Starting Dr.Web for UNIX mail servers
Contents
1. Ie Configuration 4 e a ES ES EE a ae Use control messages Request to receive messages saved in quarantine zi using special control messages Yes more gt gt Storage period Period of time to store message in quarantine 24 hours x more gt gt Size limit Maximum size of messages in quarantine o b m more gt gt Messages limit Maximum number of messages in quarantine o more gt gt Transfer to DBI Transfer of messages saved in quarantine from file storage to DBI storage No m more gt gt Archive all Move all incoming messages directly to xi Quarantine Path def backup directory for No archiving more gt gt Storage settings Preview Apply and Save Settings Figure 38 Quarantine settings On this tab you can configure main Quarantine settings the period of time to store messages in Quarantine privileges to access quarantined messages renaming rules interaction with DBI storage Plug ins Tab This tab contains general settings of all plug ins included in Dr Web MailD To adjust settings of a certain plug in open the corresponding tab Dr Web Console for UNIX mail servers Dr Web MailD version Dr Web Web Interface version BQ Dr Web mailD is running ao Before queue plug ins List of plugins to process message before it is moved to queue or mail database antispam x modifier gt lt EJ headersfilter2. EJ antivirus AG After queue plug ins List of plugins to process message after it is moved to queue or mail database antivirus gt EJ antispam Ed headersfilter Ea modifier AG Message size limit for before queue plug ins Maximum size of message to be processed by plug HN ins defined in BeforeQueueFilters parameter value o b x more gt gt Message size limit for after queue plug ins Maximum size of message to be processed by plug ra ins defined in AfterQueueFilters parameter value o b z more gt gt Preview Save Apply and Save Settings Figure 39 Settings of plug ins Values of additional actions such as redirect add header and add score are not separated by parentheses and additional actions are set as immediate values e for redirect action a list of address separated with is specified address1 domain address2 domain address3 domain e for add score action only the score value is specified i e add header value is specified as NAME BODY where NAME is the header name X DrWeb MailD by default and BODY is the header value Value of add score additional action must be escaped with double quotation marks when added to the configuration file for details see Allowed Actions For example to add the word Infected as a header for infected files on the Anti virus tab the following string must be added to the plug in config
3. Special Cases Processing messages with several recipients If a message has different recipients and Rules set different parameter values for them for example a rule setting html no matches one recipient and a rule setting html yes matches another the conflict is resolved in the following way 1 If the parameters which have different values specified for different recipients allow cloning the message is cloned separate message copies are created and sent to the corresponding recipient Each copy has the parameter value set for its recipient 2 If the parameter does not allow message cloning different parameter values for different recipients are substituted with the same parameter value from the corresponding section of configuration file settings If the parameter is not specified in the configuration file the default value is used 3 If the same rule matches all the recipients or in the matching rules the parameter value is the same this value is used Note that if parameter values are not changed in the Rules values for these parameters are taken from the corresponding configuration file For those parameters values of which are not specified in the configuration file default values are used The message is sent for check to all plug ins specified in the Filters section except for those indicated in Rules as not used lt plug in gt use no or scan all lt plug in gt 253 Ta J 1 ax Dr
4. The configure mta sh and plugin NAME configure pl scripts from the bin dir maild scripts directory do not provide full featured configuration for best performance of plug ins and MTA Use these scripts as reference source only 47 Ta J 1 ax Starting Dr Web for UNIX mail servers Starting Dr Web for UNIX mail servers This section describes startup of Dr Web for UNIX mail servers in Linux Solaris or FreeBSD operating systems For Linux and Solaris OS To run Dr Web for UNIX mail servers 1 Register the software 2 Copy or move the key file to the directory with Dr Web for UNIX mail servers executable files the default directory for UNIX systems is bin dir Name of the key file can be different in different distribution packages for details see Software Registration e If Dr Web for UNIX mail servers was purchased as a standalone product license key file is named drweb32 key In this case copy the file to the bin dir directory without changing its name e If Dr Web for UNIX mail servers was purchased as a part of Dr Web Enterprise Security Suite archive received during registration contains a key file for Dr Web Enterprise Server enterprise key and a key file for workstations agent key Rename agent key aS drweb32 key and copy it to the bin dir directory To use a key file from a different location or with another name for example agent key specify its full path as a Key parameter value in
5. Note that this integration method does not require a protected MTA to run on the same server where Dr Web for UNIX mail servers operates For details on how to configure this integration method refer to Working in SMTP LMTP Proxy Mode Ta J i ax Dr Web MailD 2 MTA Mail filter integration When this integration method is used mail system performs communication with external MTAs that send mail correspondence to the server Moreover mail system is responsible for storage of checked email messages and communicates with message recipients MUA At that Dr Web MailD is used only as an external application filter that checks received messages transmitted by the mail system Dr Web MailD returns check results and they determine further actions to be applied to the message For interaction between Dr Web MailD and mail system in the filter mode both standard protocols for example Milter and SMTP and native protocols specific to the certain mail system can be used For that Dr Web MailD includes special interaction plug ins implemented for connection to some mail systems in the filter mode In this mode Dr Web MailD can be integrated with the following mail systems e CommuniGate Pro see Description of integration configuration e Sendmail see Description of integration configuration e Postfix see Description of integration configuration e Exim see Description of integration configuration e
6. Path to directory containing XML configuration files usr share webmin drweb m Maild config full path etc drweb maild _postfix cc Path and arguments to script for sending emails opt drweb drweb inject f lt Default section in Configuration Basic x Dr Web Mail Daemon settings Path to Maild installation Full path to MailD binaries opt drweb Full path to MailD control start stop script etc init d drweb monitor interface settings send emails from maild Central protection mode no M Save Retum to index Figure 27 Module configuration Do not forget to change the default value of the send emails from field Otherwise messages sent from Quarantine for example in the event of filter false positive and messages with notifications on system operation may not reach their destination Ta ww ax Dr Web Console for UNIX mail servers User Interface When navigating within Dr Web Console for UNIX mail servers sections you cannot open the previous page using the standard Back function If you click Back or use the corresponding key combination the previous section of the main menu opens toi Configuration 4 Templates ie Quarantine bg Send Forward 3D e Not spam Report spam Sender Recipient Subject Date all dates z Size bytes z Status any status zi 01 01 2000 00 00 28 12 2011 23 59 Reset Apply Sender Recipient Subject
7. Report sending Report schedule 00 00 00 more gt gt E mail address E mail address es to send reports to more gt gt Plug in names List of plug ins report is created for more gt gt Top list size Display in a report the lists of frequently blocked objects and addresses from which the maximum 20 number of blocked objects has been sent more gt gt Statistics storage period Maximum period of time to store statistics in d zi reports database 31 ays more gt gt Administrator e mail Administrator e mail address root localhost more gt gt Filter e mail E mail address specified in From header of Fa messages with reports root localhost Notification languages Language s used in reports generation en X ia m N Apply and Save Settings Figure 52 Reports settings On this tab you can configure statistic report options for example set the schedule for sending reports to the Administrator or period of report storage in the database Dr Web Console for UNIX mail servers 383 Mail Receiving Tab Dr Web MailD Dr Web Web Interfac gt lt Pd it Dr Web MailD is running ie bed Configuration vy Common Address Address used by Receiver component to receive messages more gt gt local var drweb ipc drweb_maild N Actions applied to messages when processing errors occur
8. 186 Ta J 1 ax in the Address parameter Dr Web MailD 187 e if last MTA returns 5 SMTP code DSN is generated immediately and the message is deleted from out queues Scheme of DSN sending is similar to the one described above If DSN cannot be delivered it is deleted after the interval specified in the SendingIntervals parameter When different routes are specified in the Router parameter and in message processing rules for the same domain routes specified in the Rules have higher priority Please note that even if you configure routing of all mail messages with the Router parameter the Address parameter value must not be empty otherwise Sender fails to start Address specified in the Address parameter value is used if the match in the routing table or in message processing rules cannot be found for the recipient If all attempts of Sender to dispatch a message are failed the stalled message remains in the out failed directory until it is sent with drweb inject utility or deleted manually with the use of a system utility Courier Section In the Courier section settings of interaction between Dr Web MailD and Courier mail transfer system are specified This section is included in Dr Web MailD configuration file only if the software version is designed for operation with the MTA mentioned above ProcessingTimeout ProcessingErrors action MainPoolOptions pool options ReplyPoolOpti
9. Ta 2 1 aX Dr Web Console for UNIX mail servers Figure 30 Toolbar Using the toolbar you can e Send quarantined messages to their original recipients Select required messages from the list and click Send Forward quarantined messages to an email address Select required messages from the list and click Forward As a result a window that contains the following fields opens Recipient email address of the recipient Subject subject of the message Message description of the forwarded message Attachments messages forwarded as attachments Delete one or several quarantined messages Select required messages from the list and click Delete or press the DEL key on the keyboard Notify our developers about false spam detection Select messages which were filtered by anti spam plug in and moved to Quarantine by mistake and click Not Spam Once the button is clicked a special message notifying on false detection with the attached text of the selected messages is automatically created and sent to vrnospam drweb com The selected messages themselves are neither deleted from Quarantine nor sent to their recipients If you still want to send these messages to recipients or forward them use the corresponding buttons on the toolbar e Report spam After you click e Report spam a window opens where you can upload the file which contains the suspicious message and send it to Doctor Web laboratory This
10. Sets mode of error handling errors that occur when connecting to the specified data source Allowed modes e ignore ignore the error and continue message processing the error is only recorded in log e exception throw an exception which will be handled as an error of message processing The handling method corresponds to the value of the ProcessingError parameter specified for the module that was processing the message when the error occurred The parameter value can also be locally overridden in Lookup Default value OnError ignore Maximum idle time for LDAP connection to be closed Ta J 1 ax Dr Web MailD 201 Check for LDAP inactive connections is performed using the same time period Default value CheckPeriod 2m Dr Web MailD uses OpenLDAP library for connection to LDAP library version must be 2 0 and later If the specified LDAP server is not available Dr Web MailD attempts to establish connection until the timeout occurs specified in the Timeout parameter When the time expires an error is logged and processed in accordance with the OnError parameter value Oracle Section In the Oracle section settings for interaction between Dr Web MailD and Oracle database are specified Lib Path to library that supports Oracle OTL version 8 or later th to il tea gare Library must be built with thread support The library is searched according to the standard rules used by dl
11. With this parameter enabled Dr Web Scanner checks log file size on startup If log file size exceeds the MaxLogSize parameter value log file content will be erased and logging will start from scratch Default value LimitLog No Maximum log file size in Kbytes Used only with LimitLog Yes If this parameter value is set to 0 log file size is not checked Default value MaxLogSize 512 Enables or disables logging of information about all scanned objects regardless whether they are infected or not Default value LogScanned Yes Enables or disables logging of additional information about files packed with DIET PKLITE and other utilities Ta 1 ax LogArchived logical LogTime logical LogStatistics logical RecodeNonprintable logical RecodeMode Replace QuotedPrintable RecodeChar TEUDAN ee ne at Dr Web Command Line Scanner 66 Default value LogPacked Yes Enables or disables logging of additional information about files archived with various archiving utilities Default value LogArchived Yes Enables or disables logging of time for each record Parameter is not used if LogFileName syslog Default value LogTime Yes Enables or disables logging of scan statistics Default value LogStatistics Yes Enables or disables transcoding of characters that are undisplayable on a given terminal see also the description of the following two pa
12. gt PostgreSQL gt Firebird Berkeley SQLite v ODBC Settings Library a to library that supports ODBC version 3 0 or T Jusr lib libodbc so more gt gt Connection parameters ODBC connection parameters more gt gt Response size limit Maximum number of strings received in response o to single database request more gt gt List of domains for which ODBC request is not required more gt gt Prefix custom value Z Lookups error handling Sets an error handling procedure for lookups more gt gt ignore F Oracle gt LDAP Settings Apply and Save Settings Figure 37 Basic settings On this tab you can configure export of statistics as well as interaction between Dr Web MailD and various databases You can select parameter values from the drop down menus or specify them manually in the corresponding text fields Queries to the LDAP server must start with double or triple slash Example 127 0 0 1 dc origin description sub cn Su Double slash is used when you need to specify the address of the LDAP server Example 2 description sub cn Su Triple slash instructs to use the server specified as the Hostname parameter value in the LDAP 368 Ta yan A A Dr Web Console for UNIX mail servers 369 section of the Dr Web MailD configuration file Quarantine Tab
13. 50 Ta 2 i ax Starting Dr Web for UNIX mail servers 51 Please note that some Linux distributions may not have the below mentioned utilities installed by default In this case you need to additionally install the required packages To create required policies 1 Create a new file with SELinux policy source code te file The file defines restrictions applied to the described module The source file can be created in one of the two ways 1 With the use of audit2allow utility This way is more simple The utility generates permissive rules based on the messages on denial of access to system log files You can set automatic search of messages in log files or set path to the log file manually A audit2allow utility resides in the policycoreutils python package or policycoreutils devel package for RedHat Enterprise Linux CentOS Fedora OS depending on the version or python sepolgen package for Debian Ubuntu OS Example usage audit2allow M drweb i var log audit audit log OR cat var log audit audit log audit2allow M drweb In this example audit2allow utility searches for access denied messages in the audit log file audit2allow a M drweb In this example audit2allow searches for access denied messages in log files automatically In both cases two files are created as a result of the utility operation drweb te policy source file and drweb pp policy module which is ready for installation
14. All Dr Web for UNIX mail servers settings are stored in the following three configuration files located in the etc dir directory e maild_ lt MTA gt conf file with Dr Web MailD general settings e agent conf file with Dr Web Agent settings e monitor conf file with Dr Web Monitor settings If all files of Dr Web for UNIX mail servers are located in their default directories basic setup of the solution can be performed with the configure pl script The default directory of the script is bin dir maild scripts After startup the script prompts you to specify values for some essential parameters and writes them to the maild lt MTA gt conf configuration file Also you should use the configure mta sh script This script is responsible for setting up interaction between Dr Web for UNIX mail servers and the currently used mail system After startup the script checks whether the required mail system is installed If it appears to be missing the script finishes its operation If the required mail system is installed the script asks the user several questions on essential settings for basic setup and makes the necessary changes in corresponding configuration files Other parameters that are necessary for interaction with mail system must be adjusted manually by editing the maild_ lt MTA gt conf configuration file of Dr Web MailD Part of the lt MTA gt file name depends on the name of the MTA integrated with Dr Web for UNIX mail
15. Example 3 a The following Rules are set Rules to userl domain ru cont NotifyLangs ja AdminMail admin2 domain ru to user2 domain ru cont NotifyLangs ja AdminMail admin2 domain ru to user3 domain ru cont NotifyLangs ja AdminMail admin2 domain ru from root domain ru cont NotifyLangs ru to admin domain ru cont NotifyLangs ru ja b Default settings for MailD notifications sending are Notifier AdminMail admin domain ru FilterMail drweb domain ru NotifyLangs en Ta yas A A Dr Web MailD c The following infected message is processed FROM lt root domain ru gt TO lt userl domain ru gt lt user2 domain ru gt lt user3 domain ru gt As all notifications are sent from the address specified in FilterMail the following 5 notifications are sent o From lt drweb domain ru gt to the administrator lt admin domain ru gt o From lt drweb domain ru gt to the sender lt root domain ru gt o From lt drweb domain ru gt to the recipient lt userl domain ru gt o From lt drweb domain ru gt to the recipient lt user2 domain ru gt o From lt drweb domain ru gt to the recipient lt user3 domain ru gt Administrator with the lt admin domain ru gt address receives notifications in Russian and Japanese languages sender with the lt root domain ru gt address in English language and all users lt userl domain ru gt lt user2 domain ru gt lt user3 domain ru
16. Instructs to read the list of objects for scanning from the standard input stream stdin Sets recursive search for files to scan in subfolders Instructs to follow symbolic links to both files and folders Links that cause loops are ignored Instructs to ignore filename masks Diagnostic Parameters These parameters determine object types to be scanned for viruses al ar d m r n en d m r n ml d m r n upn ha Instructs to scan all objects defined by scan paths regardless of their file extension and structure This parameter is opposite to the ex parameter Instructs to scan only files of certain types in the specified paths The list of file types must be specified in the FileTypes variable of the configuration file The configuration file is defined by the ini parameter By default objects with the following file extensions are scanned EXE COM DLL SYS VXD OV BAT BIN DRV PRG BOO SCR CMD 386 FON DO XL WIZ RTF CL HT VB JS INF PP OBJ LIB PIF HLP MD INI MBR IMG CSC CPL MBP SH SHB SHS SHT CHM REG XML PRC ASP LSP MSO OBD THE NWS SWF MPP OCX VS DVB CPY BMP RPM ISO DEB AR ZIP R GZ Z TGZ TAR TAZ CAB LHA LZH BZ2 MSG EML 7Z CPIO This parameter is opposite to the al parameter Instructs to scan files within archives ARJ CAB GZIP RAR TAR ZIP etc An archive is understood to be a tar archive tar or compre
17. Note that all actions applied to messages by Receiver and plug ins must be configured so as to avoid denial to receive messages for check do not use the following actions reject discard tempfail Alternatively you must adjust these MTA so that they can correctly handle the cases when the callback filter rejects or discards the message Moreover if Dr Web MailD is configured to enable generation of DSN for example when the operation mode is asynchronous and the SkipDSNOnBlock parameter value is set to No and 329 T ax A A Dr Web MailD notifications the lt CONDITION gt part of the Rule must contain the validation condition that does not allow service messages to be sent to the address where MTA is waiting for the checked messages For that purpose specify validation conditions which contain the from sender parameter All DSN are always sent with the empty From field and the From field of notifications contains the address specified in the FilterMail parameter value Notifier section Example from from root localhost cont SenderAddress inet 10025 CLIENT IP This Rule sends an outgoing message to the port 10025 on the sender s host only if the From field is empty or does not contain the root localhost address The SenderAddress parameter used in rules overrides the Address parameter value specified in the Sender section dynamically Thus if the Rule is not executed the mess
18. St9bad alloc bash xmalloc cannot allocate 2 bytes 0 bytes allocated gmail queue real error while loading shared libraries libc so 6 failed to map segment from shared object Cannot allocate memory var qnail bin qmail smtpd error while loading shared libraries libc so 6 failed to map segment from shared object Cannot allocate memory Solution The problem occurs because of memory usage limit in the initialization script is too high For example if Dave Sill scripts are used the value indicated in the instruction softlimit m 2000000 must be increased by adding for instance to 20000000 Description In reply to all messages received via SMTP protocol Qmail returns the following string 451 qq trouble making network connection 4 3 0 Solution qmail queue can have not enough privileges to connect to the UNIX socket created by drweb qmail which operates as Receiver component of Dr Web MailD or paths specified by default for qmail queue do not lead to this socket Check the privileges and ensure that the value of the ListenUNIXSocket parameter in the Qmail section of the Dr Web MailD configuration file matches the default paths a list of these paths can be obtained by running qmail queue with the help command line parameter Description For each message received via SMTP protocol Qmail outputs the following string to the console upon receipt of a message body qmail inject fatal qq temporary prob
19. Ta J 1 ax Available values pass reject discard tempfail j lt file path gt Description Path to the ZMailer configuration file that is to be ignored For information on utility command line parameters refer to the description of the corresponding utility in the present document Processed Signals All program modules constantly residing in memory support processing of the following signals e SIGHUP forces modules to reread their configuration files When Dr Web Monitor receives this signal it makes all the running components reread their configuration e SIGINT and SIGTERM upon receiving any of these signals modules finish their operation Some modules can process additional signals e Upon the receipt of STGUSR2 signal Sender component makes an attempt to send all messages from the internal queue e Upon the receipt of SIGUSR1 signal drweb receiver module saves statistics on SMTP restrictions to the restriction txt file e Upon the receipt of SIGUSR1 signal all components save files with statistics on operation of dynamic thread pools and persistent connections Files with statistics are saved to the directory specified in the BaseDir parameter from the General section of Dr Web MailD configuration file Statistics on operation of dynamic thread pools is logged if the Debug verbosity level is specified Thus if the specified verbosity level is less detailed than Debug statistics is not
20. o certificate path to the file path to a certificate file with a signed public key The value of this parameter must be specified together with the value of the private_key file parameter This parameter is required for server configuration Default parameter value is not set o verify mode none peer client once fail _ if no peer _cert sets peer certificate verification mode none skip peer certificate verification This value is set by default a peer verify a peer s certificate The parameter is ignored in the client mode if the server does not send a certificate for anonymous encryption This value is set by default for client connections client once request a certificate only when connection is established for the first time disable certificate request during TLS handshake if connection is already established The value can be used only together with the peer value fail if no peer cert enable the server to treat missing of a client s certificate as an error The value can be used only together with the peer value Examples verify mode peer verify mode client once verify mode none If peer and none values are specified together the last specified value is used 133 Ta J i ax Dr Web MailD 134 o verify_ca the path to the file the path to the directory the absolute path to a file or directory where CA certificates in the PEM format are located These certificates are us
21. used for management of Quarantine and quarantined files e drweb lookup utility used for check of expressions used in Lookup e drweb inject utility used for manual sending of saved email messages including messages lost due to processing errors via the Sender component or other installed mail transfer component drweb qcontrol Quarantine Management The drweb qcontrol utility allows managing Quarantine and perform a search through it The utility interface can be used for search of messages saved to DBI storage or in files on the disk If Quarantine is saved in files on the disk it is required to start the drweb maild module before The utility is launched with the following command drweb qcontrol parameters command command lt identifiers gt Ta 1 ax Dr Web MailD 237 1 Command line parameters The following command line parameters are available In help Description Output short help information on the command line parameters to the console and exit version Description Output information on the utility version and exit y verbose Description Output information on all utility actions to the console A level lt verbosity level gt Description Set the logging verbosity level The following levels are available Quiet Error Alert Info Debug i ipc level lt verbosity level gt Description Set the verbosity level for IPC records interaction with drweb mai
22. 258 Ta yan A A Dr Web MailD Unified Score Unified Score technology allows detection of unwanted mail messages by the unified score assigned to each message Message score is a signed integer The greater it is the higher is the probability that the message is unwanted and vise versa the smaller the number the lower the probability that the message is unwanted By default a message is not considered spam if its score is less than the SpamThreshold parameter value that is 99 and less If a message score is greater than the SpamThreshold value but less than UnconditionalSpamThreshold that is from 100 to 999 by default this message is considered spam If a message score is greater than the UnconditionalSpamThreshold value 1000 by default this message is considered to be an unconditional spam Message score can be modified in the following ways e in the parameters of the Action type you can use an optional action score SCORE where SCORE is an integer which can be added to the current message score or subtracted from the score if this value is negative e Vaderetro anti spam plug in assigns a score to the message and this score is added to the total message score which is compared to spam threshold values e you can also modify a message score using Rules of some plug ins as well as by changing some parameter restrictions in the Receiver section e using Reputation IP Filter that allows modif
23. Default value Timeout 90 Tries Number of attempts by Dr Web Updater to establish connection numerical value with the selected update server Default value Tries 3 ProxyServer Host name or IP address of the proxy server which is used for host name IP address Internet access If the proxy server is not used the value of this parameter must be empty Default value ProxyServer ProxyLogin User login to access the used proxy server if it requires string authentication Default value ProxyLogin Ta ww ys ProxyPassword CSE no LogFileName syslog file name SyslogFacility syslog label LogLevel log level MaildPidFile path to file BlacklistPath path to directory AgentConfPath path to file PathToVadeRetro path to file ExpiredTimeLimit numerical value Dr Web Updater 90 The password to access the used proxy server if it requires authentication Default value ProxyPassword Path to the log file name You can specify syslog as a log file name and logging will be performed by syslogd system service Default value LogFileName syslog Log type label which is used by syslogd system service Default value SyslogFacility Daemon Log verbosity level The following levels are allowed e Quiet C jniemoi e Warning O TMS Debug e Verbose Default value LogLevel Info Path to PID file o
24. In most cases you do not need to adjust policies created by the utility So it is recommended to go to step 4 for installation of the drweb pp policy module Note that audit2allow utility outputs semodule command invocation string Copy the string to the command line and execute That way you will do instructions of step 4 Go to step 2 only if you want to adjust the policies which are automatically formed for Dr Web for UNIX mai servers components 2 With the use of policygentool utility As a parameter specify the name of the module which operation you want to configure and the path to its executable file Note that policygentool utility included in selinux policy package for RedHat Enterprise Linux and CentOS Linux OS might not function correctly In this case use audit2allow utility Example of creating policies with policygentool o For Dr Web Console Scanner policygentool drweb scanner opt drweb drweb real o For Dr Web Daemon policygentool drweb daemon opt drweb drwebd real You will be prompted to get information on some domain features and then for each of the modules 3 files will be created which determine the policy module name te module name fcu module name if Ta J i ax Starting Dr Web for UNIX mail servers 52 2 If necessary edit generated source file of the module_name te policy and then use the checkmodule utility to create a binary representation mod of the policy source
25. It can be convenient to set mail processing rules in the Dr Web MailD configuration file instead of writing one big rule you can split it into several separate rules Example GlobalRules select message append html lookup file maild files somehtml html This rule can also be specified in the following way GlobalRules select message GlobalRules append_html lookup file maild files somehtml html see description of Dr Web Modifier rules format Please note that splitting of a line into several parts with backslashes allows you to insert comments which are ignored by the rule parser when reading configuration Example to user host cont modifier LocalRules select mime headers X Spam Level 3 and more asterisks lt this is a comment is ignored if found select mime headers Subject replace Ww SPAM W TES endif for details on the rule format see the Rules section description Ta J 1 ax Dr Web Agent Operation Mode If necessary Doctor Web can be connected to a corporate or private anti virus network managed by Dr Web Enterprise Security Suite Dr Web ESS To operate in the central protection mode you do not need to install additional software or uninstall your Dr Web solution To provide you with this option Dr Web Agent can operate in one of the two following modes e Standalone mode when a protected computer is not included in a
26. Ta J 1 aX Dr Web MailD the plug in description Note that the operational logic of the lt plug in gt use parameter is similar to the one of the scan parameter exclude a plug in from or include it in the list of the used plug ins The parameter can be also used to include or exclude plug ins on Rule matching as the scan parameter does not have additive semantics Example If it is required to disable Drweb and Vaderetro plug ins with the use of two rules then the following two Rules to regex test cont scan all vaderetro to regex test cont scan all drweb result in disabling only Vaderetro plug in as repeated change of the scan parameter is rejected However if the second Rule is changed as follows to regex test cont scan all vaderetro to regex test cont drweb use no Vaderetro plug in will be disabled after appliance of the first Rule and Drweb plug in will be disabled after appliance of the second one The same effect can be reached if scan all vaderetro is substituted to vaderetro use no in the SETTINGS part of the fist Rule In the SETTINGS part of a Rule you can use parameter values set in a named settings group specified as a Rule lt section name gt section in the main configuration file For that purpose specify the rule lt group name gt directive In the current Dr Web MailD version no more than one rule parameter can be used for examples refer to Rule section description
27. Ta J 1 ax Dr Web MailD default Thus the section which contains settings in this group has the following heading Rule default at that default can be omitted and the section name can be as follows Rule To use default settings in a rule specify rule default directive A Do not confuse the Rule section and the Rules section in the latter Rules of message processing are specified The Rule section contains default values for all parameters that can be used in Rules See description of these parameters in the chapter Parameters used in Rule SETTINGS Example Rule notify block notify Virus allow any notify Cured allow admin sender notify Skip block notify Archive allow admin notify Error allow admin notify License allow admin notify Malware allow any html yes notify Rule allow admin In the given example default values for the notify and html parameters are set They will be used for all email messages unless the values are redefined by a Rule Rules Section The Rules section of the main configuration file contains general rules of message processing Note that the Rules section structure differs from structure of other sections instead of lt Parameter gt lt Value gt pairs it contains Rules of message processing that are specified one per line if force hyphenation is not used For details on the format used for s
28. To enable CommuniGate Pro hereinafter CGP to send and receive messages from Dr Web MailD do the following 1 Connect to CGP web interface it must be connected as a plug in in a remote administration tool WebAdmin 2 Select Settings then select General and open the Helpers menu 3 In the Content Filtering section add a new external filter and specify the following parameters the new filter is added in the last empty line in the filter list Enabled select in the drop down list Enter the filter name in the text field DrWeb Maild Log Level Problems Program Path bin dir drweb cgp receiver Time out 2 min select in the drop down list Auto Restart 15 sec select in the drop down list Check whether the privileges with which CGP is executed are sufficient for drweb cgp receiver startup 332 Ta J i ax Dr Web MailD 5 Select Settings then select Queue and open the Rules menu 6 Create a new rule To create a new rule do the following 1 Enter the rule name for example drweb filter and click the Add Rule button 2 Click Edit and specify the ExternalFilter value in the Action drop down list 3 In the Parameter field enter the filter name specified in the previous step on the Settings gt General gt Helpers menu In the given example the filter name is DrWeb Maild It is recommended to add additional settings to the created rule 1 To avoid repeated check of messages r
29. e Open the directory ZMAILER_SRCHOME smtpserver where ZMAILER_SRCHOME is the path to the directory with ZMailer binaries e Run the following command patch lt smtpdata c XXX patch where Xxx stands for the version of Zmailer to be patched When Dr Web MailD is interacting with Zmailer system the following modules must be running in the system this is specified in mmc file of the Dr Web Monitor e drweb notifier drweb sender e drweb maild Content Filter at SMTP Session Stage To enable Dr Web MailD support in ZMailer do the following e copy or make a symbolic link drweb zmailer sh to MAILBIN directory path to the file is specified in znailer conf e edit smtpserver conf file by adding the following string or modifying the existing one PARAM contentfilter SMAILBIN drweb zmailer sh As command line parameters cannot be specified in contentfilter you must define them in Ta J 1 aX Dr Web MailD drweb zmailer sh script Content Filter at Routing Stage All messages processed by the mail server pass the routing stage Therefore the end of the routing stage is the most suitable time for the filter to connect To make such connection possible edit SMAILBIN cf process cf file as described below Find the following lines LOGMSG This is a LIST of files where to log The LOGMSG variable is used by the intercept facility in crossbar cf to make sure only a
30. 4 4 4 4 i mime prologue 4 4 4 4 4 4 mime epilogue 4 4 4 4 4 4 4 4 4 4 4 mime body te te r ty e ey te t sender te e te eye ep ef te te te te tf tt recipient fe fe tpt ep te et ey te te te te ey ee message ef e te te ep ep ep te ey ep te te tt In the table the following conventions are used the same as for mime body applicable ignored Note that prepend_text prepend_html append text append html and addheader actions can be applied only if a composite object instead of a simple object such as a header is selected with the select operator as these commands always insert into the selected object an additional MIME object which cannot be a header value 3 Conditional validators Conditional validators are used to change the order of actions applied to the message depending whether the condition meets the validation rule or not There are the following main types of conditions 1 Branching depending on selection results if not found lt action or list of actions gt else lt action or list of actions gt endif The if found condition is true if the result set of the previous select operator is not empty The if not found condition is true in
31. Actions for RecipientRestrictions reject_unknown_domain SCORE If the host name has neither DNS A record nor DNS MX record mail from this address is blocked or if SCORE is specified an error is logged and the SCORE value is added to the score of each message transferred in the current session and to the score of the senders s IP address During check A requests and sometimes MX requests are sent If the client s IP address does not match any of the IP addresses resolved for the domain name from the EHLO HELO command mail from this address is blocked If SCORE is specified the message is passed but an error is logged and the SCORE value is added to the score of each message transferred in the current session and to the score of the sender s IP address If the sender s host name has neither DNS A record nor DNS MX record mail from this address is blocked or if SCORE is specified an error is logged and the SCORE value is added to the score of each message transferred in the current session During check A requests and sometimes MX requests are sent It is recommended to use reject unknown domain together with other restrictions for this session stage reject _unknown_domain restriction is checked first and then the others It is necessary because if the FROM field of email message is empty this restriction is not applied as there is no domain name to check in DNS But it is impossible to ban email messages w
32. If the value does not have a symbol the parameter is expressed in bytes Examples 20b 15k Ta J 1 aX Introduction permissons parameter value expressed as a three digit number which determines file access permissions in UNIX format Each permission is a combination sum of three base permissions o Read permission r is specified by 4 o Write permission w is specified by 2 o Execute permission x is specified by 1 First digit in the value defines permissions for the file owner second digit for owner s group and third digit for all other users neither owners nor members of the group Examples 755 644 logical Yes No parameter value expressed as a string that can be one of the following Yes or No path to file directory parameter value expressed as a string which contains a path to a file or folder in the file system Note that names of files and folders are case sensitive If mentioned you can specify a file mask as a parameter value A mask can include the following symbols o replaces one symbol in the file folder name o replaces any sequence of symbols including an empty sequence in the file folder name Example e this mask defines all files with a name consisting of only one character and with an extension which is of any length and starts with e x exe g e f enable and others action parameter value expressed as a string which contains
33. In addition to one mandatory action you can specify several optional actions Mandatory actions are pass reject discard tempfail Additional actions are quarantine redirect add header score Default value Action pass Actions to be applied to a message which was identified as unconditional spam by Vaderetro plug in 305 Ta J 1 ax NotifyAction actions SubjectPrefix texti UnconditionalSubjectPrefix texti NotifySubjectPrefix Cert FromProtectedNetworkScoreAdd numerical value Dr Web MailD 306 In addition to one mandatory action you can specify several optional actions Mandatory actions are pass reject discard tempfail Optional actions are quarantine redirect add header score Default value UnconditionalAction pass Actions applied to a message which was identified as spam or unconditional spam by Vaderetro plug in according to the message score and moreover classified as DSN message of group 3 by the VadeRetro library In addition to one mandatory action you can specify several optional actions Mandatory actions are pass reject discard tempfail Additional actions are quarantine redirect add header score Default value NotifyAction pass Prefix added to the message subject if the message is identified as spam by Vaderetro plug in according to the message score the message score must be greater than or equal to
34. Library is located using dlopen system call please refer to the corresponding documentation In the current version this parameter cannot be changed with SIGHUP signal restart of Dr Web MailD is required Default value Lib usr lib libldap r so Please note that when using libldap r so library in FreeBSD 6 4 amd64 the following error may occur Undefined symbol gethostbyname r Hostname string Port numerical value Timeout time Version CSE nO Bind Logicer BindDn string BindPw string LDAP server hostname If the parameter value is not specified localhost is used The parameter value can also be locally overridden in a Lookup Default value Hostname LDAP server port The parameter value can also be locally overridden in a Lookup Default value Port 389 Timeout for LDAP requests The parameter value can also be locally overridden in a Lookup Default value Timeout 10s LDAP protocol version To enable secure data transfer with TLS SSL use LDAP protocol version 3 or later The parameter value can also be locally overridden in a Lookup Default value Version 3 Enables binding before making requests For LDAP protocol version 3 binding is not necessary The parameter value can also be locally overridden in a Lookup Default value Bind No Unique name for binding The parameter value can also be locally overridden in a Lookup Defa
35. Notify Archive allow admin Notify Error allow admin Notify Rule allow admin Notify License allow admin Malware HEMP eeee HWe Wee eee xxxXxxXxXXKX KK Notify allow any le html yes Ono x Create new setting vy Rules true AND block rfile file cont quarantine yes Apply and Save Settings Figure 48 Editing rule section Dr Web Console for UNIX mail servers 379 ped Configuration Panie ovnrnine Proens mes oo tenons manrecenno soca mat imon Pons ron Protected networks List of protected networks more gt gt 127 0 0 0 8 custom value Protected domains List of protected domains custom value Include subdomains Include subdomains in protected domains list z Redirect to E mail address to send messages to when Redirect action is used root localhost Action applied to messages invoked scanning Processing errors action errors Main action pass z Additional actions quarantine rediet notify add header C S E addscoe f N Maximum score Maximum message score 10000 Actionf for maximum score Actions applied to the message when its score exceeds the threshold value specified in MaxScore Main action parameter Additio
36. RCPTS MALWARE msg RCPTS VIRUS msg Template for a report generated on detection of malware in a message Template for a report generated on detection of a virus in a message Templates of notifications sent to the message senders SENDER _ARCHIVE msg SENDER _CURED msg SENDER _ERROR msg SENDER MALWARE msg SENDER _VIRUS msg SENDER _ SKIP msg Other templates DSN msg REPORT msg Used Macros Template for a report generated on detection of archives which cannot be scanned due to excess of limits set for archives in main configuration file drweb32 ini Template for a report generated on cure of an infected message Template for a report generated on Dr Web Daemon or plug in errors Template for a report generated on detection of malware in a message Template for a report generated on detection of a virus in a message Template for a report generated on message scan failure It can happen when password protected or broken archive or a file in a non standard format is attached to a message or when message scan is aborted due to timeout Template for delivery status notification DSN Template for regular Dr Web Daemon reports The following macros can be used in any template SLC POSTMASTERS FILTER MAILS SHOSTNAMES SLANGSS Replaced with a string that have the specified number in a language files decimal number of the string for example LC150 The used language file is determined by the
37. Symbols or mark the beginning of a comment Text that follows these symbols is ignored by Dr Web for UNIX mai servers modules when reading a file Contents of the file is divided into sets of named sections Possible section names are hardcoded and cannot be changed The section names are specified in square brackets Each file section contains configuration parameters grouped by meaning One line contains a value or values only for one parameter General format for parameter value setting spaces enclosing the signed are ignored is the following lt Parameter name gt lt Value gt Parameter names are hardcoded and cannot be changed Names of all sections and parameters are case insensitive Order of sections in a file and order of parameters in sections are of no consequence Parameter values in a file may be enclosed in quotation marks and must be enclosed in quotation marks if they contain spaces Some parameters can have more than one value In this case parameter values are separated by a comma or each parameter value is set separately in different lines of the configuration file If values of a parameter are separated by commas spaces between a comma and a value are ignored If a space is a part of a value the whole value must be enclosed in quotation marks If a parameter can have several values that is explicitly designated If the possibility to assign several values to a parameter is not explicitly des
38. The following table describes the plug ins that are included into the Dr Web MailD mail processing component Mandatory plug ins drweb maild MailD core Central module that provides operation of Dr Web MailD drweb notifier Notifier Module that creates notifications reports and DSN drweb receiver Receiver Module interacting with MTA receiving of incoming SMTP LMTP messages via the SMTP LMTP protocol drweb sender Sender Module interacting with MTA sending of outgoing SMTP LMTP messages via the SMTP LMTP protocol As drweb sender can transfer messages directly to the local post system the module is used almost in all schemes of Dr Web MailD and MTA integration drweb proxy client Proxy client Client proxy module for Dr Web MailD clustering The module used as a stub to a cluster node responsible for receiving and sending messages i e where Sender and Receiver are installed drweb proxy server Proxy server Server proxy module for Dr Web MailD clustering Used as a stub to a cluster node responsible for mail processing i e where the MailD core central component is installed as well as the built in MailDB databse and plug ins drweb imap IMAP filter MDA proxy module via the IMAP protocol check of messages when transferring them from MDA to MUA drweb pop3 POP3 filter MDA proxy module via the POP3 protocol check of messages when transferring them from MDA to MUA Optional plug ins used for integration with specific post systems t
39. This parameter can have a list as a value The method to determine message recipients for an envelope is described below e BLOCK sets names for malicious objects that blocked a virtual message for which notification is generated This parameter can have a list as a value and is used in Rules that have block in the conditional part e SIZE sets size of a virtual message for which notification is generated in bytes This parameter is used for searching parameters in Rules that have size in the conditional part e SCORE sets a score of the message for which the notification is generated This parameter is used for searching parameters in Rules that have score in the conditional part Sender and Recipient Determining Mechanism If special values of FROM or RCPTS are specified the sender and recipients in the envelope are determined by these indicators only except for DSN templates where the recipient is always empty Otherwise the following mechanism to determine sender and recipients is used For welcome user msg and password _user msg templates e sender s address is determined according to the AdminMail parameter from Rules e recipients addresses from the RCPTS macro thus it must be initialized otherwise an error 235 Ta J i ax Dr Web MailD 236 occurs For welcome _ client msg and password client msg templates e sender s address is set according to the value specified first for the AdminM
40. a Dr Web Console for UNIX mail servers 390 A temporary unavailable for example in the event of connection problems Dr Web Agent uses backup copies of configuration files that were previously received from the server These files are encrypted and must not be edit by users Edited files become invalid When Dr Web Console for UNIX mail servers enters Enterprise mode CPM Central Protection Mode label displays on the top navigation menu of Dr Web Console for UNIX mail servers Dr Web MailD version Dr Web Web Interface version i Dr Web MailD is running CPM Figure 60 Dr Web Console for UNIX mail servers operation mode Configuring User Permissions When Dr Web Agent is running in the Enterprise mode Dr Web Control Center administrator can partially or completely block user permission to configure Dr Web components installed on the workstation To set permissions of a workstation user e Enter Dr Web Control Center Note that the administrator must have sufficient privileges to adjust settings of Dr Web anti virus software e On the main menu select Network then click the workstation name in the hierarchical list On the open control menu left pane select Permissions This opens the permission configuration window Dr WEB Control Center W preferences ifi neighborhood Help v General aacae904 0df7 4fcc beb2 7dc9ff664254 hostname Custom settings have been specified poe
41. date lt time stamp gt Default value ExportPluginStatStorage For details on the statistics export options see Exporting Statistics Reports Section In the Reports section parameters that configure creation and sending of plug in activity reports are specified Send Enables or disables sending of reports logical eae Default value Send Yes SendTimes Schedule for sending reports ee The syntax is as follows e hour minute second period send a report at the specified time every day e Nw hour minute second period send a report at the specified time on the Nth day of week 0 Sunday 1 Monday 2 Tuesday and so on e Nm hour minute second period send a report at the specified time on Nth day of month If the period of time is specified period report includes data for this period otherwise a report includes data for 24 hours Example SendTimes 00 00 00 24h 1w 00 00 00 7d 2M BIL 2 2333 32 3116 Ta J 1 ax Mail email address Names list iE jollme iins TopListSize numerical value MaxStoreInDbPeriod time CheckForRemovePeriod time Logging Section Dr Web MailD 165 In this case three reports are sent daily report at midnight weekly report on Monday midnight and monthly report on the second day of each month at 21 23 32 Default value SendTimes 24h email addresses where reports are sent If the parameter
42. more gt gt Processing error action Main action reject x gt smtp settings Advanced Preview save Appi ana save setings Figure 53 General mail receiving settings On this tab you can specify one or several addresses for receiving SMTP LMTP requests and actions to be applied to messages which caused processing errors On the tab with advanced settings you can configure interaction between Dr Web MailD and the used MTA Ta 2 ww ax Dr Web Console for UNIX mail servers Pool settings Current values auto minimum 5 minimum 2 maximum 20 timeout seconds x stack_size b i loglevel quiet 5 stat no x Direct connections with clients No aa Stalled messages processing timeout 10 minutes z Command timeout 5 minutes x Message timeout 10 minutes x Add Received header No x Return on reject No a preview save Ee Thread pool settings Accept connections directly from clients more gt gt Timeout to process stalled messages more gt gt Timeout to execute single command Timeout to receive single message Add Received header to all received messages Receiver component policy in case of Reject action more gt gt Figure 54 Advanced mail receiving settings Current version of Dr Web for UNIX mail servers does not support conf
43. setc_dir monitor conf The modules must be installed and configured properly 109 Ta J i ax Dr Web Monitor 110 2 In the Monitor section of Dr Web Monitor configuration file set the UseEnterpriseMode parameter value to No On switching to this mode all settings of Dr Web for UNIX mail servers are unlocked and restored to their previous or default values You can access all settings of Dr Web for UNIX mail servers again and configure them For correct operation in the standalone mode Dr Web for UNIX mail servers requires a valid personal key file The key files received from the central protection server cannot be used in this mode Command Line Parameters To run Dr Web Monitor use this command drweb monitor parameters where the following parameters are allowed n help Description Show information about supported command line parameters on the screen and terminate the module V version Description Show Dr Web Monitor version on the screen and terminate the module U update Description Start updating all Dr Web for UNIX mail servers components E check only Description Check correctness of Dr Web Monitor configuration This parameter cannot be used if a Dr Web Monitor process is already running in the system A Check amm lt path to file gt Description Check correctness of configuration of all Dr Web for UNIX mail servers components E COmie lt path to file gt
44. the first virus If the value is set to yes it can significantly reduce mail server load and scan time Default value StopOnFirstInfected No Priority of Dr Web Daemon process Value must be in the following range 20 highest priority to 19 lowest priority for Linux or 20 lowest priority for FreeBSD and Solaris Default value ScanPriority 0 Types of files to be checked by type that is when the ScanFiles parameter value described below is set to ByType x and 2 wildcard characters are allowed Default value FilesTypes Jah COM SxS OV RBAN RETN EDRN PRG BOO SCE CMD Pm VECD a ma Dhl HON DOR meine p Vibe iui cies ils Waste as IEINI JN A E Bee eee Ob Lie Ge Mle Tt Vee LG Coc CEL MBP ole o s Fil OCEM REG lt M PRC ASP LSP MSO OBD THE NWS SWF BMP MPP OCX DVB CPY MSG EML Notify on files of unknown types Default value FilesTypesWarnings Yes Scan only files with extensions specified in the FileTypes parameter the ByType value or all files the A11 value This parameter can have the ByType value only in the local scan mode in other modes only the a11 value can be set In mailboxes all files are always checked regardless of the ScanFiles parameter value Attention If the ScanType value is set to local or auto for the Drweb anti virus plug in setting the ByType value to the ScanFiles parameter will force this plug in to skip all em
45. 24 26 26 29 34 37 38 40 41 47 48 48 49 50 53 55 55 56 61 68 69 69 70 70 72 73 Ta gt A ax N Log Files and Statistics Configuration Dr Web Updater Updating Anti Virus and Virus Databases Cron Configuration Command Line Parameters Blocking Updates for Selected Components Restoring Components Configuration Updating Procedure Dr Web Agent Operation Mode Command Line Parameters Configuration File Logging Section Agent Section Server Section EnterpriseMode Section StandaloneMode Section Update Section Running Dr Web Agent Interaction with Other Suite Components Integration with Dr Web Enterprise Security Suite Configuring Components to Run in Enterprise Mode Automatic Creation of New Account by ES Server Manual Creation of New Account by Administrator Configuring Components via Dr Web Control Center embedded in Enterprise Security Suite Export of Existing Configuration to ES Server Starting the System Integration with Dr Web ESS 10 Gathering Virus Statistics Dr Web Monitor Operation Mode Command Line Parameters Configuration File Logging Section 73 74 84 84 85 86 86 87 87 91 92 93 94 95 96 96 97 98 99 100 100 101 102 102 103 103 103 104 104 104 105 109 109 110 110 111 Ta Ti A Monitor Section Running Dr Web Monitor Interaction with Other Suite Components Dr Web MailD Message Processing Use
46. 358 Login Webmin Webmin Configuration Search System Information Refresh Modules Logout System hostname Operating system Webmin version Time on system Kernel and CPU System uptime CPU load averages Real memory Virtual memory Local disk space A webmin Ubuntu Linux 9 04 1 480 Wed Aug 26 16 53 16 2009 Linux 2 6 28 15 generic on i686 2 days 4 hours 21 minutes 0 13 1 min 0 18 5 mins 0 28 15 mins 1002 62 MB total 654 62 MB used 2 85 GB total 478 04 MB used 180 56 GB total 15 51 GB used Figure 23 Webmin main page To install additional modules click Webmin Configuration on the main menu and then click Webmin Modules on the open page Login Module Conf F B Webmin eee Webmin Configuration Webmin 1 480 cd A Ports and Addresses Logging os Operating System and Ernironment Webmin Configuration D Somers Search Ep amp System Information amp Refresh Modules Logout IP Access Control Proxy Servers and Downloads E is User Interface amp s S S Webmin Modules A 9 j P Index Page Options Upgrade Webmin B Edit Categories Module Titles Webmin Themes Trust Mobile Device Options aS SSL Encryption Authentication Reassign Modules s Pe ed Referrers z 8o Bl amp Anonymous Module Access File Locking Blocked Hosts and Users amp a N amp Advanced Options D
47. Default value MaxFreetime 2m ReplyPoolOptions Settings for a pool of threads processing responses from the pool options drweb maild module Default value ReplyPoolOptions auto Qmail Section In the Qmail section settings for interaction between Dr Web MailD and Qmail mail transfer system are specified This section is included in the Dr Web MailD configuration file of a package designed for operation with the MTA mentioned above ProcessingTimeout time Timeout for the drweb qmail module to wait for a message to be scanned It is recommended to set this parameter value greater than the SendTimeout parameter value from the MailBase section Default value ProcessingTimeout 40s ReadingTimeout Timeout to receive envelope and message body from the qmail time queue module Default value ReadingTimeout 20m ProcessingErrors Action applied to the messages invoked scanning errors ean Only one of these actions can be specified tempfail discard pass reject Default value ProcessingErrors reject MainPoolOptions Settings for a pool of threads processing requests pool options a Default value MainPoolOptions auto ReplyPoolOptions Settings for a pool of threads processing responses from the pool options drweb maild module Default value ReplyPoolOptions auto ListenUnixSockets address List of UNIX sockets for the drweb qmail module to receive requests from the qm
48. Example RelayDomains regex domain com Allows relaying to all domain com subdomains Example RelayDomains rfile path rfile contains a list of regular expressions Perl syntax which must be specified one per line 5 sClOMNEILN Goi o ClonieiLiall cern o COEL A wie Om In the current version of Dr Web MailD the RelayDomains parameter does not support wildcard DNS records Thus expressions of this type are not allowed RelayDomains domain Default value RelayDomains Enables or disables statistics on SMTP restrictions description of restrictions is provided below To get statistics send SIGUSER1 signal to the drweb receiver process Statistics is stored in the restrictions txt file in the directory defined in the BaseDir parameter from the General section Default value RestrictionStat No Suspends block of messages until RCPT stage even if a restriction was applied before Setting this parameter allows working with outdated versions of email clients and output the list of blocked recipient addresses to the log file Default value DelayRejectToRcpt Yes 2 Numerical restrictions of SMTP session The following parameters allow setting numerical restrictions upon violation of which SMTP protocol dialog is aborted MaxRecipients numerical value Maximum number of recipients for one email message number of RCPT TO commands When the parameter value is set to 0 maxi
49. For each filter its name is specified first and then optional parameters are enumerated with a comma as a delimiter Default value ReputationIPFilter MaxSessionScore A threshold value for the general score of each session ical val i re ee If this score exceeds the threshold value the corresponding connection will be closed and a temporary error is returned If this value is set to 0 this parameter is ignored Default value MaxSessionScore 10000 Sender Section In the Sender section settings of the Sender component responsible for sending messages are specified This section is not included in Dr Web distribution for operation with Communigate Pro mail transfer system UseSecureHash Instructs to add the XxX DrWeb Hash header mark to messages logical that are sent back to the mail system The parameter value is used if Dr Web MailD has to reject an original message after modifying it and then add the modified message to the queue of incoming email In this case a message with such header after being received by Dr Web MailD from the mail system is transmitted for delivery without a repeated check otherwise a message without the header is checked Repeated checks of messages can cause looping and result in failure to deliver The parameter must be used while interaction with the following mail systems Postfix Qmail Sendmail and Zmailer e When Dr Web MailD is interacting with the Postfix mail
50. Ge reletive pata to tile where relative path_to file is a relative path to the quarantined file for example drweb drweb quarantine puYtWx Corresponding message is sent in response to such request only if one of its recipients or its sender matches control message sender Such control message is automatically generated by MUA of the MailD notification recipient when the corresponding link in the received report is clicked Please note that the default value of the OnlyTrustedControlMails parameter of the Maild section is Yes thus control messages must be sent from a protected network specified in the ProtectedNetworks parameter of the Maila section Otherwise the control message is ignored Default value AccessByEmail Yes StoredTime Period of time to store a message in Quarantine ae When the parameter value is set to 0 this period of time is not limited Default value StoredTime 24h MaxSize Maximum total size of messages in Quarantine in KB VEE gue a If value of this parameter is set to 0 the size is not limited Ta ww ys MaxNumber numerical value MoveToDBI Yes No DBISettings string DBIUsername text value DBIPassword text value SQLInsertCommand eneee Dr Web MailD 154 For each message size of the message body is calculated rather than its actual size on the disk This parameter affects only the size of internal database and does
51. MaxArchiveLevel numerical value MaximmMemoryAllocationSize numerical value ScannerScanTimeout numerical value MaxBasesObsolescencePeriod numerical value ControlAgent address OnlyKey Logiiceu Dr Web Command Line Scanner 67 Default value CompressionCheckThreshold 1024 Maximum size of a file enclosed in an archive in Kbytes If a file size exceeds the specified value the file is skipped An email message with such a file is considered as a mail bomb Default value MaxFileSizeToExtract 500000 Maximum archive nesting level If an archive nesting level exceeds the specified value the archive is skipped An email message with such a file is considered as a mail bomb If the value is set to 0 archive nesting level will not be checked Default value MaxArchiveLevel 8 Maximum size of the memory in Mbytes that can be used by Dr Web Scanner to check one file If the value is set to 0 memory allocation is not limited Default value MaximumMemoryAllocationSize 0 Maximum time period allowed for scanning one file in seconds If the value is set to 0 scanning time is not limited Default value ScannerScanTimeout 0 Maximum time in hours after last update when virus databases are considered as up to date Upon the expiration of this time period notification displays informing that the databases are obsolete If the value is set to 0 database actuality
52. Maximum number of connections between IMAP filter and drweb maild module When the value is set to 0 number of connections is not limited Default value MaxFilterToMaildConnections 0 Maximum period for retention of inactive connections between IMAP filter and drweb maild if number of connections exceeds the specified minimum To interact with drweb maild IMAP filter maintains several connections with it and each connection can handle one operation If no more connections are available new connections are created until their amount reaches the maximum allowed specified in the MaxFilterToMaildConnection parameter value If connections are inactive during a time period specified in the FilterToMaildKeepAliveTime parameter they are closed Total amount of opened connections cannot be less than the value specified in the MinFilterToMaildConnections parameter Default value FilterToMaildKeepAliveTime 60s Settings of an auxiliary thread pool Threads handle end of message processing signals from the drweb maild Default value CallbackPoolOptions auto Settings of the main thread pool These threads handle connections from clients Each connection requires a new thread otherwise some clients are disconnected while waiting for a free thread Default value PoolOptions auto Maximum number of incoming connections If 0 is specified as a value of this parameter the number of incoming connections is not lim
53. PublicKeyFile path to file ServerHost IP address ServerPort port number CryptTraffic Yes Possible No CompressTraffic Yes Possible No EnterpriseMode If the value is set to Yes Dr Web Agent operates in the Enterprise mode if the value is set to No in the Standalone mode Default value UseEnterpriseMode No Name of the computer in Anti virus network Default value ComputerName Path to the directory where virus databases are located Default value VirusbaseDir bvar dir bases Path to the public key file required to access Dr Web Enterprise Server Default value PublicKeyFile bbin dir drwcsd pub IP address of Dr Web Enterprise Server Default value ServerHost 127 0 0 1 Number of the port required to access Dr Web Enterprise Server Default value ServerPort 2193 Encryption of traffic between Dr Web Enterprise Server and Dr Web Agent e Yes force encryption e Possible encrypt if possible e No do not encrypt Default value CryptTraffic possible Compression of traffic between Dr Web Enterprise Server and Dr Web Agent e Yes force compression e Possible compress if possible e No do not compress Default value CompressTraffic possible Ta i ax CacheDir path to directory StandaloneMode Section Dr Web Agent 99 Path to the directory where different utility files are stor
54. Ta J 1 ax Dr Web Updater 86 Command Line Parameters e help shows brief help e ini specifies another not default configuration file to be used To use another configuration file specify the full path to it with the ini command line parameter If the name of the configuration file is not specified setc_dir drweb32 ini is used Example opt drweb update pl ini path to conf file what temporarily overrides value of the Section parameter on Updater startup The new specified value is used until next start of the script Possible values Scanner or daemon Example opt drweb update pl what Scanner components displays a list of all product components available for update Example opt drweb update pl components You can also use the command line parameter not need reload o if this parameter is not specified all daemons Dr Web Daemon for Dr Web for UNIX mail servers which components were updated removed or added are restarted after update pl script finishes o if the not need reload parameter is specified without any value after the update pl script finishes no daemon of Dr Web for UNIX mail servers is restarted o if some daemon names are specified as the not need restart value the corresponding daemons are not restarted after the update p1 script finishes Names of non restarted daemons must be separated be commas and listed without white spaces The names are
55. Use the specified socket for interaction with the controlled modules P pid ee lt path to file gt Description Use the specified file as a PID file of Dr Web Agent e export config lt application name gt Description Export configuration of the specified application to Dr Web Enterprise Server Use the application name specified in the header of the Application lt application name gt section in the corresponding amc file see Interaction with other Suite components This parameter cannot be used if a Dr Web Agent process is already running in the system or if you want to export Dr Web Anti virus for Linux configuration Configuration File Configuration of Dr Web Agent is specified in the following file setc_dir agent conf For general organization concept of Dr Web for UNIX mail servers configuration files see Configuration Files Ta J i ax Dr Web Agent 96 Logging Section The Logging section contains Dr Web Agent logging settings Logging Level Dr Web Agent log verbosity level eee The following levels are available e Quiet LC Teteoyie e Alert O IAS e Debug Default value Level Info IPCLevel Log verbosity level of IPC library es evel The following levels are available e Quiet ee Hitesta sts e Alert O Timiee Debug Default value IPCLevel Error SyslogFacility Log type label used by syslogd system service syslog label Default value SyslogFa
56. and parameter Key in configuration file drweb32 ini before MailD is launched or any plugin is installed default Enter list of plugins to process message before placing it to queue DB Possible values vaderetro headersfilter drweb modifier Values are delimited with co mmas default headersfilter headersfilter Enter list of plugins to process message after placing it to queue DB Possible values vaderetro drweb modifier Values are delimited with commas default modifier Removing Distribution Package for UNIX Systems To remove all the components of Dr Web for UNIX mail servers via GUI uninstaller start it with the following command sbin dir remove sh If startup is performed without root privileges the GUI uninstaller tries to gain appropriate privileges If the GUI uninstaller fail to start then interactive console uninstaller is initialized Ta i aX Installation and Uninstallation 38 After uninstallation you can also remove drweb user and drweb group from your system During uninstallation the following actions are performed Original configuration files are removed from the etc_dir software conf directory If operational copies of configuration files are not modified by the user they are also removed If the user made any changes to them they are preserved Other Dr Web files are removed If a copy of an old file was created during installation this file is restored under the name
57. are adjusted properly 2 In the EnterpriseMode section of the Dr Web Agent configuration file set the UseEnterpriseMode parameter to No When switching to this mode all settings of Dr Web for UNIX mail servers are unlocked and restored to their previous or default values You can access all features of Dr Web for UNIX mail servers solutions again and configure them For correct operation in the standalone mode Dr Web for UNIX mail servers requires a valid personal key file The key files received from the central protection server cannot be used in this mode Using Dr Web for UNIX mail servers and Dr Web Anti virus for Linux together in the central protection mode Because of the implementation features Dr Web for UNIX mail servers and Dr Web Anti virus for Linux cannot be simultaneously operate in the central protection mode if they are both installed on the same computer To enable Dr Web for UNIX mail servers to operate in the central protection mode change the operation mode of Dr Web Anti virus for Linux to the Standalone mode and delete or move to another directory the following files setc_dir agent drweb cc amc and etc_ dir agent drweb spider amc If you want to switch Dr Web Anti virus for Linux back to the central protection mode later we recommended to save the files as a back up copy in a directory that is different from setc_dir agent In this case disable the central protection mode of Dr Web for UNIX mail servers
58. by the field in direct and reverse alphabetical order Recipient column contains information about the recipient s email address You can sort messages by the field in direct and reverse alphabetical order Subject column contains information about the message subject You can sort messages by the field in direct and reverse alphabetical order Date column contains information about the date when the message was moved to Quarantine For messages quarantined in the last twenty four hours only time is specified You can sort messages by date in ascending and descending order Size column contains information about message size You can sort messages by size in ascending and descending order To select a message from the list set the corresponding check box To select all messages in the list select the check box in the left corner of the table header Values of the Recipient Subject and Date fields are the links to the corresponding message clicking any of them switches you to the message 365 Dr Web Console for UNIX mail servers Forward Delete Report span Back to quarantine From quarantine quarantine com To Icahubt jododod com Date O5 Ape 2010 15 25 Status gy erro Subject 19025903434 3287 Enlarge your p3nts 10x Smes O_oVirus mal 18 2752350939229 age Figure 34 Quarantined message On this screen you can view message content source by clicking the ky View source link headers be clicking
59. contain the headers or there is one or more empty strings before the From field then sender address is not searched in the white list If a message contains more than one From field the address is taken from the first field WhiteList LookupLite It is allowed to use search templates wildcards lt domain gt as elements of the list For example mycompany com string matches all addresses from domain mycompany com Specified domains must be FQDN Ta ww ax BlackList LookupLite Dr Web MailD If the sender s address specified in the From field is in the white list the message score is decreased by 5000 points If the addresses specified in the both fields From and Return Path are from the white list the message score is decreased by 10 000 points Please note the following features of white list processing 1 White list is not sorted so it is possible that the same address is accidentally repeated in the list In this case the total message score is decreased by 5000 points each time the address from the Return Path and From fields is specified in the list for example if the address is found 3 times in the list the score will be decreased by 15 000 points 2 If the sender s domain from the Return Path and From fields equals to the receiver s domain from the To field and this domain is specified in the white list as a wildcard lt domain gt then the sender s address is not c
60. copy back up copies of drweb cc amc and drweb spider amc files to the etc dir agent directory and follow the instructions provided in the Dr Web Anti virus for Linux User Manual Command Line Parameters To run Dr Web Agent use the following command drweb agent parameters where the following parameters are available h help 94 Ta yan A A Dr Web Agent 95 Description Show information about supported command line parameters on the screen and terminate the module y version Description Show Dr Web Agent version on the screen and terminate the module U update all Description Start updating all Dr Web for UNIX mail servers components E update failed Description Start updating Dr Web for UNIX mail servers components updating of which failed in the standard mode check only Description Check correctness of Dr Web Agent configuration This parameter cannot be used if a Dr Web Agent process is already running in the system EOE lt path to file gt Description Enable the module to use the specified configuration file E droppwd Description Discard registration data required to access Dr Web Enterprise Server username password At the next connection attempt a new process of workstation registration will start 9 newpwd Description Change username and password required to access Dr Web Enterprise Server S socket lt path to file gt Description
61. gathering If statistics is already saved to the internal database the data is accessible and is not deleted By default statistics gathering is enabled o N name extended user name this parameter is ignored for groups Can be enclosed in single quotation marks similar to group If not specified the user name is empty The name length cannot exceed 1000 bytes Examples S 1 A 0 N Some user S 0 Please note that in order to support the sequence of groups for a certain client email management is performed for a group set for a client email but not for a set of client emails for a group Commands for User Management When operating via the control socket a term user refers to every email address entered in the system Addresses can be managed with the following commands e email set client email settings create or update an email address set in client email If the address does not exist it will be created For parameters that are not specified in settings their default values are set If an alias is set for the address you can specify this alias as a client email value upon an update e email remove client email remove an email address set in client email User is also deleted from all user groups If the address does not exist or an alias is specified an error is output e email rename client email email change the main user address set in the first parameter to the address set in the second parameter
62. is less than the period specified by the NotifyPeriod parameter Dr Web Daemon starts sending notifications upon every system startup restart or reboot Default value MailCommand usr sbin sendmail i bm f drweb Loom This parameter value specifies the period in days before license key expiration date when Dr Web Daemon starts prompting a user to renew the license If the parameter value is set to 0 Dr Web Daemon starts sending out notifications immediately after the key file expires Default value NotifyPeriod 14 Path to the file with a timestamp of the last license expiration notification Default value NotifyFile var dir notify Frequency of sending license expiration notifications e Once notification is sent only once e Everyday notification is sent daily e Ever notification is sent upon every Dr Web Daemon restart and every database update Default value NotifyType Ever Maximum time in seconds allowed for Dr Web Daemon to perform scanning of one file If the parameter value is set to 0 time to scan of one file is unlimited Default value FileTimeout 30 Enables or disables interruption of file scanning upon detection of 77 Ta yas A A ScanPriority signed numerical value FilesTypes list of file extensions FilesTypesWarnings logical ScanFiles CA f AS CheckArchives logical CheckEMailFiles logical Dr Web Daemon 78
63. is textual and consists of sections see general description of Dr Web for UNIX mail servers configuration files Dr Web MailD configuration file consists of the following sections Sections with main parameters of Dr Web MailD operation e General contains general settings of Dr Web MailD This section is mandatory e Maild contains general settings of MailD core This section is mandatory e MailBase contains settings of internal database of email messages included into MailBase This section is mandatory Notifier contains settings of Notifier used for sending notifications reports and DSN This section is mandatory e Quarantine contains settings of Quarantine This section is mandatory Filters contains settings of all used plug ins and their launch order during processing of an email message This section is mandatory Rule contains default settings for parameters used in Message processing Rules for initialization of parameter values if they are not initialized by any rule This section is mandatory and must be specified before the Rules section Rules contains rules for mail processing management This section is optional Can be empty or absent if processing rules are not used or they are moved to the internal database e Stat contains settings of statistics collection This section is optional and can be absent e Reports contains settings of reports generat
64. it is better not to assign plug ins to the AfterQueue Currently a proxy does not support callback connections to drweb milter So if the response from drweb maild is not returned immediately for example when the plug in is in the AfterQueueFilters and operation mode is asynchronous drweb milter finishes SMTP session only after expiration of the ProcessingTimeout period Optimal connection scheme for M N 1 is described below the scheme is preferable to avoid various errors in configuration 272 Ta J 1 ax Dr Web MailD 1 Set up and adjust Dr Web for UNIX mail servers on Serveri that is on the host that is used for mail traffic processing and where Proxy client component resides Check validity of the configuration with the following command etc init d drweb monitor check for Linux and Solaris usr local etc rc d 00 drweb monitor sh check for FreeBSD 2 Run Dr Web for UNIX mail servers on Server and check if the mail is processed correctly 3 Setup Dr Web for UNIX mail servers on Server2 that is on the host used for mail message check and where Proxy server component resides During setup you may skip configuration of Receiver and Sender components they are not necessary on this host 4 Adjust configuration parameters of Server2 similarly to Server1 5 Disable startup of Receiver and Sender components by commenting out the corresponding lines in the mmc file from the etc dir monitor directory on
65. log level The following levels are allowed e Quiet O lnreic ie e Alert CO Waite Debug Default value RulesLogLevel Alert PidFile Path to the PID file of drweb maild process path to file Default value PidFile Svar dir run drweb maild pid When message is blocked by any Dr Web for UNIX mail servers component i e reject action performed 550 5 7 0 error code and a text message is used for SMTP reply Text for the message can be specified in parameters described below R Enables usage of custom messages in SMTP sessions UseCustomReply These messages are sent as an SMTP reply when incoming logical message is rejected Default value UseCustomReply No R Reply that is sent when EmptyFrom action is applied and if ReplyEmptyFrom Tencens e EmptyFrom reject e UseCustomReply Yes You can specify only text part of the reply 550 5 7 0 lt Text gt Text must be enclosed in quotation marks if it contains white spaces Default value ReplyEmptyFrom DrWEB maild Messages from lt gt are blocked by administrator R Reply that is sent when ProcessingError action is applied and if e ProcessingError reject ReplyProcessingError string e UseCustomReply Yes Ta J N ax ReplyMaxScore eerie GetIpFromReceivedHeader logical Control logical ControlAddress socket address ControlPoolOption pool options SkipDSNO
66. not affect the DBI storage if connected Default value MaxSize 0 Maximum number of messages in Quarantine If value of this parameter is set to 0 this number is not limited This parameter affects only the number of messages in the internal database and does not affect the DBI storage if it is connected Default value MaxNumber 0 Moving of quarantined messages from file storage to the DBI storage To move messages to the DBI storage the File Temp and DBI Perl modules are required Default value MoveToDBI No DBI storage connection parameters Example dbi Pg dbname emails db Database must be created using SQL ASCITI character set Requirements to format of the table used for message storing are presented below Default value DBISettings User name to connect to the DBI storage Default value DBIUsername User password to connect to the DBI storage Default value DBIPassword An SQL command to add a message to the DBI storage Sequence of fields listed in the command must correspond to the format of the table in DBI see below Inserted values in the request must be replaced with question marks SQL command must contain the following fields e Message number e Relative path to a file with message File format is the following client plug in id prefix where client def string plug in name of the plug in id message number in hexadecimal form in output the
67. refer to Control constructions IP address of the client that transmitted the message if known Port number used by the client which transmitted the message if Receiver provided this information The value is set to yes if the client which sent the original message is successfully authorized if Receiver provided this information Name of the UNIX socket which was used by Receiver to get the original message if Receiver provided this information IP address of the listening socket which was used by Receiver to get the original message if Receiver provided this information Port of the listening socket which was used by Receiver to get the original message if Receiver provided this information Identifier of Receiver which got the original message if this Receiver instance was started with a non empty identifier Address specified in the SenderAddre parameter value in Rules for the message The value is set to yes if control messages for Quarantine management are allowed Name of the directory with notification templates The path is also used for search of all files specified in the template in the include directive for details refer to Control constructions Time when the message was deleted from Quarantine an empty string if the period of storing a message is not restricted The following string MailD The following string for Unix mail servers The following macros used in statistics reports R_P
68. servers Dr Web MailD Configuration Files Main configuration file Dr Web MailD settings including interaction between MTA and mail systems as well as usage of plug ins for mail check are specified in the etc dir maild lt MTA gt conf configuration file For description of the configuration file structure and parameter types see Configuration Files For description of the special parameter types used in Dr Web MailD settings see Special parameter types For description of the Lookup LookupLite and Storage special types see Lookup For the list of configuration file sections see Sections of main configuration file Part of the lt MTA gt file name depends on the name of the MTA integrated with Dr Web for UNIX mail servers Configuration files of plug ins Each plug in uses its own configuration file Configuration files of plug ins are located in the same directory as the main Dr Web MailD configuration file setc dir Configuration files of plug ins are named according to the following pattern plugin lt name gt conf where lt name gt name of the plug in For example configuration file of Drweb plug in has the following name plugin drweb conf Ta AN ax Dr Web MailD If required you can configure each plug in to use configuration files which names do not match the pattern To do that make the corresponding adjustments in the Filters section of the main Dr Web MailD configuration file S
69. system Yes must be specified only if the Milter protocol is used interaction via the drweb milter module If so drweb milter processes all messages generated by drweb sender Default value No e When Dr Web MailD is interacting with the Qmail or Sendmail system Yes must be specified if messages are sent and received by the same mail system Default value yes e When Dr Web MailD is interacting with the Zmailer system Yes must be specified only if drweb zmailer is used on the routing stage e g started from process cf In this case drweb zmailer processes all messages generated by drweb sender Default value No Ta J i ax G SecureHash SHEE InN StalledProoessinginterval time SendingIntervals time Dr Web MailD The parameter value determines content of the x DrWeb Hash header You can specify a free form string as a value recommended string length is not less than 10 characters For better security it is strongly recommended to change the default parameter value In Dr Web for UNIX mail servers solution for Zmailer MTA this parameter value must be the same as the value of the hash parameter used on drweb zmailer startup when Zmailer is used at the routing stage Default value SecureHash EDERE ES LY Timeout for processing of stalled messages Stalled message is a message that was received and processed but not transmitted to Sender for dispatch This si
70. the parameter value is determined as follows e When the searched parameter is found in one of the Rules which CONDITION is true the value is taken from the SETTINGS part of this Rule if more than one Rule are true the result parameter value depends on its semantics For details see Rules of message processing e If no Rule is specified no Rule is true or no Rule with true CONDITION contains value for the required parameter its value is taken from the corresponding section of the configuration file e If the configuration file does not contain value for the required parameter its default value is used Note that if an email message has several recipients truth of the rule is checked for each of them For details see Rules of message processing 3 Plug ins can process email messages in the synchronous mode before queue if the corresponding plug ins are specified and in the asynchronous mode after queue after saving messages to the storage if the corresponding plug ins are specified 4 Results of email message check are transmitted to Receiver if the processing results are not timed out 5 If an email message was regarded as malicious or suspicious it can be rejected deleted or moved to Quarantine If the message was rejected notifications to the sender and if required to the recipient are sent by the Notifier component 6 Sender dispatches all outgoing email messages to external mail servers or mail syst
71. use logs and statistics e Optimize Dr Web MailD operation and system resources usage e If it cannot be optimized or actions performed on the previous step did not have the intended effect modernize the hardware increase RAM and number of available processor cores Description On Solaris OS MAILD gt registers WARN messages in the log when generating notifications on a processed message or during message processing The messages are of the following type notifier WARN Decoding string 362 345 361 362 notifier WARN because of iconv error Invalid argument Solution To solve the problem change the version of the iconv system envelope and use iconv from the libiconv package which is distributed under GNU license the package can be downloaded at http www gnu org software libiconv downloading Description When using 32 bit Solaris OS version 10 the following problem can occur if load on Dr Web MailD is high Incoming messages cannot be accepted for processing and the following message is fixed in the log file Too many open files Solution The error occurs because the number of open file and socket descriptors is exausted To solve the problem optimize operation and system resources usage Description Cannot connect to MySQL data sources Dr Web MailD writes the following message to the log Cannot load library Cannot load shared library libmysgqlclient_r so 18 because libmysqlclient r so
72. which equals to Russian word tect in CP1251 encoding The filtered messages must be rejected and moved to Quarantine It is also necessary to notify administrator on that MissingHeader To RejectCondition Subject cp1251 B 8uxx8go Action reject quarantine notify 2 Suppose that if a message does not contain Subject it is required to pass the message but add the none string to the Subject field and increase the message score by 500 points MissingHeader Subject Action pass score 500 add header Subject none Dr Web Modifier Plug In Plug in fuctions Dr Web Modifier plug in is used for e Mail content analysis search of attached objects of certain MIME types graphic objects executables media files as well as MIME objects that satisfy certain criteria e Message body modification removing of MIME objects that satisfy certain criteria modification of headers and or content of MIME objects e Mail processing management blocking moving to Quarantine redirecting adding headers and Ta J N ys Dr Web MailD 312 scores depending on MIME objects found in message bodies Details on the message structure used while analyzing and processing by Dr Web Modifier is provided below Message is a composite object that can be selected to perform an action as a whole or partially as every message can be presented as a hierarchy set of elements MIME objects their h
73. with Dr Web MailD It requires drweb maild package to be installed drweb maild gmail contains executable files of Sender and Receiver modules which enable interaction with Qmail mail transfer agent Dr Web MailD configuration file with settings for the specific MTA documentation and configuration script of Qmail for interaction with Dr Web 27 Ta J i ax Installation and Uninstallation 28 MailD It requires drweb maild package to be installed e drweb maild sendmail contains executable files of Sender and Receiver modules which enable interaction with Sendmail mail transfer agent Dr Web MailD configuration file with settings for the specific MTA documentation and configuration script for adjustment of Sendmail for interaction with Dr Web MailD It requires drweb maild package to be installed e drweb maild zmailer contains executable files of Sender and Receiver modules which enable interaction with ZMailer mail transfer agent Dr Web MailD configuration file with settings for the specific MTA documentation and configuration script of ZMailer for interaction with Dr Web MailD It requires drweb maild package to be installed e drweb gperftools0 contains Google Performance Tools library used by Dr Web MailD It requires drweb libs package to be installed e drweb mail servers gateways doc contains Administrator manual in English and Russian languages In distributions for 64 bit systems two additional packages are incl
74. you can set the restrictions in the settings queue state Outputs the current status of messages in the internal queue Total amount of messages and information about each message are displayed If the total amount is large that may indicate a lack of threads in the second pool of drweb maild regulated by the Out PoolOptions parameter send stat Enforces transfer export of the statistics similar to the action performed on timeout 217 Ta 1 ax send report period backup quarantine pulse dump cache stat get IL kell siclil fic 9 plugin _name send Cll achl 2el2 plugin_name force export elt 2ehl iez plugin _name Clie nemel env Dr Web MailD specified in the SendPeriod parameter from the Stat section of the Dr Web MailD configuration file This command can be used if the value of the Send parameter from the Stat section of the Dr Web MailD configuration file is set to yes Gathered statistics is transferred to Dr Web Agent Enforces sending of reports on plug in operations similar to the action performed on timeout set in the SendPeriod parameter from the Reports section of the Dr Web MailD configuration file This command can only be used when the value of the Send parameter from the Stat section of the Dr Web MailD configuration file is set to yes Period defines a time period for which the report
75. 1 ax Dr Web Console for UNIX mail servers Types of Administrator Accounts There are four types of administrator accounts Administrators with full rights have exclusive rights for management of Dr Web Enterprise Server and Anti virus network They can view and edit the Anti virus network configuration and create new administrator accounts An administrator with full rights can configure the anti virus software installed on the workstation limit and disable user intervention into anti virus software administration An administrator with full rights can view and edit the list of current administrator accounts Administrators with read only rights can only view Anti virus network settings and its separate elements but cannot modify them Group Administrators with full rights have access to all system groups and those custom groups which they are allowed to manage including nested groups Group Administrator accounts can be created for custom groups only see Administrator manual for Dr Web Enterprise Security Suite In the hierarchical tree only those groups are displayed for group administrators which they are allowed to access The list of current administrator accounts is not available for Group Administrators Group Administrators with read only rights can be granted full rights to adjust the available groups or read only rights Default administrators with full rights created automatically during Dr Web Enterprise Se
76. 141 Ta yan A A Dr Web MailID 142 e Oracle contains parameters of connections to of connection to Oracle DBMS e ODBC contains parameters of connections to of connection to data sources via ODBC if the corresponding ODBC driver is present e SQLite contains parameters of connections to of connection to SQLite DBMS e Firebird contains parameters of connections to of connection to Firebird DBMS e PostgreSQL contains parameters of connections to of connection to PostgreSQL DBMS e MySQL contains parameters of connections tottings of connection to MySQL DBMS e CDB contains parameters of connections to of connection to the CDB textual database e Berkeley contains parameters of connections to of connection to the Berkeley textual database Please note that these sections contain only common parameters used in Lookup and Storage by default Some parameters can be locally overridden in a Lookup and Storage if that is marked in their descriptions It is recommended to adjust each connection to a data source via native connection if possible as connection via ODBC works more slowly because of its universality In the configuration file any sections with parameters of connection to data sources can be present Only those sections are really used that correspond to prefixes specified in Lookups and Storages If parameters are not used they cannot influence Dr Web MailD ope
77. 2 W OK W password protected skipped All plug ins use only the language file specified first in the NotifyLangs list for Notifier For searching the necessary string upon handling of n macro specified for example for add header action the plug in always uses the following algorithm 1 Directory with language files is determined value of the LngBaseDir parameter from the Notifier section is always used 2 Used language is determined according to the first value in the NotifyLangs list from the Notifier section 3 Required language file is searched by the following criteria its name contains prefix with the plug in name and its first line contains necessary short language name 4 If the file is found the string with required n number is searched It is assumed that text in the string is encoded with the CTE and encoding that are specified in the file header The found string will be used for message processing added either to the header or message body depending on plug in action Encoding and CTE are specified in the language file header If either the required language file or string in the file cannot be found an error occurs This error is handled according to the ProcessingError parameter value If necessary you can add some strings in the language files At that added strings must satisfy the following criteria e avoid already occupied numbers because these strings are used by Dr Web MailD modules or a plug i
78. 2 put time time of saving message to the database 3 body message body 4 sender value of the From header enclosed in angle brackets 5 xrcpts list of recipients addresses Addresses in the list are separated by commas and enclosed in angle brackets 6 filename relative path to the file with message Example SQLSelectCommand SELECT ic put Eine boch sender roots Filename FROM mail export WHERE filename LIKE Default value SQLSelectCommand PulseTime Period of time to delete old messages and move messages from time the DBI storage When the parameter value is set to 0 the program specified in the PathToDrwebQp parameter value is not started Default value PulseTime 5m Ta J 1 ax Dr Web MailD 156 PathToDrwebQp Path to the drweb qp utility path to file Default value PathToDrwebQp tbin dir drweb qgp MoveAll Move all incoming messages directly to the logical Path parameter value def backup directory and then archive them The parameter must be used with MoveToDBI Yes otherwise the directory can quickly become full with incoming messages Default value MoveAll No Format of database table used for storing quarantined messages Table in DBI used for message storing must contain the following fields order of the fields is not important but their names and types must be identical to those specified below e id number Message number identifier e filenam
79. ClientsLogs parameter value Regardless of the ClientsLogs parameter if Dr Web Daemon recognizes its client scanning results will marked with a prefix indicating the client The following prefixes are available e lt web gt Dr Web ICAPD e lt smb_spider gt Dr Web Samba SpIDer e lt mail gt Dr Web MailD e lt drwebdc gt console client for Dr Web Daemon e lt kerio gt Dr Web for Kerio Internet Gateways e lt lotus gt Dr Web for IBM Lotus Domino In the FreeBSD operating system syslog service can intercept information output by Dr Web Daemon to the console In this case the information is logged character by character That occurs when the logging level is set to info in the syslog configuration file syslog conf Statistics on process pool Statistics on pool used for processing scanning request is output to the log file upon receipt of SIGUSRI1 signal the signal must be sent only to parent process as if a child process receives Ta J 1 ax Dr Web Daemon 74 SIGUSR1 it terminates Output of statistics on process pool is regulated by the stat value yes or no specified for the ProcessesPool parameter Collected statistics is not aggregated Each time the saved record contains statistics on the pool state between previous and current moment of saving Example of pool statistics output record Fri Oct 15 19 47 51 2010 processes pool statistics min 1 max 1024 auto free
