Configuration Parameters

In this section

Component Parameters

Data Source Sections

Adding sections for new data sources

The component uses configuration parameters specified in the [LookupD] section of the unified configuration file of Dr.Web Mail Security Suite.

Component Parameters

The section contains the following parameters:

Parameter

Description

LogLevel

{logging level}

Logging level of the component.

If this parameter is not set, the DefaultLogLevel parameter value from the [Root] section is used.

Default value: Notice

Log

{log type}

Logging method of the component.

Default value: Auto

ExePath

{path to file}

Component executable path.

Default value:

for GNU/Linux: /opt/drweb.com/bin/drweb-lookupd

for FreeBSD: /usr/local/libexec/drweb.com/bin/drweb-lookupd

RunAsUser

{UID | user name}

User on behalf of whom the component is started. Either a numerical UID of the user or a user name (login) can be specified. If the user name consists of numbers (that is, the name is similar to a numerical UID), it must be specified with the name: prefix, for example, RunAsUser = name:123456.

If the user name is not specified, the component shuts down with an error upon startup.

Default value: drweb

IdleTimeLimit

{time interval}

Maximum idle time for the component. When the specified period of time expires, the component shuts down.

Allowed values: from 10 seconds (10s) to 30 days (30d).
If the None value is set, the component will operate indefinitely; the SIGTERM signal will not be sent if the component goes idle.

Default value: 10m

DebugLibldap

{boolean}

Log or do not log debug messages of the libldap library at the debug level (with LogLevel = DEBUG).

Default value: No

LdapCheckCertificate

{No | Allow | Try | Yes}

The mode of certificate verification for LDAP connections via SSL/TLS.

Allowed values:

No—never request a server certificate.

Allow—request the server certificate. If the certificate is not provided, the session will continue normally. If the server certificate is provided but cannot be verified (the corresponding root certificate was not found), the server certificate will be ignored and the session will continue normally.

Try—request the server certificate. If the certificate is not provided, the session will continue normally. If the server certificate is provided but cannot be verified (the corresponding root certificate was not found), the session will be terminated.

Yes—request the server certificate. If the certificate is not provided or cannot be verified (the corresponding root certificate was not found), the session will be terminated.

For LDAP data sources this certificate verification mode influences the way the URL is processed when the ldaps:// scheme or the StartTLS extension is used. For AD data sources it influences the server connection, if UseSSL=Yes is specified in the corresponding section (see below).

Default value: Yes

LdapCertificatePath

{path to file}

Path to the SSL certificate used for secure connection to LDAP servers (Active Directory) via SSL/TLS.

The certificate file and the private key file (specified by the LdapKeyPath parameter) must match each other.

Default value: (not specified)

LdapKeyPath

{path to file}

Path to the private key used for secure connection to LDAP servers (Active Directory) via SSL/TLS.

The certificate file (specified by the LdapCertificatePath parameter) and the private key file must match each other.

Default value: (not specified)

LdapCaPath

{path}

Path to the directory or file with a list of root certificates which are trusted for sharing data using the LDAP protocol via SSL/TLS.

Default value: <Path to the system list of trusted certificates.>. The path depends on your GNU/Linux distribution.

For Astra Linux, Debian, Linux Mint, SUSE Linux and Ubuntu this is usually the path /etc/ssl/certs/.

For CentOS and Fedora—the path /etc/pki/tls/certs/ca-bundle.crt.

For other distributions, the path can be defined by running the command openssl version -d.

If the command is unavailable or your OS distribution cannot be identified, the /etc/ssl/certs/ value is used.

DbIdleTimeout

{time interval}

The timeout period at the end of which an established connection to a Redis database will be closed if it is idle.

Default value: 5m

MysqlDefaultConn

{URL}

URI that defines default parameters for connecting to a MySQL database.

Allowed values:

tcp://[<user>[:<password>]@][<host>][:<port>][/<database name>][?<parameter>=<value>[&…]];

unix://[<user>[:<password>]@]<socket path>[:<database name>][?<parameter>=<value>[&…]].

Take notice of the URI requirements.

Default value: (not specified)

PqDefaultConn

{URL}

URI that defines default parameters for connecting to a PostgreSQL database.

Allowed values:

tcp://[<user>[:<password>]@][<host>][:<port>][/<database name>][?<parameter>=<value>[&…]];

unix://[<user>[:<password>]@]<socket path>[:<database name>][?<parameter>=<value>[&…]].

Take notice of the URI requirements.

Default value: (not specified)

SqliteDefaultConn

{path to file}

Path to a default SQLite database file (specify the file:// scheme prefix).

Default value: (not specified)

RedisDefaultConn

{URL}

URL that defines default parameters for connecting to a Redis database.

