Allow .eml extension attachment on server

[linuxgirl]

Hello,

We have one of our client using thunderbird email client.He could able to send and receive mails without any problem but when he forward those mails he is getting this error -

----------------------------------------------
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
This message has been rejected because it has
a potentially executable attachment "FW: Observations.eml"
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.
----------------------------------------------------

We have antivirus.exim filter enabled on server and we can see .eml is filtered by this script only. But now my query is --

How we can allow this attachment extension for particular domain?
Is thee any whitelist file? Or how we can allow him to forward mails without getting this error?

Please update us for the same.


Thank you.



Linuxgirl

 

[cPanelDavidG]

Hello,

We have one of our client using thunderbird email client.He could able to send and receive mails without any problem but when he forward those mails he is getting this error -

----------------------------------------------
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
This message has been rejected because it has
a potentially executable attachment "FW: Observations.eml"
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.
----------------------------------------------------

We have antivirus.exim filter enabled on server and we can see .eml is filtered by this script only. But now my query is --

How we can allow this attachment extension for particular domain?
Is thee any whitelist file? Or how we can allow him to forward mails without getting this error?

Please update us for the same.


Thank you.



Linuxgirl

I would recommend he set his ciient to NOT send forwarded emails as attachments but rather in the more traditional style of forwarding emails.

 

[tweakservers]

the other option you may consider to remove the .eml from the antivirus.exim file but you are on your risk

 

[mtindor]

I can see why she would want to accept EML files. I see people validly forwarding emails as attachments on a daily basis. Heck, I do it myself very often. I prefer to have 'preserved' emails. Forwarding does not preserve the full content of the original email.

And to my knowledge, the people that have to worry if you allow EMLs to be sent/received are the clients, not the server owners. The clients should be running antivirus anyway, and often email clients (like Outlook/Express) default now to not allowing attachments to be read / viewed if it deems them potentially malicious.

So I always remove 'eml' from the antivirus.exim file. Actually, I copy /etc/antivirus.exim to /etc/antivirus.exim.without.eml and then I go into Exim Configuration Editor and change the antivirus script to /etc/antivirus.exim.without.eml. I then edit /etc/antivirus.exim.without.eml to remove any instance of 'eml' (except in the comments).

Mike

 

[linuxgirl]

Hello,

Thank you all, for providing me the information.
So mtindor..... you think removing .eml from antivirus.exikm is not harmfull and we can do it?
right? Does anyone want to comment on this?


Thank you.




!Linuxgirl!

 

[mtindor]

Hello,

Thank you all, for providing me the information.
So mtindor..... you think removing .eml from antivirus.exikm is not harmfull and we can do it?
right? Does anyone want to comment on this?


Thank you.




!Linuxgirl!

That questoin would be answered differently by just about everyone. It's not harmful to the sysadmin. It _could_ be harmful to the users on your system who don't keep their OS/software up to date and/or don't use antivirus software and/or open every piece of email regardless of how suspect it looks.

So I can't say that removing EML would not be harmful - It could be. But, I personally don't find it harmful to me or my customers - my customers have often specifically asked me to allow the reception of EML files. It wasn't until I had started using an account of my own on a cpanel machine that I realized it's a real pain in the ass to have EMLs blocked. I forward messages (with and without attachments) on a REGULAR basis, and if EML blocking is in place you can't do that. Knowing what kind of legitimate emails I forward as attachments, I think most people are forwarding legitimate emails as attachments.

Like I said though, you should keep the original /etc/cpanel_exim_system_filter and just create a new one and use that.

1. cp /etc/cpanel_exim_system_filter /etc/cpanel_exim_system_filter_without_eml
2. Edit /etc/cpanel_exim_system_filter_without_eml
- remove the various eml references - eml|

On four lines you'll find eml references that you need to remove. The exact things to remove are bold and red.

if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"

if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"

if $message_body matches "(?:Content-(?:Type?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"

if $message_body matches "(?:Content-(?:Type?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"

3. Log into WHM, go into Exim Configuration Editor:
System Filter File: /etc/cpanel_exim_system_filter_without_eml
4 Save

If you ever need to switch back, just change the System Filter File in Exim Configuration Editor to point back to the original file.

NOTE: /etc/cpanel_exim_system_filter may occasionally be updated by Cpanel - and if you copy /etc/cpanel_exim_system_filter to /etc/cpanel_exim_system_filter_without_eml and you use /etc/cpanel_exim_system_filter_without_eml instead, then when Cpanel updates /etc/cpanel_exim_system_filter you'll never know about it. So you should check every so often to see if a Cpanel update has uploaded a new /etc/cpanel_exim_system_filter. If it has, then you can repeat this process.

- Mike

 

[mlopez]

I can see now, that this attachment extensions should be established in another file, according to /etc/cpanel_exim_system_filter file documentation:

Direct modifications to the /etc/cpanel_exim_system_filter file will be lost when the configuration is next rebuilt. To have modifications retained, please use one of the following options:

1)
* Place each sysfilter block you wish to include in a unique file at:
/usr/local/cpanel/etc/exim/sysfilter/options/
* Enable or disable the custom block in WHM using:
Service Configuration => Exim Configuration Manager => Filters => Custom Filter: [your unique file]

2)
* Create a custom sysfilter file in /etc/
* Change the location of the sysfilter file in WHM using:
Service Configuration => Exim Configuration Manager => Filters => System Filter File

So, one need to remove eml extension from /usr/local/cpanel/etc/exim/sysfilter/options/attachments or keep doing the file stuff as @mtindor said?

 

[cPanelAnthony]

Hello! You should be able to use the exact steps in the following article.

Customize Exim System Filters

 

[mlopez]

Thank you @cPanelAnthony

I removed eml extension block.

 

[cPanelAnthony]

I'm glad to hear it worked!