SOLVED Help filtering executables inside ZIP without demime

[jayharland]

Hey everyone,

So, like some, I was using a bit of code I actually got from this forum to peek inside zip files and reject ones containing an executable. The script worked great, but sadly, demime was part of it, and that has been depreciated.

Since then I've been searching for a solution, but my skills in that area are lacking to put it mildly.

Anyway, on a different forum I found a user asking the same question, someone recommended they use P7Zip to accomplish this.

First I created an EPEL repository, got P7zip installed and.... that's where I'm stuck. I'm not sure how to incorporate the following bit of code into Exim's configuration to get it working.

P7ZIP = /usr/local/bin/7z
BINFORBIDDEN = Windows-executable attachments forbidden
WINBIN = exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z
check_rfc2047_length = false
acl_smtp_mime = acl_check_mime
begin acl
acl_check_mime:
deny message = BINFORBIDDEN
log_message = forbidden attachment: filename=$mime_filename, \
content-type=$mime_content_type, recipients=$recipients
condition = ${if or{\
{match{$mime_content_type}\
{(?i)executable|application/x-ace-compressed}}\
{match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
}}

deny message = Compressed BINFORBIDDEN
condition = ${if or{\
{match{$mime_content_type}{(?i)application/\
(octet-stream|x(-zip)?-compressed|zip)}}\
{match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
}}
condition = ${if <{$message_size}{1500K}}
decode = default
log_message = forbidden binary in attachment: filename=$mime_filename, \
recipients=$recipients
condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
{\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}

accept

​

I understand what the above code is doing, but I'm not sure where to add it, like I said. I thought I'd just drop it into "custom_end_exiscanall" but nope. I obviously don't understand Exim as well as I'd like to, and yet I need this functionality.

Any help would be appreciated.

Thanks,

Jay

 

[sktest123]

A similar thread was there mentioning using custom_end_exiscanall , but seems cpanel updates has overcomed it. Hope some feature might be done for that as its useful.

Reject emails with ZIP files containing EXE files

 

[jayharland]

Thanks for the response. That thread was actually the one I was referring to when I said "I was using a bit of code I actually got from this forum" lol. I was able to implement that solution and it worked great for me until Exim updated.

I will keep searching and working on understanding it all. Thanks again.

 

[jayharland]

Alright, an update to anyone reading this, trying to figure it out for themselves or looking for help.

The code I pasted above is actually separate pieces of the Exim configuration file:

This is the only portion I haven't gotten a grip on yet, how to add these variables into Exim's configuration:

P7ZIP = /usr/local/bin/7z
BINFORBIDDEN = Windows-executable attachments forbidden
WINBIN = exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z
​

*If anyone reading can help with just this portion that would be great. What is the best way to add them; using the advanced editor interface (add additional configuration setting) or just open and edit exim.conf and add them there?

This piece is already defined:

check_rfc2047_length = false​

This piece needs to be inserted into "acl_smtp_mime" (I believe, haven't tested yet)

deny message = BINFORBIDDEN
log_message = forbidden attachment: filename=$mime_filename, \
content-type=$mime_content_type, recipients=$recipients
condition = ${if or{\
{match{$mime_content_type}\
{(?i)executable|application/x-ace-compressed}}\
{match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
}}

deny message = Compressed BINFORBIDDEN
condition = ${if or{\
{match{$mime_content_type}{(?i)application/\
(octet-stream|x(-zip)?-compressed|zip)}}\
{match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
}}
condition = ${if <{$message_size}{1500K}}
decode = default
log_message = forbidden binary in attachment: filename=$mime_filename, \
recipients=$recipients
condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
{\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}

accept​

 

[jayharland]

Success! Here is how I got it working:

1. After P7Zip is installed, go to Exim's Advanced Configuration Editor
   
   
2. Inside the editor, scroll down to where the CONFIG section ends and you should see a blue "Add additional configuration setting"
   
