LogLevel

{logging level}

Logging level of the component.

If a parameter value is not specified, the DefaultLogLevel parameter value from the [Root] section is used.

Default value: Notice

Log

{log type}

Logging method of the component.

Default value: Auto

ExePath

{path to file}

Executable path to the component.

Default value:

•for GNU/Linux: /opt/drweb.com/bin/drweb-maild

•for FreeBSD: /usr/local/libexec/drweb.com/bin/drweb-maild

FixedSocketPath

{path to file}

Path to the UNIX socket file of the component fixed instance.

If this parameter is specified, the Dr.Web ConfigD configuration management daemon ensures that there is always a running component instance available to clients via this socket.

Default value: (not specified)

TemplatesDir

{path to directory}

Path to a directory that contains email message templates returned to the user in case of email blocking.

Default value:

•for GNU/Linux: /var/opt/drweb.com/templates/maild

•for FreeBSD: /var/drweb.com/templates/maild

ReportLanguages

{string}

Languages used for generation of service messages (for example, messages returned to the sender in case of email blocking). Each language is identified with a two-letter designation (en, ru and so on).

Multiple values can be specified as a list. List values must be comma-separated and put in quotation marks. The parameter can be specified more than once in the section (in this case, all its values are combined into one list).

Example: Add the following languages to the list: ru and de.

1.Adding values to the configuration file.

•Two values per line:

•Two lines (one value per line):

2.Adding values with the drweb-ctl cfset command:

Default value: en

RepackPassword

{None | Plain(<password>) | HMAC(<secret>)}

The method for generation of a password for archives with malicious objects placed in messages and sent to recipients. The following methods are allowed:

•None—archives will not be protected with a password (not recommended);

•Plain(<password>)—all archives will be protected with the same password <password>;

•HMAC(<secret>)—the unique password will be generated for each archive based on the pair (<secret>, <message identifier>).

To recover the password that protects the archive using the message identifier and the known secret, use the drweb-ctl idpass command.

Default value: None

TemplateContacts

{string}

Dr.Web for UNIX Mail Servers administrator contacts to be inserted into messages about threats (used in message templates).

The contact information is added to a repacked message only if it has an attachment with a password-protected archive with threats or other unwanted objects removed from the initial message. If, according to the current value of the RepackPassword parameter (see below), attached archives are not protected with a password, then the contact information is not added to the modified message.

Default value: (not specified)

RunAsUser

{UID | user name}

User on behalf of whom the component is started. Either a numerical UID of the user or a user name (login) can be specified. If the user name consists of numbers (that is, the name is similar to a numerical UID), it must be specified with the “name:” prefix, for example: RunAsUser = name:123456.

If the user name is not specified, the component shuts down with an error upon startup.

Default value: drweb

DnsResolverConfPath

{path to file}

Path to the DNS configuration file (DNS resolver).

Default value: /etc/resolv.conf

IdleTimeLimit

{time interval}

Maximum idle time for the component. When the specified period of time expires, the component shuts down.

The IdleTimeLimit parameter value is ignored (the component does not shut down after the time interval expires), if any of the following parameters is defined: FixedSocketPath, MilterSocket, SpamdSocket, RspamdHttpSocket, RspamdSocket, SmtpSocket or BccSocket.

Allowed values: from 10 seconds (10s) to 30 days (30d).
If the None value is set, the component will operate indefinitely; the SIGTERM signal will not be sent if the component goes idle.

Default value: 10m

SpoolDir

{path to directory}

Directory for temporary storage of scanned email messages.

Default value: /tmp/com.drweb.maild

Hostname

{string}

Sender’s host name (FQDN). It will appear in the HELO/EHLO welcome string received from the SMTP client and as the default value of srvname in the Authentication-Results title.

Default value: current host name

CaPath

{path to file or directory}

Path to the directory or file with a list of trusted root certificates.

Default value: path to the system list of trusted certificates. The path depends on your GNU/Linux distribution.

