Help filtering executables inside ZIP without demime

Comments

8 comments

  • sktest123
    A similar thread was there mentioning the use of custom_end_exiscanall, but it seems cPanel updates have overcome it. Hope some feature might be done for that, as it's useful: Reject emails with ZIP files containing EXE files
  • jayharland
    Thanks for the response. That thread was actually the one I was referring to when I said "I was using a bit of code I actually got from this forum" lol. I was able to implement that solution and it worked great for me until Exim updated. I will keep searching and working on understanding it all. Thanks again.
  • jayharland
    Alright, an update to anyone reading this, trying to figure it out for themselves or looking for help. The code I pasted above is actually separate pieces of the Exim configuration file. This is the only portion I haven't gotten a grip on yet, how to add these variables into Exim's configuration:

        P7ZIP = /usr/local/bin/7z
        BINFORBIDDEN = Windows-executable attachments forbidden
        WINBIN = exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
        COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z

    *If anyone reading can help with just this portion that would be great. What is the best way to add them; using the advanced editor interface (add additional configuration setting) or just open and edit exim.conf and add them there?

    This piece is already defined:

        check_rfc2047_length = false

    This piece needs to be inserted into "acl_smtp_mime" (I believe, haven't tested yet):

        deny message = BINFORBIDDEN
             log_message = forbidden attachment: filename=$mime_filename, \
                           content-type=$mime_content_type, recipients=$recipients
             condition = ${if or{\
                           {match{$mime_content_type}\
                                 {(?i)executable|application/x-ace-compressed}}\
                           {match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
                         }}

        deny message = Compressed BINFORBIDDEN
             condition = ${if or{\
                           {match{$mime_content_type}{(?i)application/\
                                 (octet-stream|x(-zip)?-compressed|zip)}}\
                           {match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
                         }}
             condition = ${if <{$message_size}{1500K}}
             decode = default
             log_message = forbidden binary in attachment: filename=$mime_filename, \
                           recipients=$recipients
             condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
                           {\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}

        accept
  • jayharland
    Success! Here is how I got it working:
      • After P7Zip is installed, go to Exim's Advanced Configuration Editor
      • Inside the editor, scroll down to where the CONFIG section ends and you should see a blue "Add additional configuration setting"
      • This is where the variables need to be defined, enter each of them with the corresponding value.

            P7ZIP = /usr/local/bin/7z
            BINFORBIDDEN = Windows-executable attachments forbidden
            WINBIN = exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
            COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z

      • Once all of the variables are entered, click "Add additional configuration setting" one more time and select "acl_smtp_mime" from the drop down. Make the value "acl_check_mime".

            acl_smtp_mime = acl_check_mime

      • Below that, under "BEGINACL" you can define the acl:

            acl_check_mime:

              deny message = BINFORBIDDEN
                   log_message = forbidden attachment: filename=$mime_filename, \
                                 content-type=$mime_content_type, recipients=$recipients
                   condition = ${if or{\
                                 {match{$mime_content_type}\
                                       {(?i)executable|application/x-ace-compressed}}\
                                 {match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
                               }}

              deny message = Compressed BINFORBIDDEN
                   condition = ${if or{\
                                 {match{$mime_content_type}{(?i)application/\
                                       (octet-stream|x(-zip)?-compressed|zip)}}\
                                 {match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
                               }}
                   condition = ${if <{$message_size}{1500K}}
                   decode = default
                   log_message = forbidden binary in attachment: filename=$mime_filename, \
                                 recipients=$recipients
                   condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
                                 {\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}

              accept

      • Save the configuration and try to send someone a zip file containing any of the listed file types.
    This did the trick for me. Hopefully it helps someone else!
  • Infopro
    Thanks for updating the thread with your findings. :)
  • julissax
    Hi, the option for filtering rar attachments with a binary inside does not work: p7zip in CentOS is not compatible with rar. Thanks jayharland. I fixed this with the following workaround:
    1. Install p7zip with more support files (not rar):

           yum install epel-release -y
           yum install p7zip p7zip-plugins -y

    2. Install unrar:

           cd /usr/src
           wget http://www.rarlab.com/rar/rarlinux-x64-3.8.0.tar.gz
           tar xzvf rarlinux-x64-3.8.0.tar.gz
           cd rar
           make install

    3. Create the following script on the server (example: /etc/exim_check_compress.sh):

           #!/bin/bash
           # $1 = attachment filename from the MIME part, $2 = path of the decoded file
           name=$1
           location=$2
           # Forbidden member extensions and archive extensions (dots escaped so they match literally)
           EXTENS='\.(ad[ep]|asd|ba[st]|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|in[fs]|isp|jse?|jar|lnk|md[bez]|ms[cipt]|ole|ocx|pcd|pif|reg|sc[rt]|sh[sb]|sys|url|vb[es]?|vxd|ws[cfh]|cab)'
           COMPAC='\.(zip|rar|7z|arj|bz2|gz|uue|xz|z)'
           # Only inspect attachments whose own name ends in an archive extension
           validityExtension=`echo "$name" | egrep -i "${COMPAC}$" | wc -l`
           if [ "$validityExtension" != "0" ]; then
             if [ "`echo "$name" | egrep -i '\.(rar)$'`" != "" ]; then
               # rar: list members with unrar, since p7zip on CentOS cannot read rar
               if [ `/usr/local/bin/unrar l "$location" | gawk '{ print $1 }' | egrep -i "${EXTENS}$" | wc -l` -gt 0 ]; then
                 exit 1
               fi
             else
               # everything else: list members with 7z, skipping its header lines
               if [ `/usr/bin/7z l -y "$location" | tail -n +14 | awk '{print $6}' | egrep -i "${EXTENS}$" | wc -l` -gt 0 ]; then
                 exit 1
               fi
             fi
           fi
           exit 0

    4. Execute:

           chmod +x /etc/exim_check_compress.sh

    5. Add the following variables to the Exim configuration one by one (WHM / Exim Configuration / Advanced / at the end of the CONFIG section click "Add additional configuration setting"):

           BINFORBIDDEN = Windows-executable attachments forbidden
           WINBIN = exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
           COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z
           acl_smtp_mime = acl_check_mime

    6. In WHM / Exim Configuration / Advanced / section BEGINACL define the acl:

           acl_check_mime:

             deny message = BINFORBIDDEN
                  log_message = forbidden attachment: filename=$mime_filename, \
                                content-type=$mime_content_type, recipients=$recipients
                  condition = ${if or{\
                                {match{$mime_content_type}\
                                      {(?i)executable|application/x-ace-compressed}}\
                                {match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
                              }}

             deny message = Compressed BINFORBIDDEN
                  condition = ${if or{\
                                {match{$mime_content_type}{(?i)application/\
                                      (octet-stream|x(-zip)?-compressed|zip)}}\
                                {match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
                              }}
                  condition = ${if <{$message_size}{1500K}}
                  decode = default
                  log_message = forbidden binary in attachment: filename=$mime_filename, \
                                recipients=$recipients
                  condition = ${run{/bin/sh -c '/etc/exim_check_compress.sh $mime_filename $mime_decoded_filename'}{0}{1}}

             accept

    Try sending an attachment with a rar, 7z or zip file with a binary inside to this server, and it works :)
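The same policy as jayharland's ACL and julissax's script, written as an added example (not code from the thread or from cPanel): it applies the thread's WINBIN/COMPREXT lists to the attachment name, parses a ZIP natively instead of shelling out to 7z or unrar, descends into nested ZIPs, and takes the decoded content as data rather than building a shell command line from $mime_filename. The function names (check_attachment, forbidden_members, build_zip), the nesting depth and size limits, and the sample archives are my own assumptions.

```python
import io
import re
import zipfile

# Same extension lists as the WINBIN and COMPREXT macros in the thread.
WINBIN = ("exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp"
          "|lnk|msi|prf|sys|vb|vbe|vbs|ace")
COMPREXT = "zip|rar|7z|arj|bz2|gz|uue|xz|z"
# Mirrors the ACL regex \.(WINBIN)(\.(COMPREXT))*$ : a forbidden extension,
# optionally followed by archive extensions (e.g. invoice.exe.gz).
FORBIDDEN_RE = re.compile(r"\.(%s)(\.(%s))*$" % (WINBIN, COMPREXT), re.I)
ARCHIVE_RE = re.compile(r"\.(%s)$" % COMPREXT, re.I)
MAX_NESTED_BYTES = 10 * 1024 * 1024  # do not expand oversized nested members


def forbidden_members(data, depth=0, max_depth=2):
    """Member names in a ZIP that match FORBIDDEN_RE; nested ZIPs are opened too.
    Only ZIP is parsed natively (rar/7z would still need unrar/7z as in the
    thread); data that is not a ZIP yields []."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for info in zf.infolist():
            name = info.filename
            if FORBIDDEN_RE.search(name):
                hits.append(name)
            elif (name.lower().endswith(".zip") and depth < max_depth
                  and info.file_size <= MAX_NESTED_BYTES):
                inner = forbidden_members(zf.read(info), depth + 1, max_depth)
                hits.extend(name + "!" + h for h in inner)
    return hits


def check_attachment(filename, data):
    """True if the attachment should be rejected under the thread's policy."""
    if FORBIDDEN_RE.search(filename):
        return True                      # bare executable, or executable.gz
    if ARCHIVE_RE.search(filename):
        return bool(forbidden_members(data))
    return False


def build_zip(members):
    """In-memory ZIP from a {name: bytes} dict (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()
```

Called with the MIME filename and the decoded bytes, check_attachment returns True exactly when the ACL's deny should fire, and forbidden_members gives the member names to put in log_message.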
  • efuzone
    Hello, I tried the same method but it is not working. I have zipped an exe file into a zip and I am receiving it. Please tell me what to do.
  • cPanelMichael
    Hello, these are unsupported workarounds, but you may want to try using the workaround guide for zip files only from the earlier post if you don't need it for the RAR extension: Post-2412927. Additionally, if this is something you'd like to see supported by default in cPanel & WHM, I recommend opening a feature request: Submit A Feature Request. Thanks!