   
3. This is where the variables need to be defined, enter each of them with the corresponding value.
   
   
   P7ZIP = /usr/local/bin/7z
   BINFORBIDDEN = Windows-executable attachments forbidden
   WINBIN = exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
   COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z
   ​
4. Once all of the variables are entered, click "Add additional configuration setting" one more time and select "acl_smtp_mime" from the drop down. Make the value "acl_check_mime".
   
   
   acl_smtp_mime = acl_check_mime
   ​
5. Below that, under "BEGINACL" you can define the acl:
   
   
   acl_check_mime:
   
   deny message = BINFORBIDDEN
   log_message = forbidden attachment: filename=$mime_filename, \
   content-type=$mime_content_type, recipients=$recipients
   condition = ${if or{\
   {match{$mime_content_type}\
   {(?i)executable|application/x-ace-compressed}}\
   {match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
   }}
   
   deny message = Compressed BINFORBIDDEN
   condition = ${if or{\
   {match{$mime_content_type}{(?i)application/\
   (octet-stream|x(-zip)?-compressed|zip)}}\
   {match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
   }}
   condition = ${if <{$message_size}{1500K}}
   decode = default
   log_message = forbidden binary in attachment: filename=$mime_filename, \
   recipients=$recipients
   condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
   {\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}
   
   accept
   ​
6. Save the configuration and try to send someone a zip file containing any of the listed file types.

This did the trick for me. Hopefully it helps someone else!

 

[Infopro]

Thanks for updating the thread with your findings.

 

[julissax]

Hi,

The option for filter rar attachments with binary inside not work. p7zip in centos is not compatible with rar.

Thanks jayharland . I fix this with the next workaround:

1. Install p7zip with more support files (not rar).

yum install epel-release -y
yum install p7zip p7zip-plugins -y

2. Install unrar:
cd /usr/src
wget http://www.rarlab.com/rar/rarlinux-x64-3.8.0.tar.gz
tar xzvf rarlinux-x64-3.8.0.tar.gz
cd rar
make install

3. Create the next script in server (example: /etc/exim_check_compress.sh):
#!/bin/bash
name=$1
location=$2

EXTENS='.(ad[ep]|asd|ba[st]|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|in[fs]|isp|jse?|jar|lnk|md[bez]|ms[cipt]|ole|ocx|pcd|pif|reg|sc[rt]|sh[sb]|sys|url|vb[es]?|vxd|ws[cfh]|cab)'
COMPAC='.(zip|rar|7z|arj|bz2|gz|uue|xz|z)'

validityExtension=`echo $name | egrep -i "${COMPAC}$" | wc -l`

if [ "$validityExtension" != "0" ]; then
        if [ "`echo $name | egrep -i '.(rar)$'`" != "" ]; then
                if [ `/usr/local/bin/unrar l $location | gawk '{ print $1 }' | egrep -i "${EXTENS}$" | wc -l` -gt 0 ]; then
                        exit 1
                fi
        else
                if [ `/usr/bin/7z l -y $location | tail -n +14 | awk '{print $6}' | egrep -i "${EXTENS}$" | wc -l` -gt 0 ]; then
                        exit 1
                fi
        fi
fi
exit 0

4. Execute:

chmod +x /etc/exim_check_compress.sh

5. Add the next variables to exim configuration one by one (WHM / Exim Configuration / Advanced / In the end of SECTION config clic in "Add additional configuration setting".

BINFORBIDDEN = Windows-executable attachments forbidden
WINBIN = exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z
acl_smtp_mime = acl_check_mime

6. In (WHM / Exim Configuration / Advanced / Section BEGINACL) define the acl:
acl_check_mime:
deny message = BINFORBIDDEN
log_message = forbidden attachment: filename=$mime_filename, \
content-type=$mime_content_type, recipients=$recipients

condition = ${if or{\
{match{$mime_content_type}\
{(?i)executable|application/x-ace-compressed}}\
{match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
}}


deny message = Compressed BINFORBIDDEN
condition = ${if or{\
{match{$mime_content_type}{(?i)application/\
(octet-stream|x(-zip)?-compressed|zip)}}\
{match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
}}

condition = ${if <{$message_size}{1500K}}
decode = default
log_message = forbidden binary in attachment: filename=$mime_filename, \
recipients=$recipients
condition = ${run{/bin/sh -c '/etc/exim_check_compress.sh $mime_filename $mime_decoded_filename'}{0}{1}}

accept

Try send attachment with rar 7z or zip file with binary inside to this server and work

 

[efuzone]

Hi,

The option for filter rar attachments with binary inside not work. p7zip in centos is not compatible with rar.

