rejected during MIME ACL checks: exim_check_attachment.sh: contains a dangerous payload.

sahostking

We seem to get the following error when a customer sends Pastel backups, which is a popular online accounting system backup, to his email.

Very small files, but they contain a dat file within a zip, which I think ESF does not like.

rejected during MIME ACL checks: exim_check_attachment.sh: 'Accboml.zip' contains a dangerous payload.

Found the following file to probably be the cause:

/etc/exim.easy_spam_fighter/check_mime.conf

with the following content:

deny
message = zip file contains an attachment with a dangerous payload ($mime_filename).
condition = ${if !eq{$acl_c_esf_skip}{1}}
condition = ${if match \
{${lc:$mime_filename}} \
{\N(\.zip)$\N} \
{1}{0}}
condition = ${run{/bin/sh -c '/etc/exim.easy_spam_fighter/exim_check_attachment.sh zip $message_exim_id $mime_decoded_filename'}{0}{1}}

log_message = exim_check_attachment.sh: '$mime_filename' contains a dangerous payload.

How do we allow it to send without the above causing issues?

If I remove those lines from the file, I think they will reappear when we rebuild exim or an update runs, surely?

For now we whitelisted the email address in /etc/virtual/whitelisted_senders.
 
Hello again. :)
The .dat file is listed as a suspicious file, so you need to have a look in the /etc/exim.easy_spam_fighter/exim_check_attachment.sh file.
The content under UNZIP looks like:
Code:
 egrep -i '[.](bat|btm|cmd|com|cpl|dat|dll|exe|lnk|msi|pif|prf|reg|scr|vb|vbs|url|jar)$'
Remove "dat" from there so it looks like:
Code:
 egrep -i '[.](bat|btm|cmd|com|cpl|dll|exe|lnk|msi|pif|prf|reg|scr|vb|vbs|url|jar)$'
and restart exim.

You might have to chattr that file so it won't change on any update.
 
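Added example (not part of the thread and not taken from exim_check_attachment.sh): the two extension patterns quoted above, run against a constructed list of archive member names to show which names the edit stops rejecting and which are still caught. `grep -E -i` stands in for `egrep -i`; the function names and the sample member names are assumptions made for illustration.

```shell
#!/bin/sh
# Compare the extension pattern before and after removing "dat".
# The member names are constructed sample data, not a real backup listing.

STOCK='[.](bat|btm|cmd|com|cpl|dat|dll|exe|lnk|msi|pif|prf|reg|scr|vb|vbs|url|jar)$'
EDITED='[.](bat|btm|cmd|com|cpl|dll|exe|lnk|msi|pif|prf|reg|scr|vb|vbs|url|jar)$'

# Constructed archive member names, one per line.
sample_members() {
cat <<'EOF'
ledger.dat
LEDGER.DAT
readme.txt
backup.dat.exe
data/accounts.dat
setup.msi
notes.dat.bak
EOF
}

# flagged PATTERN: print the names read from stdin that the pattern rejects.
# "|| true" keeps the exit status at 0 when nothing matches.
flagged() {
    grep -E -i -- "$1" || true
}

# newly_allowed: names the stock pattern rejects but the edited one accepts.
newly_allowed() {
    sample_members | flagged "$STOCK" | while IFS= read -r name; do
        printf '%s\n' "$name" | grep -E -i -q -- "$EDITED" || printf '%s\n' "$name"
    done
}

echo "Rejected by the stock list:"
sample_members | flagged "$STOCK"
echo "Rejected by the edited list:"
sample_members | flagged "$EDITED"
echo "Newly allowed by the edit:"
newly_allowed
```

The match is on the final extension only and ignores case, so the edit lets through every member ending in .dat from any sender, while a name such as backup.dat.exe is still rejected by the .exe entry.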