80. Computing resources in a network can be managed flexibly using load balancing scheme N M where N is the number of hosts processing mail traffic and m is the number of hosts checking mail for viruses and spam A Please note that drweb maild module does not support cluster implementation and different module instances cannot share internal data statistics Quarantine database settings etc As a result each drweb maild module of the M group will has its own statistics Quarantine and configuration Proxy consists of the following components Proxy client drweb proxy client module and Proxy server drweb proxy server module e Proxy client works on a host where Receiver and Sender components are operating It is started instead of MailD core and plays its role in interaction with other components e Proxy server works on a host where the MailD core component is operating and plays the role of Receiver and Sender components Both Proxy client and Proxy server components interact with each other enabling transfer of original mail messages and their modifications to other components of Dr Web for UNIX mail servers on different hosts for further processing 270 Ta 1 ax Dr Web MailD Note that role of Sender and Receiver components can be played by different executable modules for example functions of Receiver can be performed not only by drweb receiver but also drweb milter drweb cgp receiver depending on the meth
81. Default value DrwebBaseDir svar dir DrwebProcessingError This parameter defines what action is to be applied to messages action which caused scanning errors for example if the anti virus plug in runs short of memory or cannot connect to drweb maild Allowed actions pass discard reject tempfail If the parameter value is not set or several values are mistakenly specified for example discard and pass tempfail value is used by default Default value DrwebProcessingError tempfail DrwebLogLevel Log verbosity level log level The following levels are allowed e Quiet O jaermeve Alert O Tinie Debug Ta J N ax Dr Web MailD 347 Default value DrwebLogLevel Debug DrwebIpcLevel IPC library log verbosity level log level 1 rec The following levels are allowed e Quiet O BErOL e Alert EEO Debug Default value DrwebLogLevel Debug DrwebSyslogFacility Type of facility which generates a notification message on event syslog label when using syslog system service Default value DrwebSyslogFacility Daemon DrwebMaxSize Maximum size of a checked message lizen When 0 is specified size is not limited Default value DrwebMaxSize 200 k Configuring Dr Web MailD To configure Dr Web MailD for interaction with Exim specify the path to the Exim mail system in the Address parameter in the Sender section of Dr Web MailD configuration
82. Description Module must use the specified configuration file i lt application name gt lt application name gt Description Run applications name of which are specified Use the application name specified in the header of the Application lt application name gt section in the corresponding mmc file for details see Interaction with other Suite Components This parameter cannot be used if a Dr Web Monitor process is already running in the system Example usage drweb monitor r AGENT MAILD Configuration File Adjustment of Dr Web Monitor settings is performed in its configuration file Ta J 1 aX Dr Web Monitor 111 setc_dir monitor conf For general organization concept of Dr Web for UNIX mail servers configuration files see Configuration Files Logging Section In the Logging section parameters responsible for logging information on operation of Dr Web Monitor are collected Logging Level Dr Web Monitor log verbosity level Pro rene The following levels are available e Quiet OC aieie ie e Alert Z DG Debug Default value Level Info IPCLevel Log verbosity level for IPC library log level The following levels are available e Quiet SEETEON Alert C Tato e Debug Default value IPCLevel Error SyslogFacility Log type label which is used by syslogd system service syslog label Default value SyslogFacility Daemon Fi
83. Dr Web Monitor Default value MonitorResponseTime 5 Name of the file where Dr Web Agent PID is written on Dr Web Agent startup Default value PidFile Svar dir run drweb agent pid The Server section contains parameters that control interaction of Dr Web Agent with other Dr Web for UNIX mail servers modules Address address Threads numerical value Timeout numerical value Server Socket used by Dr Web Agent to interact with other modules of the suite You can specify multiple sockets separating them by comma Default value Address local var_ dir ipc agent inet 4040 127 0 0 1 Number of drweb agent simultaneous threads This parameter determines maximum number of simultaneous connections to modules that report virus statistics to Dr Web Agent The parameter value cannot be changed with SIGHUP signal If O is specified number of threads is unlimited not recommended Default value Threads 2 Maximum time in seconds for establishing connection between Dr Web Agent and other Dr Web modules If the value is set to 0 time for establishing connection is unlimited Ta 2 g ys EnterpriseMode Section Dr Web Agent 98 Default value Timeout 15 The EnterpriseMode section contains parameters of Dr Web Agent operation in the Enterprise mode E UseEnterpriseMode logical ComputerName text value VirusbaseDir path to directory
84. Dr Web for UNIX mail servers will be blocked Thus before installing the product check SELinux operation mode with the use of getenforce command This command outputs the current operation mode which can be one of the following e Permissive protection is active but permissions are supported actions that violate the security are not denied but logged e Enforced protection is active and restrictions are enforced actions that violate the security are logged and blocked e Disabled SELinux is installed but not active If SELinux is operating in the Enforced mode temporarily until the product is installed and security policies are configured enable Permissive mode To do this enter the setenforce 0 command that temporarily until the next restart sets SELinux operation mode to Permissive To enable the Enforced mode again enter the setenforce 1 command Note that regardless of the mode enabled with the setenforce command after system restart SELinux will operate in the mode specified in the settings normally SELinux configuration file is located in the etc selinux directory In general if audit daemon is used the log file resides in var log audit audit log Otherwise notifications on forbidden actions are logged to the following log file var log messages For correct operation of anti virus components when SELinux is enabled compile special security policies once the product installation completes
85. ESS server version 10 To start using the central protection server Dr Web ESS 10 configure standard integration and also make additional settings A The products operating in FreeBSD 6 x cannot be integrated with Dr Web ESS 10 Configuring connection to Dr Web ESS 10 As Dr Web ESS does not support management of Dr Web Monitor and Dr Web Daemon drweb agent10 uses two supplementary configuration files in addition to the standard file setc dir agent conf es monitor conf and es daemon conf They are located in the same directory These files store configuration for Dr Web Monitor and Dr Web Daemon The configuration settings will be used for adjusting operation of these modules in enterprise mode Each file line contains the parameter value of the corresponding module configuration The format is as follows lt section gt lt parameter gt lt value gt where lt section gt is the name of the section from the component configuration file lt parameter gt is the parameter name and lt value gt is the value Ta 1 ax Dr Web Agent specified for this parameter Example for es monitor conf file that contains settings for Dr Web Monitor component operation in enterprise mode Monitor RunAppList DAEMON This line contains the value of RunAppList parameter stored in Monitor section in Dr Web Monitor configuration file This parameter value is used when the suite is running in enterprise mode In this case Dr We
86. ID for each of the modules drweb receiver Receiver s identifier drweb sender Sender s identifier drweb proxy server Identifier shared by paired Receiver and Sender interacting with MailD core via this component see Using Internal Proxy drweb imap IMAP filter s identifier used similar to the Receiver identifier for search of the corresponding Sender drweb pop3 POP3 filter s identifier used similar to the Receiver identifier for search of the corresponding Sender drweb milter Receiver s identifier drweb cgp receiver Receiver s identifier drweb cgp sender Sender s identifier drweb courier Receiver s identifier drweb gmail Receiver s identifier section lt Ma CEKUMN gt Description Name of the configuration file section that contains settings for the module If the parameter is not specified the module uses settings from the default section These are the following default sections for each module drweb receiver Receiver drweb sender Sender drweb proxy server ProxyServer drweb imap IMAP Ta ww ax Dr Web MailD 126 e drweb pop3 POP3 O ekwelb mni leez lrer e drweb cgp receiver CgpReceiver e drweb cgp sender CgpSender lt drweb courier Courier drweb qmail Qmail 3 drweb zmailer The following command line parameters are specific for drweb zmailer u user Usermanez Description User account name under which drweb ma
87. If client email does not exist an error is output If the index value exceeds the maximum number of rules for the specified email or index is less or equal 0 an error is output If the specified value is alias settings for the original address are updated After successful modification the rules are output in the email get rules output format email get custom tag emails list receive information with the tag associated with each user in the emails list If an address does not exist an error is output but the execution continues If information with the tag is not found an empty string is output Information for each address is separated by a line feed If the symbol is specified instead of tag information on all tags is output Output format client idl1 emaill tag info client id2 email2 tag2 info2 email set custom tag client email info set the info text connected with the tag for the client email user If the user is not found an error is output If info is not specified the tag with all the related information is deleted e email info emails list receive complete information on all addresses in the emails 223 Ta J i ax Dr Web MailD list If an address does not exist in the list an error is output but the execution continues Output Rules for an address are compiled for all groups and address settings If an alias is specified the information on groups and settings is taken from th
88. If the address specified in the first parameter does not exist or is alias or an address with the new name already exists an error is output and no action is performed e email set groups client email list of groups set the list of groups which contain client email address The group order is important group settings at the end of the list prevail If list of groups is empty the whole list of groups for client email address is discarded In list of groups groups are space delimited If client email or another group in the list does not exist an error is output and no action is performed If a group is found more than once in the list an error is output If client email is alias the original recipient is updated If client id is specified for the list of groups list it must match client id from the client email address Otherwise an error is output If client id is not specified in alias from list of groups it is considered equal to the client id from the client email e email get groups emails list receive the group list with all the addresses from 222 Ta AN ax Dr Web MailD emails list list If an address from the list is missing an error is output but the execution continues If client email is alias information on the original recipient is output Output format client id emaill groupl group2 group3 client id email2 group21 group22 group23 where groupN may be enclosed in single quotation marks
89. LANGS macro Conversion of the result text to the required encoding is configured by the values of the SCHARSETS and SCONTENT_ TRANSFER _ENCODING macros Address to which all notifications are sent value of the AdminMail parameter from the Notifier section is used Address used by Dr Web MailD value of the FilterMail parameter from the Notifier section is used Name of the host on which Dr Web MailD is operating value of the Hostname parameter from the General section is used This macro cannot be used in loops for details refer to Control constructions Contains the list of languages on which notifications are generated values Ta yan A A Dr Web MailD 280 SLANGS SCHARSETS SCONTENT TRANSFER ENCODINGS STYPES SFULLHEADERSS SMSGIDS SSUBJECTS DIRECT SUBJECTS SSENDERS SRCPTSS SSECURE RCPTSS LOG REPORTS STOP_ REASONS SREPORTS SMESSAGE STATUSS S BLOCK LISTS SCAN_STATS of the NotifyLangs parameter from the Notifier section are used This macro can have a list as a value and can be used in loops for details refer to Control constructions Name of the language on which this part of a notification is generated The macro value defines interpretation of some other macros for example SCHARSETS Set of the current language characters The character set is specified in the lanquage file Name of the currently used language is specified by the L
90. LocalRules parameter value in the configuration file that is escape quotation marks and slash symbols if any e single quote is not escaped e double quote is escaped with 6 back slashes e back slash is escaped with 7 back slashes The picture below illustrates an example of a local filtering rule modifier LocalRules that triggers if a message subject is equal to the following string It s big small text Dr Web M Dr Web Web Interfac Configuration Template Basic quaremine Puo ins Fut Gagne Reports wateeceving sending met wep Pops Proxy il Dr Web MailD is running ml id 1 0337 1x AND NOT zd block file with regular expressions _ 1 rfile add condition Action Continue stop modifier E LocalRules i select mime headers Subject It s WWbigiiiiiiism Create new setting Apply and Save Settings Figure 47 Rule editing Rule sets are created by clicking Create new rule section To edit a rule set either newly created or an old one click it Dr Web Console for UNIX mail servers 378 Dr Web MailD v Dr Web Web Interface configuration Pd Br Web maib is running a a Eo y Rule sections v Editing rule section default Settings Notify block Notify Virus Notify Notify allow any Cured allow admin sender Skip block
91. MTA if more than one connection attempt is specified for Sender in the Address or Router parameters in the Sender section After that Sender delays dispatching of the message In this case Receiver sends the SMTP response 250 Maild Error that indicates queuing of the email message that is to be sent as soon as problems with MTA connection are fixed The Maild Error message indicates that the situation is abnormal for the synchronous mode it is supposed to process mail traffic and transfer it to the target MTA rapidly Also in this case errors of the ERROR Broken pipe type may be logged These errors indicate that Sender was trying to send to MailD core a report through the connection closed upon the time out General recommendations 1 Synchronous mode is not supposed for intense workload It is recommended to select this mode only when Dr Web MailD operates as a local_mail filter Do not select this mode if Dr Web MailD operates as a high load SMTP gateway If most part of mail traffic through Dr Web MailD consists of messages with large attachments or with large number of attachments as well as if delays in the channel or problems with the target MTA are possible it is recommended to select the asynchronous mode Also it is not recommended to assign plug ins to the before queue if those plug ins can process a message during a long time period When the synchronous mode is selected it is strongly recommende
92. Mail Transfer Protocol Multipurpose Internet Mail Extensions Mail Delivery Agent agent which is responsible for mail delivery usually an integral part of a mail server Mail Transfer Agent mail server or its integral part which is responsible for mail receipt and mail transfer Mail User Agent DNS record about IP adresses of Mail agents into domain Open Database Connectivity API Post Office Protocol Version 3 Simple Authentication and Security Layer framework Simple Mail Transfer Protocol Structured Query Language Transmission Control Protocol A AN v Aq A Introduction System Requirements Dr Web for UNIX mail servers is compatible with e Linux distributions that meet requirements listed in Compatibility with Linux Distributions e FreeBSD version 6 x and higher for Intel x86 and amd64 platform e Solaris version 10 for Intel x86 and amd64 platform Used platform must be fully compatible with x86 processor architecture in 32 bit or 64 bit modes 64 bit systems must support 32 bit applications The products operating in FreeBSD 6 x cannot be integrated with Dr Web ESS 10 For example To enable support for 32 bit applications in systems based on Debian Ubuntu Linux the libc6 i386 library must be installed in systems based on ALT Linux the i586 glibc core library For successful operation of Dr Web for UNIX mail servers it is required to e Install and run Dr Web Daemon and anti virus Dr W
93. Port of a server which received the message server us lt UNIX socket gt Description Name of the UNIX socket of the server that received the message Ta N ax G Dr Web MailD 125 i16l SA CISIME IE Sie gt Description Unique identifier of Receiver that transmitted the message Si 0NE Io Description Flag indicating that the message was received from an authorized user Gi Ze lt size gt Description Size of the checked message the value is of the size type E SCOTS lt s cone Description Score assigned to the message number md client lt MailDesk Client name gt Description Unique identifier of the MailDesk Client 2 Other plug ins except for drweb zmailer have two specific parameters used for operation with several Sender and Receiver components simultaneously unique id lt identifier gt Description Unique component identifier This parameter enables MailD core to work with several copies of Sender and Receiver components Every new Sender Receiver pair must be started with the unique identifier paired Sender and Receiver components must have the same ID Thus an email message must be dispatched by Sender which has the same ID as Receiver which got the message If the component with the required ID is not found the default Sender is selected List of available Senders is reinitialized via the STGHUP signal The following list shows the way MailD core treats a component
94. Qmail see Description of integration configuration e Courier see Description of integration configuration e Zmailer see Description of integration configuration When it is possible to integrate Dr Web MailD with a mail system the MTA Mail filter mode is preferred to the SMTP proxy universal mode as the filter mode requires less load on calculating server capacity in this case Dr Web for UNIX mail servers performs only anti virus and anti spam functions and is not responsible for receiving and sending mail correspondence The MTA Mail filter integration method assumes that the protected MTA is running on the same server where Dr Web for UNIX mail servers operates 3 POP3 IMAP_ proxy integration In this mode Dr Web for UNIX mail servers is used for message check upon transferring the message to the MUA of the end recipient via IMAP or POP3 mail protocol and not at the moment when the message is received This integration solution can be implemented only if the mail system protected with Dr Web for UNIX mail servers is not a proxy but is finite meaning that the system serves requests from the end MUA In this case Dr Web for UNIX mail servers is embedded as a proxy between MUA and MDA and transfers messages returned to MDA at the MUA request to check them by Dr Web MailD This method does not require MDA and MUA to run on the same server as Dr Web for UNIX mail servers does For details on how to configure this integra
95. Ta J i ax Installation and Uninstallation Configuration Scripts After installation of the components you can use the configure pl configuration script to setup basic configuration of Dr Web MailD This script is located in the bin dir maild scripts directory On startup the script offers you to specify e order of mail processing with a certain plug in for example whether it should receive messages before or after they are added to the database e language to use for notifications and an address where they are to be sent e paths to the lists of protected networks and domains Also you should use the configure mta sh script This script is responsible for setting up interaction between Dr Web for UNIX mail servers and the currently used mail system After startup the script checks whether the required mail system is installed If it appears to be missing the script finishes its operation If the required mail system is installed the script asks the user several questions on essential settings for basic setup and makes the necessary changes in corresponding configuration files This information is enough to start Dr Web for UNIX mail servers but for a full featured performance it is required to configure each component and MTA manually For detailed information on parameters methods and techniques see the corresponding chapters of this Manual Adjustment and Startup Plug ins Integration with Mail Transfer Systems
96. Technical Support Example lt drwebvirustop period 24 top 2 user lt UUID gt lastdata 2005 04 12 07 00 00 04 gt lt item gt lt caught gt 69 lt caught gt lt percents gt 24 1258741258741 lt percents gt lt place gt 1 lt place gt lt vname gt Win32 HLLM Netsky 35328 lt vname gt lt item gt lt item gt lt caught gt 57 lt caught gt lt percents gt 19 9300699300699 lt percents gt lt place gt 2 lt place gt lt vname gt Win32 HLLM MyDoom 54464 lt vname gt lt item gt lt drwebvirustop gt In this file the following XML attributes are used e period duration in hours of the statistics collection process e top number of the most frequently detected threats shown in the table number of rows e user user identifier e lastdata time when user last sent data to the server e vname threat name e place threat place in the statistics e caught number of detections of the certain threat e percents percentage of the total number of detections A Value of the period parameter and size of the sample cannot be changed by user Ta J i ax Dr Web Monitor Dr Web Monitor Dr Web Monitor is a memory resident module drweb monitor It is used to increase fault tolerance of the whole Dr Web for UNIX mail servers suite It ensures correct startup and termination of suite components as well as restart of any component if it is operating abnormally Dr Web Monitor s
97. Use No Driver Name of the used SASL authentication driver text r E F In the current version only the cyrus driver is available To use it install and set up cyrus sas12 library Ta 2 1 ax BrokenAuthClients logical AuthenticatedHeader logical Cyrus SASL Section Dr Web MailD 167 Default value Driver cyrus Support for outdated SMTP clients which use irregular syntax of AUTH protocol Default value BrokenAuthClients Yes Adds names of registered users to the Received header When the value is set to Yes names of registered users are visible to everyone Default value AuthenticatedHeader No In the Cyrus SASL section parameters which configure operation of cyrus sas1 SASL driver are specified Lib path to file Path encens ServerHostname CSE nO ServerRealm string Absolute path to the cyrus sas12 library Default value Lib usr lib libsasl2 so 2 Name of the configuration file conf extension is added automatically The cyrus sas12 library receives its settings from this file Note that Dr Web MailD does not check whether the file specified in the parameter exists and is correct If the file is missing or is incorrect the cyrus sasl2 library automatically uses its default settings and no notification is generated on that Default value Path maild Host name FQDN that is automatically added as domain to the user par
98. Web MailD 209 OnError Sets the mode of error handling errors that occur in Lookup ignore exception when connecting to the specified data source Allowed modes e ignore ignore the error and continue message processing the error is only logged e exception generate an exception which is handled as a message processing error The handling method corresponds to the ProcessingError parameter value set for the module in operation of which this error occurred The parameter value can also be locally overridden in a Lookup Default value OnError ignore Note that when using libmysqlclient_r so library in FreeBSD 6 4 amd64 the following error may occur Undefined symbol gethostbyname r If the specified host or MySQL database are not accessible connection is attempted to be established during 2 seconds After the timeout occurs an error is logged and handled according to the OnError parameter value CDB Section In the CDB section settings for interaction between Dr Web MailD and CDB database are specified Sources Path to the CDB database file path to file P Default value Sources SkipDomains List of domains for which request to database is not required LookupLit 7 ee This parameter often allows to improve total performance and considerably reduce server load Please note that the parameter value is LookupLite The parameter value can also be locally overridden in a Lookup Default va
99. a certain identifier from Quarantine e stat output statistics on quarantined messages with a certain identifier Example drweb qcontrol stat def 1 def backup B 00014F8B DW SHOT PRODUCT UOdshM from ai l to ai fff time 2008 08 14 12 10 57 2 def drweb F 00014F8F DW SHOT PRODUCT QqFpdH from ai 4 to ai fff time 2008 08 14 13 00 50 3 def backup C 00014F8C DW SHOT PRODUCT A39xp7 from ai 2 to ai fff time 2008 08 14 13 00 50 4 def backup F 00014F8F DW SHOT PRODUCT tMi6W2 from ai 4 to ai fff time 2008 08 14 13 00 50 5 def drweb 3 00014F93 DW SHOT PRODUCT n9xPjU from ai 3 to ai fff time 2008 08 14 13 30 49 6 def backup 3 00014F93 DW SHOT PRODUCT ewYFVA from ai 3 to ai fff time 2008 08 14 13 30 49 7 def backup 4 00014F94 DW SHOT PRODUCT JQ3sLH from ai 3 to ai fff time 2008 08 14 13 30 49 Actions are applied in the order they are set that is you can specify several actions in one command Example drweb qcontrol send remove def backup F 00014F7F DW SHOT PRODUCT yv4ro9 sends an email message with the def backup F 00014F7F DW_ SHOT PRODUCT yv4ro9 identifier to the original recipients and then deletes the message from Quarantine Ta J 1 aX Dr Web MailD 239 If Dr Web MailD is set up to store quarantined messages in DBI storage the following additional SQL command must be specified in the command line e sql remove command allows to remove a message fr
100. a user setting for a recipient can match a group setting for another recipient If so the algorithm described above is used You can use the control socket interface as well as the web interface for work with users user groups and aliases Interactive control socket commands for viewing users and user groups e email info Show all information about users As well as individual Rules of message processing the internal database stores additional information on each user The information can be output in the following format client id email A 0 1 S 0 1 name username aliases aliasl alias2 groups groupl group2 rules 1 SETTINGS1 2 SETTINGS2 custom tagl infol tag2 info2 where e client id an empty string 220 Ta J i lt ey gt Dr Web MailD 221 e A flag indicating whether the user is active If the user is inactive all related Rules are ignored e s flag indicating whether gathering of individual statistics is enabled at that level of general statistics gathering must be set to high e name namel user name used mainly in the web interface e aliases groups rules custom lists of aliases user groups rules and other user settings e groups info Show all information about user groups Each group has the same set of options as that for a user always empty client id string user group name activity status statistics flags list of users and additional servi
101. actions those that are applied to objects by Dr Web for UNIX mail servers components In some cases the parameter can have one basic and three additional actions specified in such a case the name of the parameter type is actions list Basic action must be the first in the list Different parameters can have a different action list and in this case it is specified separately for each parameter For information on available actions see Allowed actions address parameter value expressed as a string which contains socket address of a Dr Web for UNIX mail servers component or used external program Address is of the following format TYPE ADDRESS There are three available Ty PEs o inet a TCP socket ADDRESS is specified in the following format PORT HOST NAME where HOST NAME can be either a direct IP address or domain name of the host Example Address inet 3003 localhost o local a local UNIX socket ADDRESS is a path to the socket file Example Address local var_dir daemon o pid a real process address that is to be read from the process PID file This address type is allowed only in certain cases that are explicitly designated in the parameter description text value string parameter value expressed as a text string The text can be enclosed in quotation marks and the text must be enclosed in quotation marks if it contains spaces pool options settings of a thread poo
102. actions to be performed if the CONDITION is true for a message o stop stop further search of matching Rules o cont continue search Rules downwards If CONDITION is false for a message the directive specified after that has no effect Rule search continues If a rule is too long and cannot be specified on a single line insert a character at the end of the line and continue the rule on the next line 243 Ta J i ax Dr Web MailD 244 Rule CONDITIONS Each of the CONDITION parts is a combination of Boolean terms BOOL _ TERM lt log_op gt BOOL TERM where BOOL _TERM Boolean term that can get either true or false value after the message parameter is checked the parameter can be set with the param_name value expression or identically equal to true or false A Boolean term has the following format lt param name value gt true false param name parameter name value parameter value Do not use white spaces between the parameter name and its value that is after the colon character in Boolean terms Names of parameters that can be used in rule conditions are presented in the following table any Either sender s or recipient s address Lookup Example any regex domain com Either sender s or recipient s address must be in the domain com from Address of the message sender Lookup sender Example from admin domain com Sender of the message must have the adm
103. address must be specified and Sendmail system chooses the appropriate client address for this connection e Through another transport connection drweb milter module sends commands to drweb maild module and waits for its response In the scheme given above drweb milter module works as a proxy or transformer between the Sendmail system interface and drweb maild module Note features of operation through Milter in synchronous and asynchronous modes Sendmail and drweb milter can operate on different computers but drweb milter and drweb maild modules must operate on the same computer Configuring Sendmail To set up interaction between Sendmail and Dr Web MailD changes to sendmail mc and sendmail cf configuration files are required To avoid recompilation of the sendmail cf configuration file you can insert or add there the following lines if the corresponding definitions are already present in the file For versions 8 14 0 and later HEHEHEHEHE EEEE EE E E EE EE Input mail filters HEHEHEHEHE EEEE E E EE EEEE O InputMailFilters drweb milter O Milter LogLevel 6 aE EH EAEE TEE EAE ERE ERE EEEE EEEH Xfilters HEE AEAEE TEHETE TEE TEE Ea TERE Ea BE Xdrweb milter S _ ADDRESS __ F T T C 1m S 5m R 5m E 1h To check locally sent messages with mail or sendmail system call all changes made to sendmail cf configuration file must be copied to submit cf and submit mc files Please
104. and LMTP protocols Dr Web MailD configuration file with corresponding settings documentation and configuration script for Dr Web Monitor It requires drweb maild package to be installed drweb maild cgp contains executable files of Sender and Receiver modules which enable interaction with Communigate Pro mail transfer agent Dr Web MailD configuration file with settings for the specific MTA documentation and configuration script of Communigate Pro for interaction with Dr Web MailD It requires drweb maild package to be installed drweb maild courier contains executable files of Sender and Receiver modules which enable interaction with Courier mail transfer agent Dr Web MailD configuration file with settings for the specific MTA documentation and configuration script of Courier for interaction with Dr Web MailD It requires drweb maild package to be installed drweb maild exim contains executable files of Sender and Receiver modules which enable interaction with Exim mail transfer agent Dr Web MailD configuration file with settings for the specific MTA documentation and configuration script of Exim for interaction with Dr Web MailD It requires drweb maild package to be installed drweb maild postfix contains executable files of Sender and Receiver modules which enable interaction with Postfix mail transfer agent Dr Web MailD configuration file with settings for the specific MTA documentation and configuration script of Postfix for interaction
105. are remove discard reject Optional actions are quarantine redirect notify add header score Default value Incurable reject quarantine notify R Actions to be applied to messages containing adware Powar ie In addition to one mandatory action you can specify several actions p optional actions Mandatory actions are pass remove discard reject Optional actions are quarantine redirect notify add header score Default value Adware reject quarantine notify R Actions to be applied to messages containing dialers Dialers m In addition to one mandatory action you can specify several actions 3 2 optional actions Mandatory actions are pass remove discard reject Optional actions are quarantine redirect notify add header score Default value Dialers reject quarantine notify R Actions to be applied to messages containing jokes which can Jokes scare or annoy users actions ot P J In addition to one mandatory action you can specify several optional actions Mandatory actions are pass remove discard reject Optional actions are quarantine redirect notify add header score Please note that several values may be specified at one time Default value Jokes reject quarantine notify R Actions to be applied to messages containing riskware Riskware seinen In addition to one mandatory action you can specify several Ta yan A A SkipObject ArchiveRestrictio
106. are not accessible updating process stops and terminates e If only one of the files is accessible it is used regardless of the value specified for the FallbackToDr1 parameter If both files are accessible Dr Web Updater uses the file specified in the CustomDrlFile parameter If it is impossible to connect to any of the servers from this file specified in CustomDr1File and the FallbackToDr1 value is set to yes Dr Web Updater tries to establish connection with the servers from the file specified in the Dr1File parameter If the connection fails the updating process stops and terminates 4 Dr Web Updater tries to connect to servers from the selected file in random order until connection is established Dr Web Updater waits for the server to respond during the period specified in the Timeout parameter 5 Dr Web Updater requests the list of available updates from the selected Dr Web GUS server and then requests the corresponding Izma archives If the archives are not available on the server the updates are downloaded as vab files To unpack Izma archives 1zma utility is used Path to the directory with the utility is specified in the LzmaDecoderPath parameter 6 After updates are unpacked they are saved to the corresponding directories as described in Updating Ta yan A A Dr Web Agent 92 Dr Web Agent Dr Web Agent is a resident module used to manage settings of Dr Web for UNIX mail servers modules define anti
107. are output If not specified messages are output for the whole period o DATE1 output messages moved to Quarantine after the specified time inclusive o DATE2 upper time line of moving the message to Quarantine inclusively The DATE format corresponds to the ISO format YYYYMMDDTHHMMSS where T separator between 227 Ta yan A A y Dr Web MailD 228 time and date The time is set and output as local time on a host where Dr Web MailD is operating o SIZE maximum size in bytes Returns only messages with the size exceeding the specified value When the value is set to 0 the size is unlimited o SUBJECT_SUBSTR substring enclosed in quotation marks in the original subject of the message that is before the message was modified by the product components If the substring does not contain spaces the enclosing quotation marks can be omitted If quotation marks are present in the name the character must be doubled o order order in which results are returned ascent ascending descent descending Default value descent If there is a mistake in a parameter the quarantine search command cannot be executed If several recipient templates are specified only messages that contain all templates are output similar to the effect of AND logical operator For all parameters except rcpt the value specified last in the command line is used For rcpt the number of recipients increases with every new
108. are specified Logging is performed for all main Dr Web for UNIX mail servers modules Level log level Log verbosity level used by Dr Web MailD components 5G Dr Web MailD 166 The following levels are available e Quiet ZRET TOT e Alert OC Taito e Debug Default value Level Info IPCLevel Log verbosity level of the IPC library log level The following levels are available e Quiet O jue ove e Alert OC Tigizo Debug Default value IPCLevel Alert SyslogFacility Log type label which is used by the syslogd system service syslog label Default value SyslogFacility Mail FileName Name of the log file or syslog if the syslog system service is syslog path to file used Default value FileName syslog Using SASL This chapter provides you with description of sections that contain SASL authentication parameters Current version of Dr Web for UNIX mail servers supports SASL authentication only via the cyrus sasl driver Thus if SASL authentication is used both SASL and Cyrus SASL sections must exist in the configuration file See also a configuration example of authentication via Cyrus SASL SASL Section In the SASL section you can specify parameters of SASL autentification in Dr Web for UNIX mail servers designed for working as a proxy server via SMTP LMTP protocol Use Enables or disables SASL authentication logical Sree fae Default value
109. ax Dr Web MailD 346 e Compile and install Exim system If the execution of make or make install commands is interrupted with error messages like libexec 1d elf so 1 Shared object libgcc_s so 1 not found required by libboost_thread so then there are two possible ways to fix it o Copy Libstdct so 6 and libgcc_s so 1 libraries or make links with the same name to them from bin dir 1lib to the system library directory o execute the following command from the console export LD LIBRARY PATH bin dir lib LD LIBRARY PATH and then compile and install Exim once again from the console After that configure Exim system For quick configuration you may use values of parameters from bin dir doc maild local_scan configure sample file Just copy the necessary lines to the local_scan section of the Exim configuration file To retrieve information on the Receiver settings execute the following command from the console PATH TO BIN DIR exim bP local_scan where PATH _TO BIN DIR is the path to the Exim binaries In the Exim configure file the following additional parameters can be set DrwebTimeout Period during which Exim is waiting for drweb maild to scan a time message It is recommended to set a greater value than the one of the SendTimeout parameter in the MailBase section Default value DrwebTimeout 60s DrwebBaseDir Dr Web MailD base directory where sockets database etc are logical stored
110. be set in the data source settings or locally overridden in the Lookup value expression the state when Sender cannot receive required route from the used data source is handled as an error in Sender operation Error message is logged In this case e in the synchronous mode Receiver returns the SMTP error code 451 Requested action aborted local error in processing to the message sender and the email message is deleted from all queues of Dr Web MailD e in the asynchronous mode the message is marked as stalled and Sender tries to send it at intervals specified in the StalledProcessingInterval parameter value Incorrect Lookup string can cause Dr Web MailD to terminate on its startup when reading a configuration file if Dr Web MailD cannot parse the Lookup string structure and recognize the type It is recommended to use a special utility for testing correctness of Lookups Note that full information on queries to data sources sent via Lookups is output only if the log verbosity level is not less detailed than DEBUG Lookup Usage Examples Example 1 ProtectedDomains odbc select domain from maild where domain S s With this query all messages from the domain found in domain column of maiid table in ODBC data source are marked as messages belonged to the protected domain Example 2 ProtectedEmails file etc dir email ini localhost ldap skipdomains file home trusted_ domains ldaps sub mail Ss Wi
111. can not follow maild rules ERROR error in parse Example 5 any sqlite select skipaddr from domain where skipaddr Ss cont scan all drweb This query enables checking of addresses If sender s or recipient s addresses are in the skipaddr field of domain table of SQLite database Drweb plug in is not used for them Lookup Usage Restrictions LookupLite Type Sometimes it is impossible to use Lookup of certain types with the full set of prefixes not all prefixes are allowed In this case a special Lookup type LookupLite is used LookupLite is a value type similar to Lookup but you can specify only the following types of the Lookup o value this is an optional prefix and can be absent for single value o file LookupLite is used in e settings of Lookups e g SkipDomains parameter for each Lookup e settings of plug ins At any attempt to specify a forbidden type of Lookup the following message is output to the log Wed Jun 10 14 02 20 2009 4160149200 Modifier ERROR Error in init lookup cdb select from root mail base file for CDB txt where key domain can t use this lookup here A It is recommended to use a special utility for testing correctness of Lookups and LookupsLite Storage Data Type Storage data type describes objects used to store data Syntax of the Storage type is similar to Lookup except for the following differences e another set of prefixes is used e th
112. checked unless the current score is less than the specified parameter value Checks for a spam trap The recipient s address must be of the lt USER HOST gt format If the host name is in the list defined by the ProtectedDomains parameter unless the list is empty see below and the user name is in the list defined by the SpamTrap parameter see below the message is blocked or if SCORE is specified an error is logged and the SCORE value is added to the message score Full email address can be also specified in the SpamTrap list Blocks messages with empty FROM header and several recipients or if SCORE is specified an error is logged and the SCORE value is added to the message score Skip all other checks on this SMTP session stage if the client has successfully passed SASL authentication If SCORE is specified a client that has successfully passed SASL authentication is checked unless the current score is less than the specified parameter value Ta yan A A Dr Web MailD Examples SenderRestrictions trust protected networks reject Allows receiving email messages only from IP addresses which belong to the networks specified in the ProtectedNetworks parameter value Messages from other IP addresses are rejected SenderRestrictions trust protected networks trust protected domains sleep 5 add score 10 Allows receiving email messages from IP addresses which belong to the networks specified in the Prote
113. chown drweb qmail bin_ dir qmail queue chmod 4711 sbin dir qmail queue chown qmailgq qmail sqmail dir qmail queue original chmod 4711 qmail dir qmail queue original 4 Also add qmailg and qmaild users to the drweb group and drweb user to the qmail group Configuring Dr Web MailD All settings providing proper operation of Dr Web MailD with Qmail are collected in the Sender and Qmail sections of Dr Web MailD configuration file and are described in the following sections of the current Manual Sender and Qmail It is recommended to set the SecureHash parameter value in the Sender section of the Dr Web MailD configuration file you can specify a free form string advisory length not less than 10 characters and set the UseSecureHash parameter value in the same section to Yes These parameters configure addition of a special header X DrWeb Hash that prevents looping of a message when it is checked as the message can be added to the incoming email queue again if it was modified during the check When Dr Web MailD work with Qmail system the following modules must be running in the system this is specified in mmc file of Dr Web Monitor e drweb notifier drweb sender e drweb maild drweb qmail 349 Ta J 1 ax Dr Web MailD Known Issues Description On startup Qmail returns one of the following errors terminate called after throwing an instance of St9bad alloc what
114. components Green and underlined Hyperlinks to topics and web pages Monospace Code examples input to the command line and application output Italics Placeholders which represent information that must be supplied by a user For command line input it indicates parameter values CAPITAL LETTERS Names of keys and key sequences Plus sign Indicates a combination of keys For example ALT F1 means to hold down the ALT key while pressing the F1 key Exclamation mark A warning about potential errors or any other important comment To define directories where the suite components are installed the following conventions are used Sbin_ dir etc_dir and var_ dir Depending on the OS these symbols refer to the following directories for Linux and Solaris sbin dir setc dir svar dir for FreeBSD sbin dir setc dir svar dir opt drweb etc drweb var drweb usr local drweb usr local etc drweb var drweb The following conventions are used in the Manual ASCII CIDR DEB DNS HTML IP IPv4 IPv6 IPC MD5 OS PID POSIX RFC American Standard Code for Information Interchange Classless Inter Domain Routing Extension for package files for software distribution in Debian and others used dpkg Domain Name System HyperText Markup Language Internet Protocol Internet Protocol version 4 Internet Protocol version 6 Inter Process Communication Message Digest 5 algorithm Operating System Process I
115. contains sockets databases and other path to directory files In the current version value of this parameter cannot be changed by SUGHUP signal Restart of YeMAILD gt is required Default value BaseDir svar dir Ta 2 1 ax MaxTimeoutForThreadActivity time IpcTimeout time Hostname string Maild Section Dr Web MailD 143 Maximum time for a thread to close This parameter is used on system restart or shutdown Total time for the system to shut down is calculated in the following way number of pools and the MaxTimeoutForThreadActivity parameter value are multiplied together and then a certain time constant is added to the result Default value MaxTimeoutForThreadActivity 30s Timeout for establishing connection between components or waiting response After timeout is expired the connection is disconnected Also an error of interaction between components is fixed This error is processed as specified in the ProcessingErrors parameter value in the Maild section In the current version value of this parameter cannot be changed when reloading the system by SUGHUP signal Timeout period must be approximately equal to average time of processing an email message by plug ins It is particularly significant if the before queue mode is enabled message is checked by plug ins from the list specified in the BeforeQueueFilters parameter value in the Filters section Default val
116. daily or weekly check of the hard drive o Instructs to use the standard output stdout 99 Disables information output ok Instructs to list all scanned objects in the report and mark the clean object with Ok Instructs to log Dr Web Scanner operations in the specified file The file name is required for enabling logging Add a plus if you want to append the log file instead of overwriting it log lt path to file gt imi spath to file gt Instructs to use the specified configuration file By default Dr Web Scanner uses drweb32 ini this configuration file is shared by Dr Web Daemon Dr Web Scanner and Dr Web Updater Dr Web Scanner uses parameters specified in the Scanner section of this file The list of the scanner parameters and available values are similar to the those specified in the Daemon section i Sein to file gt Instructs to use the specified language file The default language is English a Control Agent Run Dr Web Scanner in the central protection mode address gt mi Disables the use of the configuration file for adjusting scanner settings Dr Web Scanner is configured via command line parameters pns Disables interruption of scanning process even upon receipt of interruption signals SIGINT only key On startup only key file is received from Dr Web Agent You can use the hyphen postfix no space to disable the following parameters ar cu ha ic fl ml ok sd s
117. email message transmits it to Dr Web MailD for check via the SMTP LMTP protocol Having checked the message Dr Web MailD returns it to the same server which transmitted the message via the SMTP LMTP protocol The scheme of the Callback mode implementation is shown in the picture below MTA MTA Picture 21 Integration between Dr Web MailD and mail systems in the Callback mode The set of running components and main settings are similar to those of the SMTP LMTP proxy integration mode Special Settings of Callback Mode The feature of the Callback mode settings is that Sender must return the email message to the same host which sent this message to Receiver but to another port For that purpose add special Rules that modify the procedure of sending messages The rules are specified in the Rules section of the main Dr Web MailD configuration file When specifying the Rules use the SenderAddress parameter to set the address to which checked messages are returned Specify the Rules as follows lt CONDITION gt cont SenderAddress inet lt pont num gt CLIENT IP where lt CONDITION gt condition when the Rule is executed in the most trivial case specifying true is sufficient and lt port num gt number of the port where MTA is waiting for a message for example 10025 CLIENT IP special macro that is substituted with the address which Receiver stores as the address from which the message was received
118. empty parameter value and run the whole suite with root privileges Interaction between Dr Web MailD and CGP mail system has the following features it is performed locally via the PIPE mechanism Dr Web MailD performs functions of a content filter and thus cannot modify message headers Therefore when Dr Web MailD needs to change message headers for example to mark a message as spam usually by adding the SPAM string to the message subject the following method is used Dr Web MailD sends CGP a notification with request to reject the original message and simultaneously adds the modified message to the queue of incoming email The message is checked by Dr Web MailD for the second time and the following actions are applied to prevent looping e The drweb cgp receiver module skips all messages received via PIPE without check As drweb cgp sender loads new messages to CGP via PIPE the repeated check is prevented However this results in skipping all other messages queued by any program via PIPE e To avoid skipping such messages it is recommended to add a special header to them This is configured by UseSecureHash and SecureHash parameters in the CgpSender section of the Dr Web MailD configuration file If the UseSecureHash parameter value is set to Yes such 333 Ta J 1 aX Dr Web MailD header with the X DrWeb Hash name is added to a message when being assigned to the queue of CGP incoming email The SecureHash parame
119. executable files and its documentation It requires drweb agent drweb common and drweb boost147 packages to be installed drweb maild contains Dr Web MailD executable files and its documentation It requires drweb maild common package to be installed drweb maild common contains libraries for Dr Web Agent Dr Web Monitor and Dr Web MailD It requires drweb common drweb gperftools0 drweb agent and drweb monitor packages to be installed drweb maild plugin drweb contains library of Drweb plug in its configuration file documentation and configuration script It requires drweb maild package to be installed drweb maild web contains web interface of Dr Web for UNIX mail servers drweb maild plugin headersfilter contains library of Headersfilter plug in its configuration file documentation and configuration script It requires drweb maild package to be installed drweb maild plugin modifier contains library of Modifier plug in its configuration file documentation and configuration script It requires drweb maild package to be installed drweb maild plugin vaderetro contains configuration file of Vaderetro plug in documentation and configuration script It requires drweb maild and drweb libvaderetro packages to be installed drweb libvaderetro contains library of Vaderetro plug in drweb maild smtp contains executable files of Sender and Receiver modules which enable operation of Dr Web for UNIX mail servers as a proxy server for SMTP
120. expression from the list the action specified in the BlockByFilename parameter settings is applied This check is performed only to files where no viruses are found Default value RegexsForCheckedFilename R Actions to be applied to messages which were not scanned by Dr Web Daemon due to license expiration In addition to one mandatory action you can specify several optional actions Mandatory actions are pass tempfail discard reject Optional actions are quarantine redirect notify add header score Default value LicenseLimit pass R Actions to be applied to messages infected with a known virus In addition to one mandatory action you can specify several optional actions Mandatory actions are cure remove discard reject Optional actions are quarantine redirect notify Default value Infected cure quarantine R Actions to be applied to messages which could be infected with an unknown virus In addition to one mandatory action you can specify several optional actions Mandatory actions are pass remove discard reject 294 Ta J 1 ax Dr Web MailD 295 Optional actions are quarantine redirect notify add header score Default value Suspicious reject quarantine notify R Actions to be applied to incurable messages pega ables In addition to one mandatory action you can specify several actions e optional actions Mandatory actions
121. file Please note that for successful policy compilation a checkpolicy package must be installed in the system Usage example Checkmodule M m o drweb mod drweb te 3 Create a policy module drweb pp with the use of semodule_package utility Example semodule package o drweb pp m drweb mod 4 To install a new policy module into the module store use the semodule utility Example semodule i drweb pp After system restart SELinux security subsystem will be configured to enable correct operation of Dr Web for UNIX mail servers For details on how to configure SELinux and on its operation features refer to documentation for the used Linux distribution Ta J i ax Registration Procedure Registration Procedure Permissions to use Dr Web for UNIX mail servers are specified in the key file License key file contains the following information e list of Dr Web for UNIX mail servers components licensed to the user e license period e list of plug ins licensed to the user some plug ins do not require registration in the key file e other restrictions for example number of emails to be checked by plug ins per day By default the license key file is located in the directory with Dr Web for UNIX mail servers executables License key file is digitally signed to prevent its editing Edited key file becomes invalid It is not recommended to open your key file in text editors in order to avoid its accidental inv
122. for text inserted with koi8 commands append _text and prepend_text directly tad from rules more gt gt Use custom reply Custom messages in SMTP sessions re HN more gt gt No Reply Reply string to be used as SMTP reply when message is rejected by modifier plugin Size limit Maximum size of a message to scan more gt gt te b ga oe Log verbosity level Plug in log verbosity level info Preview Apply and Save Settings Figure 44 Modifier settings Please note that modification rules in the Global rules field must be specified according to the same principle as the GlobalRules parameter value in the configuration file of Dr Web Modifier that is escape quotation marks and slash symbols if any e single quote is not escaped e double quote is escaped with 6 back slashes e back slash is escaped with 7 back slashes The picture above illustrates an example of a modification rule that triggers if a message subject is equal to the following string It s big small text 375 Dr Web Console for UNIX mail servers Dr Web Web Interfac w Configuration Te B Dr Web Maid is running y Rule sections Section default number of settings 10 vy Rules gt true AND block rfile file cont quarantine yes Apply and Save Settings Figure 45 Message processing rules This tab contains settings of the Rules section of Dr Web Mai
123. if a message is classified as spam because its score is equal or less than the Threshold value Vaderetro plug in can add the text specified as the SubjectPrefix parameter value in the Vaderetro configuration file to the message subject The text is added only if the SubjectPrefix parameter value is not an empty string Similarly to that the NotifySubjectPrefix parameter value can be added to the beginning of the Subject field of a notification If a message was marked as unconditional spam according to the UnconditionalSpamThreshold parameter a value of UnconditionalSubjectPrefix is added to the beginning of the Subject field of this message A message score can change depending on the information on the sender and recipient addresses 1 You can specify white and black lists of senders addresses WhiteList and BlackList configuration parameters respectively If one of the senders addresses is in the black or white list the message score is changed by 5000 points increased or decreased respectively for every address found in the list For details refer to the description of the parameters 2 You can specify number of points by which it is required to change the score of a message from protected networks that is networks specified in the ProtectedNetworks parameter of the Maild section in the main Dr Web MailD configuration file 3 You can also use special cache reply cache that stores information on messages from protected
124. if it contains the corresponding record about the sender recipients Data about the sender recipients is taken from the message envelope If the source sequence of symbols is found select message command is performed a whole message is selected Example If a message is sent to the administrator you can add a welcome note at the end using the append_text command see below select recipient root localhost append text hello root It is clear that if the message is not sent to the administrator no items are selected and therefore the append _text command is not applied This feature allows avoiding use of conditional operators if the alternative action when required elements are not found is absent e select_mimes This command allows moving from selection of headers to selection of MIME objects that contain them That enhances plug in operation when it is required to select headers and then to select an object by the same criterion Selection of at least one component of the object is enough for selection of the whole object not including nested MIME objects for a composite MIME object Note that it is required to consider text encoding for all modification rules that use a header or a part of a A message Rules of working with header values in arbitrary encoding are described in Work with String Values Ta J 1 aX Dr Web MailD 316 To select elements that satisfy several criteria use log
125. in Courier system usr lib courier sbin courierfilter start drweb user with whose privileges Dr Web Daemon component operates must be included in courier group to gain read access to files created in the spool by Courier mail system Transmission of processed messages to Courier MTA Settings that manage transmission of processed messages to MTA are specified in the Sender section of the configuration file For that perpose the following parameters must be specified MailerName Courier Method pipe Address lt path to the post system for message sending gt by default usr lib courier bin sendmail Configuring Dr Web MailD All settings providing proper operation of Dr Web MailD with Courier are collected in the Sender and Courier sections of the Dr Web MailD configuration file and described in the following sections of the current Manual Sender section and Courier section When Dr Web MailD is working with mail system Courier the following modules must be running in the system this is specified in mmc file of Dr Web Monitor e drweb notifier e drweb sender e drweb maild Ta J 1 ax Dr Web MailD e drweb courier Known Issues Description During Dr Web MailD restart due to receipt of SIGHUP signal the following problems can occur on high load or when one of Dr Web Daemon scanning daemons is not available addresses of which are listed in Drweb plug in settings or if the scan
126. in Mail Processing Rules supports cloning of email messages That is if the message has several recipients and for different recipients there are rules with different parameter values the message is to be cloned according to the number of the recipients The parameter value is defined separately for each copy by the rule which is true for it If a parameter Status is not specified in its description this parameter cannot be used in Mail Processing Rules Description of parameters is provided in this document in the same order as they are specified in the corresponding configuration file created upon Dr Web for UNIX mail servers installation The Parameter type field can be one of the following e numerical value parameter value expressed as a whole non negative number e time parameter value expressed as a date unit The value is a whole number that can be followed by a symbol defining the type of a date unit s seconds m minutes h hours symbol is case insensitive If the value does not have a symbol the parameter is expressed in seconds by default Examples 30h 15m 6 in the last example time is expressed in seconds e size parameter value expressed as a unit of memory size disk space or RAM The value is a combination of a whole number that can be followed by a symbol defining the type of a memory size unit o bytes k kilobytes m megabytes g gigabytes symbol is case insensitive
127. in the synchronous mode Dr Web MailD response to a client contains SMTP code 55 or 250 depending on the ReturnReject parameter value in the Receiver section and a text message which content is determined by values of the parameters described below Their values must be enclosed in quotation marks R Use custom messages as an SMTP reply if a message is rejected UseCustomReply logical Default value UseCustomReply No R Custom message used as an SMTP reply when Action ReplyRuleFilter reject s applied and also when UseCustomReply yes You text can specify only the text part of the message Text must be enclosed in quotation marks if it contains white spaces Example S50 So 7 MWESsic pareo E repy Default value ReplyRuleFilter DrWEB HeadersFilter plugin Message is rejected by headers rule filter If UseCustomReply No or the corresponding string is not specified the following standard message outputs The message has been rejected by the Dr Web MailD Note that it is required to consider encoding of the search text for all filter rules that change or search a header value or a part of a message Rules of working with header values in custom encoding are described in the Work with String Values Examples The following examples shows how to set actions of Dr Web HeadersFilter plug in 1 Suppose that it is required to filter email messages either without the To header or Subject of
128. input value Output format N id SENDER RCTPS SIZE DATE SUBJECT BLOCK OBJECT1 BLOCK OBJECT2 where o N ordinal number of the found message o SENDER sender of the message from the envelope o RCPTS recipients of the message from the envelope o SUBJECT subject of the message output in UTF8 encryption o SIZE size of the message in bytes o DATE date of moving the message to Quarantine o BLOCK OBJECTN object blocking the message Examples Quarantine search Returns the list of all messages in Quarantine starting from the newest Quarantine search range 45 15 id def drweb Returns 15 newest messages in Quarantine missing first 45 messages for the Drweb plug in Quarantine search rcpt john smith com Returns all messages with john smith com recipient in Quarantine starting from the newest Aq P ry A v Dr Web MailD 229 quarantine search sort size sender period 20090101T100001 20090102T100000 size 5242880 id def vaderetro Outputs the messages in descending order received for Vaderetro plug in on January 1 2009 from 10 a m to 10 a m of the next day and size of which exceeds 5 MB Output example Quarantine search 0 def drweb 9 00021569 maild BMED3y lt ai drweb com gt lt alias_ ai81 drweb com gt 829 20091117T102126 EICAR test2 EICAR Test File NOT a Virus T def backup 9 00021569 maild 3PLb8e lt ai
129. is generated value is in the time format If this value is not specified the report contains statistics for a 24 hour period Enforces back up of the internal database Enforces start of the drweb qp utility for Quarantine processing similar to the action performed on timeout set in the PulseTime parameter from the Quarantine section of the Dr Web MailD configuration file All cached statistics is moved from cache to the internal database Outputs information on messages stored in the internal database where e id number of the requested message e idl id2 outputs information on messages with numbers from the range defined by these values e idl outputs information on all messages with numbers beginning with id1 numbers must be specified in hexadecimal notation e plugin _name name of the plug in which moved the message to the database now symbol means that the parameter is not specified When no parameter is specified information on all messages from the database is output Example get drweb outputs information on messages moved to the database by Drweb plug in get outputs information on all messages stored in the database Sends specified messages to the recipients from the envelope Only messages not yet dispatched to the recipients with send no in get command output can be sent Description of the parameters is similar to that of the get command except for the new paramete
130. locally overridden in a Lookup Default value SkipDomains OnError Sets the mode of error handling errors that occur in Lookup ignore exception when connecting to data source Allowed modes e ignore ignore the error and continue message processing the error is only logged e exception generate an exception which is handled as a message processing error The handling method corresponds to the ProcessingError parameter value set for the module in operation of which this error occurred The parameter value can also be locally overridden in Lookup Default value OnError ignore Notes 1 Dr Web MailD uses the libclntsh library to connect to Oracle databases it is distributed with Oracle client and supports OTL v8 or later 2 To connect to Oracle database specify username password and connection name for the ConnectData parameter in the following format user password CONNECTION You can specify the connection name in one of the following ways e if Oracle DBMS is installed on the same computer as Dr Web MailD define environment variable ORACLE HOME for Dr Web MailD as per the Oracle DBMS documentation After that specify one of the TNS names in file SORACLE_HOME network admin tnsnames ora as the connection name e copy the connection description without line breaks from the SORACLE HOME network admin tnsnames ora file located on the server Example Let us assume that there is an tnsnames ora
131. locally overridden in a Lookup Default value SkipDomains Sets the mode of error handling errors that occur in Lookup when connecting to the specified data source Allowed modes e ignore ignore the error and continue message processing the error is only logged e exception generate an exception which is handled as a message processing error The handling method corresponds to the ProcessingError parameter value set for the module in operation of which this error occurred The parameter value can also be locally overridden in a Lookup value Default value OnError ignore If the specified host or database are not accessible connection is attempted to be established until timeout occurs the timeout value is specified for the connect_timeout parameter in the connection string in the example above the timeout is set to 5 seconds After that an error is fixed and handled according to the action set for the OnError parameter MySQL Section In the MySQL section settings for interaction between Dr Web MailD and MySQL database are specified User St LN Password erriac MySQL database user name Default value User MySQL database password Default value Password Name of the MySQL database Ta J N ys Host hostname Port address Connections numerical value SizeLimit numerical value Lib path to file SkipDomains LookupLite Dr W
132. logged For details on Dr Web MailD internal statistics format see Internal Statistics section Please note that not all parameters can change their values upon receipt of STGHUP signal that is if you change values of these parameters and send SIGHUP signal to Dr Web MailD modules changes will not be applied That is designated in the description of such parameters If it is necessary to change their values restart Dr Web MailD Also note that both Dr Web Monitor component and Dr Web Agent component do not support processing of SIGUSR1 and SIGUSR2 signals Upon receipt of these signals the components terminate Dr Web MailD 127 Ta J i ax Dr Web MailD 128 Logging Logged data can be output to the file or to the syslog system service Output destination is defined in the configuration file of Dr Web MailD in the Logging section When syslog is used every string looks as follows tid where name sub level sid mta id text e tid identifier of the thread which is responsible for string output e name name of the component which performs an output for example plug in or module name e sub name of the component service to perform output The most important services are o ipc interprocess communication service o thrN support service of the thread poo with the N number o report report support service o ldap odbc oracle sqlite mysql postgres cdb ber
133. lost but the database will not be destroyed and system performance will increase If there are no special requirements for system reliability you may leave No as this parameter value Default value SyncMode No Notifier Section In the Notifier section settings of drweb notifier module Notifier component are specified Notifier is responsible for generation and sending MailD notifications DSNs and reports on operation of Dr Web for UNIX mail servers components PoolOptions Notifier thread pool settings pool options E Default value PoolOptions auto TemplatesBaseDir Path to the directory where templates of MailD notification reports path to directory and DSNs are stored Default value TemplatesBaseDir etc dir maild templates LngBaseDir Path to the directory where language files used for generation of path to directory notifications are stored Ta 1 ax R c AdminMail email address FilterMail email address R c NotifyLangs SUE TeAL ims TemplatesParserLoglevel log level RulesLogLevel log level Dr Web MailID 151 Description of language file structure and use is provided here Default value LngBaseDir etc dir maild ing Postmaster email address It is possible to specify several addresses In this case generated notifications and reports except for DSN which is always dispatched only to the sender of a message which c
134. mail servers drweb by default Default value ChownToUser drweb Bae Y CgpSender Section Dr Web MailD 189 In the CgpSender section settings for interaction between Sender and CommuniGate Pro mail transfer system are specified This section is included in Dr Web MailD configuration file only if the software version is designed for operation with the MTA mentioned above UseSecureHash logical SecureHash string PoolOptions pool options SubmitDir path to directory SubmitFilesMode permissions SubmitFilenamesPrefix string Instructs to add the X DrWeb Hash header mark to messages that are sent back to the mail system The parameter value is used if Dr Web MailD has to reject an original message after modifying it and then add the modified message to the queue of incoming email If No is specified a message received by Dr Web MailD from a mail system is transmitted directly for delivery without performing a check if the message was added to the mail system queue of incoming mail locally via PIPE If Yes is specified a message received by Dr Web MailD from a mail system is transmitted directly for delivery without performing a check if both the message has such header and the message was added to the mail system queue of incoming mail locally via PIPE Note that this parameter is used by both Sender and Receiver Therefore changing of the value requires not only se
135. mode Console displays the corresponding warning and Apply and Save Settings Preview and Save buttons become unavailable uarantine a Configuration Settings are only available for viewing E DEN sec Quarantine Plug ins Rules Engine Reports Maii receiving Sending mait imap Pops Proxy Y Common Hostname Hostname of Dr Web computer more gt gt gt test_host gt MySQL gt PostgreSQL gt Firebird gt CDB gt Berkeley gt SQLite ODBC Settings gt LDAP Settings gt Stat gt Advanced Apply and Save settings Figure 62 Read only user permissions Configuring Workstation When a new workstation is created its configuration settings are inherited from a group it belongs to That group is called the primary group If the settings of the primary group are modified these changes are inherited by all workstations included into the group unless the workstation configuration is customized When creating a workstation you can specify what group is to be treated as primary By default the primary group is the Everyone group Inheritance in nested groups depends on the group hierarchy If for a station no custom settings are specified it inherits configuration from its parent group and this process repeats recursively Therefore search for the group configuration is performed upwards through the hierarchical tree of nes
136. networks list of recipient addresses in order to consider this information while analyzing messages sent to the protected networks and being a reply on the messages If the message sender is already cached the message score can be changed by the specified number of points Note that a message undergoes all checks successively so if several conditions were true for the same message all changes are summarized For example if a message sender is in the black list and the sender is in the reply cache the message score is increased by a penalty for the sender being in the black list and then by a value specified in the ReplyToProtectedNetworkScoreAdd plug in parameter of the plug in configuration Messages which were mistakenly marked as spam should be sent to vrnonspam drweb com Spam messages accidentally passed by the spam filter should be sent to vrspam drweb com Installing Vaderetro Plug In To connect Vaderetro plug in to Dr Web for UNIX mail servers add vaderetro string to the list of plug ins for message processing in the Dr Web MailD configuration file If you want messages to be processed by Vaderetro plug in before they are imported to the database add the plug in name to the list of the BeforeQueueFilters parameter values from the Filter section of Dr Web MailD configuration file Example BeforeQueueFilters drweb vaderetro If you want messages to be processed by the Vaderetro plug in after they are imported to
137. not contain empty and garbage lines such as separators or comments which cannot be used aS Lookup values regular expressions for rfile are given correctly to match the Perl regular expressions syntax files do not contain superfluous data file size is not too large as when a file of large size is read a memory allocation error can occur in this case Dr Web MailD is terminated e ldap the value is the path to the LDAP server The value is set in the following format paraml val1 param2 val2 ldap_url where 1ldap_url is an URL of LDAP query Specify param1 param2 and others to override their values in the Lookup query the values are set in the LDAP section of Dr Web MailD configuration file You can specify only those parameters for which this option is explicitly stated see description of the section parameters For parameters that are not specified values from the LDAP section of Dr Web MailD configuration file are used URL of LDAP query 1dap_ur1 is as follows ldap hostport dn attrs scope filter exts where o hostport host name can be specified with a port number separated by a colon portnumber o dn database name where search is performed o attrs comma separated list of request attributes o scope can have one of the following values base one sub o filter filter name o exts set of LDAP and or API extensions Example ldap ldap example net dc ex
138. of Rules in the configuration file becomes inefficient as complexity of rule search is proportional to the number of rules specified in the file In this case Rule search in the database is more efficient and moreover optimizes memory usage Order of message processing and Rule search When processing a message with a plug in or another component it can request a parameter value from MailD core In this case the required parameter value is selected according to the following algorithm e View of Rules in the built in database that are connected with the message recipient specified in 242 Ta J 1 aX Dr Web MailD the RCPT TO e View of Rules in the built in database that are connected with all user groups of the recipient The view is performed in the reverse order starting from settings of the last user group to the first user group in the list e View of Rules specified in the Rules section Note the procedure of Rule search o All Rules in the current group are checked in the same order as they are set o For each rule CONDITION is checked if the conditional part is true the required parameter value is searched in the SETTINGS part of the rule o If CONDITION is false the required value is searched in the next Rule o If CONDITION is true and is followed by a cont directive search continues in the next Rule If the true CONDITION is followed by a stop directive rule search stops regardless whether
139. of any parameter that manages actions on messages you can specify an email address where filtered messages are redirected by default an email address specified as the RedirectMail parameter value on the Engine tab is used Ta N ax Dr Web Console for UNIX mail servers Advanced settings allow to configure custom replies sent to users upon message block Use custom reply Reply strings to be used as SMTP reply when messages have been rejected DrWEB MailD Message is rejected due to filename patter No a Use TCP_NODELAY Enable TCP_NODELAY parameter for socket No I more gt gt Log file limit Maximum size of drwebd log file 50 KB zi more gt gt Infected reply Reply string to be used as SMTP reply when HN Infected reject or Incurable reject actions are DrWEB Antivirus Message is rejected because it contains applied and also when UseCustomReply yes more gt gt Malware reply Reply string to be used as SMTP reply when N Adware Dialers Jokes Riskware Hacktools reject DrWEB Antivirus Message is rejected because it contains actions are applied and also when UseCustomReply yes more gt gt Suspicious reply Reply string to be used as SMTP reply when N Suspicious reject action is applied and also when DrWEB Antivirus Message is rejected because it contains UseCustomReply yes more gt gt Error reply
140. on checked messages PLUGIN DATE P R D T Q RE N C S U F I DI DM DSV DC DD DSK DAR CS SS US DE DTA DTD DTJ DTR DTH PS RS DS TS QS RES NS F3 IS WT 2 Statistics on blocked messages PLUGIN DATE FROM IP BLOCK1 TYPE1 BLOCK2 TYPE2 Where e PLUGIN name of the plug in on which statistics is output If is specified general statics displays including statistics on messages which were not transmitted by any plug in DATE time when the record was created For general statistics on checked messages it means the beginning of the time interval during which statistics is saved End of the time interval is the beginning of a new record If the following record does not exist then 5 minutes are added to the beginning of the period The format matches ISO format YYYYMMDDTHHMMSS where T separator between time and date Time is set and output as local time for the host with Dr Web for UNIX mail servers The following values until wr inclusive are output in the NAME VAL format where NAME name of the value P PS VAL its numeric value If some of these values are not specified it is treated as equal to 0 P PS R RS D DS T TS applied Q QS applied RE R ES applied N NS C CS S SS U US F ES I IS DI DM lt number gt lt size in bytes gt of the messages for which
141. option cannot be applied to messages from the list If a user considers a message that was not detected to be spam it is required to save the message as a file to the file system Filter Panel Filter panel simplifies processing of quarantined messages Sender Recipient Subject Date all dates z Size bytes Staus any stetus z C 2042010 00001 11052010 23 53 Reset Apply Figure 31 Filter panel Using the filter system you can select messages that satisfy the following criteria e Sender email address of a message sender In this field you can enter a full email address or only a part of it e Recipient email address of a message recipient In this field you can enter a full email address or only a part of it e Subject any text to be looked for in the corresponding field of quarantined messages As a result only those messages are displayed which Subject field contains the specified text string both complete and partial match are allowed e Date date when a message was moved to Quarantine You can select a certain time period from the drop down list or set the period using the calendar which opens after you click the button The following date options are available o all dates select all the messages stored in Quarantine o today select messages moved to Quarantine between the midnight and the present moment o yesterday select messages moved to Quara
142. or E E SSMS ra a wesziuwstadousset osm niemie 5 weszmuwsiadon fose neeaae famam ses 7 UTanilinwanted IS SMCFraud 1N Figure 16 Computer threats statistics You can change search options and repeat the search To do this 1 Select either Mail or Files check boxes to get statistics on computer threats detected in emails or files 2 In the drop down lists for Start date and End date select start end date and time for the Ta J i aX Dr Web Agent 107 required period 3 In the Top field enter the required number of rows in the statistics table most frequently detected threats will be shown 4 Click Query The file with aggregate statistics in the XML format can be found at http info drweb com export xml top Example lt drwebvirustop period 24 top 5 vdbaseurl http info drweb com virus description updatedutc 2009 06 09 09 32 02 gt lt item gt lt vname gt Win32 HLLM Netsky lt vname gt lt dwvlid gt 62083 lt dwvlid gt lt place gt 1 lt place gt lt percents gt 34 201062139103 lt percents gt lt item gt lt item gt lt vname gt Win32 HLLM MyDoom lt vname gt lt dwvlid gt 9353 lt dwvlid gt lt place gt 2 lt place gt lt percents gt 25 1303270912579 lt percents gt lt item gt lt item gt lt vname gt Win32 HLLM Beagle lt vname gt lt dwvlid gt 26997 lt dwvlid gt lt place gt 3 lt place gt lt percents gt 13 4593034783378 lt percents gt lt ite
143. part wie seejoily Default value ReplySkipObject DrWEB anti virus Message is rejected because it cannot be checked Ta J 1 T gt i wo Dr Web MailD 299 R Custom message used as an SMTP repy when ReplyArchiveRestriction ArchiveRestriction reject action is applied and also text value when UseCustomReply Yes You can specify only the text part of the message Text must be quoted if it contains white spaces Example D0 Soa MwWessic par tOr repy Default value ReplyArchiveRestriction DrWEB anti virus Message is rejected because it contains archive which violates restrictions R Custom message used as an SMTP reply when one of the ReplyError following actions are applied ScanningErrors text value ProcessingErrors and also when UseCustomReply Yes You can specify only the text part of the message Text must be quoted if it contains white spaces Example S50 5 70 MWesxic pare WHE reply Default value ReplyError DrWEB anti virus Message is rejected due to software error R Custom message used as an SMTP repy when ReplyBlockByFilename BlockByFilename reject action is applied and also when text value UseCustomReply Yes You can specify only the text part of the message Text must be quoted if it contains white spaces Example 550 5 7 0 Text part of reply Default value ReplyBlockByFilename DrWEB MailD Message is rejected due to filename
144. path to certificate Please note that the user whose privileges are used by the IMAP filter usually drweb user must have read access to the file with the certificate In the current program version caching of SSL sessions is not supported Default value ServerTLSSettings ClientTLSSettings TLS SSL TLS SSL settings used for client communications over IMAP settings Eyaracle ClientTLSSettings use sslv2 no private key file path to pkey certificate path to certificate Please note that the user whose privileges are used by the IMAP filter usually drweb user must have read access to the file with the certificate In the current program version caching of SSL sessions is not supported Default value ClientTLSSettings IoTimeout Timeout for all input output operations with the client s socket time when operation is in progress Default value IoTimeout 60s Ta J N ax ProcessingTimeout time MinFilterIMpildtorectios numerical value MFilterMildomections numerical value FilterMildegiliwTime time CallbackPoolOptions pool options PoolOptions pool seoptions MaxConnections numerical value MaxConnectionsPerIp numerical value Dr Web MailD Timeout for drweb maild to process messages Default value ProcessingTimeout 60s Minimum number of connections between IMAP filter and drweb maild Default value MinFilterToMaildConnections 2
145. pattern If UseCustomReply No or the corresponding string is not specified the following standard message outputs The message has been rejected by the Dr Web MailD Examples The following examples shows how to set actions of the Drweb anti virus plug in 1 Example of setting Suspicious action If a message is infected by an unknown suspicious object it is necessary to reject the message move it to Quarantine and add a new header x DRWEB PLUGIN CHECK STATUS which value is extracted from the string with ID 120 in the default lanquage file Suspicious reject quarantine notify add header X DRWEB PLUGIN CHECK STATUS 120 2 Example of setting ArchiveRestriction action If a message contains an attached archive and this archive violates restrictions specified for archive checking the message must be passed to the recipient or checked by the rest of the plug ins but it is also necessary to increase the message score by 100 points and notify the administrator on that ArchiveRestriction pass notify score 100 Ta J i ax Dr Web MailD Vaderetro Anti Spam Plug In Vaderetro is a plug in used in Dr Web for UNIX mail servers It filters out spam using VadeRetro library designed by Vade Retro Technology company a division of GoTo Software company VadeRetro library analyzes mail in the autonomous mode without requesting external sources for additional information on spam Moreover the library as
146. period ignore plugin The command is used for receiving statistics on the current user specified instead of client email e If statistics on the specified address does not exist for example the address is incorrect an empty string is output e If the address is alias statistics on the main address is output Optional parameters can be set in random order stat remove client period ignore plugin Removal of statistics As a result number of deleted records is displayed stat remove group client group period ignore plugin Removal of statistics on the group client group As a result the number of deleted records is displayed stat remove email client email period ignore plugin Removal of statistics on the specific user client email As a result the number of deleted records is displayed remove old stat time Removal of all statistics on all groups and users if it is older than the time set in time type time If the value is not set all statistics older than 24 hours is removed Ta J N aX Dr Web MailD dump cache stat Import the internal cache of general statistics on Clients to the internal database This function is periodically called by the software itself It is also called on receipt of a SIGHUP signal or shutdown Statistics Output Statistics on operation of each plug in is output in the following format which consists of two parts 1 General statistics
147. presented in three variations for major UNIX based operating systems UNIX systems hereinafter Linux FreeBSD and Solaris x86 As far as all these solutions for UNIX systems differ from each other only slightly all of them will be referred to as Dr Web for UNIX mail servers Critical differences are described in the corresponding chapters and paragraphs The manual is designed for a person responsible for anti virus protection and security Administrator hereinafter Filtration of email correspondence in UNIX systems has the following features e Monitoring of all incoming SMTP traffic to provide virus detection and neutralization In most cases viruses are not directly aimed at UNIX systems For example through electronic mail ordinary Windows viruses are distributed including macro viruses for Word Excel and other office applications e Filtration of spam and other unsolicited messages Dr Web for UNIX mail servers performs both tasks mentioned above A range of problems to be solved by Dr Web for UNIX mail servers is limited only by the set of installed components receivers of incoming messages and senders of outgoing messages and plug ins special libraries responsible for direct processing of messages If necessary a user can extend function set of the solution by adding new modules created in C or C programming languages That is possible due to the use of unified interface API To access the API new client module
148. protocol for example Sendmail or Postfix Qmail contains settings of interaction with the Qmail mail system This section is optional and can be absent However this section is mandatory if Dr Web for UNIX mail servers is integrated with the Qmail mail system IMAP contains settings of Dr Web for UNIX mail servers operation as a proxy between mail system and mail clients that use the IMAP protocol This section is optional and can be absent if Dr Web for UNIX mail servers is not used as a proxy between mail system and mail clients that use the IMAP protocol POP3 contains settings of Dr Web for UNIX mail servers operation as a proxy between mail system and mail clients that use the POP3 protocol This section is optional and can be absent if Dr Web for UNIX mail servers is not used as a proxy between mail system and mail clients that use the POP3 protocol In the configuration file only sections that contain parameters of interaction between Dr Web for UNIX mail servers and integrated MTA are mandatory Sections with parameters of interaction with unused MTA are ignored even if the sections are present For details on using configuration file sections on integration with different mail systems see MTA connections The following sections contain parameters of connection to different data sources LDAP relational DBs text files LDAP contains parameters of connections to of connection to LDAP data sources
149. resolve dependences remain in the system 2 The second variant of the command removes from the system all packages names of which start with the drweb string this is a standard pattern for a Dr Web package name Please note that this command removes from the system all packages which name corresponds to the pattern not only those of Dr Web for UNIX mail servers You can also use alternative package managers or example YaST to install or remove the packages FreeBSD operating system Installation You can install Dr Web products from meta ports for FreeBSD Download the drweb maild meta_current current freebsd_all tar gz archive from __http officeshield drweb com drweb freebsd ports After that unpack the archive and use the make install command to compile and install Dr Web for UNIX mail servers If you install Dr Web for UNIX mail servers in FreeBSD 6 1 specify the path to the usr ports Mk directory using the I parameter That directory contains the ports tree Example tar xzvf drweb maild meta_current current freebsd_ all tar gz make install I usr ports Mk Please note that after you update Dr Web for UNIX mail servers from native packages it is required to restart the suite To do that reload Dr Web Monitor by running the following command etc init d drweb monitor restart An attempt to reload the module by sending a SIGHUP signal will cause an error if the plug in libraries were updated 46
150. score for the certain IP address and the number of messages passed to MailD core equals to 20 score per msg 20 e ratio between the general score for the certain IP address and the number of connections from this IP address equals to 30 score per conn 30 e number of invalid recipients declined after the RCPT TO command transferred by the SMTP client equals to 3 min wrong rcpts 3 anti_dha filter is triggered if e ratio between the number of invalid message recipients declined after the RCPT TO command and the number of valid recipients equals to 0 02 wrong per valid rcpts 0 02 e number of invalid recipients declined after the RCPT TO command transferred by the SMTP client Ta J 1 aX Dr Web MailD equals to 20 min wrong rcpts 20 Please note that when an IP address is checked by SessionRestriction on the connection stage only those scores are considered that were counted for this IP address during the previous session and the current stage So min_conn counter is always activated before the others If the IP address passed SessionRestriction restriction but on next session stages its scores exceed the thresholds specified in the Reputation IP Filter settings then the IP address is not blocked until the next session for this IP address is established Simultaneous Use of Several Receiver Sender Components You can connect several Receiver and or Sender components to drweb maild simultaneously This feature
151. service characters In the modification rules for the plug in it is strongly not recommended to use values and regular expressions that contain quotation marks or a backslash because their escaping with the character can cause an error when parsing the string in the Dr Web MailD configuration file However if it is necessary to use such characters follow the rules e when using quotation marks in modification rules several characters are necessary to escape the marks In the current version of Dr Web MailD 6 backslashes are required e to escape a character specify 7 backslashes before it e single quotation mark apostrophe does not require escaping Examples To reject messages with a subject that contains quotation marks or one character respectively GlobalRules select mime headers Subject if found reject endif GlobalRules select mime headers Subject if found reject endif Reject messages with a subject that contains the following text text quoted text GlobalRules select mime headers Subject text quoted text if found reject endif Connecting Modifier Plug In To connect Dr Web Modifier plug in to Dr Web for UNIX mail servers add the modifier string to the list of plug ins for message processing in the Dr Web MailD configuration file If you want messages to be processed by Dr Web Modifier plug in before they are imported
152. settings of Dr Web Headersfilter plug in which allows filtering of messages by their headers Scan encoded headers Yes a w Configuration Dr Web Console for UNIX mail servers s running Co ss eo eS Ea Ee Eee vy Common Headers scan before decoding more gt gt Reject Prefix custom value J Value Message filtering rules more gt gt Reject embedded parts Prefix custom value Value Rules are similar to those from RejectCondition Parameter but they affect only headers of attached objects more gt gt Accept embedded parts Prefix custom value J value Action Main action reject a Additional actions Rules are similar to those from AcceptCondition parameter but they affect only headers of attached objects more gt gt notify x quarantine redirect __ O addheader _ sd addscore __ SCSY Use custom reply Action to be applied to filtered messages more gt gt Reply strings to be used as SMTP reply when Apply and Save Settings No zi messages have been rejected Log verbosity level Plug in log verbosity level info a The string HEADER Figure 41 Header filter settings regular expression must be specified in the Value field for all Condit
153. single copy of a message is saved when required Each sender recipient address pair can cause an intercept which can specify a file to save the message to This variable is appended to elsewhere and processed at the end of this function Add the following gt Dr Web MailD support ch DEFAULT BIN PATH drweb zmailer sh hash _ EDIT THIS file SPOSTOFFICE router S file case Sch in 1 reject or disacrd bin rm f file return 1 tempfail bin rm f file return Re f esac gt end of Dr Web MailD support Replace EDIT THIS value of the hash parameter with the value equal to the one of the SecureHash parameter in the Sender section of Dr Web MailD configuration file and specify Yes for the UseSecureHash parameter in the same section Additional Settings A simple way to disable receipt of messages with an empty SMTP sender envelope usually error messages or messages saying that delivery failed are sent with an empty SMTP envelope also such messages are often sent by spammers is to install policytest c XXX patch Installation procedure is similar to installing smtpdata c XXX patch file As ZMailer starts drweb zmailer module each time a new message is processed for optimized system performance all drweb zmailer settings must be specified in the command line they can be defined for example in drweb zmailer sh script Parameters that can be specified in th
154. subdomains in the list of protected domains Default value IncludeSubdomains yes Settings for a pool of threads that process messages before they are queued Default value InPoolOptions auto Settings for a pool of threads that process messages after they are queued Default value OutPoolOptions auto email address where messages are sent to when Redirect action is used if the address is not specified as a parameter of the Redirect action Default value RedirectMail root localhost Send control messages only from the protected network If Receiver did not provide information about client s IP address set GetIpFromReceivedHeader Yes that enables MTA to add the correct Received header to all messages before transmitting them to Dr Web for UNIX mail servers To ensure correct work of control messages all outgoing email traffic of clients must be scanned by Dr Web for UNIX mail servers Default value OnlyTrustedControlMails Yes Maximum message score If message score exceeds this parameter value actions specified in the MaxScoreAction parameter are applied to this message and message check stops This parameter is checked before a message is transmitted to plug ins and after the message is checked by each plug in Default value MaxScore 10000 Actions applied to the message when its score exceeds the threshold value specified in the MaxScore parameter More than one action can b
155. the SpamThreshold parameter value See also a note below the table Default value SubjectPrefix Prefix added to the message subject if the message is identified as unconditional spam by Vaderetro plug in according to the message score the message score must be greater than or equal to the UnconditionalSpamThreshold parameter value It is added when a message score is greater than the UnconditionalSpamThreshold parameter value See also a note below the table Default value UnconditionalSubjectPrefix Prefix added to the message subject if the message is identified as spam or unconditional spam by Vaderetro plug in according to the message score and moreover classified as DSN message of group 3 by the VadeRetro library See also a note below the table Default value NotifySubjectPrefix If a message is sent from a protected network specified in the ProtectedNetworks list in the Maild section of the main Dr Web MailD configuration file the message score increases by the specified value the value may be negative Ta yan A A Dr Web MailD 307 If you want to disable this function specify 0 as a value of this parameter Default value FromProtectedNetworkScoreAdd Manages the ProtectedNetworkReplyCacheLifeTime and UseReplyCache ReplyToProtectedNetworkScoreAdd parameters enables Yes No and disables use of reply cache This cache is used as temporary storage of the messag
156. the gt A Headers link and attachments if there are any Click the Back to quarantine button to return to the main Quarantine screen Navigation Pane previous fl 2245862883 10 nt gt lems perpage 10 v Oisplayed records 1 10 from a total of 4677 Figure 35 Navigation pane Additional navigation tools include e page navigator to go to the previous or next page of the table displayed as previous and next links you can use the following keyboard shortcut press CTRL together with the right or left arrow to go to the next or previous page correspondingly e page navigator for browsing through all pages of the table displayed as page number links Link to the current page is not active and is marked with green colour e indicator of the total number of messages in the list and number of messages displayed on the page You can adjust the number of messages displayed on the page To do that select one of the available numbers from the drop down list 10 20 50 100 After you select the required number the table is automatically reformatted A After the table is reformatted or its content is sorted all previous selections are removed Configuration You can select required parameter values from drop down lists by clicking lus buttons or specifying the values manually in the corresponding text fields Detailed description of each parameter is provided in the Help system To use it click more gt gt Aft
157. the required value is found or not Parameter value is determined according to the rule search results in the following way e If the searched parameter is found in one of the matching rules the value is taken from the SETTINGS part note that if more than one of the matching Rules contain this parameter its result value depends on the parameter semantics For details see Rule Format and Special Cases e If no rule is found no rule is matching or no matching rule contains the searched parameter its value is taken from the corresponding section of the configuration file e If the searched parameter is not specified in the configuration file the default parameter value is taken Rule Format Rule format Each message processing rule is specified as a string of the following type CONDITION stop cont SETTINGS where e CONDITION condition which must be true for a message to which settings and or actions specified in the SETTINGS part are applied e SETTINGS settings and or actions applied to a message for which CONDITION part of the rule is true Note that the SETTINGS part can be absent That can be in one of the following cases 1 If the Rule does not contain specific settings and is used for filtering 2 If the Rule uses settings that are loaded from an external source while the CONDITION is check Lookup from LDAP DB file or another source is used e Directive following the CONDITION part specifies
158. the contrary case When the condition is true actions specified afterwards are applied until either the end of branching endif operator or an alternative branch operator is found The alternative branch else lt action or list of actions gt can be absent In this case when the condition is false execution continues after the endif statement In the lt action or list of actions gt part a new selection can be formed with the select operator and its condition is validated i or goto The new selection substitutes the previous one which was used for condition validation For example select lt A gt if found select lt B gt reject endif In this case set of elements lt A gt is selected If the selection is empty execution goes to endif and 320 Ta AN ax N Ww Dr Web MailD stops no action is performed to the message Otherwise new selection is formed from the message specified as lt B gt at that it substitutes the previous selection lt a gt for subsequent operators If the selected set is not empty the message is rejected Otherwise no action is performed to it reject action is ignored for an empty lt B gt selection Branching depending on a message score if score lt op value gt lt action or list of actions gt else lt action or list of actions gt endif The if score condition is true if the current message score corresponds to the specified expression The if score comma