•For Astra Linux, Debian, Linux Mint, SUSE Linux and Ubuntu, this is usually the path /etc/ssl/certs/.

•For CentOS and Fedora—the path /etc/pki/tls/certs/ca-bundle.crt.

•For other distributions, the path can be determined by running the openssl version -d command.

•If this command is unavailable or your OS distribution cannot be identified, the /etc/ssl/certs/ value is used

WarnOfUnknownDomain

{boolean}

Add a warning to exercise caution to the email message body, because the sender’s domain is not on the list of protected domains (refer to the ProtectedDomains parameter). The warning message is specified in the ExternalDomainWarning parameter.

Allowed values:

•On, Yes, True—add the warning;

•Off, No, False—do not add the warning.

Default value: No

ProtectedDomains

{string}

List of domains protected with Dr.Web products. If the sender’s domain is not on this list, a warning to exercise caution is added to the email message body (refer to the WarnOfUnknownDomain and ExternalDomainWarning parameters).

Multiple values can be specified as a list. List values must be comma-separated and put in quotation marks. The parameter can be specified more than once in the section (in this case, all its values are combined into one list).

Example: Add domains drweb.com and drweb.ru to the list.

1.Adding values to the configuration file.

•Multiple values per line:

•One value per line:

2.Adding values with the drweb-ctl cfset command:

Default value: localhost

ExternalDomainWarning

{encoding; warning message}

Message of the warning to exercise caution to be added to the email message body if the sender’s domain is not on the list of protected domains (refer to the ProtectedDomains parameter) and the value of the WarnOfUnknownDomain parameter is Yes.

The encoding of the email message is specified in the charset field of the email message header. The list of encodings complying with RFC2047 is available at https://www.iana.org/assignments/character-sets/character-sets.xhtml. If the encoding cannot be determined, the default value is used. For this case, it is recommended to compose the warning message using the Latin alphabet. If multiple values with the same encoding are specified, the text provided in the last of such values will be used for such encoding.

Example: Add a warning message for the KOI8-R encoding (also known as csKOI8R).

1.Adding values to the configuration file, one value per line:

2.Adding values with the drweb-ctl cfset command:

Default values:

{"default", "Attention: The message was sent from an external domain. It is not recommended to follow links, open attachments, or provide confidential information."}

{"utf-8", "Внимание: письмо отправлено с внешнего домена. Не рекомендуется переходить по ссылкам, открывать вложения или предоставлять конфиденциальную информацию."}

ScanTimeout

{time interval}

Time-out for scanning one email message.

Allowed values: from 1 second (1s) to 1 hour (1h).

Default value: 3m

HeuristicAnalysis

{boolean}

Enable or disable heuristic analysis for detecting unkown threats while performing a message scan initiated by Dr.Web MailD.

Heuristic analysis provides higher detection rates, but at the same time increases scanning duration.

Allowed values:

•On, Yes, True—enable the heuristic analysis;

•On, Yes, True—disable the heuristic analysis.

Default value: On

PackerMaxLevel

{integer}

Maximum nesting level for packed objects. A packed object is executable code compressed with special software (UPX, PELock, PECompact, Petite, ASPack, Morphine and so on). Such objects may include other packed objects that may also include packed objects and so on. The value of this parameter specifies a nesting limit beyond which packed objects inside other packed objects are not scanned.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 8

ArchiveMaxLevel

{integer}

Maximum nesting level for archives (.zip, .rar and so on) in which other archives may be enclosed, whereas these archives may also include other archives and so on. The value of this parameter specifies a nesting limit beyond which archives enclosed in other archives are not scanned.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 8

MailMaxLevel

{integer}

Maximum nesting level for mailer files (.pst, .tbb and so on) in which other files may be enclosed, whereas these files may also include other files and so on. The value of this parameter specifies a nesting limit beyond which objects inside other objects are not scanned.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 8

ContainerMaxLevel

{integer}

Maximum nesting level for other types of objects inside which other objects are enclosed (HTML pages, .jar files and so on). The value of this parameter specifies a nesting limit beyond which objects inside other objects are not scanned.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 8

MaxCompressionRatio

{integer}

Maximum compression ratio of compressed/packed objects (the ratio of an uncompressed size to a compressed size). If the ratio exceeds the limit, this object is skipped during the scanning initiated by Dr.Web MailD.

