SOLVED Debugging the attachments part of system filter file

Discussion in 'E-mail Discussion' started by km9, Feb 28, 2018.

  1. km9

    km9 Member

    Joined:
    Apr 5, 2017
    Messages:
    19
    Likes Received:
    3
    Trophy Points:
    3
    Location:
    Asia
    cPanel Access Level:
    Root Administrator
    Hi,
    I recently noticed an email delivered with an attachment that is forbidden in the system filter file. Using

    Code:
    /usr/lib/sendmail -bF /etc/cpanel_exim_system_filter -v <test-message
    I could see that the attachments lines were not matched, though the Content-Type and Content-Disposition headers were present in the body.

    Through a process of elimination, I found that by removing most of the large block of (HTML) text present in the main part of the body I could make the attachment test trigger.

    I'm clearly missing something here. Is there a limit to the amount of the body that is passed to the filter?

    I can reproduce the problem by crafting a simple "Hello World" test email with a forbidden attachment, which is detected correctly, then adding 15,000 characters to the body, which is then not detected.

    Any clues, and, more importantly, workarounds?

    Thanks.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,247
    Likes Received:
    1,759
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Do you have any additional custom Exim rules enabled, or are you using any third-party applications such as MailScanner?

    I understand your issue to relate to the Exim system filter itself, but I did want to note that for SpamAssassin, there's a separate limit to be aware of under the "Apache SpamAssassin™ Options" tab in "WHM >> Exim Configuration Manager >> Basic Editor":

    Apache SpamAssassin™: message size threshold to scan

    Per its description:

    Maximum size (in kilobytes) of a message that Apache SpamAssassin™ will scan. Spam emails are usually about 1-4 kB in size; therefore, it is generally wasteful to scan larger emails.

    Thank you.
     
  3. km9

    Good thoughts, thanks Michael, but I'm testing the filter directly using the code as above:

    Code:
    /usr/lib/sendmail -bF /etc/cpanel_exim_system_filter -v <test-message
    so I don't think any external influences would be in effect here.
     
  4. cPanelMichael

    Hello,

    Could you open a support ticket using the link in my signature so we can take a closer look at this issue?

    Thank you.
     
  5. km9

    Sure. Your Support Request ID is: 9321015
     
  6. km9

    Michael, it's the $message_body_visible Exim advanced setting that was causing the behaviour. The default cPanel value is 5k. (Exim default is 500 bytes.)

    Exim 4.50 Specification chapter 11

    Tested and working now, with the proviso that the unwanted attachment header has to occur within the first $message_body_visible bytes of the body for the filter to see it. i.e. this is not guaranteed to filter out all bad attachments.

    This email had just over 20k, with HTML text and a small JPEG before the unwanted attachment headers. I'm now using 50k as the value for the moment.
     
    cPanelMichael likes this.
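
An added example, not part of the thread and not cPanel's filter code: a Python check of whether a forbidden attachment name falls inside the first `message_body_visible` bytes of the body, the portion the post above says the filter can see. The extension list, function names, the 5000/50000 limits standing in for "5k" and "50k", and the sample message are all constructed for illustration.

```python
import re

# Hypothetical extension list for this example, not the cPanel filter's own.
FORBIDDEN = (b"exe", b"scr", b"pif", b"vbs")
NAME_RE = re.compile(
    rb'\b(?:file)?name\s*=\s*"?([^";\r\n]+\.(?:' + b"|".join(FORBIDDEN) + rb'))\b',
    re.IGNORECASE,
)

def body_of(raw: bytes) -> bytes:
    """Body = everything after the first blank line that ends the headers."""
    m = re.search(rb"\r?\n\r?\n", raw)
    return raw[m.end():] if m else b""

def audit(raw: bytes, visible: int):
    """List (filename, end_offset, seen) for each forbidden name in the body.

    `seen` is True only if the whole match ends inside the first `visible`
    bytes, the portion the filter gets in $message_body.
    """
    return [
        (m.group(1).decode("latin-1"), m.end(), m.end() <= visible)
        for m in NAME_RE.finditer(body_of(raw))
    ]

def min_visible(raw: bytes) -> int:
    """Smallest message_body_visible that exposes every forbidden name."""
    return max((end for _, end, _ in audit(raw, 0)), default=0)

def build_sample(padding: int) -> bytes:
    """Constructed test message: HTML part of `padding` chars, then a .exe part."""
    return (
        b"From: a@example.com\r\nTo: b@example.com\r\nSubject: test\r\n"
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="BOUND"\r\n\r\n'
        b"--BOUND\r\nContent-Type: text/html\r\n\r\n"
        + b"x" * padding + b"\r\n"
        b"--BOUND\r\n"
        b'Content-Type: application/octet-stream; name="invoice.exe"\r\n'
        b'Content-Disposition: attachment; filename="invoice.exe"\r\n\r\n'
        b"TVqQAAMAAAAEAAAA\r\n--BOUND--\r\n"
    )

if __name__ == "__main__":
    for pad in (11, 15000):
        msg = build_sample(pad)
        for limit in (5000, 50000):
            print(pad, limit, audit(msg, limit), "need >=", min_visible(msg))
```

Running `min_visible` over a sample of real messages gives a lower bound for the setting; names encoded with RFC 2231 or RFC 2047 are not matched by this simple pattern.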
  7. cPanelMichael

    Hello,

    Thank you for sharing the outcome. I've marked this thread as solved.
     