159. the following Rule is specified in the Rules section of the main configuration file Rules true cont modifier LocalRules select message append text Scanned 4 modifier LocalRules quarantine In this case the following procedure is performed for the message with the test drweb com sender address 1 At first Rules from the built in database are applied As they are identically true true is specified as condition their values are used Moreover the modifier LocalRules parameter has additive semantics and values from the Rules are sequentially concatenated 2 According to the third Rule rules field value for the test drweb com address is queried from the database The received value is added to the current concatenated parameter value 3 As stop directive did not occur and the modifier LocalRules parameter has additive semantics true Rules in the Rules section of the configuration file are searched Found values of the modifier LocalRules parameter are concatenated 257 Ta J i ax Dr Web MailD As the result for the message sent to test drweb com the modifier LocalRules parameter has the following concatenated value modifier LocalRules select message append text Scanned 1 quarantine select message append text Scanned 2 select message append text Scanned 3 select message append text Scanned 4 quarantine Error Handling and Rule Validation Err
160. this parameter is deprecated and is not used anymore Default value FrozenTimeout 2h DeleteTimeout Maximum time period for a message to be stored in the mail time database Ta 1 ax Dr Web MailD 150 Default value DeleteTimeout 48h BackupPeriod Time period for a mail database backup ied TE When the parameter value is set to 0 no backup is performed Default value BackupPeriod 0 BackupName Name of mail database backup file ee a aae If the specified file name ends with question mark 2 each backup is stored in a separate file and the question mark in the file name is replaced with the time value when the copy is created Default value BackupName bvar dir msgs db maildb backup MaxBodySizeInDB Maximum size of a message body stored in mail database a When size of a message body exceeds this parameter value the message is stored in a separate external file Default value MaxBodySizeInDB 1k SyncMode Synchronization mode used for internal database Moguicaulk i pare a If the value of this parameter is set to yes the fsync function is called for each transaction As a result the database stored on disk is always up to date but system performance is decreased in some cases only slightly If the value is set to No OS buffering is used for database synchronization As a result on drweb maild module emergency shutdown data from the last transactions can be
161. threads in the pool e active number of threads in active state at the moment of record creation e pending number of tasks that are wait for free thread in the pool at the moment of record creation e min minimal possible number of threads in the pool e max maximal possible number of threads in the pool e threshold step by which the number of threads in the pool is increased decreased if necessary Statistics is not aggregated Upon receipt of time signal the current state of the pool is fixed Moreover separate files with statistics are created for certain pools Statistics is also saved to such files upon receipt of STGUSR1 signal and Dr Web MailD shutdown Files with statistics are named according to the following patterns e name callback clilsrv unique id txt for statistics on connections e name callback thr N unique id txt for statistics on pools where e name name of the component name of the corresponding module without drweb part e callback callback of the Receiver interface e cli for client connections e srv for server connections e unigue id for modules started with the unique identifier e thr fora thread pool If such file already exists statistics is added to the end of this file Each record starts with the following start Tue Oct 9 14 44 15 2008 curr Tue Oct 9 14 44 29 2008 period Od Oh Om 14s where e start time of the previo
162. to process messages Default value PendedConnections 64 CanChangeBody Enables MTA to modify the body of a message received from the logical mail system Postfix MTA supports this function in version 2 4 or later In the current version this parameter cannot be changed with SIGHUP signal restart of Dr Web MailD is required If this parameter value is set to yes a checked message is Ta 1 ax ProcessingTimeout time ProcessingErrors action MinPersistConnection numerical value UseStat logical Dr Web MailD returned to MTA delivery queue with drweb milter Receiver regardless of what queues after queue or before queue the checking plug ins are assigned to If this parameter value is set to No a checked message is returned to MTA delivery queue with drweb sender Sender if the message was modified during the check for example when a virus was removed as in this case the message cannot be returned to the mail system queue and it is transmitted to MTA as a new message If the message was not modified it is returned to the MTA delivery queue with drweb milter Receiver regardless of what queues the checking plug ins are assigned to All service notifications including DSN reports redirected with redirect action and cloned messaged are sent only with drweb sender Sender regardless of the CanChangeBody parameter value and what queues the checking plug ins are assigned
163. to the database add the plug in name to the list of the BeforeQueueFilters parameter values from the Filter section of the Dr Web MailD configuration file Example BeforeQueueFilters modifier If you want messages to be processed by Dr Web Modifier plug in after they are imported to the database add the plug in name to the list of the AfterQueueFilters parameter values from the Ta J 1 ax Dr Web MailD 323 Filter section of the Dr Web MailD configuration file Example AfterQueueFilters modifier Setting Modifier Plug In All main parameters that regulate plug in operation are set in the etc dir plugin modifier conf configuration file Description of the configuration file structure and parameter types can be found in Configuration Files Parameters are described in the order they appear in the main configuration file In the Modifier section general settings for Dr Web Modifier plug in are specified Modifier section List of global modification rules used by the plug in for message GlobalRules processing list of rules Example The rule below adds a note in the html format to the message GlobalRules select message append html lt b gt checked lt b gt The rule below deletes messages from the specified users GlobalRules select mime headers From weirdohacker server net if found reject endif Default value GlobalRules R Encoding that the plug in uses fo
164. to the MailD core component which is responsible for message check 2 MailD core performs MIME parsing of the messages and transmits them to plug ins The components is also responsible for saving the messages to the storage Parameters for the processed message are selected in the following order a search for Rules stored in the built in database and associated with the recipient the recipient is determined according to the RCPT TO specified by the sender b search for Rules stored in the built in database and associated with the user groups which the recipient belongs to The search is performed in reverse order until the parameter value is found from the last to the first group in the list c search for the parameter value from Rules defined in the configuration file Rules section Rules are searched according to the following procedure o All Rules are checked in the order they are specified in the current group of Rules o For each Rule its CONDITION is checked If the CONDITION is true the parameter value is searched in the SETTINGS part of the Rule o If the CONDITION is false the Rule is rejected and the next Rule is checked o If the CONDITION is true and is followed by the cont directive the Rule is rejected and the next Rule is checked If the CONDITION is true and is followed by the stop directive the search stops regardless of whether the parameter value is found or not As the result of a rule check
165. total value of its positive scores Please note that enabled full check when Fullcheck Yes can slow down the overall operation speed Also if this parameter value is set to Yes specifying the message sender in the white list see below might have no effect the message can be classified as spam based on the analysis of its inner content even if its sender belongs to the white list Default value FullCheck Yes R yes value of this parameter disables check of messages sent to NoHamFrom the addresses specified in the embedded ham list of VadeRetro logical library for example nospam domain ru Note that the list is embedded and cannot be modified Default value NoHamFrom Yes R Add x Drweb SpamState and x Drweb SpamScore headers AddXHeaders to a message iogneali eos 4 ER j The first one contains information whether or not a message is spam The second one contains the total message score after full check Default value AddXHeaders Yes R Add x Drweb SpamVersion header with information on AddVersionHeader Vaderetro version iogmeali oeae Default value AddVersionHeader No R Add x Drweb SpamState Num header to a message Ta yan A A Dr Web MailD 303 AddXDrwebSpamStateNumHeader It includes numerical value assigned by the VadeRetro library aliogucalsy according to the classification results a message can be classified as one of the following
166. value Ta yas A A Dr Web MailD 277 A notification can be one of the following three types e MailD notifications sent on a certain message Notifier uses message processing Rules for details on the Rules refer to the Message Processing Rules section to check whether it is required to generate a notification for each of the following participants e message sender e message recipients individual notifications are sent to those recipients for whom different notification settings are specified e Dr Web MailD administrator Name of the template file used for generation of notifications is formed by adding the sender repts_ and admin_ prefixes respectively to the name of the event on which notification is generated and adding the msg extension Thus a template file name corresponds to the following regular expression admin rcpts sender msg For example sender virus msg is a name of a template used for notification on virus detection If a template with such a name is not found an error occurs Events on which MailD notifications can be generated and suffixes used to indicate a type of the event are listed in the table below archive Attached archive is not checked due to violation of archive check restrictions specified for the scanning Dr Web Daemon cured Successful attempt to cure a threat detected in a mail attachment error Error occurred when checking the message license Failure to c
167. value is not specified email addresses defined in the AdminMail parameter value in the Notifier section are used You can specify several email addresses separated by commas Please note that if the value of the Mail parameter is set reports are not sent to the address specified in the AdminMail parameter Default value Mail List of plug ins for which report is created The plug ins are separated by commas If this parameter value is not specified report is created for plug ins listed in the BeforeQueueFilter and AfterQueueFilter parameters in the Filters section Default value Names Outputs to the report the lists of frequently blocked objects and addresses from which maximum amount of blocked objects was sent The parameter value defines number of entries in each list If the parameter value is set to 0 lists are not created If the parameter value is set to 1 size of the lists is not limited Default value TopListSize 20 Maximum period of time to store statistics in the reports database If the parameter value is set to 0 old entries are not deleted Note that this parameter is deprecated and is not used anymore Default value MaxStoreInDbPeriod 31d Period of time at the end of which old entries are deleted from the reports database Note that this parameter is deprecated and is not used anymore Default value CheckForRemovePeriod 5m In the Logging section parameters for log files
168. values are used directly Special symbols You can use the following special symbols in Lookup queries e s is substituted with the requested element For example if an address is requested s is substituted with the full address without angle brackets if a domain is requested s is substituted with the domain name e Sd if an address is requested d is substituted with the domain part of this address Otherwise the full address is inserted e Su if an address is requested u is substituted with the username from this address If a domain is requested an empty string is inserted e is substituted with a single Note that in some cases values of special symbols cannot be determined for substitution during Lookup Primarily it concerns parameters used by Receiver component to check SMTP restrictions SMTP LMTP on the INTRO stage of SMTP session connection of a client On this stage e For all checks whether the client s IP address is in the network list see the ProtectedNetworks parameter in the Maild section o s IP address of the connected client o d u empty as the corresponding value is not determined e For all checks whether the client s domain is in the domain list see the ProtectedDomains parameter in the Maild section o s domain name of the client s host if FQDN was resolved otherwise its IP address o d Ss o Su empty as the corresponding value is not determined On nex
169. will not be checked Default value MaxBasesObsolescencePeriod 24 Dr Web Agent socket address Example ControlAgent inet 4040 127 0 0 1 local var dir ipc agent Dr Web Scanner receives a license key file and configuration from Dr Web Agent if OnlyKey No Default value ControlAgent local var dir ipc agent Enables receiving only a license key file from Dr Web Agent without configuration At that Dr Web Scanner uses the local configuration file If the value is set to No and the address of a Dr Web Agent socket is specified Dr Web Agent also receives statistics on Dr Web Scanner operation information is sent after scanning of each file Ta 2 ww ax Dr Web Command Line Scanner 68 Default value OnlyKey No Exit Codes When the scan task ends Dr Web Scanner returns an exit code which determines result of scanning The exit code is always constructed as an combination sum of codes that are related to the corresponding events of scanning process The possible events and related codes are following al 2 4 8 16 32 64 128 Known virus detected Modification of known virus detected Suspicious object found Known virus detected in archive mailbox or other container Modification of known virus detected in archive mailbox or other container Suspicious file found in archive mailbox or other container At least one infected object succesfully cured At least one infect
170. 18 Undefined symbol strnlen Solution This error is detected only on FreeBSD OS and if the solution includes libc so 7 library in the usr local drweb 1ib 64 directory To solve the problem replace the libe so 7 library in the usr local drweb 1ib64 directory to a similarly named symbolic link to the system library lib libc so 7 Description In the Dr Web MailD log the following messages are registered Can not send msg from temp dir lt dir path gt gt remove dir and forget about it where lt dir path gt path to a directory in the message storage for example var drweb msgs db A 00000B9A Solution The situation described above does not indicate an error in message processing Such messages can be logged due to a repeated attempt to send messages when Dr Web MailD is restarted after an emergency shutdown These lines in the log are indicators that messages were successfully sent to the target MTA but MailD core the central component did not finish clearing directories in the message 355 Ta J 1 ax Dr Web MailD storage Description Users of MS Exchange mail server receive unreadable DSN if messages sent by them were not delivered Solution The situation described above is related to features of MS Exchange that is not fully compliant with RFC 3464 requirements To solve the problem replace the standard dsn msg DSN notification template to the special version designed specially for
171. 238 The list of messages is composed according to the unique identifiers that are relative paths to the quarantined messages To set the identifiers you can use the following special template symbols e z corresponds to the symbol sequence of zero or indefinite length _ corresponds to one arbitrary symbol Note that every identifier must start with def Example def 00014F7F all messages moved to Quarantine and number of which contains 00014F7F sequence or is equal to it def drweb all messages moved to Quarantine by Drweb plug in File identifiers are taken from the command line or from search criteria specified on the startup see below If the search criteria and file identifiers in the command line are specified simultaneously they are joined If neither an identifier in the command line nor search criterion is specified the identifier is expected in the standard input The following commands are available e view view all messages with a certain identifier via the program specified in the PAGER environment variable If no value is specified the cat program is used e send send all messages with a certain identifier to the original recipients For dispatch the drweb inject utility is used e redirect list _of_rcpts send all messages with a certain identifier to the addresses from the list of rcpts list For dispatch the drweb inject utility is used e remove remove all messages with
172. 36 Dr WEB Anti virus Anti spam for UNIX mail servers Administrator Manual Doctor Web 2014 All rights reserved This document is the property of Doctor Web No part of this document may be reproduced published or transmitted in any form or by any means for any purpose other than the purchaser s personal use without proper attribution TRADEMARKS Dr Web SpIDer Mail SpIDer Guard CureIt CureNet Dr Web AV Desk and the Dr WEB logo are trademarks and registered trademarks of Doctor Web in Russia and or other countries Other trademarks registered trademarks and company names used in this document are property of their respective owners DISCLAIMER In no event shall Doctor Web and its resellers or distributors be liable for errors or omissions or any loss of profit or any other damage caused or alleged to be caused directly or indirectly by this document the use of or inability to use information contained in this document Anti virus Dr Web for UNIX mail servers Version 6 0 2 Administrator Manual 01 12 2014 Doctor Web Head Office 2 12A 3rd str Yamskogo polya Moscow Russia 125124 Web site www drweb com Phone 7 495 789 45 87 Refer to the official web site for regional and international office information Doctor Web Doctor Web develops and distributes Dr Web information security solutions which provide efficient protection from malicious software and spam Doctor Web customers can be fou
173. 5727 P 1 C 1 PS 539 CS 539 WT 11 20120311T165953 P 1 U 1 F 1 DE PS 539 US 539 FS 539 WT 51 vaderetro 20120311T165953 P 1 U 1 PS 539 US 539 WT 5 modifier 20120311T165953 P 1 C 1 PS 539 CS 539 WT 3 headersfilter 20120311T170453 P 1 F 1 PS 539 FS 539 drweb 20120311T170453 P 1 C 1 DE 1 PS 539 CS 539 WT 11 20120311T171208 P 1 U 1 F 1 PS 539 US 539 FS 539 WT 52 vaderetro 20120311T171208 P 1 U 1 PS 539 US 539 WT 5 modifier 20120311T171208 P 1 C 1 PS 539 CS 539 WT 3 headersfilter 20120311T171412 P 1 F 1 PS 539 FS 539 WT 33 drweb 20120311T171412 P 1 C 1 DE 1 PS 539 CS 539 WI 5 E 1 E 1 Ta J i ax Dr Web MailD 234 3 Request for statistics on blocked messages only for all plug ins gt stat client ignore total drweb 20120406T194038 root testlab solaris i drweb ru 10 3 0 91 No such file or directory DE DE No such file or directory DE DE Trojan Grab DI No such file or directory DE DE drweb 20120406T194039 root testlab solaris i drweb ru 10 3 0 91 No such file or directory DE DE No such file or directory DE DE Trojan Grab DI No such file or directory DE DE drweb 20120406T194040 root testlab solaris i drweb ru 10 3 0 91 No such file or directory DE DE No such file or directory DE DE Trojan Grab DI No such file or directory DE DE 4 Request for
174. 6 Ta 1 ax Dr Web MailD 117 MailBase MailD core Quarantine Sender Notifier plugin Some modules also support modification dispatching of received email messages as well as receiving of verification results from the MailD core component for example the drweb milter module supports this option and returns verification results to the Sendmail mail system before the SMTP session terminates Special database which stores received email messages until their check completes and they are sent to the recipient if the plug ins operate in the asynchronous mode email messages are stored as files in file storage The component also contains lists of users message recipients their groups their personal settings of message processing as well as aggregated statistics The main component Parses the MIME parts of email messages transmits messages for check to plug ins and saves messages into a database Received verification results are sent either to the Receiver component if the message is processed in the asynchronous mode and the timeout is not expired or to the Sender component The checked message if allowed is transferred for delivery to the Sender component Functions of this component are performed by the drweb maild module The special directory of a file system or DBI storage Used for temporary storage of email messages which were marked as suspicious or malicious if an email message was not de
175. 6 0 0 2 X 14 Dr Web Mail Daemon HeadersFilter plugin 6 0 0 2 X 15 Dr Web Mail Daemon Modifier plugin 6 0 0 2 X 16 Dr Web Mail Daemon VadeRetro plugin 6 0 0 2 X 17 Dr Web Mail Daemon 6 0 0 2 X 18 Dr Web Maild Web Interface 6 0 0 2 X 19 Dr Web mail server and mail gateways documentation 6 0 0 2 X 20 Dr Web Monitor 6 0 0 3 X 21 Dr Web Antivirus Scanner 6 0 1 3 X 22 Dr Web Updater 6 0 0 4 To select a package you want to remove or deselect some previously selected package enter the corresponding package number and press Enter You may enter A or All to select all the packages and N or None to deselect all of the m Enter R or Remove to remove selected packages Enter 0 Q or Quit to quit the dialog ALL values are case insensitive Select 3 To select components to remove follow the prompts 4 To confirm you selection and start uninstallation enter Y or Yes they are case insensitive and press ENTER user hostname Mann Mpaska Bug drweb agent drweb bases drweb boost144 drweb common drweb daemon drweb epm6 0 0 Libs drweb epm6 0 0 uninst drweb gperftoolso drweb libs drweb libvaderetro drweb maild cgp drweb maild common drweb maild plugin drweb drweb maild plugin headersfilter drweb maild plugin modifier drweb maild plugin vaderetro drweb maild drweb monitor drweb scanner drweb updater Are you sure you want to remove the selected packages YES no 5 You can res
176. 8 0410 12 27 1KB KM yo yo anonhost test maildesk Opnnovect o saKkonynnoce 28 0410 12 27 9820 I yo yo anonhost test maildesk Npemnoxenne no pexname 28 0410 12 27 84K O yoyo anonhost test maildesk 15 axupit 340 Fpynnet npeanpuatnh OCT npogam 28 0410 12 27 2KB r yoyo anonhost test maildesk AOkyMeHTbI ANA npekpawenna Aoropopa 28 0410 12 27 4KB I i yo yo anonhost test maildesk Gnoxu 28 0410 12 27 2KB D yo yo anonhost test maildesk Doctorate degree can be yours 23 0410 12 27 1KB O yo yo anonhost test maildesk Homenknatypa aen otaena Kanpos 28 04110 12 27 4KB O yoyo anonhost test maildesk Oprah certified wieght loss solution Acai Berri 28 0410 12 27 2KB Figure 33 List of messages Administrator has access to all quarantined messages sent to recipients from groups controlled and managed by this Administrator Tabular data is organized in the following way Status column contains information about the message status reason why it was moved to Quarantine Status is displayed as one of the following icons message contains virus W message is marked as spam 4 message is quarantined according to internal filtering rules message evoked an error during processing When you move the pointer over the status icon a tooltip appears with detailed description of the reason why the message was quarantined Sender column contains information about the sender s email address You can sort messages
177. ANGS macro Content Transfer Encoding for the current language The value for a certain language is specified in the language file Name of the current macro is specified by the SLANGS macro Notification content type HTML or PLAIN The content type is specified by the html parameter in the message processing Rules Complete set of mail message headers Internal message identifier in MTA which transmitted the message Message subject empty if the subject is not specified When inserted to the generated message the macro value is converted if required according to SCHARSETS and SCONTENT_TRANSFER_ENCODINGS macro values Message subject empty if the subject is not specified Is not converted to another encoding or CTE when inserted Address of the original message sender List of all message recipient addresses This macro can have a list as a value and can be used in loops for details refer to Control constructions This macro is similar to RCPTSS if the message has only one recipient Otherwise the macro value is set to Recipients of original message lt gt Records from the Dr Web MailD log file that contain information on processing of the message on which the notification is generated Record from the Dr Web MailD log file that contain the reason for sending this notification Plug in report on analysis of the message on which the notification is generated Status of the original message specified by
178. All mail fails are scanned regardless of the ScanFiles parameter value Default value ScanFiles All Enables or disables scanning of subdirectories Default value ScanSubDirectories Yes Enables or disables checking of files in archives RAR ARJ TAR GZIP CAB and others Default value CheckArchives Yes Enables or disables checking mail files Default value CheckEMailFiles Yes Masks for files to be skipped during scanning Multiple values are allowed separated by commas Default value ExcludePaths proc sys dev Allows or forbids Dr Web Scanner to follow symbolic links during scanning Default value FollowLinks No Mask for renaming files when the Rename action is applied Default value RenameFilesTo Path to the Quarantine directory Default value MoveFilesTo var dir infected Enables or disables Delete action for complex objects archives mailboxes HTML pages if they contain infected files Please note if the action is enabled a whole complex object is to be deleted Use this option carefully Default value EnableDeleteArchiveAction No Sets one of the following actions upon detection of an infected file Report Cure Delete Move Rename Ignor Delete and Move actions are applied to a whole complex object upon detection of infected files within it Default value InfectedFiles Report Ta J 1 ax SuspiciousFiles action Incura
179. C 3463 e SIZE RFC 1870 e AUTH RFC 4954 When Dr Web MailD operates in the SMTP LMTP proxy mode the following modules must be running in the system this is specified in mmc file of the Dr Web Monitor e drweb notifier e drweb sender e drweb receiver e drweb maild All settings for drweb receiver and drweb sender modules are collected in the Receiver and Sender sections of the Dr Web MailD configuration file and described in Receiver and Sender sections of the current Manual Also it is additionally necessary to make that the Dr Web Monitor component has been launched with the root privileges to provide this specify root value for User and Group parameters in the Monitor section of monitor conf configuration file When mail is received directly from the Internet drweb receiver uses implemented anti spam technologies that make mail filtering easier and more efficient and allow filtration on the SMTP session stage e SMTP session restriction control technology 328 Ta J 1 ax Dr Web MailD e Technologies to estimate reputation of the connection sender Reputation IP Filter and Unified Score See also recommendations on using synchronous and asynchronous modes of message processing SMTP Callback Mode Dr Web MailD can operate as both a proxy server for SMTP LMTP protocol and as a service for checking emails in the Callback mode In this mode MTA which receives an
180. DEBUG cured from allow Thu May 29 16 03 44 2009 3081324208 maild rules DEBUG Thu May 29 16 03 44 2009 3081324208 maild rules DEBUG error from allow admin allow Thu May 29 16 03 44 2009 3081324208 maild rules DEBUG Thu May 29 16 03 44 2009 3081324208 maild rules DEBUG license admin allow Thu May 29 16 03 44 2009 3081324208 maild rules DEBUG Thu May 29 16 03 44 2009 3081324208 maild rules DEBUG malware from allow to allow admin allow Thu May 29 16 03 44 2009 3081324208 maild rules DEBUG Thu May 29 16 03 44 2009 3081324208 maild rules DEBUG rule admin allow Thu May 29 16 03 44 2009 3081324208 maild rules DEBUG Thu May 29 16 03 44 2009 3081324208 maild rules DEBUG skip from allow Thu May 29 16 03 44 2009 3081324208 maild rules DEBUG Thu May 29 16 03 44 2009 3081324208 maild rules DEBUG virus from allow to allow admin allow Thu May 29 16 03 44 2009 3081324208 maild rules DEBUG scan all Thu May 29 16 03 44 2009 3081324208 maild rules DEBUG html 1 In this example processing of a message with a flag of successful sender authorization auth is emulated Other message parameters are not specified In the output you can view all the settings that are applied to the message by the matching Rules this example shows users of what type will receive notifications in each of the message check result the message is checked with all connected plug ins and reports are generated in the HTML format
181. Date Size D I quarantine script wazup misha jodaka ru ROLEX GUCCI LOUIS VUITTON Great Prices for the Holidays E quarantine script wazup medved jodaka ru 0 Facebook Password Reset Confirmation Customer Message B 4 quarantine script wazup admin jodzone ru 0 Facebook Password Reset Confirmation Customer Message E notspam script wazup E notspam script wazup E t notspam script wazup El notspam script wazup E virus jodzone ru E virus jodzone ru E virus jodzone ru lol jodaka ru Appliance 00 30 18 48 62 67 was updated misha jodaka ru Re medved jodaka ru New drweb officeshield image server 6 0 0 1009161 admin jodzone ru maild 6 0 moves to maild 6_0 branch misha jodaka ru O virus 55144145766 9241 make love not war 58 6830617197531 lol jodaka ru O virus 9096814425 36858 make love not war 46 7774318968456 admin jodzone ru 0 virus 55269083183 4361 make love not war 15 1541390164947 18 11 2010 10 17 1 6KB 18 11 2010 10 17 33 83KB 18 11 2010 10 17 33 83KB 18 11 2010 10 18 3 27KB 18 11 2010 10 18 4 05KB 18 11 2010 10 18 3 18KB 18 11 2010 10 18 3 51KB 18 11 2010 11 17 1 18MB 18 11 2010 11 17 604 94KB 18 11 2010 11 17 469 5KB previ 6289 10 ERY 12 12 14 15 not Items per page 10 gt Displayed records 101 110 from a total of 755 Figure 28 Dr Web console for UNIX Mail Servers Next to the module header information about current versions of Dr Web MailD and Dr Web for UNIX mail servers
182. Dentifier in UNIX based OS Portable Operating System Interface for Unix Request for Comments 15 T Ws A aN Introduction 16 RPM SSL TCP TLS URL UUID XML Package files format and extension for Red Hat Package Manager Secure Socket Layers protocol Transmission Control Protocol Transport Layer Security protocol Uniform Resource Locator Unique User IDdentifier eXtensible Markup Language The following conventions are used in the chapters about Dr Web MailD and Dr Web Console for UNIX mail servers A record API CGI CIE DB DBMS DNSBL DSN DSN FQDN IMAP JSON LDAP LMTP MIME MDA MTA MUA MX record ODBC POP3 SASL SMTP SQL TCP DNS record about correspondence between hostmane and IP address Application Programming Interface Common Gateway Interface Content Transfer Encoding i e standard of MIME object encoding 7 bit or 8 bit encoding for email messages Database DataBase Management System DNS blacklist DNS blocklist a list of IP addresses published through the DNS Most often used to publish the addresses of computers or networks linked to spamming Delivery Status Notification Data Source Name in ODBC Fully Qualified Domain Name i e a domain name that can be interpreted unambiguously The name includes names of all parent domains in the DNS hierarchy Internet Message Access Protocol JavaScript Object Notation Lightweight Directory Access Protocol Local
183. Directory where anti virus engine Dr Web Engine stores temporary files It is used for unpacking archives or when the system is low on memory Default value TempPath tmp 61 Ta 1 ax LngFileName path to file Key path to file OutputMode Terminal Quiet HeuristicAnalysis logical ScanPriority signed numerical value FilesTypes list of file extensions FilesTypesWarnings logical ScanFiles All ByType Dr Web Command Line Scanner 62 Language file location By default language files have a dw1 extension Default value LngFileName bin dir lib ru_scanner dwl Key file location license or demo By default key files have a key extension Default value Key bin dir drweb32 key Output mode e Terminal console output e Quiet no output Default value OutputMode Terminal Enables or disables heuristic detection of unknown viruses Heuristic analysis can detect previously unknown viruses which are not included in the virus database It relies on advanced algorithms to determine if scanned file structure is similar to the virus architecture Because of that heuristic analysis can produce false positives all objects detected by this method are considered suspicious Please send all suspicious files to Dr Web through http vms drweb com sendvirus for checking To send a suspicious file put it in a password protected archive include passwor
184. E Message processing rule If the value contains a comma and this symbol is not enclosed in quotation marks the symbol must be specified before the comma only if the value is not a comma separated list otherwise specify three back slashes Examples true cont headersfilter RejectCondition FileName e e FileName com headersfilter RejectPartCondition FileName e e FileName com true cont vaderetro action discard quarantine e tag a string that contains symbols from the a zA z0 9 set The string is used for search of information related to the user or user group For the web interface the value is set to Ta AN ax Dr Web MailD web e info a string that contains information on the user or user group Cannot contain line breaks and null symbols e settings set of settings specified for the user user group Specified as a list of parameter value pairs separated by whitespace The following parameters are allowed in the current version o A active can be set to 0 not active or 1 active If the user or user group is not active the rules related to them are ignored when processing By default if the flag is not specified users and user groups are active o S stat configures gathering of statistics for the user or user group The value can be set to 0 disabled gathering or to 1 enabled gathering Setting flag to O stops statistics
185. ErrorsPerSession A A W OEC EOT REOOO Many Siwicors No MaxMsgSize 552 5 3 4 Message siz xceeds file system y imposed limit ES MaxJunkCommands 421 4 7 0 Error too many errors No MaxHELOCommands AL A OEC Eor EOC many Errors No 3 Restrictions and conditions for different stages of SMTP session Parameters described below Restrictions configure check of IP addresses on various SMTP session stages Check is performed if the address is not marked as Trusted By default only connections from localhost and UNIX sockets are considered trusted The restrictions allow filtering of unwanted mail in drweb receiver module on the stage of SMTP session before messages are transmitted to drweb maild That saves resources and adds an additional level of spam filtration which increases spam detection probability SMTP Restrictions are applied on the following stages of SMTP session e connection of the new client INTRO restrictions are specified in the SessionRestrictions parameter e receipt of HELO EHLO command restrictions are specified in the HeloRestrictions parameter e receipt of FROM command that is when the client specifies sender for the new message restrictions are specified in the SenderRestrictions parameter e receipt of RCPT command that is when the client adds a new recipient to the message restrictions are specified in the RecipientRestrictions parameter e receipt of DATA command that is when the client
186. General Quarantine Plug ins Rules Engine Reports Mailreceiving Mailsending Imap Pop3 Proxy Database Properties Installed components General Advanced MailBase settings v Tables Summary data Protected networks 127 0 0 0 8 a 4 Infection Protected domains domain1 domain2 domain3 a 4 Errors vee Z Indude subdomains a 4 Begin end Redirect to root localhost Aa s Viruses n E F Accept control messages only from trusted networks a 4 Status Jei License limint action Pass a 4 Summary statistics Move to quarantine Virus bases Redirect All network installations Configuration Be Permissions Notify Schedule E Emails list 7 Add header Update restrictions Header a F E Dr Web for IBM Lotus Domino pe score L Dr Web MailD for Linux Dr Web Daemon for Linux 5 OT ees Empty From Continue a 4 SpIDer Guard for Linux Dr Web Icap Daemon for Linux arent aparan Dr Web NSS Daemon Redirect Dr Web Samba SpIDer for Linux Bg Dr Web Components Monitor for Unix F Add header Add score 0 Processing errors action Pass Aa Figure 63 Configuration of Dr Web MailD for Linux via Dr Web Control Center interface If appropriate permissions are set parameters can be reconfigured via Dr Web Console for UNIX mail servers The configuration process is similar to the one in the Standalone mode If the workstation user has insufficient privileges for that settings are open in read only mode Ta J
187. LANGS class ancherlinks gt LC561 lt a gt lt p gt lt for gt lt td gt lt tr gt lt table gt lt div gt lt br gt lt body gt lt html gt lt for gt lt if gt lt if TYPE PLAIN gt lt for LANG LANGS gt 001 DrWeb MailFilter Notification Content Type text plain charset SCHARSETS Content Transfer Encoding CONTENT TRANSFER ENCODINGS SLC542S SR PERIODS lt for RP_NAME R_PLUGINS gt LC543 SRP NAMES lt if RP BLOCKED OBJECTS WITH NUM AND PERCENTS gt lt if RP BLOCKED OBJECTS NUM 0 gt lt if RP BLOCKED OBJECTS NUM 1 gt LC544 Ta J i ax Dr Web MailD lt if gt lt if RP BLOCKED OBJECTS NUM 1 gt LC545 RP BLOCKED OBJECTS NUM LC546S lt if gt SRP BLOCKED OBJECTS WITH NUM AND PERCENTSS lt if gt lt if gt lt if RP SENDERS ENVELOPE WITH NUM AND PERCENTS gt lt if RP SENDERS ENVELOPE NUM 0 gt lt if RP SENDERS ENVELOPE NUM 1 gt LC547 lt if gt lt if RP_SENDERS_ENVELOPE NUM 1 gt LC545 R
188. LUGINS R_PERIODS SRP_NAMES RP_ BLOCKED OBJECTS WITH N UM AND PERCENTSS RP_ SENDERS ENVELOPE WITH_ NUM_AND_ PERCENTSS List of plug ins for which statistics reports are generated The value is specified in the Names parameter from the Reports section This macro can have a list as a value and can be used in loops for details refer to Control constructions Time period during which statistics reports are generated Plug in for which the statistics report is generated Calculated statistics on blocked objects for the plug in specified in the RP_NAMES macro value Statistics on senders of the blocked objects for the plug in specified in the Ta 1 ax Dr Web MailD 282 RP_CLIENT_IP_WITH_NUM_AND _PERCENTS RP_BLOCKED OBJECTS NUM RP_ SENDERS ENVELOPE NUMS RP_CLIENT_IP_NUMS SRP _TEMPFAIL SIZES RP_PASSS SRP REJECTS RP_DISCARD RP_TEMPFAILS SRP REJECT PLUS _TEMPFAILS SRP _QUARANTINES SRBE REDIRECTS SRP _NOTIFYS RP_PASS SIZES RP_REJECT_SIZE SRP DISCARD SIZE RP_REJECT_PLUS_TEMPFAIL S IZES SRP QUARANTINE SIZES SRBE REDIRECT SIZES RP_NAMES macro value Statistics on IP addresses blocked by the plug in specified in the RP_NAMES macro value Number of blocked objects included in the statistics If the macro value is 0 objects are not output If the value is 1 all blocked objects are output In other cases the specified
189. ME1 VALUE1 NAME2 VALUE2 where e NAME case insensitive parameter name e VALUE parameter value If a parameter is not locally overridden in a Lookup their default values or values from the corresponding lt DATASOURCE gt section of Dr Web MailD configuration are used where lt DATASOURCE gt corresponds to the Lookup prefix Note that usage of SkipDomains in Lookup has no meaning if the Lookup is to determine parameter values on those SMTP session stages when the domain cannot be determined that is d special symbol is empty Domain cannot be determined on the INTRO stage of SMTP session see above Features of Lookups processing Please note that during Lookup processing Dr Web MailD waits for connection to a data source DBMS or LDAP server during a timeout specified in the the data source settings or overridden locally in the Lookup prefix This can slow down the performance of Dr Web MailD if the network connection is not stable or specified connection parameters are incorrect If connection attempt fails during the timeout the error is fixed and processed according to the OnError parameter value specified either in the data source settings or overridden locally in the 137 Ta yan A A Dr Web MailD 138 Lookup prefix If a Lookup is used as the Router parameter value specified in the Sender section and the OnError exception error handling mode is used this mode can
190. MS Exchange The template is located in the dsn_ for exchange msg file For details on how to replace the template see Notification processing 356 Ta J 1 ax Dr Web Console for UNIX mail servers 357 Dr Web Console for UNIX mail servers Setup and configuration of Dr Web for UNIX mail servers can be performed via a specially designed web interface Dr Web Console for UNIX mail servers It is implemented as a plug in to Webmin for details on the Webmin interface visit its official website at http www webmin com To achieve optimal performance of the Dr Web Console for UNIX mail servers web interface ensure that the following Perl modules are installed in your system e XML Parser Perl module for parsing XML documents e XML XPath set of modules for parsing XPath statements e Encode module for encoding conversion e Date Parse module for conversion date to UNIX format CGI module that enables operation with Common Gateway Interface e CGI Carp module for creation of HTTPD report on errors e JSON module for parsing and converting to JSON JavaScript Object Notation e Digest MD5 module for using MD5 encryption algorithm e MIME Words module for using RFC 2047 encoding e MIME Entity module for decoding and parsing MIME messages e MIME Parser Perl module for parsing MIME threads e MIME Head Perl module for parsing headers of MIME me
191. NUMBER MAX NUMBER current maximum number of messages If the maximum value is not set 0 is output o SIZE MAX SIZE current maximum size of messages in Quarantine in bytes If the maximum value is not set 0 is output o client id1 def string o total information on the whole database Ta J i ax Dr Web MailD 230 e quarantine send id like emaill email2 sends messages from Quarantine to the specified recipients email1 email2 If no recipient is specified the messages are sent to their original recipients from the envelope Message sending result is output in the following format RES in sending to RCPTS LIST id where o RCPTS LIST actual list of message recipients o RES OK Of ERROR depending on the sending result o id path to the file with the message body Output format OK in sending to lt ai drweb com gt lt as sd gt def backup 6 00004DD6 maild VQ80Ro OK in sending to lt ai drweb com gt lt as sd gt def backup 6 00004DC6 maild PWfge3 e quarantine add id from rcptl rcpt2 adds the specified file to Quarantine where from message sender rcptN recipients Addresses can be enclosed in angular brackets lt gt If a file with the specified id does not exist an error is output Receiving Statistics Statistics on Dr Web for UNIX mail servers operation for users and user groups can be received via the command interface of the control so
192. No Features of Lookup usage in the ProtectedNetworks parameter Lookups that retrieve Network IP address from a data source by the domain name or user name that is Lookups that use the d and u macros cannot be set as a value of this parameter because at this step when the parameter is accessed to check the SessionRestrictions trust protected network restriction only the IP address from which the connection was 147 Ta J i ax Dr Web MailD established is available and the address cannot be resolved in the FQDN For example if you use such Lookup in the following SQL query select net from networks where domain d the net address will not be selected from the database and therefore will not be marked as trusted However you may use Lookups that retrieve Network IP addresses by the full address that is Lookups that use the s macro At that the Lookup points to the client s IP address so it can be used only in queries to those data sources that either contain lists with IP addresses or can resolve an IP address in the FQDN The following example shows a correct query select net from networks where net s If the net field contains a client s IP address that was inserted into the query via the s macro the IP address is marked as trusted Note that the SkipDomains setting does not work in a Lookup as at this step the domain name is unidentified For details on restrictions concerning the usage of domain an
193. ODUCTS lt SFILTER_MAILS gt To System Administrator lt SPOSTMASTERS gt Subject A prohibited archive has been detected Content Type multipart mixed boundary 001 DrWeb MailFilter Notification MIME Version 1 0 Precedence junk X Antivirus Ticket Dr Web notification lt if TYPE HTML gt lt for LANG LANGS gt 001 DrWeb MailFilter Notification Content Type text html charset CHARSETS Content Transfer Encoding SCONTENT_TRANSFER_ENCODINGS lt DOCTYPE html PUBLIC W3C DTD XHTML 1 0 Transitional EN http www w3 org TR xhtm11 DTD xhtmli transitional dtd gt sender_cured msg lt html xmlns http www w3 org 1999 xhtm1 gt Peno ETO MED pera i iv Content T zi t text html hi t SCHARSETS lt meta p equiv Content Type content tex ml charset gt sender_malware msg lt title gt LC515 lt title gt sender_skip msg lt include style css gt sender_virus msg lt head gt lt body gt lt div align center gt lt table width 600 border 0 cellspacing 0 cellpadding 0 gt lt tr gt lt td align center valign top gt lt a name top id top_SLANGS gt lt a gt lt include head temp1 gt lt table width 100 gt lt tr gt lt td align right gt lt if_pinocw I TCTs Figure 59 Templates Running in Enterprise Mode To start Dr Web Console for UNIX mail servers in the central protection mode configure Dr Web Agent as described in the corresponding sectio
194. ORT HOST where PORT and HOST must have definite values e g inet 3001 localhost For UNIX sockets address must be specified in the following format local SOCKPATH _ where SOCKPATH _ string must define the path which is accessible with the privileges the filter is started e g local var run drweb milter sock Additional information on filter configuration can be found in Sendmail system documentation You must restart Sendmail after specifying all necessary parameter values To enable logging of Sendmail message identifiers by drweb maild module sendmails message ID as well as sending to drweb maild information on successful authorization the following line must be included in sendmail cf O Milter macros envfrom i auth type suspension points denote other parameters which values are of no importance in this case Ta J 1 aX Dr Web MailD 338 To allow Dr Web MailD to define IP address and host name of the sender as well as to transfer drweb maild module the interface address which received the message add the following line to sendmail cf configuration file O Milter macros connect if addr suspension points denote other parameters which values are of no importance in this case To disable output of the following messages to syslog X Authentication Warning some domain com drweb set sender to DrWeb DAEMON some domain com using f include the user with whose privileges drwe
195. P and LMTP protocols e filter for supported mail transfer systems Integration with the following MTA is supported o Sendmail o Postfix o Exim o CommuniGate Pro o Courier o Zmailer o Qmail e a proxy server for post protocols of end user MUA POP3 IMAP which operates as a filter between MTA and MUA Parameters of Dr Web MailD operation mode and separate modules are defined in the configuration files Also it is possible to control Dr Web MailD via the special intercative management interface like a command line Structure of Dr Web MailD General structure of Dr Web for UNIX mail servers is described in the Introduction Structure of Dr Web MailD is presented in the figure below Also this figure shows the scheme of interaction between Dr Web MailD and MTAs MTA Receiver Quarantine Notifier Figure 17 Structure of Dr Web MailD Short description of Dr Web MailD is given in the following table Receiver The component is used to receive email messages from mail systems MTA or MDA Component functions are performed by different modules drweb receiver drweb milter drweb cgp receiver and others that are included in the solution structure depending on the post system integrated with Dr Web for UNIX mail servers The component supports simultaneous work as part of several modules that perform Receiver functions which allows receiving and processing email messages from several sources at once 11
196. POP3 and IMAP filters according to the processing results This macro can have one of the following values reject discard tempfail and error List of strings describing reasons to block the message by a plug in more than one reason is possible For example if a threat is detected Drweb plug in returns the threat name If the message is blocked due to another reason for example as a reaction to a SkipObject event the plug in returns a full value of the configuration string lt parameter gt lt value gt which caused the message block Statistics on results of the plug in message check Ta yan A A Dr Web MailD 281 SARCHIVE RECORDS SORIGINAL MESSAGES R_MAILSS CO_ CLIENT IPS CO_CLIENT PORTS CO_AUTHS SCO SERVER UNIX SOCKS CO SERVER _IP SCO SERVER PORTS Sco RSs IDS CO_ SENDER ADDRESSS Q CONTROL BY EMAILS STEMPLATES DIRS Q REMOVE TIMES SPRODUCTS SEXT_ PRODUCTS Name of the file in Quarantine Body of the original message for which notification is generated Be careful when inserting the macro in a notification if for example the original message body contained a virus the generated notification could be blocked by another anti virus system List of addresses to which notifications are to be sent The macro value is specified in the Mail parameter in the Reports section This macro can have a list as a value and can be used in loops for details
197. P_ SENDERS ENVELOPE NUM LC548 lt if gt SRP SENDERS ENVELOPE WITH NUM AND PERCENTSS lt if gt lt if gt lt if RP CLIENT IP WITH NUM AND PERCENTS gt lt if RP CLIENT IP NUM 0 gt lt if RP CLIENT IP NUM 1 gt SLC566S lt if gt lt if RP CLIENT IP NUM 1 gt LC545 RP CLIENT IP NUM LC565 lt if gt SRP CLIENT IP WITH NUM AND PERCENTSS lt if gt lt if gt SLC549S LC550 RP_PASS RP_PASS_SIZE SLE551 RP_REJECT RP_REJECT_SIZE SLC5525 SRP DISCARDS S RP_ DISCARD SIZES SLC553 SRP TEMPFAILS RP_TEMPFAIL SIZES SLC554 SRP QUARANTINES RP QUARANTINE SIZES SLC555 SRP REDIRECTS RP REDIRECT SIZE SLC556 SRP NOTIFYS SRP NOTIFY SIZES SLC557 SRP CHECKED MSGS RP_CHECKED SIZES SLC5715 SRP BLOCK PERCS S RP_ BLOCK SIZES LC570 SRP CHECK TIME SUMS RP CHECK TIME AVR LC558 lt if RP NAME drweb gt lt if RP AGENT STAT UUID gt SLC567 SLC5688 http stat drweb com view SRP AGENT STAT UUIDS lt if gt lt if gt lt for gt lt for gt lt if gt 001 DrWeb MailFilter Notification Language Files Language files are used as a source of text data string resource for generation of notifications output of text messages or insertion of text fragments into processed email messages Language files are used mainly by Notifier but they can also be used by the plug ins for example Drweb plug in uses text from a language fi
198. Parameters used only in Rules c Enables or disables generation of notifications in HTML format html logical If the value is set to yes Dr Web MailD generates notifications in HTML format otherwise they are generated as text Note that this parameter does not manage DSN 247 Ta yas A A Dr Web MailD 248 Enables or disables moving rejected messages to Quarantine quarantine 3 3 logical If the value is set to Yes such messages are quarantined Otherwise messages cannot be move to Quarantine even if they were rejected c Determines which plug ins specified in the Filters section scan are used by Dr Web MailD to check messages text If the parameter value is set to a11 Dr Web MailD uses all plug ins If the parameter value is set to No Dr Web MailD uses no plug ins Plug ins are listed with a colon as a delimiter To exclude a plug in from the list use a minus sign with no white spaces before the plug in name Note that if the value is set to A11 plug in names cannot be specified in the list without a minus sign as that is useless Examples scan All use all plug ins scan no do not use any plug in scan All plugin1 use all plug ins except for plugin1 scan Pluginl Plugin2 use only Plugin1 and Plugin2 plug ins scan All Plugin1 invalid as it is not allowed to use plug in names without after A11 scan Plugin1 A11 invalid as a11 must be specifie
199. Quarantine Tab Plug ins Tab Anti Spam Tab Headers Filter Tab Anti Virus Tab Modifier Tab Rules Tab Engine Tab Reports Tab Mail Receiving Tab Sending Mail Tab IMAP Tab POP3 Tab Proxy Tab Templates Running in Enterprise Mode Configuring User Permissions 351 351 352 352 352 353 353 354 357 357 359 361 361 362 363 364 366 366 368 369 369 370 371 373 374 376 379 382 383 385 386 387 388 388 389 390 10 Ta 2 ax N Configuring Workstation Types of Administrator Accounts Contacts 391 393 394 11 Ta J 1 ax Introduction Introduction This Manual describes the following Dr Web solutions for mail processing and filtering in UNIX based systems e Anti virus Anti spam Dr Web for UNIX mail servers e Anti spam Dr Web for UNIX mail servers e Anti virus Dr Web for UNIX mail servers e Anti virus Anti spam Dr Web for UNIX mail gateways e Anti spam Dr Web for UNIX mail gateways e Anti virus Dr Web for UNIX mail gateways In fact all these solutions differ from each other only by combination of installed modules and plug ins Hereinafter all of them will be referred to as Dr Web for UNIX mail servers Depending on the set of installed modules interaction with different mail transfer systems can be established successful mail protection from viruses and spam can be achieved and also the suite can operate as a mail gateway Each solution is also
200. QueueFilters queue use asynchronous mode Increase IPC timeout the IpcTimeout parameter in the General section to 5 minutes if Drweb plug in is used Increase file scanning timeout in Dr Web Daemon settings as well as the value of the Timeout parameter in Drweb plug in settings maximum 10 minutes Mount directory with messages and Quarantine directory Svar dir msgs and Svar dir infected into the tmpfs file system but only if sufficient RAM memory is available in case of large number of messages Set the maximum size of a message body saved to the internal DB to 1 KB set MaxBodySizeInDB k in the MailBase section Stop restricting message size and amount of disk space available for Quarantine set 0 as a value 269 Ta J 1 aX Dr Web MailD of the MaxSize and MaxNumber parameters in the Quarantine section Note that if DBI is used Quarantine with large messages will be saved to DBMS that will cause additional load on server It does not influence Dr Web MailD operation directly but can affect the average load on the server 7 Restrict time to store messages in Quarantine if no special condition is required controlled with the StoredTime parameter in the Quarantine section Otherwise they will consume disk space 8 Control disk space consumed by svar dir msgs out and var dir msgs out failed directories which allows to detect problems with message delivery and keep free space on
201. R A Message filtering rules RejectCondition If a message header matches any specified condition the message is filtered out Actions to be applied for filtered messages can be specified in the Action parameter of this section The rules can be specified for any header conditions Ordinarily a rule consists of a header name and a regular expression HEADER regular expression You can combine several conditions using brackets or logical operators OR and AND The not equal operator can also be used Expressions containing white spaces must be enclosed in quotation marks Example RejectCondition Subject money AND Content Type text html Moreover there are two additional types of filtration e No HEADER NAME condition that allows filtration of messages without a certain header Example RejectCondition No From filters out all messages without the Fron field e HEADER NAME 8bit filters out all messages with 309 Ta yan A A Dr Web MailD 310 headers containing 8 bit symbols See also a note below the table Default value RejectCondition R A Rules for accepting messages AcceptCondition ee ee If a message header matches any specified condition scanning stops and message is immediately sent to other plug ins for further processing Acceptance conditions can be specified for any header Description of condition set for th
202. Reply string to be used as SMTP reply when N ScanningErrors ProcessingErrors reject actions DrWEB Antivirus Message is rejected due to software ern are applied and also when UseCustomReply yes more gt gt Block by filename reply Reply string to be used as SMTP reply when HN BlockByFilename reject action is applied and also when UseCustomReply yes more gt gt Apply and Save Settings IPC level IPC library log verbosity level alert E Syslog facility Syslog facility type generating notifications on il zi Dr Web events if syslogd is used for Dr Web and its Mai components activity logging more gt gt Libraries Path to plug in libraries more gt gt Section Name of section of the configuration file where parameters regulating plug in operation can be found Figure 43 Anti virus advanced settings Modifier Tab This tab contains general settings of Dr Web Modifier plug in included in Dr Web for UNIX mail servers 374 Dr Web Console for UNIX mail servers Dr Web Ma Dr Web Web Interface version t Configuration 4 ates Pd T 2r Web MailD is running E e eS eee ee A Iter Ea Global rules List of general rules for message processing select mime headers Subject more gt gt wIt s WAA bIg AAN small text if found reject endif Encoding Encoding specified by plug in
203. Settings for a pool of threads processing requests from drweb proxy server components to send mail via the Sender component Before the message is transmitted to Sender a temporary directory is created where this message is stored Sender returns operation results to the dwreb proxy server Default value SenderPoolOptions auto List of socket addresses used by the drweb proxy server component to receive requests from drweb proxy client components drweb proxy client transmits messages for checking to the drweb proxy server component according to the value set for the ProxyServersAddresses parameter from the ProxyClient section Default value Address inet 8088 0 0 0 0 List of socket addresses used by drweb proxy client components to receive send requests Addresses are specified as follows ADDRESS1 WEIGHT1 ADDRESS2 WEIGHT2 where ADDRESS has a basic address type and WEIGHT is an optional numeric value in the range 0 100 defining a weight of this address This WEIGHT determines a relative work load on a certain host in the network The greater the value the greater the load on the server Socket addresses specified in the parameter value must match socket addresses set as a value of the Address parameter from the ProxyClient section 212 Ta J 1 aX Dr Web MailD Default value ProxyClientsAddresses inet 8066 CLIENT IP ReceiverPoolOptions pool Settings for a pool of threads tra
204. UNIX mail servers and its components The present manual provides information on setup configuration and usage of Dr Web for UNIX mail servers that is e General product description e Installation of Dr Web for UNIX mail servers e Running Dr Web for UNIX mail servers Usage of Dr Web Updater Usage of Dr Web Agent e Usage of console scanner Dr Web Scanner Usage of background on demand scanner Dr Web Daemon Usage of Dr Web Monitor e Configuration of Dr Web for UNIX mail servers solution At the end of this manual you can find contact information for technical support Doctor Web products are constantly developed Updates to virus databases are issued daily or even several times a day New product versions appear They include enhancements to detection methods as well as to the means of integration with UNIX systems Moreover the list of applications compatible with Doctor Web is constantly expanding Therefore some settings and functions described in this Manual can slightly differ from those in the current program version For details on updated program features refer to the documentation delivered with an update Ta 2 ww ax Introduction Terms and Abbreviations The following conventions are used in the Manual Bold Names of buttons and other elements of the graphical user interface GUI and required user input that must be entered exactly as given in the guide Green and bold Names of Doctor Web products and
205. Web MailD 254 Example 1 a The following two rules are specified Rules to userl domain ru cont drweb Suspicious pass quarantine notify to user2 domaun ru cont drweb Suspicious discard quarantine notify b Message with the following headers is processed FROM lt another_user externaldomain com gt TO lt userl domain ru gt lt user2 domain ru gt In this case the message is not cloned as setting of Drweb plug in specified for Suspicious is taken from the plugin drweb conf configuration file This is because settings for recipients are different and the drweb Suspicious parameter is not of the cloning type Example 2 a The following three rules are set Rules to userl domain ru cont drweb Suspicious pass quarantine notify to user2 domain ru cont drweb Suspicious discard quarantine notify from another user externaldomain com cont drweb Suspicious reject add header BLA BLA b The processed message is the same as in the previous example FROM lt another_user externaldomain com gt TO lt userl domain ru gt lt user2 domain ru gt Only the last rule is applied to the message as drweb Suspicious does not have additive semantics and is not of the cloning type Thus different settings specified in the first two rules cause the value to reset to the default The third rule is also applied to the message and sets the reject add header BLA BLA value to the drweb Suspicious parameter
206. Web MailD configuration file can be applied because Exim does not return the code of successful receipt to drweb sender until the delivery is finished To avoid this problem you may configure Exim to send all messages to the queue first and only after that to perform delivery 343 Ta 2 i ax Dr Web MailD 344 Add a new ac1 to the Exim configuration file acl check drweb scanned warn condition if and def received protocol eq received protocol drweb scanned yes no control queue only accept and then enable it acl not smtp acl check drweb scanned Connecting to Exim Using Special Transport The description below is valid only for Exim 4 xx For information on adjusting the settings for earlier versions of Exim 3 xx refer to the corresponding documentation for example at http www exim org index html In Exim settings you must add a special transport and a router Find the Routers Configuration section in the configuration file of the mail system It starts with the following header FEAE AEAEE EAE AE AE AEAEE AE aa a aa aE a a aa EEE ROUTERS CONFIGURATION Specifies how remote addresses are handled FEFE TERE HE TEREE TE TEETE AE EAE FE E TE AE TE FE HE TE TE HE TE TE HE EREE EE E E E E E EEH ORDER DOES MATTER A remote address is passed to each in turn until it is accepted Raa EET EEE EEE FE E TE AE TE FE HE TE EE HEE EEE E E E E E EEH An
207. Web MailD components to start or shut down in the maild lt mta gt mmc control file of Dr Web Monitor as larger number of threads requires more time to stop In this case it is also strongly recommended to adjust parameters of the whole complex see below 266 Ta J i ax Dr Web MailD 267 Possible symptoms of system resources exhaustion 1 It may occur that the successive thread in a pool cannot be created If so the following error is logged in a log of the corresponding component ERROR lt some description gt boost thread resource error In this case decrease the number of active threads for the corresponding thread pool When it is set automatically auto specify the thread number explicitly If the specified number is not sufficient and increase in number of threads causes an error increase server performance that is install more RAM and increase number of cores available for Dr Web MailD 2 On heavy load processing of messages cannot be performed If so Dr Web MailD logs the following error Too many open files The error occurs because of exhaustion of file descriptors available for Dr Web MailD including socket descriptors To solve the problem on Solaris OS 10 before drweb receiver startup define the LD PRELOAD 32 environment variable and assign the following value usr lib extendedFILE so 1 to it You can do that e directly in the console if drweb receiver is started n
208. Web MailD configuration file A On startup Dr Web MailD temporarily renames files of used plug in libraries by adding an additional extension cache to the file name It is done to avoid conflicts when updating libraries by Dr Web Updater component For example Drweb plug in library is renamed on startup to libdrweb so cache Drweb Anti Virus Plug In Drweb is an anti virus plug in for Dr Web for UNIX mail servers It performs anti virus check of electronic mail For proper operation of Drweb plug in Dr Web CoreEngine and Dr Web Daemon are required they perform direct anti virus check Dr Web Daemon and Dr Web CoreEngine are included into general distribution package of Dr Web for UNIX mail servers and must be installed before installation of the Drweb plug in Messages already segmented are sent to the drwebd module Dr Web Daemon for scanning in segments Therefore support of MIME processing by Dr Web Engine as well as by Dr Web Daemon is not required Once message analysis is complete the plug in sends scanning results to MailD core and if yes is specified as a value of the AddXHeaders parameter in the plug in configuration file adds the following headers e X Anti virus Name where Name is the name and version of the anti virus software e X Anti virus Code where Code is a termination code of Dr Web Daemon Drweb plug in parameters can be adjusted by default in the plugin _drweb conf configuration file Connectin
209. Web MailFilter Notification MIME Version 1 0 lt if TYPE HTML gt lt for LANG LANGS gt 001 DrWeb MailFilter Notification Content Type text html charset SCHARSETS Content Transfer Encoding CONTENT TRANSFER ENCODINGS lt DOCTYPE html PUBLIC W3C DTD XHTML 1 0 Transitional EN http www w3 org TR xhtml1 DTD xhtmll transitional dtd gt lt html xmlns http www w3 org 1999 xhtmlL gt lt head gt lt meta http equiv Content Type content text html charset SCHARSETS gt lt title gt LC510S lt title gt lt include style css gt lt head gt lt body gt lt div align center gt lt table width 600 border 0 cellspacing 0 cellpadding 0 gt lt tr gt lt td align center valign top gt lt a name top id top SLANGS gt lt a gt lt include head temp1l gt lt table width 100 gt lt tr gt lt td align right gt lt for RP NAME R_PLUGINS nbsp gt lt a href SRP_ NAMES SLANGS class ancherlinks gt LC543 SRP _NAMES lt a gt lt for gt lt td gt lt tr gt lt table gt lt p class titletext gt SPRODUCTS LC542 SR_PERIODS lt p gt lt for RP _NAME R_ PLUGINS gt lt table width 100 gt lt tbody gt lt tr gt lt th colspan 2 class header gt lt a name RP_ NAMES _SLANGS gt lt a gt LC543 SRP_NAMES lt th gt lt tr gt lt tr gt lt td colspan 2 gt lt tabl
210. XXXYY vdb regular weekly updates for riskware e dwrtoday vdb hot updates for riskware Virus databases can be automatically updated with Dr Web Updater module bin dir update pl After installation a user crontab file etc cron d drweb update is automatically created to run Updater every 30 minutes That ensures regular updates and maximum protection You can modify this file to change update period Cron Configuration For Linux a special file with user settings is created in the etc cron d directory during installation of the software It enables interaction between cron and Dr Web Updater In the task created for crond the vixie cron syntax is used If you use a different cron daemon such as deron create a task to start Dr Web Updater automatically For FreeBSD and Solaris manual configuration of cron is required to enable its interaction with Dr Web Updater For example when you use FreeBSD you may add the following string to crontab of drweb user 30 usr local drweb update pl If you work with Solaris the following set of commands is used crontab e drweb 0 30 opt drweb update pl Please note that by default the cron daemon launches Dr Web Updater once in 30 minutes at the 0 and 30 minutes of every hour This may result in increased load on the Dr Web GUS update servers and cause update delays To avoid such situation it is recomended to change default values to arbitrary 85
211. _TEMPFAILS SRP_TEMPFAIL SIZE lt td gt lt tr gt lt tr gt lt td class body gt LC554 lt td gt lt td align right class body gt RP_QUARANTIN SRP_QUARANTINE SIZES lt td gt lt tr gt lt tr gt lt td class body gt LC555 lt td gt lt td align right class body gt RP REDIRECTS SRP_REDIRECT SIZES lt td gt lt tr gt lt tr gt lt td class body gt LC556 lt td gt lt td align right class body gt RP_NOTIFYS SRP_NOTIFY SIZES lt td gt lt tr gt lt tr gt lt td class subtitle gt LC557 lt td gt Pa UV lt td align right class subtitle gt RP_CHECKED MSGS SRP CHECKED SIZE lt td gt E lt tr gt lt tr gt lt td class subtitle gt SLC571S8 lt td gt lt td align right class subtitle gt RP_BLOCK P SRP_BLOCK SIZES lt td gt lt tr gt lt tr gt lt td class subtitle gt SLC570 lt td gt ERCS lt td align right class subtitle gt SRP CHECK TIME SUMS SRP CHECK TIME AVRS LC558 lt td gt lt EE gt lt tbody gt lt table gt lt if RP NAME drweb gt lt if RP AGENT STAT UUID gt lt p align right class regulartext gt LC567 lt a href http stat drweb com view S RP AGENT STAT UUIDS gt SLC568S lt a gt lt p gt lt if gt lt if gt lt p gt lt a href top S
212. ad on the used servers is enabled Addresses are listed in the following format ADDRESS1 WEIGHT1 ADDRESS2 WEIGHT2 where ADDRESS is a socket address in the standard form and WEIGHT is an optional parameter defining priority of this Dr Web Daemon instance can be from 0 to 100 inclusive At least one address in the list must be correct and accessible Apart from standard address types you can specify path to the PID file of Dr Web Daemon from which necessary information about the sockets can be retrieved Examples Specifying path to the PID file Address pid var_ dir run drwebd pid Specifying several addresses Address pid var_dir run drwebd pid 10 inet 3000 srv2 example com 5 Default value Address pid var_dir run drwebd pid Timeout for Dr Web Daemon to execute a command Timeout When the parameter value is set to 0 time is not limited time Default value Timeout 30s Ta yan A A Dr Web MailD 293 Mode of interaction with Dr Web Daemon for scanning of email ScanType messages The following modes are allowed local remote auto e local only names of files to scan are transferred e remote only file content is transferred e auto Automatic mode Either file names or file content are transferred The mode is selected according to the message size whether local or remote Dr Web Daemon is used and mode synchronous or asynchronous
213. aemon Testing and Diagnostics If no problems occurred during initialization Dr Web Daemon is ready to use To ensure that the daemon is initialized correctly use the following command netstat a and check whether required sockets are created 70 Ta 2 ww ax Dr Web Daemon 71 TCP sockets Active Internet connections servers and established Proto Recv Q Send Q Local Address Foreign Address State tcp 0 0 localhost 3000 LISTEN Unix socket Active UNIX domain sockets servers and established Proto RefCnt Flags Type State I Node Path unix 0 ACC STREAM LISTENING 1127 svar_dir daemon Missing of the required sockets in the list indicates problems with Dr Web Daemon initialization To perform a functional test and obtain service information use Dr Web Daemon console client drwebdc TCP sockets drwebdc nHOSTNAME pPORTNUM sv sb Unix socket drwebdc uSOCKETFILE sv sb Report similar to the following example is output to the console Version DrWeb Daemon 6 00 Loaded bases Base var drweb bases drwtoday vdb contains 5 records Base var drweb bases drw60003 vdb contains 409 records Base var drweb bases drw60002 vdb contains 543 records Base var drweb bases drwebase vdb contains 51982 records Base var drweb bases drw60001 vdb contains 364 records Total 53303 virus finding records If the report was not output run exte
214. age score to the specified SCORE value SCORE pare A f z If it is used on SessionRestrictions Or HeloRestrictions stages it affects the score of every message in the session on other stages it affects the score of the current processed message add_score Add the specified SCORE value to the current message score SCORE rer 2 A A If it is used on SessionRestrictions Or HeloRestrictions stages it affects the score of every processed message in the session on other stages it affects the score of the current processed message Restrictions actual for different check steps Actions for SessionRestrictions trust_protected_network If the IP address of the connection is included in the list SCORE specified in the ProtectedNetworks parameter the Maild section the address is either marked as Trusted or if SCORE is specified its value is added to the score of each message transferred in the current session and to the score of the sender s IP address trust_protected_domains Checks if the IP address of the connection is in the list SCORE defined by the ProtectedDomains parameter the 175 Ta 1 ax Dr Web MailD 176 trust_white_networks SCORE trust_white_domains SCORE reject _dnsbl SCORE reject black networks SCORE reject black domains SCORE Actions for HeloRestrictions restriction Maild section The check is performed using double DNS request PTR request is s
215. age will be sent to the MTA specified in the Sender settings It is recommended to specify an active MTA in the settings to rapidly receive messages notifying on problems that occurred upon email processing in the picture above this MTA is indicated with a dashed line Working with POP3 IMAP Mail Clients Dr Web for UNIX mail servers can be used for checking messages not when mail system receives them but at the moment they are transferred via IMAP and POP3 to the MUA of the end receiver This integration solution can be implemented only when the mail system protected with Dr Web for UNIX mail servers is not a proxy but is finite meaning that the system serves requests from the end MUA To implement the solution the following two proxy components are included into Dr Web for UNIX mail servers e POPS filter used for intercepting messages of POP3 the protocol during communication between MUA and MDA Implemented as drweb pop3 module e IMAP filter used for intercepting messages of IMAP protocol during communication between MUA and MDA Implemented as drweb imap module The following picture illustrates Dr Web MailD connection diagram when working with mail clients MTA MDA IMAP POP3 filter Quarantine Dr Web MailD Puc 22 Work with mail clients 330 Ta J 1 ax Dr Web MailD General operation principles 1 Filter of the user protocol POP3 filter or IMAP filter depending on the use
216. ail messages WITHOUT anti virus check Default value ScanFiles All Enables or disables checking of files in archives The following formats are supported Z1P WinZip InfoZIP etc RAR ARJ TAR GZIP CAB and others Default value CheckArchives Yes Enables or disables checking of email files Default value CheckEMailFiles Yes Ta 1 ax ExcludePaths list of path file masks FollowLinks logical RenameFilesTo mask MoveFilesTo path to directory BackupFilesTo path to directory LogFileName syslog file name SyslogFacility syslog label SyslogPriority log level LimitLog logical Dr Web Daemon 79 Masks for files to be skipped during scanning Default value ExcludePaths proc sys dev Enables or disables Dr Web Daemon to follow symbolic links during scanning Default value FollowLinks No Mask for renaming files when the Rename action is applied Default value RenameFilesTo Path to the Quarantine directory Default value MoveFilesTo var dir infected Directory for backup copies of cured files Default value BackupFilesTo svar dir infected Log file name You can specify syslog as a log file name and logging will be performed by syslogd system service In this case also specify the SyslogPriority parameter values SyslogFacility and Default value LogFileName syslog Log type label us
217. ail parameter in the configuration ignoring the matching Rules e recipients addresses are determined according to the AdminMail parameter from the matching Rules For DSN dsn msg Or dsn_ for exchange msg templates e sender s address is always empty e if the FROM parameter is specified the values specified first fro this parameter is set as the sender s address otherwise recipients addresses are determined by the RCPTSS macro If the __ FROM parameter is not specified and the RCPTS macro is not initialized an error occurs For other templates e sender s address is set aaccording to the FilterMail parameter value from the matching Rules e recipients addresses according to the RCPTS macro thus the macro must be initialized otherwise an error occur Command Example Usage Output text of a message generated as DSN for the ai drweb com and test drweb com recipients notify dsn msg show RCPTS ai drweb com FULLHEADERS From lt fake gt _RCPTS test drweb com Generate a message from the admin_virus msg template and send the message in the synchronous mode notify admin virus msg sync RCPTS test FULLHEADERS From lt fake gt Dr Web MailD Utilities The following utilities are included in Dr Web for UNIX mail servers suite for ease in adjustment and management of Dr Web MailD e drweb qp used for interaction between Quarantine and DBI Cannot be launched manually e drweb qcontrol utility
218. ail queue module for message scan Sockets in this list must be also specified in the list of files monitored by the qmail queue module This list can be viewed with qmail queue help command Default value ListenUnixSockets local var_dir ipc qmail Ta J 1 ax Dr Web MailD 193 QmailQueue Path to the original initial qmail queue file path to file Default value QmailQueue var qmail bin qmail queue original IMAP Section In the IMAP section settings for drweb imap module are specified the IMAP filter component used to intercept mail via IMAP protocol when working with mail clients ServerAddress Address used by the filter to connect to the IMAP server address i 5 Default value ServerAddress inet imap 127 0 0 1 ListenAddress A list of socket addresses used to receive requests from clients ii a Tie E The following types of addresses can be specified inet or inet ssl if you use TLS SSL encryption The latter address type requires IMAPS protocol to be used by the IMAP filter Default value ListenAddress inet 5200 0 0 0 0 ServerTLSSettings TLS SSL TLS SSL settings for server communications over IMAP eee et It is possible to connect as TSL SSL server only if a certificate certificate and private key private key file are specified and inet ss1 socket is used Example ServerTLSSettings use sslv2 no private key file path to pkey certificate
219. aka ru 0 Facebook Password Reset Confirmation Customer Message G quarantine script wazup admin jodzone ru 0 Facebook Password Reset Confirmation Customer Message notspam script wazup lol jodaka ru Appliance 00 30 18 48 62 67 was updated E notspam script wazup misha jodaka ru Re 77777 notspam script wazup medved jodaka ru New drweb officeshield image server 6 0 0 1009161 El i notspam script wazup admin jodzone ru maild 6 0 moves to maild 6_0 branch E f virus jodzone ru misha jodaka ru O virus 55144145766 9241 make love not war 58 6830617197531 virus jodzone ru lol jodaka ru 0 virus 9096814425 36858 make love not war 46 7774318968456 ff virus jodzone ru admin jodzone ru 0 virus 55269083183 4361 make love not war 15 1541390164947 6 2 8 9 10 BRU 12 13 14 15 net Figure 29 Quarantine tab The Quarantine tab contains the following elements e toolbar e filter panel e table with the list of quarantined messages e list of additional navigation tools and its display settings Dr Web Console for UNIX mail servers 362 Web MailD is running any status Reset Date Size 18 11 2010 10 17 1 6KB 18 11 2010 10 17 33 83KB 18 11 2010 10 17 33 83KB 18 11 2010 10 18 3 27KB 18 11 2010 10 18 4 05KB 18 11 2010 10 18 3 18KB 18 11 2010 10 18 3 51KB 18 11 2010 11 17 1 18MB 18 11 2010 11 17 604 94KB 18 11 2010 11 17 469 5KB Items per page 10 Displayed records 101 110 from a total
220. al number of messages checked by the plug in specified in the SRP NAMES macro RP_ CHECKED SIZE Total size of all messages checked by the plug in specified in the SRP NAMES macro RP_AGENT_STAT_UUIDS UUID of the switch used by Dr Web Agent for sending statistics to the Dr Web statistics server or to the central protection server the macro value is a Control Constructions n empty string if this option is disabled In the notification templates the following control constructions can be used 1 Custom Macro Declaration If required you can declare custom macros lt def NAME DATA gt directly in the template by using the following construction where NAME macro name without a character DATA new macro value Name of the macro can consist of characters in the a zA Z range A new macro value can be quoted The character that follows the back slash is treated directly that is you can use this character to add for example a back angle bracket character Example lt def MY MACROS lt my macros gt gt In this example the SMy MACROSS macro 2 Inserting External File Content that contains lt my macros gt is declared You can add the external file content to the template by using the following directive lt include FILENAME gt where FILENAME name and path to the file relative to the STEMPLATES DIR macro value File name and file path can
221. al settings are used when processing Otherwise the special settings are ignored e Statistics flag S enables or disables statistics gathering for the user group To enable gathering of statistics for an individual user set level of general statistics gathering to high Parameter search algorithm To determine a parameter value for a processed message the following algorithm is used e Parameter value is searched in Rules stored in the internal database and related to the message recipient the recipient is specified by the sender in RCPT TO e Parameter value is searched in Rules stored in the internal database and related to all groups of the recipient Viewing of the rules is performed in reverse order from rules of the last group in the list to the rules of the first one until the required value is found e Parameter value is searched in the Rules section of the main configuration file Ta J i ax Dr Web MailD Note the order of viewing Rules o All Rules in the currently viewed group are checked in the order they are specified o For each Rule the CONDITION part is checked If it is true the required parameter value is searched in the SETTINGS part of the rule o If the CONDITION is false the parameter value is searched in the next Rule o If the CONDITION is true and is followed by the cont directive the parameter value is searched in the next Rule If the stop directive is specified viewing of Rules st
222. alidation Users who have purchased Dr Web for UNIX mail servers from Doctor Web certified partners obtain the license key file Key files contain the following information which depends on the license type The license key file also contains information on the user and seller of the product For evaluation purposes users may also obtain a demo key file It allows them to enjoy full functionality of the Dr Web for UNIX mail servers solution but has a limited term of use and no technical support is provided License key file can be supplied as e a drweb32 key file license key for workstations or as a zip archive containing a license key file in case of purchasing Dr Web for UNIX mail servers as a standalone product e a zip archive which contains a key file for Dr Web Enterprise Server enterprise key and a key file for workstations agent key in case of purchasing Dr Web for UNIX mail servers as a part of Dr Web Enterprise Security Suite License key file can be received in one of the following ways e by email as a ZIP archive containing license key file with key extension usually after registration on the website Extract the license key file using an appropriate archiving utility and copy or move it to the directory with Dr Web for UNIX mail servers executable files default directory for UNIX systems is bin dir e within the distribution package e on a separate data carrier as a file with key extension In this case a u
223. alled to resolve dependences of some removed packages Please note that this command removes all unused packages from the system not only those of Dr Web for UNIX mail servers Ta 1 ax Installation and Uninstallation 45 You can also use alternative package managers for example rpmdrake to install or remove the packages Red Hat Enterprise Linux Fedora CentOS yum 1 Installation Add to the etc yum repos d directory the file with following content 32 bit version drweb name DrWeb stable baseurl http officeshield drweb com drweb el5 stable i386 gpgcheck 1 enabled 1 gpgkey http officeshield drweb com drweb drweb key 64 bit version drweb name DrWeb stable baseurl http officeshield drweb com drweb el5 stable x86_ 64 gpgcheck 1 enabled 1 gpgkey http officeshield drweb com drweb drweb key To install Dr Web for UNIX mail servers yum install lt package name gt 2 Deinstallation To remove Dr Web for UNIX mail servers yum remove lt package name gt To remove all installed packages from Dr Web use the following command in some systems it is required to escape the character with a backslash yum remove drweb Removal with the use of yum has the following features 1 The first variant of the command removes only the lt package name gt package but other packages which could be automatically installed on the package installation to resolve depende
224. ally 6 On the Finish screen click Close to exit setup Welcome Install Type Select Software Confirm Postinstall information Installation complete License Installing Finish Dr WEB 4 Ba Next Close Figure 11 Finish screen Using Console Installer Console installer starts automatically if the GUI installer fails to start If the console installer also fails to start for example if it is impossible to gain necessary privileges you can try to run the following command with root privileges 34 Ta J 1 ax Installation and Uninstallation 35 drweb mail product name version number OS name setup sh To install from console 1 Once the console installer starts the following dialog window opens user hostname This installation script will help you install DrWeb for Mail server Antivirus Antispam Do you want to continue YES no 2 If you want to install Dr Web for UNIX mail servers enter Y or Yes values are case insensitive otherwise enter N or No Press ENTER 3 If you chose to install Dr Web for UNIX mail servers installer suggests you to select the installation type user hostname Matin MpasKa Bug Monck TepmnHan CnpaBKa Select the installation type Dr Web for CGP Full installation Dr Web for Courier Full installation Dr Web for Exim Full installation Dr Web for Postfix Full installation Dr Web for QMail Full install
225. ameter is not specified the svar _dir ipc agent path is used If the switch is specified without a path configuration from Dr Web Agent is not requested timeout lt time period gt Description Set the maximum allowed time to wait for response from Dr Web Agent when requesting configuration E lt identifier gt Description Set the unique identifier of Sender used for mail dispatch If not specified the default Sender is used E env from lt address gt Description Set the message sender for the message envelope If not specified the parameter value is the name of the user under whose account the utility is launched If the username is not found the utility exits with a non zero error code 241 Ta J 1 ax Dr Web MailD P SS IE ONIN lt address gt Description Specify the From field value if the despatched email message does not have that field a ignore dot Description Instruct not to treat a string with the only dot character as a terminating symbol of message entry ExCEACt E nee TESS A OALS MES Description Instruct to add all message recipients from the To field to the recipients in the email envelope Example of mail dispatch with the use of the drweb inject utility cat var drweb msgs out failed 00000A59tNVvGZ8 drweb inject f sender domain rcpt domain This command instructs to send a message saved to the 00000A59tNvGz8 file and located in the msgs out
226. ameters in the Sender section of the Dr Web MailD configuration file Address usr local sbin sendmail Method pipe MailerName postfix In the Address parameter you can set the path to the sendmail program from Postfix package Once all the required parameters are specified you must start restart Dr Web MailD at first and then start restart Postfix All settings that configure operation of drweb milter with Sender and Receiver components are collected in the Receiver Sender and Milter sections of the Dr Web MailD configuration file and are described in the following sections of the current Manual Receiver section Sender section and Milter section When Dr Web MailD is working with Postfix mail system the following modules must be running in the system this is specified in mmc file of Dr Web Monitor e drweb notifier e drweb sender e drweb maild 342 Ta J 1 ax Dr Web MailD e drweb receiver Integration with Exim Integration instructions in this documentation are given for Exim version 4 xx If you want to use earlier versions of Exim 3 xx please refer to the corresponding documentation for example http www exim org index html When Dr Web MailD interacts with Exim mail system drweb receiver module acts as a Receiver component and drweb sender acts as a Sender component There are two possible methods to connect Exim mail system to Dr Web MailD e Connection by the
227. ample dc net cn sn sub cn e odbc postgres oracle mysql firebird sqlite the value is an SQL query to the database in the corresponding DBMS for ODBC to DSN data source SQL query is of the following format paraml val1 param2 val2 sql_request where sql_request is a text of SQL query to the database and param1 param2 and others are parameters from the lt DATASOURCE gt section of Dr Web MailD configuration file for the given Lookup lt DATASOURCE gt is name of used DBMS or ODBC and is always equal to prefix which is used in the given Lookup that is ODBC PostgeSQL Oracle MySQL Firebird SQLite From this section only those parameters can be specified for which this option is explicitly stated see description of the section parameters Pairs param value must be included only if it is necessary to override their values in the given Lookup query For parameters that are not specified values from the lt DATASOURCE gt section of Dr Web MailD configuration file are used Ta J i ax Dr Web MailD You can use special symbols as in the Lookup queries A Important notes 1 If a SELECT query returns records which contain more than one string query of the following type SELECT fieldl field2 FROM all strings returned by DBMS are assigned to Lookup values It is not recommended to use such queries because different DBMS can return such responses in dif
228. annot be delivered are sent to all specified addresses At that all of the addresses appear in the message body It is recommended to configure this parameter otherwise MailD notifications and reports will not be sent Please note that you can set several values to this parameter Default value AdminMail root localhost email address specified in the From header of MailD notifications and reports Please note that DSN is always sent with an empty sender s address field that is required by standards Thus this parameter is not used for DSN dispatching Default value FilterMail root localhost Language s used for generation of notifications and reports Listed languages must correspond to language files located in the directory specified in LngBaseDir Description of language file structure and their usage is provided here Plug ins always use the first language in this list Default value NotifyLangs en Log verbosity level of the subsystem that create reports based on templates The following levels are allowed e quiet error e alert SENEO e debug Default value TemplatesParserLogLevel info Log verbosity level of the Rule processor The followed levels are allowed e quiet e error alert SENEO e debug Ta J 1 ax MsgIdMap TSEN QuarantinePrefix string Dr Web MailID 152 Default value RulesLogLevel info Mapping of message identifier set
229. applied to the whole message for example pass Quarantine Mail messages are moved to Quarantine on request from any plug in or drweb maild module They are saved to the quarantine path def name directory where name is the name of the module which sent the request When a message is moved to Quarantine two files are created The first file is named name Its name is formed according to the FilenamesMode and FilenamesPrefix parameter values The file contains the original message body all _ symbols are replaced with symbols The second file is named name envelope and it contains the original message envelope in the following format e int4 t length of the sender s address e sN sender address e int4 t number of recipients e int4 t sN for each recipient where int4_ t is a 4 byte integer with a sign in network byte order 214 Ta J i ax Dr Web MailD If the value of the MoveAll parameter is set to Yes all messages processed by Dr Web MailD is saved to path def backup directory Besides saving the message body to the Quarantine directory the message is registered in the internal database and the following information is saved to it message envelope save time reason for move and so on Quarantine can be effectively managed via the control socket You can search send redirect remove and perform other actions with the Quarantine content Maximum period of time for messages to be stored i
230. ar drweb bases drw60012 vdb Ok virus records 3511 Loading var drweb bases drw60000 vdb Ok virus records 1194 Loading var drweb bases dwn60001 vdb Ok virus records 840 Loading var drweb bases drwebase vdb Ok virus records 78674 O O Loading var drweb bases drwrisky vdb Ok virus records 1271 Loading var drweb bases drwnasty vdb Ok virus records 4867 Total virus records 538681 Key file opt drweb drweb32 key Key file number XXXXXXXXXX Key file activation date XXXX XX XX Key file expiration date XXXX XX XX After displaying this report Dr Web Scanner terminates and command line prompt To scan for viruses or neutralize detected threats specify additional command line parameters By default Dr Web Scanner starts with the following parameters ar ha fl ml sd al ok These parameters are optimal for thorough anti virus protection and can be used in most typical cases If any of the parameters is not required disable it with postfix as described above Ta J 1 aX Dr Web Command Line Scanner Disabling scan of archives and packed files will significantly decrease an anti virus protection level because viruses are often distributed in archives especially self extracting archives attached to an email message Office documents Word Excel dispatched within an archive or a container can also pose a threat to security of your computer as they are vulnerable to macro vi
231. arameter 2 Configure at least one of the following parameters accordingly ExportStat logical ExportBlockObjectsStorage string Export statistics to storages specified in the corresponding parameters see below Default value ExportStat No List of parameters that configure export of statistics on blocked messages This data is saved immediately after a message is blocked but only if it was scanned by the anti virus module that is statistics is not exported if a message was blocked because of processing errors 161 Ta i ax Dr Web MailD Names of the table and fields in the database can be arbitrary but they must be of the same type as exported data Fields in the query must be ordered like in the database It is not necessary to use all available values in the query Text fields lt varchar_long gt must be enclosed in single quotation marks List of values that can be used in the query e number lt int gt unique message identifier q_name lt varchar_long gt path to the quarantined file where the message was saved if it was saved in Quarantine e virus name lt varchar long gt name of the blocked object found in the message e virus_code lt int gt code of the blocked object found in the message The list of codes o 1 infected o 2 virus modification o 3 suspicious cured deleted filtered skipped archive restrictions error
232. arameter from the General section For details on statistics format refer to Internal Statistics Statistics on thread pools of drweb sender and drweb receiver modules is saved to sender thr txt and receiver thr txt files respectively Statistics contain data on the current size of the pool number of active threads and queued connections It is recommended to increase the maximum allowed number of pools t_max when the number of queued connections pending is approaching to the number of active threads active Actual number of threads for example if counted with ps aHx command is always greater than the number specified in the pool settings That is because pool settings define only the number of processing threads but during operation helper threads are also created It is required to increase the maximum limit of threads with caution Before you change the setting estimate e Amount of used memory e Number of files and sockets to be open that is file descriptors e CPU power The greater the t_min value is specified determines the number of threads in a pool the more time is required by Dr Web MailD components to start and establish connections For example if Drweb anti virus plug in is used threads from the plug in thread pool establish connection with Dr Web Daemon on the plug in startup therefore time period which MailD core needs to start increases If the minimum number of threads in a component pool is to
233. arameter is used Global modification rules used by Dr Web Modifier can be specified only in the GLobalRules parameter in the plug in configuration file Modifier section Note that the GlobalRules parameter cannot be used in Message processing Rules and value of the LocalRules parameter cannot be specified in the plug in configuration file Modification rule format Any modification rule consists of the following parts lt Selection operator gt lt Conditional validator gt lt Action operator gt lt Action operator gt Note that operators in modification rules are separated by commas You can set more than one action operators Conditional validation can be absent Minimum required form of the rule includes a selection operator and an action operator Modification rules are always specified on a single line If it is necessary to split the rule on several lines specify the symbol an the end of the line immediately before the rule to split for example lt Selection operator gt lt Action operator gt lt Action operator gt As an action operator you can also specify an element fetch with its conditional validators and action operators 1 Selection operators Selection of items from the message is performed with the select lt element gt operator where lt element gt is a placeholder for the type of elements to be selected for analysis and processing The following types are available
234. arantine section settings for proper Quarantine operation are specified Path path to directory FilesMode permissions Path to the Quarantine directory Default value Path var_dir infected Permissions for files that are moved to Quarantine Default value FilesMode 0660 Ta yan A A Dr Web MailD 153 FilenamesMode Naming convention for files to be moved to Quarantine Sta Tei Randag e Std renaming quarantined files with mkstemp command FilenamesPrefix XXXXXX template is used where FilenamesPrefix is the prefix specified in the FilenamesPrefix parameter value and XXXXXX is a combination of random letters and digits e Tai renaming quarantined files according to TAI International Atomic Time ssec usec FilenamesPrefix XXXXXX template is used e Rand48 renaming quarantined files with lrand48 command FilenamesPrefix XXXXXXXX template is used Default value FilenamesMode Std FilenamesPrefix Prefix used to rename files which are moved to Quarantine j LLI LLI LLI LLI Terena The parameter value must not contain and characters Default value FilenamesPrefix maild AccessByEmail Permission to process requests to receive messages saved to logical Quarantine via control messages Control message must be sent to the email address specified in the FilterMail parameter value or in Rules with the special Subject header
235. ate servers of Dr Web Global Updating System Dr Web GUS can also store them within Izma archives When new viruses are discovered small files only several KBytes in size with database segments describing these viruses are released to provide quick and effective countermeasures Updates are the same for all supported platforms There are daily hot updates drwtoday vdb and regular weekly updates drwXXXYY vdb where Xxx is a version number of an anti virus engine and YY is a sequential number starting with 00 for example the first regular update for version 6 0 is named drw60000 vdb Hot updates are issued daily or even several times a day to provide effective protection against new viruses These updates are installed over the old ones that is a previous drwtoday vdb file is overwritten When a new regular update is released all records from drwtoday vdb are copied to drwXXXYY vdb and a new empty drwtoday vdb file is issued If you want to update virus databases manually you must install all missing regular updates first and then overwrite drwtoday vdb file To add an update to the main virus databases place the corresponding file to the directory with Dr Web for UNIX mail servers executable files var drweb bases by default or to any other directory specified in the configuration file Signatures for virus like malicious programs adware dialers hacktools and others are supplied in two additional files drwrisky vd
236. ate file name The full name is composed according to the following scheme file name is prepended with the respective prefix sender repts_ admin_ report or dsn file extension is substituted with msg The resulting file name e g sender file nameN msg is searched in the directory specified in the TemplatesBaseDir parameter value in the Notifier section Example NotificationNamesMap virus my virus archive my arch Address where the message must be sent The address is transmitted to Sender It is possible to specify several address separating them by the character similar to the Router parameter from the Sender section When using the SenderAddress parameter in Rules of the following type lt CONDITION gt cont SenderAddress address1 address2 address3 a message that satisfies lt CONDITION gt is sent to the first available address from the list That is if address1 is unavailable the message is sent to address2 and if that address is also unavailable to address3 This parameter can use the following special macros e CLIENT IP IP address of the client which sent the message e CLIENT PORT Port of the client from which sent the message e SERVER IP IP address served by Dr Web MailD e SERVER PORT Port on which the message was received by Receiver If Sender supports this parameter the component transmits the message to the specified address For example the following
237. ater the timeout is set to 5 seconds and cannot be changed In versions 8 12 and later this timeout can be changed in the description of the filter the C value Xdrweb milter S _ ADDRESS __ F T T C 1m S 5m R 5m E 1h Integration with Mail Postfix Main Operation Principles Dr Web MailD can be connected to Postfix in one of the following ways e In the after queue mode http www postfix org FILTER_README html advanced_filter e In the before queue mode http www postfix org SMTPD PROXY README html e Using Milter protocol http www postfix org MILTER_README html A Only Postfix version 2 3 3 and later can be used with Milter protocol Operation in After Queue and Before Queue Modes In the after queue mode Dr Web MailD interacts with Postfix in the following way 1 drweb receiver module Receiver component acting as an SMTP LMTP server receives a Ta J 1 aX Dr Web MailD new message from Postfix SMTP module and redirects it to drweb maild MailD core component for analysis 2 According to the analysis results the message is either sent to the mail system maybe as a modified copy or blocked in this case additional reports can be sent to the mail system 3 Redirecting messages to Postfix mail system is performed via drweb sender acting as an SMTP LMTP client which dispatches messages to smptd daemon For details on configuring filters for Postfix refer to the Postfix documentation which ca
