Configuration Parameters

The component uses configuration parameters which can be found in the [MailD] section of the integrated configuration file of Dr.Web for UNIX Mail Servers.

The section contains the following parameters:

Parameter

Description

LogLevel

{logging level}

Logging level of the component.

If the parameter value is not specified, the DefaultLogLevel parameter value from the [Root] section is used.

Default value: Notice

Log

{log type}

Logging method of the component.

Default value: Auto

ExePath

{path to file}

Executable path to the component.

Default value: <opt_dir>/bin/drweb-maild.

For GNU/Linux: /opt/drweb.com/bin/drweb-maild.

For FreeBSD: /usr/local/libexec/drweb.com/bin/drweb-maild.

RunAsUser

{UID | user name}

The name of the user on whose behalf the component is run. The user name can be specified either as the user’s numeric UID or as the user’s login. If the user name consists of digits only (that is, it looks like a numeric UID), it is specified with the “name:” prefix, for example: RunAsUser = name:123456.

If a user name is not specified, the component terminates with an error after startup.

Default value: drweb

FixedSocketPath

{path to file}

Path to the UNIX socket of the fixed component copy.

If this parameter is specified, the Dr.Web ConfigD configuration daemon checks that there is always a running component copy that is available to the clients via this socket.

Default value: (not set)

IdleTimeLimit

{time interval}

Maximum idle time for the component. When the specified period of time expires, the component shuts down.

The IdleTimeLimit value is ignored (the component does not finish its operation after the time interval expires), if the value of any of the following parameters is set: FixedSocketPath, MilterSocket, SpamdSocket, RspamdHttpSocket, RspamdSocket, SmtpSocket, BccSocket.

Acceptable values: from 10 seconds (10s) to 30 days (30d) inclusive.
If the None value is set, the component runs indefinitely; the SIGTERM signal will not be sent if the component goes idle.

Default value: 30s

DnsResolverConfPath

{path to file}

Path to the configuration file of the domain name resolution subsystem (DNS resolver).

Default value: /etc/resolv.conf

TemplatesDir

{path to directory}

Path to the directory that contains the templates for emails returned to the user in case of email blocking.

Default value: <var_dir>/templates/maild.

For GNU/Linux: /var/opt/drweb.com/templates/maild.

For FreeBSD: /var/drweb.com/templates/maild

TemplateContacts

{string}

Administrator contacts of Dr.Web for UNIX Mail Servers to be inserted into messages about threats (used in message templates).

The contact information is added to a repacked message only if the message gets an attached password-protected archive containing the threats and other unwanted objects removed from the initial message. If, according to the current value of the RepackPassword parameter (see below), attached archives are not protected with a password, the contact information is not added to the modified message.

Default value: (not set)

ReportLanguages

{string}

Languages used for generating service mail messages (for example, mail messages returned to the sender in case of email blocking). Each language is identified by a two-letter code (en, ru, and so on).

You can specify a list as the parameter value. The values in the list must be separated with commas (each value in quotation marks). The parameter can be specified more than once in the section (in this case, all its values are combined into one list).

Example: Add to the list the following languages: ru and de.

1. Adding values to the configuration file.

Two values in a line:

[MailD]
ReportLanguages = "ru", "de"

Two lines (a value per line):

[MailD]
ReportLanguages = ru
ReportLanguages = de

2. Adding values via the drweb-ctl cfset command:

# drweb-ctl cfset MailD.ReportLanguages -a ru
# drweb-ctl cfset MailD.ReportLanguages -a de

Default value: en

RepackPassword

{None | Plain(<password>) | HMAC(<secret>)}

The method for generating the password for archives with malicious objects that are placed in messages and sent to recipients. The following methods are allowed:

None—archives will not be protected with a password (not recommended);

Plain(<password>)—all archives will be protected with the same password <password>;

HMAC(<secret>)—a unique password will be generated for each archive based on the pair (<secret>, <message identifier>).

To restore the password that protects an archive from the message identifier and the known secret, use the following command: drweb-ctl idpass.

By default, this parameter is set to None; it is recommended that you change it when configuring Dr.Web for UNIX Mail Servers.

Default value: None

ScanTimeout

{time interval}

Time-out for scanning one email message initiated by Dr.Web MailD.

Acceptable values: from 1 second (1s) to 1 hour (1h).

Default value: 3m

HeuristicAnalysis

{On | Off}

Enable/disable heuristic analysis for detecting unknown threats.

Heuristic analysis provides higher detection reliability but, at the same time, it increases the duration of virus scanning.

Allowed values:

On—use heuristic analysis when scanning;

Off—do not use heuristic analysis.

Default value: On

PackerMaxLevel

{integer}

Maximum nesting level for packed objects. A packed object is executable code compressed with special software (UPX, PELock, PECompact, Petite, ASPack, Morphine and so on). Such objects may include other packed objects, which may also include packed objects, and so on. The value of this parameter specifies the nesting limit beyond which packed objects inside other packed objects will not be scanned.

The value of this parameter can be any integer number greater than 0. If the value is set to 0, nested objects are not scanned.

Default value: 8

ArchiveMaxLevel

{integer}

Maximum nesting level for archives (zip, rar, and so on) in which other archives may be enclosed (and these archives may also include other archives, and so on). The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives will not be scanned.

The value of this parameter can be any integer number greater than 0. If the value is set to 0, nested objects are not scanned.

Default value: 8

MailMaxLevel

{integer}

Maximum nesting level for files of mailers (pst, tbb and so on) in which other files may be enclosed (and these files may also include other files and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects will not be scanned.

The value of this parameter can be any integer number greater than 0. If the value is set to 0, nested objects are not scanned.

Default value: 8

ContainerMaxLevel

{integer}

Maximum nesting level for other types of objects inside which other objects are enclosed (HTML pages, jar-files, etc.). The value of this parameter specifies the nesting limit beyond which objects inside other objects will not be scanned.

The value of this parameter can be any integer number greater than 0. If the value is set to 0, nested objects are not scanned.

Default value: 8

MaxSizeToExtract

{size}

Maximum size for files enclosed in archives. Files whose size is greater than the value of this parameter will be skipped when scanning. There is no size limit for files in archives by default.

The value of this parameter is specified as a number with a suffix (b, kb, mb, gb). If no suffix is specified, the value is treated as size in bytes.

If the value is set to 0, files in archives will not be checked at all.

Default value: None

MaxCompressionRatio

{integer}

Maximum compression ratio of compressed/packed objects (the ratio between the uncompressed size and the compressed size). If the ratio exceeds the limit, the object will be skipped during scanning initiated by Dr.Web MailD.

The compression ratio must not be smaller than 2.

Default value: 500

MilterSocket

{path to file | IP address:port}

The socket for connecting to the MTA as a Milter mail filter (the MTA will connect to this socket when using Dr.Web MailD as the corresponding filter). A UNIX socket or a network socket can be used.

The rules for processing messages received via Milter are specified in the MilterHook parameter (see below).

Default value: (not set)

MilterDebugIpc

{Boolean}

Indicates whether Milter protocol messages should be saved to debug log (LogLevel = Debug).

Default value: No

MilterTraceContent

{Boolean}

Indicates whether the bodies of email messages received for scanning via the Milter protocol interface should be written to the debug log (LogLevel = Debug).

Default value: No

MilterHook

{path to file | Lua function}

Lua script for processing email messages received via the Milter interface, or the path to the file containing the script (see the Email Processing in Lua section).

If the path to the file is wrong, an error will be returned when launching the component.

Default value:

local dw = require "drweb"
local dwcfg = require "drweb.config"

function milter_hook(ctx)

  -- Reject the message if it is likely spam
  if ctx.message.spam.score >= 100 then
    dw.notice("Spam score: " .. ctx.message.spam.score)
    return {action = "reject"}
  else
    -- Assign X-Drweb-Spam headers in accordance with spam report
    ctx.modifier.add_header_field("X-DrWeb-SpamScore", ctx.message.spam.score)
    ctx.modifier.add_header_field("X-DrWeb-SpamState", ctx.message.spam.type)
    ctx.modifier.add_header_field("X-DrWeb-SpamDetail", ctx.message.spam.reason)
    ctx.modifier.add_header_field("X-DrWeb-SpamVersion", ctx.message.spam.version)
  end

  -- Check if the message contains viruses, repack if so
  for threat, path in ctx.message.threats{category = {"known_virus", "virus_modification", "unknown_virus", "adware", "dialer"}} do
    ctx.modifier.repack()
    dw.notice(threat.name .. " found in " .. (ctx.message.part_at(path).name or path))
  end

  -- Repack if unwanted URL has been found
  for url in ctx.message.urls{category = {"infection_source", "not_recommended", "owners_notice"}} do
    ctx.modifier.repack()
    dw.notice("URL found: " .. url .. "(" .. url.categories[1] .. ")")
  end

  -- Assign X-AntiVirus header
  ctx.modifier.add_header_field("X-AntiVirus", "Checked by Dr.Web [MailD version: " .. dwcfg.maild.version .. "]")

  -- Accept the message with all scheduled transformations applied
  return {action = 'accept'}
end

SpamdSocket

{path to file | IP address:port}

The socket for connection to MTA as Spamd filter of email messages (MTA will connect to this socket when using Dr.Web MailD as the corresponding filter). Usage of the UNIX socket or network socket is allowed.

The rules for processing messages received via Spamd are specified in the SpamdReportHook parameter (see below).

Default value: (not set)

SpamdDebugIpc

{Boolean}

Output Spamd protocol messages in debug log (LogLevel = Debug).

Default value: No

SpamdReportHook

{path to file | Lua function}

Lua script that processes email messages received via the Spamd interface, or the path to the file containing the script (see the Email Processing in Lua section).

If an unavailable file is specified, an error appears when loading the component.

Default value:

local dw = require "drweb"

function spamd_report_hook(ctx)
  local score = 0
  local report = ""

  -- Add 1000 to the score for each threat found in the message
  for threat, path in ctx.message.threats{category = {"known_virus", "virus_modification", "unknown_virus", "adware", "dialer"}} do
      score = score + 1000
      report = report .. "Threat found: " .. threat.name .. "\n"
      dw.notice(threat.name .. " found in " .. (ctx.message.part_at(path).name or path))
  end

  -- Add 100 to the score for each unwanted URL found in the message
  for url in ctx.message.urls{category = {"infection_source", "not_recommended", "owners_notice"}} do
      score = score + 100
      report = report .. "Url found: " .. url .. "\n"
      dw.notice("URL found: " .. url .. "(" .. url.categories[1] .. ")")
  end

  -- Add the spam score
  score = score + ctx.message.spam.score
  report = report .. "Spam score: " .. ctx.message.spam.score .. "\n"
  if ctx.message.spam.score >= 100 then
      dw.notice("Spam score: " .. ctx.message.spam.score)
  end

  -- Return the check result
  return {
     score = score,
     threshold = 100,
     report = report
     }
end

SpoolDir

{path to directory}

Temporary storage directory for scanned email messages.

Default value: /tmp/com.drweb.maild

RspamdHttpSocket

{path to file | IP address:port}

The socket for connection to MTA as mail Rspamd filter (this socket will be used by MTA while using Dr.Web MailD as the corresponding filter with HTTP option of Rspamd protocol). Usage of the UNIX socket or network socket is allowed.

The rules for processing messages received via Rspamd are specified in the RspamdHook parameter (see below).

Default value: (not set)

RspamdSocket

{path to file | IP address:port}

The socket for connection to MTA as mail Rspamd filter (this socket will be used by MTA while using Dr.Web MailD as the corresponding filter with legacy option of Rspamd protocol). Usage of the UNIX socket or network socket is allowed.

Default value: (not set)

RspamdDebugIpc

{Boolean}

Output Rspamd protocol messages in the debug log (LogLevel = Debug).

Default value: No

RspamdHook

{path to file | Lua function}

Lua script that processes email messages received via the Rspamd interface, or the path to the file containing the script (see the Email Processing in Lua section).

If an unavailable file is specified, an error appears when loading the component.

Default value:

local dw = require "drweb"

function rspamd_hook(ctx)
  local score = 0
  local symbols = {}

  -- Add 1000 to the score for each threat found in the message
  for threat, path in ctx.message.threats{category = {"known_virus", "virus_modification", "unknown_virus", "adware", "dialer"}} do
      score = score + 1000
      table.insert(symbols, {name = threat.name, score = 1000})
      dw.notice(threat.name .. " found in " .. (ctx.message.part_at(path).name or path))
  end

  -- Add 100 to the score for each unwanted URL found in the message
  for url in ctx.message.urls{category = {"infection_source", "not_recommended", "owners_notice"}} do
      score = score + 100
      table.insert(symbols, {name = "URL " .. url, score = 100})
      dw.notice("URL found: " .. url .. "(" .. url.categories[1] .. ")")
  end

  -- Add the spam score
  score = score + ctx.message.spam.score
  table.insert(symbols, {name = "Spam score", score = ctx.message.spam.score})
  if ctx.message.spam.score >= 100 then
      dw.notice("Spam score: " .. ctx.message.spam.score)
  end

  -- Return the check result
  return {
     score = score,
     threshold = 100,
     symbols = symbols
  }
end

SpfCheckTimeout

{time interval}

Maximum total time for SPF check.

Default value: 20s

SpfVoidLimit

{integer}

Maximum number of empty answers allowed during SPF check.

Default value: 2

SmtpSocket

{path to file | IP address:port}

The socket for connection to MTA as mail filter for messages in SMTP mode (MTA will connect to this socket when using Dr.Web MailD as the external filter). Usage of the UNIX socket or network socket is allowed.

Default value: (not set)

SmtpSenderRelay

{path to file | IP address:port}

The socket for connection to MTA as mail filter for scanned messages in SMTP mode (MTA will connect to this socket when using Dr.Web MailD as the external filter). Usage of the UNIX socket or network socket is allowed.

Default value: (not set)

BccSocket

{path to file | IP address:port}

The socket for connection to MTA as mail filter for messages in BCC mode (MTA will connect to this socket when using Dr.Web MailD as the external filter). Usage of the UNIX socket or network socket is allowed.

Default value: (not set)

BccReporterAddress

{string}

The email address from which Dr.Web MailD reports will be sent after scanning of email attachments in BCC mode.

Default value: (not set)

BccReporterPassword

{None | Plain(<password>)}

The password for the email address from which Dr.Web MailD reports will be sent after scanning of email attachments in BCC mode.

Allowed values:

None—email is not protected by a password;

Plain(<password>)—email is protected with the specified password.

Default value: None

BccReportRecipientAddress

{string}

The email address to which Dr.Web MailD reports will be sent after scanning of email attachments in BCC mode.

Default value: (not set)

BccSmtpServer

{string}

The MTA address for sending email messages in SMTP and BCC modes. Usage of the domain, the IP-address or the UNIX socket is allowed.

Default value: (not set)

VxcubePlatforms

{platform, … | All}

The list of OS platforms for executing email attachment files when using Dr.Web vxCube as the email message scanning tool in the external filter mode (SMTP or BCC).

The values in the list must be separated with commas (each value in the quotation marks). The parameter can be specified more than once in the section (in this case, all its values are combined into one list).

Allowed values:

<platform>—the value of the os_code field (OS name with bitness specified) from the platforms API call in Dr.Web vxCube (for details see User manual for Dr.Web vxCube, section Platform);

All—all available platforms.

Default value: All

VxcubeFileFormats

{format, … | All}

The list of formats of email attachment files that will be sent for analysis when using Dr.Web vxCube as the email message scanning tool in the external filter mode (SMTP or BCC).

The values in the list must be separated with commas (each value in the quotation marks). The parameter can be specified more than once in the section (in this case, all its values are combined into one list).

Allowed values:

<format>—the value of the name field (file format name) from the formats API call in Dr.Web vxCube (for details see User manual for Dr.Web vxCube, section Format);

All—all available formats.

Default value: All

VxcubeSampleRunTime

{time interval}

The time for executing an email attachment file, sent for analysis when using Dr.Web vxCube as the email message scanning tool in the external filter mode (SMTP or BCC).

Default value: (not set)

SmtpHook

{path to file | Lua function}

Lua script that processes email messages received in SMTP mode, or the path to the file containing the script (see the Email Processing in Lua section).

If UseVxcube = Yes is set in the [Root] section of the configuration file, the action of scanning email attachments with Dr.Web vxCube is added to the Lua script by default.

Default value:

local dw = require "drweb"

function smtp_hook(ctx)
  -- Discard the message if it is likely spam
  if ctx.message.spam.score >= 100 then
      dw.notice("Spam score: " .. ctx.message.spam.score)
      return {action = "discard"}
  else
      -- Add X-Drweb-Spam headers with the spam report
      ctx.modifier.add_header_field("X-DrWeb-SpamScore", ctx.message.spam.score)
      ctx.modifier.add_header_field("X-DrWeb-SpamState", ctx.message.spam.type)
      ctx.modifier.add_header_field("X-DrWeb-SpamDetail", ctx.message.spam.reason)
      ctx.modifier.add_header_field("X-DrWeb-SpamVersion", ctx.message.spam.version)
  end

  -- Check if the message contains viruses, repack if so
  threat_categories = {"known_virus", "virus_modification", "unknown_virus", "adware", "dialer"}
  if ctx.message.has_threat({category = threat_categories}) then
      for threat, path in ctx.message.threats({category = threat_categories}) do
        dw.notice(threat.name .. " found in " .. (ctx.message.part_at(path).name or path))
      end
      ctx.modifier.repack()
      return {action = "accept"}
  end

  -- Repack if unwanted URL has been found
  url_categories = {"infection_source", "not_recommended", "owners_notice"}
  if ctx.message.has_url({category = url_categories}) then
      for url in ctx.message.urls({category = url_categories}) do
        dw.notice("URL found: " .. url .. " (" .. url.categories[1] .. ")")
      end
      ctx.modifier.repack()
      return {action = "accept"}
  end

  -- Accept the message with all scheduled transformations applied
  return {action = 'accept'}
end

SmtpRetryInterval

{time interval}

Interval between repeated attempts to scan or send a message after an error when operating in SMTP mode.

Default value: 5m

SmtpRequireTls

{Always | IfSupported | Never}

Defines the SMTP protocol policy when operating with STARTTLS extension in SMTP mode.

Allowed values:

Always—always use protected connection. Interrupt connection if the server does not support its protection.

IfSupported—prefer protected connection if the server supports it. Otherwise, send message via unprotected channels.

Never—do not use protected connection.

Default value: Always

SmtpDebugIpc

{Boolean}

Indicates whether SMTP commands in SMTP mode should be saved to debug log (LogLevel = Debug).

Default value: No

SmtpTraceContent

{Boolean}

Indicates whether email content in SMTP mode should be saved to debug log (LogLevel = Debug).

Default value: No

CaPath

{path to file or directory}

Path to the directory or file with the list of trusted root certificates.

Default value: path to the list of trusted certificates. The path depends on the GNU/Linux distribution.

For Astra Linux, Debian, Linux Mint, SUSE Linux and Ubuntu, usually it is the /etc/ssl/certs/ path.

For CentOS and Fedora it is the /etc/pki/tls/certs/ca-bundle.crt path.

For other distributions, the path can be determined by running the command openssl version -d.

If the command is unavailable or the OS distribution could not be identified, the value /etc/ssl/certs/ is used.

Hostname

{string}

Sender’s host name (FQDN). It appears in the HELO/EHLO greeting string received from the SMTP client and is used as the default value for srvname in the Authentication-Results header.

Default value: current host name
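
An added example, not part of the Dr.Web documentation or product code: a Python script that reads the [MailD] section, merges repeated list parameters the way ReportLanguages is described above, and reports the settings this page marks as weak or sensitive (RepackPassword = None, SmtpRequireTls other than Always, the TraceContent switches, a MaxCompressionRatio below 2). Assumptions: the names parse_section and audit, "#" and ";" as comment markers, the last occurrence winning for non-list parameters, and the reviewer's policy of reporting filter sockets bound to a non-loopback address; the sample configuration is constructed.

```python
import re

# Constructed sample configuration (not taken from a real host).
SAMPLE_CONFIG = """\
[MailD]
LogLevel = Debug
ReportLanguages = "ru", "de"
ReportLanguages = en
MilterSocket = 0.0.0.0:3001
MilterTraceContent = Yes
SmtpSocket = /var/run/drweb-smtp.sock
SmtpRequireTls = IfSupported
MaxCompressionRatio = 1
"""

LIST_PARAMS = {"ReportLanguages", "VxcubePlatforms", "VxcubeFileFormats"}
SOCKET_PARAMS = ("MilterSocket", "SpamdSocket", "RspamdHttpSocket",
                 "RspamdSocket", "SmtpSocket", "BccSocket")
LOOPBACK = ("127.0.0.1", "[::1]", "localhost")

def parse_section(text, section="MailD"):
    """Return {parameter: [values]}; repeated parameters are merged."""
    params, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":  # comment markers are an assumption
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
        elif current == section and "=" in line:
            key, _, value = (p.strip() for p in line.partition("="))
            if key in LIST_PARAMS:  # comma-separated, optionally quoted
                items = [v.strip().strip('"') for v in value.split(",")]
            else:
                items = [value]
            params.setdefault(key, []).extend(i for i in items if i)
    return params

def audit(params, default_log_level="Notice"):
    """Return (parameter, finding) tuples for settings worth reviewing."""
    def last(key, default):  # assumption: the last occurrence wins
        return (params.get(key) or [default])[-1]
    findings = []
    if last("RepackPassword", "None").lower() == "none":
        findings.append(("RepackPassword", "repacked archives get no password"))
    if last("SmtpRequireTls", "Always") != "Always":
        findings.append(("SmtpRequireTls", "STARTTLS is not enforced"))
    debug = last("LogLevel", default_log_level).lower() == "debug"
    for key in ("MilterTraceContent", "SmtpTraceContent"):
        if last(key, "No").lower() == "yes":
            state = "active now" if debug else "active once LogLevel = Debug"
            findings.append((key, "message bodies go to the debug log, " + state))
    for key in SOCKET_PARAMS:
        value = last(key, "")
        host = value.rpartition(":")[0]
        if value and not value.startswith("/") and host not in LOOPBACK:
            findings.append((key, "listens on network address " + value))
    if int(last("MaxCompressionRatio", "500")) < 2:
        findings.append(("MaxCompressionRatio", "below the documented minimum of 2"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_section(SAMPLE_CONFIG)):
        print(name + ": " + finding)
```

Pass the DefaultLogLevel value from the [Root] section as default_log_level when the [MailD] section does not set LogLevel itself.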