Allowed values:

tcp://[<password>@][<host>][:<port>][/<database index>];

unix://[<password>@]<socket path>[:<database index>].

Take notice of the URI requirements.

Default value: (not specified)

URI requirements for database connection

1.Only the tcp:// and unix:// scheme prefixes (for local UNIX sockets) are used. Database-specific prefixes, such as postgresql:// or mysql://, are not supported. Path to an SQLite database file is specified with the file:// scheme prefix.

2.If the <host> field is not specified in the URI or the localhost host is specified, the 127.0.0.1 host address is substituted. In this case by default the connection to MySQL and PostgreSQL databases is established using a local UNIX socket despite that a network connection is specified.

3.If URI fields (such as <user>, <password>, <database name> and so on) or the connection parameter string contain special characters (a space, a colon and so on), use hex coding, for example:

space—%20;

:—%3A;

/—%2F;

@—%40;

%—%25.

4.For MySQL, the connection parameter string can include only the following parameters:

Parameter name

Convention in database documentation

Type

Description

init

MYSQL_INIT_COMMAND

String

An SQL command to be run after connecting to the database

compression

MYSQL_OPT_COMPRESS

Boolean

Compress or do not compress data in transit

connect-timeout

MYSQL_OPT_CONNECT_TIMEOUT

Integer

Time-out for disconnecting an unused connection in seconds

reconnect

MYSQL_OPT_RECONNECT

Boolean

Allow or deny automatic reconnection

read-timeout

MYSQL_OPT_READ_TIMEOUT

Integer

Time-out for receiving packets from the server in seconds

write-timeout

MYSQL_OPT_WRITE_TIMEOUT

Integer

Time-out for sending packets to the server in seconds

charset

MYSQL_SET_CHARSET_NAME

String

Character encoding used for the default connection

plugin-dir

MYSQL_PLUGIN_DIR

String

Path to the server directory storing plug-ins

nonblock

MYSQL_OPT_NONBLOCK

Integer

Stack size for non-blocking I/O operations

ssl-key

MYSQL_OPT_SSL_KEY

String

Path to a private key (in the PEM format) used to establish a secure connection

ssl-cert

MYSQL_OPT_SSL_CERT

String

Path to a public key certificate (in the PEM format) used to establish a secure connection

ssl-ca

MYSQL_OPT_SSL_CA

String

Path to a file (in the PEM format) containing trusted CA certificates

ssl-capath

MYSQL_OPT_SSL_CAPATH

String

Path to a directory containing trusted CA certificates (in the PEM format)

ssl-cipher

MYSQL_OPT_SSL_CIPHER

String

List of supported encryption algorithms for a secure connection

ssl-crl

MYSQL_OPT_SSL_CRL

String

Path to a file (in the PEM format) containing revoked certificates

ssl-crlpath

MYSQL_OPT_SSL_CRLPATH

String

Path to a directory containing revoked certificates (in the PEM format)

ssl-fp

MARIADB_OPT_SSL_FP

String

SHA1 hash of a trusted server certificate

ssl-fp-list

MARIADB_OPT_SSL_FP_LIST

String

Path to a file containing SHA1 hashes of tursted server certificates

tls-passphrase

MARIADB_OPT_TLS_PASSPHRASE

String

Password for a password-protected client private key

tls-version

MARIADB_OPT_TLS_VERSION

String

List of supported TLS versions

server-verify-cert

MYSQL_OPT_SSL_VERIFY_SERVER_CERT

Boolean

Allow or deny verification of server certificates

server-public-key-path

MYSQL_SERVER_PUBLIC_KEY

String

Path to a file (in the PEM format) containing an RSA public key of the server

Read more on these parameters in the database documentation: https://mariadb.com/kb/en/mysql_optionsv/.

5.For the PostgreSQL database also refer to https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS.

Data Source Sections

In addition to the general section [LookupD], the configuration file also contains sections that describe connections to data sources (one section for each connection). These sections are named using the following scheme: [LookupD.<type>.<name>], where:

<type>—connection type:

LDAP—for a directory service using LDAP;

AD—for a directory service using Active Directory;

AllMatch—for a text file in the AllMatch mode (full match);

Mask—for a text file in the Mask mode (mask matching);

Regex—for a text file in the Regex mode (matching a regular expression in the PCRE standard);

Cidr—for a text file in the Cidr mode (matching IP addresses and/or ranges);

Pq—for a PostgreSQL database;

Mysql—for a MySQL database;

Sqlite—for an SQLite database;

Redis—for a Redis database.

<name>—a unique identifier (tag) for the connection, by which the connection can be referred to from the rules.

Example: [LookupD.LDAP.auth1].