238. ates for Dr Web Agent and perform additional configuration steps For details refer to the Dr Web Agent section Dr Web Engine and virus databases that are regularly updated Dr Web Updater implemented as a Perl script a component that provides regular updates to virus databases Dr Web MailD a component that provides processing of the mail traffic and integration of other Dr Web components with the Sendmail Postfix Courier Qmail CommuniGate Pro ZMailer and Exim mail transfer systems In addition to that this component can perform functions of a mail proxy that is direct checking of SMTP LMTP mail traffic Dr Web MailD can also operate as a part of anti virus network under control of Dr Web Enterprise Security Suite The component is delivered with a set of plug ins which are used for mail processing for example o Anti virus plug in Drweb using Dr Web Daemon o Anti spam plug in Vaderetro Dr Web Console for UNIX mail servers web management interface a Webmin built in module used for Dr Web for UNIX mail servers management and configuration via the web interface from any browser The following picture shows the structure of Dr Web for UNIX mail servers and its components 13 A AN V Aq A Introduction 14 MTA Administrator Dr Web Console Dr Web MailD Dr Web vamomp SH Dr Web Bases Dr Web Scanner Dr Web Updater DnWeb for UNIX mail servers Figure 1 Structure of Dr Web for
239. ation Dr Web for Sendmail Full installation Dr Web for ZMailer Full installation Custom Configuration ONYAUBWNrH Choose one configuration to install 1 To select a required mode enter the respective number and press ENTER 4 If you selected Custom Configuration specify required components to install Installation and Uninstallation 36 user hostname 16 Dr Web Mail Daemon Dr Web plugin v6 0 0 2 new 17 Dr Web Mail Daemon HeadersFilter plugin v6 0 0 2 new 18 Dr Web Mail Daemon Modifier plugin v6 0 0 2 new 19 Dr Web Mail Daemon VadeRetro plugin v6 0 0 2 new 20 Dr Web Mail Daemon Postfix connector v6 0 0 2 new 21 Dr Web Mail Daemon qmail connector v6 0 0 2 new 23 Dr Web Maild Web Interface v6 0 0 2 new 24 Dr Web Mail Daemon ZMailer connector v6 0 0 2 new 25 Dr Web Mail Daemon v6 0 0 2 new 26 Dr Web Monitor v6 0 0 3 new 27 Dr Web Antivirus Scanner v6 0 1 3 new w E E f 22 Dr Web Mail Daemon Sendmail connector v6 0 0 2 new E Ei EI mi ra 28 Dr Web Updater v6 0 0 4 new To select a package you want to install or deselect some previously selected package enter the corresponding package number and press Enter You may enter A or All to select all the packages and N or None to deselect all of the m Enter I or Install to install selected packages Enter 0 Q or Quit to quit the dialog All values are case insensitive Select To specify a
240. b Monitor starts only Dr Web Daemon Example for es_daemon conf file that contains settings for Dr Web Daemon component operation in enterprise mode Daemon MaxCompressionRatio 500 This line contains the value of MaxCompressionRatio parameter stored in Daemon section in Dr Web Daemon configuration file This parameter value is used when the suite is running in enterprise mode In this case Dr Web Daemon uses 500 as the threshold value of compression ratio To connect Dr Web for UNIX mail servers to the central protection server Dr Web ESS 10 1 Open agent mmc meta configuration file used by Dr Web Monitor for communication with Dr Web Agent and replace the specified binary file name drweb agent with drweb agent10 2 In es_monitor conf file specify components to be started int enterprise mode For that purpose edit the es _monitor conf accordingly The set of started components must be similar to the set of components started in standalone mode specified as the value of RunAppList parameter stored in Monitor section in Dr Web Monitor configuration file If more than one component must be started they are specified as a comma separated list Note that white spaces are not allowed Example Monitor RunAppList DAEMON MAILD As the component names here should be used the names specified in Application section of mmc files 3 If required configure parameters in es daemon conf file that is used by Dr Web Daemon respectiv
241. b and drwnasty vdb with the structure similar to virus databases These files are also regularly updated dwrxxYyy vdb and dwnXXYYY vdb are for regular updates and dwrtoday vdb and dwntoday vdb are for hot updates 84 Ta J i ax Dr Web Updater From time to time as new anti virus techniques are developed new versions of the anti virus package are released containing the updated algorithms implemented in the anti virus engine Dr Web Engine At the same time all released updates are brought together and the new package version is completed with the updated main virus databases with descriptions of all known viruses Usually after an upgrade of a package version new databases can be linked to the old Dr Web Engine Please note that this does not guarantee detection or curing of new viruses as it requires upgrading of algorithms in Dr Web Engine Being regularly updated virus databases have the following structure e drwebase vdb general virus database received with the new version of the package e drwXXXYY vdb regular weekly updates e drwtoday vdb hot updates released daily or several times a day drwnasty vdb general database of other malware received with the new version of the package e dwnXXXYY vdb regular weekly updates for other malware e dwntoday vdb hot updates for other malware e drwrisky vdb general database of riskware received with the new version of the package e dwr
242. b milter is operating drweb user by default to the trusted users list in submit cf file This can be done by adding the user to the list directly in submit cf and sendmail cf configuration files FEAE a aE aT aa a Ea a Trusted users HHHHHH HHH HH HEHEHE EHH Tdrweb Or by adding the following line to the submit mc file define conf TRUSTED USERS drweb Configuring Dr Web MailD All settings that manage operation of drweb milter with Sender component are collected in the Sender and Milter sections of the Dr Web MailD configuration file and are described in the following sections of the current Manual Sender section and Milter section Ensure that the SecureHash parameter value in the Sender section of the Dr Web MailD configuration file is specified arbitrary character string can be set as the parameter value recommended length is more than or equal to 10 symbols In addition Yes value must be specified for the UseSecureHash parameter in the same section These parameters configure addition of a special header X DrWeb Hash that prevents looping of a message when it is checked as the message can be added to the incoming email queue again if it was modified during the check When Dr Web MailD is working with Sendmail the following modules must be running in the system this is specified in mmc file of the Dr Web Monitor e drweb notifier drweb sender drweb maild e drweb milter Known Is
243. be installed in the system for example drweb daemon package requires drweb common and drweb bases packages they will be installed automatically If you install Dr Web for UNIX mail servers to a computer where other Dr Web products have been previously installed from EPM packages then at every attempt to remove a module via graphical installer you will be prompted to remove absolutely all Dr Web modules including those from other products Please pay special attention to the actions you perform and selections you make during uninstallation to avoid accidental removal of some useful components Installation from Distribution Package for UNIX Systems Dr Web for UNIX mail servers solution is distributed as a self extracting package drweb mail product name version number OS name run The following components are included in this distribution e drweb common contains the main configuration file drweb32 ini libraries documentation and directory structure During installation of this component drweb user and drweb group are created e drweb bases contains Anti virus search Engine Dr Web Engine and virus databases It requires drweb common package to be installed e drweb 1ibs contains common libraries for all the components of the suite e drweb epm6 0 2 1libs contains libraries for graphical installer and uninstaller It requires drweb 1libs package to be previously installed e drweb epm6 0 2 uninst contains files of g
244. be quoted The cha is you can use this character to add for ex Example lt include style css gt racter that follows the back slash is treated directly that ample a back angle bracket character In this example text from the st yle css file is inserted in the stead of the directive Ta J i ax Dr Web MailD 3 Conditional Operators You can use conditional operators in the templates The operators are defined as follows lt if NAME DATA gt TEXT lt if gt where NAME macro name DATA regular expression to check the macro value regular Perl expressions are used TEXT text to be inserted into the message if the condition is true The following two conditional operators are available e True if the macro value corresponds to the regular expression e True if the macro value does not correspond to the regular expression If a part of the construction in square brackets is not specified that is the condition is lt if NAME gt the construction is treated as lt if NAME gt Use of nested conditional operators is allowed for details see below If the operator includes the def directive to declare a new macro this macro is defined only if the conditional part is true At that a new macro value is saved and becomes available after the conditional operator is checked Example lt def N n123 gt lt if N gt N is not empty lt if
245. be specified inet or inet ssl if you use TLS SSL encryption The latter address type requires POP3S protocol to be used by the POP3 filter Default value ListenAddress inet 5110 localhost ServerTLSSettings TLS SSL TLS SSL settings for server communications over POP3 eti s oe Settings are separated by commas It is possible to connect as TSL SSL server only if a certificate and private key private _key_file are specified and inet ss1 socket is used Example ServerTLSSettings use sslv2 no private key file path to pkey certificate path to certificate Please note that the user whose privileges are used by the POP3 filter usually drweb user must have read access to the file with the certificate Default value ServerTLSSettings ClientTLSSettings TLS SSL TLS SSL settings for client communications over POP3 settings ge Settings are separated by commas Example ClientTLSSettings use_sslv2 no private key file path to pkey certificate path to certificate Please note that the user whose privileges are used by the POP3 filter usually drweb user must have read access to the file with the certificate Default value ClientTLSSettings IoTimeout Timeout for all input output operations with a client socket when time the operation is in progress Default value IoTimeout 60s Ta J N ys ProcessingTimeout time MinFilterItMaildimrectios numerical
246. ble license key files Default value Key sbin dir drweb32 key This parameter is used only if you have an email license for less than 50 addresses Specified file must contain a list of email addresses no more than specified by the license one email address per line for which both incoming and outgoing messages will be checked Aliases are treated as separate addresses Default value MailAddressesList etc dir email ini Output mode e Terminal console output e Quiet no output Default value OutputMode Terminal Allows to disable or enable daemon mode for Dr Web Daemon With Yes value specified Dr Web Daemon runs as a foreground process This parameter can be used for certain monitoring utilities for example Dr Web Monitor Default value RunForeground No User under which Dr Web Daemon operates It is strongly recommended to create a separate drweb user account which will be used by Dr Web Daemon and filters It is not recommended to run Dr Web Daemon with root privileges even though it may take less time to configure This parameter cannot be changed when reloading configuration using SIGHUP 75 Ta J 1 ys PidFile path to file BusyFile path to file ProcessesPool process pool settings OnlyKey Logiceul Dr Web Daemon Default value User drweb File to store Dr Web Daemon s PID and UNIX socket if it is enabled by the Socket parameter or port
247. bleFiles action ActionAdware action ActionDialers action ActionJokes action ActionRiskware action ActionHacktools action ActionInfectedMail action ActionInfectedArchive action Dr Web Command Line Scanner 64 Sets one of the following actions upon detection of a suspicious file Report Delete Move Rename Ignor Default value SuspiciousFiles Report Sets one of the following actions applied if an infected file cannot be cured use only if InfectedFiles Cure Report Delete Move Rename Ignor Default value IncurableFiles Report Sets one of the following actions upon detection of adware Report Delete Move Rename Ignor Default value ActionAdware Report Sets one of the following actions upon detection of a dialer program Report Delete Move Rename Ignor Default value ActionDialers Report Sets one of the following actions upon detection of a joke program Report Delete Move Rename Ignor Default value ActionJokes Report Sets one of the following actions upon detection of a potentially dangerous program Report Delete Move Rename Ignor Default value ActionRiskware Report Sets one of the following actions upon detection of a hacktool Report Delete Move Rename Ignor Default value ActionHacktools Report Sets one of the following actions upon detection of an in
248. blocked by Reputation IP Filter mark the address as trusted in the SessionRestrictions parameter and all the subsequent connections from this IP will be ignored by Reputation IP Filter Reputation IP filter allows assigning a score to the IP address according to the gathered statistics on connections and temporary blocking of this IP address if its total score is greater than a threshold value The following filters are available anti_dha errors_filter score filter Reputation IP Filter checks an IP address immediately after SessionRestriction check is performed and only if the address is not marked as trusted that is if the address is marked as trusted during SessionRestriction check the address is not processed by Reputation IP Filter Filters are listed using comma as a delimiter and checked in the order they are specified For each filter its name is specified first and then its parameters separated by spaces all these parameters are optional Parameters are set aS NAME VAL pairs there must be no white spaces between the value and equal sign General parameters for filters are described below u is a positive integer I is an integer D is a positive floating point number e min_msgs U minimum number of messages passed for check to MailD core After the value is exceeded a corresponding filter is activated If the value is set to 0 this parameter is ignored e min _errors U minimum number of errors registered o
249. box for incoming messages GlobalRules select mime headers Subject support problem if found select mime headers To company com if found redirect support company com endif pass endif select mime headers Subject price sale buy if found select mime headers To company com if found redirect sell company com endif pass endif select mime headers To company com redirect inbox company com pass Ta J i ax Dr Web MailD 6 Find and rename all attached executables GlobalRules select mime headers Content disposition filename exe or mime headers Content type name exe replace ex_ exe pass Work with String Values Note that it is required to consider encoding of the search text in all rules and plug in parameters that use a message header or body Values that are specified directly and not in Latin can match only if the search text encoding is the same as the encoding used in the configuration file If it is required to use values in another encoding insert a string transformed into the required encoding and coded using a transport code for example base64 The final string value must be of the following form lt source enc gt lt B Q gt lt coded text gt where e lt source enc gt source text encoding for example UTF 8 CP1251 e lt B Q gt indicator of the used transport encoding B ba
250. bsent initialization of Dr Web Daemon proceeds Dr Web Daemon enters daemon mode so all information about initialization problems cannot be output to the console and is logged to the log file Creation of a socket for interaction between Dr Web Daemon and other Dr Web for UNIX mail servers modules When TCP sockets are used there can be several connections loading continues if at least one connection is established When a UNIX socket is used Dr Web Daemon user account must have appropriate privileges to read and write from the directory of this socket User accounts for modules must have execution access to the directory and write and read access to the socket file Users do not have write permission for the default socket directory var run If the User parameter is specified adjust the Socket parameter and provide alternative path to the socket file If creation of the UNIX socket was unsuccessful initialization of Dr Web Daemon terminates Creation of a PID file with Dr Web Daemon PID information and transport addresses User account under which Dr Web Daemon is started must have appropriate privileges to write to the directory of the PID file Users do not have write permission for the default socket directory var run SO if the User parameter is specified adjust the PidFile parameter and provide alternative path to the PID file If creation of the PID file was unsuccessful initialization of Dr Web Daemon terminates Dr Web D
251. bug Log verbosity levels If allowed you can set one of the following log verbosity levels for a Dr Web for UNIX mail servers component the list is arranged in ascending order of detail o Quiet Logging is disabled o Error The component logs only fatal errors o Alert The component logs errors and important warnings o Warning The component logs errors and all warnings o Info The component logs errors warnings and information messages o Notice This mode is similar to the Info mode but the component also logs notifications o Debug This mode is similar to the Notice mode but the component also logs debug information o Verbose The component logs all details on its activity this mode is not recommended because a Ta J 1 ys Introduction large volume of logged data can considerably reduce performance of both the program and syslog service if it is enabled Each Dr Web for UNIX mail servers component can have different set of allowed log verbosity levels For information on available verbosity levels see description of the corresponding parameters Logging into syslog If you select the mode of logging information into syslog it is necessary to specify a verbosity log level and a message source label The label can be used by the syslog service for internal routing of messages to different logs Routing rules are configured in the syslog daemon configuration file usually the pa
252. by Dr Web for UNIX mail servers with an anti virus plug in Dr Web Agent can simultaneously process statistics on computer threats from several different Dr Web products which are able to interact with Dr Web Agent If Dr Web Agent is operating in the Enterprise mode you can view statistics on the special page of Dr Web Control Center In this case statistics gathered by Dr Web Enterprise Server is also sent to the Doctor Web statistics server as a summary of the Anti virus network statistics Statistics is available in both HTML and XML formats The second format is convenient if you plan to publish this statistics on another website since data in the XML format can be transformed according to the website concept and design To view aggregate statistics on computer threats for all supported servers visit http stat drweb com You can view a list of detected threats for all supported servers in descending order with overall percentage of detections A Appearance of the webpage can differ depending on the used browser The following figure shows threats statistics page cinema smell Dr WEB B TET cioba Ln Solutions Buy YY Download Information ti Partners Support gt Forums 4 About us Dr Web Virus Statistics Statistics Start date 8 w Oct e 2012 00 00 e Mail End date 9 e Oct e 2012 18 00 e Files 20 Dr WEB seat md han Top 50 Query fame eg z anuano
253. can be used for the following purposes to enable concurrent interaction with several MTAs or SMTP LMTP proxy to enable differentiation of settings for each Receiver Sender pair which allows using different settings for monitored interfaces to enable redirection of messages from one MTA to another i e for routing Note that functions of Sender and Receiver components can be performed by different executable modules for example not only drweb receiver module can be used as Receiver but also drweb milter or drweb cgp receiver depending on the used method of integration with MTA A complete list of modules and their roles Sender Receiver in Dr Web MailD are provided in the Used Modules section In the present section it is assumed that drweb sender module performs the role of Sender and drweb receiver module of the Receiver To enable simultaneous usage of several components 1 Assign a unique identifier to each Sender and Receiver component each element within the Sender or Receiver group must have a unique identifier but ID of a Receiver must match an ID of a Sender 2 Define the configuration source for each component 3 Assign the ID of the Receiver that got the message as a tag 4 After a message is processed drweb maild searches for an available Sender with the same ID as the Receiver s If not found the message is dispatched to the default Sender the only Sender with no unique ID specified which mus
254. case insensitive Example opt drweb update pl not need reload drwebd Blocking Updates for Selected Components You can configure Dr Web Updater to block updates to selected components of your Dr Web for UNIX mail servers To view the list of available components use the components command line parameter Example update pl components Available Components agent drweb frozen icapd frozen vaderetro_ lib If updates to a component are blocked that component is marked as frozen Frozen components are not updated when Dr Web Updater is started Ta J i ax Dr Web Updater 87 Blocking updates To block updates for specific component use the freeze lt components gt command line parameter where lt components gt s a comma separated list of components to be frozen Example update pl freeze drweb Updates for component drweb are frozen Run command updater unfreeze drweb to start updates again Unblocking updates To enable updates for a frozen component use the unfreeze lt components gt command line parameter where lt components gt iS a comma separated list of components to be unfrozen Example update pl unfreeze drweb Updates for component drweb are no longer frozen A Unfreezing will not update the component Restoring Components When Dr Web for UNIX mail servers components are being updated Dr Web Updater saves their back up copies to th
255. ce information Output format is as follows client idl group A 0 1 S 0 1 emails emaill email2 custom tagl infol tag2 info2 Interactive control socket commands for managing users and user groups Managing of users user groups and aliases is performed with special commands in which the following concepts are used e email user mail address according to RFC 5322 It can be enclosed in angle brackets lt gt or single quotation marks Address length cannot exceed 1024 bytes e client email pair of client id email values where client id for Dr Web MailD is always an empty string e emails list List of client email pairs Items are separated by whitespace e group Group name enclosed in single quotation marks If a group name does not contain spaces the quotation marks can be omitted If a group name is enclosed in single quotation marks symbol within the group name must be doubled for example It s a group name gt It s a group name Length of a group name cannot exceed 1024 bytes e client group pair client id group values where client id for Dr Web MailD is always an empty string e ext client group client id group client id similar to client group where client id for Dr Web MailD is always an empty string e group list List of client group Items are separated by whitespace e ext group list List of ext client group Items are separated by whitespace e RUL
256. cessary use the sudo or su commands Debian Ubuntu apt 1 Installation Debian repository is signed with the digital key It is necessary to import the key or correct operation To do this use the following command wget O httwp officeshield drweb com drweb drweb key apt key add Ta 1 ax Installation and Uninstallation 43 or curl http officeshield drweb com drweb drweb key apt key add To add the repository to your system add the following line to etc apt sources list file deb http officeshield drweb com drweb debian stable non free To install Dr Web for UNIX mail servers use the following commands apt get update apt get install lt package name gt 2 Deinstallation To remove Dr Web for UNIX mail servers use the following command apt get remove lt package name gt To remove all installed packages from Dr Web use the following command in some systems it is required to escape the character with a backslash apt get remove drweb To automatically remove unused packages from the system use the following command apt get autoremove Removal with the use of apt get has the following features 1 The first variant of the command removes only the lt package name gt package but other packages which could be automatically installed on the package installation to resolve dependences remain in the system 2 The second variant of the command removes from t
257. cessed by plug ins for a long time In this case it is not recommended to assign plug ins to the BeforeQueueFilters list as it slows down interaction with MTA when transmitting messages Moreover in this case errors can occur if the IpcTimeout parameter value the General section is too small less than the average time period required for message processing That might result in loss of messages they will not be delivered to the recipient and the sender will not be informed about that Rule Section Parameter values that are frequently used in Message processing rules SETTINGS part can be organized into named groups Each of the groups is present in the main Dr Web MailD configuration file as a section Rule lt group name gt where lt group name gt unique name of the setting group The name is case insensitive and can contain Latin characters numbers and white spaces Parameter values in each section are specified as lt Parameter gt lt Value gt pairs one parameter per line that is why it is not required to escape commas in parameter values Section ends when another section of the configuration file starts any section including one with settings of another named group or when the configuration file ends Settings specified in a named group can be used for any mail processing Rule with the rule lt group name gt directive see Rules of message processing In the current version of Dr Web MailD you can spe
258. cessing the error is only logged e exception generate an exception which is handled as a message processing error The handling method corresponds to the ProcessingError parameter value set for the module in operation of which this error occurred 203 Ta yan A A Dr Web MailD 204 The parameter value can also be locally overridden in a Lookup Default value OnError ignore To connect to ODBC data sources Dr Web MailD uses any library which supports ODBC version 3 0 or later The used library must be built with thread support It is recommended to use UnixODBC library version 2 0 or later If the specified host or database are not accessible connection is attempted to be established until timeout occurs the timeout value is specified for the connect_timeout parameter in the connection string After that an error is fixed and handled according to the action set for the OnError parameter SQLite Section In the SQLite section settings for interaction between Dr Web MailD and SQLite database are specified Database path to file SizeLimit integer Lib path to file BusyTimeout time in milliseconds SkipDomains LookupLite OnError ignore exception Path to the SQLite database file Default value Database Maximum number of strings received in response to a single database request When the parameter value is set to 0 maximum number of receive
259. ch value from the standard input e Sie Description Specify that only check for the searched object in the Lookup is required without getting the value the output can be one of the following FOUND or NOT FOUND depending on the query result Ta 1 aX Dr Web MailD Examples drweb lookup q q e e w q NOT FOUND drweb lookup q q e q q FOUND q drweb lookup q test drweb com e ldap displayName sub mail s FOUND test drweb com drweb lookup q test drweb com ldap displayName sub mail Ss notify virus block notify virus allow rcpt drweb ProcessingErrors pass drweb lookup q test drweb com odbc select rules from maild where a S s scan all drweb drweb inject Sending Mail The drweb inject utility allows delivery of local mail via Sender The utility receives a message body from standard input and returns 0 for success and not 0 if an error occurs The sent email message can be piped to the utility via conveyor for example as a cat command result or redirected to the standard output via lt The following command line parameters are available Delp Description Output short help information on the command line parameters to the console and exit version Description Outputs information on the utility version and exit agent lt file path gt Description Set the path to the socket of Dr Web Agent component to receive configuration by default if the par
260. cify no more than 1 rule parameter Number of user sections is not restricted All sections that contain named setting groups must be specified before the Rules section in the configuration file Example These lines declare MySettings section which specifies two parameters block MailD notifications and disable moving to Quarantine see description below Rule MySettings quarantine no notify block The following two rules specified in the configuration file use the section to set values of the quarantine and notify parameters Rules Rept regex example com cont rule MySettings Sender lol foo com amp amp block virl cont notify Skip allow notify Virus allow rule MySettings After that MailD notifications are blocked and messages sent to the example com domain cannot be moved to Quarantine If a message is sent from the 1o1 foo com address and the vir1 blocking object is found MailD notifications on detected viruses and skipped messages will be allowed for all types of notification recipients At that other notifications and moving files to Quarantine are blocked these settings are imported from the used MySettings group specified in the Rule MySettings section Section of default settings Main configuration file always includes section with default settings for those parameters that are not specified in the file their values can be set only in Rules This setting group has strictly defined name 159
261. cility Daemon FileName Path to the log file tin to Fil 1 s i ice ee a You can specify syslog as a log file name and logging will be performed by syslogd system service Default value FileName syslog Agent Section The Agent section contains general Dr Web Agent settings Agent MetaConfigDir Name of the directory where meta configuration files of drweb path to directory agent are located These files contain settings of interaction between Dr Web Agent and other modules of the Dr Web suite Meta configuration files are provided by Dr Web developers and do not need to be modified Default value MetaConfigDir etc dir agent Ta ww ys UseMonitor logical MonitorAddress address MonitorResponseTime numerical value PidFile path to file Server Section Dr Web Agent 97 Yes value indicates to drweb agent that Dr Web Monitor is used as a part of Dr Web for UNIX mail servers Default value UseMonitor Yes Socket used by Dr Web Agent for interaction with Dr Web Monitor the parameter value must be the same as the Address parameter value in the Dr Web Monitor configuration file Default value MonitorAddress local var_ dir ipc monitor Maximum time to get a response from drweb monitor module in seconds If Dr Web Monitor does not respond during this period Dr Web Agent considers drweb monitor not running and stops trying to establish connection with
262. cket Statistics is received with the use of special commands where the following common notions are used e email user mail address according to RFC5322 It can be enclosed in angular brackets lt gt or quotation marks Length of the address cannot exceed 1024 bytes e client email client id email where client id is always an empty string e group name of the group enclosed in quotation marks If the substring contains no spaces the quotation marks can be omitted If a quotation mark is used the character must be doubled Length of the group name cannot exceed 1024 bytes e client group client id group where client id is always an empty string When working with statistics consider that statistics on users and user groups is saved directly to the corresponding records of the internal database When data is saved and the most recent record exists in the database for more than five minutes a new record is created and further changes are saved to it As these commands work only with the internal database the most recent record with statistics on users and user groups contains information for the period from its creation to the current moment Commands for Working with Statistics Commands for working with statistics have the following general parameters e period period DATE1 DATE2 outputs statistics for the selected period including the time interval limits where o DATE1 lower limit of t
263. connected with the modules startup in one of the available ways logging to the file notifying via email startup of a custom program Notification methods used for various modules are set in the Dr Web Monitor meta configuration file mmc To start Dr Web Monitor in the automatic mode do one of the following e change the value of the ENABLE variable to 1 in the drweb monitor enable file for Linux and Solaris e add drweb monitor enable YES line to the etc rc conf file for FreeBSD Please note that if at the post install script runtime you select the Configure Services option in the conversation all services including Dr Web Agent will be started automatically Location of the enable files depends on Dr Web for UNIX mail servers installation type a Installation from the universal package for UNIX systems Files will be saved to etc_dir directory and have the following names drwebd enable drweb monitor enable Installation from native DEB packages Files will be saved to etc defaults directory and have the following names drwebd drweb monitor Installation from native RPM packages Files will be saved to etc sysconfig directory and have the following names drwebd enable drweb monitor enable Interaction with Other Suite Components Interaction with other suite components is performed with the use of Dr Web Monitor meta configuration files mmc files These files are included in packages of t
264. content of Content disposition headers is replaced select mime headers Content disposition filename exe or mime headers Content type name exe replace ex exe pass These commands cannot be applied to composite parts of a message That is the following modification rule has no effect to a message that contains a composite MIME object with two nested objects as Container shown in the figure above select message replace all text because composite objects do not contain any data they only serve as containers for other objects For replace and replace_all commands in the lt replacement expression gt and lt new_text gt arguments you can use function calls as func_name Argument for these functions is the current replacement expression The following functions are implemented o urlencode encoding the argument to a string that can be used as URL o self return the expression unchanged Example select mime headers Subject S replace all SPAM S self At the start of Subject heading the SPAM string is inserted For example This is Subj header is replaced with SPAM This is Subj Example select mime body replace http check url com url urlencode http S In the message body text that corresponds the specified template for example Visit http vasya com id 3 is replaced with Visit http check url com url http 3A 2F 2Fvasya 2Eco
265. correctness of the Lookup use drweb lookup utility and accessibility of the used data source If the Router parameter value is Lookup with OnError exception error handling mode this mode can be set in data source settings as well as locally overridden in Lookup value expression then if Sender cannot receive required route from the used data source this situation must be handled as an error in Sender An error message is logged In this case e in the synchronous mode Receiver returns 451 SMTP error code to the message sender Requested action aborted local error in processing and the processed email message is removed from all queues of Dr Web MailD e in the asynchronous mode the message is marked as stalled and Sender tries to send it at intervals specified in the StalledProcessingInterval parameter If an email message cannot be sent to any of the matching addresses the following actions are performed depending on the return code sent by the last MTA e Sender starts sending delayed messages after an interval specified in the SendingIntervals parameter This process is configured by the rules specified in the Router parameter If sending of delayed messages fails Notifier generates a DSN if allowed in the SendDSN parameter If special routes are not specified for the domain of the undelivered message sender the routes are specified in the Router parameter or in message processing rules this DSN is sent to the address specified
266. ctedNetworks parameter value and from domains specified in the ProtectedDomains parameter value Processing of other messages is paused for 5 seconds and 10 points are added to the score of these messages It is possible to gather statistics on each restriction to define the quantity of blocked messages and efficiency of the restriction To get the gathered data send the special signal to the drweb receiver process as described in the Signals section of the current manual To enable or disable statistics gathering use the RestrictionStat parameter see above in part 1 of this section 4 Check parameters for different SMTP sessions BlackNetworks Network black and white lists Look cepa These lists are used in trust white networks and WhiteNetworks reject black networks actions Lookup Syntax is similar to the one of the ProtectedNetworks parameter in the Maild section Please note that the parameter value is Lookup Default value BlackNetworks WhiteNetworks DNSBLList DNSBL server list This list is used in reject_dnsb1 action LookupLit Sc a Servers are checked one after another in the order they are specified in the parameter value until the message is blocked upon the server response that the IP address is a spammer or the list ends Accessibility of the servers is checked by requesting them to resolve special IP address 127 0 0 2 defined by the specification The server must return positi
267. cteristics 1 IMAP filter component Supports interaction with IMAP servers including the cache function This component is a proxy server between MailD core drweb maild and IMAP server MDA The component filters messages which the server sends to the user MDA IMAP server can run on the local computer as well as on a remote computer Functions of the component are performed by the drweb imap module Its settings are specified in the IMAP section of the main Dr Web MailD configuration file The IMAP filter component caches main message headers to speed up access to them Theoretically it is possible to run out of available memory and slow down filter operation by filtering large number of messages that are formed in a special way and contain a lot of headers To prevent this situation IMAP filter has MaxCachedHeadersPerMail setting that controls maximum total size of cached headers Note that if this value is too small names and types of MIME attachments can display incorrectly on users computers The filter is disabled by default To enable it uncomment the following string in the mmc file of Dr Web Moritor maild_ lt MTA gt mmc drweb imap local var drweb ipc agent 15 30 MAIL drweb drweb 2 POP3 filter component 331 Ta J i ax Dr Web MailD Supports operation with POP3 servers The component is a proxy server between MailD core drweb maild and POP3 server MDA The component filters messages which
268. d first scan Plugin1 invalid as A11 is missing before the plug in name Ta J i ax notify lt notification type gt allow block lt address types gt Dr Web MailD 249 This parameter configures different types of notifications If the value is set to allow sending notifications of the corresponding type is allowed If the value is set to block sending notifications of the corresponding type is blocked If the notification type is not specified this parameter value is applied to all notifications What notification types are available depends on what types are supported by Dr Web Notifier Additionally installed plug ins can add their own notification types By default the following notifications are available e notify Virus notifications on detection of a virus in a message e notify Cured notifications on cured viruses detected in a message e notify Skip notification on skipped messages e notify Archive notifications on messages that were not checked due to archive check restrictions e notify Error notifications on errors that occurred during message check e notify Rule notification on a message blocked by a Rule e notify License notifications on messages that were not checked due to licence restrictions e notify Malware notifications on detected malicious programs The parameter value can be followed by an optional modifier indicating what types of recipient s addres
269. d memory size is restricted only to the size of available memory Default value MaxCachedHeadersPerMail 64k Maximum number of messages to be cached during one session IMAP filter maintains cache of checked messages because IMAP protocol allows the client to perform lots of partial requests to one message In most cases requests are performed sequentially but if a user accesses several records it is necessary to cache more than one message If the value of this parameter is set to 0 which is strongly NOT recommended number of cached messages is unlimited Default value MaxLettersPerUser 6 Maximum amount of disk space to be occupied by cached messages Default value MaxDiskPerUSer 10m 195 Xa SAO Ke Dr Web MailD 196 N7 OnFilterErrors Action to be applied to the message when an error occurs before actions the message is transmitted to the drweb maild module Possible values are reject or pass Default value OnFilterErrors reject POP3 Section In the POP3 section settings for drweb pop3 module are specified the POP3 filter component used to intercept mail via POP3 protocol when working with mail clients ServerAddress Address used by the POP3 filter to connect to the POP3 server dd address Default value ServerAddress inet pop3 localhost ListenAddress A list of socket addresses used to receive requests from clients poe aces The following types of addresses can
270. d Modules Command Line Parameters Processed Signals Logging Internal Statistics RFC Standards Adjustment and Startup Dr Web MailD Configuration Files Special Parameter Types Lookup Lookup Usage Examples Lookup Usage Restrictions LookupLite Type Storage Data Type Sections of Main Configuration File General Parameters General Section Maild Section MailBase Section Notifier Section Quarantine Section Filters Section Rule Section Rules Section Stat Section Reports Section Logging Section Using SASL SASL Section Cyrus SASL Section MTA Connections Receiver Section 122 123 127 128 128 131 132 132 133 135 138 139 139 140 142 142 143 149 150 152 156 159 160 161 164 165 166 166 167 168 169 Ta J i ax Sender Section Courier Section CgpReceiver Section CgpSender Section Milter Section Qmail Section IMAP Section POP3 Section Data Sources LDAP Section Oracle Section ODBC Section SQLite Section Firebird Section PostgreSQL Section MySQL Section CDB Section Berkeley Section Internal Proxy ProxyClient Section ProxyServer Section Statistics Exporting Statistics Quarantine Using DBI Using Control Email Messages Migrating to New Quarantine Version Interactive Management General Management Commands User Group and Alias Management Commands for User Management Commands for Alias Management Commands for Group Management Wo
271. d in the message body and attach Dr Web Scanner report Default value HeuristicAnalysis Yes Dr Web Scanner process priority Value must be between 20 highest priority and 19 Linux or 20 other UNIX like operating systems Default value ScanPriority 0 File types to be checked by type i e when the ScanFiles parameter explained below has ByType value x and 2 wildcard characters are allowed Default value FilesTypes EXE COM SYS OV BAT BIN DRV ING BOO SCR CMD WD SEG IDilib WON DOR Sah a Wn ee Cl Ge Veo Le eee Re IPDS OBR Ibs ARLE IMD Re JUNIE IMIBIR IMIG CSC Clb IWR SiS Sisl IL SO Caimi INE Milly PRC ASE LSP MSO CBD THE tws Sve EME MPE O gt lt IDWAS CIP EMSC Jamil Notifies about files of unknown types Default value FilesTypesWarnings Yes Instructs to scan all files Al1 value or only files with the extensions specified in the FileType parameter ByType value Ta 1 ax ScanSubDirectories logical CheckArchives logical CheckEMailFiles logical ExcludePaths list of path file masks FollowLinks logical RenameFilesTo mask MoveFilesTo path to directory EnableDeleteArchiveAction logical InfectedFiles action Dr Web Command Line Scanner 63 The parameter can have the ByType value only in the local scan mode In other modes the value must be set to A11
272. d not to decrease the IPCTimeout default value If it is necessary to decrease the value ensure that it is commensurate with the time required for processing by all of the plug ins IPCTimeout value must be greater If the time out occurs during processing of a message it can be lost and not delivered to the recipient In this mode it is also assumed that no delays occur when Sender dispatches messages to the target MTA it must be available and correctly configured Features of operation with MTA via Milter protocol 1 If connection between Dr Web MailD and MTA is established via the Milter protocol the drweb milter module is used as Receiver returning of a checked message back to the MTA queue is configured by the CanChangeBody parameter value specified in the Milter section of the configuration file If some plug ins are assigned to the BeforeQueue that is the synchronous mode is selected the parameter CanChangeBody Yes and significant delays occur while message processing for example one of the plug ins does not finish message processing during the period specified by ProcessingTimeout then MTA receives SMTP response code specified in the ProcessingError parameter all mentioned parameters are specified in the Milter section of the configuration file When the synchronous mode is selected the parameter CanChangeBody No and a component Mai D core or Sender stops responding while processing a message MTA recei
273. d protocol is configured as a proxy to receive messages transmitted from MUA to MDA through the corresponding protocol Messages received from MUA are transferred to the target MDA it can be local or remote in relation to Dr Web MailD After a message is transmitted from MDA to MUA it passes through the filter component which sends the message for check to MailD core via the interface used by Receiver 4 MailD core checks the message using Processing rules and configured plug ins 5 If MailD core responds with the positive check result the message is transmitted further to MUA Otherwise instead of the requested message MUA receives a report on the detected threat This report is generated by Notifier If MailD core is enabled to send reports on detected threats the corresponding reports generated by Notifier are dispatched by Sender it sends the reports for final delivery to MTA that is specified in Sender settings Note the following restrictions when Dr Web MailD is used for checking messages via client protocols All used plug ins must be assigned to the BeforeQueueFilters queue that is message check in asynchronous mode when messages are saved to the storage is not allowed due to aspects of POP3 and IMAP operation redirect action must not be used in Rules and plug in settings as a message transmitted from MDA to the user s MUA cannot be redirected to another address Filter component chara
274. d right after the following line begin routers add the following description drweb router driver accept condition if eq received protocol drweb scanned 0 1 check local user retry use local part transport drweb transport If check of the recipients is necessary uncomment the check_local_user parameter Ta 2 1 ax Dr Web MailD 345 In the Exim configuration file find the section where transport is described It starts with the following header FEAE AEAEE AE E AE AE AEAEE AE AE AE EE AE FETE AEAEE HE TETEE TE EHE TRANSPORTS CONFIGURATION FEAE AEAEE AEE AE AE AE AE E AE AE AEAEE AE FEAE AEAEE HE TETEE TE EFE ORDER DOES NOT MATTER FERETE TEIE EEEE Tat a TETEE aa Only one appropriate transport is called for each delivery FEAE AEAEE AE E AE AE AEAEE HE ea a a aE a AE EFE FERETE TEIE EEEE You must add a description of the required transport to this section drweb transport driver lmtp socket ADDRESS _ 100 batch max timeout 5m user drweb headers add X Maild Checked DrWEB for Exim Where ADDRESS_ is the address of drweb receiver listening module the Address parameter in the Receiver section of the Dr Web MailD configuration file for example a UNIX socket var _dir ipc drweb_maild Then you must specify the path to Exim mail system in the Address parameter in the Sender s
275. d strings is not limited Default value SizeLimit 1 Path to the libsqlite3 so library Default value Lib usr lib libsqlite3 so Timeout for Dr Web MailD in milliseconds to make an entry to the database Default value BusyTimeout 2000 List of the domains for which query to the database is not required This parameter often allows to improve total performance and considerably reduce server load Please note that the parameter value is LookupLite The parameter value can also be locally overridden in a Lookup Default value SkipDomains Sets the mode of error handling errors that occur in Lookup when connecting to the specified data source Allowed modes e ignore ignore the error and continue message processing the error is only logged e exception generate an exception which is handled as a Ta J 1 ax Dr Web MailD 205 message processing error The handling method corresponds to the ProcessingError parameter value set for the module in operation of which this error occurred The parameter value can also be locally overridden in a Lookup Default value OnError ignore Note the following features of using SQLite DBMS e Every time when information is written to the database its file is locked So if more than one program is working with the same SQLite database file it is possible that a writing process cannot obtain exclusive access to the database during the time s
276. d user name see Lookup description Features of error processing If during message processing an error or event matching one of the constrains MaxScore MaxMimeParts LicenseLimit occurs the action specified in the corresponding parameter is applied e EmptyFrom MaxScoreAction LicenseLimit e ProcessingErrors Please be careful when specifying actions for these parameters Remember that 1 If one of the discard reject or tempfail actions is specified mail processing stops and a message is deleted without being delivered to its recipient When the discard action is selected the sender does not receive notifications if the message was rejected Alternatively to discard action reject and tempfail actions enable notifications to the sender upon message rejection Depending on the operation mode the sender can be notified with an SMTP response sent by Receiver in the synchronous mode or with a DSN sent by Sender in asynchronous mode 2 If the pass action is specified mail processing also stops but the message is transmitted for delivery without completion of the processing that is if some plug ins did not check the message they will not be called So if the event occurred before the message was saved to the storage while the message was processed by plug ins assigned to the BeforeQueue queue the message will be delivered in the synchronous mode otherwise when the message was processed by plug ins assigned to t
277. database dbname sql _ select SELECT password FROM users WHERE user Su r Note that it is not always necessary to create an authentication configuration file for Cyrus SASL If such a file is not created default authentication settings and default authentication data source are used Notification Templates Notification templates are represented as files which have the msg extension These files store an email message structure corresponding to RFC 822 and can contain different headers Template files are used by Notifier to generate service messages that can be one of the following types MailD notifications statistics reports and DSN notifications In addition to plain text you can also use macros in a template body by marking them with a character While a notification is generated from the template they are replaced with real macros Notification processing When Dr Web MailD is processing a message any plug in can request a notification on any event virus detection processing error message blocking Notifications are created by Notifier the drweb notifier plug in which generates a message and then sends it via Sender Moreover Sender can request Notifier to generate a DSN message for the sender notifying on a delivery failure All notifications and reports including DSN are generated from the templates which Notifier searches for in the directory specified in the TemplatesBaseDir parameter
278. ders drweb agent not working and tries to restart it If 0 is specified response time is unlimited Default value AgentResponseTime 5 113 Ta J 1 ys Dr Web Monitor Running Dr Web Monitor When Dr Web Monitor is started with the default settings the following actions are performed 1 Dr Web Monitor searches for and loads its configuration file If the configuration file is not found loading process stops Dr Web Monitor starts operating in the daemon mode So information about loading problems cannot be output to the console and thus is logged to the file Socket for Dr Web Monitor interaction with other Dr Web for UNIX mail servers modules is created If a TCP socket is used several connections can be established loading process continues if at least one connection is established If a UNIX socket is used it can be created only if the user whose privileges are used to run drweb monitor has read and write access to the certain directory If a socket cannot be created loading process stops PID file with information on drweb monitor process identifier is created If the PID file cannot be created loading process stops drweb monitor module starts other suite components If a module cannot load Dr Web Monitor tries to restart it If all Dr Web Monitor attempts to start the module failed Dr Web Monitor unloads all previously loaded modules and terminates Dr Web Monitor reports problems
279. des an encryption public key for access to Dr Web ESS If you are the anti virus network administrator you can locate the file in the corresponding directory on the Enterprise Server e Set the ServerHost parameter value to the IP address or host name of the Enterprise Server e Set the ServerPort parameter value to the Enterprise Server port number 3 To connect to the central protection server set the UserEnterpriseMode parameter value to Yes 93 Ta J i ax Dr Web Agent In the central protection mode some features and settings of Dr Web for UNIX mail servers may be modified and blocked in compliance with the general security policy A key file for operation in this mode is received from the central protection server Your personal key file on the local computer is not used To run Dr Web Agent in the central protection mode drweb agent es package must be installed To enable Dr Web for UNIX mail servers to fully support the central protection mode set Dr Web Monitor to operate in enterprise mode For more details see Operation Mode of Dr Web Monitor If settings of modules for interaction with MTA drweb courier drweb cgp receiver were updated on the central protection server send a SIGHUP Or STOP START signal to the modules for the update to take effect To use standalone mode 1 Ensure that all parameters in the StandaloneMode section of the Dr Web Agent configuration file by default setc_ dir agent conf
280. dresses parameter in the ProxyClient section on Serveri Server2 hosts specifies addresses of Server3 Server4 Server5 see the scheme above which are used by Proxy server components to receive requests 271 Ta J 1 aX Dr Web MailD The ProxyClientsAddresses parameter in the ProxyServer section on Server3 Server4 Server5 hosts specifies addresses of Serveri Server2 see the scheme above which are used by Proxy client components to receive requests Example ProxyServersAddresses inet 8066 10 3 0 73 10 inet 8066 10 3 0 72 5 In this case 10 3 0 73 host will receive twice as much mail messages as 10 3 0 72 host does 5 and 10 messages out of 15 respectively If the WEIGHT is not specified it is considered to be equal to 1 by default If several addresses have the same WEGHT they are considered equivalent and receive the same amount of requests If the WEIGHT is set to 0 such addresses are considered backup addresses Requests are sent to them only if no other available addresses with WEIGHTs equal to or greater than 1 are left General address selection algorithm looks as follows 1 Randomly selects an address according to weights than more weight the more probability to selection 2 Attempts to send a message to the selected address 3 If the message was sent successfully the algorithm ends Otherwise one of the following is selected e another address with the same weight if exist
281. drweb com gt lt alias_ai81 drweb com gt 828 20091117T100213 EICAR test e quarantine count range START NUMBER sort SORT_ TYPE sender EMAIL SUBSTR rcpt EMAIL SUBSTR period DATE1 DATEZ2 size SIZE subject SUBJECT SUBSTR id id like order ascent descent similar to the quaarantine search command but instead of the messages total number of found messages is output Output examples Quarantine count 234 e quarantine remove id like part of emaill part of email2 removes the specified recipients searched as a substring part of emaill part of email2 from the envelopes of the messages identifiers of which match id like all specified recipients must be present in the envelope If a message has no recipients left or the list for their removal is not specified the whole message is removed from Quarantine Examples quarantine remove backup drweb com gt All messages sent to addresses ending in drweb com are deleted from Quarantine and backup quarantine remove lt foo dwreb com gt lt foo2 dwreb com gt All messages sent to both foo dwreb com and foo2 dwreb com addresses are deleted from Quarantine and backup e quarantine limits outputs the current restrictions set for Quarantine Output format client id NUMBER MAX NUMBER SIZE MAX SIZI FJ eai total NUMBER MAX NUMBER SIZE MAX SIZI where o
282. drweb qmail Qmail mail Q drweb sender Sender SMTP LMTP drweb receiver Receiver proxy default E drweb sender Sender For details on integration between Dr Web for UNIX mail servers with MTA see Integration with Mail Transfer Systems Receiver Section In the Receiver section settings of the Receiver component module drweb receiver are specified This component is used in Dr Web for UNIX mail servers if the solution interacts with Exim Zmailer and Postfix mail systems if Postfix mail system does not use the Milter protocol or operates in the SMTP LMTP proxy mode 1 General parameters Address Address used by Receiver to receive messages ee Socket used for receiving messages is specified either TCP socket or UNIX socket Default value Address inet 25 0 0 0 0 PoolOptions Thread pool settings for Receiver pool options p P Default value PoolOptions auto RealClients Accept connections directly from clients logical 3 Default value RealClients Yes ProcessingErrors Action applied to messages when processing errors occur eo The parameter value can be one of the following actions tempfail discard reject Only one action can be specified Default value ProcessingErrors reject StalledProcessinginterval time Timeout to process stalled messages Stalled messages are messages got by Receiver but not processed in time and thus not sent to MailD core That can happ
283. dsn msg template to it with the following command cp dsn for exchange msg dsn msg That allows you to avoid reconfiguration of Notifier If you may need to use the standard dsn msg template in the future save its copy before the change Instead of using the command described above you can create a Rule that changes the NotificationNamesMap parameter value That allows avoiding the change of the template files Templates Available by Default By default Dr Web for UNIX mail servers is supplied with the following template files Ta 2 N ax Dr Web MailD 279 Templates of reports sent to the administrator ADMIN ARCHIVE msg ADMIN CURED msg ADMIN _ERROR msg ADMIN LICENSE msg ADMIN MALWARE msg ADMIN RULE msg ADMIN VIRUS msg Template for a report generated on detection of archives which cannot be scanned due to excess of limits set for archives in main configuration file drweb32 ini Template for a report generated on cure of an infected message Template for a report generated if Dr Web Daemon or plug in errors occur Template for a report generated when an email message cannot be checked due to license restrictions Template for a report generated on detection of malware in an email message Template for a report generated on rejection of a message due to a some rule Template for a report generated on detection of a virus in a message Templates of notifications sent to the message recipients
284. e body typical spam goto n 1 discard select mime headers Content disposition exe remove select message append text checked 2 Delete messages received from the specified users GlobalRules select mime headers From weirdohacker server net if found reject endif 3 Redirect messages received from the specified users GlobalRules select mime headers To someaddress my net com redirect anotheraddress my net com In this case original message is delivered to someaddress my net com user and copy of this message is delivered to anotheraddress my net com user If you do not need to deliver the message to the original recipient use the rule described below 4 Select messages by certain conditions redirect the selectes messages to the specified address and delete original messages in order not to deliver them to their original recipients GlobalRules select mime headers Subject Help if found select mime headers To someaddress my net com if found redirect anotheraddress my net com discard endif stop endif 5 Redirect messages received on the corporate mail box depending on the subject a Messages with subject satisfying to the expression support problem are redirected to technical support b Messages with subject satisfying to the expression price sale buy are redirected to sales department c All other messages are redirected to the main mail
285. e n where n is the score that VadeRetro assigns to a message The header is added only if the AddXHeaders parameter value is set to Yes e X Drweb SpamState b where b is Yes for spam and infected messages and No for non spam messages and DSN The header is added only if the AddXHeaders parameter value is set to Yes e X Drweb SpamState Num s where s is a message classification result s can take the following values 0 1 2 and 3 o s 0 this message is not spam os 1 this message is spam o s 2 this message contains a virus os 3 this message is a DSN This header is added only if Yes is specified for the AddxDrwebSpamStateNumHeader parameter of the vaderet ro configuration file e X Drweb SpamVersion version where version is the version of VadeRetro library This header is added only if Yes is specified for the AddVersionHeader parameter of the Vaderetro configuration file e X Spam Level z where zis a set of each of them equals to 10 score points assigned to a message This header is added only if Yes is specified for the AddxXSpamLevel parameter of the Vaderetro configuration file e X DrWeb SpamReason some text where some text is some encoded diagnostic message from the anti spam module It is necessary for improvement of the quality of spam detection This header is added only when the AddXHeaders parameter for this message is set to yes 300 Ta J i ax Dr Web MailD Moreover
286. e string Relative path to the file with the message e put_time timestamp Time of adding the message to the database e sender string Value of the From header enclosed in angle brackets e repts string List of recipients from the message header TO CC BCC Values are separated by commas and enclosed in angle brackets e body string Message body Please note that data types presented in the list must be replaced with similar data types that are available in the used DBMS integer varchar and others Filters Section In the Filters section general setting of Dr Web MailD plug ins are specified LibDir A directory with plug ins ath to directory tig 2 Default value LibDir bin dir maild plugins Settings Plug ins startup options BD eevee ano They are specified in the following format lt plugin_settings gt lt plugin_settings gt where e lt plugin settings gt is a string plugin name lt PARAM gt lt PARAM gt e lt PARAM gt is a pair setting name setting value Example Settings vaderetro max_size 400k log_level debug drweb max_size 10m For Vaderetro plug in maximum size of a message to scan is set to 400 Kbytes log verbosity level is set to debug for Drweb plug in maximum size of a message to scan is set to 10 Mbytes A full list of plug in options that can be specified in the Settings parameter is presented below All values
287. e 0 this message is not spam e 1 this message is spam e 2 this message is infected with virus e 3 this is DSN Default value AddXDrwebSpamStateNumHeader No R Add x Spam Level header to a message It consists of AddXSpamLevel symbols Moguscanl ce Each symbol means 10 score points For example message with 110 score points will get x Spam Level xxxxxxxxx header Default value AddxXSpamLevel No R Enable heuristic check for viruses by the VadeRetro library CheckForViruses feed ea Upon detection of a virus the library classifies the message to group 2 Default value CheckForViruses Yes Enable spam check for those messages that are classified by the CheckDelivery VadeRetro library as DSN messages of group 3 logical f ye ao If spam attributes are found the message is classified to group 1 Default value CheckDelivery No R Determines whether to add extra scores to a message with Cyrillic AllowRussian text if the value is set to yes the scores are not added F 1 l logical Default value AllowRussian Yes R Determines whether to add extra scores to a message with AllowCJK Chinese Japanese or Korean text or not if the value is set to logical Yes the scores are not added Default value AllowCJK Yes R A White list of sender addresses Sender addresses are taken from Return Path and From headers of an email message If an email message does not
288. e RejectCondition parameter is also true for the AcceptCondition parameter Thus for details on AcceptCondition refer to the RejectCondition parameter description provided above Default value AcceptCondition R The yes value enables processing of rules specified by the FilterParts RejectPartCondition and AcceptPartCondition logical parameters Default value FilterParts Yes R A Filtering rules that are similar to those for the RejectCondition RejectPartCondition and AcceptCondition parameters but affecting only headers of conditions attached objects AcceptPartCondition Also the following condition can be used FileName mask iconii ione where mask is a regular expression Filtration of messages according to these rules is possible only if Yes value is specified for the FilterParts parameter Default value RejectPartCondition AcceptPartCondition R A Set of missing headers to be used as a filtration condition e F Example MissingHeader To From Default value MissingHeader R Actions to be applied to filtered messages Action ae P F eee In addition to one mandatory action you can specify several optional actions Mandatory actions are pass tempfail discard reject Optional actions are quarantine redirect notify add header score Default value Action reject notify Ta 2 i aX Dr Web MailD 311 When a message is blocked reject by the plug in
289. e Removing screen you can review results of the uninstallation steps in real time Installation and Uninstallation 40 Welcome Removal Complete Select Software D Confirm TEE Running post remove commands 5 Removing Please remove entry about smb_spider in vfs objects from Removal of drweb smbspider is complete Dr Web Updater Copyright Doctor Web Ltd Removing restoring installed files Checking configuration files Removing empty installation directories G Removal of drweb updater is complete m gi J gt Dr WEB 4i Next gt Figure 15 Removing screen 5 Click Close to exit setup Using Console Uninstaller Console uninstaller starts automatically when graphical uninstaller fails to start To uninstall from console 1 Once the console uninstaller starts a dialog window opens user hostname Mann Mpaska Bug NMonck Tepmunan This script will help you remove Dr Web packages Do you wish to continue YES no If you want to uninstall Dr Web for UNIX mail servers enter yes otherwise enter no Press ENTER 2 Review the list of components available for removal Installation and Uninstallation 41 user hostname Man Mpaska Bug Monck TepmnHan CnpaBKa X 10 Dr Web VadeRetro antispam 6 0 0 2 a X 11 Dr Web Mail Daemon CommuniGate Pro connector 6 0 0 2 X 12 Dr Web Mail Daemon common files 6 0 0 2 X 13 Dr Web Mail Daemon Dr Web plugin
290. e Ss special symbol cannot be used You can use the following prefixes o value as well as for Lookups the value is directly specified after this prefix For example you can use this prefix when the value contains symbol Ta J i ax Dr Web MailD o odbc oracle these prefixes are similar to those for Lookups In SQL expressions it is possible to specify values to be saved in the following format name lt type gt where name name of the saved object each parameter has its own list of possible names type data type which is used for saving the parameter value in the storage postgres mysql sqlite firebird syntax is similar to the previous one with the following difference data type char lt length gt cannot be used for string data it is necessary to use varchar long SQL data type For interaction with databases in the corresponding DBMS the odbc oracle postgres mysql sqlite firebird prefixes are used with the parameters from the corresponding lt DATASOURCE gt sections of the Dr Web MailD configuration file Example odbc insert into plugin stat values plugin name lt varchar_ long gt size lt int gt num lt int gt Please note that quotation marks are required in this example because the query text contains commas Sections of Main Configuration File Dr Web MailD configuration file as any other configuration file of Dr Web for UNIX mail servers components
291. e address is accidentally repeated in the list In this case the total message score is increased by 5000 points each time the address from the Return Path and From fields is specified in the list for example if the address is found 3 times in the list the score will be increased by 15 000 points 2 If the sender s domain equals to the recipient s domain and the domain is specified in the black list as a wildcard lt domain gt the sender address is checked and message score is changed The same behaviour happens if the sender s address equals to the recipient s address and is specified in the black list Please note that the parameter value is LookupLite 304 Ta J 1 ax SpamThreshold 4MCJIOBOeE S3HAaAYeHNneE UnconditionalSpamThreshold numerical value Action actions UnconditionalAction actions R Dr Web MailD Default value BlackList The parameter value is a threshold for the total message score If the score of a message is greater than or equal to the specified threshold the message is identified as spam by Vaderetro plug in and X Drweb SpamState header is set to Yes If the message score is greater than or equal to the SpamThreshold parameter value but is less than the value of the UnconditionalSpamThreshold parameter see below the action specified in the Action parameter is applied and the text specified in the SubjectPrefix parameter is added to the message s
292. e administrator The notifications contain general statistics on the suite operation The template is contained in the report msg file e Service notifications on a message delivery failure DSN Notifications of this type have a certain format and are generated to notify the message sender on a Ta 1 ax Dr Web MailD delivery failure DSN is always sent to the message sender and has an empty FROM header The used template is contained in the dsn msg file In each case the Dr Web for UNIX mail servers component which requested notification sends information on the reason to the drweb notifier plug in All templates except for DSN templates support the following two message types by default HTML and plain text Type of the notification message is selected according to the html parameter value specified in the message processing Rules Note that MailD notifications and periodic administrator reports are sent from the address specified in the FilterMail parameter at that notifications as well as DSN are checked on matching the Rules Note that MailD notifications are dispatched to the message recipients message senders and the administrator by Notifier as a message sent from the address specified in the FilterMail parameter value Service notifications DSN always have an empty From field Name of a template file can be changed depending on certain criteria For that purpose the NotificationNamesMap parameter is used in
293. e and startup privileges Notification type defines where notifications on component failure are sent When MAIL value is specified notifications are sent by mail when LOG value is specified information is only logged to the file Startup privileges defines a group and a user whose privileges are used by the component Example of mmc file for Dr Web Daemon Application DAEMON FullName Dr Web R Daemon Path opt drweb Depends AGENT Components name args MaxStartTime MaxStopTime NotifyType User Group drwebd a local var drweb ipc agent foreground yes 30 10 MAIL drweb drweb EndComponents EndApplication Example of mmc file for Dr Web MailD Application MAILD FullName Dr Web R MailD Path opt drweb Depends AGENT Components name args MaxStartTime MaxStopTime NotifyType User Group drweb notifier local var drweb ipc agent 30 30 MAIL drweb drweb drweb sender local var drweb ipc agent 15 30 LOG drweb drweb drweb maild local var drweb ipc agent 120 30 MAIL drweb drweb drweb receiver local var drweb ipc agent 15 30 MAIL root drweb EndComponents EndApplication Ta yan A A Dr Web MailD Dr Web MailD Dr Web MailD is a group of interacting software modules These modules execute receiving processing scan for viruses and spam and resending to end user MUA or MTA of email messages Dr Web MailD can operate as e a proxy server for SMT
294. e command line of drweb zmailer module are described in Command line parameters section Integration with Courier 352 Aq P A yan Dr Web MailD 353 Configuring Courier To connect Dr Web MailD to Courier mail system do the following 1 Set privileges for drweb courier module with the following commands chown COURIER USER drweb bin dir drweb courier chmod 6771 sbin dir drweb courier where COURIER US ER is a user with whose privileges Courier is started Also ensure that read write and execution permissions are set for all directories and subdirectories in svar dir directory for the drweb group Copy drweb courier module or create a symbolic link to Courier filters directory by default itis usr local libexec filters Register drweb courier module in the Courier mail system as global usr local sbin filterctl start drweb courier Later to disable the filter use the following command usr local sbin filterctl stop drweb courier 4 Create or edit enablefiltering file to set services to perform check esmtp or uucp if more than one is specified they are separated with white spaces 5 Ensure that the BaseDir and SocketDirs parameters in the Courier section of the Dr Web MailD configuration file correspond to the configuration of the used Courier mail system For more information use the following command man courierfilter 6 Enable filtering
295. e data addresses of all its recipients to consider the data while checking the message for spam It is to be sent in reverse direction in reply to the checked messages with the Reply to header If the value is set to ves reply cache storage is used Default value UseReplyCache R Time period to store data on a message in reply cache if the sender s address is in the ProtectedNetworks list Maild section of the main Dr Web MailD configuration file ProtectedNetworkReplyCacheLifeTime time If an added address is already in reply cache the entry is updated Default value ProtectedNetworkReplyCacheLifeTime R Value that must be added to the current message score if the ReplyToProtectedNetworkScoreAdd message sender is in reply cache numerical value The added value can be negative to decrease the score If you want to disable this function specify 0 as a value of this parameter Moreover if reply cache is disabled that is UseReplyCache No the sender will never be found there and any value specified for this parameter in fact is not used Default value ReplyToProtectedNetworkScoreAdd When a message is blocked reject by the plug in in the synchronous mode Dr Web MailD response to a client contains SMTP code 55 or 250 depending on the ReturnReject parameter value in the Receiver section and a text message which content is determined by values of the parameters described below Their
296. e interaction is restricted to the value of the IPCTimeout parameter defined in the General section of the configuration file When operating in the synchronous mode this parameter also restricts time limit for interaction between the MailD core and Sender components The drweb milter module uses the maximum value out of those set for the IPCTimeout and ProcessingTimeout parameters in Milter section 2 When operating in the asynchronous mode the received email message is saved to the internal queue of Dr Web MailD After that Receiver immediately responses with the 250 SMTP code indicating that the email message is queued Dr Web MailD transmits the message to Sender which dispatches it further In case of channel latency or if the component cannot connect to the target mail server Sender delays dispatching of the message In this mode time limit restricted by the ILPCTimeout parameter value must be commensurate with the average time of message processing by all of the plug ins 3 When operating in the synchronous mode Receiver does not respond to the sender until the 120 Ta J i ax Dr Web MailD email message is processed by all of the plug ins and dispatched further by Sender If the time exceeds the value ofIPCTimeout 1 second drweb milter uses the greater value out of the IPCTimeout and ProcessingTimeout parameters and Sender did not dispatch the message the component skips all attempts to connect to the target
297. e main menu Login awe ae A webmin is H Search System hostname Operating system Ubuntu Linux 9 04 GY System Information Webmin version 1 480 Refresh Modules Time on system Wed Aug 26 17 04 30 2009 Logout Kernel and CPU Linux 2 6 28 15 generic on i686 System uptime 2 days 4 hours 33 minutes CPU load averages 0 10 1 min 0 14 5 mins 0 20 15 mins Real memory 1002 62 MB total 686 21 MB used Virtual memory 2 86 GB total 478 05 MB used Local disk space 180 56 GB total 15 51 GB used Figure 26 Dr Web console for UNIX Mail Servers module If you use Webmin 1 680 or later you should also add the following line to its configuration file usually this is the file etc webmin config no content security policy 1 Basic Configuration To open general settings of Dr Web Console for UNIX mail servers click Module configuration link on the top pane of the corresponding tab On the open page you can specify the used mail system Dr Web Console for UNIX mail servers 360 path to the configuration file path to the init script and mail sending script default email address inserted to the From field of notifications on Dr Web for UNIX mail servers and operation mode Configuration For module Dr Web console for Unix mail servers Configurable options for Dr Web console for Unix mail servers Dr Web console for Unix mail server settings MailD MTA postfix MailD platform linux
298. e message select a root MIME object that is a whole message Ta yas A A Y Dr Web MailD 314 e mime lt SEGMENT gt mime lt SEGMENT gt lt name gt lt regular expression gt select MIME objects or their content from the specified segment Difference between syntax with brackets and syntax with a dot is the following argument in brackets selects actual_objects that contain elements in the specified segment argument with a dot only elements of these objects certain headers text of the prologue body content and others You can set the following values as a lt SEGMENT gt o headers header area of the MIME object o prologue prologue area of the MIME object o body body area of the MIME object content o epilogue epilogue area of the MIME object You can specify the following additional parameters o lt name gt name of the search header Specify only if the value of lt SEGMENT gt is set to headers o lt regular expression gt template for search for example template that matches the header or text of the element Example The following command selects content of all video fragments from the message select mime headers Content type x video The following command selects information on type of data from all video fragments value from the header select mime headers Content type x video In a header for compatibility w
299. e modules Modules can also be installed from RPM files if supported by your operating systern j Systern Information Install Module Refresh Modules Install from G a Logout From local file rr From uploaded file O6s0p_ C From fip or http URL Standard module from www webmin com Third party module from z Ignore iepondandat AO YARIN Choose File Mozilla Firefox 6 xJ Grant access to Grant access only to users and groups Qa u i Grant access to all Webmin users install Module Directory of bin 4kB 04 aug 2009 09 56 boot 4 kB O7 Aug 2009 11 21 Retum to Webmin configuration 0 pren A SOT TRADED a sev 369kB 24 Aug 2009 12 31 drweb 4 kB 20 aug 2009 12 18 a 12kB 26 Awg 2009 16 28 E home 4kB 01 Ju1 2009 16 18 B intrd img 722MB O7 Aug 2009 11 21 GB intrdengolg 721MB 08 Ju1 2009 20 21 S za rom ly Figure 25 Webmin modules 3 After you click an item from the list path to this item is added to the field below If you click the item twice the folder opens With the second click on the previously selected file navigation window closes and the full path to the selected file appears in From local file text field You may also click OK after you select a required file 4 After you select an installation package file click Install Module 5 When the installation completes a link to the new Dr Web Console for UNIX mail servers module appears in the Servers section of th
300. e original address Rule settings are output in the following order at first user settings and after them group settings in the order reversed to the group sequence When compiling the rules activity settings for the group and users is considered Output format client id1l1 emaill A activel S statl name namel aliases aliasl alias2 groups groupl group2 rules 1 rulell 2 rulel2 custom tagl anfol tag2 info2 client id2 email2 A active2 S stat2 name name2 aliases aliasl2 alias22 alias for email2 groups group3 rules 1 rule21 2 rule22 custom tag21 info21l tag22 info22 groupN may be enclosed in single quotation marks if the group name contains spaces Output format for alias client idl emaill aliases alias for email email search range START NUMBER email part of email name part of name ignore alias nonalias search by address or part of the address It outputs the addresses starting with START numeration begins with 0 in quantity of NUMBER elements If the START and NUMBER values are not specified all found addresses are output If START or NUMBER are negative an error is output If values of START or NUMBER exceed the number of found addresses their values are treated as not limited thus for unlimited START addresses are output from the first one in the list for unlimited NUMBER all addresses in the list are output o part of email substring i
301. e selected as a delimiter is inserted into the notification 284 Ta yas A A Y Dr Web MailD 285 Loop processing consists of the following steps 1 For each selected NAME the following text is generated lt def NAME LIST_VAL gt TEXT DELIM where LIST VAL next value selected from LIST and TEXT text specified in the loop body 2 For this text a syntax analyzer is called and the outcome of its operation is placed immediately after the lt for gt label 3 This operation is performed for each selected value from LIST 4 Loop construction is removed from the generated notification and syntax analyzer starts parsing the result text Example lt def RCPTS root localhost test mydoamin com gt lt for RCPT RCPTS gt lt a href mailto RCPT gt S RCPTS lt a gt lt for gt The result text is the following lt a href mailto root localhost gt root localhost lt a gt lt a href mailto test mydoamin com gt test mydoamin com lt a gt All key words def if and for are case insensitive Template Example The following example demonstrates a template used for generation of reports on plug in operation The template supports both HTML and PLAIN formats Ta J i aX Dr Web MailD 286 From DrWeb PRODUCT lt SFILTER MAILS gt To R_MATLS Subject Report from Dr Web PRODUCTS per period of R_PERIODS Content Type multipart mixed boundary 001 Dr
302. e specified in this parameter first action is mandatory others are optional Mandatory action can be one of the following pass discard reject tempfail Ta J 1 ax MaxMimeParts numerical value MaxNestedMimeParts numerical value LicenseLimit actions EmptyFrom actions Dr Web MailD 145 Additional actions can be the following quarantine redirect add header score If reject action is specified and value of the UseCustomReply parameter is set to yes the SMTP response is taken from the ReplyMaxScore parameter see below After all actions are applied message check is considered finished Default value MaxScoreAction reject Maximum number of MIME parts in a message If the value is set to 0 check is not performed If the number of MIME parts in a message exceeds the specified threshold value its processing is aborted and actions specified in the ProcessingError parameter are applied to the message see below Default value MaxMimeParts 1000 Maximum number of nested MIME parts in the message If the value is set to 0 check is not performed If the number of nested MIME parts in a message exceeds the specified threshold value its processing is aborted and actions specified in the ProcessingError parameter are applied to it see below Default value MaxNestedMimeParts 100 Actions applied to messages that were not scanned because of license limitations M
303. e width 100 gt lt tr gt lt if RP BLOCKED OBJECTS WITH NUM AND PERCENTS gt lt if RP BLOCKED OBJECTS NUM 0 gt lt td valign top gt lt table width 300 cellpadding 5 cellspacing 0 class statistic id statistic2 gt id RP_NAMES lt tbody gt lt tr gt lt th colspan 2 class Statisticheader gt lt if RP BLOCKED OBJECTS NUM 1 gt SLC544S lt if gt lt if RP_ BLOCKED OBJECTS NUM 1 gt LC545 SRP BLOCKED OBJECTS NUMS SLC546S8 lt if gt lt th gt lt tr gt lt tr gt lt td gt S RP_BLOCKED OBJECTS WITH NUM AND PERC ENTSS lt td gt Xa Wy Dr Web MailD 287 lt tr gt lt tbody gt lt table gt lt td gt lt if gt lt if gt lt if RP SENDERS ENVELOPE WITH NUM AND PERCENTS gt lt if RP_SENDERS_ ENVELOPE NUM 0 gt lt td valign top gt lt table width 300 cellpadding 5 cellspacing 0 class statistic id statistic gt lt tbody gt lt tr gt lt th colspan 2 class sStatisticheader gt lt if RP SENDERS ENVELOPE NUM 1 gt SLC547S lt if gt lt if RP SENDERS ENVELOPE NUM 1 gt LC545 SRP SENDERS ENVELOPE NUMS LC548 lt if gt lt th gt lt tr gt lt tr gt lt td class re
304. e working directory It enables you to restore any component to its previous state if any problem occurs during an update To restore component to its previous state use the restore lt components gt command line parameter where lt components gt is a comma separated list of components to be restored Example update pl restore drweb Restoring backup for component drweb Updates for component drweb are frozen Run command updater unfreeze drweb to start updates again Backup for component drweb has been restored Dr Web R restore details Following files has been restored var drweb bases drwtoday vdb var drweb bases dwntoday vdb var drweb bases dwrtoday vdb var drweb bases timestamp var drweb updates timestamp A Restored components are automatically frozen To enable updates for a restored component unfreeze it Configuration Dr Web Updater settings are stored in the Updater section of the configuration file drweb32 ini by default which is located in setc_ dir directory Ta 1 ax UpdatePluginsOnly logical Section Daemon Scanner ProgramPath path to file SignedReader path to file LzmaDecoderPath path to directory LockFile path to file CronSummary Logica DriFile path to file Dr Web Updater Section Updater If yes value is specified Dr Web Updater does not update Dr Web Daemon and Dr Web Scanner It updates on
305. eaders and content It is also possible to select a part of a message for individual processing The following figure shows hierarchy structure of a message with nested objects H Hears Header value Header value Body e a oe Prologue Part 1 Content headers Content e Part N Content headers Content e Epilogue Figure 19 Hierarchy structure of a message with nested objects Message consists of the following parts 1 At the top level a message is divided into Headers and Body 2 If the message body content is of multipart MIME type the body is a composite object with the following parts o Prologue text inserted into the body before the first nested MIME object This text is not displayed in MUA supporting MIME multipart and is usually absent o Epilogue text inserted into the body after the last nested MIME object This text is not displayed in MUA supporting MIME multipart and is usually absent o If the message body consists of several parts each of these parts is treated as a separate MIME object with its own set of headers usually they are content headers such as Content type Content description Content disposition and others its own content and in some cases a prologue and epilogue MIME objects can also be composite that is be of the multipart type Otherwise a message body is treated as a whole object that does not contain nested parts a prolog
306. earch to addrl search to addr2 searches for email messages with envelopes that contain addr1 or addr2 addresses Example drweb qcontrol search from from drweb com search to to drweb com search headers Subject SPAM search inbody spam finds all quarantined email messages sent by from drweb com or sent to to drweb com or topic of which contains the SPAM string or body of which contains the word spam Note that if parameters of the utility contain a search criterion and a list of file identifiers the search will be performed within these files the search conditions are combined in a conjunction AND drweb qcontrol stat search from ai 5 def backup outputs statistics on all archived messages to the console the messages which identifier corresponds to the specified def backup template sender of whichis ai 5 1 def backup 5 00014F95 DW SHOT PRODUCT 1LXzgl from ai 5 to to drweb com time 2008 8 14 15 1 46 Ta 1 ax Dr Web MailD 240 drweb lookup Lookup Validation The drweb lookup utility allows validation of Lookup search results specified in the Dr Web MailD settings The utility is launched with the following command drweb lookup parameters lt query gt where lt query gt different types of Lookup used for the search and parameters command line parameters The following command line parameters are available In help Description Output short help i
307. eb Daemon operation is performed independently of it Running Dr Web Scanner You can run Dr Web Scanner with the following command bin_dir drweb If bin dir directory is added to the PATH environment variable you can run Dr Web Scanner from any directory However doing so as well as making a symbolic link to Dr Web Scanner executable file in directories like bin usr bin etc is not recommended for security reasons Dr Web Scanner can be run with either root or user privileges In the latter case virus scanning can be performed only in those directories where the user has read access and infected files will be cured only in directories where the user has write access usually it is the user home directory SHOME There are also other restrictions when Dr Web Scanner is started with user privileges for example on moving and renaming infected files When Dr Web Scanner is started it displays the program name platform name program version number release date and contact information It also shows user registration information and statistics list of virus databases and installed updates Dr Web R Scanner for Linux v6 0 1 February 19 2010 Copyright c Igor Daniloff 1992 2010 Support service http support drweb com To purchase http buy drweb com Program version 6 0 0 10060 lt API 2 2 gt Engine version 6 0 0 9170 lt API 2 2 gt Loading var drweb bases drwtoday vdb Ok virus records 1533 Loading v
308. eb Engine version 6 0 2 or later e Installed Perl 5 8 0 or later for Dr Web Updater Dr Web for UNIX mai servers hardware requirements are the same as requirements for the command line interface of the compatible operating system Installation requires 190 megabytes GUI installer of Dr Web for UNIX mail servers requires X Window System Execution of interactive configuration script in graphical mode requires xterm or xvt terminal emulators In addition to that the following packages must be installed in your system e base64 unzip e crond For successful installation of Dr Web for UNIX mail servers in FreeBSD OS version later than 8 0 the compat7x library is required Depending on the range of problems to be solved by Dr Web for UNIX mail servers and operational load meeting additional hardware requirements can be necessary 17 Ta N ax Introduction 18 Compatibility with Linux Distributions Dr Web for UNIX mail servers solution is compatible with x86 and x86 64 Linux distributions Requirements for kernel versions and glibc library depend on the type of the installation package e Universal package for UNIX systems Linux x86 o kernel version 2 4 x glibc version 2 2 not recommended and later OR o kernel version 2 6 x glibc version 2 3 and later e Universal package for UNIX systems Linux x86 64 o kernel version 2 6 x glibc version 2 3 recommended and later e Native RPM distribut
309. eb MailD 208 Default value DB Name of the host used by MySQL database Default value Host localhost Port used to connect to MySQL database It is also required to specify a prefix that indicates the socket type TCP or UNIX Example When TCP socket is used Port tcp 1234 When UNIX socket is used Port unix path to socket Default value Port Number of simultaneous connections to the MySQL database When the parameter value is set to 0 connections are created as a query to the database is performed it usually takes additional time Connections opened in advance can service database queries in turn without consuming time for reconnection Default value Connections 4 Maximum number of strings received in response to a single database request When the parameter value is set to 0 maximum number of received strings is not limited The parameter value can also be locally overridden in a Lookup Default value SizeLimit 10 Path to libmysqlclient so library Library must be built with thread support Default value Lib usr lib libmysgqlclient r so List of domains for which request to database is not required This parameter often allows to improve total performance and considerably reduce server load Please note that the parameter value is LookupLite The parameter value can also be locally overridden in a Lookup Default value SkipDomains Ta i ax Dr
310. ebugging Log File Conificate Authorty Start at boottime j Yes C No Change this option to control whether Webmin is started at boot time or not If t is not Currently started at boot and Yes is chosen a new init script will be created Reston Webmin Click this button to re start the Webmin server process This may be necessary if you have recently upgraded Pert Submit OS Information Clicking this button will send information about your operating system and Perl version to the Webmin developers This data will be strictly anonymous and will provide information about which operating systems to best focus the development of Webmin on Retresh Modules Re check all Webrnin modules for installed servers and update those that appear in the Urrused modules category Figure 24 Webmin configuration To install required modules 1 Click the Browse button near the From local file text field on the Webmin Modules page A new browser window opens to provide navigation through folders and files 2 Choose the corresponding installation package from the list Sbin_dir web drweb maild web wbm gz_ by default Ta 1 ax Dr Web Console for UNIX mail servers 359 Login Module Index i oe Webmin Modules Webmin Configuration Sines 9 Install Clone Delte Export Search a Webmin modules can be added after installation by using the form to the mght Modules are typically distributed in vbr files each of which can contain one or mor
311. eceived from GROUP LIST Or RULES http www communigate com CommuniGatePro Transfer html add the following setting to the rule Submit Address not in GROUP LIST RULES To set the rule select the checked field type and comparison operator from the drop down list and enter the checked value in the text field 2 When a message is uploaded through PIPE the authenticated flag can be lost Thus if some plug ins are assigned to the AfterQueueFilters queue add the following setting to the rule Any Recipient not in alldomains main domain all where main domain is the main domain of the CGP server For information on advanced settings for example enabling or disabling filtering for a certain user refer to the documentation distributed with CGP Configuring Dr Web MailD When interacting with CGP drweb cgp sender module of Dr Web MailD performs functions of Sender The module is started with privileges of the mail group to enable writing to the cgp directory drweb cgp receiver module of Dr Web MailD performs functions of Receiver The module is started by CGP mail system with root privileges To assure proper operation of Dr Web MailD in this configuration explicitly specify the name of the user with whose privileges other Dr Web MailD modules are started This name can be set in the ChownToUser parameter from the CgpReceiver settings section in the Dr Web MailD configuration file or you can specify an
312. ecify the personal UUID as the parameter value md5 sum of license key file is usually used as UUID Default value UUID Location of Dr Web license key files or demo key files Paths in the list are separated by commas if the list contains more than one path Ta i ax Update Section The Update section contains parameters of Dr Web for UNIX mail servers update via Dr Web Enterprise Server CacheDir path to directory Timeout numerical value RootDir path to directory Dr Web Agent 100 Default value LicenseFile bin dir drweb32 key Update Directory where Dr Web Agent temporarily stores downloaded update files Default value CacheDir svar _dir updates cache Maximum time in seconds for Dr Web Agent to process downloaded update files If 0 is specified time for process is unlimited Default value Timeout 120 Path to the root directory Default value RootDir For more information see Administrator Manual for Dr Web ESS Running Dr Web Agent Please note that if at the post install script runtime you select the Configure Services option in the conversation all services including Dr Web Agent will be started automatically When Dr Web Agent starts with the default settings the following actions are performed e Dr Web Agent searches and loads its configuration file If the configuration file is not found Dr Web Agent terminates If the param
313. eck operation of MTAs that receive messages from Dr Web MailD check time required to receive MTA response on attempt of drweb sender module to establish connection as well as where an error occurs while message delivery For Pipe delivery method o Check operation of the local MTA that receives messages from Dr Web MailD Its daemon that is responsible for local message delivery must be configured correctly If during Dr Web MailD operation number of messages in delivery queue increases located in the var dir msgs out directory it is recommended to send SIGUSR2 signal to drweb sender module when it is not peak usage time Moreover you can implement cluster solution using internal proxying of requests from Sender and Receiver to several MailD core instances Recommendations on configuring Dr Web MailD if the processed traffic primarily consists of large messages 1 It is recommended to avoid using Dr Web Modifier as well as any filtering based on content analysis that is avoid setting values to the RejectPartCondition AcceptPartCondition and MissingHeader parameters of Dr Web HeadersFilter plug in as well as to the RegexForChechecked parameter to Drweb plug in and etc It is recommended because search within MIME objects can significantly reduce message processing Vaderetro Dr Web Modifier and Drweb plug ins store both message body and headers in RAM memory while processing so it is recommended to assign the plug ins to After
314. ected Quarantine folder that serves for isolation of infected or suspicious files if the corresponding action is specified in Dr Web for UNIX mail servers settings Svar dir lib anti virus engine implemented as a loadable library drweb32 d11 Directory of the enable files depends on Dr Web for UNIX mail servers installation method Installation using the universal package for UNIX systems Files are stored in the setc_dir directory and named as follows drwebd enable drweb monitor enable Installation using the native DEB packages Files are stored in the etc defaults directory and named as follows drwebd drweb monitor Installation using native RPM packages Files are stored in the etc sysconfig directory and named as follows drwebd enable drweb monitor enable 19 Ta J i ax Introduction Configuration Files General format of configuration files All Dr Web for UNIX mail servers settings are stored in configuration files which you can use to configure all suite components Configuration files are text files so they can be edit in any text editor They have the following format beginning of file Section 1 name Parameterl valuel valueK ParameterM valuel valueK Section X name Parameterl valuel valueK ParameterY valuel valueK end Of file Configuration files are formed according to the following rules
315. ection drweb milter module transfers drweb maild module commands and waits for response In the solution given above drweb milter module works as a proxy between the Postfix system interface and drweb maild module Note features of operation through Milter in the synchronous and asynchronous modes Postfix and drweb milter can operate on different computers but drweb milter and drweb maild must operate on the same computer Configuring Mail Postfix Configuring Operation in After Queue Mode To configure interaction between Dr Web MailD and Postfix in the after queue mode add the following lines to the main cf configuration file of the Postfix system content _filter scan lt ADDR REC gt receive override options no_address mappings where _ADDR_REC_ is the address of the listening module drweb receiver the Address 340 Ta yan A A Dr Web MailD parameter of the Receiver section of the Dr Web MailD configuration file for example 127 0 0 12 8025 To the master cf configuration file of Postfix system the following lines must be added scan unix n lt NN gt smtp o smtp _send_xforward_command yes lt ADDR SEN gt inet n n lt NN gt smtpd o content filter o receive override options no unknown recipient _checks no header body checks o smtpd helo restrictions o smtpd client restrictions o smtpd sender restrictions o smtpd recipient restrictions permit mynetworks
316. ection is established Dr Web Agent receives key files and settings from Dr Web Enterprise Server After all settings and key files are received Dr Web Agent is fully operational If Dr Web Agent operates in the Standalone mode meta configuration files amc that manage Dr Web Agent interaction with other Dr Web modules are loaded Location of meta configuration files is set in the MetaConfigDir parameter in the Agent section of the Dr Web Agent configuration file When meta configuration files are successfully loaded Dr Web Agent is ready to operate Interaction with Other Suite Components Interaction with other suite components is performed by Dr Web Agent metaconfiguration files amc files These files contain configuration parameters that are sent to the respective Dr Web modules by Dr Web Agent The files reside in the directory specified in the MetaConfDir parameter by default etc _dir agent Usually one file contains configuration parameters of one component and name of the file matches to the name of the Dr Web for UNIX mail servers component Each module is described in the Application section with the corresponding name At the end of the section EndApplication must be specified The following parameters must be present in the module description e id identifier of the module in Dr Web ESS e ConfFile path to the module configuration file e Components description of the modules At the end of this section EndComponen