Thanks jayharland . I fix this with the next workaround:

1. Install p7zip with more support files (not rar).

yum install epel-release -y
yum install p7zip p7zip-plugins -y

2. Install unrar:
cd /usr/src
wget http://www.rarlab.com/rar/rarlinux-x64-3.8.0.tar.gz
tar xzvf rarlinux-x64-3.8.0.tar.gz
cd rar
make install

3. Create the next script in server (example: /etc/exim_check_compress.sh):
#!/bin/bash
name=$1
location=$2

EXTENS='.(ad[ep]|asd|ba[st]|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|in[fs]|isp|jse?|jar|lnk|md[bez]|ms[cipt]|ole|ocx|pcd|pif|reg|sc[rt]|sh[sb]|sys|url|vb[es]?|vxd|ws[cfh]|cab)'
COMPAC='.(zip|rar|7z|arj|bz2|gz|uue|xz|z)'

validityExtension=`echo $name | egrep -i "${COMPAC}$" | wc -l`

if [ "$validityExtension" != "0" ]; then
        if [ "`echo $name | egrep -i '.(rar)$'`" != "" ]; then
                if [ `/usr/local/bin/unrar l $location | gawk '{ print $1 }' | egrep -i "${EXTENS}$" | wc -l` -gt 0 ]; then
                        exit 1
                fi
        else
                if [ `/usr/bin/7z l -y $location | tail -n +14 | awk '{print $6}' | egrep -i "${EXTENS}$" | wc -l` -gt 0 ]; then
                        exit 1
                fi
        fi
fi
exit 0

4. Execute:

chmod +x /etc/exim_check_compress.sh

5. Add the next variables to exim configuration one by one (WHM / Exim Configuration / Advanced / In the end of SECTION config clic in "Add additional configuration setting".

BINFORBIDDEN = Windows-executable attachments forbidden
WINBIN = exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z
acl_smtp_mime = acl_check_mime

6. In (WHM / Exim Configuration / Advanced / Section BEGINACL) define the acl:
acl_check_mime:
deny message = BINFORBIDDEN
log_message = forbidden attachment: filename=$mime_filename, \
content-type=$mime_content_type, recipients=$recipients

condition = ${if or{\
{match{$mime_content_type}\
{(?i)executable|application/x-ace-compressed}}\
{match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
}}


deny message = Compressed BINFORBIDDEN
condition = ${if or{\
{match{$mime_content_type}{(?i)application/\
(octet-stream|x(-zip)?-compressed|zip)}}\
{match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
}}

condition = ${if <{$message_size}{1500K}}
decode = default
log_message = forbidden binary in attachment: filename=$mime_filename, \
recipients=$recipients
condition = ${run{/bin/sh -c '/etc/exim_check_compress.sh $mime_filename $mime_decoded_filename'}{0}{1}}

accept

Try send attachment with rar 7z or zip file with binary inside to this server and work

Hello,

I tried same method but it is not working.. I have zipped exe file into zip and i am receiving it.. Please tell me what to do

 

[cPanelMichael]

I tried same method but it is not working.. I have zipped exe file into zip and i am receiving it.. Please tell me what to do

Hello,

These are unsupported workarounds, but you may want to try using the workaround guide for zip files only from the earlier post if you don't need it for the RAR extension:

Post-2412927

Additionally, if this is something you'd like to see supported by default in cPanel & WHM, I recommend opening a feature request:

Submit A Feature Request

Thanks!