SOLVED Help filtering executables inside ZIP without demime

jayharland

Active Member
Apr 18, 2014
cPanel Access Level
Website Owner
Hey everyone,

So, like some, I was using a bit of code I actually got from this forum to peek inside zip files and reject ones containing an executable. The script worked great, but sadly, demime was part of it, and that has been deprecated.

Since then I've been searching for a solution, but my skills in that area are lacking to put it mildly.

Anyway, on a different forum I found a user asking the same question, someone recommended they use P7Zip to accomplish this.

First I created an EPEL repository, got P7zip installed and.... that's where I'm stuck. I'm not sure how to incorporate the following bit of code into Exim's configuration to get it working.


P7ZIP = /usr/local/bin/7z
BINFORBIDDEN = Windows-executable attachments forbidden
WINBIN = exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z
check_rfc2047_length = false
acl_smtp_mime = acl_check_mime
begin acl
acl_check_mime:
deny message = BINFORBIDDEN
log_message = forbidden attachment: filename=$mime_filename, \
content-type=$mime_content_type, recipients=$recipients
condition = ${if or{\
{match{$mime_content_type}\
{(?i)executable|application/x-ace-compressed}}\
{match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
}}

deny message = Compressed BINFORBIDDEN
condition = ${if or{\
{match{$mime_content_type}{(?i)application/\
(octet-stream|x(-zip)?-compressed|zip)}}\
{match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
}}
condition = ${if <{$message_size}{1500K}}
decode = default
log_message = forbidden binary in attachment: filename=$mime_filename, \
recipients=$recipients
condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
{\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}

accept

I understand what the above code is doing, but I'm not sure where to add it, like I said. I thought I'd just drop it into "custom_end_exiscanall" but nope. I obviously don't understand Exim as well as I'd like to, and yet I need this functionality.

Any help would be appreciated.

Thanks,

Jay
 

jayharland

Active Member
Apr 18, 2014
cPanel Access Level
Website Owner
Thanks for the response. That thread was actually the one I was referring to when I said "I was using a bit of code I actually got from this forum" lol. I was able to implement that solution and it worked great for me until Exim updated.

I will keep searching and working on understanding it all. Thanks again.
 

jayharland

Active Member
Apr 18, 2014
cPanel Access Level
Website Owner
Alright, an update to anyone reading this, trying to figure it out for themselves or looking for help.

The code I pasted above is actually separate pieces of the Exim configuration file:

This is the only portion I haven't gotten a grip on yet, how to add these variables into Exim's configuration:

P7ZIP = /usr/local/bin/7z
BINFORBIDDEN = Windows-executable attachments forbidden
WINBIN = exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z

*If anyone reading can help with just this portion that would be great. What is the best way to add them: using the advanced editor interface ("Add additional configuration setting"), or just opening and editing exim.conf and adding them there?

This piece is already defined:

check_rfc2047_length = false

This piece needs to be inserted into "acl_smtp_mime" (I believe, haven't tested yet)

deny message = BINFORBIDDEN
log_message = forbidden attachment: filename=$mime_filename, \
content-type=$mime_content_type, recipients=$recipients
condition = ${if or{\
{match{$mime_content_type}\
{(?i)executable|application/x-ace-compressed}}\
{match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
}}

deny message = Compressed BINFORBIDDEN
condition = ${if or{\
{match{$mime_content_type}{(?i)application/\
(octet-stream|x(-zip)?-compressed|zip)}}\
{match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
}}
condition = ${if <{$message_size}{1500K}}
decode = default
log_message = forbidden binary in attachment: filename=$mime_filename, \
recipients=$recipients
condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
{\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}

accept
 

jayharland

Active Member
Apr 18, 2014
cPanel Access Level
Website Owner
Success! Here is how I got it working:

  1. After P7Zip is installed, go to Exim's Advanced Configuration Editor

  2. Inside the editor, scroll down to where the CONFIG section ends and you should see a blue "Add additional configuration setting"

  3. This is where the variables need to be defined; enter each of them with its corresponding value.

    P7ZIP = /usr/local/bin/7z
    BINFORBIDDEN = Windows-executable attachments forbidden
    WINBIN = exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
    COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z
  4. Once all of the variables are entered, click "Add additional configuration setting" one more time and select "acl_smtp_mime" from the drop down. Make the value "acl_check_mime".

    acl_smtp_mime = acl_check_mime
  5. Below that, under "BEGINACL" you can define the acl:

    acl_check_mime:

    deny message = BINFORBIDDEN
    log_message = forbidden attachment: filename=$mime_filename, \
    content-type=$mime_content_type, recipients=$recipients
    condition = ${if or{\
    {match{$mime_content_type}\
    {(?i)executable|application/x-ace-compressed}}\
    {match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
    }}

    deny message = Compressed BINFORBIDDEN
    condition = ${if or{\
    {match{$mime_content_type}{(?i)application/\
    (octet-stream|x(-zip)?-compressed|zip)}}\
    {match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
    }}
    condition = ${if <{$message_size}{1500K}}
    decode = default
    log_message = forbidden binary in attachment: filename=$mime_filename, \
    recipients=$recipients
    condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
    {\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}

    accept

  6. Save the configuration and try to send someone a zip file containing any of the listed file types.

This did the trick for me. Hopefully it helps someone else!
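As an added, stand-alone illustration of what the ACL above checks (not code from this thread, from cPanel or from Exim): the same WINBIN/COMPREXT filename rule and the archive-member check, reimplemented with the Python standard library so it can be exercised without 7z or a mail server. The extension lists are copied from the variables above; the sample archives are constructed in memory.

```python
import io
import re
import zipfile

# Copied from the WINBIN / COMPREXT settings defined in the Exim configuration above.
WINBIN = r"exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace"
COMPREXT = r"zip|rar|7z|arj|bz2|gz|uue|xz|z"

# Same rule as the ACL's $mime_filename match: an executable extension, optionally
# followed by one or more archive extensions, anchored at the end (catches "setup.exe.zip",
# but not "data.json", because "js" must be followed by an archive extension or the end).
FORBIDDEN_NAME = re.compile(rf"\.({WINBIN})(\.({COMPREXT}))*$", re.IGNORECASE)
ARCHIVE_NAME = re.compile(rf"\.({COMPREXT})$", re.IGNORECASE)


def is_forbidden_name(filename: str) -> bool:
    """True if an attachment with this name should be rejected outright."""
    return FORBIDDEN_NAME.search(filename) is not None


def zip_has_forbidden_member(data: bytes) -> bool:
    """True if any file inside the ZIP (in any sub-folder) has a Windows-executable
    name or is itself an archive, mirroring the "(COMPREXT|WINBIN)" test the ACL
    runs over the 7z listing. Directory entries are skipped."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if is_forbidden_name(info.filename) or ARCHIVE_NAME.search(info.filename):
                return True
    return False


def build_zip(members: dict) -> bytes:
    """Constructed sample archive: {member name: content bytes} -> ZIP bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_zip({"report.pdf": b"%PDF-1.4", "notes/readme.txt": b"hi"})
    bad = build_zip({"invoice/Setup.EXE": b"MZ", "readme.txt": b"hi"})
    print("clean archive rejected:", zip_has_forbidden_member(clean))  # False
    print("archive with .EXE rejected:", zip_has_forbidden_member(bad))  # True
```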

julissax

Registered
Apr 21, 2014
cPanel Access Level
Root Administrator
Hi,

The option to filter rar attachments with a binary inside does not work: p7zip in CentOS is not compatible with rar.

Thanks jayharland. I fixed this with the following workaround:

Code:
1. Install p7zip with its additional plugins (rar is not included).

yum install epel-release -y
yum install p7zip p7zip-plugins -y

2. Install unrar:
cd /usr/src
wget http://www.rarlab.com/rar/rarlinux-x64-3.8.0.tar.gz
tar xzvf rarlinux-x64-3.8.0.tar.gz
cd rar
make install

3. Create the following script on the server (example: /etc/exim_check_compress.sh):
#!/bin/bash
# Called from the Exim ACL with two arguments:
#   $1 = attachment name as sent ($mime_filename)
#   $2 = path of the decoded attachment in the spool ($mime_decoded_filename)
# Exits 1 when the archive lists a Windows-executable member, otherwise 0.
name=$1
location=$2

# The leading dots are escaped so they match a literal "." (unescaped, "." matches any character).
EXTENS='\.(ad[ep]|asd|ba[st]|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|in[fs]|isp|jse?|jar|lnk|md[bez]|ms[cipt]|ole|ocx|pcd|pif|reg|sc[rt]|sh[sb]|sys|url|vb[es]?|vxd|ws[cfh]|cab)'
COMPAC='\.(zip|rar|7z|arj|bz2|gz|uue|xz|z)'

# Only archives are inspected; anything else is accepted by this script.
if printf '%s\n' "$name" | grep -Eiq "${COMPAC}$"; then
        if printf '%s\n' "$name" | grep -Eiq '\.rar$'; then
                # unrar 3.x prints each member name in the first column of its own line
                if /usr/local/bin/unrar l "$location" | gawk '{ print $1 }' | grep -Eiq "${EXTENS}$"; then
                        exit 1
                fi
        else
                # "-slt" (technical listing) prints one "Path = <name>" line per member, so the
                # column layout and header length of the plain listing do not have to be guessed
                if /usr/bin/7z l -slt -y "$location" | sed -n 's/^Path = //p' | grep -Eiq "${EXTENS}$"; then
                        exit 1
                fi
        fi
fi
exit 0

4. Execute:

chmod +x /etc/exim_check_compress.sh

5. Add the following variables to the Exim configuration one by one (WHM / Exim Configuration / Advanced; at the end of the CONFIG section click "Add additional configuration setting").

BINFORBIDDEN = Windows-executable attachments forbidden
WINBIN = exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z
acl_smtp_mime = acl_check_mime

6. In (WHM / Exim Configuration / Advanced / Section BEGINACL) define the acl:
acl_check_mime:
deny message = BINFORBIDDEN
log_message = forbidden attachment: filename=$mime_filename, \
content-type=$mime_content_type, recipients=$recipients

condition = ${if or{\
{match{$mime_content_type}\
{(?i)executable|application/x-ace-compressed}}\
{match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
}}


deny message = Compressed BINFORBIDDEN
condition = ${if or{\
{match{$mime_content_type}{(?i)application/\
(octet-stream|x(-zip)?-compressed|zip)}}\
{match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
}}

condition = ${if <{$message_size}{1500K}}
decode = default
log_message = forbidden binary in attachment: filename=$mime_filename, \
recipients=$recipients
# The script is executed directly rather than through "sh -c", so shell metacharacters in an
# attachment name are never interpreted; ${quote:} keeps a name containing spaces as one argument.
condition = ${run{/etc/exim_check_compress.sh ${quote:$mime_filename} ${quote:$mime_decoded_filename}}{0}{1}}

accept
Try sending an attachment with a rar, 7z or zip file with a binary inside to this server, and it works :)
 

efuzone

Well-Known Member
Mar 17, 2011
cPanel Access Level
Root Administrator
Hello,

I tried the same method but it is not working. I zipped an exe file into a zip and I am receiving it. Please tell me what to do.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

These are unsupported workarounds, but you may want to try using the workaround guide for zip files only from the earlier post if you don't need it for the RAR extension:

Post-2412927

Additionally, if this is something you'd like to see supported by default in cPanel & WHM, I recommend opening a feature request:

Submit A Feature Request

Thanks!