reject at smtp time if headers contains

keat63

Well-Known Member
Nov 20, 2014
1,959
266
113
cPanel Access Level
Root Administrator
Really struggling with an email virus at the moment, clamav isn't always catching it.
I've identified a pattern in the message headers, which a global filter is doing a decent job of weeding out.
However, is it possible to create a filter that would reject at smtp time based on what's in the headers?
I've about four patterns which weed out about 95% of them.
 

sparek-3

Well-Known Member
Aug 10, 2002
2,092
244
368
cPanel Access Level
Root Administrator
The only way to properly reject a message at SMTP time would be to do it within the exim.conf file.

You would need to do this in the acl_smtp_data section before the final accept. For information on header expansion in the conf file see:


Scroll down to the section that starts with

$header_<header name>: or $h_<header name>

To actually make this kosher with cPanel, you would have to add the code into the proper /usr/local/cpanel/etc/exim/acls and enable that customization file in /etc/exim.conf.localopts ... easiest way is to use the Exim Configuration builder in WHM and note what files change in these directories/file after you make the changes.

If you are using a filter to do all of this - then you can place the filter context in /etc/cpanel_exim_system_filter or whatever file system_filter is pointing to in the exim.conf file.

The key here is that you can't reject mail in a filter (well... I mean... I guess you can, but your server is then going to be responsible for sending the bounce message). The filter doesn't run until after you have accepted the message. But you can blackhole it or send it to /dev/null. Doesn't give necessarily the same effect, but it at least keeps messages from being delivered.

There's probably a more kosher way of doing this in cPanel that involves modifying some files again in the /usr/local/cpanel/etc/exim directory. Perhaps creating a file in /usr/local/cpanel/etc/exim/sysfilter/options with the code and running /scripts/buildeximconf ? Really not sure with this, never used this. You would also need to restart exim after /scripts/buildeximconf because it doesn't restart exim.
 
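To make the ACL route concrete, here is an added example of what a header-based reject in acl_smtp_data could look like. It is not code from this thread or from cPanel: the header and body patterns are constructed placeholders, and the file it would live in (a custom ACL file under /usr/local/cpanel/etc/exim/acls that cPanel splices into acl_smtp_data before the final accept) is an assumption to confirm by watching which files the Exim Configuration Manager changes.

```exim
# Added example for the DATA ACL (acl_smtp_data); place it before the final "accept".
# At DATA time the whole message has arrived, so $h_<name>: header expansions and
# $message_body are available. Patterns below are constructed placeholders.

# Reject when any of several header patterns match. Rejection happens before the
# message is accepted, so the remote MTA owns the bounce and no backscatter is
# generated by this server. log_message records the hit in Exim's main log.
deny    message     = Rejected: message matches a blocked header pattern
        log_message = blocked header pattern: from=<$sender_address> subject="$h_subject:"
        condition   = ${if or{ \
                        {match{$h_from:}{\N(?i)\.icu\b\N}} \
                        {match{$h_to:, $h_cc:}{\N(?i)\.icu\b\N}} \
                        {match{$h_subject:}{\N(?i)PLACEHOLDER-SUBJECT-PATTERN\N}} \
                        {match{$h_x-mailer:}{\N(?i)^PLACEHOLDER-MAILER-PATTERN$\N}} \
                      }}

# Optional body check. $message_body only holds the first message_body_visible
# bytes of the body (default 500), so keep the pattern near the start of the text.
deny    message     = Rejected: message body matches a blocked pattern
        log_message = blocked body pattern: from=<$sender_address>
        condition   = ${if match{$message_body}{\N(?i)PLACEHOLDER-BODY-PATTERN\N}}
```

After /scripts/buildeximconf and an Exim restart, `exim -bV` checks that the configuration still parses, and `exim -bh 192.0.2.1` runs a fake SMTP session from that (documentation-range) address so you can paste a sample message at DATA and watch which ACL statement fires without anything being delivered. Each `deny` writes its `log_message` to the main log, which is the place to confirm the rule is catching real traffic and not legitimate mail.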

keat63

I'm using a filter to decent effect, which discards the message.
However, I would prefer to reject.

You say " If you are using a filter to do all of this - then you can place the filter context in /etc/cpanel_exim_system_filter or whatever file system_filter is pointing to in the exim.conf file. "

Would it be as simple as extracting the rule and literally just dropping these into cpanel_exim_system_filter?

I found the filter in etc/vfilters, and I'll not divulge my actual rules, but something along these lines.

Code:
# Exim filter - auto-generated by cPanel.
#
# Do not manually edit this file; instead, use cPanel APIs to manipulate
# email filters. MANUAL CHANGES TO THIS FILE WILL BE OVERWRITTEN.
#

headers charset "UTF-8"

if not first_delivery and error_message then finish endif

# Old Payments Email
# Address left as shown in the post; the condition needs "then" and an action
# to be a complete filter rule. "seen finish" discards the message (assumed to
# match the cPanel "Discard" action the post describes).
if
$header_to: contains "[email protected]" or $message_body contains "[email protected]"
then
seen finish
endif
 

keat63

@sparek-3

You've possibly put me on to something here.
I use CSF Mailscanner, and I believe it to over write the exim_system_filter with a file named antivirus_empty.
So I located this file and see a rule in there already

if first_delivery
and ("$h_to:, $h_cc:" contains ".icu")
or ("$h_from:" contains ".icu")
then
seen finish
endif

so in the middle I added
or ("$message_body" contains "blahblah")

Now I've emailed myself from gmail with blahblah in the body and it got through, so I assume my context could be wrong on my entry.
Any thoughts?
 

sparek-3

Yea, would really hope that someone else with more experience writing Exim filters like this would chime in - I'm not really the one to ask.

You might want to make sure you're adding the filter code into the right file

cat /etc/exim.conf | grep "^system_filter = "

Should tell you what system_filter file Exim is using.

You might need a

save "/dev/null" 660

instead of

seen finish

Again - it's not advisable to reject messages with these filters. Because these filters run AFTER your server has already accepted the message.

So if you reject a message in a filter, YOUR server is going to be tasked with sending the bounce rejection message. And if the envelope-sender of the message is faked, then you'll build up rejection messages in your mail queue or you will send a rejection message to an email address that did not send the message.

After your server accepts a message - if you don't want your email users to see the message, your best (and safest) recourse is to send it to /dev/null.
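For the post-acceptance filter route, here is an added example of a system filter rule that does what the last two posts discuss. It is not the MailScanner antivirus_empty file or cPanel's generated filter: it groups the conditions with explicit parentheses so that first_delivery guards every test rather than relying on and/or precedence, logs what it drops, and discards with seen finish. The domain and body strings are constructed placeholders, and the log path is an assumption.

```exim
# Added example system filter rule (not the page's MailScanner or cPanel file).
# Must be in the file named by "system_filter" in /etc/exim.conf to take effect.
# Patterns are constructed placeholders; the log path is an assumption and has to
# be writable by the user the system filter runs as.

if not first_delivery and error_message then finish endif

# Explicit parentheses: without them first_delivery only guards the first test,
# and the or-branches could match on later delivery attempts as well.
# $message_body holds only the first message_body_visible bytes (default 500).
if first_delivery
   and (
        ("$h_to:, $h_cc:" contains ".icu")
     or ("$h_from:" contains ".icu")
     or ($message_body contains "PLACEHOLDER-BODY-PATTERN")
   )
then
  # Record the discard so the rule can be tuned from the log instead of blind.
  logfile /var/log/exim_filter_discard.log
  logwrite "$tod_log discarded id=$message_exim_id from=<$sender_address> subject=$h_subject:"
  # Drop the message without generating any bounce; this server already
  # accepted it, so there is nobody to reject it to.
  seen finish
endif
```

Test the rule before relying on it: `exim -bF /path/to/filterfile < saved-message.eml` runs the system filter against a saved message and reports what it would do without delivering anything, which is the quickest way to tell whether the "blahblah" test above failed because the condition did not match or because the edited file is not the one system_filter points at. The `save "/dev/null" 660` form suggested above is equivalent in effect but, in a system filter, needs `system_filter_file_transport` to be set in exim.conf, which is why seen finish is used here.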
 

keat63

OK, understood.
Ideally I want to reject at smtp time.
Doing it this way isn't achieving anything that a global filter isn't doing already.