MailHeaders patch with EA4
Dear Staff Members, Users,
In Exim Configuration Manager, the description of the option "Trust X-PHP-Script headers to determine the sender of email sent from processes running as nobody" says that if the MailHeaders patch is installed in EasyApache, cPanel will use the X-PHP-Script to determine the sender of a message for Email Archiving and Limits.
Now, the question is: with cPanel 64.0 (build 36) and EasyApache 4, how do I check whether the MailHeaders patch is installed, and if it is not, how do I install it?
Earlier, in EA3, there was a way to do so via WHM > EasyApache (Apache Update) > Step 6 Exhaustive Options List, in the PHP section.
In EA4, there is no option like the Exhaustive Options List. Please guide.
-
Now, the question is: with cPanel 64.0 (build 36) and EasyApache 4, how do I check whether the MailHeaders patch is installed, and if it is not, how do I install it?
Hello, The patch is installed by default as part of the core PHP installation in EasyApache 4. Example:

```
# /opt/cpanel/ea-php56/root/usr/bin/php -i|grep mail.add_x_header
mail.add_x_header => On => On
# /opt/cpanel/ea-php70/root/usr/bin/php -i|grep mail.add_x_header
mail.add_x_header => On => On
```

Thank you.
-
Hello, How to disable this patch? When I changed from

```
mail.add_x_header = On
```

to

```
mail.add_x_header = Off
```

at /opt/cpanel/ea-php56/root/etc/php.ini, the headers in the e-mail were changed from

```
X-PHP-Script: URL/admin/index.php for IP_ADDRESS
X-PHP-Originating-Script: 500:mail.php
```

to

```
X-PHP-Script: URL/admin/index.php for IP_ADDRESS
```

But how to disable X-PHP-Script? Thank you.
-
Did you confirm via a 'phpinfo()' file in the same website/directory that 'mail.add_x_header' is in fact disabled?
-
Yes, mail.add_x_header Off Off
-
Have you also disabled "Trust X-PHP-Script headers" at WHM > Exim Configuration Manager? Initially, you were asking how to enable this, now you're asking how to disable this.
-
This has been changed: Updating "Trust X-PHP-Script headers to determine the sender of email sent from processes running as nobody" from "On" to "Off". "Trust X-PHP-Script headers to determine the sender of email sent from processes running as nobody" was updated.
But

```
X-PHP-Script: URL/admin/index.php for IP_ADDRESS
```

is still added to the headers of the e-mail.
-
Hello, This is answered on the following thread: Disable x-php-script. Thank you.
-
It's not simple. Is there any simple way? Like a checkbox in EasyApache, etc.
-
Hello, There's no other supported method at this time, but I encourage you to open a feature request if you'd like to see an option to disable this module included in the EA4 interface: Submit A Feature Request. Thank you.
-
Hi all, I read through some of these older threads related to this issue, and just wanted to provide some more details on what I think is the best solution. See here: How to Customize the Exim System Filter File | cPanel & WHM Documentation. I just verified it works and will not be overwritten by cPanel. It's a supported mechanism. Here's the example file I have located under the directory /usr/local/cpanel/etc/exim/sysfilter/options:

```
# CUSTOM FILTER
if "${if def:header_X-PHP-Script: {there}}" is there
then
  headers remove X-PHP-Script
endif
if "${if def:header_X-PHP-Originating-Script: {there}}" is there
then
  headers remove X-PHP-Originating-Script
endif
```
-
Thank you SO much for your solution, pincom_stu! It worked perfectly for me. It's frustrating that the ability to turn off these headers hasn't already been included in WHM. X-PHP-SCRIPT (and similar headers) may be a nice header to have enabled for those running web hosting businesses, but is that really the target market of cPanel? For those running one-off custom sites via cPanel (likely the *actual* market of cPanel), not being able to turn this on and off at will is frustrating. Sure, it's useful for tracking down an illicit (hacked) script. However, keeping it active all the time on a (non-hacked) website will unnecessarily trigger spam filters (e.g. SpamAssassin's own `PHP_SCRIPT` rule). It's silly to keep this header present 100% of the time, something that all cPanel users are apparently doing unless they use a custom filter like the one proposed by pincom_stu. This header should follow PHP's lead by being disabled by default and only becoming active when enabled. The suggestion to "Submit a Feature Request" isn't very encouraging. Regardless, in the hopes that this helps, I did find a page to vote for this feature to be added:
-
Here's the example file I have located under the directory /usr/local/cpanel/etc/exim/sysfilter/options:

```
# CUSTOM FILTER
if "${if def:header_X-PHP-Script: {there}}" is there
then
  headers remove X-PHP-Script
endif
if "${if def:header_X-PHP-Originating-Script: {there}}" is there
then
  headers remove X-PHP-Originating-Script
endif
```
I am using cPanel Version 106.0.11, so things may have changed. I tried the above code in a 'custom filter', with no luck. But with a little searching, I used the below code, and it worked perfectly!! I have been altering the X-PHP-Script variables for a long time, and preferred to use it on a per-email situation. The code below will remove these variables on every email sent through my server :( Any other suggestions would be great :) The changes are the actual 'headers remove' lines.

```
# CUSTOM FILTER
if "${if def:header_X-PHP-Script: {there}}" is there
then
  headers_remove="X-PHP-Script"
endif
if "${if def:header_X-PHP-Originating-Script: {there}}" is there
then
  headers_remove="X-PHP-Originating-Script"
endif
```
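
A way to confirm that either of the two filters posted above actually strips the headers from delivered mail, as an added example that is not part of the original thread or of cPanel. The function name `php_origin_headers`, the sample messages, `example.test` and `192.0.2.10` are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads one raw RFC 5322 message on stdin, prints every
# X-PHP-Script / X-PHP-Originating-Script header found in the header section
# (unfolded to one line), and returns 1 if any is present, 0 if none.
php_origin_headers() {
    awk '
        function emit() {
            if (tolower(cur) ~ /^x-php-(originating-)?script[ \t]*:/) {
                print cur
                found = 1
            }
            cur = ""
        }
        { sub(/\r$/, "") }                 # tolerate CRLF line endings
        /^$/ { emit(); exit }              # blank line: header section ends
        /^[ \t]/ {                         # folded continuation line
            if (cur != "") { sub(/^[ \t]+/, " "); cur = cur $0 }
            next
        }
        { emit(); cur = $0 }               # a new header field starts
        END { emit(); exit (found ? 1 : 0) }
    '
}

# Constructed sample: mail as sent by PHP mail() with no filter in place.
sample_unfiltered() {
    cat <<'EOF'
From: site@example.test
X-PHP-Script: example.test/admin/index.php
 for 192.0.2.10
X-PHP-Originating-Script: 500:mail.php
Subject: test

Body text quoting "X-PHP-Script: x" must not be reported.
EOF
}

# Constructed sample: the same mail after the system filter removed both headers.
sample_filtered() {
    cat <<'EOF'
From: site@example.test
Subject: test

X-PHP-Script: this line is body text, not a header.
EOF
}

if sample_unfiltered | php_origin_headers; then echo "clean"; else echo "leak"; fi
if sample_filtered | php_origin_headers; then echo "clean"; else echo "leak"; fi
```

Feed it the saved raw source of a test message received at an external mailbox; checking the received copy is what shows whether the script path and client address still leave the server.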