317. ection of Dr Web Agent configuration file Yetc dir agent conf set the following parameter values e UseEnterpriseMode Yes e PublicKeyFile svar dir drwcsd pub public encryption key used to access Dr Web Enterprise Server Administrator must move this file from the corresponding directory of Dr Web Enterprise Server to the specified path 102 Ta i ax Dr Web Agent e ServerHost IP address or host name of Dr Web Enterprise Server e ServerPort Dr Web Enterprise Server port 2193 by default For Dr Web Monitor In the Monitor section of the Dr Web Monitor configuration file etc_dir monitor conf set the following parameter values e UseEnterpriseMode Yes Automatic Creation of New Account by ES Server When a new account is created automatically 1 On the first run in the Enterprise mode Dr Web Agent sends a request for the account details station ID and password to Dr Web Enterprise Server 2 If Dr Web Enterprise Server is set to the Approve access manually mode used by default for details see the administrator manual for Dr Web ESS system administrator must confirm registration of a new station via Dr Web Control Center web interface in one minute 3 After the first connection Dr Web Agent records the hash of the station ID and password into the pwa file This file is created in the directory specified in the CacheDir parameter of the EnterpriseMode section default value is svar d
318. ection of the Dr Web MailD configuration file for example usr exim bin exim and specify Exim as a value of the MailerName parameter from the same Sender section Connecting to Exim Using Local_Scan Function A Working with Dr Web MailD in this mode requires Exim mail system version 4 50 or later Note that the steps describe how to configure connection using the Local scan function assuming that the Exim configuration file was not changed that is the file does not contain adjustments for using special transport described in the previous section Thus if the file was previously preconfigured for that purpose it is required to revert the Exim configuration file to its initial state by removing settings for the router and transport Preparation of the system has several stages First you must recompile Exim with support of the local_scan function e Copy Sbin_dir doc maild local_scan local_scan c file to exim Local directory e TO Makefile of Exim system which is located in exim Local directory add parameters specified in bbin dir doc maild local_ scan Makefile sample If the corresponding parameters are already specified in Makefile you can uncomment and edit them e In Makefile of Exim system you must also specify the name of a user whose privileges are used to start Exim the name must be the same as specified for Dr Web MailD User name is defined by the EXIM_USER parameter By default EXIM_USER drweb Ta J i
319. ed configuration files files with access privileges for applications managed by Dr Web Enterprise Server files with registration information on Dr Web Enterprise Server etc Default value CacheDir Svar _ dir agent The StandaloneMode section contains parameters of Dr Web Agent operation in the Standalone mode StatisticsServer text value StatisticsUpdatePeriod numerical value StatisticsProxy hostname IP address StatisticsProxyAuth text value UUID text value LicenseFile paths to files StandaloneMode Address URL of the virus statistics server If the value is not specified statistics is not sent Default value StatisticsServer stat drweb com 80 update Period in minutes for statistics updating Value cannot be less than 5 Default value StatisticsUpdatePeriod 10 IP address or host name of proxy server for sending virus statistics Please note that if the parameter value is not set the value of http proxy environment variable is used Example StatisticsProxy localhost 3128 Default value StatisticsProxy Authentication string lt username gt lt password gt to access proxy server Example StatisticsProxyAuth test testpwd Default value StatisticsProxyAuth Unique user ID for the statistics server http stat drweb com Please note that this parameter is mandatory for sending statistics Thus if you want to enable this option sp
320. ed by syslogd system service Default value SyslogFacility Daemon Logging priority log verbosity level when syslogd system service is used There are the following levels allowed e Error e Alert S Warning OC ENEO 2 Notice Default value SyslogPriority Info Enables or disables limit for log file size if LogFileName value is not specified to syslog If limit is enabled Dr Web Daemon checks the size of a log file on startup or on receipt of HUP signal If the log file size is greater than MaxLogSizevalue the log file is overwritten with an empty file and logging starts from scratch Ta 1 ax MaxLogSize numerical value LogScanned logical LogPacked logical LogArchived logical LogTime logical LogProcessInfo logical RecodeNonprintable logical RecodeMode Replace QuotedPrintable Dr Web Daemon Default value LimitLog No Maximum log file size in Kbytes Used only with LimitLog Yes Set this parameter value to 0 if you do not want a log file to be unexpectedly modified on startup Default value MaxLogSize 512 Enables or disables logging of information about all scanned objects regardless whether they are infected or not Default value LogScanned Yes Enables or disables logging of additional information about files packed with DIET PKLITE and other utilities Default value LogPacked Yes Enables or disables loggin
321. ed or suspicious file deleted renamed moved The actual value returned by Dr Web Scanner is equal to the sum of codes for the events that occurred during scanning Obviously the sum can be easily decomposed into separate event codes For example return code 9 1 8 means that known viruses were detected including viruses in archives mail archives or containers curing and others actions were not executed no other threat events occurred during scanning If no threat events occurred during scanning Dr Web Scanner returns the exit code 0 Dr Web Scanner has one feature in some cases when no threats were found during scanning it can return the exit code 128 instead of exit code 0 This case is similar to the case no threats found exit code 0 Ta 1 ax Dr Web Daemon Dr Web Daemon Dr Web Daemon is a background anti virus module drwebd designed to perform scanning for viruses on request received from other Dr Web components It can scan files on the disk or data transferred through a socket Requests for anti virus scanning are sent using a special protocol via UNIX or TCP sockets Dr Web Daemon uses the same anti virus engine Dr Web Engine and virus databases like Dr Web Scanner and is able to detect and cure all known viruses Dr Web Daemon is always running and has simple and intelligible protocol for sending scanning requests which makes it a perfect solution to be used as an anti virus filter for file servers D
322. ed to avoid setting the ReturnReject parameter value to No when configuring proxying if the server has several clients serving different subnetworks and message non delivery might occur Integration with Cyrus SASL To enable SASL authentication via Cyrus SASL saslauthd service do the following 1 Configure and start Cyrus SASL saslauthd service 2 Configure Dr Web MailD to use Cyrus SASL the settings are specified in the SASL section and the Cyrus SASL section o Enable SASL authentication and use of cyrus driver Use yes Driver cyrus o Specify the path to the 1ibsas1 library as the Lib parameter value o Specify the path to the configuration file that manages authentication via saslauthd service as the Path parameter value for example etc sasi2 maiid without the conf extension This file must be located in the directory where saslauthd searches for configuration The directory used by Cyrus SASL to find the configuration file depends on the Cyrus SASL version and OS distribution e Cyrus SASL version 2 x searches for the file in usr lib sas12 directory e Cyrus SASL version 2 1 22 and newer also searches for the file in etc sas12 directory Cyrus SASL of any version starts file search from the usr lib sasi2 directory If the configuration file is found in this directory the search stops 3 Create the authentication configuration file in the given example etc sas12 maild conf and specify requi
323. ed to the etc dir software conf directory with the following names configuration file name N e Operational copies of configuration files are installed to the corresponding directories e Other files are installed If a file with the same name already exists in the directory e g after inaccurate removal of previous package versions it is overwritten with the new file and a copy of the old one is saved as file name O If a file with the file name O name already exists in this directory it is replaced with the new file Ta J 1 ax Installation and Uninstallation 29 e If you select the Run interactive postinstall script check box in the corresponding window of the GUI installer then after installation of the components completes the post install script is initialized for Dr Web for UNIX mail servers basic adjustment A Please note that if the used Linux distribution features SELinux installation can be interrupted by the security subsystem If such situation occurs set SELinux to Permissive mode To do this enter the following command setenforce 0 and restart the installer After the installation completes configure SELinux security policies to enable correct operation of anti virus components You can remove the drweb mail product name version number OS name directory and run file after successful completion of installation Using GUI Installer To install with GUI 1 Enter the followin
324. ed to validate a peer s certificate o cipher list string a list of allowed encryption algorithms Use the man ciphers command to get information on the format of encryption algorithm list OpenSSL must be installed Thread pool options The options have combined value Parameters are separated by commas At first number of threads in a pool is defined o auto number of threads in a pool is automatically detected depending on the current system load o N non negative integer Only N threads in a pool are active and new threads cannot be created o N M positive integers M N At least N threads in a pool are active and new threads can be created as required until their number reaches value if it is necessary to set a constant number of threads in the pool set M N After that the following additional parameters can be specified o timeout time if a thread is not active during the specified time period it is closed This parameter does not affect the first n threads which wait for requests indefinitely Default value 2m o stat yes no statistics on threads in a pool It is saved each time SIGUSR1 system signal is received or upon Dr Web MailD shutdown to the directory specified in the value of the BaseDir parameter from the General section Default value no o log level Quiet Error Alert Info Debug log verbosity level for threads in a pool If the value is not explicitly specified val
325. efault path etc sasldb2 is used If you set the value to sqi configure the following parameters sql engine sql hostnames sqiliuses sql passwd sql database sal select Defines the used DBMS Allowed values e mysql MySQL e pgsql PostgreSQL e sqlite SQLite Defines the address for DBMS connection hostname or hostname port When several DBMS servers are used specify several addresses separated by commas Note For MySQL DBMS specify the localhost value to connect via the UNIX socket or specify the IP address 127 0 0 1 to connect via the TCP socket Defines the username for database connection Defines the user password Defines the database name Defines the SELECT SQL statement used for retrieving user password as plain text Important note Do not enclose the SQL statement in quotes To specify a macro see below use a single quotation character For SQL statements the following macros can be used they will be replaced with the corresponding data received from the client e Su Username e r Realm domain to which the user belongs It can be either KERBEROS realm or FQDN of the host where SASL application is launched or email domain that is part of an email address following the at sign If you set the value to 1dapdb configure the following parameters of LDAP usage ldapdb_uri ldapdb_id ldapdb_ pw ldapdb_mech LDAP URI to be used You can specify the following pref
326. efault value UseCustomReply No Custom message used as an SMTP reply when Infected reject Or Incurable reject actions are applied and also when UseCustomReply yes You can specify only the text part of the message Text must be quoted if it contains white spaces Example JDO So AOR Tes par OIE Spia Default value ReplyInfected DrWEB anti virus Message is rejected because it contains a virus Custom message used as an SMTP reply when Adware Dialers Jokes Riskware Hacktools reject actions are applied and also when UseCustomReply Yes You can specify only the text part of the message Text must be quoted if it contains white spaces Example 590 3s 7s MWESIE oere OIE eyo Default value ReplyMalware DrWEB anti virus Message is rejected because it contains a malware Custom message used as an SMTP reply when Suspicious reject action is applied and also when UseCustomReply Yes You can specify only the text part of the message Text must be quoted if it contains white spaces Example S50 So 750 Wesxic jose O aey Default value ReplySuspicious DrWEB anti virus Message is rejected because it contains suspicious COMecninnay Custom message used as an SMTP reply when SkipObject reject action is applied and also when UseCustomReply Yes You can specify only the text part of the message Text must be quoted if it contains white spaces Example 550 So OR Tex
327. ely in enterprise mode 4 If standalone mode was previously used switch operation of Dr Web Agent and Dr Web Monitor components to enterprise mode by specifying appropriate settings in their configuration files as described in the Configuring Components to Run in Enterprise Mode section 5 Restart Dr Web Monitor by using the following command service drweb monitor restart Gathering Virus Statistics Dr Web Agent receives statistics on computer threats from the controlled modules and sends it either to the official Doctor Web statistics website http stat drweb com if the Internet connection is available or to Dr Web ESS if Dr Web Agent is operating in the Enterprise mode Dr Web Agent needs the unique user identifier UUID to connect to this website By default MD5 hash of the key file is used as a UUID Also you can get a personal UUID from Doctor Web Technical Support In this case specify your UUID explicitly in the Dr Web Agent configuration file StandaloneMode section 105 T ax A AN Dr Web Agent A Statistics is gathered only for those Dr Web modules that receive settings from Dr Web Agent Instructions on how to set up interaction with Dr Web Agent are given in the sections describing the modules On the statistics website at http stat drweb com you can view aggregate statistics on computer threats both for a given server and for all servers supported by Dr Web Anti virus for UNIX or
328. ems It can send checked email messages as well as notifications and reports generated by Dr Web MailD modules 119 Ta yan A A Dr Web MailD Processing modes Dr Web MailD uses two modes of message processing 1 Synchronous mode before queue message received from the sender with the Receiver component is processed by plug ins on the fly without sending the message to the MailBase storage In this mode messages are processed by the plug ins specified in the BeforeQueue list The Receiver component does not send a response to the sender until processing ends or time out is expired If the message is regarded as malicious or suspicious the sender gets the error code in response from the Receiver 2 Asynchronous mode after queue Message received from the sender by the Receiver component is saved to the MailBase storage before the message processing starts Then Receiver responds to the sender with notification that the message was correctly accepted After that the message is processed by plug ins specified in the AfterQueue list If the message is regarded as malicious or suspicious the sender receives DSN with the report on the check results If some plug ins are specified in the BeforeQueue list and others in the AfterQueue list messages are processed in the synchronous mode and then in the asynchronous mode Note that if Dr Web HeadersFilter and Dr Web Modifier plug ins are used that is if local rules
329. en when problems with network or power supply occur If a stalled message is found Receiver queues it for processing Default value StalledProcessingInterval 10m OneCommandTimeout time Timeout to execute a single command Ta i ax OneMessageTimeout time AddReceivedHeader logical ReturnReject logical GreetingString string RelayDomains Lookup Dr Web MailD Default value OneCommandTimeout 5m Timeout to receive a single message Default value OneMessageTimeout 10m Adds a Received header to all received messages Default value AddReceivedHeader Yes Receiver behaviour after the Reject action is applied to the message that is processed in the synchronous mode When the parameter value is set to yes the component returns SMTP 55 error When the parameter value is set to No the component returns successful SMTP 250 response but the sender receives DSN if not disabled The return response is extended with the Reply lt Reason gt string the string is set in the settings of a plug in which performed the reject action but only if it is allowed by its UseCustomReply Yes setting where lt Reason gt is the reject action cause Otherwise the following standard message is output The message has been rejected by the Dr Web MailD Note that if Dr Web MailD is not operating in SMTP LMTP proxy mode and is integrated with MTA it is recommended to set the paramet
330. ent to check if the received host name is in the ProtectedDomains list If so an A request is sent to check if the connection IP address is in the received address list If so address is either marked as Trusted or if SCORE is specified its value is added to the score of each message transferred in the current session and to the score of the sender s IP address If the IP address of the connection is in the white list defined by the WhiteNetworks parameter see below the address is either marked as Trusted or if SCORE is specified its value is added to the score of each message transferred in the current session and to the score of the sender s IP address Checks if the domain of the IP address is in the white list defined by the WhiteDomains parameter see below DNS PTR request is made If the domain is in the list the address is either marked as Trusted or if SCORE is specified its value is added to the score of each message transferred in the current session and to the score of the sender s IP address Checks if the IP address of the connection is in the black lists of RBL DNSBL servers specified in the DNSBLList parameter see below At first availability of RBL DNSBL servers is checked by sending a test request to resolve 127 0 0 2 IP address as required by the specification If a server operates correctly it must return positive response If not the server is marked as inaccessible which is logged If the serve
331. ept the License Agreement installation starts On the Installing screen you can review the installation process in real time Welcome 4 Install Type Installing Dr Web Bases v6 0 0 3 Select Software Running post install commands la Confirm Installation of drweb agent is complete License x Dr Web Bases k Installi Copyright Doctor Web Ltd We By using this parameter you automatically confirm and accept the Soi Finish Backing up old versions of files to be installed Dr WEB Creating installation directories Installing software Updating file permissions 2 Running post install commands x E3 gt 4 Bac Next gt Figure 8 Installing screen This report is logged at the same time in the install 1log log file located at the 32 drweb mail product name version number OS name directory If you selected Run interactive post install script once component installation completes the post install script for Dr Web for UNIX mail servers basic configuration initializes Installation and Uninstallation This installation script will help you to configure Drlleb for Mail server Antivirus Antispam Do you want to continue YES no yes Enter list of plugins to process message before placing it to queue DB Possible values headersfilter modifier Values are delimited with commas default modifier Enter list of plugins to process me
332. er Mail Servers e drweb postfix as Dr Web Anti spam for Postfix Mail Servers e drweb postfix av Dr Web Anti virus for Postfix Mail Servers e drweb postfix av as Dr Web Anti virus and Anti spam for Postfix Mail Servers e drweb gmail as Dr Web Anti spam for Qmail Mail Servers e drweb qmail av Dr Web Anti virus for Qmail Mail Servers e drweb qmail av as Dr Web Anti virus and Anti spam for Qmail Mail Servers e drweb sendmail as Dr Web Anti spam for Sendmail Mail Servers e drweb sendmail av Dr Web Anti virus for Sendmail Mail Servers e drweb sendmail av as Dr Web Anti virus and Anti spam for Sendmail Mail Servers e drweb cgp as Dr Web Anti spam for CommuniGate Pro Mail Servers e drweb cgp av Dr Web Anti virus for CommuniGate Pro Mail Servers e drweb cgp av as Dr Web Anti virus and Anti spam for CommuniGate Pro Mail Servers e drweb exim as Dr Web Anti spam for Exim Mail Servers e drweb exim av Dr Web Anti virus for Exim Mail Servers e drweb exim av as Dr Web Anti virus and Anti spam for Exim Mail Servers e drweb zmailer as Dr Web Anti spam for ZMailer Mail Servers e drweb zmailer av Dr Web Anti virus for ZMailer Mail Servers e drweb zmailer av as Dr Web Anti virus and Anti spam for ZMailer Mail Servers All the following commands to add repositories import keys install and remove packages must be run with administrator privileges root If it is ne
333. er changing any parameter value you can immediately undo the change by clicking or restore the default value by clicking The latter is always available even after changes are saved 366 To revise all changes click Preview On the open page you can select the changes that you want to Dr Web Console for UNIX mail servers save by selecting the corresponding check box in the Save column Configuration 4 Te ates BB 2r Web Maib is running Parameter Old value New value Save Use secure hash no yes v Accept control messages only from trusted networks yes no M License limint action pass pass quarantine notify v Processing errors action pass pass quarantine v Scan encoded headers headersfilter yes no M Before queue plug ins vaderetro modifier vaderetro modifier headersfilter v Hostname Firebird localhost host M Response size limit ODBC 0 4 v Dr Web MailD version Dr Web Web Interface version Cancel Changes Orn Save if Apply and Save Settings Figure 36 Preview screen e If you want to discard the changes click Cancel e If you want to make additional changes click Continue Editing to return to the previous page e Click Save to save the changes or Apply and Save to save and apply them immediately 367 Dr Web Console for UNIX mail servers Basic Settings Tab configuration oe BB r Web MailD is running fe ES eS eS er Ea eS Hostname of Dr Web computer more gt gt
334. er of received strings is not limited Default value SizeLimit 10 Ta J 1 ax Lib path to file SkipDomains LookupLite OnError ignore exception PostgreSQL Section In the PostgreSQL section settings database are specified ConnectionsString string Dr Web MailD 206 Path to the 1ibFBclient so library Default value Lib usr lib libFBclient so List of domains for which request to the database is not required This parameter often allows to improve total performance and considerably reduce server load Please note that the parameter value is LookupLite The parameter value can also be locally overridden in a Lookup Default value SkipDomains Sets the mode of error handling errors that occur in Lookup when connecting to the specified data source Allowed modes e ignore ignore the error and continue message processing the error is only logged e exception generate an exception which is handled as a message processing error The handling method corresponds to the ProcessingError parameter value set for the module in operation of which this error occurred The parameter value can also be locally overridden in a Lookup Default value OnError ignore for interaction between Dr Web MailD and PostgreSQL String with settings for connection to PostgreSQL database The string can be empty in this case default parameters are used or it can contai
335. er value to No This ensures correct notification of the sender if a message was rejected Otherwise if the parameter value is set to yes MTA can send notification on success before the message is checked and rejected If ReturnReject No it is recommended to specify an additional not ify action as during SMTP session Receiver after rejecting a message replies with 250 code that indicates successful message processing or enable DSN with the SkipDSNOnBlock parameter in the Maild section But it is recommended to enable DSN only if the number of rejected messages is not large otherwise high load on MTA which sends DSN can occur Default value ReturnReject Yes Greeting line that is output on connection of a new SMTP client Shost macro is replaced with the Hostname parameter value from the General section 2v7er macro is replaced with the current version of the drweb receiver module Default value GreetingString Shost Dr Web SMTP receiver v ver ready List of domains that are allowed to relay messages If you specify a usual domain list for which Dr Web MailD is a mail relay their subdomains are ignored That is mail arriving from their subdomains are not relayed Ta J N ax RestrictionStat logical DelayRejectToRcpt logical Dr Web MailD It is possible to specify a list of subdomains by using regular expression or rfile Please note that the parameter value is Lookup
336. eration are set in etc dir plugin headersfilter conf configuration file Description of the configuration file structure and parameter types is provided in Configuration Files Parameters are described in the order they appear in the main configuration file In the Headersfilter section general settings for Dr Web HeadersFilter plug in are specified Filtration parameters are defined by the filter rules which are described below Rules are analyzed in the same order as they are listed in the section that is a rule which is set first in the list is analyzed first Rules are analyzed until a suitable rule is found and the plug in executes the action which is set for this rule If Reject filter rule is applied to a message the message is not processed further If Accept filter rule is applied to a message other rules are ignored and the message is processed by other plug ins of Dr Web MailD if some plug ins did not process the message headersfilter section R Scan headers before decoding Scankncodeddeadsts For example Yes value for the ScanEncodedHeaders Moguscaal bree parameter and RejectCondition Subject iso 8859 5 condition allow to filter out messages Subject field of which is encoded with iso 8859 5 Please note that if yes value is specified all encoded headers are scanned twice before and after decoding and scanning stops if any of the rules is activated Default value ScanEncodedHeaders Yes
337. erformed if such a check is enabled by the MaxCompressionRatio parameter Value of this parameter must be greater than 0 Default value CompressionCheckThreshold 1024 MaxFileSizeTokxtract numerical Maximum size of a file enclosed in an archive in Kbytes If a file value size exceeds the specified value the file is skipped Default value MaxFileSizeToExtract 40960 MaxArchiveLevel Maximum allowed archive nesting level numerical value f k a P If an archive nesting level exceeds the specified value an archive is not scanned Default value MaxArchiveLevel 8 MessagePatternFileName path to Path to template for a license expiration message file Ta ww ys MailTo email address Dr Web Daemon 83 You can configure output of an expiration message according to your needs To do this use the following variables in the template The specified variables are substituted with the corresponding values e SEXPIRATIONDAYS number of days left until license expiration e SKEYFILENAME path to license key file e SKEYNUMBER license number e SKEYACTIVATES license activation date e SKEYEXPIRES license expiration date If there is no user defined template standard message in English is output Default value MessagePatternFileName Setc_dir templates drwebd msg tmpl Email address of an administrator where the following information is sent messages about lice
338. ers o wrong_per valid rcpts D a ratio between the number of invalid message recipients declined after the RCPT TO command and the number of valid recipients It is the main parameter defining filter operation If no valid recipients are found this value is considered equal to 1 If this parameter value is set to 0 the filter is totally ignored Default value 10 0 Default values for general parameters are o min_msgs 0 o min_errors 0 o min_wrong_rcpts 20 o min_conn 0 o block_period 2h o score 0 e errors filter allows filtration of IP addresses according to the amount of errors that occurred during SMTP session established from the certain IP address Specific parameters o errors per _msg D a ratio between the number of errors occurred during the SMTP session and the number of messages passed to MailD core If no messages were passed this number is considered equal to 1 If the parameter value is set to 0 this check is ignored Default value 0 o errors per _conn D a ratio between the number of errors occurred during the SMTP session and the number of connections from this IP address The filter is applied only when the parameter value is not 0 and at least one connection was established from this IP address Default value 2 0 If both parameters are specified the errors _per_msg parameter is checked first and the errors _per_conn parameter is checked after it If values of both parameters are set to 0 the f
339. es the reaction is applied to the whole complex object and not to the included malicious object only Action Parameters These parameters determine which actions are applied to infected or suspicious objects Se leale Defines an action applied to infected files and boot sectors If an additional modifier is not specified Dr Web Scanner cures infected objects and deletes incurable files unless another action is specified in the ic parameter Additional modifiers allow to set another action instead of curing but the new action can be applied only to infected files In this case action for incurable files must be set with ic parameter ieleja e Defines an action applied to incurable files If an additional modifier is not specified Dr Web Scanner only informs the user about the threat p leal Defines an action applied to suspicious files If an additional modifier is not specified Dr Web Scanner only informs the user about the threat adw d m r i Defines an action applied to adware If an additional modifier is not specified Dr Web Scanner only informs the user about the threat d1is d m r i Defines an action applied to dialers If an additional modifier is not specified Dr Web Scanner only informs the user about the threat jok d m r i Defines an action applied to joke programs If an additional modifier is not specified Dr Web Scanner only informs the user about the threat rsk d m r i Defines an action app
340. essages are to be checked for example when Drweb plug in scans a large number of messages in the paranoid mode or a large number of Rules are checked for matching the more threads each component create All created threads are organized in pools which behavior is controlled by parameters of the PoolOptions type These parameters also set a number of threads in each pool both minimum t_min and maximum t_max values By default the auto value is set for all thread pools created by all of the modules The auto value specified for a pool sets the following values for t_ min and t_max e For drweb receiver and drweb sender modules t_min 2 t_max 500 e For other modules drweb maild drweb milter drweb notifier and others t_ min 2 t_max 1000 Restriction on the thread number set for drweb receiver not only prevents the module from creating more active threads than specified but also influences the module behaviour during SMTP sessions If the number of connections from clients exceeds the allowed limit of threads in a pool the module creates maximum number of threads and all other connections for which a processing thread cannot be created are queued Once an active thread becomes free it starts processing a queued connection As processing of connections is asynchronous the same thread can process several connections simultaneously Queue length of client connections is always restricted to the maximum allowed number of threads in the dr
341. eters in the EnterpriseMode section are set correctly and Dr Web for UNIX mail servers is operating within Anti virus network Dr Web Agent starts in the Enterprise mode Otherwise if parameters in the Standalone section are set correctly Dr Web Agent starts in the Standalone mode If the parameters in the Standalone section are not set Dr Web Agent terminates Socket for interaction of Dr Web Agent with other Dr Web modules is created If a TCP socket is used several connections can be established loading continues if at least one connection is established If a UNIX socket is used it can only be created if the user whose privileges are used to run drweb agent has read and write access to its directory If a socket cannot be created Dr Web Agent terminates Further loading process depends on the selected operation mode Ta J i ax Dr Web Agent If Dr Web Agent operates in the Enterprise mode e Dr Web Agent connects to Dr Web Enterprise Server If the server is unavailable or authorization process fails during the first connection attempt Dr Web Agent terminates If Dr Web Agent worked previously with this server and now the server is temporary unavailable for example if any connection problem occurs Dr Web Agent uses backup copies of configuration files received from the server earlier These files are encrypted and must not be edited by a user An attempt to edit the files makes them invalid e If the conn
342. everal matching rules with different parameter values true cont html yes true cont html no Value of the html parameter is set to yes Behaviour described above is relevant for all parameters except for those with additive semantics A subsequent value for such parameter does not conflict with the previous one but is added to it As a result all found parameter values are joined in a single list of values At that when a stop directive is specified Rule search stops and the values gathered by that moment are assigned to the parameter In the present document parameters with additive semantics are marked with the A icon in their descriptions Moreover some parameters are of the cloning type These parameters are processed for every receiver separately that is if different values of the parameter are specified for different message recipients a separate copy of the message is created for each of them and corresponding settings are applied to each copy In the present document parameters that support cloning are marked with the icon in the description Parameters used in Rule SETTINGS Parameters used in the SETTINGS part of a Rule are divided into the following categories e parameters used in Rules only e parameters which values are specified in the Dr Web MailD configuration file or configuration files of other modules or plug ins In the present document parameters that can be used in Rules are marked with R icon 1
343. except for file paths and file names in UNIX are case Ta 2 ww ys BeforeQueueFilters list O2 plug ims MaxSizeBeforeQueueFilters size AfterQueueFilters list of plug ins MaxSizeAfterQueueFilters size PluginsBaseDir path to directory Dr Web MailD 157 insensitive Default value Settings List of plug ins which process a message before it is queued or moved to the database in the synchronous mode before queue Default value BeforeQueueFilters Maximum size of a message to be processed by plug ins that are listed in the BeforeQueueFilters parameter Used only when the max_size parameter value is not explicitly specified for a plug in in the Settings parameter or Rules When the parameter value is set to 0 maximum size is not limited Default value MaxSizeBeforeQueueFilters List of plug ins which process a message after it is put to the queue or to the database in the asynchronous mode after queue Default value AfterQueueFilters Maximum size of a message to be processed by plug ins that are listed in the AEterQueueFilters parameter value Used only when the max_size parameter value is not explicitly specified for a plug in in the Settings parameter or Rules When the parameter value is set to 0 maximum size is not limited Default value MaxSizeAfterQueueFilters 0 Path to the directory where plug ins work files are stored For examp
344. f Dr Web MailD Default value MaildPidFile var_ dir run drweb maild pid Path to the directory with dws files Default value BlacklistPath svar dir dws Path to Dr Web Agent configuration file Default value AgentConfPath Svar dir agent conf Path to the libvaderetro so library used by Vaderetro plug in Default value PathToVadeRetro var dir lib libvaderetro so Number of days left before license expiration during which Dr Web Updater is attempting to update license key file Default value Ta J 1 aX Dr Web Updater 91 ExpiredTimeLimit 14 ESLockfile Path to the lock file ees If the lock file exists Dr Web Updater can not be automatically initialized by cron daemon Default value ESLockfile var_dir run es_ updater lock Updating Procedure Updating is performed in the following stages 1 Dr Web Updater reads the configuration file drweb32 ini by default or specified with the ini command line argument 2 Dr Web Updater uses parameters from the Updater section of the configuration file see the description above as well as the following parameters EnginePath VirusBase UpdatePath and PidFile 3 Dr Web Updater selects Dr Web GUS server for downloading updates The server is selected in the following way e Reading of the files which contain lists of update servers The filenames are specified in the DrlFile and CustomDr1File parameters If both files
345. f processing the requests in milliseconds e sixth line contains information on the current number of threads in a pool and number of busy threads RFC Standards Dr Web MailD operates according to requirements of the following RFC documents 23 Requirements for Internet Hosts Application and Support 1652 SMTP Service Extension for 8bit MIME transport 1830 SMTP Service Extensions for Transmission of Large and Binary MIME Messages 1870 SMTP Service Extension for Message Size Declaration 1894 An Extensible Message Format for Delivery Status Notifications 2033 Local Mail Transfer Protocol 2034 SMTP Service Extension for Returning Enhanced Error Codes 2045 2049 Multipurpose Internet Mail Extensions 2222 Simple Authentication and Security Layer SASL 2231 MIME Value and Encoded Word Extensions 2245 Anonymous SASL Mechanism 2289 A One Time Password System 2444 The One Time Password SASL Mechanism 2505 Anti Spam Recommendations for SMTP MTAs 2646 The Text Plain Format Parameter 2821 Simple Mail Transfer Protocol 2822 Internet Message Format 2831 Using Digest Authentication as a SASL Mechanism 2945 The SRP Authentication and Key Exchange System 3174 US Secure Hash Algorithm 1 SHA1 Ta yan A A Dr Web MailID 132 Adjustment and Startup Dr Web for UNIX mail servers can be started with default settings but if you want to ensure optimal performance you may adjust it according to your specific requirements
346. failed directory This directory stores all messages that failed to be sent including deferred ones As an parameter value the sender is specified and then the recipient Note that when a message is sent from the database Dr Web MailD uses message files instead of envelope files the latter have the same ID but the extension is envelope To extract the list of recipients from the message the t parameter is used in this case specify only the message sender cat absGRj JOtolUbye drweb inject t f sender domain Message Processing Rules Purpose of Message processing rules Message processing Rules allow adjustment of settings used for message processing and message delivery depending on conditions Each condition checks some of message parameters such as sender and recipient addresses names of viruses or other threats detected in the message its size and others You can also specify different combinations of settings check and thus change the check procedure You can specify general Rules for all processed messages as well as Rules connected with certain users their aliases and groups General Rules of message processing are set in the Dr Web MailD configuration file in the Rules section Rules of message processing connected with users and user groups are set in the built in database Storing rules in the built in database is rational if the number of users with individual settings is great and therefore processing
347. failed to be processed e DTA number of attachments with adware e DTD number of attachments with dialers e DTJ number of attachments with jokes e DTR number of attachments with riskware e DTH number of attachments with hack tools wr time in milliseconds that plug in spent on message processing For blocked messages the list contains the following fields e BLOCK 12 name of the blocking object for example virus It is enclosed in quotes in same way as it is done for groups see above e TYPE 12 type of the blocked object Name is used from NAME see above Available values DI DTH F S U e FROM sender of the message from the envelope e IP IP address of the message sender Examples 1 Request for statistics on all processed messages for all plug ins gt stat client Command format corresponds to the description statistics output format is described above 2 Request for statistics on unblocked messages for all plug ins gt stat client ignore block Example of statistics output 20120307T145754 P 1 C 1 PS 194562 CS 194562 headersfilter 20120311T163250 R 4 F 4 RS 39848 FS 39848 headersfilter 20120311T164250 R 1 F 1 RS 539 FS 539 headersfilter 20120311T165400 P 1 F 1 PS 539 FS 539 WT 32 drweb 20120311T165400 R 1 Q 1 C 1 DE 1 RS 539 QS 539 CS 539 WT 13 headersfilter 20120311T165727 P 1 F 1 PS 539 FS 539 WI 32 E D drweb 20120311T16
348. fected file in a mailbox Report Delete Move Rename Ignor Default value ActionInfectedMail Report Sets one of the following actions upon detection of an infected file in an archive ZIP TAR RAR etc Report Delete Move Rename Ignor Default value ActionInfectedArchive Report Ta 2 ww ys ActionInfectedContainer action LogFileName syslog file name SyslogFacility syslog label SyslogPriority log level LimitLog logical MaxLogSize numerical value LogScanned logical LogPacked logical Dr Web Command Line Scanner 65 Sets one of the following actions upon detection of an infected file in a container OLE HTML PowerPoint etc Report Delete Move Rename Ignor Default value ActionInfectedContainer Report Logging parameters Log file name You can specify syslog as a log file name to use syslogd system service for logging In this case you must also specify the SyslogFacility and SyslogPriority parameters Default value LogFileName syslog Log type label which is used by syslogd system service Default value SyslogFacility Daemon Log verbosity level when syslogd system service is used The following levels are allowed e Error e Alert O Warning SETTED e Notice Default value SyslogPriority Info Enables or disables limit of log file size if LogFileName value is not set to syslog
349. ferent formats some DBMS separate fields with a whitespace some with a comma or semicolon 2 Lookups with the sqlite prefix are used for interaction with SQLite version 3 x See also notes on features of working with SQLite DBMS e cdb the value is an alphanumerical name of the key in the CDB database CDB database does not support the SQL query input language that is why driver emulates the single SQL command for operating with lookups select from tablename where key string where tablename must be changed to the name of any file specified as a source item in the CDB section of Dr Web MailD configuration file You can use special symbols in Lookup queries Example cdo skipdomains regex inbox select from my file where key s Note that the SkipDomains parameter locally overridden in this Lookup is of the LookupLite type that is Lookup for whoch only file and value prefixes are allowed e berkeley enables interaction with Berkeley DB Format of the query is similar to that of cdb prefix Parameters from the Berkeley section of Dr Web MailD configuration file are used You can use special symbols as in the Lookup queries Local overriding of parameters in Lookup queries After a prefix you can optionally specify a list of values for the SkipDomains and OnError parameters to be used in this Lookup The local values are specified in the following format NA
350. file T CONNECTIONNAME DESCRIPTION ADDRESS PROTOCOL TCP HOST localhost PORT 1521 CONNECT DATA SERVER DEDICATED SERVICE NAME CONNECTIONNAME As the connection string the ConnectData parameter value it is possible to specify either GI user password CONNECTIONNAM or user pasword DE localhost PORT 1521 CONNECT_DATA SERVICE NAME CONNECTIONNAME E SCRIPTION ADDRESS PROTOCOL TCP HOST SERVER DEDICATED 3 If the specified host or database are not accessible connection is attempted to be established until timeout occurs the timeout value is specified for the connect timeout parameter in the connection string After that an error is fixed and handled according to the action set for the OnError parameter AAN ia N cA add ODBC Section In the ODBC section settings for interaction between Dr Web MailD and databases via ODBC are specified Lib path to file ConnectData SHETSaLiMGy SizeLimit SHETeSL IgG SkipDomains LookupLite OnError ignore exception Dr Web MailD Path to the library that supports ODBC version 3 0 or later Library must be built with thread support UnixODBC is recommended The library is searched according to the standard rules used by dl
351. file for example usr exim bin exim and set Exim as a value of the MailerName parameter from the same section There is no need to start drweb receiver module separately because when operation through local_scan function is performed Receiver component is embedded into Exim If Dr Web MailD is started using Dr Web Monitor comment the line in etc_dir monitor maild exim mmc file which is responsible for drweb receiver startup drweb receiver local var_dir ipc agent 15 30 MAIL drweb drweb After all changes are made restart Dr Web MailD and Exim mail system All settings that configure operation of Dr Web MailD with Exim are collected in the Receiver and Sender sections of the Dr Web MailD configuration file and are described in the following sections of the current current Manual Receiver section and Sender section When Dr Web MailD is interacting with the Exim mail system the following processes must be running e drweb notifier drweb sender e drweb maild e drweb receiver Also it is additionally necessary to make that the Dr Web Monitor component has been launched with the root privileges to provide this specify root value for User and Group parameters in the Ta J 1 ax Dr Web MailD Monitor section of monitor conf configuration file Known Issues If on Exim startup the following error occurs transport drweb transport cannot find transport driver lmtp it means that Ex
352. first eight symbols are used prefix is the prefix depending on values of the following parameters FilenamesMode n FilenamesPrefix e Time of saving a message to the database Ta J 1 ax Dr Web MailD 155 e Value of the From header enclosed in angle brackets e List of recipients addresses Addresses in the list are separated by commas and enclosed in angle brackets e Message body Example SQLInsertCommand INSERT INTO mail export id filename put_time sender rcpts body values oo RaZoR RT Default value SQLInsertCommand SQLRemoveCommand A command to delete messages from the DBI storage cy It is used when time limit for storing messages in Quarantine is specified The only parameter specified in request is time all messages older than the specified value are deleted The value element in the request must be replaced with a question mark 2 Example SQLRemoveCommand DELETE FROM mail export WHERE put _time lt Default value SQLRemoveCommand SQLSelectCommand A command used to access messages in the DBI storage for string example to request a message from Quarantine using control message The only parameter used in the request is a relative file name in Quarantine Value element in request must be replaced with a question mark 2 Sequence and types of returned fields are fixed corresponds to the format of the table used in the storage see below 1 id message number
353. first value in the SendingIntervals list is not 0 in the asynchronous mode processed messages and notifications are sent with the delay equal to the first value in the list If the SendingIntervals list have only one value equal to 0 Sender does not attempt to send stalled messages These messages are immediately moved to out failed directory See also the warning at the end of this section Default value SendingIntervals 0s 30s 60s 10m 30m 2h Gia lel lel 182 Ta yan A A Dr Web MailD 183 Method Method used by Sender to deliver messages Surp LP Ee e SMTP messages are sent via SMTP protocol e LMTP messages are sent via LMTP protocol e PIPE messages are sent via PIPE to some external mail program Default value Depends on the distribution MailerName Name of the MTA working with Dr Web for UNIX mail servers SMTP Sendmail Postfix CommuniGate Qmail Exim Zmailer Courier This parameter is used when Method pipe Default value Depends on the distribution Address MTA address used by the Sender component to send messages ee If Method pipe specify the full path to the MTA used to receive messages If the Method parameter has another value specify the address of the socket used for sending messages If Dr Web for UNIX mail servers solution operates in SMTP LMTP proxy mode then in addition to standard address types you can use mx HOSTNAME whe
354. g Drweb Plug In To connect the Drweb plug in to Dr Web for UNIX mail servers add a drweb string plug in name Ta J N aX Dr Web MailD 292 to the list of plug ins for message processing in the Dr Web MailD configuration file If you want messages to be processed by Drweb plug in before they are imported to the database add the plug in name to the list of the BeforeQueueFilters parameter values from the Filter section of the Dr Web MailD configuration file Example BeforeQueueFilters drweb vaderetro If you want messages to be processed by Drweb plug in after they are imported to the database add the plug in name to the list of the AfterQueueFilters parameter values from the Filter section of the Dr Web MailD configuration file Example AfterQueueFilters drweb Setting Drweb Plug In All main settings that regulate plug in operation are set in etc dir plugin drweb conf configuration file Description of the configuration file structure and parameter types is provided in Configuration Files Parameters are described in the order they appear in the main configuration file In the Antivirus section general settings for the Drweb plug in are specified Antivirus section Socket for interaction between anti virus plug in and Dr Web Address Daemon ee It is possible to specify several sockets for interaction with Dr Web Daemons that are located on different servers At that feature of balancing lo
355. g command drweb mail product name version number OS name install sh The setup program launches On the Welcome screen click Next At any step you can return to the previous one by clicking Back To continue installation click Next To abort installation click Cancel Welcome gt Install Type This program allows you to install the following software Select Software Dr Web Agent 6 0 0 3 Dr Web Bases 6 0 0 3 Boost third party C libraries needed for Dr Web 6 0 0 2 Dr Web Common Files 6 0 1 2 m Dr Web Antivirus Daemon 6 0 1 3 Dr Web EPM Library for X11 epm gui 6 0 0 1 Dr Web EPM Dr Web uninstaller 6 0 0 1 Google performance analysis tools needed for Dr Web 6 0 0 1 Essential third party libraries needed for Dr Web on x86 systems 6 0 0 5 Dr Web VadeRetro antispam 6 0 0 2 E Confirm License installing Finish Dr WEB 4 Next Cancel Figure 2 Welcome screen 2 On the Install Type screen select the installation type typical configuration for Dr Web for Mail Gateways or certain MTA Dr Web for lt MTA gt Full installation with all the necessary components selected by default or custom configuration Installation and Uninstallation 30 Welcome Install Type Select Software Confirm License installing Finish Select the installation type Dr Web for CGP Full installation Dr Web for Courier Full installation Dr Web for Ex
356. g of additional information about files archived with various archiving utilities Default value LogArchived Yes Enables or disables logging of time for each record The parameter is not used if LogFileName syslog Default value LogTime Yes Enables or disables logging PID of the scanning process and filter address host name or IP address from which scanning has been activated This data is logged before each record Default value LogProcessInfo Yes Enables or disables transcoding of characters that are undisplayable on a given terminal see also the description of the following two parameters Default value RecodeNonprintable Yes Decoding mode for RecodeNonprintable Yes non printable characters if When RecodeMode Replace all non printable characters are substituted with the RecodeChar parameter value see below When RecodeMode QuotedPrintable all non printable characters are converted to Quoted Printable encoding Default value RecodeMode QuotedPrintable Ta 1 ax RecodeChar MEAN pene ate vor Socket address list SocketTimeout numerical value ClientsLogs gieiing IHSE Dr Web Daemon Sets a character to replace all non printable characters if RecodeMode Replace Default value RecodeChar List of sockets to be used for communication with Dr Web Daemon separated by commas Example Socket inet 3000 127 0 0 1 local
357. ge number of attachments their processing by the plug ins takes_considerable_time In this case it is not recommended to assign the plug ins to BeforeQueueFilters queue as it can slow down interaction with external MTA when transmitting messages Moreover in this case a problem can occur while checking messages due to incorrect timeout value too small specified in the IpcTimeout parameter The problem can cause message loss it will not be deleted and the sender will not be notified on that If Dr Web MailD is integrated with an MTA it is recommended to use synchronous mode plug ins must be assigned to BeforeQueueFilters list Otherwise if it is operates as a SMTP LMTP proxy it is recommended to use asynchronous mode plug ins must be assigned to AfterQueueFilters list Both parameters are presented in the Filters section a Increase timeout values o IPC subsystems managed by the IpcTimeout parameter in the General section o Maximum allowed time to wait for a thread to close used on restart and shutdown of Dr Web MailD operation managed by the MaxTimeoutForThreadActivity parameter in the General section o Time to wait for Dr Web MailD components to start or shutdown in the maild_ lt mta gt mmc control file of Dr Web Monitor Increase the ulimit n values Estimate load on the thread pools by gathering and analyzing statistics see above If required adjust the limits for the corresponding thread pools Mou
358. ging Maild ProtectedNetworks Maild ProtectedDomains Maild IncludeSubdomains SASL Receiver2 drweb sender3 General Logging Sender3 drweb receiver3 General Logging Maild ProtectedNetworks Maild ProtectedDomains Maild IncludeSubdomains SASL Receiver3 drweb sender4 General Logging Sender4 drweb receiver4 General Logging Maild ProtectedNetworks Maild ProtectedDomains Maild IncludeSubdomains SASL Receiver4 drweb sender5 General Logging Sender5 drweb receiver5 General Logging Maild ProtectedNetworks Maild ProtectedDomains Maild IncludeSubdomains SASL Receiver5 In the example drweb receiver and drweb sender are the new names of the components used for interaction with Dr Web Agent Receiver and Sender are the new names of the corresponding section in the configuration file Other parameters must be copied from the section with the original component settings Detailed description of amc files syntax can be found in Dr Web Agent description e copy the main section with component settings to the conf file rename this section specify the name that was set on the previous step and adjust all other settings in the new section for the second component e start or restart Dr Web Agent to enable it to read the new configuration e start the new component with the following command line parameters unique id component section Example drweb receiver u
359. gt lt if N n gt N stars with n lt if gt lt if N n123 gt WRONG lt if gt In a notification generated from such a template the following strings are inserted N is not empty N starts with n 3 Loop You can use loops in the templates A loop is specified as follows lt for NAME LIST DATA DELIM gt TEXT lt for gt where e NAME name of a macro that is used as a local variable in the loop body Each time the loop iterates another value retrieved from LIST is assigned to the variable e LIST macro used as a list of values for the local variable in the loop Macro value can be a list In this case any macro can be specified at that if its value cannot be a list the value is separated with commas and transformed into the list e DATA regular expression to check and select values from the list each time the loop iterates e DELIM delimiter inserted in the notification body between text fragments generated each time the loop iterates If the values in square brackets are not specified the construction is treated as lt for NAME LIST gt that is all values from LIST are used Otherwise each value form LIST is compared with the expression specified in DATA and if the result is true corresponds a does not correspond the next value is assigned to the NAME macro and the loop iterates If DELIM is specified the corresponding valu
360. gt in Japanese language Note that the from root domain ru cont NotifyLangs ru rule is not applied in this example as when sending notifications to lt root domain ru gt the address is treated as the notification recipient s address so notifications are generated with the use of the default language file in English language If it is required to use Russian language for notifications specify the following Rule to root domain ru cont NotifyLangs ru Rules with implicit SETTINGS part As mentioned above SETTINGS part of a rule can be absent If so parameters are requested directly from the server with the use of Lookup specified in the CONDITION part It can be useful for example when working with LDAP or databases Example to regex drweb com amp amp ldap drwebRules sub mail s cont In this Rule if a recipient is in the drweb com domain and sender or all the recipients satisfy the LDAP condition mail Ss parameters in the SETTINGS part are substituted from the drwebRules field of the LDAP request Values are substituted for every new message and then are cashed while the message is checked thus a user can change settings in hot mode without server restart Note that Lookup to LDAP is enclosed in quotation marks because of the brackets used in the Lookup Fields returned by drwebRules must be correct SETTINGS strings that is lt parameter gt lt value gt lt parameter gt lt value gt F
361. gt name of the module e lt parameters gt optional command line parameters e lt agent_socket gt socket used for receiving module configuration from Dr Web Agent component General Parameters In the current version of Dr Web for UNIX mail servers the modules support the following command line parameters n help Description Show information about supported command line parameters on the screen and exit y version Description Show module version on the screen and exit level lt log verbosity level gt Description Verbosity level for logging information on module startup default value is info E timeout lt number of seconds gt Description Maximum wait time for receiving configuration from Dr Web Agent ecompenent lt components name gt Description Name of the component that requests configuration from Dr Web Agent Note that this command line parameter is not supported by drweb zmailer log name lt components name gt Description Name of the component that performs logging Ta 1 ax Dr Web MailD 124 check only Description Start the component in the configuration check mode To provide correct operation Dr Web Agent must be previously started If configuration test is successful the following message is output to the console Options Ok If configuration test failed the following message is output Options ERROR Note that this command line parameter is n
362. gulartext gt RP_SENDERS_ENVELOPE WITH NUM AND PERCENTS lt td gt lt tr gt lt tbody gt lt table gt lt td gt lt if gt lt if gt lt if RP_CLIENT IP WITH NUM AND PERCENTS gt lt if RP CLIENT IP _NUM 0 gt lt td valign top gt lt table width 300 cellpadding 5 cellspacing 0 class sStatistic id statistic gt lt tbody gt lt tr gt lt th colspan 2 class Statisticheader gt lt if RP CLIENT IP NUM 1 gt SLC566S lt if gt lt if RP_CLIENT IP_NUM 1 gt LC545 RP CLIENT IP NUM LC565S lt if gt lt th gt lt tr gt lt tr gt xta class regulartext gt RP_CLIENT IP WITH NUM AND PERCENTSS lt td gt lt tr gt lt tbody gt lt table gt lt td gt lt if gt lt if gt lt tr gt lt table gt lt td gt lt tr gt lt tr gt lt td class body gt LC550 lt td gt lt td align right class body gt RP PASS SRP PASS SIZES lt td gt lt tr gt lt tr gt lt td class body gt LC551 lt td gt lt td align right class body gt RP_ REJECTS SRP_REJECT SIZES lt td gt lt tr gt lt tr gt lt td class body gt LC552 lt td gt lt td align right class body gt RP_DISCARD SRP_DISCARD_ SIZES lt td gt lt tr gt Ta 2 i aX Dr Web MailD 288 lt tr gt lt td class body gt LC553 lt td gt lt td align right class body gt RP
363. has already finished transferring all recipients and is ready to send the body of the message restrictions are specified in the DataRestrictions parameter Restrictions are set as values of Restrictions parameters separated by commas They are checked in sequential order from left to right Restriction checking is performed only after all other checks sequencing of commands validity of their parameters and others until the message is considered as trusted After that restriction check stops SessionRestrictions restrictio These checks are performed immediately after the connection was melee established INTRO 173 Ta 2 1 ax HeloRestrictions mest TesLGicalein Iai sic SenderRestrictions FAS Cres Gie soi Iai sic RecipientRestrictions restriction Listi DataRestrictions ASE ies Gie sein Ika E Dr Web MailD 174 The following restrictions are checked O trust protected network O trust protected domains O trust_white networks O trust _white domains O reject clnsioll G reject olack networks reject black cdemeine Default value SessionRestrictions trust protected network These checks are performed on HELO EHLO session stage The following restrictions are checked O reject _unknown_hostname O reject oire H Default value HeloRestrictions Checks performed on FROM session stage The following restrictions can be checked e reject _unknown_sndrs S re
364. he AfterQueue queue in the asynchronous mode 3 For the EmptyFrom parameter the action pass cannot be specified Instead of this action you can specify continue That starts message processing because this event can occur only before the message is processed Please note that if the mandatory action of the ProcessingErrors parameter is discard reject or tempfail do not set a small value to the IpeTimeout the General section parameter because checking of message content can take considerable time Occurrence of timeout before the check completes is regarded as an error Thus in accordance with the action specified in ProcessingErrors the message is to be deleted during its processing which can lead to loss of the message the message will not be delivered to the recipient and the sender will not be informed on that 148 re ROK Dr Web MailD 149 x lt 4 MailBase Section In the MailBase section settings for Dr Web MailD internal database are specified The database stores received messages until they are processed and sent if the processing plug ins operate in the asynchronous mode The section contains the following parameters MaxStoredMessages Maximum number of messages to be stored in the mail database numerical value s i When the parameter value is set to 0 maximum number of messages is not limited If amount of messages in database exceeds the number set to this parameter old messages are dele
365. he condition is true for any message As the stop directive is specified afterwards all subsequent rules are not used Example 2 sender test amp amp size gt 10k cont scan no This condition is true if the message sender is test and the message size is greater than 10 KB In this case the message is passed without further check Note the usage of quotation marks they are necessary in this example Example 3 ropt ldap sub mail s OR auth stop This Rule is applied if at least one of the recipients specified in TO is not found in LDAP by mail field and the sender is not authorized Rule SETTINGS SETTINGS part of a rule is a sequence of Parameter Value pairs plugin_name param value plugin_name param value where plugin_name if specified name of the plug in which parameter values are used param parameter name value parameter value If the plug in name is not specified the rule configures parameters of the main Dr Web MailD configuration file section name is not specified For example AdminMail root domain directive means that the value of the AdminMail parameter in the Notifier section of Dr Web MailD configuration file is changed At least one Parameter Value pair is required List items are separated by commas so if value contains a comma enter a backslash before the character to escape it Example 1 sender a drweb com cont headersfilter Action pass vaderet
366. he parameter value to 0 otherwise log file size can exceed several Mbytes after detection of malware or mail bombs in messages Default value ReportMaxSize 50k R If the value is set to Yes X Anti Virus and X Anti Virus AddXHeaders Code headers are added to scanned messages lo gpac ana Default value AddXHeaders Yes Ta 2 aw ax Paranoid logical Dr Web MailD If Yes value is specified messages are scanned in the paranoid mode With this mode enabled messages are sent to Dr Web Daemon segment by segment as well as all in one piece Such strategy allows to increase efficiency of virus detection but it also increases scan time Please note that if a message contains an object to which action pass is applied then duplication of statistical information on this object may occur if a virus is detected when processing the attachment or the message itself Besides some additional actions notify redirect may be applied twice Default value Paranoid No R A List of regular expressions used by an anti virus plug in to check RegexsForCheckedFilename list of regular expressions LicenseLimit actions Infected actions Suspicious actions file names in a report provided by Dr Web Daemon after a message scan Names of archived files start with the gt symbol number of gt symbols depends on the archive nesting level If any part of a file name matches a regular
367. he plug ins can be not required drweb zmailer Receiver Module for integration with the Zmailer post system Zmailer receiving messages that are to be processed drweb qmail Receiver Module for integration with the Qmail post system Qmail receiving messages that are to be processed drweb courier Receiver Module for integration with the Courier post system Courier receiving messages that are to be processed drweb cgp sender Sender Module for integration with the CommuniGate Pro post CommuniGate Pro system dispatching processed messages drweb cgp receiver Receiver Module for integration with the CommuniGate Pro post CommuniGate Pro system receiving messages that are to be processed 122 Ta 2 N ax Dr Web MailD 123 drweb milter Receiver Milter Module for integration with post systems via the Milter protocol Utilities drweb inject Utility for force dispatching of messages Utility for Lookup validity check Utility for Quarantine management drweb lookup drweb qcontrol drweb qp Utility for Quarantine management meant for interaction with DBI The utility cannot be started manually All modules described in the table above are located in the sbin_dir directory Command Line Parameters Like every UNIX program Dr Web MailD modules support command line parameters The command line format is as follows lt module name gt parameters lt agent_socket gt where e lt module_name
368. he repeated character Between NAME and VAL white spaces must not be specified If several NAME VAL pairs with the same NAME are specified the NAME macro is treated as a list when processing the template If according to the template the macro cannot be a list but is specified several times in the command either its first value is used or all of the values are combined using commas which is incorrect in most cases After the command output an empty line is always added Macros Initialization Method In the list of macros for initialization any of these macros can be used For all macros except for those described below their default value is used Values of macros used in the reports are not set automatically the macros with the RP_ name These macros must be explicitly initialized in a command If a macro necessary for notification generation is not specified the corresponding error is output to the Notifier log Apart from macros you can also use the following indicators as initialization parameters e FROM sets a sender in the envelope also used for searching parameter values in Rules that have sender in the conditional part For DSN templates the sender is always empty The method to determine a message sender is described below If several values are specified the first one is used e RCPTS sets message recipients also used for searching parameters in Rules that have rcpt in the conditional part
369. he same type as exported data Fields in the query must be ordered like in the database It is not necessary to use all available values in the query List of values that can be used in the query e size lt int gt total size of scanned messages in bytes e num lt int gt total number of scanned messages e q num lt int gt total number of messages saved in Quarantine e r num lt int gt total number of redirected messages e n_num lt int gt total number of messages for which notifications were sent e pass num lt int gt total number of passed messages e reject num lt int gt total number of rejected messages e discard num lt int gt total number of discarded messages e tempfail num lt int gt total number of temporarily failed messages e date lt timestamp gt mail database timestamp e q size lt int gt total size of messages saved in Quarantine e r size lt int gt total size of redirected messages e n_ size lt int gt total size of messages for which notifications were sent e pass size lt int gt total size of passed messages e reject size lt int gt total size of rejected messages e discard size lt int gt total size of discarded messages e tempfail size lt int gt total size of temporarily failed messages e work time lt int gt plug in operation time in milliseconds ms Example ExportStatStorage odbc insert into g stat values ssize lt sint g
370. he synchronous mode the message is sent in the asynchronous mode see below According to the results a string on successful or failed sending of the generated notification is output o async generate a message from the template and send via Sender in the asynchronous mode that is Sender receives the message for processing but can send it later If the used Sender does not support the asynchronous mode the message is sent in the synchronous mode see above Sender must support operation at least in one of the modes According to the results a string on successful or failed sending of the generated notification is output Ta J 1 ys Dr Web MailD If the mode is not specified it is set to show e client id Client identifier for notification processing If the is specified the identifier is treated as empty Thus the notify command allows to operate with one Client only e options list of macros required to be initialized for the template assigned values are used when generating a message The list format is a set of the following pairs NAME VAL where NAME macro name without the surrounding and VAL assigned value enclosed in single quotation marks The macro name and macro value are case insensitive If the vaL value does not have empty spaces the enclosing quotes can be omitted If the VAL value is enclosed in quotes and the character is included in the value the character must be escaped with t
371. he system all packages which names start with drweb this is a standard pattern for a Dr Web package name Please note that this command removes from the system all packages which name corresponds to the pattern not only those of Dr Web for UNIX mail servers 3 The third variant of the command removes from the system all unused packages which were automatically installed for resolving dependences of some removed packages Please note that this command removes all unused packages from the system not only those of Dr Web for UNIX mail servers You can also use alternative package managers for example Synaptic aptitude to install or remove the packages Moreover it is recommended to use alternative managers such as aptitude to resolve a package conflict if it occurs ALT Linux PCLinuxOS apt rpm 1 Installation To add the repository to you system add the following line to the etc apt sources list file 32 bit version rpm http officeshield drweb com drweb altlinux stable i386 drweb 64 bit version rpm http officeshield drweb com drweb altlinux stable x86 64 drweb Ta 1 ax Installation and Uninstallation 44 To install Dr Web for UNIX mail servers apt get update apt get install lt package name gt 2 Uninstallation In this case uninstallation process is the same as for Debian and Ubuntu see above You can also use alternative package managers for example Synaptic aptitude to ins
372. he time interval Output format and time format are described below Ta AN ash Dr Web MailD 231 o DATE2 upper limit of the time interval If the parameter is not set the current time is used Time format is described below If the period is not set then all available statistics is output e ignore ignore total block filtration of output statistics e total do not output general statistics on checked messages e block do not output statistics on blocked messages If this parameter is not set statistics of all types is output e plugin plugin name outputs information on the specified plug in where name is the name of the plug in If the plugin parameter is not set information on all plug ins is output If a non existing plug in is specified an error is output and command is canceled If is specified general statistics is output If several similar parameters are specified statistics is output only for the last specified parameter The following commands are available stat client period ignore plugin The command is used for receiving statistics Optional parameters can be set in random order stat group client group period ignore plugin The command is used for receiving statistics on the group specified instead of client group e If the group does not exist an error is output and the command is aborted Optional parameters can be set in random order stat email client email
373. heck the message due to violation of the license restrictions malware Detection of a malicious attachment rule Blocking a message by a Rule either a MailD core message processing Rule or a rule used by or Dr Web Modifier or Dr Web HeadersFilter plug ins skip Skipping an attachment while scanning e g password protected archive or encrypted file virus Detection of a virus in an attachment Note that e Notifications of some types are sent only to certain recipients For example by default notification on Skip event is sent only to the message sender sender _skip msg If required notifications on this event can be dispatched to others if the template is copied and renamed rcpts_skip msg and admin_skip msg for recipients and administrator respectively However it is also recommended to modify these templates so that they contain information suitable for a certain recipient Templates available by default are listed in the table below e If several events occur during check of one message Notifier sends a separate notification for each event to all recipients for whom that is allowed e It is possible to disable notifications of certain types to certain recipients depending on condition validation results To do that use the notify setting in MailD core rules of message processing e Periodic MailD notifications on total operation of the suite reports for the administrator Notifications of this type are sent by Notifier to th
374. hecked and the message score is not changed The same behaviour happens if the sender s and recipient s addresses are equal and specified in the white list 3 If the sender s domain lt domain1 gt is not equal to the recipient s domain lt domain2 gt and both of the domains are presented in the white list as wildcards lt domainl gt and lt domain2 gt respectively then the sender s address is checked and the message score is decreased by 10 000 points The same behaviour happens if the sender s and recipient s addresses are different and both are specified in the white list Please note that if FullCheck Yes this parameter might have no effect if a message is considered spam according to its content analysis results the scores assigned by this parameter are ignored and will not be subtracted from the total message score see above Please note that the parameter value is LookupLite Example hello myneighbourhood co uk mycompany com Default value WhiteList Black list of senders Similar to the WhiteList parameter Specified domains must be FQDN If the sender s address from is found in the black list the message score is increased by 5000 points If the addresses from both fields Return Path and From are specified in the black list the message score is increased by 10 000 points Please note the following features of black list processing 1 Black list is not sorted so it is possible that the sam
375. hives and containers When you run Dr Web Scanner with default parameters no cure actions and no actions for incurable and suspicious files are performed To enable these actions specify the corresponding command line parameters explicitly Configuration Dr Web Scanner can be used with default settings but it could be convenient to configure it according to your needs Dr Web Scanner settings are stored in the configuration file drweb32 ini by default which is located in setc dir directory To use another configuration file specify the full path to it as a command line parameter for example Sbin_dir drweb ini bin_dir etc drweb ini For general principles of the Dr Web for UNIX mail servers configuration files organization see Configuration files Scanner Location of drweb32 a11 module anti virus engine Dr Web Engine EnginePath path to file This parameter is also used by Dr Web Updater Default value EnginePath tbin dir lib drweb32 d11 VirusBase list of file masks Masks for loading virus databases This parameter is also used by Dr Web Updater Multiple values are allowed separated by commas By default virus databases files has a vdb extension Default value VirusBase var dir bases vdb UpdatePath path to directory TempPath path to directory This parameter is used by Dr Web Updater update p1 and is mandatory Default value UpdatePath var dir updates
376. hose products which can interact with Dr Web Monitor and reside in reside in the directory specified in the MetaConf Dir parameter by default etc _dir monitor The files contain information on component composition location of binary files their launch order and startup options Usually one file contains information on one component and name of the file matches to the name of the Dr Web for UNIX mail servers 114 Ta 2 i ax Dr Web Monitor 115 component Each component is described in the Application section with the corresponding name At the end of the section EndApplication must be specified The following parameters must be present in the component description e FullName full name of the component e Path path to the binary files e Depends names of the components which must be started before the described component For example AGENT component must be started before Dr Web Daemon therefore in the mmc file for Dr Web Daemon Depends parameter has the AGENT value If there are no dependencies this parameter can be skipped e Components list of binary files of modules started together with the component Modules are started in the same order as they are specified in this parameter For each module the following information must be specified space separated command line parameters can be enclosed in quotation marks timeouts for startup and stop StartTimeout and StopTimeout notification typ
377. iaioa General v Tables Summary data Infection o Errors T Run SpIDer Guard for Linux Statistics E Change SpIDer Guard for Linux configuration Begin end E Stop SpIDer Guard for Linux F Run Dr Web Scanner for Linux E Change Dr Web Scanner for Linux configuration Viruses F Using Dr Web MailD Control Centre for Linux Status YJ Using Dr Web Icap Daemon Control Centre for Linux Jobs J Using Dr Web Samba SpIDer Control Centre for Linux Summary statistics Virus bases All network installations Y Configuration Permissions Schedule Emails list Update restrictions Dr Web for IBM Lotus Domino Dr Web MailD for Linux Dr Web Daemon for Linux Dr Web Scanner for Linux SpIDer Guard for Linux Dr Web Icap Daemon for Linux Dr Web NSS Daemon Dr Web Samba SpIDer for Linux Dr Web Components Monitor for Unix Figure 61 User permissions configuration e In the Components section select components to be available for the workstation user to change For example to allow the workstation user to adjust Dr Web for UNIX mail servers configuration select the Using Dr Web MailD Control Centre for Linux checkbox and click Ta J AN ax Dr Web Console for UNIX mail servers Save e To disable the workstation user to adjust Dr Web for UNIX mail servers configuration clear the Using Dr Web MailD Control Centre for Linux checkbox and click Save In this
378. ical operators for union or intersection of sequential selections Specify several selection arguments in the select operator and join them with the following logical operators e and leave only those elements in the selection that satisfy the specified criterion e nand leave only those elements in the selection that do NOT satisfy the specified criterion e or add elements that satisfy the specified criterion to the previous selection e nor add elements that do NOT satisfy the specified criterion to the previous selection Note that join and intersection operators are used only in selections that contain MIME objects but are not used in selections that contain actual elements as the operators cannot be applied to the select mime lt SEGMENT gt syntax Example Select elements written in html and containing the lt script word select mime headers Content type html and mime body lt script Actually these are two sequential selections The first selection contains all MIME objects that contain html word in the Content type header The second selection leaves only those elements that contain lt script in any case Example select mime headers Content type html nand mime body lt script According to the first criterion all MIME objects that contain html word in the Content type header are selected According to the second criterion all MIME objects that contain lt script in an
379. ication of all message scores in the current session Message score is used in e Vaderetro plug in that compares the score to the spam thresholds e conditions of message processing rules with the score prefix e conditions of Dr Web Modifier plug in using add_score n set score commands if a message score becomes greater than the MaxScore parameter value from the MailD section of the Dr Web MailD configuration file the message check is aborted and action specified in the MaxScoreAction parameter is applied some restrictions that allow to apply different actions to the message depending on its current score e drweb receiver to block whole sessions if total message score exceeds the MaxSessionScore parameter value from the Receiver section e score filter from Reputation IP Filter that allows filtration of IP addresses which have too large total score Reputation IP Filter Reputation IP Filter is a technology for gathering statistics on each IP address connected to Dr Web for UNIX mail servers According to the statistics Reputation IP Filter can either temporarily block an IP address or take other actions This technology allows successful detection of spammers and resistance to DHA attacks Reputation IP Filter is enabled if either at least one filter is specified in the ReputationIPFilter setting similar parameter in the Receiver section or the MaxConcurrentConnection parameter value in the same section is not set t
380. ider Dr Web Samba SpIDer e mail Dr Web MailD e drwebdc console client for Dr Web Daemon e kerio Dr Web for Kerio Internet Gateways 81 Ta 2 1 ax Dr Web Daemon 82 e lotus Dr Web for IBM Lotus Domino Example drwebdc var drweb log drwebdc log SmMORSMS EOGI mail var drweb log drwebmail log Default value MaxBasesObsolescencePeriod Period in hours after last update during which virus databases numerical value are considered up to date When this period is over a message notifying that databases are obsolete is output If value is set to 0 database obsolescence is not checked Default value MaxBasesObsolescencePeriod 24 The following parameters can be used to reduce scanning time in archived files some objects in archives are not checked Actions applied to skipped depend on the ArchiveRestriction parameter value of the corresponding modules MaxCompressionRatio numerical Maximum compression ratio that is a ratio between size of value unpacked file and its size within an archive The parameter can have only natural values If the ratio exceeds the specified value file will not be extracted and therefore will not be checked Value of this parameter must be not less than 2 Default value MaxCompressionRatio 5000 CompressionCheckThreshold numerical Minimum size of a file enclosed within an archive in Kbytes for value which compression ratio check is p
381. ied with Dr Web MailD and resides in bin dir directory To use drweb gp Perl not older than 5 0 and installed Perl DBI and File Temp modules are required To use DBI set Yes value for the MoveToDBI parameter and configure DBISettings DBIUsername and DBIPassword correspondingly to enable access to DBI storage Moreover you need to configure the following SQL commands to perform required actions o SQLInsertCommand this command adds a mail message to the DBI storage o SQLRemoveCommand this command removes a mail message from the DBI storage It is used when limitation on time to a message in Quarantine is set o SQLSelectCommand this command provides access to the message stored in the DBI storage It is used when a message is requested for example via the control message from Quarantine 215 Ta J i ax Dr Web MailD Possible problems If you encounter an error of the following type maild ERROR Error in system call for opt drweb drweb qp Level debug SyslogFacility Daemon BaseDir var drweb ProcessMail 1 MoveToDBI 0 StoredTime 86400 SQLInsertCommand MDClient def gt dev null 2 gt amp 1 amp try to increase the maximum available amount of memory for drweb maild process for example using ulimit m command Using Control Email Messages Access to Quarantine can be gained via special control email messages These messages in the Subject field contain commands
382. if the group name contains white spaces email get rules emails list receive Rules for all the addresses from the emails list list If an address is not in the list an error is output but the execution continues If an alias is transmitted settings for the original recipient are output For every nonexistent address an error is output Output format client idl emaill 1 rulel 2 rule2 client id2 email2 1 rule21 2 rule22 email insert rule client email index RULE insert a new Rule before the Rule with index ordinal number for the email address specified in client email If an email address does not exist an error is output Numeration index starts with 1 If the index value exceeds the maximum number of rules for the specified email the new RULE is added to the end of the rule list At that next ordinal number is assigned to the new rule as index Example When adding a rule with the index 10 to the list consisting of only 2 rules the new one is added to the end of the list and index 3 is assigned to it If the index is less or equal to 0 an error is output If the RULE is empty that is the rule is not specified an error is output After successful modification the rules for the current group are output in the email get rules format email remove rule client email index remove the rule with index ordinal number specified for the email address in client email Numeration index starts with 1
383. ignated the parameter can have only one value Example of assigning several values to a parameter 1 Separating values by commas Parameter Valuel Value2 Value 3 20 Ta 2 1 ax Introduction 21 2 Setting of each parameter value separately Parameter Value2 Parameter Valuel Parameter Value 3 If a parameter is not specified in a configuration file this does not mean that the parameter does not have any value In this case the parameter value is assigned by default Only a few parameters are optional or do not have default values which is mentioned separately Parameter description rules used in this Manual Each parameter in this manual is described as follows Status in the Description Mail Processing Rules ParameterName Parameter type Special remarks Possible values Whether more than one value is possible Important remarks Default value ParameterName value nothing Status can be designated by one of following icons R The parameter can be used in the SETTINGS part of Mail Processing Rules The parameter is used to temporarily change its value while processing an email message which corresponds the conditional part of the rule The parameter when used in Mail Processing Rules is additive meaning that if more than one rule is true for the email message the parameter value results from joining all values of the rules The parameter when used
384. iguration of simultaneous usage of several Receiver Sender components via the web interface 384 Dr Web Console for UNIX mail servers 385 w Configuration 4 3 E ES eS ee ES eoo eS Dr Web MailD is running vy Common Use secure hash Add SecureHash header to all outgoing messages Yes zi more gt gt Secure hash SecureHash header contents itt EDIT THIS more gt gt v Advanced Pool settings Thread pool settings Current values auto minimum mail co O minimum maximum timeout seconds I stack_size mail co GB a loglevel quiet m stat no xl Submit directory Directory where drweb cgp sender module submits messages that will be sent by CommuniGate Pro var CommuniGate Submitted MTA Submit filenames mode Naming convention for file names of submitted td messages more gt gt Submit filenames prefix Prefix for file names of submitted messages drweb submit more gt gt Submit file permissions Permissions for created notifications or cured Read Write Execute lace ne Owner v v SUID bit Group v v O SGID bit Others Sticky bit Access privileges 0600 Save Apply and Save Settings Figure 55 Mail sending settings On this tab you can specify actions to be applied to outgoi
385. il addresses delimited by the symbol in this case the message is delivered to the first address connection to which was established Note that the order in which addresses are specified is of importance because the first match is searched If the matching DOMAIN string cannot be found for a message in the list the address specified in the Address parameter is used for the message dispatch Thus the value of this parametr must not be empty see a not below in the Router usage subsection Note that if data sources used in Lookup are inaccessible and the message cannot be delivered as the destination address is unknown this message is lost and Sender repeats an attempt to send the message at time interval specified in StalledProcessingInterval Example Router main server com gt mx main server com inet 25 backup server com In this case messages addressed to recipients from main server com domain are sent to addresses indicated in MX record for main server com If delivery fails system tries to deliver the message to backup server com on port 25 Please note that the parameter value is Lookup Default value Router 185 Ta J i ax Dr Web MailD Router usage Router parameter allows using Lookups except for regex wildcards and rfile types Example Router mysql select address from senders where user u This query searches for a local part of the recipients address The search is pe
386. ild is running Note that if the parameter is not specified drweb zmailer is running with root rights which can cause interoperability problems with drweb maild if it is not running with root rights ipclevel lt verbosity level gt Description Log verbosity level for IPC library used by drweb zmailer Available values quiet error alert info debug f ECE lt syslog flag gt Description Used syslog label if the syslog service is enabled Available values daemon mail local0 local7 19 basedir lt directory path gt Description Path to the home directory where Dr Web MailD plug ins are located iE lt identifier gt Description Similar to the unique id parameter specified for other components see above MailD core treats this parameter as a Receiver identifier log filename lt log file name gt Description Name of the used log file or syslog if the syslog service is enabled i LS lt path to the file gt Description Path to the file which must be processed on the plug in startup pash lt value gt Description The SecureHash parameter value from the Sender section of Dr Web MailD configuration file interface lt O 1 gt Description Version of the used smtpserver 0 for 2 99 55 version or earlier 1 for 2 99 56 version or later e HSE OPAC LOM SETE LONE Description Action applied if an internal error occurs in the plug in during message processing
387. ile each time SIGUSR1 system signal is received e stop timeout time in seconds maximum time to wait for a running process to stop Default value ProcessesPool auto timeout 120 stat no stop timeout 1 Enables receiving only a license key file from Dr Web Agent without configuration At that Dr Web Scanner uses the local configuration file If the value is set to No and the address of a Dr Web Agent socket is specified Dr Web Daemon sends operational statistics to Dr Web Agent information is sent after scanning of every file 76 Ta J 1 ax ControlAgent address MailCommand Siete ines NotifyPeriod numerical value NotifyFile path to file NotifyType Ever Everyday Once FileTimeout numerical value StopOnFirstiInfected logical Dr Web Daemon Default value OnlyKey No Dr Web Agent socket address Example ControlAgent inet 4040 127 0 0 1 local1 var dir ipc agent Dr Web Daemon receives from Dr Web Agent a license key file and configuration if OnlyKey No Moreover in this case the socket is used for sending statistics on Dr Web Daemon operation to Dr Web Agent Default value ControlAgent local var dir ipc agent Shell command used by Dr Web Daemon and Dr Web Updater for sending notifications on new updates to the user administrator via email If the period before the key file or one of the key files expiration
388. ilter is ignored Default values for general parameters o min_msgs 0 o min_errors 100 o min_wrong_rcpts 0 o min_conn 50 o block_period 2h o score 0 score filter filters IP addresses according to the average score assigned to all messages and sessions from this IP address It is included into the general Unified Score system and allows for example blocking of spammers on the stage when SMTP connection is established Specific parameters o score_per_msg D a ratio between the general score for the certain IP address a sum of all scores of messages sent from the given IP address and scores of all sessions initiated from it and the number of messages passed to MailD core If no messages were passed this 261 Ta J i ax Dr Web MailD 262 number is considered equal to 1 If the parameter value is set to 0 this check is ignored Default value 0 o score_per_conn D a ratio between general score for the certain IP address and the number of connections from this IP address The filter is applied only when the parameter value is not 0 and at least one connection from this IP was established Default value 100 0 If both parameters are specified the score _per_msg parameter is checked first and the score _per_conn parameter is checked after it If values of both parameters are set to 0 the filter is ignored Default values for general parameters o min_msgs 0 o min_errors 0 o min_wrong_rcpts 0 o
389. im Full installation Dr Web for Postfix Full installation Dr Web for QMail Full installation Dr Web for Sendmail Full installation Dr Web for ZMailer Full installation 4Back Next gt Cancel Figure 3 Install Type screen for MTA Welcome Install Type Select Software Confirm License installing Finish Dr WEB Select the installation type Dr Web for Mail Gateways Antispam Antivirus Custom Configuration _Cancel_ Figure 4 Install Type screen for Dr Web for Mail Gateways If you selected Custom Configuration then select necessary components on the Select Software screen Installation and Uninstallation 31 Welcome Install Type Select the software you want to install Select Software Available Software Confirm O Dr Web Agent v6 0 0 3 new a i i Dr Web Bases v6 0 0 3 new Z License O Boost third party C libraries needed for Dr Web v6 0 0 2 new Installing Dr Web Common Files v6 0 1 2 new uae O Dr Web Antivirus Daemon v6 0 1 3 new Finish vi Dr Web EPM Library for X11 epm gui v6 0 0 1 new ial Google performance analysis tools needed for Dr Web v6 0 0 1 ne lt gt ta Select none Dr WEB 4Back Next Cancel Figure 5 Select Software screen A If installation of a component requires some other components to be previously installed all corresponding dependencies are se
390. im is built without LMTP transport support You can either switch to SMTP transport for details refer to documentation on Exim MTA for example at http www exim org or recompile Exim with LMTP transport support If the latter variant is used you must add or uncomment the following line in Local Makefile file of the Exim system TRANSPORT_LMTP yes Integration with Qmail Operation principle of Qmail is based on replacement proxying of the mail system Via the interface set for qmail queue module the main executable file of Qmail system the filter receives a message checks it and if the message is not infected the filter moves it to qmail queue Operation in this mode has the following limitation UNIX sockets which drweb qmail listens for scan requests are set in the ListenUNIXSockets parameter in the Qmail section of the Dr Web MailD configuration file must be located in certain directories To display a list of paths run the qmail queue with help command line parameter For integration with Dr Web MailD Qmail version not earlier than 1 03 is required To avoid possible loss of incoming mail filter must be installed only when Qmail is stopped Integration of Dr Web MailD with Qmail can be performed both manually refer to the instructions below and with the use of the configure_mta sh configuration script that resides in the directory bin dir maild scripts It can configure interaction as mentioned in the in
391. imiter Please note that this parameter is not modified upon uninstalling a Dr Web component You must manually remove the uninstalled component from this parameter value Otherwise Dr Web Monitor will not be able to run and start other Dr Web components Default value RunAppList AGENT If the value is set to yes Dr Web Monitor receives the list of modules to be started from Dr Web Agent rather than from the RunAppList parameter value Default value UseEnterpriseMode No Time intervals between attempts to restart components that are not responding in seconds This parameter can have multiple values separated by commas First attempt to restart a component is made after a period of time specified in the first parameter value second attempt using the second parameter value and so on Default value RecoveryTimeList 0 30 60 Command to send reports Please note that if you want to send reports to other addresses not only to root localhost you need to specify the addresses in the command Default value InjectCmd usr sbin sendmail t Socket used by Dr Web Monitor to interact with Dr Web Agent parameter value must be the same as the Address parameter value from Dr Web Agent configuration file Default value AgentAddress local var dir ipc agent Maximum time to wait a response from drweb agent module in seconds If Dr Web Agent does not respond during this time period Dr Web Monitor consi
392. in Receiver to the identifier set in Sender that will receive notifications generated for the message Format of mapping lt regular expression gt lt Sender ID gt where lt regular_expression gt regular expression to which Receiver ID corresponds and lt Sender ID gt ID of Sender which is notified If mapping is not found all notifications are sent to the default Sender component with an empty identifier Example MsgIdMap id 12 sender notifications In this case reports on messages generated by Receiver components with id1 or id2 identifiers are sent to Sender with the sender notifications identifier This parameter is used when several pairs of Sender and Receiver components operate simultaneously Default value MsgIdMap Prefix added to the output path to a file in Quarantine This parameter allows accessing quarantined files using the third party server For example if you install an HTTP server on the same host where Dr Web for UNIX mail servers runs and set the following value to the parameter QuarantinePrefix http mailhost quarantine this prefix will be included in paths to quarantined files for example http mailhost quarantine headersfilter drweb quarantine 2kqtvl Default value QuarantinePrefix For details on notifications notification templates and notification generation rules refer to the Notification Templates section Quarantine Section In the Qu
393. in domain com address to Address of the message recipient Lookup rcpt Example xrcpt ldap sub mail ss All message recipients must be found in the LDAP by the mail field block Object that caused a plug in to block the message Lookup A message is considered blocked if reject action was applied to it In this case the plug in that blocked the message returns a list of strings describing the reasons for blocking there can be more than one reason For example Drweb plug in in the event of virus or another known threat detection returns the threat name If the message was blocked for a different reason for example due to SkipObject event the plug in returns a value of the lt parameter gt lt value gt configuration string in the format lt parameter gt lt value gt execution of which caused the block For example HeadersFilter plug in can inform that a message was blocked due to the missing header lt header gt specified in the MissingHeader parameter If so the plug in response is as follows MissingHeader lt header gt Examples ID block filer vi ruses mx Name of the object or reason that caused the message block must be specified in the list from the file it is implied to be the name of the detected threat Z Wolkerehes hacen S RIP Y Description of a reason that caused the message block must contain the skip substring for example action applied upon SkipObject event client
394. in the Maild section see the note on Lookup usage mentioned above If no message processing Rule contains client ip parameter in the conditional part set the GetIpFromReceivedHeader parameter value in the Maild section to No 268 Ta J i ax Dr Web MailD Set the following parameter values SkipDSNOnBlock Yes in the Maild section SendSDN No in the Sender section and try to avoid notify and redirect optional actions in plug in settings Disable Quarantine remove quarantine action from plug in settings if the action is specified Limit the maximum size of messages checked by plug ins by setting required values to the MaxSizeBeforeQueueFilters and MaxSizeAfterQueueFilters parameters in the Filters section Values of the StalledProcessingInterval parameters in the Sender section and Receiver section must not be less than the defaults 10m If during Dr Web MailD operation delay in sending messages occurs and number of queued connections increases for the drweb sender thread pool do one of the following depending on the delivery method set in the Method parameter in the Sender section For smMTP delivery method o Decrease the timeout value set in the OtherCmdsTimeout parameter in the Sender section o If value of the Router parameter in the Sender section is specified avoid using Lookup that contact external DBMS and LDAP see the note on Lookup usage mentioned above o Ch
