DIRECTLY!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # Direct modifications to the /etc/cpanel_exim_system_filter file will be lost when the configuration is # # next rebuilt. To have modifications retained, please use one of the following options: # # # # 1) # # * Place each sysfilter block you wish to include in a unique file at: # # /usr/local/cpanel/etc/exim/sysfilter/options/ # # * Enable or disable the custom block in WHM using: # # Service Configuration => Exim Configuration Manager => Filters => Custom Filter: [your unique file] # # # # 2) # # * Create a custom sysfilter file in /etc/ # # * Change the location of the sysfilter file in WHM using: # # Service Configuration => Exim Configuration Manager => Filters => System Filter File # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!DO NOT MODIFY THIS FILE DIRECTLY!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # Only process once # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # if not first_delivery then finish endif # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # Ignore "real" errors # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # if error_message and $header_from: contains "Mailer-Daemon@" then finish endif # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # BEGIN - Included from /usr/local/cpanel/etc/exim/sysfilter/options/attachments # (Use the Basic Editor in the Exim Configuration Manager in WHM to change) # or manually edit /etc/exim.conf.localopts and run /scripts/buildeximconf ## ----------------------------------------------------------------------- # Look for single part MIME messages with suspicious name extensions # Check Content-Type header using quoted filename [content_type_quoted_fn_match] if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")" then fail text "This message has been rejected because it has\n\ potentially executable content $1\n\ This form of attachment has been used by\n\ recent viruses or other malware.\n\ If you meant to send this file then please\n\ package it up as a zip file and resend it." seen finish endif # same again using unquoted filename [content_type_unquoted_fn_match] if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))([\\\\s;]|\\$)" then fail text "This message has been rejected because it has\n\ potentially executable content $1\n\ This form of attachment has been used by\n\ recent viruses or other malware.\n\ If you meant to send this file then please\n\ package it up as a zip file and resend it." seen finish endif ## ----------------------------------------------------------------------- # Attempt to catch embedded VBS attachments # in emails. These were used as the basis for # the ILOVEYOU virus and its variants - many many varients # Quoted filename - [body_quoted_fn_match] if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]" then fail text "This message has been rejected because it has\n\ a potentially executable attachment $1\n\ This form of attachment has been used by\n\ recent viruses or other malware.\n\ If you meant to send this file then please\n\ package it up as a zip file and resend it." seen finish endif # same again using unquoted filename [body_unquoted_fn_match] if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]" then fail text "This message has been rejected because it has\n\ a potentially executable attachment $1\n\ This form of attachment has been used by\n\ recent viruses or other malware.