Connection-specific sections comprise a set of parameters depending on a source type. The number of sections is unlimited.

1.Parameters used in LDAP sections

Parameter

Description

Url

{string}

URL that defines the used LDAP server and extracted data. In accordance with RFC 4516, the URL is constructed on the basis of the following scheme:

<scheme>://<host>[:<port>]/<dn>[?<attrs>[?<scope>[?<filter>[?<extensions>]]]]

Where:

<scheme>—method of connection to the server (the following schemes are allowed: ldap, ldaps and ldapi);

<host>[:<port>]—LDAP server address at which the request is sent;

<dn>—distinguished name of an object, information about which is received;

<attrs>—names of record attributes, the values of which must be received in the request;

<scope>—search scope (base, one, sub);

<filter><filter>—filtering condition for the values of extracted attributes;

<extensions>—list of LDAP extensions used in the request.

Features

In the list of attributes <attrs>, it is possible to use special selection characters *, + and 1.1.

The following automatically resolved markers can be used in the <dn> and <filter> parts of the URLs:

$u is automatically replaced with user—the user name sent by a client component;

$d is automatically replaced with domain—the domain sent by the client component;

$D—a chain of <subdomain>.<domain> transformed into dc=<subdomain>,dc=<domain>;

$$—the $ character.

If the <filter> condition requires using special characters (for example: *, (, ), \, the character with code 0) as usual ones, they should be formatted as \XX. In addition, special characters in LDAP URLs are encoded using %XX sequences. For example, when using the / character in a URL in the ldapi scheme as a part of the path to a local LDAP server socket, this character is encoded as %2f.

As allowed extensions in <extensions>, only StartTLS and 1.3.6.1.4.1.1466.20037 are supported, they use TLS (i.e. a secure connection with an LDAP server is established, even if the use of the ldaps secure scheme is not explicitly indicated). If the name of the used extension is preceded by the ! character, then the use of TLS is required, i.e. in case it is impossible to establish a secure connection, the request will not be performed. Otherwise, the request will be performed even if a secure connection is not established.

These extensions cannot be used with the secure ldaps scheme. For more information, refer to RFC 4516 or man ldap_search_ext_s.

Examples:

ldaps://ds.example.com:990/$D?givenName,sn,cn?sub?(uid=$u)
ldap://ldap.local/o=org,dc=nodomain?ipNetworkNumber?sub?(objectClass=ipNetwork)?!StartTLS

Default value: (not specified)

BindDn

{string}

An object in the LDAP directory to which the user is bound to get authorization.

Example: cn=admin,dc=nodomain

Default value: (not specified)

BindPassword

{string}

The password for authentication on the LDAP server.

Default value: (not specified)

ChaseReferrals

{boolean}

Follow or do not follow references to other LDAP servers, if the current LDAP server returns them in response to requests.

Default value: No

2.Parameters used in AD sections

Parameter

Description

Host

{string}

Domain name (FQDN) or IP address of a host running the server of the Active Directory service to be connected to.

Example: win2012.win.local

Default value: (not specified)

Port

{integer}

Port on the host which is listened to by the server of the Active Directory service.

Default value: 389

Dn

{string}

DN of an object in the Active Directory (similar to the dn part of the LDAP URL).

Example: dc=win,dc=local

Default value: (not specified)

User

{string}

Full identifier of a user on the server.

Example: Administrator@WIN.LOCAL

Default value: (not specified)

Password

{string}

The password for authentication on the Active Directory server.

Default value: (not specified)

ChaseReferrals

{boolean}

Follow or do not follow references to other LDAP servers, if the current Active Directory server returns them in response to requests.

Default value: No

UseSSL

{boolean}

Use or do not use SSL/TLS for connecting to an Active Directory server.

Default value: No

3.Parameters used in AllMatch, Mask, Regex, and Cidr sections

Parameter

Description

File

{path}

Path to a text file containing search strings.

Example: /etc/file1

Default value: (not specified)

Features

Strings from a file specified in the section of the AllMatch type are used in a case-insensitive search to find a full match.

Strings of a file specified in the section of the Mask type are treated as masks (wildcards). Masks can be considered a simplified version of regular expressions containing special characters besides standard ones. Comparing the strings with the masks is case-insensitive. Masks can contain the following special characters and expressions:

*—any character sequence;

?—any character;

[<character set>]—any character from the set (for example, [bac]);

[!<character set>]—any character that does not match any character from the set (for example, [!cab]);

[[:<class>:]]—any character from the provided POSIX character class (alnum, alpha, ascii, blank, cntrl, digit, graph, lower, print, punct, space, upper, xdigit).