The compression ratio must be no less than 2.

Default value: 500

MaxSizeToExtract

{size}

Maximum size for files enclosed in archives. Files whose size is greater than the value of this parameter are skipped during scanning. There is no size limit for files in archives by default.

The value of this parameter is specified as a number with a suffix (b, kb, mb, gb). If no suffix is specified, the value is treated as a size in bytes.

If the value is set to 0, files in archives are not scanned.

Default value: None

MilterDebugIpc

{boolean}

Log or do not log Milter messages at the debug level (LogLevel = Debug).

Allowed values:

•On, Yes, True—log;

•Off, No, False—do not log.

Default value: No

MilterTraceContent

{boolean}

Log or do not log body of email messages received for scanning via the Milter interface at the debug level (LogLevel = Debug).

Allowed values:

•On, Yes, True—log;

•Off, No, False—do not log.

Default value: No

MilterSocket

{path to file | IP address:port}

Socket to connect to an MTA as a Milter filter of email messages (the MTA connects to this socket while using Dr.Web MailD as the corresponding filter). Usage of a UNIX socket or a network socket is allowed.

The rules for processing messages passed via Milter are specified in the MilterHook parameter (see below).

Default value: (not specified)

MilterHook

{path to file | Lua function}

Lua script for processing email messages received via the Milter interface or a path to the file containing this script (refer to the Email Processing in Lua section).

If the file path is invalid, an error is returned while starting the component.

Default value:

local dw = require "drweb"
local dwcfg = require "drweb.config"

function milter_hook(ctx)

 -- Reject the message if it is likely spam
 if ctx.message.spam.score >= 100 then
   dw.notice("Spam score: " .. ctx.message.spam.score)
   return {action = "reject"}
 else
   -- Assign X-Drweb-Spam headers on the basis of the spam report
   ctx.modifier.add_header_field("X-DrWeb-SpamScore", ctx.message.spam.score)
   ctx.modifier.add_header_field("X-DrWeb-SpamState", ctx.message.spam.type)
   ctx.modifier.add_header_field("X-DrWeb-SpamDetail", ctx.message.spam.reason)
   ctx.modifier.add_header_field("X-DrWeb-SpamVersion", ctx.message.spam.version)
 end

  -- Scan the message for threats and repack it if they are present
  for threat, path in ctx.message.threats{category = {"known_virus", "virus_modification", "unknown_virus", "adware", "dialer"}} do
    ctx.modifier.repack()
    dw.notice(threat.name .. " found in " .. (ctx.message.part_at(path).name or path))
  end

  -- Repack if an unwanted URL has been found
  for url in ctx.message.urls{category = {"infection_source", "not_recommended", "owners_notice"}} do
    ctx.modifier.repack()
    dw.notice("URL found: " .. url .. "(" .. url.categories[1] .. ")")
  end

 -- Add the X-AntiVirus header
 ctx.modifier.add_header_field("X-AntiVirus", "Checked by Dr.Web [MailD version: " .. dwcfg.maild.version .. "]")

 -- Accept the message with all scheduled transformations applied
  return {action = 'accept'}
end

SpamdDebugIpc

{boolean}

Log or do not log Spamd messages at the debug level (LogLevel = Debug).

Allowed values:

•On, Yes, True—log;

•Off, No, False—do not log.

Default value: No

SpamdSocket

{path to file | IP address:port}

Socket to connect to an MTA as a Spamd filter of email messages (the MTA connects to this socket while using Dr.Web MailD as the corresponding filter). Usage of a UNIX socket or a network socket is allowed.

The rules for processing messages passed via Spamd are specified in the SpamdReportHook parameter (see below).