395. ing This section is optional and can be absent e Logging contains logging settings This section is optional and can be absent The following sections contain settings of SASL authentication if it is used If SASL authentication is not used both sections can be absent If SASL is used both sections are mandatory e SASL contains settings of SASL authentication e Cyrus SASL contains settings of the cyrus sas1 SASL driver in the current version only this Ta J i ax Dr Web MailD driver can be used The following sections contain parameters of interaction with different mail systems MTA Receiver contains settings for Receiver which operates directly via the SMTP LMTP protocol and also interacts with the Exim Zmailer and Postfix if Postfix does not use the Milter protocol mail systems This section is optional and can be absent However this section is mandatory if Dr Web for UNIX mail servers operates in SMTP LMTP proxy mode or interacts with Exim Zmailer or Postfix if Postfix does not use the Milter protocol Sender contains settings for Sender which operates directly via the SMTP LMTP protocol and also interacts with all mail systems except Communigate Pro This section can be absent if Dr Web for UNIX mail servers interacts only with Communigate Pro Please note that both sections Receiver and Sender are mandatory if Dr Web for UNIX mail servers operates in SMTP LMTP proxy mode or
396. ing to TAI International Atomic Time Ssec usec drweb submit XXXXXX template is used e Rand48 renaming files with Lrand48 command drweb submit _XXXXXXxxX template is used Default value SubmitFilenamesMode std Milter Section In the Milter section parameters for managing operation of drweb milter module are specified This module is responsible for interaction between Dr Web for UNIX mail servers and Postfix and Sendmail MTAs via Milter protocol This section is included in the Dr Web MailD configuration file only if the software version is designed for operation with MTAs mentioned above Address Socket address to establish connection via Milter protocol dd peace It must comply with definition specified in settings of mail system in sendmail cf configuration file of Sendmail MTA and in main cf configuration file of Postfix MTA Path to the PID file cannot be used as a value of this parameter Example Address local var_dir ipc drweb milter skt In the current version this parameter cannot be changed with SIGHUP signal restart of Dr Web MailD is required Default value Address inet 3001 127 0 0 1 Timeout Timeout for drweb milter to connect to MTA time pa Specified value must be greater than any Timeout parameter value in the MTA configuration file Default value Timeout 2h PendedConnections numerical Maximum queue length for pending connections drweb milter value waits for MTA
397. interaction between Dr Web MailD and Courier MTA In the current version this parameter cannot be changed with SIGHUP signal restart of Dr Web MailD is required Default value SocketAccess 0660 In the CgpReceiver section settings for interaction between Receiver and CommuniGate Pro mail transfer system are specified This section is included in Dr Web MailD configuration file only if the software version is designed for operation with the MTA mentioned above ProcessingTimeout time PoolOptions pool options ProcessingErrors action ChownToUser enei Timeout for the Receiver component to wait for a message to be scanned It is recommended to set this parameter value greater than the value of the SendTimeout parameter from the MailBase section Default value ProcessingTimeout 40s Thread pool settings Default value PoolOptions auto Action applied to messages that caused scanning errors Only one of these actions can be specified tempfail discard pass reject Default value ProcessingErrors reject Set owner for a message file received from CommuniGate Pro MTA As drweb cgp receiver module runs with Administrator privileges root you can either leave this parameter value empty and start the whole Dr Web for UNIX mail servers system with Administrator privileges or you can set this parameter value to the name of a specific user whose privileges are used to run Dr Web for UNIX
398. interacts with Exim Zmailer or Postfix if Postfix does not use Milter protocol Only the Sender section is mandatory if Dr Web for UNIX mail servers interacts with Qmail Courier or other mail system which uses Milter protocol for example Sendmail or Postfix Courier contains settings of interaction with Courier mail system This section is optional and can be absent However this section is mandatory if Dr Web for UNIX mail servers is integrated with Courier mail system CgpReceiver contains settings of Receiver which interacts with the Communigate Pro mail system This section is optional and can be absent However this section is mandatory if Dr Web for UNIX mail servers is integrated with the Communigate Pro mail system CgpSender contains settings of Sender which interacts with the Communigate Pro mail system This section is optional and can be absent However this section is mandatory if Dr Web for UNIX mail servers is integrated with the Communigate Pro mail system Please note that both CgpReceiver and CgpSender sections are mandatory if Dr Web for UNIX mail servers interacts with the Communigate Pro mail system otherwise both sections can be absent Milter contains settings of interaction with mail systems which use the Milter protocol This section is optional and can be absent However this section is mandatory if Dr Web for UNIX mail servers is integrated with any mail system which uses Milter
399. ion Please note that the parameter value is LookupLite Default value SpamTrap List of protected recipients addresses It is used in reject unknown rcpts restriction It allows to discard messages with invalid recipients that are not in the list and to resist DHA attacks when used with anti dha filter in Reputation IP Filter It is recommended to specify this parameter with reject unknown rcpts restriction and use it with anti dha filter Please note that the parameter value is Lookup Default value ProtectedEmails List of protected senders addresses It is used in reject _unknown_sndrs restriction It allows to discard messages form invalid unknown senders and to resist DHA attacks when used with anti dha filter in Reputation IP Filter It is recommended to specify this parameter together with reject _unknown_sndrs and use it with anti_dha filter Please note that the parameter value is Lookup Default value ProtectedSenderEmails Reputation IP Filter settings Reputation IP filter allows assigning a score to the IP address according to the gathered statistics on connections as well as Ta J 1 ax Dr Web MailD 181 blocking this IP address temporarily if its total score is greater than some threshold value The following filters are available anti_dha errors_filter score_filter Filters are listed using comma as a delimiter and are checked in order they were specified
400. ion packages rpm apt urpmi yum zypper o kernel version 2 6 18 and later glibc version 2 5 and later e Native DEB distribution packages apt o kernel version 2 6 26 and later glibc version 2 7 and later Performance of Dr Web for UNIX mail servers was tested on the following distributions ALT Linux 4 0 5 0 5 0 CIT 6 0 ru CIT 6 0 ru Arch Linux all ASPLinux 12 0 14 0 Debian Soll 5 0 4 0 6 0 Fedora 14 0 Gentoo all Mandriva Linux higher than 2009 CS4 2010 x Mandrake 10 x 10 x openSUSE 10 3 Wil 10 3 11 0 PCLinux 2010 2010 RedHat Enterprise Linux RHEL 4 0 6 0 50 16 0 Suse Linux Enterprise Server 9M LLO 10 0 11 0 Ubuntu 7 04 11 04 7 04 11 04 Compatibility with MSVS OS Dr Web for UNIX mail servers is compatible with the following versions of MSVS OS e MSVS 3 0 80001 12 rev 0 1 2 3 e MSVS 3 0 80001 14 rev 0 1 2 e MSVS 3 0 80001 08 e MSVS 3 0 80001 16 e MSVS 3 0 FSTEK Other Linux distributions that meet the requirements mentioned above are also supported but they were not tested If you encounter any compatibility problems with the used Linux distribution please Ta J 1 ax Introduction contact technical support at http support drweb com request Package File Location Dr Web for UNIX mail servers solution is installed to the default sbin dir etc dir and var _ dir directories OS independent directory tree is created in the fo
401. ion parameters In the redirect text field of the Action parameter section you can specify an email address where filtered messages are to be redirected 372 rE os Dr Web Console for UNIX mail servers 373 A h Anti Virus Tab This tab contains general settings of Drweb anti virus plug in included in Dr Web for UNIX mail servers Dr Web MailD version fo Configuration A Dr Web MailD is running SS BE ee ee eee Ee Y Common Socket address Socket for interaction between antivirus plug in and drwebd more gt gt pid var drweb run drwebd pid x Timeout for drwebd to execute a command more gt gt seconds Heuristic analysis Heuristic analyzer settings fa Infected Action to be applied to messages infected with known virus Main action cure T A Additional actions x quarantine x notify redirect addheader _ E addscore C Processing errors Action to be applied to messages causing plug in 5 5 errors during scan Main action reject E more gt gt Additional actions quarantine x notify x rediet add header addscore e Size limit Maximum size of a message to scan o Log verbosity level Plug in log verbosity level info m Apply and Save Settings Figure 42 Anti virus settings In the redirect text field
402. ions applied to the whole message reject redirect generate MailD notifications and others e Actions applied to the selected elements of the message deletion signing replacement or modification of text and others e Actions changing the message score for anti spam a If a set of selected elements is empty actions specified in the rule are not applied are ignored 2 1 Actions applied to the whole message The following action operators applied to a whole message are available e pass accept pass the message If Dr Web Modifier is processing a message with the use of global rules and receives this command the processing stops Otherwise if Dr Web Modifier receives the command when using local rules the plug in starts using global rules for the processing reject reject the message and notify the sender discard reject the message without notifying the sender notify lt report name gt notify the administrator at that message processing does not stop After this command specify the notification template name used to generate the notification otherwise errors will occur during message processing Templates are located in the directory specified in the TemplatesBaseDir parameter value in the Notifier section of the Dr Web MailD configuration file Example GlobalRules select message notify rule In this case only MailD notification is sent As any action operator must be preceded by a selecti
403. ip IP address of the message sender if receiving information on the Lookup Aq P A X Dr Web MailD 245 client port server unix socket server ip server port id auth size score Note that e If the parameter name is not specified in the Boolean term the any parameter is sender s IP address was specified in the Maild core settings Note that you cannot use CIDR format here Example ciment Horn 0 0 1 The message must be sent from the local machine Port of the client that sent the message Example client port 1234 The message must be sent from the 1234 port Absolute path to the Unix socket file used for receiving the connection Example server unix socket var drweb ipc sockl1l IP address of the interface used by Receiver to get the message Note that you cannot use CIDR format here Port of the server which accepted the connection Unique identifier of Receiver that got the message if the identifier was set in the Receiver settings Indicates whether the client which sent the message obtained authorization Note that the parameter does not have an argument Example auie lane Size of the message Specify a comparison operator before the size e Not equal e Equal e lt Less than e gt Greater than e lt Less or equal e gt Greater or equal If a comparison operator is not specified the default lt opera
404. ir agent 4 Data from this file is used every time Dr Web for UNIX mail servers connects to Dr Web Enterprise Server 5 If you delete the password file repeated registration request will be sent to Dr Web Enterprise Server on the next Dr Web Agent startup Manual Creation of New Account by Administrator To create a new account manually 1 Create a new account on Dr Web Enterprise Server specify the station ID and password for details see the administrator manual for Dr Web ESS 2 Start Dr WebAgent with the newpwd command line parameter or p and enter the station ID and password Dr Web Agent records the hash of station ID and password into the pwd file This file is created in the directory that is specified in the CacheDir parameter of the EnterpriseMode section default value is svar dir agent 3 Data from this file is used every time Dr Web for UNIX mail servers connects to Dr Web Enterprise Server 4 If you delete the password file retry registration on the next Dr Web Agent startup Configuring Components via Dr Web Control Center embedded in Enterprise Security Suite You can configure Dr Web for UNIX mail servers and Dr Web Daemon anti virus module included in the standard installation package via Dr Web Control Center The standard installation package Dr Web Enterprise Security Suite includes basic configuration files for Dr Web for UNIX mail servers and Dr Web Daemon for Linux FreeBSD a
405. is periodically checked by CGP Value of the SubmitDir parameter of the Dr Web MailD configuration file must be equal to var CommuniGate Submitted Otherwise messages checked by Dr Web MailD cannot reach their recipients 6 After the var CommuniGate Submitted directory is checked and the message is received CGP goes to step 2 o if the settings are correct the message is not checked again o if the settings are inaccurate the message is returned to CGP after check of the SecureHash header o if the settings are incorrect an infinite checking loop can occur Known Issues In Linux operating systems after command line is altered and updated with the Helpers setting the previous filter process remains in the zombie status until CGP restart Description When drweb cgp receiver is started the following messages are displayed usr libexec 1d elf so 1 Shared object libstdc so 6 not found required by libboost_thread so Solution The system cannot find necessary libraries located in the Sbin dir 1lib directory It is required to copy libstdc so 6 and libgcec_s so 1 libraries or make symbolic links to them from bin dir 1lib to the system library directory Integration with Sendmail For interaction between Dr Web MailD and Sendmail system the latter must support Milter API If the used Sendmail copy does not support the API rebuild the system to add Milter API to the supported libraries For details refe
406. is verified If so the next address in the list is checked step 2 If not LDAP request is executed Note that if the message is sent to one recipient and the domain is in the list of skipped domains this rule forms no settings for the message 4 If the request result is positive content of description field is used as a setting concatenated on the left to the settings retrieved earlier then step 2 is executed Otherwise if the request result is negative user name is not found in the data source the Rule condition is false for the message this Rule is rejected and all settings retrieved from LDAP are discarded Remaining requests to LDAP are not performed 5 If LDAP request fails that is considered as a message processing error Processing of this message stops and according to OnError exception setting action specified in the ProcessingErrors Maild section parameter is performed For more information on how errors are handled in Rules see below As the cont directive is specified and no errors occurred viewing of other rules continues Note that if Ta J i ax Dr Web MailD the message is sent to several recipients and different parameter values are retrieved for them from LDAP the setting values are either determined after cloning of the message or substituted with parameter values from the configuration file as described above in the Processing messages with several recipients paragraph Joining Rule set
407. it Maximum number of nested MIME parts in the 100 message more gt gt MailBase settings Apply and Save Settings Figure 50 Advanced Engine settings In the MailBase section you can configure mail database settings Ta ax Dr Web Console for UNIX mail servers Backup database var drweb msqs db maildb backup Backup period o Deletion period Additional timeout Body size limit KB M Pool size Messages storage limit 100000 Send timeout 30 seconds Apply and Save Settings Figure 51 MailBase settings v MailBase settings Mail database backup file name more gt gt Time period for database backup more gt gt Maximum period of time for message to be stored in mail database more gt gt Additional time for message processing more gt gt Maximum size of message stored in mail database more gt gt Maximum mail database size in bytes more gt gt Maximum mail database pool size more gt gt Maximum number of messages stored in mail database more gt gt Timeout for plugin to perform an asynchronous check of a message more gt gt 381 gt Configuration Dr Web Dr Web Web Int Pid o Dr Web Console for UNIX mail servers vy Common Send reports Yes zi Reports schedule
408. it had before the installation Such copies are usually named file name 0O License key files and log files are saved to their corresponding directories Using GUI Uninstaller To uninstall with GUI 1 Enter the following command Sbin_dir remove sh On the Welcome screen click Next At any step you can return to the previous stage by clicking Back To continue installation click Next To abort uninstallation click Cancel Welcome L gt This program allows you to remove the following software Co Dr Web Agent 6 0 0 3 E EE Dr Web Bases 6 0 0 3 See pian Boost third party C libraries needed for Dr Web 6 0 0 2 z Dr Web Common Files 6 0 1 2 Dr Web Antivirus Daemon 6 0 1 3 Dr Web EPM Library for X11 epm gui 6 0 0 1 Dr Web EPM Dr Web uninstaller 6 0 0 1 Google performance analysis tools needed for Dr Web 6 0 0 1 Essential third party libraries needed for Dr Web Dr WEB 4 Next Cancel Figure 12 Welcome screen 2 On the Select Software screen select components to remove Installation and Uninstallation 39 Welcome Select Software Select the software to remove Confirm Installed Software Removing Dr Web Agent v6 0 0 3 fa Dr Web Bases v6 0 0 3 Boost third party C libraries needed for Dr Web v6 0 Dr Web Common Files v6 0 1 2 Dr Web Antivirus Daemon v6 0 1 3 Dr Web EPM Library for X11 epm gui v6 0 0 1 p M Dr Weh FPM Dr Web unins
409. ited Default value MaxConnections 0 Maximum number of simultaneous connections from one IP address 194 Ta J 1 ax DisablePlainText logical DoS Blackhole logical MaxCommandLength size MaxCachedHeadersPerMail size MaxLettersPerUser numerical value MaxDiskPerUSer size Dr Web MailD If 0 is specified as a value of this parameter the number of connections is not limited Default value MaxConnectionsPerIp 0 Do not allow the client to send login and password as plain text in an unencrypted format It requires OpenSSL to be configured in advance Default value DisablePlainText no Enables to drop connection without sending an error message to a client if there are too many simultaneous connections from one IP address Default value DoS _ Blackhole no Maximum size of a command for the IMAP protocol Each command is a string sent from a client to the server Maximum possible size of this command is about 1000 bytes according to the current RFC Please note that if this parameter value is small less than 10 bytes clients commands are not processed Default value MaxCommandLength 1000b Maximum amount of memory to be allocated to store frequently used headers IMAP filter caches main message headers in random access memory to speed up access to them If 0 is specified as a value of this parameter amount of allocated memory is not controlle
410. ith Vaderetro plug in you can also use instructions to compare with integer gt and lt a backslash is not required to escape the symbols The compared header is considered matching the selection criterion if this header contains an integer for example X Drweb SpamScore 30 satisfying the condition Example select mime headers X Drweb SpamScore lt 50 This command selects items that contain the x Drweb SpamsS header which value is an integer less than 50 Note that a backslash is not required to escape the lt symbol If a modification rule is specified as follows select mime headers X Drweb SpamScore lt 50 elements with X Drweb SpamScore lt 50 header are selected Ta 1 ax Dr Web MailD 315 Note that you cannot select a composite MIME object with select mime lt SEGMENT gt command except when the object is root a message For example if a message has the structure as presented in the figure below the select mime headers command selects the following objects with headers Message root object message Nested 1 Nested 2 Container object is not selected as it is composite includes Nested 1 and Nested 2 objects and it is not root not a message Message Container Nested 1 Nested 2 Content headers Content Body multipart e sender lt regular expression gt recipient lt regular expression gt Selects the whole message
411. ith empty FROM and TO fields because according to RFC 5321 specification Dr Web MailD must always be able to receive DSN and MSN notifications that have empty FRoM fields lt gt If SASL authentication was successful the IP address is marked as Trusted However if SCORE is specified it is also checked whether the IP address score is less than the specified value Skip all other checks on this SMTP session stage if the client has successfully passed SASL authentication If SCORE is specified a client that has successfully passed SASL authentication is checked unless the current score is less than the specified parameter value Checks if the recipient is specified in the ProtectedSenderEmails list see below If the sender s address is not in this list mail from this address is blocked or if SCORE is specified an error is logged and the ScoRE value is added to the message score It is recommended to use this action together with anti_dha Reputation IP Filter If the recipient host name has neither DNS A record nor DNS MX record mail to this address is blocked or if SCORE is specified an error is logged and the SCORE value is added to the message score Ta J 1 ys Dr Web MailD 178 reject unauth destination SCORE reject_unknown_rcpts SCORE pass_sasl_ authenticated SCORE Actions for DataRestrictions restriction reject spam trap SCORE reject milti recipient bounce SCORE
412. itor starts all other Dr Web for UNIX mail 48 Ta i ax Starting Dr Web for UNIX mail servers 49 servers components Sender Receiver Notifier etc In case of installation from native packages in Solaris During Dr Web for UNIX mail servers installation the SMF service management system attempts to run Dr Web Monitor If Dr Web Monitor cannot find a licence key file for example on the first installation of Dr Web for UNIX mail servers it stops its operation and SMF goes into the maintenance state To run Dr Web Monitor reset the maintenance state e Enter the following command sves p lt FMRI gt where FMRI is a unique identifier of a controlled resource In this case a unique identifier of Dr Web Monitor is required e Force termination of the process from svcs p output list pkill 9 lt PID gt where PID is a number of the process listed above e Restart Dr Web Monitor with the following command svcadm clear lt FMRI gt While installing Dr Web for UNIX mail servers from native packages in Solaris run Dr Web for UNIX mail servers with the SMF service management system sveadm enable lt drweb monitor gt sveadm enable lt drweb daemon gt To stop the service svcadm disable lt service name gt The drwebd module can be launched in one of the following two modes 1 with the init script standard launch 2 with the Dr Web Monitor In the second mode set the ENABLE parameter
413. ivalent to the expression append text text line Note that prepend text append text prepend html append html commands insert into the selected objects not only the text but the MIME object with text content to the start or end of the selected objects respectively and the modified objects become composite Thus adding of text information always results in reset of the selected objects list To continue message processing after the text is inserted repeat the select operation e addheader Adding of headers into selected MIME objects Example select message addheader foo bar This command adds a header with the foo name and bar value to the message Name and value of the header are separated by a colon It is required to consider text encoding both for text search and text insertion Text is always inserted in the same encoding as one of the configuration file except for prepend_text append _text prepend html n append_html commands using for insertion either encoding specified in the command or encoding set in the Encoding parameter of the plug in configuration file To use another encoding explicit encoding of string values is required 2 3 Actions changing message scores You can check or change score of a message A message has a score assigned to it and originally set to 0 When processing the message plug ins can change this score With add_score and set_score commands this score can be changed increased
414. ixes e ldapi connecting via the UNIX socket e ldap connecting via the TCP connection e ldaps establish a secured TCP connection TLS is used Login for authentication on the LDAP server proxy authentication Password as plain text for authentication on the LDAP server proxy authentication Authentication mechanism used by LDAP server 275 Ta J 1 ax Dr Web MailD 276 ldapdb rec Path to the file containing personal settings of local LDAP client libldap For example in this file it is possible to define the client TLS certificate used for optional i o secured connection ldapdb_starttls TLS usage policy Two values are allowed try and demand optional When try value is specified the LDAP client module tries to establish a secured connection and if this attempt fails switches to unsecured mode When demana value is specified and a secured connection cannot be established connection to LDAP server is refused Examples 1 The simplest configuration saslauthd is used pwcheck_method saslauthd mech list plain login 2 Using sasldb datasource pwcheck method authprop auxprop plugin sasldb mech list plain login cram md5 sasldb path etc sasldb2 3 Using PoslgreSQL database pwcheck method auxprop auxprop plugin sql mech list PLAIN LOGIN CRAM MD5 DIGEST MD5 NTLM sql engine pgsql sql hostnames 127 0 0 1 192 0 2 1 sql_ user username sql passwd secret sql
415. ject _unknown_domain O trust sasl eAwielaeme reste 7 pases sasl authenticated Default value SenderRestrictions trust _ sasl authenticated Checks performed on RCPT session stage All recipients are checked in order they are declared The following restrictions can be checked e reject _unknown_domain O veject unauta destination 9 eject _unknown_rcpts O pass sasl authenticate Default value RecipientRestrictions reject _unauth_ destination Checks performed on DATA stage of session The following restrictions can be checked e reject spam trap O reject multi recipient Dounce 7 pass sasl authenticated Default value DataRestrictions Result of blocking can be different depending on the stage of SMTP session When blocking is performed according to restrictions from the SessionRestrictions parameter INTRO stage the whole session is blocked that is an error is returned on any user command On other SMTP stages only a certain SMTP command is blocked Ta J i ax Dr Web MailD Each restriction can have an optional parameter score value SCORE except for set_score and add_score restrictions where the score value is the only mandatory parameter Depending on the restriction type score is processed in different ways e restriction can be applied if the current message score is less than the value specified in the parameter e restriction can be applied if the current message score is grea
416. keley firebird support service of the corresponding Lookups o control interactive management service o parser notification templates parser service o MRS service of receiving messages via SMTP LMTP o smtp service of sending messages via SMTP o lmtp service of sending messages via LMTP o pipe service of sending messages through the pipe o queue service of processing internal queue e level log verbosity level The following values are available FATAL ERROR WARN INFO DEBUG e sid session identifier of a message to which that log line is related The number must be specified in hexadecimal notation e mta id identifier of a message inside MTA from which this message is received It is output only if Dr Web MailD is not operating in SMTP LMTP proxy mode and the identifier was received from MTA e text text of a log message A When any module is started its log verbosity level is set to INFO by default After configuration is received from Dr Web Agent this level is changed according to the specified settings To enable DEBUG logging during module initialization for example to gain information on parameters received from Dr Web Agent use the 1evel1 command line parameter set its value to debug Internal Statistics Dr Web MailD can collect internal statistics of the following kinds 1 Statistics on SMTP restrictions appliance 2 Statistics on operation of dynamic thread pools and connec
417. l The parameter value has a special format described in Special parameters types Lookup parameter value expressed as strings In these strings search objects separated by commas are specified LookupLite light Lookup can contain only an explicit value or Lookup with the file prefix Storage interface for access to data store objects It differs from the Lookup parameter in the list of allowed prefixes and in the fact that the s macro cannot be used 22 Ta yan A A Introduction 23 For details on the Lookup LookupLite and Storage types see Lookup e TLSSettings settings of the secure connection which uses TLS or SSL protocol TLSSettings have a special format described in Special parameters types e strings list parameter value expressed as a list of strings separated by commas If the parameter value corresponds to the file path to file format the text values are taken from the specified file in the path to file part In this file each text value must be specified in a separate line If an error occurs when reading the file information on the error is logged and program loading continues e log level parameter value expressed as a string which contains the verbosity level of logging into the file or syslog system service e value parameter has the type that is not described in the previous items of the list In this case all available values are provided Behaviour
418. lD configuration file You can specify separate Rules as well as rule sets To create a separate rule click Create new rule button To edit a rule either newly created or an old one click it Dr Web Web Interface v t configuration 4 T 2r Web maib is running il id I 1337 1x AND a NOT block file with regular expressions J rfile add condition Action Continue Stop quarantine zl yes Ono x Create new setting Apply and Save Settings Figure 46 Rule editing When editing a rule specify parameters in all of the following sections Conditions Actions and Settings Conditions can contain logical operators Please note that the rule editor included in the current version of Dr Web Console for UNIX mail servers has the following restrictions 1 complex rules containing associations are not supported 2 rules that override the SkipDomains parameter value for a Lookup are not supported Such rules can be edited only in the configuration file or via web interface of Dr Web ESS Control Center in the enterprise mode However such rules are not displayed correctly in the Rule editor included in Dr Web Console for UNIX mail servers 376 7 ax A AN Dr Web Console for UNIX mail servers 377 Please note that local filtering rules of Dr Web Modifier plug in must be specified according to the same principle as the modifier
419. lD version 5 0 and later use the special quarantine migration pl script located in the sbin dir maild scripts directory After startup the script determines default settings and prompts to start migration to the new Quarantine version Migration is performed fully automatically After migration the script outputs information on the operation results start and end time and number of processed skipped messages and those that caused errors Interactive Management During Dr Web for UNIX mail servers operation interactive management of some of its modules can be performed 216 Ta J i ax Dr Web MailD To enable interactive management 1 Set Yes as a value of the Control parameter in the Maild section of the Dr Web MailD configuration file 2 Connect to the address set in the ControlAddress parameter of the same section of the Dr Web MailD configuration file and start entering required commands use any text client for example telnet Interaction is performed row wise the user inputs a string and drweb maild responds to it So multiline commands are not supported and complex Rules must be entered line by line An empty line indicates the end of the output from drweb maild Several interactive connections can be established simultaneously Both IPv4 and IPv6 protocols are supported Dr Web MailD always opens listening socket at lt value of BaseDir parameter gt ipc ctl regardless of the Control parameter val
420. ld The following levels are available Quiet Error Alert Info Debug syelogtaciili lt syellog flag gt ty Description Set the subsystem type used by syslog service for message output if this service is used for logging see the next parameter description The following types are available Daemon Mail LOCO sss hoecal7 lLog lt file name gt filename Description Set the name of the log file or syslog if this service is to be used for logging sendmail lt path to file gt Description Set the path to the executable file of drweb inject utility used for sending messages by default if the parameter is not specified the bin dir drweb inject path is used S socket lt path to file gt Description Set the path to the Dr Web MailD control socket by default if the parameter is not specified the var _dir ipc ct1 path is used agent lt path to file gt Description Set the path to the Dr Web Agent socket to receive configuration by default if the parameter is not specified the var _dir ipc agent path is used If the switch is specified without a path configuration from Dr Web Agent is not requested timeout lt time period gt Description Set the maximum allowed time to wait for response from Dr Web Agent when requesting configuration 2 Commands Commands are used to apply actions to messages selected from Quarantine by the specified criteria Ta yan A A Dr Web MailD
421. le Vaderetro plug in searches for the file of the used VadeRetro library in this directory Default value PluginsBaseDir var dir plugins In the current version only the following parameters can be specified for plug ins Specify the plug in name in the Settings parameter in the following way lt plugin name gt lt parameter gt If the parameter is used in Rules of message processing specify as follows lt plugin name gt lt parameter gt section text value max size size Name of the configuration file section where plug in parameters are specified as a rule a plug in configuration file consists of one section If the section name is not specified the section with the plug in name is used Maximum size of a message to scan When the parameter value is set to 0 maximum size is not limited Its default value depends on the queue BeforeQueueFilters Ta J 1 ax log_level log level log_ipc_level log level syslog facility syslog label log filename syslog path to file path_to_lib path to file Dr Web MailD 158 Or AfterQueueFilters which the plug in is assigned to and is defined by the value of the MaxSizeBeforeQueueFilters or MaxSizeAfterQueueFilters parameters Using the parameter in Rules in the configuration file Rules Rule that is true for all messages true cont plugin name max_size size Example Rules For email messages f
422. le to replace a malicious attachment with the text Path to the directory where the language files are located must be the same for Notifier and the plug ins Path to this directory is specified in value of the LngBaseDir parameter see above Pattern of a language file name is as follows lt plug in gt _ lt language gt 1ng where e lt plug in gt name of the plug in that uses this file as a string source drweb modifier and others 289 Ta yas A A Y Dr Web MailD e lt language gt name of the language used in the file Language files used by Notifier do not have the lt plug in gt _ prefix in their names Language file has the following structure e In the first line short name of the used language is given for example en ru e In the second line name of the used encoding is given for example koi8 r e In the third line number of bits in CTE is given 7bit or 8bit e Other lines contain strings of the N text type where N number identifier of the string and text the used text e Also a language file can contain empty strings and comments starting from symbol These strings are ignored Please note that only short names of languages from the first line of a language file can be used as a value of the NotifyLangs parameter see above Example of a language file language name LANG en coding system CHARSET UTF8 Content Transfer Encoding 7bit 8bit 8bit 1
423. leName Path to the log file syslog path to file r z You can specify syslog as a log file name and logging will be performed by syslogd system service In this case you must also specify the SyslogFacility parameter Default value FileName syslog Monitor Section The Monitor section contains main settings of Dr Web Monitor Monitor RunForeground Yes value forbids Dr Web Monitor to operate in daemon mode logical ae e This option can be used by some monitoring utilities for example daemontools Ta 1 ax User text value Group text value PidFileDir path to directory ChDir path to directory MetaConfigDir path to directory Address address Timeout numerical value TmpFileFmt text value Dr Web Monitor Default value RunForeground No Name of the user whose privileges are used by Dr Web Monitor Please note that when Dr Web Maild solution operates in SMTP LMTP proxy mode or integrated with CGP MTA or Exim MTA value of this parameter must be set to root Default value User drweb User group name used to run Dr Web Monitor with certain user privileges Please note that when Dr Web MailD solution operates in SMTP LMTP proxy mode or integrated with CGP MTA or Exim MTA value of this parameter must be set to root Default value Group drweb Path to the directory of a file where information on Dr Web Monitor proces
424. lected for installation automatically For example if you select to install Dr Web Antivirus Daemon then Dr Web Bases and Dr Web Common Files are installed automatically During installation packages for different mail transfer agents can conflict with each other drweb maild smtp and various drweb maild lt MTA gt For example if you try to install Dr Web Mail Daemon Exim Connector and Dr Web Mail Daemon Postfix Connector simultaneously you will receive an error message and suggestion to select only one of them Click to Select all to select all components Click Install None to clear selection 3 On the Confirm screen review and confirm the list of components to install Welcome Install Type Confirm your software selections below Select Software Selected Software Confirm Dr Web Agent v6 0 0 3 new a iceman Dr Web Bases v6 0 0 3 new Boost third party C libraries needed for Dr Web v6 0 0 2 new Installing Dr Web Common Files v6 0 1 2 new Dr Web Antivirus Daemon v6 0 1 3 new Dr Web EPM Library for X11 epm gui v6 0 0 1 new Dr Web EPM Dr Web uninstaller v6 0 0 1 new Google performance analysis tools needed for Dr Web v6 0 0 1 new Essential third party libraries needed for Dr Web on x86 systems v6 0 rislah VindoaD stra anticn am 116 00 9 inaw lt i gt Finish Dr WEB 4 Back Cancel Figure 6 Confirm screen Click Next to confirm
425. lem 4 3 0 usr libexec ld elf so 1 Shared object libstdc so 6 not found required by libboost_ program options so Solution The system cannot find necessary libraries which are located in bin dir lib directory It is necessary to copy or create a symbolic link libstdc so 6 and libgec_s so 1 from bin dir 1lib to the system library directory 350 Ta J i ax Dr Web MailD 351 Integration with ZMailer A drweb zmailer module is compatible only with ZMailer v 2 99 55 or later Dr Web MailD can interact with ZMailer in two modes e As a content filter at the stage of SMTP connection Advantages it is possible to block the message at the stage of SMTP connection Disadvantages decreased performance when system load is high only SMTP traffic is checked e As a content filter at the routing stage Advantages stable performance when system load is high all mail coming through ZMailer is checked including local mail and mail transferred via UUCP protocol Disadvantages message cannot be blocked when it is received i e reject and tempfail actions are similar to discard usage of SecureHash is necessary to increase performance and avoid cycling of messages drweb zmailer module is used as Receiver component of Dr Web MailD when interacting with ZMailer To assure proper operation of drweb zmailer and filters it is recommended to install patches if possible To install patches do the following
426. lename parameter matches any file name in Dr Web Daemon report In addition to one mandatory action you can specify several optional actions Mandatory actions are pass discard reject tempfail Optional actions are quarantine redirect notify add header score Please note that when communication with Dr Web Daemon is performed via the TCP socket a different format of file names is used in reports Example 127 0 0 1 17078 gt var drweb msgs db 6 00007976 msg 1 part Ok That is they do not start with the gt symbol but with an IP address and the number of the scanning process So regular expressions in the value of the RegexsForCheckedFilename parameter must be created with consideration of this difference Default value BlockByFilename reject quarantine notify Ta J i ax Dr Web MailD 298 When a message is blocked reject by Drweb anti virus plug in in the synchronous mode Dr Web MailD response to a client contains SMTP code 55 or 250 depending on the ReturnReject parameter value in the Receiver section and a text message which content is determined by values of the parameters described below Their values must be enclosed in quotation marks UseCustomReply logical ReplyInfected text value ReplyMalware text value ReplySuspicious text value ReplySkipObject text value R R Use custom messages as an SMTP reply if a message is rejected D
427. leted or rejected This component sends to MTA or MDA processed email messages including notifications reports and DSN Messages are sent either directly to the mail system or to mail servers via SMTP LMTP protocol Sender functions also can be performed by different executable modules drweb sender drweb cgp sender and others depending on the mail system integrated with Dr Web for UNIX mail servers Usually the used Sender components is paired with the used Receiver component Sender can receive and process requests from Maild core Notifier and Monitor for sending messages and notificatiins The component creates special service email messages of two main types e MailD Notifications email message sent from the address specified in the FilterMail parameter value The message contains information on Dr Web MailD operation for example on virus detection in a received message e DSN delivery status notification automatic email message created by MTA The message contains information on any problem occurred during message processing This message always has an empty FROM header as required All notifications are created during Dr Web MailD operation Requests for notifications can be received either from a plug in for example if a virus is found in a message or from other components if configured accordingly For example MailD core can send a request for creation of general statistic report and Sender can send a req
428. lied to potentially dangerous programs If an additional modifier is not specified Dr Web Scanner only informs the user about the threat hcek d m r i Defines an actionapplied to hacktools If an additional modifier is not specified Dr Web Scanner only informs the user about the threat Additional modifiers indicate actions that is applied in order to avert threats e Add d to delete objects e Add m to move objects to Quarantine e Add r to rename objects that is replace the first character of extension with e Add i to ignore threats available for minor threats only such as adware etc that is apply no action and do not list such threats in the report If malicious objects are detected within complex objects such as archives containers packed or mail files the action is applied to the whole complex object and not to the included malicious object only Ta yan A A Dr Web Command Line Scanner Interface Parameters These parameters configure Dr Web Scanner output eee oe ee Instructs to output information on the product and engine versions and exit SSID IES Dr Web Scanner ae Instructs to output information about the license and its owner in UTF8 encoding only go Instructs to run Dr Web Scanner in batch mode when all questions implying answers from a user are skipped and all decisions implying a choice are taken automatically This mode is useful for automatic scanning of files for example during a
429. llowing directories bin dir directory with executable modules of Dr Web for UNIX mail servers and Dr Web Updater perl script update pl bin dir doc documentation on the product All documentation is available in both Russian and English languages and represented in KOI8 R n UTE 8 text files bin dir lib directory with various service libraries and supporting files for Dr Web for UNIX mail servers component operation for example ru_scanner dwl file of Dr Web Scanner language resources sbin dir scripts bin dir maild scripts directories with additional scripts Dr Web for UNIX mail servers autoconfiguration script migration script for transfer of configuration from older Dr Web versions bin dir web Dr Web for UNIX mail servers web interface module for connection to Webmin etc_dir directory with Dr Web for UNIX mail servers configuration and enable files that manage startup of components operating in daemon mode etc_dir agent directory with additional configuration files for Dr Web Agent etc_dir monitor directory with additional configuration files for Dr Web Monitor etc dir maild templates directory where notification templates are located Notifications are generated and sent to recipients on detection of malicious objects in an email message or if an error occurs during operation of Dr Web Daemon or its modules var dir bases directory with virus databases vdb files svar _dir inf
430. login e mutual auth require mutual authentication Default value SecurityOptions noanonymous MTA Connections This section provides you with description of parameters that configure interaction between Dr Web for UNIX mail servers and different MTAs The configuration file must contain sections with parameters which specify interaction between Dr Web for UNIX mail servers and used MTA If Dr Web for UNIX mail servers operates in mail filtering mode the configuration file must also contain the POP3 or IMAP section depending on the used protocol Depending on the MTA Dr Web MailD uses different modules that perform functions of Sender and Receiver components The following table lists MTAs that can be integrated with Dr Web for UNIX mail servers For every MTA the corresponding modules and sections of the configuration file are specified Sendmail drweb milter Milter or any MTA that drweb sender Sender uses Milter protocol drweb receiver Receiver before queue drweb sender Sender drweb receiver Receiver Postfix after queue drweb sender Sender drweb milter Milter Milter drweb sender Sender X drweb receiver Receiver Exim drweb sender Sender CommuntGate drweb cgp receiver CgpReceiver Pro drweb cgp sender CgpSender x drweb courier Courier Courier drweb sender Sender 168 A yan Aq A Dr Web MailD 169 drweb zmailer Receiver Zmailer drweb sender Sender
431. lters mode It is recommended to set this parameter value greater than the value of the ProcessingTimeout parameter of the Milter section in the Dr Web MailD configuration file milter _default_action tempfail this parameter defines action of Postfix if any errors occur during interaction with drweb milter module milter protocol 6 the required version of Milter protocol milter _mail_macros _ this parameter allows Dr Web MailD to retrieve the IP address and host name of the sender milter_end_of data_macros i auth type this parameter allows to retrieve information on authorization and the message ID to add information on the message to drweb milter log Note features of operation through Milter in the synchronous and asynchronous modes Configuring Dr Web MailD If the suite is started using Dr Web Monitor component drweb milter module must be started as a Receiver component For that in the etc dir monitor maild postfix mmc file uncomment the string which is responsible for startup of drweb milter module It is also recommended to comment the string which is responsible for startup of drweb receiver module As a result drweb postfix mmc contains strings similar to the following ones drweb receiver local var_dir ipc agent 15 30 MAIL drweb drweb drweb milter local var_ dir ipc agent 15 30 MAIL drweb drweb In is also required to configure operation of drweb sender module Specify the following par
432. lue SkipDomains OnError Sets the mode of error handling errors that occur in Lookup ignore exception when connecting to the specified data source Allowed modes e ignore ignore the error and continue message processing the error is only logged e exception generate an exception which is handled as a message processing error The handling method corresponds to the ProcessingError parameter value set for the module in operation of which this error occurred The parameter value can also be locally overridden in a Lookup Default value OnError ignore Ta J N aX Dr Web MailD 210 CDB database is a read only storage of alphanumerical key alphanumerical value pairs You may use tinycdb package to create a database file Each file is represented as a single table name of the table is the name of the corresponding file without the full path to it path to table cdb gt table cdb CDB database does not support SQL query language so the driver emulates the single SQL command to unify operation with Lookup select from tablename where key string where tablename is a filename Berkeley Section In the Berkeley section settings for interaction between Dr Web MailD and Berkeley database are specified Databases Path to the Berkeley database file path to file p Default value Databases Environment Path to the directory where Berkeley database lock files are pa
433. ly the plug ins Default value UpdatePluginsOnly No Specifies the section of configuration file where Dr Web Updater takes the settings such as a path to the key file paths to virus databases and others Possible values Scanner Daemon Value of this parameter can be temporarily overriden by the what command line parameter The specified value is used until the next start of the script Default value Section Daemon Path to the executable file of Dr Web Daemon or Dr Web Scanner It is used by Dr Web Updater to get the product version Default value ProgramPath bin dir drwebd Path to the program which is used to read digitally signed files Default value SignedReader bin dir read_ signed Path to the directory that contains a program used for unpacking of Izma archives Default value LzmaDecoderPath bin dir Path to the file used to prevent sharing of certain files during their processing by Dr Web Updater Default value LockFile var_ dir run update lock If you specify yes Dr Web Updater outputs an update report for each session to stdout This mode can be used to send notifications to administrator by email if Dr Web Updater is run by the cron daemon Default value CronSummary Yes Path to the file dr1 with the list of Dr Web GUS servers Dr Web Updater selects a server from this list in random order to download updates For details on downloading updates see U
434. m 3Fid 3D3 e remove this command instructs to delete selected objects of any kind except for a root MIME object message that is this command cannot delete a whole message Example In the following rules remove command cannot be used GlobalRules select mime body text remove pass GlobalRules select mime body script remove pass prepend text append_text prepend html append html These commands add fragment of plain text or html format to the selected MIME objects The command has an optional argument 7b encoding In this argument encoding means name of the added text encoding and 7b prefix indicates use of 7 bit encoding context transfer encoding CTE 7bit If the 7b prefix is not specified the CTE 8bit encoding is used If encoding is not specified the encoding set in the Encoding parameter in the plug in configuration file is used Example select message append html lt h1l gt checked by anti spam lt h1 gt Apart from that you can use Dr Web Modifier language file as a source of data in certain 318 Ta 2 1 ys Dr Web MailD 319 encoding To use lines from the 1ng file specify them in the n format where n is the ordinal number of the string in the 1ng file For details on language files usage see description of the Notifier section Example Let 1ng file have the following line 782 text line then append_text 782 expression is equ
435. m gt lt item gt lt vname gt Trojan Botnetlog 9 lt vname gt lt dwvlid gt 438003 lt dwvlid gt lt place gt 4 lt place gt lt percents gt 7 86446592583328 lt percents gt lt item gt lt item gt lt vname gt Trojan DownLoad 36339 lt vname gt lt dwvlid gt 435637 lt dwvlid gt lt place gt 5 lt place gt lt percents gt 7 31494163115527 lt percents gt lt item gt lt drwebvirustop gt In this file the following XML attributes are used e period duration in hours of the statistics collection process e top number of the most frequently detected threats shown in the statistics table number of rows e updatedutc last statistics update time e vname threat name e place place of the virus in the statistics e percents percentage of the total number of detections A Value of the period parameter and size of the sample cannot be changed by user To get personalized threat statistics Visit one of the following webpages e For statistics in HTML format go to http stat drweb com view lt UUID gt Page with the personalized statistics is similar to the aggregate statistics page Ta J i ax Dr Web Agent 108 e For the file with the personalized threat statistics in XML format go to http stat drweb com xml lt UUID gt The lt UUID gt in both cases stands for the MD5 hash of your license key file unless you have a personal UUID received from Doctor Web
436. marked as trusted Default value MaxMsgSize 10m MaxJunkCommands Maximum number of RSET NOOP and VRFY commands per numerical value session If this number exceeds the specified value an error counter activates Current value of the error counter is set to 0 each time the message is successfully processed by the drweb maild module If the parameter value is set to 0 this restriction is not checked Default value MaxJunkCommands 100 MaxHELOCommands Maximum number of HELO EHLO and LHLO commands per numerical value session If this number exceeds the specified value an error counter activates The score is reset after every successful processing of the message by drweb maild If the parameter value is set to 0 this restriction is ignored Ta 1 ax Dr Web MailD Default value MaxHELOCommands 20 Please note that some of the restrictions mentioned above are checked even if an IP addresses are marked as Trusted The following table describes behavior of restrictions for Trusted clients and texts of SMTP replies that are sent if a message does not satisfy the restriction MaxRecipients a52 A 573 LOOM Many mrae Olas No MaxConcurrentConnection 421 4 7 0 Too many concurrent SMTP connections from this IP address please try No again later MaxMailsPerSession 421 4 2 1 too many messages in this N connection o MaxReceivedHeaders 554 5 7 0 MailD error Too many received Y headers N S Max
437. means of special transport Advantages recompilation of Exim is not required and system can operate with relatively old versions of Exim Disadvantages system performance is reduced e Connection by the means of Exim local scan function In this case Receiver unlike other components receives its configuration data from the configuration file of Exim mail system unlike other components which receive configuration settings from Dr Web Agent component Advantages system performance is increased Disadvantages recompilation of Exim is required and Exim version must be 4 50 or later Note that the initialization script included in Dr Web MailD and located in the bin dir maild scripts directory allows to preconfigure Dr Web MailD and Exim to interact using special transport Configuring Exim Initial configuration is identical for both connection methods First it is necessary to add drweb user to the list of trusted users in the MAIN CONFIGURATION SETTINGS section of the Exim configuration file Ree EPH EEE EEE EEE E TE FE TE EE EEE REE E EH E EREE H MAIN CONFIGURATION SETTINGS Rae EEE EEE EEE EEE EE EE EEE EEE E E E EREE trusted_users drweb Please note that if Exim performs mail delivery immediately after receipt of messages from drweb sender and serious delays occur in this delivery e g when SMTP protocol is used then timeout specified as the PipeTimeout parameter value in the Sender section of the Dr
438. meout time You can specify one of the following verbosity levels for statistics gathering e off disables statistics gathering which allows to increase performance of the suite As a result statistics cannot be exported and no reports are sent e low enables gathering of statistics on operation of the whole suite As a result statistics can be exported and reports are sent e medium to the statistics gathered on the 1ow level statistics on groups is added You can enable or disable statistics collection for a certain group e high to the statistics gathered on the medium level statistics on each user listed in the internal database is added You can enable or disable statistics gathering for a certain user You can access statistics via the controlsocket or the web interface Statistics collected on the low level is also included in reports if this option is enabled Default value Detail low Sending reports to the statistics server or Dr Web Control Center if Dr Web MailD is working as a part of the Anti virus network in central protection mode Default value Send Yes Time interval to send statistics to server Default value SendPeriod 10m Timeout for the statistics server to response Default value Timeout 30s It is possible to export statistics with Dr Web MailD using the Storage type To enable export of statistics via the Storage type 1 Specify yes as a value of the ExportStat p
439. message processing Rules The parameter value defines how the name of a notification transmitted to Notifier is mapped to a new value from which a new template name is formed according to the above mentioned pattern It is reasonable to map a name to the one that Notifier can recognize otherwise the required file cannot be found Such a situation is treated as an error and is processed according to the ProcessingError parameter value Note that the NotificationNamesMap parameter allows to configure selection of different user template files only for generating notifications of the second and third types that is only for periodic reports and DSN Example Rule buh NotificationNamesMap report rl dsn dl Rules to regex buh domain org cont rule buh After this message processing Rule is applied notifications of the second type periodic reports and DSN are generated from the report _rli msg and dsn_d1 msg files respectively when mail messages are received from the buh domain org domain Please note that Dr Web MailD is supplied with a standard dsn msg template for DSN notifications and an additional dsn_ for exchange msg template The latter is a special DSN template used only if a target MTA is an MS Exchange mail server required due to implementation features of MS Exchange that is not fully compliant with RFc 3464 This special DSN cannot be used with other MTAs If it is required to use dsn_for exchange msg change the standard
440. min_conn 100 o block_period 2h o score 0 Example ReputationIPFilter errors filter score 20 score filter The first filter sets a score equal to 20 to all messages in sessions established from IP addresses which generate too many errors during the SMTP session The second filter blocks all IP addresses which have too large average scores in comparison to the number of connections established from them Example ReputationIPFilter errors filter errors per msg 0 05 errors per conn 1 min _msgs 0 min errors 10 min wrong rcpts 3 min_conn 50 score filter score per msg 20 score per conn 30 min wrong rcpts 3 anti dha wrong per valid rcpts 0 02 min wrong rcpts 20 In this example errors filter filter is triggered when one of the following conditions is true e ratio between the number of errors occurred during the SMTP session and the number of messages passed to drweb maild equals to 0 05 errors per msg 0 05 ratio between the number of errors occurred during the SMTP session and the number of connections from this IP address equals to 1 errors per conn 1 number of errors registered on the stage of SMTP session is greater than 10 min errors 10 number of invalid recipients declined after the RCPT TO command transferred by the SMTP client equals to 3 min wrong repts 3 e minimum number of connections from the IP address equals to 50 min conn 50 score filter filter is triggered if e ratio between the general
441. mon with the privileges of the mail system user If the system is configured correctly Dr Web Daemon does not require root superuser privileges If required name of the user with whose privileges Dr Web Daemon must run is set as the User parameter value in Dr Web Daemon settings In addition you can configure user and their group used on module startup For that purpose edit mmc file of Dr Web Monitor if it is used for management of Dr Web for UNIX mail servers components Processed Signals Dr Web Daemon can receive and process the following signals e SIGHUP reload the configuration file e SIGTERM correct termination of Dr Web Daemon e SIGKILL force termination of Dr Web Daemon if any problem occurs e SIGUSR1 save process pool statistics to the log file Please note that SIGUSR1 signal must be sent to its parent process only because child processes are terminated after receiving of SIGUSR1 Log Files and Statistics Daemon Log Since Dr Web Daemon is a resident program information on its operation can be obtained only from a log file Log file contains details on processing of all scanning request sent to Dr Web Daemon You can specify the log file location in a value of the LogFileName parameter Dr Web Daemon can log information to different files depending on a client that sent the request You can specify different log files for every Dr Web clients for example Dr Web for UNIX mail servers in the
442. mum number of recipients is not limited If an IP address from which connection is established is marked as trusted this restriction is not checked Default value MaxRecipients 100 171 Ta yan A A Dr Web MailD 172 MaxConcurrentConnection numerical Maximum number of concurrent SMTP connections from a single value IP address When the parameter value is set to 0 maximum number of SMTP connections from a single IP address is not limited Default value MaxConcurrentConnection 5 MaxMailsPerSession numerical Maximum number of messages per single session number of value MAIL FROM commands When the parameter value is set to 0 maximum number of messages per single session is not limited Default value MaxMailsPerSession 20 MaxReceivedHeaders numerical Maximum number of Received headers value 3 When the parameter value is set to 0 maximum number of Received headers is not limited Receiver always checks this restriction even if an IP address is marked as trusted Default value MaxReceivedHeaders 100 MaxErrorsPerSession numerical Maximum number of errors per single session value j When the parameter value is set to 0 maximum number of errors per single session is not limited Default value MaxErrorsPerSession 10 MaxMsgSize Maximum message size transmitted in DATA command yas Receiver always checks this restriction even if an IP address is
443. n Dr Web MailD 296 optional actions Mandatory actions are pass remove discard reject Optional actions are quarantine redirect notify add header score Default value Riskware reject quarantine notify Actions to be applied to messages containing programs used to gain unauthorized access to computer systems In addition to one mandatory action you can specify several optional actions Mandatory actions are pass remove discard reject Optional actions are quarantine redirect notify add header score Default value Hacktools reject quarantine notify Actions to be applied to messages containing objects which cannot be scanned by Dr Web Daemon due to the following reasons e attachment includes a password protected or corrupted archive a symbolic link a file in a nonstandard format or an encrypted file e message scan is aborted due to timeout for details refer to the description of the SocketTimeout and FileTimeout parameters in the main configuration file drweb32 ini In addition to one mandatory action you can specify several optional actions Mandatory actions are pass remove discard reject Optional actions are quarantine redirect notify add header score Default value SkipObject pass Actions to be applied to messages containing archives which cannot be scanned by Dr Web Daemon due to any of the following restriction exceedings e archive c
444. n e use the encoding and CTE specified in file header 290 Ta i ax Dr Web MailD 291 Plug Ins At the current moment the following plug ins of Dr Web MailD are available e Drweb anti virus plug in This plug in is used for checking email messages for viruses threats and other malware e Vaderetro anti spam plug in This plug in is used for checking email messages for spam attributes e Dr Web HeadersFilter Plug in which filters email messages by values of their headers e Dr Web Modifier Plug in which allows modification of email message parts Each plug in is presented as a shared library a file with so extension Plug in libraries exist in bin dir maild plugins directory Library files of each plug in has the name of the following pattern lib lt name gt so where lt name gt name of the plug in For example file of Drweb plug in library is named libdrweb so Each plug in uses its own configuration file Plug in configuration files exist in the etc _dir directory Plug in configuration files are named according to the following pattern plugin lt name gt conf where lt name gt name of the plug in For example configuration file of Drweb plug in is named plugin drweb conf If necessary you can configure each plug in to use configuration files and dynamic libraries name of which does not correspond to the pattern To do this adjust the settings in the of the Filters section of the main Dr
445. n reject quarantine redirect 2 Similarly to the first example but copies of the message are to be sent only to the specified addresses to the address set as the AdminMail parameter Notifier section value nothing is sent Action reject quarantine redirect adminl domain admin2 domain admin3 domain Dr Web HeadersFilter Plug In Dr Web HeadersFilter plug in filters messages according to their headers When filtration rules are set regular expressions Perl syntax can be used Connecting Headersfilter Plug In To connect Dr Web HeadersFilter plug in to Dr Web for UNIX mail servers in the Dr Web MailD configuration file add headersfilter string to the list of plug ins which process messages If you want messages to be processed by Dr Web HeadersFilter before they are moved to the database you must add the name of this plug in to the list of the BeforeQueueFilters parameter values from the Filter section of the Dr Web MailD configuration file Example BeforeQueueFilters drweb headersfilter If you want messages to be processed by Dr Web HeadersFilter after they are moved to the database you must add the name of this plug in to the list of the AfterQueueFilters parameter values from the Filter section of the Dr Web MailD configuration file Example AfterQueueFilters headersfilter Ta J i ax Dr Web MailD Setting Headersfilter Plug In All main parameters that regulate plug in op
446. n After making necessary changes click o on the navigational menu at the top of the page In the open window set Central Protection Mode parameter value to Yes or Auto Central Protection Mode parameter can have one of the following three values e No in this mode Dr Web Console for UNIX mail servers interacts with local configuration file and does not have access to the configuration received by Dr Web Agent from Dr Web Enterprise Server Changes made to the configuration in this mode take effect only after Dr Web Agent is set to operate in the Standalone mode e Yes in this mode Dr Web Console for UNIX mail servers receives configuration from the Dr Web Agent socket If Dr Web Agent is operating in the Stanalone mode the following warning is output to the Dr Web Console for UNIX mail servers Unable to connect to Dr Web Agent at local var_dir ipc agent e Auto Dr Web Console for UNIX mail servers operation mode is set according to the mode of Dr Web Agent If there is a problem connecting to Dr Web Enterprise Server the following behaviours of Dr Web Console for UNIX mail servers are possible e If Dr Web Enterprise Server is unavailable upon the initial connection or authorization process fails Dr Web Agent terminates In this case check the settings and try to restart Dr Web Agent and Dr Web Console for UNIX mail servers e If connection to Dr Web Enterprise Server was established earlier but now the server is 389 AT
447. n Quarantine can be set with the StoredTime parameter You can also limit the size of Quarantine MaxSize parameter and the number of messages in it MaxNumber parameter If several restrictions are specified all of them are applied simultaneously MaxSize and MaxNumber restrictions are checked each time a new message is saved to Quarantine StoredTime restriction is checked at certain intervals specified in the PulseTime parameter drweb gqp utility deletes old messages from Quarantine and moves them to the external DBI database It works with Perl version 5 0 or later Path to drweb qp must be specified in the PathToDrwebQp parameter The drweb qp utility is started at certain intervals specified in the PulseTime parameter If the PulseTime parameter value is set to 0 and usage of contto messages is disabled the utility does not start Using DBI It is possible to store quarantined messages not only in the file system but also in a DBI storage To use this feature DBI storage must be pre configured For detailed description of DBI modules setup and adjustment for operation with databases refer to documentation on DBI To enable successful transfer of messages to the database the database must be created with the use of SQL ASCII symbol set Interaction with DBI is performed only via an external utility path to which is specified in the PathToDrwebQp parameter Quarantine section By default drweb qp is used The utility is suppl
448. n anti virus network or managed remotely In this mode configuration files and key files reside on local drives and Dr Web Agent is fully controlled from the protected computer e Enterprise mode or central protection mode when protection of the computer is managed from the central protection server In this mode some features and settings of Dr Web for UNIX mai servers may be modified and blocked for compliance with a general for example company security policy Licence key file for operation in this mode is received from the central protection server Your personal key file on the local computer is not used d Note that drweb agent can operate in enterprise mode only with Dr Web ESS 6 If you want to ensure connection to the central protection server Dr Web ESS 10 install and configure the new agent version implemented as drweb agent10 module For details on how to install and configure drweb agent10 refer to the Migration to Dr Web ESS 10 section To use central protection mode 1 Contact the anti virus network administrator of your company for a public key file and parameters of connection to the central protection server 2 In the Dr Web Agent configuration file by default setc dir agent conf adjust the following parameters in the EnterpriseMode section e Set the PublicKeyFile parameter value to location of a public key file received from anti virus network administrator usually Svar dir drwcsd pub This file inclu
449. n be found for example at http www postfix org FILTER_README html Dr Web MailD can also interact with Postfix server in the before queue mode as well but it is not recommended to use this mode if system load is high For more information on how to configure operation in before queue mode refer for example to the following web page http www postfix org SMTPD_PROXY_README html Operation Using Milter Protocol Interaction with Postfix system via Milter protocol is organized in the following way e Through the transport connection defined by the transport address of drweb milter which acts as a Receiver component Postfix system receives internal commands from Milter API and a message itself The message is transferred in segments depending on the stage of the mail session helo mail from rcpt to etc These segments are saved by drweb milter module to the temporary directory Through Milter API drweb milter transmits instructions to the Postfix system about actions to be applied to the message Milter API is a multithreaded library which allows to process several mail sessions simultaneously In the interaction solution described above Postfix system is a client and drweb milter is a server therefore in the mail cf configuration file of Postfix system it is required to specify address of drweb milter module and Postfix system selects the appropriate client address for this connection e Through another transport conn
450. n one or more parameter settings separated by white space Parameters are specified in the following format keyword value Spaces around the equal sign are optional To specify an empty value or a value containing spaces enclose it in single quotes If the string is empty default parameters are used For details refer to http www postgresql org docs 9 3 static libpq connect html In addition is recommended to use the connect timeout parameter that specifies wait time for a connection to be established Examples ConnectionString host localhost port 5432 user ai password qwerty dbname drweb ConnectionString hostaddr 127 0 0 1 port 5432 dbname mailddb user mailddbuser password Str0OngPaSSw0rd connect _timeout 5s Default value ConnectionsString Ta J 1 ax SizeLimit integer Lib path to file SkipDomains LookupLite OnError ignore exception Dr Web MailD 207 Maximum number of strings received in response to a single database request When the parameter value is set to 0 maximum number of received strings is not limited Default value SizeLimit 10 Path to libpq so library Default value Lib usr lib libpq so List of domains for which request to database is not required This parameter often allows to improve total performance and considerably reduce server load Please note that the parameter value is LookupLite The parameter value can also be
451. n the email address or alias used for the search If part of email is not specified all known addresses or aliases are output Output format is similar to the one of email info output User unique identifier in part of email must be fully specified o part of name substring in the user name if the name contains a single quotation mark another single quotation mark must be specified before it if substring contains no spaces enclosing quotation marks can be omitted Only users whose names contain the specified substring are output o ignore defines type of records to be ignored aliases search is performed among usual addresses nonalias usual addresses search is performed among aliases If email and name are specified simultaneously only those users are output that satisfy both 224 Ta J i ax Dr Web MailD 225 restrictions As the user name is not saved for aliases it is meaningless to use the substring for alias and user name simultaneously when searching e email count range START NUMBER email part of email name part of name ignore alias nonalias processing is performed similar to email search but only the number of found addresses is output Commands for Alias Management You can manage aliases with the following commands e aliases get emails list output list of aliases for all addresses from the emails list list If emai ls list contains nonexisting addresses or
452. n the key files or at least in one of them Limitations on operation of a certain plug in are composed of restrictions specified in all used key files During operation of the suite various plug ins must have the same limitations In case there are several key files with different limitations operation of the plug ins is restricted to the minimal permission specified in the used key files Example Let us assume that three license key files are used In the first key file limitation for Drweb plug in is set to 10 000 letters per day In the second key file limitation for Vaderetro plug in is set to 15 000 letters per day In the third key file limitation for Drweb plug in is set to 10 000 letters per day Thus Dr Web for UNIX mail servers will be able to work with both plug ins mentioned in key files but total limitation on operation of these plug ins will be set to 15 000 letters per day as for Vaderetro in spite of the fact that Drweb plug in can actually process 20 000 letters per day 54 Ta yan A A Dr Web Command Line Scanner 55 Dr Web Command Line Scanner Command line Dr Web Scanner provides you with detection and neutralization of malware on the local machine The component is presented by the drweb module Dr Web Scanner checks files and boot records specified on its startup For anti virus checking and curing Dr Web Scanner uses Dr Web Engine and virus databases but does not use the resident module Dr W
453. n the stage of SMTP session After the value is exceeded a corresponding filter is activated If the value is set to 0 this parameter is ignored e min_wrong_rcepts U minimum number of invalid recipients declined after the RCPT TO command transferred by the SMTP client After the value is exceeded the filter is activated If the value is set to 0 this parameter is ignored e min_conn U minimum number of connections from the IP address After the value is exceeded the filter is activated If the value is set to 0 then this parameter is ignored e block_period T sets blocking time for the IP address if it falls within the limits of the filter T is of a time type If the value is set to 0 IP address is not blocked even if it falls within the filter limits e score I a score to be assigned to all messages in the current session Also it is added to the 260 Ta 2 i ax Dr Web MailD general score of the IP address If the score value is not equal to 0 this parameter will be applied instead of the block_period parameter and a score will be assigned to the IP address instead of blocking Each of the filters has a set of unique parameters and specific set of default values for general parameters e anti dha resistance to DHA attacks directory harvest attack To use this filter specify the full range of protected addresses as a value of the ProtectedEmails parameter in the Receiver section Specific paramet
454. nBlock logical Dr Web MailD You can specify only text part of the reply lt Text gt M550 So7o0 Text must be enclosed in quotation marks if it contains white spaces Default value ReplyProcessingError DrWEB maild Message is rejected due to software error Reply that is sent when MaxScoreAction action is applied and if e MaxScoreAction reject e UseCustomReply yes You can specify only text part of the reply lt Text gt W550 SKO Text must be enclosed in quotation marks if it contains white spaces Default value ReplyMaxScore Dr Web MailD Message is rejected due to score limit exceed Instructs MailD core to use Received header value as a client s IP address if this address is not identified by Receiver Note that in some cases Receiver cannot define client s IP address based on the analysis of Received header Default value GetIpFromReceivedHeader Yes Enables drweb maild MailD interactive management component core Default value Control No Socket address used by interactive management subsystem of drweb maild module Default value ControlAddress inet 3009 127 0 0 1 Thread pool settings for the interactive management socket of the drweb maild Default value ControlPoolOption auto Skip DSN dispatch when the program failed to pass return code to Receiver after applying Reject or Tempfail actions Default value SkipDSNOnBlock
455. nal actions more gt gt quarantine rediet sd addheader ___ addscoe ___ J Save Apply and Save Settings Figure 49 General Engine settings On this tab you can specify an email address where messages filtered by a plug in are to be redirected Ta 2 ww ax Dr Web Console for UNIX mail servers 380 To do this enter the required address in the corresponding redirect filed You can also enable management of drweb maild by the means of control email messages To configure pool options and custom replies specify required values in the corresponding fields Input pool options Thread pool settings for processing before queue Current values auto O minimum O minimum 2 maximum 20 timeout seconds I stack_size b a loglevel quiet ga stat no x Pid file Path to pid file of drweb maild process var drweb run drweb maild pid m Use custom reply Custom messages in SMTP sessions No m more gt gt Get IP from header Ls EEE ponie we as Client ons if Yes x it is nol ntified yy Receiver component Skip DSN on blocking Whether to send DSN report when program fails to z pass return code to Receiver component after No performing Reject or Tempfail actions Mime parts limit Maximum number of MIME parts in a message 1000 more gt gt Nested mime parts lim
456. nces remain in the system 2 The second variant of the command removes from the system all packages names of which start with the drweb string this is a standard pattern for a Dr Web package name Please note that this command removes from the system all packages which name corresponds to the pattern not only those of Dr Web for UNIX mail servers You can also use alternative package managers for example PackageKit Yumex to install or remove the packages Zypper package manager SUSE Linux 1 Installation To add the repository use the following command zypper ar t YUM http officeshield drweb com drweb el5 stable i386 drweb Ta 1 ax Installation and Uninstallation or zypper ar t YUM http officeshield drweb com drweb el5 stable x86 64 drweb To install Dr Web for UNIX mail servers use the following commands zypper refresh zypper install lt package name gt 2 Deinstallation To remove Dr Web for UNIX mail servers use the following command zypper remove lt package name gt To remove all installed packages from Dr Web use the following command in some systems it is required to escape the character with a backslash zypper remove drweb Removal with the use of zypper has the following features 1 The first variant of the command removes only the lt package name gt package but other packages which could be automatically installed on the package installation to
457. nd Solaris When you configure certain components via the web interface Dr Web Control Center values of the corresponding parameters change in these configuration files on Dr Web Enterprise Server After that every time the components start Dr Web Agent requests configuration from Dr Web Enterprise Server 103 A yaN Aq A Dr Web Agent 104 Export of Existing Configuration to ES Server You can export configuration from the local computer to Dr Web Enterprise Server automatically when Dr Web Agent is operating in the Enterprise mode To export configuration use the command line parameter export config or e A You must specify the name of the component DAEMON MAILD Example Sbin_dir drweb agent export config MAILD Starting the System To start the system 1 In Dr Web Control Center open Dr Web Monitor settings and select the Daemon and Maild check boxes to start the corresponding components 2 Start Dr Web Monitor on the local computer For Linux and Solaris etc init d drweb monitor start For FreeBSD usr local etc rc d 00 drweb monitor sh start Integration with Dr Web ESS 10 Dr Web for UNIX mail servers 6 0 2 includes two versions of the Dr Web Agent e Dr Web Agent implemented as drweb agent module in enterprise mode can interact only with Dr Web ESS server version 6 e Dr Web Agent implemented as drweb agent10 module in enterprise mode can interact only with Dr Web
458. nd among home users from all over the world and in government enterprises small companies and nationwide corporations Dr Web antivirus solutions are well known since 1992 for continuing excellence in malware detection and compliance with international information security standards State certificates and awards received by the Dr Web solutions as well as the globally widespread use of our products are the best evidence of exceptional trust to the company products We thank all our customers for their support and devotion to the Dr Web products A N T A A v A Y Table of Contents Introduction Terms and Abbreviations System Requirements Compatibility with Linux Distributions Package File Location Configuration Files Logging Allowed Actions Installation and Deinstallation Installation from Distribution Package for UNIX Systems Using GUI Installer Using Console Installer Removing Distribution Package for UNIX Systems Using GUI Uninstaller Using Console Uninstaller Installing from Native Packages Configuration Scripts Starting Dr Web for UNIX mail servers For Linux and Solaris OS For FreeBSD OS Configuring SeLinux Security Policies Registration Procedure Dr Web Command Line Scanner Running Dr Web Scanner Command Line Parameters Configuration Exit Codes Dr Web Daemon Command Line Parameters Running Dr Web Daemon Dr Web Daemon Testing and Diagnostics Scan Modes Processed Signals 12 15 17 18 19 20 23
459. nd is equal to the if found command except for the fact that if score checks only the score and does not check presence of selected elements that is this command ignores results of the previous selection The lt op value gt argument must be specified on a single line without space characters that is lt 100 but not lt 100 It must consist of a symbol of comparison and an integer value For if score the following comparisons are available e if score lt N f score is less than N e if score gt N f score is bigger than N e if score N f score equals to N N argument can be a 32 bit integer value in the range 2 b to 2 b You should also consider that score can get too large value that exceeds the limit and thus causes incorrect operation of plug ins processing the message Thus it is recommended not to set an unreasonably large value to score for example do not set 2 000 000 000 Jump statements e goto N unconditionally jump forward N commands in the action list e goto y N if the condition is true jump forward N commands in the action list if the set of elements is not empty e goto n N if the condition is true jump forward N commands in the action list if the set of elements is not empty The argument denotes a number of commands to be skipped To specify the argument use a positive integer Examples GlobalRules select mime headers Subject word1 word2 wordN if found notify rule qua
460. nded diagnostics For TCP socket drwebdc nHOSTNAME pPORTNUM sv sb v For UNIX socket drwebdc uSOCKETFILE sv sb v Ta ww ys Dr Web Daemon 72 More detailed report can help to identify the problem dwlib fd connect failed Connection refused dwlib tcp connecting to 127 0 0 1 3300 failed dwlib cannot create connection with a DrWeb daemon ERROR cannot retrieve daemon version Error 12 You can test Dr Web Daemon with the special eicar com program included in the installation package Use any text editor to transform readme eicar into eicar com see instructions within the file For TCP socket drwebdc n lt HOST gt p lt PORT gt eicar com For UNIX socket drwebde u lt SOCKETFILE gt eicar com The following result are output Results daemon return code 0x20 known virus is found If the results were not output check Dr Web Daemon log file to see whether the file was scanned If the file was not scanned run extended diagnostic see above If file was scanned successfully Dr Web Daemon is fully operational A When scanning very large archives some issues with timeout expiration may occur To fix this increase values of the FileTimeout and SocketTimeout parameters Please note that Dr Web Daemon cannot scan files larger than 2 Gbytes Such files will not be sent for scanning Scan Modes Dr Web Daemon has two scan modes e scan of chunks received from the s
461. nding of SIGHUP signal to Dr Web Monitor the signal makes Sender reread its configuration but also restart of CGP mail system which runs Receiver and makes the component reread the changed parameter value Default value UseSecureHash No Content of Xx DrWeb Hash header An arbitrary string of symbols not less then 10 symbols can be used as the parameter value For better security it is strongly recommended to change the default parameter value Default value SecureHash EDIT THIS v Thread pool settings Default value PoolOptions auto Directory where drweb cgp sender module submits messages for CommuniGate Pro MTA to send them Default value SubmitDir var CommuniGate Submitted Permissions for created notifications or saved messages Default value SubmitFilesMode 0600 Prefix for file names of submitted messages File name format SubmitDir SubmitFilenamesPrefix XXXXXX It is possible to use s macro which is replaced with a message identifier given to the message by CommuniGate Pro MTA and based on the file name Usage of this macro can simplify log file Ta J 1 aX Dr Web MailD 190 analysis Default value SubmitFilenamesPrefix drweb submit s_ SubmitFilenamesMode std tai Naming convention for files of submitted messages zanda e std renaming files with mks temp command drweb submit XXXXXX template is used e Tai renaming files accord
462. nerated by Dr Web MailD after all attempts to send a message failed and by the integrated MTA if timeout for message processing expired Thus the sender can receive two Ta 1 ax Router Lookup Dr Web MailD DNS about the problem from Dr Web MailD and from MTA DSN is transmitted to Sender for delivery if it cannot be transmitted directly to MTA for example when the domain name in the sender address is not full and the return code cannot be transmitted to Receiver Default value SendDSN No Message routing rules depending on recipients when the suite operates in SMTP LMTP proxy mode Messages addressed to different recipients can be sent via different routes In this parameter you can specify addresses for sending messages to different domains Parameter values are specified in DOMAIN ADDRESS format where e DOMAIN is a string that must be included in receiver envelopes Envelope has lt user host gt format Case insensitive partial match is searched For example if localhost substring is searched lt test localhost gt and lt yy localhost localdomain gt envelopes matches it and if localhost gt substring is searched only lt test localhost gt envelope matches e ADDRESS is an address where a message is sent to if DOMAIN substring is found in the envelope ADDRESS format is similar to the one of the Address parameter in this configuration file It is possible to specify several ema
463. nformation on the command line parameters to the console and exit y version Description Output information on the utility version and exit level lt verbosity level gt Description Set the logging verbosity level The following levels are available Quiet Error Alert Info Debug il ipc level lt verbosity level gt Description Set the verbosity level for IPC records interaction with drweb maild The following levels are available Quiet Error Alert Info Debug gyslog acility lt syslog lacs Description Set the subsystem type used by syslog service for message output if this service is used for logging see the next parameter description The following types are available Daemon Mail tocalo saan Trocal log filename lt file name gt Description Set the name of the log file or syslog if the syslog service is to be used for logging a agent lt file path gt Description Set the path to the Dr Web Agent socket to receive configuration by default if the parameter is not specified the var dir ipc agent path is used If the switch is specified without a path configuration from Dr Web Agent is not requested AE timeout lt time period gt Description Set the maximum allowed time to wait for response from Dr Web Agent when requesting configuration g query lt searched string gt Description String that is a search object If the is specified the utility reads a sear
464. ng messages and set timeouts for command execution and message processing by Dr Web Daemon component and plug ins Note that Dr Web Console for UNIX mail servers does not allow management of stalled messages that reside in the out failed directory for details on stalled messages refer to the description of the Sender parameters For detection of such messages review the directory If it contains such messages you can send it to its recipients by the means of drweb inject utility or delete them using standard OS tools Dr Web Console for UNIX mail servers um Configuration 2S ES eS Sa Eee Ee ee Callback pool settings Current values auto O minimum block minimum allow a maximum allow a timeout block days hd stack_size allow a b a loglevel info z stat no m Listen address inet 5200 0 0 0 0 gt allow admin Dr Web I Dr Web Web In Web MailD is running Settings of auxiliary thread pool more gt gt A list of socket addresses used to receive requests from clients more gt gt allow admin Client TLS settings TLS SSL settings for client communications over IMAP more gt gt Server TLS settings TLS SSL settings for server communications over IMAP more gt gt Server address Address used by the filter to connect to IMAP
465. ng the desired result update the hardware increase RAM memory and number of available CPU cores As a temporary solution you can define the DW_FORCE_EXIT environmental variable set any value In this case Dr Web Monitor does not send notifications to the administrator if the components stop responding upon their shutdown and terminates operation of the whole complex and after that shuts down used for compatibility with earlier Dr Web MailD versions Description On Dr Web MailD startup Dr Web Monitor abnormally terminates MailD core operation and send an email notification to the administrator The record in the Dr Web Monitor log is as follows for example monitor DEBUG DEBUG component drweb maild not answer monitor DEBUG Component stopPid drweb maild lt comp name drweb maild argv local var drweb ipc agent start 120 stop 30 log 2 user drweb drweb fd 1 pid 7194 gt monitor DEBUG kill TERM pid 7194 name drweb maild Solution The error occurs because MailD core creates too many threads and the component requires more time to start than it is specified in Dr Web Monitor startup settings To solve the problem e Restrict the minimum number of active threads in MailD core pools It is strongly recommended to do the following in order to provide stable operation of the software suite Ta J 1 aX Dr Web MailD e Estimate the amount of mail traffic at peak usage time
466. ning timeout specified in the plug in settings the Timeout parameter is too large MailD core and Notifier components return an error and Dr Web Monitor component restarts these components and send a notification email message to the administrator The record in Dr Web Monitor log file is as follows for example monitor ERROR component drweb maild terminated by signal 6 Aborted monitor DEBUG component drweb maild cannot stop monitor DEBUG send notification From lt email address gt 012To lt email address gt Command usr sbin sendmail t Solution The error occurs because MailD core and Notifier components create a large number of active threads for traffic processing and upon receipt of SIGHUP signal the threads are not able to terminate correctly during a time period specified in the MaxTimeoutForThreadActivity parameter value That is a sign that the hardware and software complex which is processing mail traffic is overloaded at least at traffic peaks To solve the problem e Increase timeout value in the MaxTimeoutForThreadActivity parameter or limit the number of active threads in pools of these components It is strongly recommended to take the following actions for stable operation of the software suite e Estimate the volume of processed traffic at its peaks for that purpose use log files and statistics e Optimize usage of Dr Web MailD system resources e If optimization is not possible or it does not bri
467. nique id id2 component drweb receiver2 section Receiver2 drweb sender unique id id2 component drweb sender2 section Sender2 To create a new copy of conf file requires more effort but allows adjustment of different section settings e create a copy of original conf file and adjust parameters it is not required to rename the sections Ta J i ax Dr Web MailD e create a new amc file that contains only information on the new component You must also specify the path to the new conf configuration file created on a previous step e start or restart Dr Web Agent to enable it to read the new configuration e start the new component with the following command line parameters unique id component Example drweb receiver unique id id2 component drweb receiver2 drweb sender unique id id2 component drweb sender2 Dr Web Monitor can be configured to use new components for both ways of initialization To do that add the corresponding lines about new components startup to the mmc file of Dr Web MailD Detailed description of mmc file syntax is provided above in the Dr Web Monitor description Optimizing Operation and Use of System Resources Thread pool control As Dr Web MailD modules use multithread model when receiving processing or delivering a message each of the modules create a certain number of processing threads The more mail traffic is to be processed and the more m
468. note that submit cf and submit mc files are read only by default so you must change access permissions providing write access before making any changes to these files Moreover you must add nobodyreturn value to the O PrivacyOptions parameter Ta yan A A Y Dr Web MailD 337 Example privacy flags O PrivacyOptions goaway noetrn nobodyreturn Or in sendmail_src cf cf feature msp m4 define confPRIVACY FLAGS goaway noetrn nobodyreturn restrictgrun If the filter is not available you can enable the following flags F e R fail to deliver e T delay delivery If neither F R nor F T is specified the message is passed without check You may also add the following lines to sendmail mc For versions 8 14 0 and later INPUT MAIL FILTER drweb milter S ADDRESS _ F T T C 1m S 5m R 5m E 1h define confMILTER LOG LEVEL 6 Timeout must be set according to the values of timeouts specified for Sendmail O Timeout datablock xXX the default value is 1 hour xx gt 1h After you make changes to sendmail cf configuration file recompile it __ ADDRESS ___ String is a string that specifies the address of transport used to connect to drweb milter The string format and value are the same as those used in the Address parameter from the Milter section of the Dr Web MailD configuration file For TCP sockets address must be specified in the following format inet P
469. nse expiration virus databases obsolescence etc Default value MailTo Ta J i ax Dr Web Updater Dr Web Updater You can use Dr Web Updater to enable automatic updates of virus databases and content specific black and white lists of Internet resources for Dr Web for UNIX mail servers Dr Web Updater is implemented as a console script update pl written in Perl and you can find the module in the directory with Dr Web for UNIX mail servers executable files Dr Web Updater requires installed Perl 5 8 0 or later Dr Web Updater settings are located in the Updater section of the drweb32 ini configuration file in Setc_ dir directory To use an alternative configuration file specify the full path to it with a command line parameter on the startup To run the script use the following command sbin dir update pl parameters For details on allowed parameters see Command Line Parameters In the standard mode updates are downloaded and installed automatically under the drweb user Do not start updating under the root superuser as this results in changing the ownership of updated files to root superuser and may cause an error on attempt to update them automatically in the future Updating Anti Virus and Virus Databases To provide reliable protection Dr Web for UNIX mail servers requires regular updates to virus databases Dr Web for UNIX mail servers virus databases are stored as files with the vdb extension Upd
470. nsfer Systems This chapter provides you with information on features of Dr Web for UNIX mail servers integration with different mail transfer systems Three methods of Dr Web for UNIX mail servers integration are available They are shown in the following picture the fourth integration method presented in the picture is combined MTA MTA Dr Web MTA MDA MailD SMTP Milter Native MTA MDA MTA mail POP3 IMAP filter MUA MUA MTA MTA SMTP Milter Native Dr Web POP3IMAP ee POP3 IMAP POP3 IMAP proxy Combined MUA MUA Picture 20 Methods to integrate Dr Web for UNIX mail servers with mail systems Note that all methods to integrate Dr Web for UNIX mail servers directly with mail systems use only only components mail processing Dr Web MailD 1 SMTP LMTP proxy integration Basic integration method which is universal and applicable to all cases It is suitable for integration with any MTA as the method uses only standard mail protocols SMTP LMTP In this case Dr Web MailD is a proxy between an external MTA which sends mail correspondence to the server and an internal MTA MDA which is responsible for further storage of checked email messages and interaction with recipients MUA or transmitting messages to other mail systems When required you can also use this mode in order to organize checking of messages in SMTP Callback mode note that for this the additional settings are required
471. nsmitting messages for checking options to drweb maild Threads in the pool receive check requests from drweb proxy client create a unique ID for this message and pass the message to the drweb maild for checking After the check is finished drweb proxy client receives the original or modified message Default value ReceiverPoolOptions auto SenderPoolOptions pool Settings for a pool of threads transmitting messages to drweb options proxy client to send them via the Sender component Threads in a pool accept requests sending messages from various components and then transmit these requests for processing to drweb proxy client Processing results are returned to components which requested sending of a message Default value SenderPoolSettings auto Statistics During Dr Web MailD operation statistics of the following two types can be gathered e General statistics e Statistics on blocked messages General statistics contains information on general performance of the Dr Web software for the specified period number and size of checked messages number of messages detected as spam and so on Statistics on blocked messages contains information on certain messages where malicious content was detected All statistics is saved to the internal database of Dr Web for UNIX mail servers General statistics is collected in the internal cache and saved to the database every 5 minutes Statistics on blocked messages is saved di
472. nt var _dir msgs and Svar _dir infected directories to the tmpfs file system with the following command mount t tmpfs tmpfs lt directory gt where lt directory gt mounted directory Mount directories to the tmpfs file system with caution Note the following information e The system must have sufficient RAM memory e If power loss occurs both external queues and content of Quarantine will be lost For all parameters that contain Lookup use Lookup to files file rfile regular expressions regex or lists as contacting external DBMS and LDAP while processing each message considerably reduces processing speed and success of the processing depends on stability of connection to DBMS and or LDAP server Set the value of the MoveAll parameter in the Quarantine section to No especially if var dir msgs and var_dir infected are not mounted to tmpfs Set the value of the SyncMode parameter in the MailBase section to No Increase the memory available for the internal DB For that purpose increase the MaxPoolSize parameter value in the MailBase section which reduces the number of disk access requests Disable use of statistics and reports by setting the following parameter values Detail off and Send no in the Stat section and Reports section respectively Configure logging to files instead of syslog Specify protected networks and domains as a list in the ProtectedNetworks and ProtectedDomains parameter values