A mask matching some substring must cover a search substring surrounded by * characters (e.g., *host*). If you need to specify one of special characters, you need to escape such character with the backslash: \[, \], \*, \?. If needed, the backslash can be escaped as well: \\. There is no need to escape any other characters, e.g. the \a\b\c\*\d\?\\ string will be converted to the abc*d?\ string. Examples of masks:

#Matches the name string exactly
name

#Matches three-character strings where
#the first character is c, the second is any, and the third is t
#For example: cat, cut, cct
c?t

#Matches strings user, users, us3rr, ussr1 and so on
#(the [:alpha:] character class matches any alphabetical
#character, the special character ? matches any character)
us[[:alpha:]34]r?

#Matches strings .con, file.col, 3...co! and so on
#(before .co—any character sequence, after—
#any character except m and ?)
*.co[!m\?]

#Matches any string containing the host part,
#for example: host, localhost, hostel, ghosts
*host*

Strings from a file specified in the section of the Regex type are interpreted as PCREs (Perl Compatible Regular Expressions). Matching strings with regular expressions is done case-insensitively. Examples of regular expressions:

#IPv4
(\d{1,3}.){3}\d{1,3}

#Email address in the .com domain
\w+@\w+\.com

Strings from a file specified in the section of the Cidr type are interpreted as IP addresses or IP address ranges. Both IPv4 and IPv6 formats for IP addresses as well as address ranges are allowed. A subnet mask can be specified in the bit (octet) format, as well as in the CIDR (Classless Inter-Domain Routing) notation, for example:

#IPv4
192.168.0.1
192.168.0.0/12
192.168.0.0/255.255.255.224

#IPv6
fe80::c7e8/32
fe80::c7e8/255.255.255.224

4.Parameters used in the Pq, Mysql and Sqlite sections

Parameter

Description

Conn

{string}

Database connection string.

Allowed values:

for the Mysql (MySQL) and Pq (PostgreSQL) sections:

tcp://[<user>[:<password>]@]<host>[:<port>][/<database name>][?<parameter>=<value>[&…]];

unix://[<user>[:<password>]@]<socket path>[:<database name>][?<parameter>=<value>[&…]];

Examples:

tcp://user:pwd@localhost:1234/userdb

unix://user:pwd@/tmp/pgsql.sock:userdb

Take notice of the URI requirements.

for the Sqlite (SQLite) section:

Path to a database file (specify the file:// scheme prefix).

Example: file:///home/user/users.db

Default value: defined by the corresponding *DefaultConn parameter value

Request

{string}

String of an SQL query (SELECT) to the database. Like with AD and LDAP sources, the following automatically resolved markers can be used in the query:

$u, $U are replaced with user—the user name sent by a client component;

$d, $D are replaced with domain—the domain sent by the client component;

$$ is replaced with the $ character.

Example: SELECT username FROM users INNER JOIN domains ON users.domain = domains.id WHERE domains.name = $d AND users.name = $u

Default value: (not specified)

Only the query of the SELECT type can be specified as an SQL query. After making substitutions, the query is passed to the database “as is”. If the query result contains more than one column, then all columns except the first will be ignored.

5.Parameters used in Redis sections

Parameter

Description

Conn

{string}

Redis database connection string.

Allowed values:

tcp://[<password>@]<host>[:<port>][/<database index>];

unix://[<password>@]<socket path>[:<database index>];

Take notice of the URI requirements.

Example: tcp://localhost:6379

Default value: defined by the RedisDefaultConn parameter value

Request

{string}

Redis database query string. The following automatically resolved markers can be used in the query:

$u, $U are replaced with user—the user name sent by a client component;

$d, $D are replaced with domain—the domain sent by the client component;

$$ is replaced with the $ character.

Example: HVALS bad_users

Default value: (not specified)

If the query result contains more than one column, then all columns except the first will be ignored.

Adding sections for new data sources

To add a new section for a data source of some type with a <name> tag using the Dr.Web Ctl command-line management tool for Dr.Web Mail Security Suite (run with the drweb-ctl command), it is sufficient to use the following command:

# drweb-ctl cfset LookupD.<type> -a <name>

Example:

# drweb-ctl cfset LookupD.AD -a WinAD1
# drweb-ctl cfset LookupD.AD.WinAD1.Host 192.168.0.20

The first command will add a section named [LookupD.AD.WinAD1] to the configuration file, and the second command will modify the value of the Host parameter within this section.

Alternatively, you can write the new section directly to the configuration file (for example, by adding it to the end of the file):

[LookupD.AD.WinAD1]
Host = 192.168.0.20

Both ways have the same effect; however, if you edit the configuration file directly, you will also need to apply the changed settings by reloading the configuration of Dr.Web Mail Security Suite with the command:

# drweb-ctl reload