\n\ If you meant to send this file then please\n\ package it up as a zip file and resend it." seen finish endif ## ----------------------------------------------------------------------- #### Version history # # 0.01 5 May 2000 # Initial release # 0.02 8 May 2000 # Widened list of content-types accepted, added WSF extension # 0.03 8 May 2000 # Embedded the install notes in for those that don't do manuals # 0.04 9 May 2000 # Check global content-type header. Efficiency mods to REs # 0.05 9 May 2000 # More minor efficiency mods, doc changes # 0.06 20 June 2000 # Added extension handling - thx to Douglas Gray Stephens & Jeff Carnahan # 0.07 19 July 2000 # Latest MS Outhouse bug catching # 0.08 19 July 2000 # Changed trigger length to 80 chars, fixed some spelling # 0.09 29 September 2000 # More extensions... its getting so we should just allow 2 or 3 through # 0.10 18 January 2001 # Removed exclusion for error messages - this is a little nasty # since it has other side effects, hence we do still exclude # on unix like error messages # 0.11 20 March, 2001 # Added CMD extension, tidied docs slightly, added RCS tag # ** Missed changing version number at top of file :-( # 0.12 10 May, 2001 # Added HTA extension # 0.13 22 May, 2001 # Reformatted regexps and code to build them so that they are # shorter than the limits on pre exim 3.20 filters. This will # make them significantly less efficient, but I am getting so # many queries about this that requiring 3.2x appears unsupportable. # 0.14 15 August,2001 # Added .lnk extension - most requested item :-) # Reformatted everything so its now built from a set of short # library files, cutting down on manual duplication. # Changed \w in filename detection to . - dodges locale problems # Explicit application of GPL after queries on license status # 0.15 17 August, 2001 # Changed the . in filename detect to \S (stops it going mad) # 0.16 19 September, 2001 # Pile of new extensions including the eml in current use # 0.17 19 September, 2001 # Syntax fix # #### Install Notes # # Exim filters run the exim filter language - a very primitive # scripting language - in place of a user .forward file, or on # a per system basis (on all messages passing through). # The filtering capability is documented in the main set of manuals # a copy of which can be found on the exim web site # http://www.exim.org/ # # To install, copy the filter file (with appropriate permissions) # to /etc/exim/system_filter.exim and add to your exim config file # [location is installation depedant - typicaly /etc/exim/config ] # in the first section the line:- # message_filter = /etc/exim/system_filter.exim # message_body_visible = 5000 # # You may also want to set the message_filter_user & message_filter_group # options, but they default to the standard exim user and so can # be left untouched. The other message_filter_* options are only # needed if you modify this to do other functions such as deliveries. # The main exim documentation is quite thorough and so I see no need # to expand it here... # # Any message that matches the filter will then be bounced. # If you wish you can change the error message by editing it # in the section above - however be careful you don't break it. # # After install exim should be restarted - a kill -HUP to the # daemon will do this. # #### LIMITATIONS # # This filter tries to parse MIME with a regexp... that doesn't # work too well. It will also only see the amount of the body # specified in message_body_visible # #### BASIS # # The regexp that is used to pickup MIME/uuencoded body parts with # quoted filenames is replicated below (in perl format). # You need to remember that exim converts newlines to spaces in # the message_body variable. # # (?:Content- # start of content header # (?:Type: (?>\s*) # rest of c/t header # [\w-]+/[\w-]+ # content-type (any) # |Disposition: (?>\s*) # content-disposition hdr # attachment) # content-disposition # ;(?>\s*) # ; space or newline # (?:file)?name= # filename=/name= # |begin (?>\s+) [0-7]{3,4} (?