Don't reject mails when viruses are found

chrismfz

Well-Known Member
Jul 4, 2007
127
1
68
Greece
cPanel Access Level
DataCenter Provider
Scenario:

a) I am sending a legit email and I might be infected or
b) I am sending a legit email and the attachment could be flagged as virus but it's a false positive.

Right now we got as default this:
rejected after DATA: This message contains a virus or other harmful content (SignatureGoesHere)
And nobody knows anything except if we dig inside exim reject log.


Is there a way to make them PASS to inbox/spam folder but cleaned and not defer them?

The default default_exiscan has a deny / defer message:

deny message = This message contains a virus or other harmful content ($malware_name)
     malware = */defer_ok
warn log_message = Message has been scanned: no virus or other harmful content was found


Is there a way to make clam delete/disinfect the attachment, pass the message without it and just print the Signature of the found virus?
It's important to pass every mail, even infected to spam or inbox folder, but just without the infected attachment or with the ClamAV signature warning in the footer.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,030
313
cPanel Access Level
Root Administrator
Hey there! If you're sending a message out, I would expect this to be handled at the recipient end and not on your server, unless you also have scanning turned on for outgoing messages. Do you have a log of this type of mail transaction showing the issue? If so, you can paste that here, but just remove any public details such as the domain name or IP address.
 

chrismfz

Sorry, I didn't clarify that. I meant our (cPanel) end: receiving messages. I just used "I am sending" as an example (let's say better, I am sending an example mail to a cPanel server then :) )

If someone sends something to a cPanel server and contains a virus or something that looks like a virus (false positive), it gets deferred. It never touches inbox or spambox.
Customer never knows about it.

Just like the code I wrote:

The default default_exiscan has a deny / defer message:

deny message = This message contains a virus or other harmful content ($malware_name)
     malware = */defer_ok
warn log_message = Message has been scanned: no virus or other harmful content was found


And I was wondering if there is a way NOT to defer those messages when they are coming to the cPanel server.
Make them pass with a warning, like the ClamAV signature found, and/or delete the viruses and let the rest of the mail come in.

For example, ESETS Linux Mail Scanner does that when I use it as a ROUTE/TRANSPORT in exim.conf , deletes the virus/malware and delivers the mail without it with a footer warning of what it erased and why.
But Clam-Exim instantly denies the mail and nothing passes.

I believe there is a way I just didn't find it yet.
 

cPRex

Thanks for the additional details. I'm not seeing a value that would perform exactly that work when I check the available settings here:


As with everything related to Exim, there's likely a workaround available somewhere, but I didn't find much on this with a search. You may want to look into alternative mail scanning tools, or consider opening a feature request with the link in my signature.
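
An added example, not from the thread and not cPanel's shipped configuration: the `deny` stanza quoted above rewritten as a `warn`, so that a ClamAV match is tagged and logged at DATA time instead of rejected. The header names `X-Virus-Flag` and `X-Virus-Signature` are assumptions chosen for illustration, and where a custom block belongs in cPanel's Exim configuration is not covered on this page.

```exim
# Added example for the SMTP DATA ACL; not the default_exiscan block itself.
#
# Before (as quoted in the thread): a ClamAV match rejects the message.
#   deny message = This message contains a virus or other harmful content ($malware_name)
#        malware = */defer_ok
#
# After: "warn" never rejects. When the malware condition matches, the
# headers are added and the signature is logged, then ACL processing
# continues so the message can still be accepted further down.
# /defer_ok is kept from the original: a scanner failure is treated as
# "no match" rather than a temporary error.
warn malware     = */defer_ok
     add_header  = X-Virus-Flag: YES
     add_header  = X-Virus-Signature: $malware_name
     log_message = Malware match accepted and tagged: $malware_name

# The original "clean" log line used to be reached only when the deny did
# not fire. With warn above, it needs its own guard: $malware_name is set
# only when the malware condition matched for this message.
warn condition   = ${if !def:malware_name}
     log_message = Message has been scanned: no virus or other harmful content was found
```

An ACL cannot alter the message body, so the flagged attachment is delivered intact; this only makes the match visible in the headers and the main log, where a delivery filter can file tagged mail away from the inbox.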