Default value: (not specified)

SpamdReportHook

{path to file | Lua function}

Lua script that processes email messages received via the Spamd interface or a path to the file containing the script (refer to the Email Processing in Lua section).

If the file path is invalid, an error is returned while starting the component.

Default value:

local dw = require "drweb"

function spamd_report_hook(ctx)
  local score = 0
  local report = ""

  -- Add 1000 to the score for each threat found in the message
  for threat, path in ctx.message.threats{category = {"known_virus", "virus_modification", "unknown_virus", "adware", "dialer"}} do
      score = score + 1000
      report = report .. "Threat found: " .. threat.name .. "\n"
      dw.notice(threat.name .. " found in " .. (ctx.message.part_at(path).name or path))
  end

  -- Add 100 to the score for each unwanted URL found in the message
  for url in ctx.message.urls{category = {"infection_source", "not_recommended", "owners_notice"}} do
      score = score + 100
      report = report .. "Url found: " .. url .. "\n"
      dw.notice("URL found: " .. url .. "(" .. url.categories[1] .. ")")
  end

  -- Add the spam score
  score = score + ctx.message.spam.score
  report = report .. "Spam score: " .. ctx.message.spam.score .. "\n"
  if ctx.message.spam.score >= 100 then
      dw.notice("Spam score: " .. ctx.message.spam.score)
  end

  -- Return the scan result
  return {
     score = score,
     threshold = 100,
     report = report
     }
end

RspamdDebugIpc

{boolean}

Log or do not log Rspamd messages at the debug level (LogLevel = Debug).

Allowed values:

•On, Yes, True—log;

•Off, No, False—do not log.

Default value: No

RspamdHttpSocket

{path to file | IP address:port}

Socket to connect to an MTA as an Rspamd mail filter (the MTA connects to this socket while using Dr.Web MailD as the corresponding filter, by using the HTTP version of the Rspamd protocol). Usage of a UNIX socket or a network socket is allowed.

The rules for processing messages passed through Rspamd are specified in the RspamdHook parameter (see below).

Default value: (not specified)

RspamdSocket

{path to file | IP address:port}

Socket to connect to an MTA as an Rspamd mail filter (the MTA connects to this socket while using Dr.Web MailD as the corresponding filter, by using the legacy version of the Rspamd protocol). Usage of a UNIX socket or a network socket is allowed.

Default value: (not specified)

RspamdHook

{path to file | Lua function}

Lua script that processes email messages received via the Rspamd interface or a path to the file containing the script (refer to the Email Processing in Lua section).

If the file path is invalid, an error is returned while starting the component.

Default value:

local dw = require "drweb"

function rspamd_hook(ctx)
  local score = 0
  local symbols = {}

  -- Add 1000 to the score for each threat found in the message
  for threat, path in ctx.message.threats{category = {"known_virus", "virus_modification", "unknown_virus", "adware", "dialer"}} do
      score = score + 1000
      table.insert(symbols, {name = threat.name, score = 1000})
      dw.notice(threat.name .. " found in " .. (ctx.message.part_at(path).name or path))
  end

 -- Add 100 to the score for each unwanted URL found in the message
  for url in ctx.message.urls{category = {"infection_source", "not_recommended", "owners_notice"}} do
      score = score + 100
      table.insert(symbols, {name = "URL " .. url, score = 100})
      dw.notice("URL found: " .. url .. "(" .. url.categories[1] .. ")")
  end

  -- Add the spam score
  score = score + ctx.message.spam.score
  table.insert(symbols, {name = "Spam score", score = ctx.message.spam.score})
  if ctx.message.spam.score >= 100 then
      dw.notice("Spam score: " .. ctx.message.spam.score)
  end

  -- Return the scan result
  return {
     score = score,
     threshold = 100,
     symbols = symbols
  }
end

SpfCheckTimeout

{time interval}

Maximum total time for the SPF check.

Default value: 20s

SpfVoidLimit

{integer}

Maximum number of empty answers allowed during the SPF check.