>\s+)) # begin octal-mode # (\"[^\"]+\. # quoted filename. # (?:ad[ep] # list of extns # |ba[st] # |chm # |cmd # |com # |cpl # |crt # |eml # |exe # |hlp # |hta # |in[fs] # |isp # |jse? # |lnk # |md[be] # |ms[cipt] # |pcd # |pif # |reg # |scr # |sct # |shs # |url # |vb[se] # |ws[fhc]) # \" # end quote # ) # end of filename capture # [\s;] # trailing ;/space/newline # # ### [End] # END - Included from /usr/local/cpanel/etc/exim/sysfilter/options/attachments # BEGIN - Included from /usr/local/cpanel/etc/exim/sysfilter/options/spam_rewrite # (Use the Basic Editor in the Exim Configuration Manager in WHM to change) # or manually edit /etc/exim.conf.localopts and run /scripts/buildeximconf if "${if def:header_X-Spam-Subject: {there}}" is there then headers remove Subject headers add "Subject: $rh_X-Spam-Subject:" headers remove X-Spam-Subject endif # END - Included from /usr/local/cpanel/etc/exim/sysfilter/options/spam_rewrite exim.pl.local (first 50 lines): =encoding utf-8 =head1 NAME /etc/exim.pl.local - Perl functions for exim that are loaded by /etc/exim.pl =cut my $VALIASES_DIR = '/etc/valiases'; my $VDOMAINALIASES_DIR = '/etc/vdomainaliases'; my $outgoing_mail_suspended_message; my $outgoing_sender; my $outgoing_sender_domain; my $outgoing_sender_counted_domain; my $outgoing_sender_sysuser; my $outgoing_sender_is_mailman; my $outgoing_sender_archive_directory = 'outgoing'; my $mail_gid; my $nobody_uid; my $nobody_gid; my $mailtrap_gid; my $check_mail_permissions_domain = ''; my $check_mail_permissions_sender = ''; my $check_mail_permissions_msgid = ''; my $check_mail_permissions_data = ''; my $check_mail_permissions_is_mailman = 0; my $enforce_mail_permissions_data = ''; my $primary_hostname; my %uid_cache = ( 0 => 'root', 47 => 'mailnull', 99 => 'nobody' ); my %user_cache = ( 'root' => 0, 'mailnull' => 47, 'nobody' => 99 ); my $reattempt_message = 'Message will be reattempted later'; my $sender_lookup; my $sender_lookup_method; # TEST VARIABLES my $check_mail_permissions_result; my %file_exists_cache; sub file_exists { return $file_exists_cache{ $_[0] } if exists $file_exists_cache{ $_[0] }; $file_exists_cache{ $_[0] } = -e $_[0] ? 1 : 0; return $file_exists_cache{ $_[0] }; } sub checkbx_autowhitelist { my $address = shift; my $phost = Exim::expand_string('$primary_hostname'); localopts: spamassassin_plugin_BAYES_POISON_DEFENSE=1 spam_deferok=1 rbl_whitelist= smarthost_username= acl_trustedmailhosts=0 arc_signing=0 filter_fail_spam_score_over_int acl_requirehelo=1 require_secure_auth=1 message_linelength_limit=2048 acl_outgoing_malware_scan=0 srs=0 senderverify=1 query_apache_for_nobody_senders=1 spam_header=***SPAM*** spamassassin_plugin_P0f=0 acl_dont_delay_greylisting_trusted_hosts=1 callouts=0 dsn_advertise_hosts globalspamassassin=0 acl_ratelimit=1 acl_spamcop_rbl=0 malware_deferok=1 acl_0tracksenders=0 hosts_avoid_pipelining=0 rbl_whitelist_greylist_trusted_netblocks=0 acl_ratelimit_spam_score_over_int acl_spam_scan_secondarymx=1 trust_x_php_script=1 smarthost_password= smarthost_auth_required=0 acl_spamhaus_rbl=0 mailbox_quota_query_timeout=45s no_forward_outbound_spam=0 acl_dkim_disable=1 rewrite_from=disable openssl_options= +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 custom_mailhelo=0 systemfilter=/etc/cpanel_exim_system_filter spamassassin_plugin_KAM=1 acl_deny_rcpt_soft_limit acl_dictionary_attack=1 acl_dont_delay_greylisting_common_mail_providers=0 rbl_whitelist_greylist_common_mail_providers=1 acl_outgoing_spam_scan_over_int filter_spam_rewrite=1 suspended_account_deliveries=queue tls_require_ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 acl_delay_unknown_hosts=1 per_domain_mailips=0 allowweakciphers=0 smarthost_autodiscover_spf_include=1 rebuild_rdns_cache=0 acl_deny_rcpt_hard_limit max_spam_scan_size=1000 smarthost_routelist= filter_attachments=1 acl_slow_fail_block=1 exiscanall=0 smtputf8_advertise_hosts acl_primary_hostname_bl=0 custom_mailips=0 acl_requirehelosyntax=1 acl_requirehelonold=0 use_rdns_for_helo=1 acl_outgoing_spam_scan=0 rbl_whitelist_neighbor_netblocks=1 no_forward_outbound_spam_over_int acl_requirehelonoforge=1 acl_dkim_bl=0 setsenderheader=0 acl_mailproviders=1 spamassassin_plugin_CPANEL=1 acl_deny_spam_score_over_int spf_include_hosts= cpaneleximfilter: uid=990(cpaneleximfilter) gid=987(cpaneleximfilter) groups=987(cpaneleximfilter) -rw-r--r--. 1 root root 12144 Feb 24 14:47 /etc/cpanel_exim_system_filter