473. ntine between the midnight of the previous day and the midnight of the current day o this week select all messages moved to Quarantine for the current week 363 Dr Web Console for UNIX mail servers 364 o this month select all messages moved to Quarantine for the current month o custom period select all messages for an arbitrary time period You can use the calendar to specify boundaries of the required period December 2009 January 2010 4 February 2010 wk Mo Tu We Th Fr Sa Su wk Mo Tu YWYe Th Fr Sa Su wk Mo Tu We Th Fr Sa Su Dr Sy ER tse a ME a IG aed e ae a et Ta le 15 16 T7 15 16 1 18 1972072 18 19 20 27 22 23 24 22 23 24 25 26 27 28 25 26 27 28 29 30 31 ior T T e e S R S 8 91011 12 13 3 5 1 2 3 4 5 Figure 32 Calendar Calendar window opens automatically after you select the custom period option from the drop down menu or when you click the button Specify the boundaries of the required time period and click OK After the calendar window closes the selected boundary values will appear in the corresponding fields You can also specify the exact time value or time interval for the message search A If you specify the time interval only those messages will be selected which were moved to Quarantine during the specified time period including the boundaries So if you want to select messages received at a certain time specify the same time values as period boundaries in the corresp
474. number if TCP socket is enabled by the Socket parameter If more than one Socket parameter is specified this file contains information on all the sockets one per line This file is created every time Dr Web Daemon starts Default value PidFile var_dir run drwebd pid File where Dr Web Daemon busy flag is stored This file is created by a Dr Web Daemon child process upon receipt of the scan command and is removed after successful command execution Filenames created by each Dr Web Daemon child process are appended by a dot and ASCII representation of the PID for example var run drwebd bsy 123456 Default value BusyFile var_dir run drwebd bsy Settings of dynamic process pool At first specify the number of processes in the pool e auto number of processes is set automatically depending on system load e N nonnegative integer Pool will have at least N active processes additional processes will be created if necessary e N M positive integer M gt N The pool will have at least N active processes additional processes will be created if necessary but maximum total number of processes cannot exceed M Then specify optional secondary parameters e timeout time in seconds timeout for closing an inactive process This parameter does not affect the first N processes which wait for requests indefinitely e stat yes no statistics on processes in a pool If yes it is saved to the log f
475. number of objects is output Depends on the RP_NAMES macro value Number of senders included in the statistics on blocked objects If the macro value is 0 senders of blocked objects are not output If the value is set to 1 all senders of blocked objects are output In other cases the specified number of senders is output Depends on the RP_NAMES macro value The number of IP addresses included in the statistics on blocked objects If the value is 0 no IP address is output If the value is set to 1 all IP addresses are output In other cases the specified number of IP addresses is output Depends on the RP_NAMES macro value Total size of messages for which the plug in specified in the RP_ NAMES macro applied the tempfail action Number of messages for which the plug in specified in the SRP NAMES macro applied the pass action Number of messages for which the plug in specified macro applied the reject action n the RP_NAMES Number of messages for which the plug in specified macro applied the discard action n the RP_NAMES Number of messages for which the plug in specified macro applied the tempfail action n the RP_NAMES Number of messages for which the plug in specified macro applied reject or tempfail action n the RP_NAMES Number of messages for which the plug in specified macro applied the quarantine action n the RP_NAMES Number of messages for which the plug in specified macro applied the
476. o 0 By default the ReputationIPFilter parameter value is set to score filter and therefore an IP filter is enabled and IP addresses are filtered according to the average score assigned to all messages and sessions from these IP addresses see below All information on IP addresses is stored in RAM and saved to files when the drweb receiver 259 Ta J i ax Dr Web MailD process terminates File reading occurs only on drweb receiver startup Files are saved and loaded only if at least one filter is specified in the ReputationIPFilter parameter If no IP connection is established information cannot be gathered and saved Information on the connections is saved to ipv4 bin and ipv6 bin files for IPv4 and IPv6 addresses respectively to the directory specified in the BaseDir parameter from the General section If an error occurs during file saving or reading the error is logged Data saved to these files is binary and depends on the operating system thus it is not recommended to use these files on another system Reputation IP Filter checks an IP address immediately after check of SessionRestrictions if the address is not marked as trusted for details on Restrictions and trusted flag refer to the description of the Receiver section Thus if it is necessary to prevent block of a certain IP address by Reputation IP Filter mark this address as trusted in the SessionRestrictions parameter If an IP address was mistakenly
477. o large time required to start the component can exceed the StartTimeout parameter value specified in the Dr Web Monitor settings for the component startup In this case Dr Web Monitor abnormally terminates operation of both the component and the whole Dr Web MailD software suite on startup Similarly if too large number is specified as t_ max value maximum number of threads in a pool errors can occur on termination of Dr Web MailD suite when the period required for its components to shut down exceeds the timeout value In this case operation of the suite is terminated abnormally by Dr Web Monitor It is not recommended to increase the maximum limit of threads as a reserve because if that number is too large about 1000 for drweb receiver and drweb sender modules and about 2000 for others that may cause a delay in creation of new threads and lead to time out errors while message processing Such situation can cause processing errors and message loss If so decrease the number of threads If it is impossible do the following 1 Increase the time out value of the IPC subsystem controlled by the IpcTimeout parameter in the General section for example to 10 minutes 2 Increase the maximum allowed time to wait a thread to close which is used on Dr Web MailD startup and shutdown controlled by the MaxTimeoutForThreadActivity parameter in the General section for example to 3 minutes 3 Increase the time out value to wait Dr
478. ocket remote scan mode e scan of files on the disk local scan mode In the remote scan mode client sends data to be scanned to Dr Web Daemon through a socket Dr Web Daemon can scan both anonymous memory and memory mapped objects with only one difference in logging This mode enables scanning of files without read access but is less efficient than the local scan mode Local scan mode is easier to use and provides better performance since client sends to Dr Web Daemon only a file path instead of the file For the reason that clients can be located on different computers the path must be specified in relation to the actual location of Dr Web Daemon Local scan mode requires careful configuration of user privileges Dr Web Daemon must have read access to each file that is to be scanned To perform Cure and Delete actions to files in mailboxes you must also permit write access Usage of Dr Web Daemon with mail servers requires special attention because mail filters usually work as the mail system and use its privileges In the local scan mode a mail filter usually creates a file with the message received from the mail system and provides Dr Web Daemon a path to it At this Ta J i ax Dr Web Daemon 73 step carefully specify access permissions to the directory for filters to create appropriate files We recommend either to include a user whose privileges are used by Dr Web Daemon into the mail subsystem group or run Dr Web Dae
479. od of integration with MTA selected during Dr Web MailD installation and adjustment Full list of the modules and their roles Sender Receiver in terms of Dr Web MailD is provided in the Used Modules section Dr Web Notifier Dr Web Monitor and Dr Web Agent components are working on each host General operation scheme with the use of a proxy is as follows N 2 M 3 MTA MTA MTA iver oaa Server1 A A Noe Proxy server Proxy server Proxy server MailD core MailD core MailD core Dr Web cluster for UNIX mail servers Figure 18 Diagram of Dr Web MailD operation using a proxy As it appears from the scheme both Proxy client and Proxy server can interact with an arbitrary number of complementary components residing on different hosts This is implemented using a special balance system A certain weight is assigned to each socket address specified in a value of the ProxyServersAddresses Or ProxyClientsAddresses parameters from the ProxyClient and ProxyServer sections respectively So addresses are specified in the following format ADDRESS1 WEIGHT1 ADDRESS2 WEIGHT2 where ADDRESS has a basic address type and WEIGHT is an optional numeric value from a range of 0 to 100 defining a weight of this address This WETGHT determines a relative work load on a certain host in the network The greater the value is specified the greater the load is on a certain server The ProxyServersAd
480. of message processing or Rules that override their parameter values are specified it is recommended to assign the plug ins to the AfterQueueFilters queue if Dr Web MailD operates as the SMTP LMTP proxy If Dr Web MailD is integrated with any MTA assign all plug ins to the BeforeQueueFilters queue but increase the IPC timeout value IPCTimeout parameter from the General section in the configuration file If these plug ins are not used for message processing it is recommended to remove them from all of the queues in the Filters section In both modes if a message is not rejected i e if discard reject or tempfail actions were not applied to it it is transmitted to the Sender component for delivery to the recipient When transmitted in the synchronous mode the message is also synchronously sent that is Receiver waits either for sending results from the Sender component or time out occurrence Time out is used to ensure the correct interaction with external MTAs Please note that best modes for Dr Web MailD operation depend on e type and intensity of processed mail traffic e MTA integrated with Dr Web MailD e method of interaction with the integrated MTA Thus before you change the default settings please read the description of integration with the selected MTA in the corresponding part of this Manual Features of interaction between Receiver MailD core and Sender in different modes 1 Time limit of Receiver and MailD cor
481. of 755 Note that Dr Web Console for UNIX mail servers does not allow management of stalled messages that reside in the out failed directory for details on stalled messages refer to the description of the Sender parameters For detection of such messages review the directory If it contains such messages you can send it to its recipients by the means of drweb inject utility or delete them using standard OS tools Toolbar Toolbar items except for the e Report spam button become active when a quarantined message is selected from the list Total messages selected 2 T st Sender Recipient Subject r yo yo anonhost test maildesk With a big stick you will be the king ofthe beach K yo yo anonhost test maildesk Give us a call to get a diploma K yoyoganonhost test maildesk OAHHOHECTEO SAKOHHNOCE T yoyo anonhost test maildesk Npeanoxenne no pexname O i yo yo anonhost test maildesk 15 axuy S40 Fpynn npeanpuarni OCT npogam r yo yo anonhost test maildesk AOkyMEHTbI ANA npekpawenna Aoropopa 5 yo yo anonhost test maildesk noru r yo yo anonhost test maildesk Doctorate degree can be yours O yoyo anonhost test maildesk Homenxnatypa gen oTfena Kaqpoe O yo yo anonhost test maildesk Oprah certified wieght loss solution Acai Berri Dale a 28 04 10 12 27 28 0410 12 27 28 0410 12 27 2810410 12 27 28 0410 12 27 28 0410 12 27 28104110 12 27 28 04 10 12 27 28 04 10 12 27 28104110 12 27 9820
482. of message processing by the plug in It is strongly recommended to use the auto mode that is specified by default The local mode can be used only if the scanning Dr Web Daemon operates on the local host it is determined by the address type specified in the Address parameter If at least one of the addresses is remote it is not recommended to set ScanType local Important If the ScanType parameter has local or auto value then setting ScanFiles ByType in the Dr Web Daemon settings causes Dr Web Daemon to pass email messages without any check Default value ScanType auto R Heuristic analyzer allows Dr Web Daemon to detect unknown HeuristicAnalysis viruses ogi ea When Heuristic analyzer is disabled only known viruses information on which is stored in virus databases is detected Enabling of Heuristic analyzer can result in emergence of false alarms because of the similarity between operation of a legitimate program and virus activity Usage of Heuristic analyzer can also slightly increase scan time Default value HeuristicAnalysis Yes If the values is set to Yes a socket with the enabled TCP_NODELAY TCP_NODELAY parameter will be created ea Do not change the default parameter value No if you do not have network problems Default value TCP_NODELAY No R Maximum size of Dr Web Daemon log file pace ae 7 When ReportMaxSize 0 log file size is not limited It is not recommended to set t
483. of the modules if configuration file parameters are ill defined e If any parameter value is incorrect the respective Dr Web for UNIX mail servers module outputs an error message and terminates e If any unknown parameter is found when loading a configuration file Dr Web for UNIX mail servers logs the corresponding message and continues operation in the normal mode A Some parameters can use regular expressions as values that is mentioned in the description of the corresponding parameter Regular expression syntax of Perl is used by default For information on regular expressions see a corresponding article for example on the Wikipedia website Regular expressions article Logging All Dr Web for UNIX mail servers components keep records about their operation in the logs You can set a log mode for each component output of information into the file or to syslog You can also select a log verbosity level for example set high level of verbosity the Debug option or disable logging the Quiet option To set the verbosity level use the LogLevel parameter You can also specify additional parameters for certain plug ins to configure their verbosity log level for example keeping records of IPC subsystem operation is modified by the LPCLevel parameter If the LogLevel configuration parameter is not available for a plug in it is not allowed to adjust its log mode In this case the default log mode has a verbosity level similar to De
484. om Quarantine by the file identifier the only parameter is the identifier Example drweb qcontrol sql remove command DELETE FROM mail export WHERE filename LIKE 3 Message search The drweb qcontrol utility provides a simple interface for searching quarantined messages The following search criteria are available e search from address search by sender in a message envelope e search to address search by recipient in a message envelope e search headers header name value search in headers of the top level where header name is the name of the target header full compliance is required If value is not specified a header is searched only by its name Otherwise the value is searched within the headers as a substring Searched header name and its value are case insensitive e search inbody string performs a search of the specified substrings in the message body which is treated as a unit without MIME decoding Searched value is case insensitive Note that if special symbols are used in values of the search headers or search inbody parameters the symbols are to be escaped with a backslash Example drweb qcontrol search inbody stat Outputs statistics on email messages satisfying the specified criteria of search in the body Each of the criteria is checked independently that is they are combined in a disjunction OR Example drweb qcontrol s
485. ompression ratio exceeds the MaxCompressionRatio parameter value e size of packed object exceeds the MaxFileSizeToExtract parameter value e archive nesting level exceeds the MaxArchiveLevel parameter value All these restrictions are defined in Dr Web Daemon settings In addition to one mandatory action you can specify several optional actions Mandatory actions are pass remove discard reject Ta J 1 ax ScanningErrors actions R ProcessingErrors actions BlockByFilename actions Dr Web MailD 297 Optional actions are quarantine redirect notify add header score Default value ArchiveRestriction reject quarantine notify Actions to be applied to messages causing Dr Web Daemon errors during scan In addition to one mandatory action you can specify several optional actions Mandatory actions are pass remove discard reject tempfail Optional actions are quarantine redirect notify add header score Default value ScanningErrors reject quarantine Actions to be applied to messages causing Dr Web Daemon errors during scan In addition to one mandatory action you can specify several optional actions Mandatory actions are pass discard reject tempfail Optional actions are quarantine redirect notify add header score Default value ProcessingErrors reject Actions to be applied when one of regular expressions from the RegexsForCheckedFi
486. on operator use select message operator which selects a whole message and returns non empty result The required admin prefix and msg extension are substituted automatically by Dr Web Notifier tempfail notify the sender on server failure redirect redirect the message to the specified address quarantine move the message to Quarantine stop stop processing modification rules Action of the last performed command pass accept reject or another is applied to the message The accept command is the same as pass stop combination except for the fact that stop command stops full processing and accept stops only processing with local modification rules For global modification rules accept is equal to pass The reject discard and tempfail commands are resolving that is they stop message processing regardless of other commands specified in the modification rule 2 2 Actions applied to the selected mail elements These actions are applied only to content of selected elements unless otherwise specified e replace lt replacement expression gt lt regular expression to be replaced gt replace _all lt new text gt These actions replace text in the selected elements The old text must match the lt regular expression to be replaced gt and the new text is specified in lt replacement expression gt 317 Ta J i ax Dr Web MailD Example Search and renaming of executable files in attachments
487. oncrete module set is defined by the installed Dr Web for UNIX mail servers distribution kit and integrated mail system Dr Web MailD features Dr Web MailD uses a developed system of Message processing Rules that allows for advanced control of e email messages processing and their internal routing e statistics generating e sending notifications MailD notifications and DSN For mail processing rules and all Lookup configuration parameters you can use data retrieved from text files and relational databases using LDAP The following database management systems DBMS are supported e Oracle e MySQL PostgreSQL SQLite Firebird e CDB Berkeley Dr Web MailD can also use ODBC API to connect to any data source via the corresponding ODBC driver Work with each data source is made independently of others with the use of connection settings specified for this source only Mail processing rules and parameters of the Lookup type can simultaneously use data retrieved from different sources Dr Web MailD can also organize and use built in database of mail users and their groups where a mail user is a sender or recipient of a processed email message In the built in database you can specify mail processing rules for a specific user or a user group as well as rules for individual or group statistics gathering A Operations with the built in database are performed only via Interactive Management Interface To prevent s
488. onding fields e Size numerical value By default it is treated as a message size in bytes but you can set another unit KB or MB using the corresponding drop down list If this criterion is used only those messages are selected which size is greater than or equal to the specified value If the Size value is set to 0 this criterion is ignored when searching e Status reason why the message was moved to Quarantine The following statuses are available for filtering o virus message was considered infected by the virus and moved to Quarantine by Dr Web for UNIX mail servers anti virus module o Spam message was considered spam and moved to Quarantine by the Dr Web for UNIX mail servers anti spam module o rule message was sent to Quarantine according to the internal message processing rules o processing error an error emerged during processing of this message so it was moved to Quarantine After all selection criteria are specified click Apply To return to the defaults click Reset List of Messages If the Quarantine folder contains messages their list displays in tabular form on the Quarantine tab Ta J 1 aX Dr Web Console for UNIX mail servers Total messages selected 2 T st Senger Recipient Subject Date a Size I yo yo anonhost test maildesk With a big stick you will be the king ofthe beach 28 0410 12 27 2KB V yo yo anonhost test maildesk Give us a call to get a diploma 2
489. one to three additional actions for each parameter when configuring Dr Web MailD and its plug ins The main action is the first in the list When configuring Dr Web Scanner only one action can be specified Different parameters can have different available actions they are listed in each parameter description You can use the following actions when configuring the settings o Cure try to cure the infected object o Remove delete the infected object o Discard reject the email message without notifying the sender and delete the message o Continue ignore the problem and continue email message processing o Pass pass the email message to its recipient without further processing o Reject reject the email message delete it and notify the sender o Tempfail notify the sender that the email message cannot temporarily be delivered and delete the message 24 Ta J 1 ax Introduction The following additional actions are available o Quarantine move the email message to the Quarantine folder o Redirect address address redirect the email message to the address specified within the brackets If no address is specified the message is redirected according to the RedirectMail parameter value in the MailD section of Dr Web MailD configuration file You can specify several addresses separating them by the character o Notify send a report about detected threats message processing is not s
490. onfiguration on the Server1 host with the following command etc init d drweb monitor check for Linux and Solaris usr local etc rce d 00 drweb monitor sh check for FreeBSD If the configuration is correct you can restart Dr Web MailD and all the mail will be transferred for check to the Server2 11 You may also disable Dr Web Daemon and Dr Web Updater on the Server1 if there are no more Dr Web products on the system These modules are no longer necessary You can also apply this algorithm when m and or N are greater than 1 just connect additional hosts as it is described above and edit values of the corresponding parameters ProxyClientsAddresses from the ProxyServer section and ProxyServersAddresses from the ProxyClient section in the configuration files on those hosts Specify WEIGHT values for addresses with respect to their resources 273 Ta 2 1 ax Dr Web MailD Note the following operation aspect of the proxy server if Proxy client is functioning on several hosts and Receiver on one of these hosts has the ReturnReject No setting In this case if the proxy server rejects a message received from this client the server generates DSN and sends it to a randomly selected proxy client If it serves a subnetwork different to the one from where the message was transmitted the DSN might be not delivered to the message sender due to the address being unavailable from this subnetwork Thus it is recommend
491. ons pool options BaseDir path to directory SocketDirs path to directory time Timeout for the drweb courier module to wait for a message to be scanned It is recommended to set this parameter value greater than the value of the SendTimeout parameter from the MailBase section Default value ProcessingTimeout 40s Action applied to messages that caused scan errors Only one of these actions can be specified tempfail discard pass reject Default value ProcessingErrors reject Settings for a pool of threads that process requests Default value MainPoolOptions auto Settings for a pool of threads that process responses from the drweb maild module Default value ReplyPoolOptions auto Courier MTA installation directory Default value BaseDir usr lib courier List of paths used to create UNIX sockets for interaction with the Courier MTA UNIX socket is created in the first directory of the list other Ta i ax SocketAccess permissions CgpReceiver Section Dr Web MailD 188 directories are checked for UNIX sockets with the same names as the drweb courier module Such UNIX sockets are deleted when found In the current version this parameter cannot be changed with SIGHUP signal restart of Dr Web MailD is required Default value SocketDirs var lib courier allfilters var lib coprieor TLlrerg Permissions for UNIX socket files used for
492. open system call please refer to the corresponding documentation In the current version this parameter cannot be changed with SIGHUP signal restart of Dr Web MailD is required Default value Lib ConnectData Oracle connection parameters SEN i Tercio The following two formats are supported e USER PASSWORD CONNECTION Oracle syntax e DSN value UID value PWD value ODBC syntax To start working with Oracle specify DSN that references to the required database To see the rules of setting ConnectData value with the use of Oracle syntax refer to the notes under the table In addition it is recommended to use the connect timeout parameter in the ConnectData string this parameter specifies connection timeout The parameter value can also be locally overridden in a Lookup Default value ConnectData SizeLimit Maximum number of strings received in response to a single numerical value database query When the parameter value is set to 0 maximum number of received strings is not limited The parameter value can also be locally overridden in a Lookup Default value SizeLimit 0 SkipDomains List of domains for which query to database is not required LookupLit Ps EE This parameter often allows to improve total performance and considerably reduce server load Please note that the parameter value is LookupLite Ta J 1 ax Dr Web MailD 202 The parameter value can also be
493. open system call please refer to the corresponding dlopen documentation In the current version this parameter cannot be changed with SIGHUP signal restart of Dr Web MailD is required Default value Lib usr lib libodbc so ODBC connection parameters The following two formats are supported e USER PASSWORD DSN Oracle syntax e DSN value UID value PWD value ODBC syntax To start working with ODBC specify at least DSN In addition it is recommended to use the connect timeout parameter in ConnectData string this parameter specifies wait time for the connection to be established This parameter value can also be locally overridden in a Lookup Default value ConnectData Maximum number of strings received in response to a single database request When parameter value is set to 0 maximum number of received strings is not limited This parameter value can also be locally overridden in a Lookup Default value SizeLimit 0 List of domains for which query to database is not required This parameter often allows to improve total performance and considerably reduce server load Please note that the parameter value is LookupLite This parameter value can also be locally overridden in a Lookup Default value SkipDomains Sets the mode of error handling errors that occur in Lookup when connecting to the specified data source Allowed modes e ignore ignore the error and continue message pro
494. ops regardless whether the required value is found or not According to the results the parameter value is determined in the following way e If the searched parameter is found in one matching Rule its value from the SETTINGS part is used note that when several Rules match the same parameter the resulting value depends on the parameter semantics For details see Message processing rules e If no Rule is specified no Rule is matching or no matching Rule contains the required parameter value it is retrieved from the corresponding section of the configuration file e If the parameter is not specified in the configuration file the default value is used Thus order of specifying user groups is important because it determines options to be applied to the given address If a message is sent to more than one recipient and for different recipients different values of the same parameter are specified one of the following is possible 1 The message is cloned and for each copy the corresponding parameter value is applied 2 If the parameter does not allow cloning the value is taken from user settings or global settings specified in the configuration file or the settings specified by default d When searching the value all the rules for a certain user or user group are viewed as a single list user rules are at the top of the list group rules at the end of it Thus when viewing the lists for different message recipients
495. or decreased to decrease a message score specify a negative number in the add_score command Example set_score 10 Sets a message score to 10 Example add_score 11 Increases a message score by 11 The score argument can be 32 bit number in the range 2 b to 2 b You should also consider that score can get too large value that exceeds the limit and thus causes incorrect operation of plug ins that are processing the message Thus it is recommended not to set an unreasonably large value to a score for example do not specify 2 000 000 000 as a parameter of an add_score action 2 4 Applicability of actions to different message objects Table 1 shows effects of actions depending on the selected objects they are applied to Ta J N T gt i 19 Dr Web MailD Table 1 Actions applied to selected elements of different types gt late SISi E Els v CT w _ x vo u c a v _ 9 olel ul eZiule2z 8 o s5 5 F i gt ta a lt o lt o v o 8 tl le 3 S J J T a ov a lt a v f Oo a i i SiS SF Ss 2S 2 3 3818 a a 8 8 3 3 2 2 2 e a a alalalaulal s 2 Sie ele mime headers i i 4 i i i 4 4 i4 mime prologue 4 4 4 i mime epilogue 4 4 4 4 mime body 4 te te e ey ef be oe st mime headers
496. or example if stored in a database table they must be of the following type Example test1 drweb com VadeRetro SubjectPrefix spam modifier localrules select message append text Some Text test2 drweb com headersfilter MissingHeader Date headersfilter MissingHeader From headersfilter MissingHeader To Also note that if SETTINGS part is specified in the Rule and CONDITIONS part contains Lookup that retrieves settings from a data source these settings are to be joined concatenated to the SETTINGS on the left first settings retrieved from the source are specified and then those which are set directly in the SETTINGS part of a Rule It is important to note in case of a conflict between different values of the same parameter inserted into the Rule from different sources 255 Ta J 1 ax Dr Web MailD 256 Example a Let us assume that a table in the database access to which is configured using ODBC is of the following type test1 drweb com modifier LocalRules select message append text text from DB b In the configuration file the following Rule is specified to odbc select Rules from table where Address s cont modifier LocalRules select message append text text from rule modifier LocalRules quarantine In this case when the Rule is matching the following SETTINGS are applied for the message sent to testl drweb com modifier LocalRules select mes
497. or handling If an error is found in the line with a Rule the error is logged and the Rule is ignored Moreover when Lookup is used the error is handled according to the OnError parameter value set for the data source or overridden directly in the Lookup Note that Lookup values and values of certain variables are not handled immediately they are parsed when they must be used Thus errors in these elements can be detected only during message processing when a Rule with an error is ignored Moreover if during rule analysis a Lookup expression returns incorrect results all the results are rejected and ignored even if some of the results are correct Rule validation To validate Rules run drweb maild module with special command line options that specify different properties of a message and the plug in outputs to console all the settings from the Rule that are to be applied to the message Available parameters are listed in the Command line parameters section the Module Specific Parameters subsection Example of a Rule validation command drweb maild auth Thu May 29 16 03 44 2009 3081324208 maild rules DEBUG notify Thu May 29 16 03 44 2009 3081324208 maild rules DEBUG all block Thu May 29 16 03 44 2009 3081324208 maild rules DEBUG archive from allow admin allow Thu May 29 16 03 44 2009 3081324208 maild rules DEBUG Thu May 29 16 03 44 2009 3081324208 maild rules
498. ore than one action can be specified in this parameter first action is mandatory others are optional Mandatory action can be one of the following pass discard reject tempfail Additional actions can be the following quarantine redirect notify add header score Default value LicenseLimit pass Actions applied to messages that have an empty From header An empty From header is typical when sending DSN they must have an empty FROM header to meet the protocol requirements spammers also often leave this header empty More than one action can be specified in this parameter first action is mandatory others are optional Mandatory action can be one of the following continue discard and reject Additional actions can be the following quarantine redirect add header score Default value EmptyFrom continue Action applied to messages which invoked errors during scanning Ta J N ax Dr Web MailD 146 ProcessingErrors More than one action can be specified in this parameter first actions action is mandatory others are optional Mandatory action can be one of the following pass discard reject tempfail Additional actions can be the following quarantine redirect notify add header score Please pay attention to the features of errors handling presented below Default value ProcessingErrors pass RulesLogLevel Log verbosity level for Rule processor
499. ot supported by drweb zmailer Example drweb maild t 30 local var_dir ipc agent This command starts Dr Web MailD with 30 seconds time out for receiving configuration from Dr Web Agent via the local var_dir ipc agent socket Module Specific Parameters Different modules of Dr Web MailD also support additional command line parameters that are specific for a certain module The exceptions are drweb notifier and drweb proxy client modules that can be used only with the parameters mentioned above 1 drweb maild The following command line parameters are specific for drweb maild and are used to check correctness of message processing Rules S sender lt mail address gt Description Sender s address from the message envelope F recipient lt mail address gt Description Recipient address from the message envelope To set several recipients specify the parameter several times 19 l9LOCIk lt object name gt Description Name of the blocking object found in the message for example virus name To set several blocking objects specify the parameter several times client ip lt IP address gt Description IP address of the client which sent the message server ip lt IP address gt Description IP address of the server interface that received the message elent POTE lt port number gt Description Port of a client from which the message was received server port lt port number gt Description
500. ot with the starting script but from the console e by wrapping the startup of drweb receiver into the script wrapper which sets the required value to this environment variable e by changing the start script for drweb monitor etc init d drweb monitor and adding the corresponding strings that change the system environment variable Note that in the last case the environment variable will be defined not only for drweb receiver but for all Dr Web processes run by Dr Web Monitor If that does not fix the problem leave the made changes and do the following e increase the ulimit n values e add or adjust if already exist the following lines in the etc systen file 65335 65335 set rlim fd max set rlim fd _ cur If this error occurs on other OS FreeBSD or Linux increase the limit by the number of file descriptors for the process user and increase the ulimit n values General recommendations on how to enhance performance To enhance performance on heavy load it is recommended to Use asynchronous mode of message processing that is assign the plug ins to the queues as follows BeforeQueueFilters headersfilter vaderetro AfterQueueFilters drweb modifer Ta 1 ax Dr Web MailD Plug ins assigned to BeforeQueueFilters queue can interact with drweb receiver module synchronically and process messages before they are moved to the database But if most of the messages have a large attachment or lar
501. other aliases an error is output but the execution continues If the same address is found more than once an the error is output Output format client idl emaill aliasl alias2 alias3 client id2 email2 alias21 alias22 alias23 e aliases set client email emails list set the list of aliases for email address specified in client email If client email does not exist or is alias an error is output If emails list is not specified all aliases related to client email are deleted If the list contains at least one registered address or alias for another address an error is output and the execution stops If client id is specified for the address in emails list it must match client id from client email address Otherwise an error is output If client id is not specified in emails list in alias the id is treated as equal to client id which is set in client email Commands for Group Management You can manage user groups with the following commands e groups set client group settings create or update the group with the group name set in client group If the group does not exist it will be created For parameters that are not specified in the settings their default values are used e groups remove client group remove the group with the group name specified in client group If the specified group does not exist an error is output For every user who is a member of the removed group it is deleted from the user gr
502. oup list e groups rename client group group rename the group specified in the first parameter to the name specified in the second parameter If the specified group does not exist or the group with the new name already exists an error is output and no action is taken e groups get rules group list receive the rules or settings for all groups from the group list list If a group from group list does not exist an error is output but the execution continues Output format client idl groupl 1 rulel 2 rule2 client id2 group2 ITs rules 2 rule22 e groups insert rule client group index RULE insert a new rule before the rule with the index ordinal number for a group with the group name specified in client group If the group with the specified name does not exist an error is output Numeration index starts with Ta J i ax Dr Web MailD 1 If the index value exceeds the maximum number of rules for the specified group the new RULE is added at the end of the rule list At that next ordinal number is assigned to the new rule aS index Example When adding a rule with the index 10 to the list consisting of only 2 rules the new one is added to the end of the list and index 3 is assigned to it If the index is less or equal to 0 an error is output If the RULE is empty that is the rule is not specified an error is output After successful modification the rules for the current group are ou
503. p For example if you start Dr Web Scanner with the following command drweb lt path gt ha heuristic analysis enabled by default will be disabled For the cu ic and sp parameters the negative form disables any action specified with additional modifiers that is information on detection of infected or suspicious object is logged but no action is performed to avert threats The al and ex parameters have no negative form but specifying one of them cancels actions of the other By default if Dr Web Scanner configuration is not customized and no parameters are specified Dr Web Scanner is started with the following parameters ar ha fl ml sd al ok 60 Ta J i ax Dr Web Command Line Scanner Default Dr Web Scanner parameters including scan of archives packed files files of email programs recursive search heuristic analysis and others are sufficient for everyday diagnostics and can be used in most typical cases You can also use hyphen postfix to disable required parameters as it is shown above with an example of heuristic analysis Disabling scanning of archives and packed files significantly decreases anti virus protection level because viruses are often distributed as archives especially self extracting ones attached to an email message Office documents are potentially susceptible to infection with macro viruses e g Word Excel and can also be dispatched via email within arc
504. pam distribution and DHA attacks Dr Web MailD features special technologies one that determines reputation of a client s IP addresses score management of both connection and message scores and SMTP restriction management that allows to filter a suspicious client at the connecting and mail transfer stage These technologies improve effectiveness of spam filtering and reduce load on the protected mail system When an email message is quarantined the sender or recipient can manage it using special contro email messages Control messages can be sent from the user s MUA in response to notifications on moving the message to Quarantine If volume and intensity of mail traffic is high Dr Web MailD allows organizing solution work in the cluster mode In this mode the program components are located on several servers with load distribution in order to increase performance To provide users with this option special proxy modules Proxy client and Proxy server are included in the solution The proxy modules provide transparent remote interaction of the Sender and Receiver components with MailD core Ta J i ax Dr Web MailD If required interaction with several MTA MDA can be provided due to the mechanism of simultaneous work of paired Sender and Receiver components at that the components can be of different types Message Processing Algorithm of mail processing 1 Receiver gets email messages from MTA and transmits them
505. pass_sasl_ authenticated SCORE During check A requests and sometimes MX requests are sent Recommendations on how to use reject _unknown_ domain together with other restrictions for this session stage are similar to the recommendations described above for SenderRestrictions Stage but they are actual for To field If the recipient s domain is neither in the RelayDomains list nor in the ProtectedDomains list see the Maild section mail sent to this address is blocked or if SCORE is specified an error is logged and the SCORE value is added to the message score If mail for subdomains of protected domains is also received that is the IncludeSubdomains parameter is set to Yes it is required to set both reject_unauth_ destination and reject_unknown_ domain restrictions on the RCPT stage Otherwise Dr Web MailD will receive messages for all subdomains of the protected domains even if these subdomains do not exist Checks if the recipient is in the ProtectedEmails list see below If the recipient s address is not in this list mail to this address is blocked If SCORE is specified an error is logged and the SCORE value is added to the message score It is recommended to use this action with anti_dha Reputation IP Filter Skip all other checks on this SMTP session stage if the client has successfully passed SASL authentication If SCORE is specified a client that has successfully passed SASL authentication is
506. path gt argument without any parameters specified it scans the specified directory using the default set of parameters for details see below The following example shows a command to check the user home directory bin dir drweb Once scanning completes Dr Web Scanner displays all detected threats infected and suspicious files in the following format path file infected virus VIRUS NAME After that Dr Web Scanner outputs summary report in the following format Report for aE e Scanned 34 32 Cured 0 Infected H 5 5 Removed 0 Modifications 0 0 Renamed 0 Suspicious 0 0 Moved 0 Scan time 00 00 02 Scan speed 5233 KB s Numbers separated by slash mean the following the first number total number of files the second one number of files in archives You can use readme eicar file included in the distribution package to test Dr Web Scanner Open this file in any text editor and follow the instructions from the file to transform it into eicar com program When you check the program with Dr Web Scanner the following message must be output sbin dir doc eicar com infected by Eicar Test File Not a Virus This program is not a virus and is used only for testing of anti virus software Dr Web Scanner has numerous command line parameters In accordance with UNIX conventions the parameters are separated from a path by a space character and start with a hyphen To get a full list of paramete
507. pdating Process This file is signed by Doctor Web and must not be modified by a user The file is updated automatically Default value DrlFile var_ dir bases update drl Ta yan A A Dr Web Updater 89 CustomDrlFile Path to the file dr1 with the alternative list of Dr Web GUS peth to fiile servers Dr Web Updater also selects a server from this list in random order to download updates For details on downloading updates see Updating Process This file is signed by Doctor Web and must not be modified by a user It is updated automatically Default value CustomDrlFile svar dir bases custom dr1l FallbackToDrl Allows using the file specified by Dr1File when connection to logical one of the servers listed in CustomDr1File failed If the parameter value is No the file specified in Dr1File is not used If the file specified in CustomDr1File does not exist the file specified in Dr1File is used regardless of the FallbackToDr1l parameter value For details on downloading updates see Updating Process Default value FallbackToDrl Yes DrlDir Path to the directory that contains dr1 files with lists of Dr Web path to directory GUS servers for each plug in These files are signed by Doctor Web and must not be modified by a user Default value DrlDir bvar dir drl Timeout Maximum wait time for downloading updates from the selected numerical value Dr Web GUS server in seconds
508. pecial Parameter Types This chapter provides you with detailed description of the following special parameter types e TLS SSL settings TLSSettings settings for connection secured using the TLS and SSL protocols e Thread pool settings pool options settings of a thread pool For description of the Lookup LookupLite and Storage special parameters see Lookup TLS SSL settings TLSSettings Settings for connection secured using the TLS and SSL cryptographic protocols Settings are defined as a sequence of PARAMETER VALUE pairs separated by commas File path specified as VALUE is case sensitive because it is a convention for UNIX like systems The current version supports the following settings o use_sslv2 yes no enable or disable use of the SSLv2 protocol By default the use of SSLv2 is disabled because this protocol is insecure o use_sslv3 yes no enable or disable use of the SSLv3 protocol SSLv3 is enabled by default o use_tlsv1l yes no enable or disable use of the TLSv1 protocol TLSv1 is enabled by default o private_key file path to the file absolute path to a private key file The key must be specified in the PEM format Key encryption is supported The parameter is required for server configuration Default parameter value is not set o private_key password string password for the key specified in the private_key file parameter Default parameter value is not set
509. pecified in the BusyTimeout parameter As a result the process is aborted with the following error Database is locked Avoid using GUI for SQLite as graphical interface can lock the databases for future use If an external process locked the database for a long time statistics export errors can occur A conflict may also occur if Dr Web MailD is configured to export different types of statistics into the same SQLite database file and the specified time is too small If the SQLite database that provides settings for several parameters using Lookup of sqlite type was not accessible over a period of time and then connection to the database was reestablished it is necessary to send a SIGHUP signal to drweb maild module in order to reconnect Dr Web MailD and SQLite Firebird Section In the Firebird section settings for interaction between Dr Web MailD and Firebird database are specified Host Firebird database hostname hostname Default value Host localhost Database Name of the Firebird database string 2 Default value Database User Firebird database user name string s Default value User Password Firebird database password string 2 Default value Password Charset Firebird character set string 2 Default value Charset us ascii SizeLimit Maximum number of strings received in response to a single integer database request When the parameter value is set to 0 maximum numb
510. pecifying a rule see Rules of message processing Parameters that must be used for processing of a certain message are searched downwards according to the order they are specified in the Rules section Thus the order you set them is important more specific rules must be mentioned before more general rules for details see Message processing If specified Rules are associated with users that is they have sender s or recipient s email addresses as a condition and number of users with individual rules is high using of the rules for setting specific processing parameters is ineffective as complexity of search is proportional to the number of the Rules Therefore it is recommended to store individual user settings in the local database In this case search of true rules is performed more effectively and moreover memory usage is optimized Parameter values that are frequently used in Message processing rules SETTINGS part can be organized into named groups Each of the groups with lt NAME gt name is present in the main Dr Web MailD configuration file as a section Rule lt NAME gt Note that all sections with named setting groups must be specified above the Rules section ew N a add Stat Section Dr Web MailD In the Stat section parameters of gathering statistics on Dr Web MailD operation are specified Detail tore low medium high Send elognac ala SendPeriod time Ti
511. put Information for each group is separated with a new line If the symbol is specified instead of tag information on all tags is output Output format client idl groupl tag info client id2 group2 tag2 info2 groups set custom tag client group info setting of the info text connected with the tag for client group group If the group is not found an error is output If info is 226 Ta J i ax Dr Web MailD not specified the tag with all the information related to it is deleted Working with Quarantine You can manage Quarantine via the control socket using special commands In these commands the following common notions are used e id relative path from the directory specified in the Path parameter in the Quarantine section to the file with the text body For example if the Path parameter value in the Quarantine section is var drweb infected default value then lt id gt drweb E 00020EBE maild xeAX4u path refers to the message which body is located in the fie var drweb infected lt id gt drweb E 00020EBE maild xeAX4u where o lt id gt the def string o drweb name of the plug in that blocked the message Drweb in this case If the message is blocked by Maild core the value is set to maila If the message is moved to archive the value is set to backup e id like the same as id but in identifiers of this type special symbols can be u
512. r force which initiates dispatch of messages with send yes Exports specified messages from the database to external files Description of the parameters is similar to that of the get command except for the following two additional parameters e dir name path to the directory where files are stored If this path is not specified the value of the BaseDir parameter from the General section of the Dr Web MailD configuration file is used e env if specified the envelope is also exported to file in the following format o first line the sender address o second line receiver addresses separated by commas Name of the message file is created from the number of the message and em1 extension Name of the envelope file is created from the number of the message and 218 Ta yan A A Dr Web MailD 219 remove IE ici aiclil iez plugin_name send_and_ remove el axel jiez plugin_name Faoneemsenci ignore send error version stop reload envelope extension Example export 00002D94 vaderetro t env Success export body to t 00002D94 em1 t 00002D94 envelope and envelope to Removes specified messages from the database Description of the parameters is similar to that of the get command Example remove 00002D93 Success remove record 00002D93 Sends and removes specified messages from the database Value of the force_send parameter is
513. r Web Daemon Running Dr Web Daemon When Dr Web Daemon is started with the default settings the following actions are performed Search and load of the configuration file If the configuration file is not found loading of Dr Web Daemon terminates Path to the configuration file can be specified on startup with the ini command line parameter path to your drweb32 ini otherwise the default value etc dir drweb32 ini can be used On startup correctness of several configuration parameters is checked and if a parameter value is incorrect the default parameter value is set Creation of a log file A user account under which Dr Web Daemon is started must have appropriate privileges to write to the log file directory Users do not have write permission for the default log directory var log Therefore if the User parameter is specified adjust the LogFileName parameter and provide alternative log file directory Load of a key file from the location specified in the configuration file If the key file is not found loading of Dr Web Daemon terminates If the User parameter is specified Dr Web Daemon attempts to change its privileges Load of Dr Web Engine drweb32 d11 If Dr Web Engine is damaged or not found because of errors in the configuration file initialization of Dr Web Daemon terminates Load of virus databases in arbitrary sequence from the location specified in the configuration file If virus databases are damaged or a
514. r Web for UNIX mail servers is a ready made solution for integrating Dr Web Daemon with UNIX mail servers Note that Dr Web Daemon cannot scan the contents of the encrypted files because in this case it is necessary to know the password that been used for encryption So these files will be passed without the scan and for the client application the special return code will be returned Command Line Parameters To run Dr Web Daemon use the following command drwebd parameters where the following parameters are available p F help help Description Show information about supported command line parameters on the screen and terminate the module a lt Agent socket address gt Description Start Dr Web Daemon in the central protection mode under control of the specified copy of Dr Web Agent a lt path to file gt Description Module must use the specified configuration file foreground lt yes no gt Description Operation mode of Dr Web Daemon If yes is specified Dr Web Daemon is a foreground process Otherwise no Dr Web Daemon is a background process Clagelx com lly lt command line parameters for checking gt Description Check Dr Web Daemon configuration correctness on startup If any command line parameter is specified correctness of the value is also checked only key Description On startup Dr Web Daemon receives from Dr Web Agent only the license key file 69 Ta J i ax D
515. r is available an A request to DNSBL is sent If the DNSBL server sent a positive response the session terminates or if SCORE is specified its value is added to the score of each message transferred in the current session and to the score of the sender s IP address and the error is logged Please note that if all specified RBL DNSBL servers are inaccessible the IP address is considered untrusted reject_dnsbl is not applied to it and a record that all of the servers are unavailable is logged If the IP address of the connection is in the black list defined by the BlackNetworks parameter see below the session terminates or if SCORE is specified an error is logged and the SCORE value is added to the score of each message transferred in the current session and to the score of the sender s IP address Checks if the sender s domain is in the black list defined by the BlackDomains parameter see below PTR request is made If the domain is in this list the session terminates or if SCORE is specified an error is logged and the SCORE value is added to the score of each message transferred in the current session and to the score of the sender s IP address Ta J 1 ys Dr Web MailD 177 reject_unknown_hostname SCORE reject diff ip SCORE Actions for SenderRestrictions reject_unknown_domain SCORE trust sasl authenticated SCORE pass_sasl_ authenticated SCORE reject_unknown_sndrs SCORE
516. r the text inserted with Encoding append text and prepend text commands directly from Teee modification rules Default value Encoding koi8 r When a message is blocked reject by the plug in in the synchronous mode Dr Web MailD response to a client contains SMTP code 55 or 250 depending on the ReturnReject parameter value in the Receiver section and a text message which content is determined by values of the parameters described below Their values must be enclosed in quotation marks R Use custom messages as an SMTP reply specified in the UseCustomReply ReplyRuleFilter parameter when messages are rejected by logical Dr Web Modifier Default value UseCustomReply R Custom message used as an SMTP reply when the message is ReplyRuleFilter rejected by Dr Web Modifier text Default value ReplyRuleFilter If UseCustomReply No or the corresponding string is not specified the following standard message outputs The message has been rejected by the Dr Web MailD Ta yan A A Y Dr Web MailD 324 Examples Examples of setting rules for Dr Web Modifier by the example of global rules 1 Select elements what satisfy two certain conditions If these elements are present remove the message Otherwise find all executable files attached to a message and delete them After that add the specified text to the end of the message GlobalRules select mime headers Content type text and mim
517. r the value the greater the load on the server Mail received from the Receiver component working on the same host as drweb proxy client is transmitted for scanning to the corresponding socket addresses There must be at least one valid server address specified Addresses are selected according to the algorithm described in Using Internal Proxy Default value ProxyServersAddresses inet 8088 SERVER IP 211 Ta J i ax Address list of addresses MailPoolOptions pool options SenderPoolOptions pool options ProxyServer Section In the ProxyServer section settings of the drweb proxy server module Proxy server component are specified Address list of addresses ProxyClientsAddresses list of ACdBeSS Ssh Dr Web MailD List of socket addresses used by Sender to receive send requests from drweb proxy server components drweb proxy server components send mail to these addresses according to the value set for the ProxyClientsAddresses parameter from the ProxyServer section Default value Address inet 8066 0 0 0 0 Settings for a pool of threads processing requests from the Receiver component Thread pool processes requests from the Receiver component and sends messages to remote drweb proxy server components for check According to the check results the message is either returned to Receiver or sent via the Sender component Default value MailPoolOptions auto
518. r to the corresponding documentation on the used Sendmail system Note To check whether the Sendmail copy supports Milter API use the following command sendmail bt d0 lt dev null If the output text contains milter string your copy of Sendmail supports Milter API Dr Web MailD is fully compatible with Sendmail versions 8 12 3 and later When working with earlier versions some problems can occur see Known Issues Detailed integration instructions provided in this documentation are suiteble for Sendmail version 8 14 0 or later Aq P AN A v Dr Web MailD 336 Interaction between Sendmail MTA and Dr Web MailD is performed via Milter API drweb milter module is used as Receiver and is implemented as follows e Through the transport connection defined by drweb milter transport address ADDRESS Sendmail system receives internal commands from Milter API and a message itself The message is sent in segments depending on the stage of the mail session helo mail from rept to etc Therefore the message is saved by drweb milter module to the temporary directory Through Milter API drweb milter transmits instructions regarding the message to the Sendmail system Milter API is a multithreaded library several mail sessions can be processed simultaneously In the interaction scheme given above Sendmail system is a client and drweb milter is a server therefore in the sendmail cf configuration file drweb milter
519. rameters Default value RecodeNonprintable Yes Decoding mode for non characters if RecodeNonprintable Yes printable When RecodeMode Replace all non printable characters are substituted with the RecodeChar parameter value see below When RecodeMode QuotedPrintable all non printable characters are converted to the Quoted Printable encoding Default value RecodeMode QuotedPrintable Sets character for characters if RecodeMode Replace replacing non printable Default value RecodeChar The following parameters can be used to reduce time of scanning archives by skipping some objects in an MaxCompressionRatio numerical value CompressionCheckThreshold numerical value archive Maximum compression ratio that is ratio between size of unpacked file and its size within an archive If a ratio exceeds the specified value the file will not be extracted and therefore will not be checked An email message with such an archive is considered as a mail bomb Parameter can have only natural values If the value is set to 0 compression ratio will not be checked Default value MaxCompressionRatio 5000 Minimum size of a file enclosed within an archive in Kbytes If a file size is less than the specified value the compression ratio will not be checked if such a check is enabled by the MaxCompressionRatio parameter Ta ww ys MaxFileSizeToExtract numerical value
520. rantine reject endif When one of wordi word2 or wordN words is found in the message header the message is copied to Quarantine after that a MailD notification is send to the administrator and the message is rejected GlobalRules select mime headers Subject word1 word2 wordN if found reject notify rule quarantine endif In this example notify and quarantine commands are not executed as after the reject command the message is rejected and its processing stops reject command is determining GlobalRules select mime header Content type executable goto n 1 reject This command set allows rejecting messages with executable files attached 321 Ta J i ax Dr Web MailD GlobalRules select mime headers X DrWeb SpamState yes if found select mime headers Content type image remove endif This command set allows removing pictures from a message marked as spam by Vaderetro plug in Examples of changing message score The following example shows how to set 10 to a score of a message that satisfies the specified condition select lt gt if found set_score 10 endif In the following example if a message score is greater than 100 the message is rejected Otherwise its score is decreased by 5 select lt gt if score gt 100 reject else add_score 5 endif For details on modification rules for the Dr Web Modifier plug in see Examples Rules for escaping
521. raphical uninstaller It requires drweb libs package to be previously installed e drweb boost147 containes common libraries for Dr Web Agent and Dr Web Monitor It requires drweb 1libs package to be previously installed e drweb updater contains update utility Dr Web Updater for Dr Web Engine and virus databases It requires drweb common and drweb 1libs packages to be installed e drweb agent contains Dr Web Agent executable files and its documentation It requires drweb common and drweb boost147 packages to be installed e drweb agent es contains files required for communication between Dr Web Agent and 26 Ta J i ax Installation and Uninstallation Dr Web ESS server version 6 in central protection mode It requires drweb agent drweb updater and drweb scanner packages to be installed drweb agent10 contains executable files and documentation for the updated Dr Web Agent designed for operation with Dr Web ESS server version 10 drweb agent10 es contains files required for communication between the updated Dr Web Agent and Dr Web ESS server version 10 in central protection mode drweb daemon contains Dr Web Daemon executable files and its documentation It requires drweb bases and drweb libs packages to be previously installed drweb scanner contains Dr Web Scanner executable files and its documentation It requires drweb bases and drweb libs packages to be installed drweb monitor contains Dr Web Monitor
522. ration even if the section is present in the file Sections with proxy parameters e ProxyClient contains settings of an internal proxy client that provides interaction of Receiver and Sender with the MailD core main module e ProxyServer contains settings of an internal proxy server MailD core module uses it for processing queries from internal proxy clients Please note that if a section is not present in the configuration file parameters from these section have default values These default values are specified in this manual in the description of each parameter It is strongly not recommended to add sections and parameters to the configuration file which was automatically generated upon product installation if the sections and parameters are described in the current_document but absent in the file This is due to the fact that the parameters are specific for a certain mail system and adjustment of their values after integration with another file system can prevent Dr Web for UNIX mail servers from working correctly General Parameters This chapter provides you with description of the configuration file sections which contain general parameters of Dr Web for UNIX mail servers and its main Dr Web MailD components Generally all these sections are always present in the configuration file General Section In the General section general settings of Dr Web MailD are specified BaseDir Main working directory It
523. re gt gt auto O minimum minimum maximum 20 timeout seconds stack_size zi loglevel stat Sender pool settings Settings of thread pool used for processing Current values requests from drweb proxy server components to send mail via the Sender component auto more gt gt O minimum minimum maximum 20 timeout minutes stack_size b a loglevel quiet a stat yes ga Apply and Save Settings Figure 58 Proxy settings On this tab you can configure operation of the internal proxy which enables different Dr Web for UNIX mail servers components residing on different hosts interact with each other Templates This section contains templates of MailD notifications that are sent to various recipients upon detection of malicious objects in mail messages and occurrence of errors during Dr Web Daemon component or plug ins operation Dr Web Console for UNIX mail servers Select a template for editing or review admin_archive msg admin_cured msg admin_error msg admin_license msg admin_malware msg admin_rule msg admin_virus msg dsn msg filter_report msg rcpts_malware msg rcpts_virus msg report msg sender_archive msg Dr Web MailD version Dr Web Web Interface version Z Templates ol Dr Web MailD is running y Templates From DrWeb SPR
524. re HOSTNAME is the name of the host When this type is used the suite receives all MX records and sends a message according to them If only mx prefix is specified without a hostname the software receives and uses MX records of the recipient s domain from the TO filed in the message envelope This parameter can have multiple addresses separated by commas for sending messages Value of this parameter cannot be empty and must be specified even if routing is used see description of the Router parameter Example Address inet 25 10 4 0 90 inet 25 10 4 0 91 imer gt COA Om 92 In this example if MTA with 10 4 0 90 address stops responding Sender attempts to send an email message to 10 4 0 91 In case of unsuccessful transmission the message is sent to 10 4 0 Silo When number of addresses is large it is recommended to increase values of the MaxTimeoutForThreadActivity and IpcTimeout parameters the General section to at least 5 minutes as to allow Sender to switch to the last address in case previous address the does not respond Default value Depends on the distribution PipeTimeout Timeout to receive response using pipe time Default value PipeTimeout 2m Options Optional parameters for the external mail program which is string initialized when pipe method is used Default value Options Ta yan A A Dr Web MailD 184 InPoolOptions Thread pool settings for processing mes
525. rectly to the database and can be exported if necessary Log verbosity levels can be set in the Detail parameter from the Stat section You can set one of the following values e off value disables statistics gathering which allows to increase Dr Web for UNIX mail servers performance As a result export of statistics and sending reports are of no use e low value enables gathering of statistics on operation of the whole suite As a result it is possible to export statistics and send reports e medium value allows gathering statistics on groups for which the function is not disabled in their settings Access to group statistics can be gained either via the control socket or via the web interface e high value allows gathering statistics on all users listed in the internal database except for those who disabled this option in their settings Access to user statistics can be gained either via the control socket or via the web interface 213 Ta J 1 ax Dr Web MailD Exporting Statistics Statistics can be exported not only via the Dr Web Agent component as well as by means of Dr Web MailD via Storage type Both these options can be enabled simultaneously Please note that export of statistics via Dr Web Agent is disabled by default When all statistics is exported via Dr Web Agent it either sends the data to Doctor Web statistics server see the StatisticServerHost StatisticServerPort and UUID parameters in the S
526. red parameters The file structure is as follows lt parameter gt value pairs specified one per line If the parameter can have several values they must be separated by white spaces The following parameters are mandatory o pwcheck method password authentication method The name of a module used for authentication must be specified here Allowed values are saslauthd saslauthd daemon auxprop An auxiliary module which retrieves external data storages databases LDAP for authentication data retrieving o mech list List of authentication mechanisms to be used Allowed values are plain login cram md5 digest md5 and ntlm Note that for saslauthd only plain and login mechanisms can be used The saslauthd daemon can retrieve authentication data from the system file etc shadow also it can use PAM and IMAP server data For details on how to configure 274 Ta 2 N ax Dr Web MailD saslauthd to use a necessary data source refer to Cyrus SASL documentation o When required to use data stored in a database or LDAP set the pwcheck method parameter value to authprop and specify the data source as the auxprop plugin parameter value The following values are allowed sasldb database Berkeley DB for Cyrus SASL sasldb sql ldapdb If you set the value to sasldb specify the path to the used database as the sasldb path MySQL PostgreSQL and SQLite relational DBMS LDAP parameter value If not specified the d
527. redirect action n the RP_NAMES Number of messages for which the plug in specified in the SRP NAMES macro applied the notify action Total size of messages for which the plug in specified in the RP_ NAMES macro applied the pass action Total size of messages for which the plug in specified in the RP_ NAMES macro applied the reject action Total size of messages for which the plug in specified in the RP_ NAMES macro applied the discard action Total size of messages for which the plug in specified in the RP_ NAMES macro applied the reject or tempfail actions Total size of messages for which the plug in specified in the RP_ NAMES macro applied the quarantine action Total size of message for which the plug in specified in the RP_ NAMES Ta 2 1 ax Dr Web MailD 283 macro applied the redirect action SRP_NOTIFY SIZES Total size of messages for which the plug in specified in the RP_NAMES macro applied the notify action RP_BLOCK_PERC Total per cent of messages blocked by the plug in specified in the SRP NAMES macro SRP_BLOCK_SIZES Total per cent of messages blocked by the plug in specified in the SRP_NAMES macro SRP_CHECK TIME SUMS Total time required to check messages by the plug in specified in the RP_NAME macro RP_CHECK TIME AVR Average time required to check messages by the plug in specified in the SRP NAMES macro RP_CHECKED_MSGS Tot
528. registration valid email address and detailed description of your problem The request will be considered by Dr Web for UNIX mail servers technical support service engineers If the request is approved a license key file will be provided via automatic support system or dispatched via email Path to a license key file of the certain component must be specified as a Key parameter value in the corresponding configuration file drweb32 ini Example Key bbin dir drweb32 key If a license key file specified as a Key parameter value failed to be read wrong path permission denied or is expired blocked or invalid the corresponding component terminates its operation If the license expires in less than two weeks Dr Web Scanner outputs a warning message on its startup and Dr Web Daemon notifies the user via email Messages are sent on every startup restart or reload of Dr Web Daemon for every license key file installed To enable this option set up the MailCommand parameter in the Daemon section of the drweb32 ini configuration file If you want to use a key file from another location specify the full path to it as a LicenseFile parameter value in the StandaloneMode section of the Dr Web Agent configuration file see StandaloneMode section description Dr Web for UNIX mail servers provides you with the possibility to use several license key files simultaneously List of plug ins licensed to the user includes all plug ins mentioned i
529. reject 0o mynetworks 127 0 0 0 8 o smtpd authorized xforward hosts 127 0 0 0 8 where lt ADDR SEN gt is the address to which drweb sender module is connected for sending messages the Address parameter of the Sender section of the Dr Web MailD configuration file for example 127 0 0 1 8026 It is recommended that lt NN gt number maximum number of processes executed by Postfix server is the same as the number of threads in pools of drweb receiver and drweb sender modules the PoolOptions parameter in the Receiver section and OutPoolOptions in the Sender section of the Dr Web MailD configuration file To remove this limitation specify minus sign instead of the lt NN gt number During installation of Dr Web for UNIX mail servers all of the described changes are made to Postfix configuration files automatically with the use of configure _mta sh script So Dr Web for UNIX mail servers and Postfix are set for operation in the after queue mode by default After applying the changes to restart Postfix Configuring Operation Using Milter Protocol A To operate in this mode Postfix system version 2 3 3 or later is required By default Dr Web for UNIX mail servers and Postfix are configured to interact in the after queue mode So new settings that configure operation via Milter protocol must be specified in the Postfix configuration files instead of the existing ones change the content_filter parameter to the sm
530. required component enter the respective number and press ENTER 5 Review the License Agreement To scroll the text press SPACEBAR user hostname Bug Monck TepmnHan The present License agreement is concluded between you either a legal entity or home user and Doctor Web the right holder that possesses intellectual property rights with regard to usage of Dr Web R software software including usage of technologies and software from other vendors where corresponding rights are acquired under law of the Russian Federation and International Law as follows 1 All terms and conditions provided herein regulate usage of the software which is an object of the intellectual property rights of the right holder If you do not agree with at least one term or condition stipulated herein do not use the software Violation of the terms of the present License agreement is considered an unauthorized use of the software and entails civil administrative and criminal responsibility 2 If you are a legal owner of the Software s copy you receive the To continue the installation you need to accept the License Agreement If you agree to the terms enter Y or Yes Otherwise the installation aborts 6 The installation process starts immediately You can review results of the installation steps in the console in real time Installation and Uninstallation 37 user hostname Npaska Bng NMonck TepmnHan Creating installation direc
531. rformed in user column of senders table in MySQL database If the local part is found the message is sent to the address specified in the matching row of the address column Example Router ldap description sub cn d domainl com inet 25 example com inet 1025 example com inet 2025 example com mail com mx inet 25 mail backup domain2 com mx mail ru inet 25 mail backup file path to routers list In this example messages are transmitted for delivery the following way 1 Recipient s domain name is searched using LDAP cn attribute is used If the domain name is found redirection settings are taken from the description field 2 Messages addressed to recipients from domainl com are sent to example com on port 25 If delivery fails system tries to deliver the message to the same address on port 1025 and then on port 2025 3 Messages addressed to mail com are sent to addresses corresponding to MX record of mail com 4 Messages addressed to domain2 com are redirected to addresses specified for MX record of mail com or to the port 25 of mail backup server 5 If address of the recipient does not match any of the previously described addresses matching is checked in the path to routers list file Please note that only one address is assigned to one domain therefore expressions of this type are not allowed Router domain domain2 25 host Before using Lookup as a value of the Router parameter check
532. rking with Quarantine Commands for Quarantine Management Receiving Statistics 181 187 188 189 190 192 193 196 198 198 203 204 205 206 207 209 210 211 211 212 213 214 214 215 216 216 216 217 219 222 225 225 227 227 230 Ta 2 AN ax Commands for Working with Statistics Statistics Output Examples Checking Notification Generation Dr Web MailD Utilities drweb qcontrol Quarantine Management drweb lookup Lookup Validation drweb inject Sending Mail Message Processing Rules Rule Format Special Cases Error Handling and Rule Validation Unified Score Reputation IP Filter Simultaneous Use of Several Receiver Sender Components Optimizing Operation and Use of System Resources Using Internal Proxy Integration with Cyrus SASL Notification Templates Used Macros Control Constructions Template Example Language Files Plug Ins Drweb Anti Virus Plug In Connecting Drweb Plug In Setting Drweb Plug In Examples Vaderetro Anti Spam Plug In Installing Vaderetro Plug In Setting Vaderetro Plug In Examples Dr Web HeadersFilter Plug In Connecting Headersfilter Plug In Setting Headersfilter Plug In Examples 230 232 233 234 236 236 240 241 242 243 253 258 259 259 263 265 270 274 276 279 283 285 289 291 291 291 292 299 300 301 302 308 308 308 309 311 Ta gt BY ax N Dr Web Modifier Plug In Connecting Modifier Plug In Setting Modifier Plug In Examples Work wi
533. rks and domains 33 Ta i aX Installation and Uninstallation Protected domains localhost Language s for reports en Press 1 to Save updated configuration 2 to go Back to editing 3 to Cancel or 5 to Redisplay 1 1 General Hostname localhost Notifier AdminMail postmaster localhost Maild RedirectMail postmaster localhost Notifier FilterMail DrWEB MAIL DAEMON localhost Filters AfterQueueFilters headersfilter Filters BeforeQueueFilters modifier Maild ProtectedNetworks 127 0 0 0 8 Maild ProtectedDomains localhost Notifier NotifyLangs en Monitor RunAppList MAILD fetc drweb monitor conf patched Ok fetc drweb maild_postfix conf patched OK Do you want to configure MTA for Drlleb for Mail server Antivirus Antispam YES no yes Welcome to the Dr Web InstallShield Wizard The InstallShield Wizard will configure POSTFIX Perform MTA configuration Please enter yes or no yes Error the Postfix configuration file etc postfix master cf was not found Info you can specify the MTA_CONFIG_PATH environment variable Please refer to documentation on POSTFIX adjustment residing in opt drweb doc maild directory Do you want to configure services YES no yes Configuring startup of drwebd Already running Configuring startup of drweb monitor Already running Configuration completed succesfully Press Enter to finish i Figure 10 Configuring MTA and starting services automatic
534. ro max size 100k When this rule is applied to the a drweb com sender Action pass parameter value is used for Dr Web HeadersFilter plug in and the maximum size max_size of the message checked by Vaderetro plug in is set to 100k After that search of matching subsequent Rules continues as the cont directive is specified 246 Ta J 1 ax Dr Web MailD Example 2 to a drweb com cont drweb ProcessingErrors pass redirect err drweb com Note that one ProcessingErrors parameter for Drweb plug in is set and this parameter has two values separated by commas pass redirect err drweb com Thus it cannot be enclosed in quotation marks as a configuration parser treats it as one value and does not split them into substrings when parsing the ProcessingErrors parameter The comma is escaped Rule processing is performed in the following order up to down and left to right so e If the value of the same parameter in one Rule SETTINGS part is specified several times the successive parameter value substitutes the previous one e If several Rules are matching where different values are specified for the same parameter in the SETTINGS part the first assigned value is set and the subsequent values are ignored Example 3 one Rule with several values for the same parameter true cont html yes html no Value of the html parameter the parameter description is provided below is set to no Example 4 s
535. rom admin domain com set max size of the Drweb plug in to 100k from admin domain com cont drweb max_size 100k R Log verbosity level used for plug ins The following levels are allowed e Quiet O jmrerm ie e Alert SETTES Debug Default value of this parameter is the same as the Level parameter value in the Logging section IPC library log verbosity level The following levels are allowed e Quiet SPECTORT e Alert S WiMe Debug Default value of this parameter is the same as the IpcLevel parameter value from the Logging section Log type label which is used by syslogd system service Default value of this parameter is the same as the SyslogFacility parameter value in the Logging section Path to the log file name You can specify syslog as a log file name and logging will be carried out by syslogd system service Path to the dynamic link library of a plug in if the library name does not correspond to Lib lt plugin_name gt so naming rules or the library is not located in the directory specified in the LibDir parameter Path to the library can be absolute or relative The relative path is specified from the directory set in the LibDir parameter Default value path_to lib LibDir lib lt plugin_ name gt so Ta J 1 ax Dr Web MailD If most part of message traffic consists of large messages with large attachments or with a large number of attachments these messages are pro
536. rotectedDomains Maild IncludeSubdomains SASL Receiver EndComponents EndApplication Integration with Dr Web Enterprise Security Suite There are two possible situations which require integration of Dr Web for UNIX mail servers with Dr Web Enterprise Security Suite e Setup and initial configuration of Dr Web for UNIX mail servers in the existing Anti virus Network operated by Dr Web ESS e Embedding of working UNIX server with already installed and configured Dr Web for UNIX mail servers in the Anti virus Network operated by Dr Web ESS To enable Dr Web for UNIX mail servers to work in Dr Web ESS environment configure Dr Web Agent and Dr Web Monitor components for operation in the Enterprise mode and register the suite on Dr Web Enterprise Server According to the connection policy for new working stations for details see Dr Web Enterprise Security Suite administrator manual Dr Web for UNIX mail servers can be connected to Dr Web Enterprise Server in two different ways e when a new account is automatically created by the central protection server e when a new account is created by administrator manually Configuring Components to Run in Enterprise Mode To start the components in the Enterprise mode after installation it is necessary to adjust parameter values in the local configuration files of Dr Web Agent and Dr Web Monitor For Dr Web Agent In the EnterpriseMode s
537. rs run Dr Web Scanner with either h or help parameters The Console Scanner basic parameters can be divided into the following groups e Scan area parameters e Diagnostic parameters e Action parameters e Interface parameters Scan Area Parameters These parameters determine where to perform a virus scan path lt path gt Sets the path to be scanned Symbol can be skipped in this case a path for scanning is separated from the path parameter by a space You can specify several paths in one path parameter paths will be combined into one list You can also specify paths without the path parameter If in the startup options the lt path gt parameter is specified with following prefix disk lt path to device file gt 57 T aX A AN lt file gt sd EL mask Dr Web Command Line Scanner the boot sector MBR of the corresponding device is checked and cured if necessary Device file is a special file located in the dev directory and named as sdX or hdX where x is a letter of the Latin alphabet a b c For example hda sda Thus to check MBR of disk sda specify the following disk dev sca Instructs to scan objects listed in the specified file Add a plus if you do not want the file with the list of objects to be deleted when scanning completes The file can contain paths to directories that must be periodically scanned or list of files to be checked regularly
538. rule true cont SenderAddress inet 10025 CLIENT IP redirects all incoming messages to the port 10025 of the host which sent the message In the current Dr Web MailD version this parameter is supported only by drweb sender module with SMTP LMTP send method 250 Ta ww ax Dr Web MailD A Default parameter values listed in the table above are set in the Rule configuration file section for which the name is not specified To ensure proper functionality of the CLIENT IP and CLIENT PORT macros used in the SenderAddress parameter specify the following parameter values e Inthe Receiver section RealClients e Inthe Maild section GetIpFromReceivedHeader yes 2 Parameters from the main configuration file which can be used in Rules Maild Notifier Filters 3 Plug in parameters that can be used in Rules RedirectMail MaxScore MaxScoreAction LicenseLimit EmptyFrom ProcessingErrors UseCustomReply ReplyEmptyFrom ReplyProcessingError ReplyMaxScore AdminMail FilterMail NotifyLangs lt plug in gt use This parameter allows or restricts using of the specified plug in when checking messages It is of Logic type yes no Note that this parameter can be used only in Rules and is not specified in the configuration file lt plug in gt max_size lt plug in gt log level lt plug in gt log ipc level lt plug in gt syslog facility lt plug in gt path_to_ lib Drweb He
539. ruses When you start Dr Web Scanner with default parameters no cure actions and no actions for incurable and suspicious files are performed To enable these actions specify the corresponding command line parameter explicitly The following actions are recommended e cu cure infected files and system areas without deleting moving or renaming infected files e icd delete incurable files e spm move suspicious files e spr rename suspicious files When Dr Web Scanner is started with cu action specified it tries to restore the original state of an infected object It is possible only if a detected virus is a known virus and cure instructions for it are available in virus database even in this case a cure attempt may fail if the infected file is seriously damaged by a virus When an infected file is found within an archive the file is not cured deleted moved or renamed To cure such a file manually unpack the archive to the separate directory and instruct Dr Web Scanner to check it When Dr Web Scanner is started with icad action specified it removes all infected files from the disk This option is suitable for incurable irreversibly damaged by a virus files The spr action instructs Dr Web Scanner to replace a file extension with another one by default that is the first extension character is replaced with the character Enable this parameter for files of other operating systems detected heuristically a
540. rver the admin account Thus Administrators with full rights can e Add new and delete already existing administrator accounts e Adjust settings for all administrators of Anti virus network Group administrators and administrators with read only rights can e Adjust some of their account settings 393 Ta N ys Contacts 394 Contacts Dr Web for UNIX mail servers solution is constantly improved You can find news and the latest information on available updates on the website at http www drweb com Sales department http buy drweb com Technical support http support drweb com Please include the following information in the problem report e full name and version of your operating system e versions of Dr Web for UNIX mail servers modules e configuration files of all modules e log files of all modules Doctor Web 2014
541. rweb notifier e drweb cgp sender drweb maild Also it is additionally necessary to make that the Dr Web Monitor component has been launched with the root privileges to provide this specify root value for User and Group parameters in the Monitor section of monitor conf configuration file Operation Principles Dr Web MailD interacts with CGP in the following way 1 CGP receives an email message 2 CGP checks the settings and after that if required sends the message for check to helper functions of which are performed by drweb cgp receiver 3 Upon receipt of the message drweb cgp receiver searches for SecureHash header o if the header is found drweb cgp receiver returns OK status and passes the message to CGP for further processing o otherwise the message is passed for check to drweb maild 4 drweb maild applies plug ins to the message and the plug ins can modify it for example add headers o if no virus is detected and the message was not changed OK status is returned to CGP o if during processing the message was changed DISCARD status is returned to CGP and further message processing is performed by drweb maild as the helper protocol does not allow to return a modified message 334 A yaN Aq A Dr Web MailD 335 5 The message is passed to Sender and after adding of SecureHash header if UseSecureHash yes the message is moved to the submit directory var CommuniGate Submitted that
542. s e address with less weight weight must be not less than 1 and goes to step 2 If there are no more not tried addresses with weight not less than 1 the algorithm goes to step 4 4 Attempts to send the message to backup addresses in accordance with the order they are specified If no address from the backup list is accessible an error is returned WEIGHT values should be selected and assigned according to the resources available on each server that is assign greater WEIGHT values to hosts with more resources When messages are passed for check to the drweb maild module and processed by plug ins from the BeforeQueue queue all processed mail is returned to the client that sent it for processing If messages are processed by plug ins assigned to AfterQueue the address of the client that receives already processed mail will be selected according to the weights of client addresses in ProxyClientsAddresses Duplicated messages see the Rules description and messages generated by drweb maild reports and notifications will be also sent to the client selected from the ProxyClientsAddresses list regardless of the queue in which the plug ins reside For messages sent to the client selected from the ProxyClientsAddresses list settings specified in Rules if there are any will be applied for example value of the SenderAddress parameter Note that when a proxy interacts with Qmail Courier MTAs and other MTA using Milter protocol
543. s read errors write errors adware dialer joke riskware hacktool a O O eS ep a oy AE O ey Gb GS wy Ta eS O plugin_name lt varchar long gt name of the plug in which blocked the message sender lt varchar_long gt sender s address enclosed in angle brackets client_ip lt varchar_long gt IP address of the client that loaded the message into the mail database if available date lt timestamp gt timestamp of loading the message into the mail database client_id lt varchar_long gt the unique identifier of the Client for which saving into the mail database is performed always de f string Example ExportBlockObjectsStorage odbc insert into viruses values number lt int gt q_name lt varchar long gt virus_name lt varchar long gt virus_code lt int gt plugin_name lt varchar long gt sender lt varchar long gt client_ip lt varchar long gt date lt timestamp gt s llicime ickwamelmaie llores 162 Ta yan A A Dr Web MailD 163 Default Value ExportBlockObjectsStorage ExportStatStorage string Export of statistics on number of processed messages Export is performed e on shutdown e after a period of time specified in the SendPeriod parameter value If statistics is empty no messages were processed nothing is exported Names of the table and fields in the database can be arbitrary but they must be of t
544. s handle connections from clients Each connection requires a new thread otherwise some clients are disconnected while waiting for a free thread Default value PoolOptions auto Settings of an auxiliary thread pool Threads handle end of message processing signals from drweb maild Default value CallbackPoolOptions auto Maximum number of incoming connections If O is specified as a value of this parameter the number of incoming connections is not limited Default value MaxConnections 0 Enables to drop connection without sending an error message to client if there are too many simultaneous connections from one IP 197 Ta J 1 aX Dr Web MailD 198 address Default value DoS_Blackhole no DisablePlainText Do not allow the client to send login and password as plain text logical in an unencrypted format It requires OpenSSL to be configured in advance Default value DisablePlainText no MaxConnectionsPerIp numerical Maximum number of simultaneous connections from one IP value address If 0 is specified as a value of this parameter the number of incoming connections is not limited Default value MaxConnectionsPerIp 0 MaxCommandLength Maximum size of a command for the POP3 protocol ao Each command is a string which is sent from the client to the server Maximum possible size of this command is about 1000 bytes according to the current RFC Please note that if
545. s identifier PID is written upon the module startup Default value PidFileDir svar dir run Change of working directory upon Dr Web Monitor startup If this parameter is set Dr Web Monitor changes directory to the one specified in this parameter value Otherwise working directory is not changed Default value ChDir Path to the directory where metaconfiguration files reside These files contain settings defining Dr Web Monitor interaction with other Dr Web components Metaconfiguration files are provided by Dr Web developers and do not require editing Default value MetaConfigDir etc_dir monitor Socket used by Dr Web Monitor to receive control signals from other Dr Web components Default value Address local var_dir ipc monitor Maximum time in seconds to establish connection between Dr Web Monitor and other Dr Web components Default value Timeout 5 Name templates for Dr Web Monitor temporary files Template format path_to_file XXXXXX where x is a random symbol letter or digit used in temporary file names 112 Ta 2 1 ax RunAppList text value UseEnterpriseMode logical RecoveryTimeList numerical values InjectCmd SHETeaLinGy AgentAddress acllicess AgentResponseTime numerical value Dr Web Monitor Default value TmpFileFmt var dir msgs tmp monitor XXXXXX List of modules started by Dr Web Monitor use comma as a del
546. s must include special header files and libraries SDK The following SDK are available e SDK for development of new modules that perform functions of Receiver Sender components and provide support to new MTAs e SDK for development of new plug ins for mail processing Use of the API for new modules allows to connect them to the product as the standard modules and plug ins Both of the SDK include header files to be used examples with the source code and documentation These SDK are not provided with the product but they can be downloaded from the repository of Doctor Web company If you encounter any problem please contact technica support 12 Ta N ys Introduction Dr Web for UNIX mail servers includes the following components e Dr Web Scanner console anti virus scanner that provides detection and neutralization of viruses on the local machine and in the shared directories Dr Web Daemon a background that performs functions of an external anti virus filter Dr Web Monitor a resident component that runs and terminates other Dr Web modules in the required order Dr Web Agent a resident component that helps to configure and manage Dr Web components gathers statistics and provides integration with Dr Web Enterprise Security Suite Dr Web ESS By default the solution includes Dr Web Agent designed for integration with Dr Web ESS 6 0 If you want to integrate the suite with Dr Web ESS 10 0 install the upd
547. s suspicious Renaming helps to avoid accidental execution of such files in these operating systems and therefore prevents infection The spm action instructs Dr Web Scanner to move infected or suspicious files to the Quarantine directory svar _dir infected by default This option is of insignificant value since infected and suspicious files of other operating systems cannot infect or damage a UNIX system Moving of suspicious files of a UNIX system may cause system malfunction or failure Thus the following command is recommended for day to day scanning drweb lt path gt cu icd spm ar ha fl ml sd You can save this command to the text file and convert it into simple shell script with the following command chmod a x filename Dr Web Scanner default settings could be adjusted in the configuration file Command Line Parameters You can run Dr Web Scanner with the following command sbin dir drweb lt path gt parameters where lt path gt is either the path or paths to scanned directories or mask for checked files If a path is specified with the following prefix disk lt path to device file gt files of the devices are 56 Ta yan A A Dr Web Command Line Scanner located in the dev directory Dr Web Scanner checks the boot sector of the corresponding device and cure it if necessary The path can start with an optional parameter path When Dr Web Scanner is started only with the lt
548. sage append text text from DB select message append text text from rule quarantine Note that the modifier LocalRules parameter has additive semantics and new values do not reset the previous ones but are added separated by commas If the message has other recipients except testl drweb com for which other modifier LocalRules values are specified in the database or the values are not specified at all all modifier LocalRules values from the database are ignored for all of the recipients Only the settings set in the Rule are used the same value for all the recipients select message append text text from rule quarantine When necessary you can override OnError and SkipDomains settings of the used data source Example to ldap onerror exception skipdomains file etc drweb skipdomains list 2 description sub cn u cont According to the specified condition all names of the message recipients username part in the username domain address according to the used u macro must be taken from LDAP However SkipDomains Setting is also specified in the Lookup and instructs to skip domains without request domain part in the address that are found in the etc drweb skipdomains 1list file Thus the rule is processed as follows 1 List of recipients is retrieved from the message field To 2 Address of another recipient is taken 3 Domain membership to the list of domains to be skipped without request
549. sages in before queue pool options mode Note that this parameter is deprecated and is not used anymore Default value InPoolOptions auto OutPoolOptions Threads pool settings for processing messages in after queue pool options mode Default value OutPoolOptions auto The following parameters are specified only in solutions for Exim and Postfix MTAs and in SMTP LMTP proxy mode HeloCmdTimeout Timeout to execute HELO EHLO commands time Default value HeloCmdTimeout 5m MailFromCmdTimeout time Timeout to execute MAIL command Default value MailFromCmdTimeout 5m ReptToCmdTimeout Timeout to execute RCPT command time Default value ReptToCmdTimeout 5m DataCmdTimeout Timeout to execute DATA BDAT commands time Default value DataCmdTimeout 2m DataBlockTimeout Timeout to send a message time Default value DataBlockTimeout 3m EndOfDataTimeout Timeout to receive confirmation of message delivery time Default value EndOfDataTimeout 10m OtherCmdsTimeout Timeout to execute other commands via SMTP LMTP time Default value OtherCmdsTimeout 2m SendDSN Enables disables sending of DSN reports if a message delivery logical problem occurs Please note that if Dr Web MailD operates via Sender with MTA Exim Postfix Zmailer and sending of DSN is enabled it is necessary to be aware of the following situation In this mode DNS can be ge
550. se64 Q quoted printable e lt coded_text gt encoded string value Note that if the result value must be treated as a regular expression escape regular expression symbols for example inquiry character with double backslash Example Suppose it is required to search messages that contain the word Tect entered in the Russian language using the Cyrillic script in CP1251 encoding After the text is translated into base64 transport encoding the string is as follows 8uxx8go To get strings in the required encoding use special tools for example iconv and base6 4 The following example translates the tect character string from uTF 8 encoding to CP1251 and then presents the string with the use of base64 echo rect iconv f utf 8 t cp1251 base6 4 Example of usage in plug ins 1 To enable Dr Web Modifier to select a header that includes tect in cP1251 encoding specify the following condition in the modification rule select mime headers Subject cp1251 B 8uxXx8go 2 To enable Vaderetro to add the word Tect in CP1251 encoding to message headers specify the following SubjectPrefix cp1251 B 8uxx8go 3 To enable Dr Web HeadersFilter to reject messages containing in subject the word Tect in CP1251 encoding specify the following RejectCondition Subject cp1251 B 8uxx8go 325 A AN v Aq A Dr Web MailD 326 Integration with Mail Tra
551. sed zero or more random symbols one random symbol Example def 00014F7F all messages with 00014F7F number saved to Quarantine def drweb all messages saved by Drweb plug in Message body is saved to the database in the decoded form in UTF8 encoding and all control characters ASCII 0 21 and 127 except for tabs are replaced with spaces Execution results are output with an empty string at the end Commands for Quarantine Management You can manage Quarantine with the following commands e quarantine search range START NUMBER sort SORT_ TYPE sender EMAIL SUBSTR rcpt EMAIL SUBSTR period DATE1 DATE2 size SIZE subject SUBJECT SUBSTR id id like order ascent descent searches messages in Quarantine by the specified criteria Messages are output starting with START numeration begins with 0 and in the quantity of NUMBER elements If START and NUMBER are not specified all found messages satisfying other criteria are output If the NUMBER value is set to 0 all elements are output The following parameters are used o SORT TYPE type of the sorting Possible values e date by default sort by date of moving messages to Quarantine e size sort by message size e sender sort by sender address e subject sort by message subject o EMAIL SUBSTR substring for search in the rcpt or sender fields o period period for which messages
