Integration with an MTA as a filter

In this section

Configuring Dr.Web MailD

Configuring MTA

Sample Settings for Specific MTAs

This method of integration implies connecting Dr.Web MailD directly to a mail server as an external filter for scanning email messages. Any mail server (such as Exim, Sendmail, Postfix and so on) that uses the Milter, Spamd or Rspamd interface is supported. When using the Postfix mail server, the component can also operate in SMTP mode (for more on operation principles in SMTP mode, refer to Integration with Dr.Web vxCube).

Configuring Dr.Web MailD

1.Connecting via the Milter, Spamd or Rspamd interface

To integrate Dr.Web MailD with your mail server, edit the values of the following parameters in the [MailD] section of the configuration file:

Parameters for integrating Dr.Web MailD with an MTA. Select an interface for the integration (Milter, Spamd or Rspamd) and specify MTA connection parameters and parameters for scanning email messages received via this interface. All Dr.Web MailD parameters for the integration via a specific interface have respective prefixes in their names (Milter*, Spamd* or Rspamd*).

1.<interface>Socket—UNIX socket or a network socket to be used by Dr.Web MailD to receive messages being scanned from the MTA via the corresponding interface.

2.Parameters that limit the duration and resource intensity of email message scanning (ScanTimeout, HeuristicAnalysis, PackerMaxLevel, ArchiveMaxLevel, MailMaxLevel, ContainerMaxLevel and MaxCompressionRatio). If you do not need detailed configuration, do not change the values of these parameters.

3.If you need finer control over the email filtering rules, edit the default Lua procedure (hook) that processes messages received via the selected interface.

General operation parameters of Dr.Web MailD during email message scanning. In the TemplateContacts parameter, specify an address of the UNIX mail server administrator to whom the messages with detected threats will be sent. In the ReportLanguages parameter, specify a language to be used to generate service email messages.

In the RepackPassword parameter, specify a method of password generation for protected archives with threats to be added to email messages when they get repacked. For a more detailed description of these parameters, refer to the corresponding section.

After the settings are adjusted, reload the Dr.Web Mail Security Suite configuration using the command:

# drweb-ctl reload

You can also restart Dr.Web Mail Security Suite by restarting the Dr.Web ConfigD configuration management daemon using the command:

# service drweb-configd restart

When interacting with the MTA via the Milter interface, the Lua script returns to the MTA the action to be applied to the message.

When interacting via the Spamd interface, the Lua script returns a report variable containing the word SPAM or THREAT. The MTA processes this result according to its own settings (for example, in an ACL for Exim): the message is either rejected or delivered with a warning to the recipient.

When interacting via the Rspamd interface, the Lua script returns an action variable with one of the following values: ADD_HEADER or REJECT. The MTA processes this result according to its own settings (for example, in an ACL for Exim): either a header is added to the message before it is delivered to the recipient, or the message is rejected.

2.Connecting in SMTP mode

To integrate Dr.Web MailD with your mail server, edit the values of the following parameters in the [MailD] section of the configuration file:

1.SmtpSocket—socket to be used by Dr.Web MailD to receive messages being scanned from the MTA. A UNIX or network socket can be used.

2.SmtpSenderRelay—MTA socket to be used by Dr.Web MailD to send scanned messages. A UNIX or network socket can be used.

3.Additional parameters (timeout, available connection protocols, output to debug log). The parameters have the Smtp prefix. If you do not need detailed configuration, do not change the values of these parameters.

4.If you need finer control over the email filtering rules, edit the default Lua procedure (hook) that processes messages received in SMTP mode.

After the settings are adjusted, reload the Dr.Web Mail Security Suite configuration using the command:

# drweb-ctl reload

You can also restart Dr.Web Mail Security Suite by restarting the Dr.Web ConfigD configuration management daemon using the command:

# service drweb-configd restart

Configuring MTA

1.Connecting via the Milter, Spamd or Rspamd interface

To enable the interaction between the MTA and Dr.Web MailD, edit the mail server configuration:

1.Specify an interface to be used for the interaction of the MTA with Dr.Web MailD when scanning email messages (Milter, Spamd or Rspamd).

2.Set parameters for connecting the MTA to Dr.Web MailD via the selected interface (the socket in use must match the one specified in the <interface>Socket parameter for the corresponding interface in the Dr.Web MailD settings).

3.Specify an action to be applied by the MTA after receiving email message scanning results.

Restart the MTA after changing its settings.

2.Connecting in SMTP mode

To enable the interaction between the Postfix MTA and Dr.Web MailD, edit the mail server configuration:

1.Set client parameters for sending email messages to Dr.Web MailD for scanning.

2.Set MTA parameters for sending scanned messages.

3.Set parameters for connecting the MTA to Dr.Web MailD via a specified socket.

Sample Settings for Specific MTAs

Typical sample settings for Postfix, Sendmail, Exim and CommuniGate Pro MTAs for connecting Dr.Web MailD as an external email filter via the Milter, Spamd or Rspamd interface or in SMTP mode are provided below.

In the examples below, replace <MailD socket>, <MailD IP address> and <MailD port> with the Dr.Web MailD socket configured in the <interface>Socket parameter for the selected interface (or in the SmtpSocket parameter in SMTP mode). In SMTP mode, also replace <Postfix socket> with the Postfix socket specified in the SmtpSenderRelay parameter of the Dr.Web MailD settings.

For example, if Dr.Web MailD is integrated via the Milter interface over a network socket, both the MTA and Dr.Web MailD run on the same host, and Dr.Web MailD listens on port 12345 for Milter connections, set the MilterSocket parameter in the [MailD] section of the Dr.Web Mail Security Suite configuration file to that socket. In the MTA settings, then use 127.0.0.1:12345 in place of <MailD socket>, 127.0.0.1 in place of <MailD IP address> and 12345 in place of <MailD port>.

In settings of some MTAs, the socket address to connect to Dr.Web MailD must be preceded with the <type> prefix specifying the type of the connection in use (inet, inet6 or unix).

1.Postfix

Milter:

Add the following lines to the main.cf MTA settings file:

smtpd_milters = <type>:<MailD socket>
milter_content_timeout = 300s
milter_default_action = tempfail
milter_protocol = 2

Only the smtpd_milters and milter_protocol parameters are obligatory; the other parameters can be skipped. Note that milter_default_action = tempfail makes Postfix fail closed: if Dr.Web MailD is unreachable or does not answer within the timeout, the message is deferred with a temporary error instead of being accepted unscanned (the value accept would let such messages through). Also note that smtpd_milters applies only to mail received via SMTP; mail submitted locally through the sendmail command passes through non_smtpd_milters instead, so set that parameter to the same value if locally submitted mail must be scanned as well.

 

In SMTP mode:

Add the following lines to the master.cf MTA settings file:

# Client parameters for sending email messages to MailD for scanning
scan         unix  -       -       n       -       10      smtp
   -o smtp_send_xforward_command=yes
   -o disable_mime_output_conversion=yes
   -o smtp_generic_maps=

# Mail server settings for sending scanned messages
<Postfix socket> inet  n       -       n       -       10      smtpd
   -o content_filter=
   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
   -o smtpd_helo_restrictions=
   -o smtpd_client_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_relay_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks=127.0.0.0/8
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8

Add the following lines to the main.cf MTA settings file:

content_filter = scan:<MailD socket>
receive_override_options = no_address_mappings

If Dr.Web MailD and Postfix run on different hosts, replace the values of mynetworks and smtpd_authorized_xforward_hosts with the address of the Dr.Web MailD host. The re-injection service skips the client, sender and relay restrictions and runs no milters, so it must not be reachable from untrusted networks: bind it to the loopback address (for example, use 127.0.0.1:10026 as the service name) or to an address protected by a firewall, and keep mynetworks as narrow as possible, since permit_mynetworks is the only check that prevents anyone who can connect to this port from relaying unscanned mail through the server.
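The master.cf and main.cf fragments above form a loop (Postfix → scan client → filter → re-injection smtpd → delivery) in which one wrong option either loops mail forever, scans it twice, or opens an unrestricted relay on the re-injection port. The following Python script is an added example, not part of the Dr.Web documentation or product: it parses a constructed master.cf/main.cf pair of the same shape and reports such mistakes. The function names, the sample addresses 127.0.0.1:10025 (standing in for the Dr.Web MailD SmtpSocket) and 127.0.0.1:10026 (standing in for the Postfix re-injection socket, SmtpSenderRelay) and the finding texts are assumptions made for the demonstration.

```python
"""Audit a Postfix content_filter re-injection pair (scan client + re-injection smtpd).

Added example, not part of the Dr.Web documentation or product. The master.cf and
main.cf text below is constructed for the demonstration; 127.0.0.1:10025 stands in
for the Dr.Web MailD SmtpSocket and 127.0.0.1:10026 for the Postfix re-injection
socket (SmtpSenderRelay)."""
import re

MASTER_CF_OK = """\
scan            unix  -  -  n  -  10  smtp
   -o smtp_send_xforward_command=yes
   -o disable_mime_output_conversion=yes
   -o smtp_generic_maps=
127.0.0.1:10026 inet  n  -  n  -  10  smtpd
   -o content_filter=
   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
   -o smtpd_helo_restrictions=
   -o smtpd_client_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_relay_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks=127.0.0.0/8
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8
"""
MAIN_CF_OK = "content_filter = scan:127.0.0.1:10025\nreceive_override_options = no_address_mappings\n"


def parse_master_cf(text):
    """Map service name -> {'type', 'command', 'options'}; '-o k=v' lines belong to the last service."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():  # continuation line of the previous service entry
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)$", line)
            if m and current is not None:
                services[current]["options"][m.group(1)] = m.group(2).strip()
            continue
        f = line.split()
        if len(f) >= 8:  # service type private unpriv chroot wakeup maxproc command
            current = f[0]
            services[current] = {"type": f[1], "command": f[7], "options": {}}
    return services


def parse_main_cf(text):
    params = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            k, _, v = line.partition("=")
            params[k.strip()] = v.strip()
    return params


def restricted_to(value, prefixes):
    """True if every network in a comma/space separated list starts with one of the prefixes."""
    nets = [n for n in re.split(r"[,\s]+", value) if n]
    return bool(nets) and all(n.startswith(prefixes) for n in nets)


def audit_reinjection(master_text, main_text, filter_prefixes=("127.", "[::1]")):
    """Return a list of findings; an empty list means the loop looks safe.
    filter_prefixes are the address prefixes the filter host may connect from;
    widen them when Dr.Web MailD runs on another host."""
    findings = []
    services = parse_master_cf(master_text)
    client = parse_main_cf(main_text).get("content_filter", "").partition(":")[0]
    if not client:
        return ["main.cf: content_filter is unset, mail is delivered without being scanned"]
    if services.get(client, {}).get("command") != "smtp":
        findings.append(f"main.cf: content_filter client '{client}' is not an smtp service in master.cf")
    elif services[client]["options"].get("smtp_send_xforward_command") != "yes":
        findings.append(f"{client}: smtp_send_xforward_command=yes missing, original client identity is lost")

    # The re-injection listener is the smtpd service that overrides content_filter
    reinject = [n for n, s in services.items() if s["command"] == "smtpd" and "content_filter" in s["options"]]
    if not reinject:
        return findings + ["master.cf: no smtpd service overrides content_filter, scanned mail is filtered again (mail loop)"]
    for name in reinject:
        svc, o = services[name], services[name]["options"]
        if o["content_filter"] != "":
            findings.append(f"{name}: content_filter must be empty on the re-injection service, otherwise mail loops")
        if svc["type"] == "inet" and not name.startswith(("127.", "localhost", "[::1]")):
            findings.append(f"{name}: listener is not bound to loopback, restrict it with inet_interfaces or a firewall")
        if "no_milters" not in o.get("receive_override_options", "").split(","):
            findings.append(f"{name}: receive_override_options lacks no_milters, milters run a second time on scanned mail")
        if o.get("smtpd_recipient_restrictions", "").replace(" ", "") != "permit_mynetworks,reject":
            findings.append(f"{name}: smtpd_recipient_restrictions should be permit_mynetworks,reject")
        for p in ("mynetworks", "smtpd_authorized_xforward_hosts"):
            if not restricted_to(o.get(p, ""), filter_prefixes):
                findings.append(f"{name}: {p} allows hosts other than the filter to re-inject mail or forge XFORWARD data")
    return findings


if __name__ == "__main__":
    for finding in audit_reinjection(MASTER_CF_OK, MAIN_CF_OK) or ["re-injection loop looks safe"]:
        print(finding)
```

Run it against the real files with `audit_reinjection(open("/etc/postfix/master.cf").read(), open("/etc/postfix/main.cf").read())`; when Dr.Web MailD runs on another host, pass that host's address prefix in filter_prefixes so the mynetworks check matches the intended exception rather than flagging it.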

2.Sendmail

Milter:

Add the following line to the sendmail.mc sample settings file:

INPUT_MAIL_FILTER(`drweb-milter', `S=<MailD socket>, F=T')

The F=T flag makes Sendmail return a temporary failure when the filter is unavailable, so mail is deferred rather than accepted unscanned; F=R rejects such mail permanently, and omitting the flag lets mail through without scanning while the filter is down.

After changing the sample file sendmail.mc, convert it into the active configuration file sendmail.cf using one of the following commands:

make -C /etc/mail
sendmailconfig
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

All the commands listed above assume that Sendmail configuration files are located in the /etc/mail directory.

3.Exim

Spamd:

Add the following lines to the exim.conf configuration file (spamd_address and acl_smtp_data belong in the main configuration section; the acl_check_data definition belongs in the section that starts with begin acl):

spamd_address = <MailD socket>
acl_smtp_data = acl_check_data

acl_check_data:
  # Always run the scan and record the result in header fields
  warn   spam        = nobody:true
         add_header  = X-Spam_score: $spam_score\n\
                       X-Spam_score_int: $spam_score_int\n\
                       X-Spam_bar: $spam_bar\n\
                       X-Spam_report: $spam_report

  # Reject messages above the upper threshold
  # ($spam_score_int is $spam_score multiplied by ten, so 10000 corresponds to 1000 points)
  deny   message     = This message scored $spam_score spam points.
         spam        = nobody:true
         condition   = ${if >{$spam_score_int}{10000}{true}{false}}

  # Tag the subject of messages above the lower threshold (100 points) and deliver them
  accept message     = This message scored $spam_score spam points.
         spam        = nobody:true
         condition   = ${if >{$spam_score_int}{1000}{true}{false}}
         remove_header = Subject
         add_header  = Subject: [SPAM] $rh_Subject

  # Accept all other messages: an ACL that runs off its end returns deny,
  # so without this statement clean messages would be rejected
  accept

Rspamd:

Add the following lines to the exim.conf configuration file:

spamd_address = <MailD socket> variant=rspamd
acl_smtp_data = acl_check_data

acl_check_data:
  # Add header fields
  warn   spam       = nobody:true
         add_header = X-Spam_score: $spam_score\n\
                      X-Spam_score_int: $spam_score_int\n\
                      X-Spam_bar: $spam_bar\n\
                      X-Spam_report: $spam_report

  # Reject the message with the proper description if the Rspamd filter tells to do so
  deny   spam       = nobody:true
         message    = ${extract{2}{:}{$spam_action}}
         condition  = ${if eq{${extract{1}{:}{$spam_action}}}{reject}}

  # Accept the message otherwise
  accept

The provided configuration examples assume Exim 4.6 (or later) compiled with the option WITH_CONTENT_SCAN=yes. The variant=rspamd option of spamd_address used in the Rspamd example requires Exim 4.86 or later.

4.CommuniGate Pro

Rspamd:

1.Communication with CommuniGate Pro requires a helper module that is included in the Dr.Web repository and can be installed via the standard package manager.

For Debian, Ubuntu or Mint:

# apt-get install drweb-cgp-plugin

For Red Hat Enterprise Linux or CentOS:

# yum install drweb-cgp-plugin

For Fedora:

# dnf install drweb-cgp-plugin

If Dr.Web Mail Security Suite was installed from a universal package, the drweb-cgp-plugin module is already installed; there is no need to install it separately.

2.The module is installed in the directory /opt/drweb.com/share/cgp/ on GNU/Linux or /usr/local/libexec/drweb.com/share/cgp/ on FreeBSD. After the installation is complete, go to this directory and make the CgpDrweb_AS_AV.py file executable:

# cd /opt/drweb.com/share/cgp/
# chmod +x CgpDrweb_AS_AV.py

The module must be installed on the same server on which CommuniGate Pro is started. Module operation requires Python 3.6.1 or later.

3.Make the Helpers section of the CommuniGate Pro web interface available by enabling the Advanced or Expert view mode (see Preferences → Interface).

4.Configure CommuniGate Pro in the management web interface:

Go to Settings → General → Helpers and connect the module to CommuniGate Pro:

In the Content Filtering section, set a new filter and toggle it to Enabled.

Specify the filter name (for example, CgpDrweb_AS_AV).

In the Program Path parameter, specify a path to the script file (/opt/drweb.com/share/cgp/CgpDrweb_AS_AV.py for GNU/Linux or /usr/local/libexec/drweb.com/share/cgp/CgpDrweb_AS_AV.py for FreeBSD) and the options with which the script will be started (-r—socket address and port, -u or --rspamd-unix-socket—path to the UNIX socket, --debug—enable the debug mode). For detailed information about available options, run the command:

$ ./CgpDrweb_AS_AV.py --help

Save changes.

Go to Settings → Mail → Rules.

Specify a new rule name (for example, CgpDrweb_AS_AV) and click Add Rule.

Select the Highest rule priority and save changes.

Click Edit to the right of the rule name.

From the Data drop-down list, select Message Size; in the Operation field, select less than, and in the Parameter field, specify 40960000.

In the Action field, select ExternalFilter; in Parameter, select the name of the previously created filter (CgpDrweb_AS_AV in this case).

Save changes.

Add a threat detection response rule, specify its name (for example, Drweb_threats) and click Add Rule.

Specify 5 as the rule priority, save changes.

Click Edit to the right of the rule. Add the following two conditions to the rule:

·From the Data drop-down list, select Header Field; in the Operation field, select is, and in the Parameter field, specify X-Spam-Action: reject.

·From the Data drop-down list, select Header Field; in the Operation field, select is, and in the Parameter field, specify X-Spam-Symbol-1: threat*.

In the Action field, select Reject with; in Parameter, specify a text message (for example, The message contains threat(s)).

Save changes.

Add a spam detection response rule, specify its name (for example, Drweb_spam) and click Add Rule.

Specify 5 as the rule priority and save changes.

Click Edit to the right of the rule. Add the condition for the rule:

·from the Data drop-down list, select Header Field;

·in the Operation field, select is;

·in the Parameter field, specify X-Spam-Action: tag.

In the Action field, select Tag Subject; in Parameter, specify a header prefix (for example, [SPAM]).

Save changes.

5.Copy the content of the file below to a text document and save it as hook.lua.

-- Scanning procedure for messages
-- received using the Rspamd interface

function rspamd_hook(ctx)

  -- Threats take precedence over the spam verdict: report a fixed score
  -- above the threshold and the "threat" symbol, which the CommuniGate Pro
  -- rule Drweb_threats matches on (X-Spam-Action: reject, X-Spam-Symbol-1: threat*)
  if ctx.message.has_threat() then
    return {
      score = 900,
      threshold = 100,
      action = "reject",
      symbols = {
        { name = "threat", score = 900 }
      }
    }
  end

  -- Spam above the threshold is tagged (X-Spam-Action: tag), not rejected
  if ctx.message.spam.score > 100 then
    return {
      score = ctx.message.spam.score,
      threshold = 100,
      action = "tag",
      symbols = {
        { name = "spam", score = ctx.message.spam.score }
      }
    }
  end

  -- Everything else is accepted unchanged
  return {
    score = ctx.message.spam.score,
    threshold = 100,
    action = "accept",
    symbols = {
      { name = "The message is clean", score = 0 }
    }
  }
end

6.Specify a socket address and a port to receive connections from the MTA:

# drweb-ctl cfset MailD.RspamdHttpSocket <socket address>:<port>

7.Specify a path to the hook:

# drweb-ctl cfset MailD.RspamdHook <path to hook>

If you edit the code of the hook, restart Dr.Web ConfigD after making changes:

# service drweb-configd restart

Dr.Web MailD configuration parameters are described in detail in the corresponding section.