Skip to main content

Remove EXTERNAL from subject on exim for email leaving your domain

In an earlier post I mentioned how to tag/add EXTERNAL to the subject header on exim.  I made the changes on our Sophos UTM which may require re-applying the configuration files after Sophos UTM update.

I ended up adding and elif block to act on outgoing emails in the exim.system_filter file

this is the block I added.  Change your domain as appropriate and add additional lines if you need to.

elif
 $header_from: contains "@yourdomain.com>"
 and $header_to: does not contain "@yourdomain.com>"
 and $header_subject: contains "[EXTERNAL]"
then
 headers add "Old-Subject: $h_subject:"
 headers remove "Subject"
 headers add "Subject: ${sg{$h_old-subject:}{[[]EXTERNAL[]]}{}}"
 headers remove "Old-Subject"
endif

This is the full exim.system_filter file

To have the $h_from or $header_from act on the domain part and not the display name part if someone was trying to spoof the from name I added the > at the end of the domain.  If you have alert domains that do not add display name they will get tagged with EXTERNAL.  You can add the full email address for those from addresses.

you will need to edit the exim.conf and add the line
system_filter = /etc/exim.system_filter
then restart exim

On Sophos UTM 9 to restart exim
/var/mdw/scripts/smtp restart

if
 $header_from: does not contain "@yourdomain.com>"
 and $header_from: does not contain "name@internaldomain.localdomain"
 and $header_from: does not contain "@anotherdomain.com"
 and $header_from: does not contain "@rt.tricongeophysics.com>"
 and $header_subject: does not contain "[EXTERNAL]"
then
 headers add "Old-Subject: $h_subject:"
 headers remove "Subject"
 headers add "Subject: [EXTERNAL] $h_old-subject"
 headers remove "Old-Subject"
elif
 $header_from: contains "@yourdomain.com>"
 and $header_to: does not contain "@yourdomain.com>"
 and $header_subject: contains "[EXTERNAL]"
then
 headers add "Old-Subject: $h_subject:"
 headers remove "Subject"
 headers add "Subject: ${sg{$h_old-subject:}{[[]EXTERNAL[]]}{}}"
 headers remove "Old-Subject"
endif


Sam Saqr

Comments

Popular posts from this blog

Best Free Antivirus for Home use

Best Free Antivirus
Are you looking for a good anti-virus that is free.  My current recommendation is Free Sophos Home. https://home.sophos.com/en-us/free-anti-virus-windows.aspx
Sophos Home the free version comes with Real Time Antivirus, Parental Website Filtering, Web protection, Remote management, and support for 10 PC's and Macs from one free account.
I have used the Sophos Endpoint paid version for several years at my work and has been a great product.
Web Protection and Parental Website Filtering are useful from keeping all computers from known infected websites.  Sophos makes this easy by having categories.  You want to block all know malware/spyware infected websites.

EXTERNAL domain warning for zimbra

With the phishing attempts that consonantly target users your company can get exposed to a possible infiltration because a user thought a representative of the company sent them an email asking to change the password or to cleanup a full inbox, etc. In the email they will have a link and a login page that is used to collect the users login name and password. Many companies are starting to implement some kind of indication to the user that the email originated outside the company. Some will add a tag to the subject like [EXTERNAL] if the mail system has capabilities for using transport rules, spamassasin header, postfix header_checks.

Other phishing attempts would use CEO names in the name field with a different return email address. The way users fall for this is they do not look at the originating email address. It also does not help that most mail clients will only show display name when provided instead of the email.

Currently zimbra does not have a way to create a…