Allow .eml extension attachment on server

linuxgirl

Hello,

One of our clients is using the Thunderbird email client. He is able to send and receive mails without any problem, but when he forwards those mails he gets this error -

----------------------------------------------
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
This message has been rejected because it has
a potentially executable attachment "FW: Observations.eml"
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.
----------------------------------------------------

We have the antivirus.exim filter enabled on the server, and we can see .eml is filtered by this script only. But now my query is --

How can we allow this attachment extension for a particular domain?
Is there any whitelist file? Or how can we allow him to forward mails without getting this error?

Please update us for the same.


Thank you.



Linuxgirl
 

cPanelDavidG

I would recommend he set his client to NOT send forwarded emails as attachments but rather in the more traditional style of forwarding emails.
 

tweakservers

The other option you may consider is to remove the .eml from the antivirus.exim file, but you do so at your own risk.
 

mtindor

I can see why she would want to accept EML files. I see people validly forwarding emails as attachments on a daily basis. Heck, I do it myself very often. I prefer to have 'preserved' emails. Forwarding does not preserve the full content of the original email.

And to my knowledge, the people that have to worry if you allow EMLs to be sent/received are the clients, not the server owners. The clients should be running antivirus anyway, and often email clients (like Outlook/Express) default now to not allowing attachments to be read / viewed if it deems them potentially malicious.

So I always remove 'eml' from the antivirus.exim file. Actually, I copy /etc/antivirus.exim to /etc/antivirus.exim.without.eml and then I go into Exim Configuration Editor and change the antivirus script to /etc/antivirus.exim.without.eml. I then edit /etc/antivirus.exim.without.eml to remove any instance of 'eml' (except in the comments).

Mike
 

linuxgirl

Hello,

Thank you all, for providing me the information.
So mtindor..... you think removing .eml from antivirus.exim is not harmful and we can do it,
right? Does anyone want to comment on this?


Thank you.




!Linuxgirl!
 

mtindor

That question would be answered differently by just about everyone. It's not harmful to the sysadmin. It _could_ be harmful to the users on your system who don't keep their OS/software up to date and/or don't use antivirus software and/or open every piece of email regardless of how suspect it looks.

So I can't say that removing EML would not be harmful - It could be. But, I personally don't find it harmful to me or my customers - my customers have often specifically asked me to allow the reception of EML files. It wasn't until I had started using an account of my own on a cpanel machine that I realized it's a real pain in the ass to have EMLs blocked. I forward messages (with and without attachments) on a REGULAR basis, and if EML blocking is in place you can't do that. Knowing what kind of legitimate emails I forward as attachments, I think most people are forwarding legitimate emails as attachments.

Like I said though, you should keep the original /etc/cpanel_exim_system_filter and just create a new one and use that.

1. cp /etc/cpanel_exim_system_filter /etc/cpanel_exim_system_filter_without_eml
2. Edit /etc/cpanel_exim_system_filter_without_eml
- remove the various eml references - eml|

On four lines you'll find eml references that you need to remove. The exact things to remove are bold and red.

if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"

if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"

if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"

if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"

3. Log into WHM, go into Exim Configuration Editor:
System Filter File: /etc/cpanel_exim_system_filter_without_eml
4. Save

If you ever need to switch back, just change the System Filter File in Exim Configuration Editor to point back to the original file.

NOTE: /etc/cpanel_exim_system_filter may occasionally be updated by Cpanel - and if you copy /etc/cpanel_exim_system_filter to /etc/cpanel_exim_system_filter_without_eml and you use /etc/cpanel_exim_system_filter_without_eml instead, then when Cpanel updates /etc/cpanel_exim_system_filter you'll never know about it. So you should check every so often to see if a Cpanel update has uploaded a new /etc/cpanel_exim_system_filter. If it has, then you can repeat this process.

- Mike
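
Added example, not part of Mike's post or of cPanel's tooling: the copy-and-edit steps above, together with the earlier advice to leave comment lines alone, scripted against a constructed sample file, plus a baseline copy so that a later cPanel update to the stock filter gets noticed. The function names and the temp-directory layout are assumptions.

```shell
#!/bin/sh
# Added example. Function names and the temp-dir layout are assumptions;
# on a real server SRC would be /etc/cpanel_exim_system_filter.

# fork_filter SRC DST BASE: keep a baseline copy of SRC, then write DST with
# "eml" dropped from the extension alternation on non-comment lines only.
fork_filter() {
    cp "$1" "$3" && sed '/^[[:space:]]*#/!s/|eml|/|/g' "$1" > "$2"
}

# active_eml FILE: count non-comment lines that still block .eml.
active_eml() {
    grep -v '^[[:space:]]*#' "$1" | grep -c '|eml|' || true
}

# upstream_drifted SRC BASE: succeed when SRC no longer matches the baseline,
# i.e. an update replaced the stock filter and the fork should be rebuilt.
upstream_drifted() {
    ! cmp -s "$1" "$2"
}

# Constructed sample: two of the filter lines quoted above plus a comment.
work=$(mktemp -d)
cat > "$work/filter" <<'EOF'
# Exim filter
# blocked extensions include |eml| (comment, must stay untouched)
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"
EOF

fork_filter "$work/filter" "$work/filter_without_eml" "$work/filter.baseline"
echo "active eml rules: stock=$(active_eml "$work/filter") fork=$(active_eml "$work/filter_without_eml")"
diff "$work/filter" "$work/filter_without_eml" || true   # review exactly what changed

# Simulate a later cPanel update touching the stock file.
echo '# updated upstream' >> "$work/filter"
upstream_drifted "$work/filter" "$work/filter.baseline" && echo "stock filter changed: re-fork"
```

Running `upstream_drifted` from cron against the real stock file and its baseline turns the "check every so often" step into an alert; `diff` between the new stock file and the baseline shows what the update changed before the fork is rebuilt.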