Default value: 2

SmtpDebugIpc

{boolean}

Log or do not log SMTP messages at the debug level (with LogLevel = DEBUG) in SMTP mode.

Allowed values:

•On, Yes, True—log;

•Off, No, False—do not log.

Default value: No

SmtpTraceContent

{boolean}

Log or do not log email content at the debug level (with LogLevel = DEBUG) in SMTP mode.

Allowed values:

•On, Yes, True—log;

•Off, No, False—do not log.

Default value: No

SmtpRetryInterval

{time interval}

Time-out for a repeated attempt of scanning or sending a message in case of an error while operating in SMTP mode.

Allowed values: from 1 second (1s) to 1 day (1d).

Default value: 5m

SmtpRequireTls

{Always | IfSupported | Never}

SMTP policy for using the STARTTLS extension in SMTP mode.

Allowed values:

•Always—always use a protected connection; interrupt the connection if the server does not support its protection.

•IfSupported—prefer a protected connection if the server supports it; otherwise, send messages via unprotected channels.

•Never—do not use unprotected connection.

Default value: Always

SmtpSslCertificate

{path to certificate file}

Path to a certificate file for connecting an MTA to Dr.Web MailD operating as an external email filter in SMTP or BCC mode.

Default value: (not specified)

SmtpSslKey

{path to private key file}

Path to a private key file for connecting an MTA to Dr.Web MailD operating as an external email filter in SMTP or BCC mode.

Default value: (not specified)

SmtpTimeout

{time interval}

Maximum time interval (in minutes) during which scanning must be performed if Dr.Web MailD operates in SMTP mode. If the scanning has not been performed during the specified time interval, the action specified in the SmtpTimeoutAction parameter will be performed. If a zero value is specified, the scanning is performed immediately after adding the message to the queue or after another failed scanning attempt. If this parameter value is greater than an SmtpRetryInterval parameter value, two scanning attempts will be made within the specified time interval.

Allowed values: 0 or from 1 minute (1m) to 1 week (1w).

Default value: 1h

SmtpTimeoutAction

{Accept|Discard}

Action to be performed after the time interval specified in the SmtpTimeout parameter expires.

Allowed values:

•Accept—accept (allow the MTA to send the message to the recipient);

•Discard—discard the message without notifying the sender.

Default value: Accept

SmtpSocket

{path to file | IP address:port}

Socket to connect to an MTA as a mail filter in SMTP mode (the MTA connects to this socket while using Dr.Web MailD as an external filter). Usage of a UNIX socket or a network socket is allowed. The server connecting via this socket uses a certificate whose path is specified in the SmtpSslCertificate parameter and a private key whose path is specified in the SmtpSslKey parameter.

Default value: (not specified)

SmtpSenderRelay

{path to file | IP address:port}

Socket to connect Dr.Web MailD to an MTA to send messages that passed scanning in SMTP mode (Dr.Web MailD acting as an external filter connects to the MTA via this socket). Usage of a UNIX socket or a network socket is allowed.

Default value: (not specified)

SmtpHook

{path to file | Lua function}

Lua script that processes email messages received for scanning in SMTP mode or a path to the file containing this script (refer to the Email Processing in Lua section).

If the UseVxcube=Yes parameter value is specified in the [Root] section of the configuration file, the step of scanning email attachments with Dr.Web vxCube is added to the Lua script by default.

Default value:

local dw = require "drweb"

function smtp_hook(ctx)
  -- Reject the message if it is likely spam
  if ctx.message.spam.score >= 100 then
      dw.notice("Spam score: " .. ctx.message.spam.score)
      return {action = "discard"}
  else
      -- Assign X-Drweb-Spam headers on the basis of the spam report
      ctx.modifier.add_header_field("X-DrWeb-SpamScore", ctx.message.spam.score)
      ctx.modifier.add_header_field("X-DrWeb-SpamState", ctx.message.spam.type)
      ctx.modifier.add_header_field("X-DrWeb-SpamDetail", ctx.message.spam.reason)
      ctx.modifier.add_header_field("X-DrWeb-SpamVersion", ctx.message.spam.version)
  end

