User Tools

Site Tools


How To Permit EML Attachments To Bypass Exim's Filters in cPanel

What is an .eml File

An EML file is an email message that has been saved by an email client in a single file. It may contain the following email data:

  • the message content
  • the subject
  • the sender
  • the recipient(s)
  • the date
  • any email attachments

These files can often be opened in text editors by changing the extension to .txt.

Why .eml Attachments are Blocked by Exim

The issue with .eml attachments is that hackers and spammers will often use these attachments as a vector of attack to exploit the recipient of the email containing the malicious attachment. The .eml file extension has been known to be linked to certain malware, to phishing attempts, and used to bypass antivirus scanning. However, .eml files can be used legitimately by some to share email messages and for making email backup files. Considering that these email attachments are typically comprised of only text and possibly links, the content could just as well be included in the body of the message rather than potentially exposing the recipient to malware by requesting that they allow .eml attachments. If one needs to send a copy of an email, one could alternatively just forward that email.

How To Allow .eml Attachments for Exim on cPanel

If you must allow .eml files through Exim, the instructions for doing so are discussed here.

In future Cpanel updates, /etc/cpanel_exim_system_filter may get overwritten if you edit it. Thus, you cannot edit this file directly. Instead, you must create a custom filter and use it instead. The only downside of this method is that if Cpanel updates /etc/cpanel_exim_system_filter, you won't benefit from those changes, but at least you'll retain the custom changes you applied directly to your custom filter file.

Solution per 1) cPanel forums and verified via 2)cPanel's official documentation:

1. Copy the Exim filter file to your custom location (this can be named anything you'd like):

  cp /etc/cpanel_exim_system_filter /etc/cpanel_exim_system_filter_custom

2. Then edit /etc/cpanel_exim_system_filter_custom and remove the eml| from the four noncommented lines that reference it.

Per 3)cPanel documentation, the default system filter file


contains four sections:

  • Single part MIME messages with suspicious name extensions
  • Single part MIME messages with suspicious name extensions using unquoted filenames
  • Embedded VBS attachments
  • Embedded VBS attachments using unquoted filenames

To add/remove an extension, edit the regular expressions in the following four lines:

  if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
  if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"
  if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
  if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"

Change these lines as follows to allow .eml extensions:

  if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
  if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"
  if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
  if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"

You can use the following commands via SSH to accomplish this:

  cp /etc/cpanel_exim_system_filter{,_custom}
  sed -i 's/eml|//g'  /etc/cpanel_exim_system_filter_custom

3. Then log into WHM, click on Exim Configuration Editor, and change the system filter at the bottom from /etc/cpanel_exim_system_filter to /etc/cpanel_exim_system_filter_custom . Save the changes

Now Cpanel will use /etc/cpanel_exim_system_filter_custom, which if properly edited to remove the 'eml|' references, will allow EML attachments to go through in the future.

Feel free to open a support request with your 24/7 KnownHost support team if you need help implementing these changes!

control-panels/cpanel-whm/how-to-permit-eml-attachments-in-cpanels-exim-configuration.txt · Last modified: 2020/06/02 08:12 by Karson N.