552. selection or click Back to make changes 4 Review the License Agreement To proceed you need to accept it If necessary use the Language list to select a preferred language of the agreement Russian and English languages are available Installation and Uninstallation Welcome License Agreement Install Type Select language Select Software Dr Web R SOFTWARE USAGE LICENSE AGREEMENT a Confirm The present License agreement is concluded between you either a legal E 2 entity or home user and Doctor Web the right holder that License possesses intellectual property rights with regard to usage of Dr Web R Installing Finish Dr WEB software software including usage of technologies and software from other vendors where corresponding rights are acquired under law of the Russian Federation and International Law as follows 1 All terms and conditions provided herein regulate usage of the software which is an object of the intellectual property rights of the right holder If you do not agree with at least one term or condition stipulated herein do not use the software Violation of the terms of the present License agreement is considered an unauthorized use of the f EFTTA l ies S H eee Tr eas eee A SSS a ar pacar eee eel ea ay ee apse Accept and install Cancel installation 4Back Next Cancel Figure 7 License Agreement screen 5 After you acc
553. ser must copy it manually to the sbin_ dir directory License key file is sent to a user via email usually after registration on the website website location is specified in the registration card supplied with the product Visit the website fill in the web form with your customer data and submit your registration serial number printed on the registration card After that your license is activated and a key file is created according to the specified serial number The key file is sent to the specified email address It is recommended to keep the license key file until it expires and use it to reinstall or restore Dr Web for UNIX mail servers If the license key file is damaged or lost it can be recovered by the same procedure as during license activation In this case you must use the same product serial number and customer data that you provided during the registration only the email address can be changed in this case a license key file will be sent to the new email address If the serial number matches any entry in Dr Web for UNIX mail servers database the corresponding key file will be automatically dispatched to the specified email address 53 Ta J i ax Registration Procedure One serial number can be registered no more than 25 times If you need to recover a lost license key file after its 25th registration send a request for license key file recovery at http support drweb com request stating the data input during
554. server inet imap 127 0 0 1 Filter errors action Main action reject fa Action to be applied to a message when some error emerges before the message is passed to the drweb maild module minimum allow a minimum allow a maximum mail co timeout days x stack_size GB E loglevel quiet m stat no z Preview Apply and Save Settings more gt gt Pool settings Settings of main thread pool Current values more gt gt auto Figure 56 IMAP settings On this tab you can specify IMAP filter settings to check mail received via the IMAP protocol 386 Dr Web Console for UNIX mail servers 387 r Web MailD Dr Web Web Interface w Configuration k Jr Web MailD is running a eS Ee Eee ee o Settings of auxiliary pool Settings of auxiliary thread pool Current values more gt gt auto O minimum 10000 O minimum 7331__ maximum block timeout allow a days M stack_size allow a MB M loglevel alert E stat no zi Listen address A list of socket addresses used to receive requests from clients inet 5110 0 0 0 0 i block Client TLS Settings TLS SSL settings for client communications over POP3 more gt g
555. server sends to the user MDA POP3 server can run on the local computer as well as on a remote computer Functions of the component are performed by drweb pop3 module Its settings are specified in the POP3 section of the main Dr Web MailD configuration file Every time a connection is established POPS filter retrieves the user name from the USER username command and saves the name during the session If authentication is successful the filter performs transmission of the messages from the server to the client At that all commands and data are transmitted literally except for a server response to the RETR command message retrieval Response from MDA to this command is transmitted to MailD core for analysis and then MUA receives the processed response The filter is disabled by default To enable it uncomment the following string in the mmc file of Dr Web Moritor maild_ lt MTA gt mmc drweb pop3 local var drweb ipc agent 15 30 MAIL drweb drweb When Dr Web MailD is operating in the POP3 IMAP proxy mode the following modules must be running in the system this is specified in mmc file of the Dr Web Monitor e drweb notifier drweb sender e drweb maild drweb pop3 or drweb imap depending on the intercepting user protocol Note that a part of the lt MTA gt file name depends on the name of the MTA associated with Dr Web for UNIX mail servers Integration with CommuniGate Pro Configuring CommuniGate Pro
556. ses match this parameter You can specify several address types separated by colons The following modifier values recipient s address types are available e sender notifications sent to the message sender e rcpt notifications sent to the message recipients e admin notifications sent to the administrator e any Or a modifier is not specified notifications sent to the addresses of any type Examples notify block orf notify block any block notifications of all types notify Virus block sender admin block notifications sent to the administrator and message sender upon a virus detection If for a notification of a certain type lt type gt no notify lt type gt rule is found it is assumed that the corresponding notification is disabled Note that this parameter does not manage DSN Ta J i ax NotificationNamesMap namel file namel name2 file name2 SenderAddress addressl address2 Dr Web MailD Allows mapping of used template names to the new ones For example the parameter can be used to generate notifications of different types depending on the envelope As the parameter value the following information is specified e nameN name of the requested notification for which a new template file is set For the list of names see the notify parameter description Besides that you can also specify report for general report templates and dsn for DSN e file nameN part of a new templ
557. similar to the value of the force parameter of the send command If the message was successfully sent with the send_and_remove command or dispatch of this message is not required that is the message was sent before the message is deleted If the ignore send error parameter is specified the message is deleted regardless whether the dispatch was successful or not Outputs the current product version Stops the product operation Sends SIGHUP signal to drweb maild process User Group and Alias Management User Group Alias concepts User in Dr Web for UNIX mail servers is an owner of one or more mailboxes whose mail correspondence must be processed according to special settings If a user has more than one mailbox their addresses are called aliases at that one of the addresses is treated as primary You can specify individual Rules of message processing for a user similar to the way general Rules are specified in the Rules section of the configuration file User address or any alias is considered to be the user identifier All user addresses are treated as a unit so the same settings are applied to them and their statistics is aggregated Users can be joined in user groups which can also have their own rules of messages processing Each user can be included in any number of groups You can set the following two flags for a user or a group e Activity flag A determine if the user group is active If yes speci
558. ssage after placing it to queue DB Possible values headersfilter Values are delimited with commas default theadersfilter Enter email address to send notifications to default postmaster localhost Enter email address to send notifications from def ault DrWEB MAIL DAEMON localhost Enter list of protected networks e g 127 0 0 0 8 Values are delimited with commas default 127 0 0 0 8 Enter list of protected domains Values are delimited with commas default localhost Enter language s to use in reports Possible values enljalru Values are delimited with commas default en Configuration Plugins directory opt drweb maild plugins lng files directory etc drweb maild 1ng Before queue plugins modifier After queue plugins headersfilter Administrator email address postmaster localhost Filter email address DrWEB MAIL DAEMON localhost Protected networks 127 0 0 0 8 Protected domains localhost Language s for reports en Press 1 to Save updated configuration i to go Back to editing 3 to Cancel or 5 to Redisplay 1 Figure 9 Interactive post install script After initialization of the script you can specify a path to the key file set an order of mail processing by the plug ins and automatically enable services necessary for Dr Web for UNIX mail servers proper operation for example Dr Web Daemon Dr Web Agent Dr Web Monitor You can also specify the list of protected netwo
559. ssages e File Stat module with interface to embedded stat functions e File Find module with interface to perform search through directory tree e Encode CN module used for Chinese character encoding e Encode HanExtra extra sets of Chinese encodings e Switch module for switch case statement usage If some modules are missing it is recommended to install them from the command line For that root privileges are required Names of the modules can differ but they are usually included into the following packages perl1 Convert BinHex perl I0 stringy perl MIME tools per1 XML Parser perl XML XPath To install the modules in rpm systems it is recommended to choose noarch rpm packages Web interface layout and appearance can differ depending on the Webmin version and the used browser Due to peculiarities of Webmin implementation Dr Web Console for UNIX mail servers web interface cannot be correctly displayed in Internet Explorer 7 If problems with display of webpages occur try to use Internet Explorer 8 or 9 or later or use another browser Installation To start working with Dr Web Console for UNIX mail servers do the following e install Webmin e install Dr Web Console for UNIX mail servers plug in located in bin dir web Webmin configuration and installation of modules is performed with the use of Webmin web Ta i ax interface Dr Web Console for UNIX mail servers
560. ssed archive tar bz2 tbz If additional modifiers d m or r are not specified Dr Web Scanner only informs the user on detected malicious or suspicious files in archives Otherwise it applies the specified actions to detected threats Instructs to scan files within containers HTML RTF PowerPoint If additional modifiers d m or r are not specified Dr Web Scanner only informs the user on detected malicious or suspicious files in containers Otherwise it applies the specified actions to detected threats Instructs to scan contents of mail files If additional modifiers a m or r are not specified Dr Web Scanner only informs the user on detected malicious or suspicious objects Otherwise it applies the specified actions to detected threats Scan executable files packed with LZEXE DIET PKLITE EXEPACK without output of the compression type Enables heuristic analysis to detect unknown threats 58 Ta ww ys G Dr Web Command Line Scanner 59 For some parameters you can use the following additional modifiers Add d to delete objects to avert the threat Add m to move objects to Quarantine to avert the threat Add r to rename objects to avert the threat that is replace the first character of the file extension with Add n to disable logging of the archive container mail file or packer type If malicious objects are detected within complex objects such as archives containers packed or mail fil
561. statistics only on messages which were blocked by Drweb anti virus plug in gt stat client ignore total plugin drweb 5 Request for statistics only on messages which were passed by Drweb anti virus plug in gt stat client ignore block plugin drweb Checking Notification Generation You can check how Notifier generates notifications from templates For that purpose use the notify command in the interactive management interface Command format The command has the following syntax notify type mode options where e type notification type which is the same as the name of the used template file It is allowed to use any type except for report msg e mode notification mode which can be one of the following o show generate a message from a template and output the notification text Format of the output command SIZE lt FROM gt lt RCPT1 gt lt RCPT2 gt BODY where SIZE size of the BODY in bytes If BODY is not finished with a new line character the character is added but not included in SIZE FROM message sender from the envelope RCPT message recipients from the envelope BODY message body For description of the procedure how recipients and sender are determined see below o sync generate a message from the template and send via Sender in the synchronous mode that is Sender delivers the message before the result is returned If the used Sender does not support t
562. striction reject e count of messages which senders received Tempfail SMTP status upon applying of this restriction tempfail Please note that statistics is not aggregated Each saved record contains statistics on applied restrictions between previous and current moments of saving Statistics on restriction appliance is collected only if Dr Web MailD is operating in SMTP LMTP proxy mode Statistics on operation of thread pools and connections Statistics on operation of thread pools and connections is collected if the corresponding option for the pool is enabled for example the InPoolOptions and OutPoolOptions parameters in the Maild section of Dr Web MailD configuration file and the stat parameter value is yes Example InPoolOptions auto stat yes Note that for Sender and Receiver components statistics is collected unconditionally because additional parameters Such as timeout stat and others are not specified for their pools and even if so they have no effect Aggregated statistics is saved to the log file as a message of Debug verbosity level upon receipt of SIGUSRI1 signal or Dr Web MailD shutdown Note that if the set log verbosity level is less detailed than Debug statistics is not logged Statistics record looks as in the following example size 50 active 0 pending 0 min 50 max 500 threshold 50 Ta yan A A Dr Web MailD 130 where e size current size of the pool number of
563. structions below but cannot add users to the corresponding groups Thus if you used the script for integration configuration do not forget to add users to the groups see below Configuring Qmail To connect Dr Web MailD to Qmail mail system do the following 1 Open the directory with Qmail executable files lt qmail dir gt usually they reside in the var qmail bin directory and rename the qmail queue file to qmail queue original Note that if you moved the qmail queue original file to another location or defined another name different from qmail queue original it is required to specify a new path to this file in the main configuration file of Dr Web MailD To do this set the new file path as a value of the QmailQueue parameter in the Qmail section 348 Ta J i ax Dr Web MailD 2 Instead of the renamed file create the following symbolic link in the same directory qmail queue gt bin dir qmail queue 3 Set rights for users whose privileges are used to run the files The most convenient configuration is the one when Dr Web MailD and qmail queue operate under the drweb account To enable proper functioning of the configuration assign the following rights for Sbin dir qmail queue and qmail dir qmail queue rws x x X drweb qmail SIZE DATE bin dir qmail queue rws x x X qmailq qmail SIZE DATE qmail dir qmail queue original You can also do that using the following commands
564. sues Description When UNIX socket is used for communication between the filter and Sendmail Milter API library distributed with Sendmail could not remove prior to version 8 12 2 the file used for the socket Solution For versions 8 12 x the following patch is available Listener 8 12 0 1 patch For versions 8 11 Ta J i ax Dr Web MailD 339 and later this file must be removed manually or via script which manages filter operation The issue is resolved in Sendmail version 8 12 2 Description When demo key is used in the local scan mode the size value of a message which is transmitted to the next server is doubled after passing through the filter the message itself either remains unchanged or a small banner is added to it Solution This issue is resolved in Sendmail version 8 12 3 and later Description When the filter operates on computers with high load the following entries can be found in the log Milter drweb milter select read interrupted system call Solution This issue is resolved in Sendmail version 8 12 3 and later Description When the filter operates on computers with high load the following entries can be found in the log Milter drweb milter select read timeout before data write Milter drweb milter to error state Solution The problem is that Sendmail cannot establish connection with the filter within the specified timeout In versions 8 11 and l
565. sures high processing speed and constantly improving quality of message analysis which is possible due to dynamic updates of the library code through Dr Web Updater component File of VadeRetro dynamic library which is used by Vaderetro anti spam plug in is located in the var dir lib directory and named as libvaderetro so as well as a file of the plug in dynamic library Please note that both files of VadeRetro library and Vaderetro plug in are named equally but they are different libraries File of the Vaderetro plug in dynamic library is located in the bin dir maild plugins directory On startup Dr Web MailD temporarily renames file of VadeRetro library by adding a cache extension to the file name It is done to avoid update conflict when updating VadeRetro library through Dr Web Updater component Depending on the analysis results each message processed by the VadeRetro library receives a score an integer in the range from 10000 to 10000 The less is the value the higher is the probability that the message is not spam Threshold value which determines whether to classify a message as spam is defined by the SpamThreshold parameter from the vaderetro configuration file If the evaluation score given to a message is higher than or equal to the SpamThreshold parameter value the message is classified as spam At the final stage of analysis VadeRetro library can add the following headers to the message e X Drweb SpamScor
566. t Server TLS settings TLS SSL settings for server communications over POP3 more gt gt Server address Address used by the POP3 filter to connect to POP3 server inet pop3 127 0 0 1 allow admin Filter error action Action to be applied to message when some error cl A Py emerges before the message is passed to the Main action reject Zl drweb maild module more gt gt Pool settings Settings of main thread pool Current values more gt gt auto minimum allow a O minimum allow a maximum allow a timeout allow a minutes stack_size MB M loglevel x stat no m Save Apply and Save Settings Figure 57 POP3 settings On this tab you can specify POP3 filter settings to check mail received via the POP3 protocol rE Wr Dr Web Console for UNIX mail servers 388 Proxy Tab Dr Web MailD v Dr Web Web Interface v Dr Web MailD is running configuration 4 Ao A v Client Address List of socket addresses used by the Sender component to receive requests from drweb proxy pela server components to send mail inet 8066 0 0 0 0 gt ERA List of socket addresses used by drweb proxy Proxy servers server components more gt gt inet 8088 SERVER IP Main pool settings Settings of a thread pool processing requests from Receiver component Current values mo
567. t onune int 1C NUMEIDE gt 3 MN MNES sn MUMKGMES SPSS MUM int JreJeCE num lt int gt discard num lt int gt tempfail num lt int gt d ate lt timestamp gt Default value ExportStatStorage Ta N ys Dr Web MailD 164 ExportPluginStatStorage string Export of statistics on number of processed messages by each of the plug ins Statistics are exported only for plug ins that are specified in the Names parameter value of the Reports section or for all working plug ins if the parameter value is not specified Export is performed e on shutdown e on SIGHUP signal e when sending a report to Administrator e after a specified period of time if reports are not sent too often If statistics are empty no messages were processed nothing is exported Names of the table and fields in the database can be arbitrary but they must be of the same type as exported data Fields in the query must be ordered like in the database List of values that can be used in the query e the same as for the ExportStatStorage parameter e plugin_name lt varchar long gt name of the plug in for which statistics are exported Example ExportPluginStatStorage odbc insert into plugin stat values plugin name lt varchar long gt size lt int gt num lt int gt q num lt int gt r_num lt int gt n_num lt int gt pass num lt int gt reject num lt int gt discard num lt int gt tempfail num lt int gt
568. t transmitted by a client if only the user part UID is transmitted The result string is used as a login that saslauthd searches for authorization If the value is not set the Hostname parameter value from the General section is used instead If Hostname value is also not specified value returned by gethostname function is used Default value ServerHostname SASL realm the server belongs to FQDN that is automatically added as domain to the user part of address transmitted by a client The result string user domain is used as a login that saslauthd searches for authorization If the value is not set and the client did not transmit Realm Domain value when authenticating FQDN is taken from the ServerHostname parameter Note that you need to specify r option for the saslauthd Ta 1 ax Dr Web MailD daemon to enable correct processing of the user domain string while authentication Default value ServerRealm SecurityOptions List of security settings separated by commas tri s eae The following security settings are allowed e noplaintext disable authentication mechanisms susceptible to attacks for example PLAIN LOGIN e noactive protection from active non dictionary attacks during authentication exchange e nodictionary disable authentication mechanisms susceptible to passive dictionary attacks e noanonymous disable authentication mechanisms that allow anonymous
569. t SMTP session stages MAIL FROM RCPT TO values of all special symbols are determined o s full address of user domain o d domain domain part of the address o u user name user part of the address Prefixes You can use the following prefixes to specify a data source e value specify the requested value after this prefix This is default prefix and can be skipped You can use this prefix when for example the value contains symbol e file the value is a file path Each value in the file must be set in a separate line That allows rapid searching because assortment and binary search can be used Please note that for parameters having special restricted type LookupLite allowed only these two prefixes and other prefixes presented below are prohibited regex the value is a regular expression compatible with Perl regular expressions the object is searched by a substring absolute matching is not required rfile the value is a file path The file contains a set of regular expressions compatible with Ta yas A A Dr Web MailD 136 Perl regular expressions and each of them must be set in a separate line The object is searched by a substring absolute matching is not required Please note that contents of files used as data source of file and rfile types are not checked in advance Before using the files ensure that files are of the text type contain only text lines files do
570. t be always available The list of available Sender components is generated on the startup and is refreshed upon receipt of SIGHUP signal Routing of messages generated by drweb notifier is managed by the MsgIdMap parameter from the Notifier section of Dr Web MailD configuration file This parameter allows defining to which Sender reports are to be sent in response to messages from certain Receivers Unique identifier for Receiver Sender is set via unique id command line parameter When components are started with this parameter they create in svar dir msgs in out directory a number of subdirectories for their message queues and in svar _dir ipc directory a special UNIX socket is created for Sender When the second copy of the component for example drweb receiver is started an additional adjustment is required that is to specify the way this second copy receives configuration A component can receive configuration in the following ways create a new copy of the conf file 263 Ta 2 i ax Dr Web MailD 264 e modify the existing copy of the conf file it is easier but less flexible To modify an existing conf file e create a new amc file for Dr Web Agent and add information on a new copy of the component The file name is arbitrary Example Application MAILD id 40 ConfFile etc drweb maild_smtp conf Components drweb sender2 General Logging Sender2 drweb receiver2 General Log
571. tall or remove the packages Mandriva urpmi 1 Installation Download a repository key from http officeshield drweb com drweb drweb key and save it to the disk After that import the key with the following command rpm import lt path to repository key gt Open the following file http officeshield drweb com drweb drweb i386 urpmi media or http officeshield drweb com drweb drweb x86_64 urpmi media After you open a file you will be offered to add a repository to the system Alternatively you can add the repository via console using one of the following commands urpmi addmedia drweb http officeshield drweb com drweb mandriva stable i386 or urpmi addmedia drweb http officeshield drweb com drweb mandriva stable x86_ 64 To install Dr Web for UNIX mail servers urpmi update drweb urpmi lt package name gt 2 Deinstallation To remove Dr Web for UNIX mail servers urpme lt package name gt To automatically remove unused packages from the system urpme auto orphans lt package name gt Removal with the use of urpme has the following features 1 The first variant the command removes only the lt package name gt package but other packages which could be automatically installed on the package installation to resolve dependences remain in the system 2 The second variant of the command removes the lt package name gt package and all unused packages which were automatically inst
572. taller v6 0 0 1 m lt gt Dr WEB lt Back Next gt Cancel Select none Figure 13 Select Software screen All corresponding dependencies are selected to be uninstalled automatically If you installed Dr Web for UNIX mail servers on the computer with another Dr Web product installed from EPM packages then the setup lists all Dr Web modules for both Dr Web for UNIX mail servers and the older product Please pay attention to the actions you perform and selection you make during uninstallation to avoid accidental removal of useful components Click Select All to select all components To clear selection click Select None When you complete selection click Next 3 On the Confirm screen review and confirm the list of components to remove Welcome Select Software Confirm software selected for removal Confirm Software to Remove Removing Dr Web Agent v6 0 0 3 fa Dr Web Bases v6 0 0 3 Boost third party C libraries needed for Dr Web v6 0 0 Dr Web Common Files v6 0 1 2 Dr Web Antivirus Daemon v6 0 1 3 Dr Web EPM Library for X11 epm gui v6 0 0 1 Dr Web EPM Dr Web uninstaller v6 0 0 1 Google performance analysis tools needed for Dr Web v6 q7 gt Ee lt bh oan me m J LJ Dr WEB 4 Back Cancel Figure 14 Confirm screen Click Next to confirm selection or click Back to make changes 4 On th
573. tandaloneMode section of Dr Web Agent configuration file etc_dir agent conf or sends it to the Dr Web central protection server corresponding settings can be found in the EnterpriseMode section of Dr Web Agent configuration file agent conf To enable statistics export via the Storage type at first set Yes as an the ExportStat parameter value in the Stat section then set a value for at least one of the following parameters in the Stat section and set the commands for the statistics export e ExportBlockObjectsStorage list of objects to export statistics on blocked messages e ExportStatStorage export of statistics on all messages processed by Dr Web for UNIX mail servers e ExportPluginStatStorage export of statistics on messages processed by each plug in For detailed description of each parameter specified above refer to the Stat Section Please note that when statistics is exported via Dr Web Agent two types of statistics are formed and sent separately e Statistics on all detected and processed threats viruses and other malicious objects e Statistics on processed messages and operations on them These two types of statistics are gathered separately So if an email message which contains 5 different infected objects was processed statistics of the first type has 5 records about actions applied to each object for example cure and statistics of the second type has only one record about an action
574. tarts all modules and loads if necessary some extra components of these modules If Dr Web Monitor fails to start a module it repeats an attempt later Number of attempts and time period between them are defined by Dr Web Monitor settings After all modules are loaded Dr Web Monitor permanently controls their operation If any module or one of its components operates abnormally Dr Web Monitor restarts the application Maximum number of attempts to restart a component and a period of time between them are defined by Dr Web Monitor settings If any of the modules starts to operate abnormally Dr Web Monitor notifies the system administrator Dr Web Monitor can interact with Dr Web Agent by exchanging control signals Operation Mode If necessary Doctor Web solutions can be used to connect to a corporate or private Anti virus network managed by Dr Web Enterprise Security Suite To operate in the central protection mode it is not required to install additional software or uninstall your Dr Web solution To provide you with this option Dr Web Monitor can operate in one of the following modes e Standalone mode when a protected computer is not included in an anti virus network and is managed locally In this mode configuration files and key files reside on local drives Dr Web Monitor is fully controlled from the protected computer and all modules start in accordance with the settings specified in the Dr Web Monitor configuration file e En
575. ted groups starting from the primary group of the station and further until the root group is reached If no custom settings are found the workstation inherits configuration of the Everyone group 391 Ta 2 N ax Dr Web Console for UNIX mail servers 392 Example The structure of a hierarchical list is as follows Netw ork Everyone Groupi Group Group3 Groupt Station1 Group4 is the primary group for Station1 To determine the settings to be inherited by Station1 the search is performed in the following order Station1 gt Group4 gt Group3 gt Group2 gt Groupl gt Everyone You can edit configuration inherited from the primary group in two ways e Using Dr Web Control Center interface To edit configuration select Network on the main menu then click the workstation name in the hierarchical list On the control menu on the left pane select the component you want to configure You need the corresponding permissions to perform this operation The configuration process is similar to the one via Console When necessary changes are made click Save to save them Dr WEB Control Center Y Preferences iti neighborhood Help Network gt aacae904 0df7 4fcc beb2 7dc9ff664254 hostname_1 gt Dr Web MailD for Linux ff 82 OS tel S aacae904 0df7 4fcc beb2 7dc9ff664254 hostname_1 Custom settings have been specified Charts
576. ted until the specified quantity is reached Already sent messages are deleted immediately others are sent at first and then deleted Default value MaxStoredMessages 100000 MaxStorageSize Maximum size of the mail database in bytes numerical value eka aan t When parameter value is set to 0 maximum size is not limited If database size exceeds the limits old messages are deleted until the specified size is reached see description of the MaxStoredMessages parameter Default value MaxStorageSize 0 MaxPoolSize Maximum mail database pool size maximum number of memory numerical value pages size of a page 8 KB If the parameter value is set to 0 the pool size is set up automatically according to available physical memory In the current version this parameter cannot be changed when reloading by STGHUP signal Default value MaxPoolSize 0 SendTimeout Timeout for plug in to perform an asynchronous scan of a time message When timeout is exceeded it is assumed that an error occurred during the message check Actions to be applied in this case are specified in the ProcessingErrors parameter of the Maild section Default value SendTimeout 30s FrozenTimeout Additional time for message processing DES If the time specified in the SendTimeout parameter is not enough for a plug in to process a message the time can be extended by the value of the FrozenTimeout parameter Note that
577. ter than the value specified in the parameter e if restriction is applied the corresponding parameter value is added to the message score Depending on the SMTP session stage restrictions can affect either a score that is added to the one of every message in the current session for SessionRestrictions and HeloRestrictions stages or an individual message score for other stages Each stage of the check could have its own specific restrictions as well as restrictions that are actual for all stages The latter include the following restrictions sleep time Suspend the SMTP connection for the specified period in seconds SCORE i ia An aaa s i If SCORE is specified this restriction is applied only to messages the current score of which is greater than the parameter value reject Return the permanent SMTP error code 5 SCORE tps If SCORE is specified the permanent error is returned only when the current message score is greater than the parameter value tempfail Return the temporary SMTP error code 4 SCORE aN i If SCORE s specified then temporary error is returned only when the current message score is greater than the parameter value mark trust Set Trusted flag SCORE AGE r All other restrictions after this parameter are to be skipped If SCORE s specified Trusted flag is set only when the current message score is lower than the parameter value set_score Changes the current mess
578. ter value determines the text of the header e In this case messages received from the mail system are transmitted for delivery bypassing the check if they both were queued via PIPE and contain the X DrWeb Hash header with the value specified in the SecureHash parameter The drweb cgp receiver module transmits the messages for final delivery after the value is cleared by substituting characters with white spaces Messages without such header are transmitted for check Note that Dr Web MailD operating as a content filter cannot remove headers so if a message was repeatedly checked its end users receive the message with an empty filled with white spaces x DrWeb Hash header which does not influence display of the message content A Note that this parameter is used by both Sender and Receiver so after the parameter value is changed sending a SIGHUP signal to Dr Web Monitor component is not enough that instructs only Sender to reread its configuration To instruct Receiver to reread the changed value restart CGP as this mail system runs the component All settings that manage operation of Dr Web MailD with CGP are collected in the CgpReceiver and CgpSender sections of the Dr Web MailD configuration file and are described in the CgpReceiver and CgpSender sections respectively When Dr Web MailD is working with CGP the following modules must be running in the system this is specified in mmc file of the Dr Web Monitor e d
579. terprise mode or central protection mode when protection of the local computer is managed from the central protection server In this mode some features and settings of Dr Web for UNIX mail servers can be modified and blocked for compliance with a general security policy for example corporate security policy A key file for operation in this mode is received from the central protection server Your personal key file on the local computer is not used To enable central protection mode 1 Contact anti virus network administrator of your company for a public key file and parameters of connection to the central protection server 2 In Dr Web Monitor configuration file by default etc dir monitor conf set the UseEnterpriseMode parameter value to Yes In the central protection mode some features and settings of Dr Web for UNIX mail servers can be modified or blocked for compliance with the general security policy A key file for operation in this mode is received from the central protection server Your personal key file on the local computer is not used For Dr Web for UNIX mail servers to fully support the central protection mode also enable Dr Web Agent to operate in the Enterprise mode For details see Operation Mode of Dr Web Agent To enable standalone mode 1 Ensure that all modules that you want Dr Web Monitor to start are listed in the RunAppList parameter in the Monitor section of Dr Web Monitor configuration file by default
580. th String Values Integration with Mail Transfer Systems Working in SMTP Proxy Mode SMTP Callback Mode Working with POP3 IMAP Mail Clients Integration with CommuniGate Pro Configuring CommuniGate Pro Configuring Dr Web MailD Operation Principles Known Issues Integration with Sendmail Configuring Sendmail Configuring Dr Web MailD Known Issues Integration with Mail Postfix Main Operation Principles Operation in After Queue and Before Queue Modes Operation Using Milter Protocol Configuring Mail Postfix Configuring Operation in After Queue Mode Configuring Operation Using Milter Protocol Configuring Dr Web MailD Integration with Exim Configuring Exim Connecting to Exim Using Special Transport Connecting to Exim Using Local_Scan Function Configuring Dr Web MailD Known Issues Integration with Qmail Configuring Qmail Configuring Dr Web MailD Known Issues 311 322 323 324 325 326 328 329 330 332 332 333 334 335 335 336 338 338 339 339 339 340 340 340 341 342 343 343 344 345 347 348 348 348 349 350 Ta Ti ax Integration with ZMailer Content Filter at SMTP Session Stage Content Filter at Routing Stage Additional Settings Integration with Courier Configuring Courier Configuring Dr Web MailD Known Issues Dr Web Console for UNIX mail servers Installation Basic Configuration User Interface Quarantine Toolbar Filter Panel List of Messages Navigation Pane Configuration Basic Settings Tab
581. th this query the following addresses are marked as protected e all addresses from the setc_ dir email ini file e localhost address e all addresses found with the ldap sub mail s LDAP query except for those that are listed at home trusted domains these addresses are not queried Example 3 Router mysql select routerinfo from maild where email S s foo inet 234 foo ru With this query it is checked whether the certain address is listed in the email column of the maild table in MySQL database If the address is in the database the message is dispatched to the address found in routerinfo column otherwise it is sent to the inet 234 foo ru address for all recipients with foo in the address Lookups can be also used in Rules Example 4 rcopt ldap rules sub mail s cont This query allows receiving the rules field for all mail LDAP fields that contain the receiver address The rules field contains settings to be applied to this recipient Please note that all CONDITIONs must be enclosed in quotation marks as a CONDITION part can contain special symbols for example round brackets Ta J 1 ax Dr Web MailD 139 Thus if you write the following rcpt ldap rules sub mail s cont an error will occur Mon Jun 29 18 53 01 2009 3081262768 ldap rules sub Mon Jun 29 18 53 01 2009 3081262768 condition ropt ldap rules sub mail s cont maild rules ERROR
582. th to directory stored Default value Environment SizeLimit Maximum number of bytes received in response to a single integer database request Values must be within the following range from 1024 to 65536 Other values are converted to the closest valid value Default value SizeLimit 1 Lib Path to the 1ibdb so library Ha co cil a on Pe Saar During installation usr lib libdb so symbolic link to the library is usually created If not it is necessary to specify the right library version that is usr lib libdb 4 5 so Default value Lib usr lib libdb so SkipDomains List of domains for which query to the database is not required LookupLite This parameter often allows to improve total performance and considerably reduce server load Please note that the parameter value is LookupLite The parameter value can also be locally overridden in a Lookup Default value SkipDomains OnError Sets the mode of error handling errors that occur in Lookup ignore exception when connecting to the specified data source Ta 1 ax Dr Web MailD Allowed modes e ignore ignore the error and continue message processing the error is only logged e exception generate an exception which is handled as a message processing error The handling method corresponds to the ProcessingError parameter value set for the module in operation of which this error occurred The parameter val
583. th to the file is etc syslogd conf To set a flag for syslog messages specify SyslogFacility parameter value in configuration files You can specify one of the following parameter values o Daemon label of a resident system service daemon message o Local0 Local7 label of a user application message 8 values are reserved Localo to Local7 o Kern label of a system kernel message o User label of a user process message o Mail label of a mail system message Note that if information is logged into syslog an additional parameter SyslogPriority can be specified in configuration files SyslogPriority defines a verbosity level of logging into syslog and is modified by one of the values available for the LogLevel parameter If you select the mode of logging into the file SyslogPriority is ignored Otherwise information is logged into syslog with the less verbosity level Example Let us assume that logging of component operation is defined by the following parameter values LogLevel Debug SyslogPriority Error If mode of logging into syslog is selected the log verbosity level is Error that means only records about errors are to be logged and the Debug value is ignored Allowed Actions You can configure Dr Web for UNIX mai servers components to apply specified actions to objects that are detected to be malicious suspicious or potentially dangerous You can specify one main action and
584. the database add the plug in name to the list of the AfterQueueFilters parameter values from the Filter section of the Dr Web MailD configuration file Example AfterQueueFilters vaderetro 301 Ta yan A A Dr Web MailD 302 Setting Vaderetro Plug In All main parameters that regulate plug in operation are set in setc_ dir plugin vaderetro conf configuration file Description of the configuration file structure and parameter types is provided in Configuration Files Parameters are described in the order they appear in the main configuration file In the VadeRetro section general settings for vaderetro plug in are specified Vaderetro section Path to the VadeRetro anti spam library PathToVadeRetro oa to filel It is possible to enable dynamic updates with Dr Web Updater component It will download a new library version replace the old library with it and send SIGHUP signal to drweb maild process Default value PathToVadeRetro Svar dir lib libvaderetro so R The parameter determines strategy of message check for spam If FullCheck the parameter is set to No a message is checked for spam only if logical the total sum of positive message scores for example scores given is the message sender is specified in the white list is under the threshold set in the VadeRetro library Otherwise if the parameter value is set to yes a message is checked for all spam attributes regardless of the
585. the Server2 and enable startup of Proxy server drweb proxy server 6 Specify the IP address of Server1 as a value of the ProxyClientsAddresses parameter from the ProxyServer section in the Dr Web MailD configuration file on the Server2 This address must be the same that is specified as a value of the Address parameter from the ProxyClient section Mail will be sent to it 7 Check validity of configuration on the Server2 host with the following command etc init d drweb monitor check for Linux and Solaris usr local etc rc d 00 drweb monitor sh check for FreeBSD If the configuration is correct you can start Dr Web MailD on the Server2 8 Specify IP address of the Server2 as a value of the ProxyServersAddresses parameter from the ProxyClient section in the Dr Web MailD configuration file on the Server1 This address must be the same that is specified as a value of the Address parameter from the ProxyServer section Requests for message checks will be sent to in 9 Disable startup of MailD core drweb maild component by commenting out the corresponding line in the mmc file from the etc dir monitor directory on the Server1 and enable startup of Proxy client drweb proxy client Note that at attempt to start simultaneously on the same host Proxy client and MailD core components Dr Web Monitor will finish its operation and no components will be initialized Information about this error will be logged 10 Check validity of c
586. the disk For stable Dr Web MailD operation it is required to have more RAM memory than total amount of messages processed per second and multiplied by the average time required for processing in seconds At that limitation on the number of threads in a pool specified in component pool settings restricts the total number of messages per second The average time required for processing one message in seconds depends only on server capacity with constatnt settings for plug ins processing Rules etc Thus the average time must be estimated with the use of Dr Web MailD logs for the current architecture To provide stable operation pools of drweb receiver drweb milter drweb maild and drweb sender modules must have the same number of threads However if drweb sender uses routing configured by the Router parameter value this module must have more threads in its pool than other modules If a time period of 5 seconds specified in IpcTimeout is not enough for message processing balance the load and decrease the number of threads in pools see above Using Internal Proxy Internal proxy included in Dr Web MailD allows to achieve several goals in management of computing resources 1 Dr Web for UNIX mail servers efficiency may improve greatly when Receiver and Sender components are working separately from MailD core component drweb maild module so that mail processing and mail checking operations are performed on different hosts 2
587. the drweb32 ini configuration file In the Standalone mode alternative path to the key file must be specified as a value of the LicenseFile parameter in agent conf a configuration file of Dr Web Agent 3 Configure the software by making necessary changes to the configuration files For details on configuration parameters see the corresponding sections of this Manual 4 Set 1 as a value of the ENABLE variable in the drwebd enable file to run Dr Web Daemon If it is not required to run Dr Web Daemon on the local machine properly configured Dr Web Daemon is working on another local network computer the value of the ENABLE variable must be 0 its default value 5 Set 1 as a value of the ENABLE variable in the drweb monitor enable file to run Dr Web Monitor Location of the enable files depends on Dr Web for UNIX mail servers installation type Installation from universal package for UNIX systems Files are saved to the etc_dir directory and named as follows drwebd enable drweb monitor enable Installation from native DEB packages Files are saved to the etc defaults directory and named as follows drwebd drweb monitor Installation from native RPM packages Files are saved to the etc sysconfig directory and named as follows drwebd enable drweb monitor enable 6 Run Dr Web Daemon and Dr Web Monitor either from the console or a file manager of your operation system After startup Dr Web Mon
588. the pass action was applied lt number gt lt size in bytes gt of the messages for which the reject action was applied lt number gt lt size in bytes gt of the messages for which the discard action was applied lt number gt lt size in bytes gt of the messages for which the tempfail action was lt number gt lt size in bytes gt of the messages for which the quarantine action was lt number gt lt size in bytes gt of the messages for which the redirect action was lt number gt lt size in bytes gt of the messages for which the notify action was applied lt number gt lt size in bytes gt of clean messages lt number gt lt size in bytes gt of the messages marked as spam lt number gt lt size in bytes gt of the messages marked as unconditional spam lt number gt lt size in bytes gt of the messages blocked by the filter lt number gt lt size in bytes gt of the messages with viruses number of infected attachments number of attachments infected with modification of a known virus DSV number of attachments infected with an unknown virus A yan Aq A Dr Web MailD 233 e DC number of cured attachments e DD number of deleted attachments e DSK number of attachments that were passed without anti virus check for various reasons e DAR number of attachments that were passed without anti virus check because of restrictions on archives e DE number of attachments which
589. this parameter value is small less than 10 bytes clients commands are not processed Default value MaxCommandLength 1000b OnFilterErrors Action to be applied to the message when an error occurs before action the message is transmitted to the drweb maild module Possible values are reject or pass Default value OnFilterErrors reject Data Sources This chapter provides you with description of sections that contain parameters of connection to data sources used in Lookup and Storage As a data source it is possible to use LDAP databases and text files with regular structure Note that these sections contain only general parameters used in Lookup and Storage by default Some parameters as marked in their description can be locally overridden in each concrete Lookup Storage Dr Web MailD configuration file can contain any sections with settings of connection to data sources Those sections are actual that are used in Lookup and Storage Sections that contain parameters of connections to unused data sources do not influence Dr Web for UNIX mail servers operation LDAP Section In the LDAP section settings to establish and maintain interaction between Dr Web MailD and LDAP server are specified Lib Path to OpenLDAP library version 2 0 or later ta co fil tipe coi Library must be built with thread support that is x suffix must Ta 1 ax Dr Web MailD 199 be present in the file name
590. time 121 busy max 1024 avg 50 756950 requests for new process 94 0 084305 num sec creating fails 0 max processing time 40000 ms avg 118646 ms curr 0 busy 0 where e min minimal number of processes in the pool e max maximal number of processes in the pool e auto displays if limits on number of processes in the pool are determined automatically e freetime maximum idle time for a process in the pool e busy max maximum number of simultaneously used processes avg average number of simultaneously used processes e requests for new process number of requests for new process creation frequency of requests per second is displayed in parenthesis e creating fails number of failed attempts to create a new process failures usually occur when the system is running low on resources e max processing time maximum time for processing a single scanning request e avg average time for processing a single scanning request e curr number of all current processes in the pool e busy number of currently used processes in the pool Configuration Dr Web Daemon can be run with default settings but you can configure it according to your specific requirements Daemon settings are stored in the Daemon section of the configuration file drweb32 ini by default which is located in setc dir directory To use another configuration file specify the full path to it as a command line op
591. tings for basic setup Setup can be performed manually as well for details refer to the corresponding chapters of this manual The configure mta sh script configures MTA as follows e Connection using special transport is performed for Exim e After Queue Mode configuration is performed for Postfix e Zmailer is configured to be used in context filter mode at the stage of SMTP session e Proxy scheme is performed for Qmail Thus for example to set Postfix to operate using Milter protocol configure MTA according to the steps described in the corresponding section instead of running the configure mta sh script Working in SMTP Proxy Mode Dr Web MailD can operate as a proxy server for SMTP LMTP mail protocols which allows to use it with a great number of mail systems In this mode drweb receiver module operates as an SMTP LMTP server i e Receiver component and drweb sender module operates as an SMTP LMTP client i e Sender component As drweb sender module can transfer messages directly via the local mail system the module is used in almost any solutions of integration with MTA Module drweb receiver includes a high performance SMTP server implemented using modern multiplexors epoll kevent and dev poll This SMTP server is multithreaded It supports several connections per each thread IPv6 protocol and the following SMTP extensions e PIPELINING RFC 2920 e 8BITMIME RFC 1652 e ENHANCEDSTATUSCODES RF
592. tings from different data sources As described at the beginning of this section values of required parameters are retrieved from Rules stored in the built in database then from Rules specified in the Rules section and after that from the configuration file Let us consider an example which illustrates joining of settings retrieved from different sources according to the described algorithm Example a Let us assume that the following Rules are specified for the test drweb user in the built in database gt email info test drweb com test drweb com A 1 S 1 name aliases alias test drweb com groups divine good evil rules 1 true cont modifier LocalRules select message append text Scanned 1 modifier LocalRules quarantine 2 true cont modifier LocalRules select message append text Scanned 2 3 rept odbc select rules from maild where addr S s cont custom Three processing Rules relate to test drweb com address at that the third rule has implicit SETTINGS part that checks condition using Lookup and imports selected set rules field value as the SETTINGS part of the Rule The Rule uses data from the maild database table access to this table is also configured via ODBC b Let us assume that the table entry which relates to test drweb com address is as follows test drweb com modifier LocalRules select message append text Scanned 3 c And let us also assume that
593. tion Daemon EnginePath Location of drweb32 d11 module anti virus engine Dr Web path to file Engine This parameter is also used by the Dr Web Updater Default value EnginePath tbin dir lib drweb32 d11 VirusBase Masks for virus databases list f Zil k A z ec Gee tam som This parameter is also used by Dr Web Updater Multiple values are allowed separated by commas By default virus databases files has the vadb extension Default value VirusBase bvar dir bases vdb UpdatePath Directory to store updates The parameter is mandatory Ta g ys TempPath path to directory Key path to file MailAddressesList path to file OutputMode Terminal Quiet RunForeground logical User text value Dr Web Daemon Default value UpdatePath var dir updates Directory where the Dr Web Engine anti virus engine puts temporary files It is used when system has insufficient memory or to unpack certain types of archives Default value TempPath var dir spool Key file location license or demo By default a key file has the key extension Please note that Dr Web Daemon and Dr Web Scanner can have different license key files In this case change the value of this parameter correspondingly The parameter value can be set several times to specify several license key files In this case Dr Web Daemon tries to combine all license permissions from all availa
594. tion method refer to Working with POP3 IMAP Mail Clients 4 Combined integration This mode is a combination of either the first or the second mode any of them with the third mode Thus it is possible although not always reasonable to implement double message check when a message is received on the protected MTA MDA and when the message is transferred from MDA to MUA This integration method can be useful if some of the messages are sent through MTA further and they must be checked on the SMTP level but for the rest of the messages this MTA is the end MDA and they can be checked by request from the end MUA upon receipt Note that in this case fine tuning of the Dr Web MailD operation logic is required including specification of message processing Rules and probably rules for routing the outgoing mail set in the Router parameter in Sender settings To simplify the integration process Dr Web for UNIX mail servers includes installation packages and configuration scripts for different mail systems The configure mta sh script is responsible for setting up interaction between Dr Web for UNIX mail servers and the currently used mail system After startup the script checks whether the required mail system is installed If it appears to be missing the script finishes its operation If the required mail 327 Ta J 1 ax Dr Web MailD system is installed the script asks the user several questions on essential set
595. tions Ta J i ax Dr Web MailD 129 It is recommended to gether internal statistics on Dr Web MailD operation to estimate the load and its bandwidth This information can be used to optimize operation and system resources usage Statistics on SMTP restrictions appliance Statistics on appliance of restrictions on different SMTP session stages is saved to the restrictions txt file Restrictions for Receiver are specified in the Receiver section of the Dr Web MailD configuration file Statistics is saved only if the value of the RestrictionStat parameter in the same is set to Yes Statistics records are always added to the end of file Each record starts with the following lines start Tue Oct 9 14 44 15 2008 curr Tue Oct 9 14 44 29 2008 period Od Oh Om 14s where e start time of the previous statistics record e curr time of the current statistics record e period time interval between the previous and current records Further after an empty line applied SMTP restrictions are listed one line for one restriction For example reject_unknown_ domain total 19 trusted 0 reject 0 tempfail 0 For each restriction the following information is output e restriction type e total count of messages for which this restriction was checked total e count of messages which were marked as trusted upon applying of this restriction trusted e count of messages which were rejected upon applying of this re
596. to For more information see Message processing Default value CanChangeBody Yes Timeout for the drweb milter module to wait for a message to be scanned It is recommended to set this parameter value greater than the SendTimeout parameter value from the MailBase section Note that value of the ITPCTimeout parameter in the General section is also considered Dr Web MailD selects greater value among values of the ProcessingTimeout and IPCTimeout parameters If during the selected timeout Dr Web MailD does not return response to drweb milter action specified in the ProcessingErrors parameter is performed see below and broken pipe errors are recorded in the Dr Web MailD log Default value ProcessingTimeout 40s Action applied to messages that caused scanning errors Only one of these actions can be specified tempfail discard pass reject Default value ProcessingErrors reject Minimum number of connections to the drweb maild module In the current version this parameter cannot be changed with SIGHUP signal restart of Dr Web MailD is required Default value MinPersistConnection 2 Statistics of connections to the drweb maild module Statistics is logged when drweb milter process receives SIGUSRI1 signal Default value UseStat No 191 Ta yan A A Dr Web MailD 192 MaxFreetime Maximum idle time before closing all connections with the drweb time maild module
597. to 0 in the enable file Each of the components can be run independently as well but note that Dr Web Agent must be started first since all other modules receive configuration from Dr Web Agent For FreeBSD OS To run Dr Web for UNIX mail servers 1 Register the software 2 Copy or move the key file with the key extension to the directory with Dr Web for UNIX mail servers executable files the default directory for UNIX systems is bin dir Name of the key file can differ in different distribution packages for details see Software Registration e If Dr Web for UNIX mail servers was purchased as a standalone product license key file is named drweb32 key In this case copy the file to the bin dir directory without changing its name e If Dr Web for UNIX mail servers was purchased as a part of Dr Web Enterprise Security Suite archive received during registration contains a key file for Dr Web Enterprise Server enterprise key and a key file for workstations agent key Rename agent key to Ta J 1 aX Starting Dr Web for UNIX mail servers drweb32 key and copy the file to the bbin dir directory To use a key file from a different location or with another name for example agent key specify its full path as a Key parameter value in the drweb32 ini configuration file In the Standalone mode alternative path to the key file must be specified as a value of the LicenseFile parameter in agent conf a config
598. to be executed by drweb maild Messages must be sent to the address specified in the FilterMail parameter from the Notifier section of the Dr Web MailD configuration file or in local rules which are true for this message ACL setup for control messages is performed by setting a value of the OnlyTrustedControlMails parameter from the Maila section of the Dr Web MailD configuration file Receiving messages from Quarantine is enabled by setting Yes as a value of the AccessByEmail parameter from the Quarantine section of the Dr Web MailD configuration file To receive a certain message from Quarantine specify the following string in the Subject field of the control message q relative path to file where relative path to file is a relative path to the file in Quarantine for example def drweb F 00014F8F DW SHOT PRODUCT QgFpdH The message is requested from Quarantine only if its sender or one of its recipients is the same as the sender of a contro message The contro message can be automatically generated by the user MUA when the user clicks the corresponding link in report sent by Dr Web Notifier upon transfer of message to Quarantine Migrating to New Quarantine Version Dr Web MailD version 6 0 and later features Quarantine of a new format message body is saved to the file system but message envelope and additional information are now saved to the internal database To upgrade Quarantine to a new format for Dr Web Mai
599. topped o Score score add a SCORE to the message counter The SCORE value can be negative o Add header HEADER add a header of the following type NAME BODyY to the email message where NAME is the name of the header the default name is x DrWeb MailD and BODY is the text of the header Please note that you can use strings from language files 1ng String to be inserted is defined by a number for example add header X Added Header 3 In this case the X Added Header header is to be added with the lt value gt value which is taken from the 3 lt value gt string of the used language file If you use and characters it is necessary to escape them in order to avoid incorrect interpretation of the header To escape characters To escape a punctuation character in a header use 3 backslashes Example EmptyFrom continue add header header Empty header spam To escape parenthesis use a backslash Example ProcessingErrors tempfail add header header header To escape a whole header use quotes add header BODY Example ProcessingErrors tempfail add header header spam To escape double quotation marks use 3 backslashes Examples EmptyFrom continue add header header X Header new header EmptyFrom continue add header header X Header new header You can use the following actions when config
600. tor is used Size is specified in KB MB or GB enter the corresponding suffix after the number k m g Example size gt 10m Message score Before the size it is required to specify the comparison operator If not specified the default lt operator is used Example score 1000 Port number Path to UNIX socket Lookup Port number Identifier string Absent Size or comparison operator Number or comparison operator used by default for example user domain com stop lt some_settings gt is equal to the following Rule any user domain com stop lt some_settings gt e If the parameter value contains white spaces or amp r ae characters the value must Ta J i ax Dr Web MailD be quoted To use a character within the quotation marks escape the character with the backslash e If the Rule contains an empty address specify it as follows for that For example from stop scan no and do not use angle brackets lt gt To create composite conditions use the following logical operators to join simple Boolean terms AND amp amp OR NoT You can also use brackets to set priority of logical operations Condition must contain at least one Boolean term Example 1 true stop lt some_settings gt Settings lt some_settings gt are applied unconditionally if the Rule is used during the processing that is t
601. tories Installing software Updating file permissions Running post install commands Installation of drweb libs is complete Backing up old versions of files to be installed Creating installation directories Installing software Updating file permissions Installation of drweb boost144 is complete Backing up old versions of files to be installed Creating installation directories Installing software Checking configuration files Updating file permissions Running post install commands Installation of drweb agent is complete Copyright Doctor Web Ltd 7 Once installation of the components completes the post install script runs automatically to set up Dr Web for UNIX mail servers basic configuration You are offered to specify the path to the license key file and automatically enable all the services necessary for Dr Web for UNIX mail servers proper operation for example Dr Web Daemon Dr Web Agent Dr Web Monitor In addition you can set an order of mail processing by the plug ins and specify lists of protected networks and domains user hostname Mpaska Bug Monck This installation script will help you to configure DrWeb for Mail server Antivirus Ant ispam Do you want to continue YES no yes yes Enter path to key file for Dr Web MailD If you don t have the key yet you can leave this value unspecified but you must set LicenseFile parameter value in configuration file agent conf
602. tpd_milters parameter and remove all of the changes made to master cf file Necessary restrictions can be specified directly in the Postfix configuration files Address of the transport connection through which Postfix interacts with drweb milter module can be specified as a TCP socket or as a UNIX socket Address is specified in the smtpd_milters parameter of the Postfix configuration file main cf If the connection is established via a TCP socket the parameter value is set in the following format inet host port for example smtpd_milters inet 127 0 0 1 3001 If the connection is established through the UNIX socket the address is set in the following format unix pathname where pathname is an absolute path to the UNIX socket A If UNIX socket is used Postfix must have privileges for writing to the socket file Address of the transport connection between Postfix system and drweb milter module must be also specified in the Address parameter of the Milter section in Dr Web MailD configuration file 341 Ta J i ax Dr Web MailD Format and value of this parameter must be identical to the format and value of smtpd milters parameter in main cf file Apart from transport address the following parameters must be specified in main cf configuration file e milter_content_timeout 300s this timeout of Postfix system is very important It defines the maximum time period for Dr Web MailD to check a message in the BeforeQueueFi
603. tput in the groups get rules format e groups remove rule client group index remove the rule with index ordinal number for the group specified in client group Numeration index starts with 1 If a group does not exist an error is output If the index value exceeds the maximum number of rules for the specified group or index is less or equal to 0 an error is output After successful modification the rules for the current group are output in the groups get rules format e groups info ext group list output all users from ext group list list information about their activity and other information If a group from ext group list does not exist an error is output but the execution continues If ext group list is not specified information on all existing groups is output Aliases in the address lists are not output Output format client idl groupl A activel S statl emails emaill email2 custom tagl infol tag2 info2 client id2 group2 A active2 S stat2 emails email21 email22 custom tag21 info21l tag22 info22 e groups count ext group list this command is similar to groups info command but outputs only the number of found groups groups get custom tag group list receive information with the tag associated with each user in the group list list If a group does not exist an error is output but the execution continues If information with the tag is not found an empty string is out
604. ts must be specified Description of each module must contain the following information name and list of sections in the configuration file with parameters that are necessary for proper operation The list of sections and parameters is comma separated To describe individual parameters properly specify the full path to them for example Quarantine DBISettings In the section descriptions only their names can be specified for example General To denote line breaks a back slash is used If the component requires all settings from the configuration file you can specify a path instead of the list of sections and or parameters 101 Ta yan A A W Dr Web Agent Example of amc file from Dr Web MailD package for Linux Application MAILD id 40 ConfFil etc drweb maild_smtp conf Components lookup ldap LDAP lookup _regex REGEX drweb maild General Logging MailBase Stat Maild Filters Quarantine Rules Rule Rules Reports Send Reports SendTimes Reports Names Reports MaxPoolSize Reports MaxStoreInDbPeriod Reports CheckForRemovePeriod Notifier FilterMail Notifier NotifyLangs Notifier LngBaseDir drweb notifier General Logging Notifier Sender Method Rules Reports Filters BeforeQueueFilters Filters AfterQueueFilters Quarantine AccessByEmail Quarantine StoredTime drweb sender General Logging Sender drweb receiver General Logging Maild ProtectedNetworks Maild P
605. tuation might occur due to network or power supply problems If a stalled message is found it is queued for dispatch Also this parameter value is used for repeated requests to datasources from Lookups specified in the Router parameter see below if the used data sources are not accessible and therefore a message cannot be delivered as the destination address is unknown Default value StalledProcessingInterval 10m Time period between attempts to send stalled messages and notifications that were not sent on the first attempt When Dr Web for UNIX mail servers is running in synchronous mode Sender attempts to send processed messages regardless of the first interval specified in the parameter value If the attempt is unsuccessful Sender starts dispatching delayed messages after a time period specified in the SendingIntervals parameter value If the first parameter value is 0 it is ignored as an attempt to send a message was already performed If Dr Web for UNIX mail servers is running in asynchronous mode Sender always attempts to send messages according to time intervals specified in the parameter value Please note that all generated notifications and DSN are always sent in asynchronous mode regardless of Dr Web MailD operation mode Thus dispatch of delayed messages and DSN starts according to the first time interval specified in the SendingIntervals list So it is recommended to set 0 as the first interval If the
606. ubject see below SpamThreshold parameter value must be less than or equal to the value of the UnconditionalSpamThreshold parameter Please note that Vaderetro plug in classifies a message as spam or not spam only according to the ratio of the message score to the SpamThreshold value At that the class to which VadeRetro classified the message is not taken into account For example a message can be considered as spam by the library and classified to group 1 but if its score assigned by the library is less than the specified threshold the message is not indicated as spam by Vaderetro plug in X Drweb SpamState header is set to No and thus the action specified for spam messages is not applied to it Default value SpamThreshold 100 The parameter value is a threshold for the total message score If a message score is greater than or equal to this parameter value the message is identified as unconditional spam and X Drweb SpamState header is set to Yes In this case action specified in the UnconditionalAction parameter is applied to the message and the text specified in the UnconditionalSubjectPrefix parameter is added to the message subject see below Value specified in the UnconditionalSpamThreshold parameter must be greater than or equal to the value of the SpamThreshold parameter Default value UnconditionalSpamThreshold 1000 Actions to be applied to a message which was identified as spam by Vaderetro plug in
607. uded drweb libs and drweb 1ibs32 which contain libraries for 64 and 34 bit systems correspondingly To install all Dr Web for UNIX mail servers components automatically use either console CLI or the default file manager of your GUI based shell In the first case allow the execution of the corresponding self extracting package with the following command chmod x drweb mail product name version number OS name run and then run it drweb mail product name version number OS name run As a result drweb mail product name version number OS name directory is created and the GUI installer starts If it starts without root privileges the GUI installer tries to gain required privileges If the GUI installer fails to start then interactive console installer starts automatically If you need only to extract the content of the package without starting the GUI installer use noexec command line parameter drweb mail product name version number OS name run noexec After you extract the content you can start the GUI installer and continue setup with the following command drweb mail product name version number OS name install sh To install with the use of the console installer use the following command drweb mail product name version number OS name setup sh Installation regardless of the used method includes the following steps e Original configuration files are record
608. ue Interactive management control socket allows you to e Manage the general status of the solution e Manage users join them in user groups create aliases and adjust parameters of messages processing e Manage Quarantine e Get gathered statistics e Check Notifier operation General Management Commands General commands and their descriptions are presented in the following table help Outputs complete list of commands from all the sections lt section name gt A ah lt command name gt After this command you can specify the section name to receive information on all of all the commands from it Also you can specify the name of the specific command to get information only on it You can view the list of all commands with the help al1 command option Outputs the list of the parameters and their values used by both drweb maild and regex plug ins which receibed their settings from Dr Web MailD The output parameter names match the specified regular expression If a regular expression is not specified all parameters are output db state Outputs the current state of the Dr Web MailD internal database in the following format Number NC NM Size SC SM where NC and NM are current and maximum amount of messages in the database and sc and SM are current and maximum size in bytes of the database If NM or SM are equal to 0 the maximum amount of messages and maximum database size are not limited
609. ue IpcTimeout 40s Name of the host used by Dr Web for UNIX mail servers Default value Hostname In the Maila section general setting for Dr Web MailD proper operation are specified ProtectedNetworks Lookup ProtectedDomains Lookup List of networks protected by Dr Web MailD Values are specified in the CIDR format This parameter is used to specify trusted networks in the corresponding Vaderetro plug in parameters and if trust protected networks is specified in the SessionRestrictions parameter in the Receiver section Please note that the parameter value is Lookup Using of Lookup has series of restrictions described below Example ProtectedNetworks 10 0 0 0 24 127 0 0 0 8 mysql select net from networks where net S s Default value ProtectedNetworks 127 0 0 0 8 List of domains protected by Dr Web MailD This parameter is used to specify trusted domains if trust protected domains is specified in the SessionRestrictions parameter in the Receiver section Please note that the parameter value is Lookup Ta 1 ax IncludeSubdomains InPoolOptions pool options OutPoolOptions pool options RedirectMail email address OnlyTrustedControlMails logical MaxScore numerical value MaxScoreAction actions logical Dr Web MailD 144 Example ProtectedDomains example ru example com Default value ProtectedDomains Include
610. ue and an epilogue As any nested object has the same structure as a message object also consists of a header body and Ta J i ax Dr Web MailD in some cases prologue and epilogue messages can be treated as a MIME object with headers Headers and content Body This MIME object is called a root object To search objects in a message Dr Web Modifier supports the following versions of regular expressions e basic regular expressions e extended regular expressions e Perl compatible regular expressions For details on regular expressions you can visit Wikipedia Regular expression article Order of modification rules for message processing The plug in processes messages according to modification rules These rules are divided into local rules and global rules At first local rules are applied and then global rules If a message does not have local modification rules specified for it that depends on the Processing rules applied for the message see below the message is checked only according to global modification rules If a message does not satisfy local modification rules it is rejected and check with the use of global rules is not performed Local modification rules used by Dr Web Modifier can be specified in Message processing rules either in the Rules section of the Dr Web MailD configuration file or in the built in database of users and user groups For modification rules the modifier LocalRules p
611. ue can also be locally overriden in a Lookup Default value OnError ignore Dr Web MailD uses a library version 4 3 4 6 Internal Proxy This chapter provides you with description of sections which contain parameters of Dr Web for UNIX mail servers proxying Proxying is used for transparent distribution of Dr Web MailD modules by several hosts Please note that if proxying is used Sender Receiver component pairs operate on some hosts and MailD core core processing component on the others On hosts where Sender and Receiver components work Proxy client component is run on hosts with Maild core Proxy server component On the host where Proxy server operates Dr Web MailD configuration file must have the ProxyServer section and on the host where Proxy client component operates ProxyClient section If proxying is not used both sections in the configuration file can be absent ProxyClient Section In the ProxyClient section settings for drweb proxy client module Proxy client component are specified ProxyServersAddresses list of List of socket addresses used by drweb proxy server addresses components Addresses are specified as follows ADDRESS1 WEIGHT1 ADDRESS2 WEIGHT2 where ADDRESS has a basic address type and WEIGHT is an optional numeric value in the range 0 100 defining a weight of this address The WEIGHT value determines a relative work load on a certain host in the network The greate
612. ue of the LogLevel parameter from the Logging section is used o stop timeout time maximum time for a working thread to stop for example when program finishes its operation or when it is necessary to decrease the number of threads in a pool Example InPoolOptions auto Number of threads is detected automatically internal statistics is not collected except for Receiver and Sender as statistics is collected permanently for these components Example for Notifier PoolOptions 25 stat yes In the example number of threads in the pool always equals 25 internal statistics is collected For Sender and Receiver components auto value equals to 2 500 and for other Dr Web MailD components the value equals to 2 1000 Be careful when changing a number of threads in pools For details refer to Optimizing operation and use of system resources For Sender and Receiver components additional parameters of the thread pool such as timeout stat and others are not specified and even if the values are set they take no effect as Sender and Receiver permanently collect statistics on the thread pools Ta J i ax Dr Web MailD 135 Lookup Lookup s generalized interface for searching objects and receiving their values Values are separated by commas Some values have a prefix denoting a specific type of Lookup The prefix is separated by a colon prefixl valuel prefix2 value2 If a prefix is not specified
613. uest for creation of DSN about failure to dispatch an email message MailD notifications can be sent to senders and recipients of email messages and to the system administrator Functions of this component are performed by the drweb notifier module Additional modules used for analysis and check of email messages for viruses suspicious software and spam attributes Messages are processed by plug ins in a user defined order List of used plug ins can be changed at any time without restart of Dr Web MailD To do this change the corresponding parameters in the configuration file and send SIGHUP signal to MailD core or Dr Web Monitor General set of plug ins concrete set depends on the installed distribution kit e Drweb plug in for anti virus check of email messages It uses Dr Web Daemon that receives email messages that are already parsed e Dr Web HeadersFilter plug in for filtering of email messages by their headers The filtering rules can be set using Perl regular expressions e Vaderetro plug in which checks mail for spam messages It uses a VadeRetro library that is regularly updated and provides spam recognition of high quality Ta N ys Dr Web MailD 118 e Dr Web Modifier plug in allows modification of an email message or its any part according to some conditions For example the plug in allows adding a text label to check email messages or deleting pictures from messages marked as spam C
614. ult value BindDn Password used for binding The parameter value can also be locally overridden in a Lookup Default value BindPw Ta 1 ax SearchBase SeenON SizeLimit numerical value Dereference 3 2 2 OF ChaseReferrals numerical value SkipDomains LookupLite OnError ignore exception CheckPeriod time Dr Web MailD 200 Base DN to start search from RFC2253 Default value SearchBase Maximum number of strings received in response to the single database request When parameter value is set to 0 maximum number of received strings is not limited The parameter value can also be locally overridden in a Lookup Default value SizeLimit 0 Permissions for LDAP aliases e 0 never e 1 when searching e 2 when locating base object for search e 3 always The parameter value can also be locally overridden in a Lookup Default value Dereference 0 LDAP OPT REFERRALS setting To set this parameter LDAP protocol version 3 or later is required The parameter value can also be locally overridden in a Lookup Default value ChaseReferrals 0 List of domains for which request to database is not required This parameter often helps improve performance and considerably reduce server load Please note that the parameter value is LookupLite The parameter value can also be locally overridden in a Lookup Default value SkipDomains
615. ults of the uninstallation steps in the console in real time 6 Once the process completes exit setup Installing from Native Packages You can install Dr Web for UNIX mail servers from native packages for common Linux distributions or FreeBSD operating system All packages are located in the Dr Web official repository http officeshield drweb com drweb Once you added the repository to the package manager of your system you can install update or remove necessary packages like any other program from repository All dependencies are resolved automatically Ta 5 N Installation and Uninstallation 42 aX After installing packages from repository automatic post install script for installing license key file is not initiated Licence key file must be manually copied to bin dir For the updates to take effect you need to restart all Dr Web services after updating from repository Depending on required solution replace lt package name gt in commands below with one of the following packages e drweb mail gateways as Dr Web Anti spam for UNIX Mail Gateways e drweb mail gateways av Dr Web Anti virus for UNIX Mail Gateways e drweb mail gateways av as Dr Web Anti virus and Anti spam for UNIX Mail Gateways e drweb courier as Dr Web Anti spam for Courier Mail Servers e drweb courier av Dr Web Anti virus for Courier Mail Servers e drweb courier av as Dr Web Anti virus and Anti spam for Couri
616. uration file Infected cure quarantine notify add header infected Anti Spam Tab This tab contains general settings of Vaderetro anti spam plug in included in Dr Web for UNIX mail servers 370 rE os Dr Web Console for UNIX mail servers 371 Dr Web MailD version Dr Web Web Interface version Configuration 7 2r Web maib is running S o Ee ea Ee 8 vy Common Full check Enables full spam check for each message more gt gt Yes Ignore embedded ham domains X Drweb SpamVersion header with information on VadeRetro version is added to message X Drweb SpamState Num header added to message more gt gt Unconditional spam action Action to be applied to unconditional spam o more gt gt Main action pass Additional actions quarantine redirect es addheader __ Spam action Action to be applied to spam messages M more gt gt Main action pass Additional actions quarantine redirect add header Black List Black list of senders more gt gt custom value _ Z Size limit Maximum size of a message to scan o Log verbosity level Plug in log verbosity level info m Apply and Save Settings Figure 40 Anti spam settings Headers Filter Tab This tab contains general
617. uration file of Dr Web Agent 3 Configure the software by making necessary changes to the configuration files For details on configuration parameters see the corresponding sections of this Manual 4 Add the following lines to the etc rc conf file e drwebd_enable YES to run Dr Web Daemon If it is not required to run Dr Web Daemon on the local machine properly configured Dr Web Daemon is working on another local network computer then you do not need to add the line to the rc conf file e drweb monitor enable YES to run Dr Web Monitor 5 Run Dr Web Daemon and Dr Web Monitor either from the console or from a file manager of your operation system After startup Dr Web Monitor starts all other Dr Web for UNIX mail servers components Sender Receiver Notifier etc Each of the components can be run independently as well but note that Dr Web Agent must be started first since all other modules receive their configuration from Dr Web Agent Configuring SeLinux Security Policies If the used Linux distribution features SELinux security subsystem Security Enhanced Linux you need to configure security policies used by SELinux in order to enable correct operation of anti virus components Dr Web Daemon and Dr Web Console Scanner after the installation Moreover if SELinux is enabled product installation from distribution packages run can fail because an attempt to create drweb user whose privileges are used by
618. uring Dr Web Scanner o Move move the file to the Quarantine folder o Delete delete the infected file o Rename rename the file o Ignore ignore the file o Report only log information about the file o Cure try to cure the infected object A Please note that action names are case insensitive for example value Report equals to report Ta J N ys Installation and Uninstallation Installation and Deinstallation Below you can find detailed description of Dr Web for UNIX mail servers installation update and uninstallation procedures in UNIX systems You need superuser root privileges to perform these operations To get it use the su command or sudo prefix If previously the product was installed from packages of other formats for example RPM or DEB ensure that they are carefully uninstalled Dr Web for UNIX mail servers distribution package for UNIX systems is delivered in EPM format script based distribution package with installation and uninstallation scripts and standard install uninstall GUIs designed to use with ESP Package Manager EPM Please note that all these scripts relate to the EPM package not to any of the Dr Web for UNIX mail servers components You can install deinstall and update Dr Web for UNIX mail servers in one of the following ways e using GUI e using console scripts During installation dependencies are supported that is if a component installation requires other components to
619. uristicAnalysis AddXHeaders Paranoid RegexsForCheckedFilename LicenseLimit Infected Suspicious Incurable Adware Dialers Jokes Riskware Hacktools SkipObject ArchiveRestriction ScanningErrors ProcessingErrors BlockByFilename 251 Ta J 1 ax Dr Web MailD 252 Vaderetro HeadersFilter Modifier gt gt gt gt gt gt gt UseCustomReply ReportMaxSize ReplyInfected ReplyMalware ReplySuspicious ReplySkipObject ReplyArchiveRestriction ReplyError ReplyBlockByFilename FullCheck NoHamFrom AddVersionHeader AddXDrwebSpamStateNumHeader AddXSpamLevel AddXHeaders CheckDelivery SubjectPrefix NotifySubjectPrefix UnconditionalSpamThreshold UnconditionalSubjectPrefix SpamThreshold UnconditionalAction Action NotifyAction SpamCustomReply WhiteList BlackList CheckForViruses AllowRussian AllowCJK UseCustomReply FromProtectedNetworkScoreAdd ProtectedNetworkReplyCacheLifeTime ReplyToProtectedNetworkScoreAdd ScanEncodedHeaders RejectCondition AcceptCondition FilterParts RejectPartCondition AcceptPartCondition MissingHeader Action UseCustomReply ReplyRuleFilter Encoding UseCustomReply ReplyRuleFilter LocalRules Local rules of message check with the plug in similar to the format of the GlobalRules plug in parameter Note that this parameter can be used only in Rules and is not specified in the plug in configuration file For the plug in rule format see
620. us statistics record e curr time of the current statistics record e period time interval between the previous and current records For srv a number of created and closed connections and maximum number of elements in different queues are displayed closed 0 0 num sec total created 0 0 num sec max rea 0 est 0 don 0 act 0 For cli a number of connections created by request and closed on timeout their average amount and current number are displayed created on request 0 0 num sec closed by timeout 0 0 num sec avg number 0 current 2 Ta yan A A Dr Web MailID 131 thr output looks as follows min 2 max 2147483647 type 0 freetime 120 busy max 0 avg 0 requests for new threads 0 0 num sec creating fails 0 max processing time 0 ms avg 0 ms curr 2 busy 0 where e first line contains information on the maximum and minimum number of threads in one pool type of the pool maximum time in seconds for an additional thread to close upon inactivity e second line contains information on the maximum and average number of busy threads e third line contains information on the number and frequency of requests to create additional threads e fourth line contains information on the number of failed attempts to create additional threads such failure can be caused by insufficient resources e fifth line contains information on the maximum and average time o
621. value MaxFilterItMpildtorectios numerical value FilterIMeildeqhlivfime time PoolOptions pool options CallbackPoolOptions pool options MaxConnections numerical value DoS Blackhole logical Dr Web MailD Timeout for drweb maild to process messages Default value ProcessingTimeout 60s Minimum number of connections between the POP3 filter and drweb maild Default value MinFilterToMaildConnections 2 Maximum number of connections between the POP3 filter and drweb maild module When the value is set to 0 number of connections is not limited Default value MaxFilterToMaildConnections 0 Maximum period for retention of inactive connections between POP3 filter and drweb maild if number of connections exceeds the specified minimum To interact with drweb maild POP3 filter maintains several connections with it and each connection can handle one operation If no more connections are available new connections are created until their amount reaches the maximum allowed specified in the MaxFilterToMaildConnection parameter value If connections are inactive during a time period specified in the FilterToMaildKeepAliveTime parameter the connections are closed At that total amount of opened connections cannot be less than the value specified in the MinFilterToMaildConnections parameter Default value FilterToMaildKeepAliveTime 30s Settings of the main thread pool These thread
622. values must be enclosed in quotation marks R Use custom messages as an SMTP reply when messages are UseCustomReply rejected roe Default value UseCustomReply No Custom message used as an SMTP reply when the following SpamCustomReply actions are applied Action UnconditionalAction text NotifyAction reject actions and also when UseCustomReply yes You can specify only the text part of the message Text must be enclosed in quotation marks if it contains white spaces Example S50 So 750 MWessic pare Ce reply Ta 2 1 ax Dr Web MailD 308 Default value SpamCustomReply Dr Web vaderetro plugin this roas Oana If UseCustomReply No or the corresponding string is not specified the following standard message outputs The message has been rejected by the Dr Web MailD Note that it is required to consider encoding of the search text for all parameters that change or search a header value or a part of a message Rules of working with header values in custom encoding are described in the Work with String Values Examples Examples of Vaderetro anti spam plug in usage 1 If an email message score exceeds the Threshold value e This message is blocked client gets 550 SMTP reply code e Message is moved to Quarantine e Copy of the message is sent to the address specified in the value of the AdminMail parameter in the Notifier section Dr Web MailD configuration file Actio
623. var dir daemon You can also specify a socket address in the following format PORT interfaces FILE access For a TCP socket specify a decimal port number PORT and the list of interface names or IP addresses for incoming requests interfaces Example Socket 30008027 2070S 92 ko 3 OR a0 For UNIX sockets specify a socket name FILE and access permissions in the octal form Example Socket var dir daemon 0660 Number of Socket parameter values is not limited Dr Web Daemon will work with all sockets described correctly To enable connections on all available interfaces set 3000 0 0 0 0 as a value of this parameter Default value Socket var_dir run daemon Maximum time in seconds allowed for transferring data through socket file scanning time is not included If the parameter value is set to 0 the time is unlimited Default value SocketTimeout 10 Enables splitting of log files If during communication with Dr Web Daemon a client uses the option to transfer its ID log file will be substituted with the file specified in this parameter Descriptions of log files are separated by commas or spaces If more than six values are set the configuration file is considered invalid Log files are defined in the following way lt client namel gt lt path to file gt lt client name2 gt lt path to file gt Client name may be one of the following e web Dr Web ICAPD e smb sp
624. ve response Otherwise the server is marked as unavailable which is logged If no server responds to the request the IP address is considered absent in the list of DNSBL servers that is the IP address is considered clean Please note that the parameter value is LookupLite Default value DNSBLList Reiti adhima time Maximum time for caching positive responses from DNSBL servers Default value PositiveDNSBLCacheTimeout 24h NegativelNeiCachTimeout time Maximum time for caching negative responses from DNSBL servers Ta 1 ax NegativeDNSCacheTimeout time BlackDomains Lookup a WhiteDomains Lookup a SpamTrap LookupLite ProtectedEmails Lookup ProtectedSenderEmails Lookup ReputationIPFilter Edlicers Ialsic Dr Web MailD 180 Default value NegativeDNSBLCacheTimeout 10m Maximum wait time for caching negative responses from DNS servers Parameter value is valid for all responses from DNS servers except for those from DNSBL servers Default value NegativeDNSCacheTimeout 10m Black and white lists of domains These lists are used in trust white domains and reject_black domains actions Syntax is similar to the one of the ProtectedDomains parameter in the Maild section Please note that the parameter value is Lookup Default value BlackDomains WhiteDomains Spam trap address list This list is used in reject spam trap act
625. ves SMTP 451 code in response If some plug ins are assigned to AfterQueue i e the asynchronous mode is selected the parameter CanChangeBody Yes and significant delays occur when a message is processed for example one of the plug ins does not finish message processing during the period specified by ProcessingTimeout then MTA receives SMTP 250 queued code in response but the message is still processed and sent via the Sender module drweb sender plug in Thus if the parameter CanChangeBody Yes the asynchronous mode is not recommended as it provides neither speed gain additional time for saving service files to the storage is required nor reliability gain When operating in the asynchronous mode CanChangeBody No and a component MailD core or Sender is not responding during message processing the message _is lost and MTA 121 Ta J i ax Dr Web MailD receives SMTP 250 queued in response Thus this setting combination is strongly not recommended 6 Thus it is recommended not to select the asynchronous mode i e assigning plug ins to AfterQueue when connecting to MTA via the Milter protocol as this mode does not provide any gain in message processing Moreover it is recommended to optimize operation and system resources usage if the following problems occur delays in message processing queues when receiving or sending messages not responding errors shortage of system resources Used Modules
626. virus policy depending on available licenses and collect virus statistics Statistics depending on Dr Web Agent operational mode is sent with the predetermined frequency either to the public server of the company or to the central protection server that works under Dr Web Agent When Dr Web for UNIX mail servers modules are started or settings are changed Dr Web Agent sends all necessary configuration to these modules A Note that drweb agent can operate in enterprise mode only with Dr Web ESS 6 If you want to ensure connection to the central protection server Dr Web ESS 10 install and configure the new agent version implemented as drweb agent10 module For details on how to install and configure drweb agent10 refer to the Migration to Dr Web ESS 10 section Dr Web Agent can interact with other modules through exchanging control signals Since all Dr Web for UNIX mail servers components except for Dr Web Monitor receive their configuration via drweb agent module it must be run before all these modules but after the drweb monitor module Please note that when several parameters with the same name are specified in the configuration file Dr Web Agent unites them in one comma delimited string You can also use a backslash symbol to define parameter value in several lines New line after backslash is added to the previous line when Dr Web Agent is reading configuration Note that using of a space character after a slash is not allowed
627. web interface displays Under the module header you can see the following three sections Quarantine Configuration and Templates By default the main page of the Quarantine section opens Next to the section headers you can see the following buttons Interface configuration a Start Dr Web MailD E and Stop Dr Web MailD i as well as the current Dr Web MailD status When operating in the central protection mode clicking Stop Dr Web MailD stops all local Dr Web for UNIX mail servers services running in this mode If Dr Web MailD is operating in the central protection mode after access permissions to Dr Web ESS Control Center settings are changed reload the web interface page for the changes to take effect Quarantine Messages filtered by Dr Web for UNIX mail servers anti virus or anti spam module and considered to be malicious or spam can be moved to Quarantine On the Quarantine tab of the Dr Web for UNIX mail servers web interface all necessary tools for successful management of quarantined messages are collected 361 Dr Web MailD version Dr Web Web Interface version cl Quarantine Configuration E Send S Forward Delete MNot spam Report spam Sender Recipient Subject Date ai dates z Size z Status 01 01 2000 00 00 28 12 2011 23 59 Sender Recipient Subject a quarantine script wazup misha jodaka ru ROLEX GUCCI LOUIS VUITTON Great Prices for the Holidays I quarantine script wazup medved jod
628. web receiver pool Thus drweb receiver can simultaneously handle no more than 2 t_ max connections at that some of them can be queued Once the queue is full drweb receiver stops receiving new connections and responds to clients with the following error Server error 421 3 8 Too many concurrent SMTP connections please try again later On heavy load some new connections are not discarded as active threads start processing queued connections as soon as they become free and thus other new connections can be queued Nevertheless it is recommended to increase the maximum limit t_max of threads in a pool of drweb receiver module to avoid failure to process new connections For other Dr Web MailD modules increase in number of threads does not influence module operation To control the components number of active threads in pools and queue length it is recommended to periodically send a SIGUSR1 signal to all processes of Dr Web MailD 265 Ta J 1 ax Dr Web MailD Dr Web Monitor and Dr Web Agent which control operation of Dr Web MailD components do not process SIGUSR1 signal in the current version Thus SIGUSR1 signal if sent to the components causes them to terminate their operation When Dr Web MailD components receive SIGUSR1 signal they reset statistics on thread pools Statistics can be saved either to separate text files or to the log on Debug level Location of files with statistics is controlled by the BaseDir p
629. y case are excluded Example select mime headers Content type html or mime body lt script According to the first criterion all MIME objects that contain html word in the Content type header are selected According to the second criterion all MIME objects that contain lt script in any case are added Note the following typical errors in using selection operators e If you specify several consecutive select operators the successive select replaces the result of the previous select Example select mime headers Content type html select mime body lt script select mime headers Content type html and select mime body lt script The received selection results correspond only to the second criterion thus only those mail fragments MIME objects are selected that contain lt script in any case e If neither logical operators are used nor select command is specified before the successive argument this argument is ignored and selection results are not changed Mpumep select mime headers Content type html mime body lt script The received selection results correspond only to the first criterion thus only those mail fragments MIME objects are selected that contain html in the Content type header Ta J 1 ax Dr Web MailD 2 Action operators Actions are always applied to the result set of the select operator These actions are divided into the following three types e Act
Download Pdf Manuals
Related Search