  -- Scan the message for threats and repack it if they are present
  threat_categories = {"known_virus", "virus_modification", "unknown_virus", "adware", "dialer"}
  if ctx.message.has_threat({category = threat_categories}) then
      for threat, path in ctx.message.threats({category = threat_categories}) do
        dw.notice(threat.name .. " found in " .. (ctx.message.part_at(path).name or path))
      end
      ctx.modifier.repack()
      return {action = "accept"}
  end

  -- Repack if an unwanted URL has been found
  url_categories = {"infection_source", "not_recommended", "owners_notice"}
  if ctx.message.has_url({category = url_categories}) then
      for url in ctx.message.urls({category = url_categories}) do
        dw.notice("URL found: " .. url .. " (" .. url.categories[1] .. ")")
      end
      ctx.modifier.repack()
      return {action = "accept"}
  end

  -- Accept the message with all scheduled transformations applied
  return {action = 'accept'}
end

BccSocket

{path to file | IP address:port}

Socket to connect to an MTA as a mail filter in BCC mode (the MTA connects to this socket while using Dr.Web MailD as an external filter). Usage of a UNIX socket or a network socket is allowed. The server connecting via this socket uses a certificate whose path is specified in the SmtpSslCertificate parameter and a private key whose path is specified in the SmtpSslKey parameter.

Default value: (not specified)

BccReporterAddress

{string}

Email address from which Dr.Web MailD reports will be sent after scanning email attachments in BCC mode.

Default value: (not specified)

BccReporterPassword

{None | Plain(<password>)}

Password for a mailbox using which Dr.Web MailD reports will be sent after scanning email attachments in BCC mode.

Allowed values:

•None—email is not protected by a password;

•Plain(<password>)—mailbox is protected with the specified password.

Default value: None

BccReportRecipientAddress

{string}

Email address to which Dr.Web MailD reports will be sent after scanning email attachments in BCC mode.

Default value: (not specified)

BccSmtpServer

{string}

MTA address for sending email messages in SMTP and BCC modes. Usage of a domain, an IP address or a UNIX socket is allowed.

Default value: (not specified)

BccTimeout

Maximum time interval (in minutes) during which scanning must be performed if Dr.Web MailD operates in BCC mode. If the scanning has not been performed during the specified time interval, the Discard action will be performed. If a zero value is specified, the scanning is performed immediately after adding the message to the queue or after another failed scanning attempt. If this parameter value is greater than an SmtpRetryInterval parameter value, two scanning attempts will be made within the specified time interval.

Allowed values: 0 or from 1 minute (1m) to 1 week (1w).

Default value: 1h

VxcubePlatforms

{platform, … | All}

List of OS platforms for executing email attachments while using Dr.Web vxCube as an email message scanning tool in external filter mode (SMTP or BCC).

The values of the list must be comma-separated (each value put in quotation marks). The parameter can be specified more than once in the section (in this case, all its values are combined into one list).

Allowed values:

•<platform>—the value of the os_code field (the OS name with its bitness specified) from the platforms API call in Dr.Web vxCube (for details, refer to the User manual for Dr.Web vxCube, the Platform section);

•All—all available platforms.

Default value: All

VxcubeFileFormats

{format, … | All}

List of email attachment formats to be sent for analysis while using Dr.Web vxCube as an email message scanning tool in external filter mode (SMTP or BCC).

The values of the list must be comma-separated (each value put in quotation marks). The parameter can be specified more than once in the section (in this case, all its values are combined into one list).

Allowed values:

•<format>—the value of the name field (format designation) from the formats API call in Dr.Web vxCube (for details, refer to the User manual for Dr.Web vxCube, the Format section);

•All—all available formats.

Default value: All

VxcubeSampleRunTime

{time interval}

Time for executing an email attachment sent for analysis to Dr.Web vxCube while using it as an email message scanning tool in external filter mode (SMTP or BCC).

Default value: (not specified)