In the [Receiver] section, settings of the Receiver component (module drweb-receiver) are specified. This component is used in Dr.Web for UNIX mail servers, if the solution interacts with Exim, Zmailer and Postfix mail systems (if Postfix mail system does not use the Milter protocol) or operates in the SMTP/LMTP proxy mode.
1. General parameters
Address = {address}

Address used by Receiver to receive messages.
The socket used for receiving messages is specified (either a TCP socket or a UNIX socket).

Default value:
Address = inet:25@0.0.0.0

RealClients = {logical}

Accept connections directly from clients.

Default value:
RealClients = Yes

ProcessingErrors = {action}

Action applied to messages when processing errors occur.
The parameter value can be one of the following actions: tempfail, discard, reject.
Only one action can be specified.

Default value:
ProcessingErrors = reject

StalledProcessingInterval = {time}

Timeout to process stalled messages.
Stalled messages are messages received by Receiver but not processed in time and thus not sent to the MailD core. This can happen when network or power supply problems occur.
If a stalled message is found, Receiver queues it for processing.

Default value:
StalledProcessingInterval = 10m

OneCommandTimeout = {time}

Timeout to execute a single command.

Default value:
OneCommandTimeout = 5m

OneMessageTimeout = {time}

Timeout to receive a single message.

Default value:
OneMessageTimeout = 10m

AddReceivedHeader = {logical}

Adds a Received header to all received messages.

Default value:
AddReceivedHeader = Yes

ReturnReject = {logical}

Receiver behaviour after the Reject action is applied to a message processed in synchronous mode.
When the parameter value is set to Yes, the component returns an SMTP 55* error. When the parameter value is set to No, the component returns a successful SMTP 250 response, but the sender receives a DSN (if not disabled).
The response is extended with the Reply<Reason> string (the string is set in the settings of the plug-in which performed the reject action), but only if that plug-in allows it with its UseCustomReply=Yes setting (<Reason> is the cause of the reject action). Otherwise, the following standard message is output: "The message has been rejected by the Dr.Web MailD".
Note that if Dr.Web MailD is not operating in SMTP/LMTP proxy mode and is integrated with an MTA, it is recommended to set the parameter value to No. This ensures correct notification of the sender if a message is rejected. Otherwise, if the parameter value is set to Yes, the MTA can send a notification on success before the message is checked and rejected.
If ReturnReject=No, it is recommended to specify an additional notify action (because during the SMTP session Receiver, after rejecting a message, replies with the 250 code that indicates successful message processing), or to enable DSN (with the SkipDSNOnBlock parameter in the [Maild] section). Enable DSN only if the number of rejected messages is not large; otherwise, the MTA that sends the DSNs can be put under high load.

Default value:
ReturnReject = Yes

GreetingString = {string}

Greeting line that is output on connection of a new SMTP client.
The "%host%" macro is replaced with the Hostname parameter value from the [General] section.
The "%ver%" macro is replaced with the current version of the drweb-receiver module.

Default value:
GreetingString = "%host% Dr.Web SMTP receiver v%ver% ready"

RelayDomains = {Lookup}

List of domains that are allowed to relay messages.
If you specify a usual list of domains for which Dr.Web MailD is a mail relay, their subdomains are ignored. That is, mail arriving from their subdomains is not relayed.
A list of subdomains can be specified by using a regular expression or an rfile.
Please note that the parameter value is Lookup.
Example:
RelayDomains = regex:.*.domain.com
Allows relaying to all domain.com subdomains.
Example:
RelayDomains = rfile:/path
The rfile contains a list of regular expressions (Perl syntax), which must be specified one per line:
.*.domain.com
.*.domain1.com
.*.domain2.com
Note that in Perl syntax an unescaped dot matches any character, so the pattern .*.domain.com also matches names such as xdomain.com; to match only real subdomains, escape the dots and anchor the expression (.*\.domain\.com$).
In the current version of Dr.Web MailD, the RelayDomains parameter does not support wildcard DNS records. Thus, expressions of this type are not allowed:
RelayDomains = *.domain

Default value:
RelayDomains =

RestrictionStat = {logical}

Enables or disables statistics on SMTP restrictions (the restrictions are described below).
To get the statistics, send the SIGUSR1 signal to the drweb-receiver process. The statistics are stored in the restrictions.txt file in the directory defined by the BaseDir parameter in the [General] section.

Default value:
RestrictionStat = No

DelayRejectToRcpt = {logical}

Postpones blocking of a message until the RCPT stage, even if a restriction was triggered earlier.
Setting this parameter allows working with outdated versions of email clients and outputting the list of blocked recipient addresses to the log file.

Default value:
DelayRejectToRcpt = Yes

2. Numerical restrictions of SMTP session
The following parameters set numerical restrictions on the SMTP session; when one of them is violated, the SMTP protocol dialog is aborted.
MaxRecipients = {numerical value}

Maximum number of recipients for one email message (number of RCPT TO commands).
When the parameter value is set to 0, the maximum number of recipients is not limited.
If the IP address from which the connection is established is marked as trusted, this restriction is not checked.

Default value:
MaxRecipients = 100

MaxConcurrentConnection = {numerical value}

Maximum number of concurrent SMTP connections from a single IP address.
When the parameter value is set to 0, the maximum number of SMTP connections from a single IP address is not limited.

Default value:
MaxConcurrentConnection = 5

MaxMailsPerSession = {numerical value}

Maximum number of messages per single session (number of MAIL FROM commands).
When the parameter value is set to 0, the maximum number of messages per session is not limited.

Default value:
MaxMailsPerSession = 20

MaxReceivedHeaders = {numerical value}

Maximum number of Received headers.
When the parameter value is set to 0, the maximum number of Received headers is not limited.
Receiver always checks this restriction, even if the IP address is marked as trusted.

Default value:
MaxReceivedHeaders = 100

MaxErrorsPerSession = {numerical value}

Maximum number of errors per single session.
When the parameter value is set to 0, the maximum number of errors per session is not limited.

Default value:
MaxErrorsPerSession = 10

MaxMsgSize = {size}

Maximum message size (transmitted in the DATA command).
Receiver always checks this restriction, even if the IP address is marked as trusted.

Default value:
MaxMsgSize = 10m

MaxJunkCommands = {numerical value}

Maximum number of RSET, NOOP and VRFY commands per session.
If this number exceeds the specified value, an error counter activates.
The current value of the error counter is set to 0 each time a message is successfully processed by the drweb-maild module.
If the parameter value is set to 0, this restriction is not checked.

Default value:
MaxJunkCommands = 100

MaxHELOCommands = {numerical value}

Maximum number of HELO, EHLO and LHLO commands per session.
If this number exceeds the specified value, an error counter activates. The counter is reset after every successful processing of a message by drweb-maild.
If the parameter value is set to 0, this restriction is ignored.

Default value:
MaxHELOCommands = 20

Please note that some of the restrictions mentioned above are checked even if the IP address is marked as Trusted. The following table describes the behavior of the restrictions for Trusted clients and the texts of the SMTP replies that are sent if a message violates a restriction.

Restriction | Message to the sender if the connection to the client is restricted | Checked for trusted connections
MaxRecipients | 452 4.5.3 Too many rcpts | No
MaxConcurrentConnection | 421 4.7.0 Too many concurrent SMTP connections from this IP address; please try again later | No
MaxMailsPerSession | 421 4.2.1 too many messages in this connection | No
MaxReceivedHeaders | 554 5.7.0 MailD error: Too many received headers: N | Yes
MaxErrorsPerSession | 421 4.7.0 Error: too many errors | No
MaxMsgSize | 552 5.3.4 Message size exceeds file system imposed limit | Yes
MaxJunkCommands | 421 4.7.0 Error: too many errors | No
MaxHELOCommands | 421 4.7.0 Error: too many errors | No

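The following model, added here as an example and not part of the Dr.Web product or manual, replays an SMTP command sequence against the numerical restrictions and the trusted-bypass column above, so an operator can see which command would trip which reply under a given set of limits. It assumes that every junk or HELO command beyond MaxJunkCommands or MaxHELOCommands counts as one error toward MaxErrorsPerSession, and that a successful DATA resets the junk and HELO counters; the page's wording leaves both details open.

```python
"""Replay of the numerical SMTP restrictions from section 2 (constructed example,
not Dr.Web code). It applies the documented counters, the reply strings from the
table above and the "checked for trusted connections" column to a command
sequence. Assumptions: once MaxJunkCommands or MaxHELOCommands is exceeded, each
further junk/HELO command counts as one error toward MaxErrorsPerSession, and a
successful DATA (message handed to drweb-maild) resets the junk and HELO counters."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

REPLY_TOO_MANY_RCPTS = "452 4.5.3 Too many rcpts"
REPLY_TOO_MANY_MAILS = "421 4.2.1 too many messages in this connection"
REPLY_TOO_MANY_ERRORS = "421 4.7.0 Error: too many errors"
REPLY_TOO_MANY_RECEIVED = "554 5.7.0 MailD error: Too many received headers: {n}"
REPLY_TOO_BIG = "552 5.3.4 Message size exceeds file system imposed limit"
JUNK_COMMANDS = {"RSET", "NOOP", "VRFY"}
HELO_COMMANDS = {"HELO", "EHLO", "LHLO"}


@dataclass
class Limits:
    """[Receiver] defaults from this page; 0 disables a limit."""
    max_recipients: int = 100
    max_mails_per_session: int = 20
    max_received_headers: int = 100
    max_errors_per_session: int = 10
    max_msg_size: int = 10 * 1024 * 1024  # MaxMsgSize = 10m
    max_junk_commands: int = 100
    max_helo_commands: int = 20


@dataclass
class Session:
    limits: Limits
    trusted: bool = False  # localhost, UNIX socket or mark_trust
    rcpts: int = 0
    mails: int = 0
    errors: int = 0
    junk: int = 0
    helo: int = 0
    aborted: Optional[str] = None  # reply that ended the dialog, if any

    def _error(self) -> Optional[str]:
        """Count one error; abort when MaxErrorsPerSession is exceeded."""
        self.errors += 1
        limit = self.limits.max_errors_per_session
        if not self.trusted and limit and self.errors > limit:
            self.aborted = REPLY_TOO_MANY_ERRORS
        return self.aborted

    def command(self, verb: str, data: Tuple[int, int] = (0, 0)) -> Optional[str]:
        """Apply one command; return the reply it triggers, or None if it passes.
        For DATA, `data` is (number of Received headers, message size in bytes)."""
        if self.aborted:
            return self.aborted
        lim = self.limits
        if verb in HELO_COMMANDS:
            self.helo += 1
            if lim.max_helo_commands and self.helo > lim.max_helo_commands:
                return self._error()
        elif verb in JUNK_COMMANDS:
            self.junk += 1
            if lim.max_junk_commands and self.junk > lim.max_junk_commands:
                return self._error()
        elif verb == "MAIL":
            self.mails += 1
            self.rcpts = 0
            if not self.trusted and lim.max_mails_per_session and self.mails > lim.max_mails_per_session:
                self.aborted = REPLY_TOO_MANY_MAILS
                return self.aborted
        elif verb == "RCPT":
            self.rcpts += 1
            if not self.trusted and lim.max_recipients and self.rcpts > lim.max_recipients:
                return REPLY_TOO_MANY_RCPTS
        elif verb == "DATA":
            received, size = data
            # Both DATA limits are checked even for trusted clients (see the table).
            if lim.max_received_headers and received > lim.max_received_headers:
                return REPLY_TOO_MANY_RECEIVED.format(n=received)
            if size > lim.max_msg_size:
                return REPLY_TOO_BIG
            self.junk = self.helo = 0  # delivered to drweb-maild: counters reset
        return None


def replay(transcript: List[Tuple], limits: Optional[Limits] = None,
           trusted: bool = False) -> List[Optional[str]]:
    """Replay (verb[, data]) tuples; return the reply triggered by each command."""
    session = Session(limits or Limits(), trusted=trusted)
    return [session.command(*step) for step in transcript]
```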
3. Restrictions and conditions for different stages of SMTP session
Parameters described below (*Restrictions) configure checks of IP addresses at various stages of the SMTP session. The check is performed if the address is not marked as Trusted. By default, only connections from localhost and UNIX sockets are considered trusted.
The restrictions allow filtering of unwanted mail in the drweb-receiver module at the SMTP session stage, before messages are transmitted to drweb-maild. This saves resources and adds an additional level of spam filtration, which increases the spam detection probability.
SMTP Restrictions are applied at the following stages of the SMTP session:
• connection of a new client (INTRO) (restrictions are specified in the SessionRestrictions parameter);
• receipt of the HELO/EHLO command (restrictions are specified in the HeloRestrictions parameter);
• receipt of the FROM command, that is, when the client specifies the sender of a new message (restrictions are specified in the SenderRestrictions parameter);
• receipt of the RCPT command, that is, when the client adds a new recipient to the message (restrictions are specified in the RecipientRestrictions parameter);
• receipt of the DATA command, that is, when the client has finished transferring all recipients and is ready to send the body of the message (restrictions are specified in the DataRestrictions parameter).
Restrictions are set as values of the *Restrictions parameters, separated by commas. They are checked in sequential order, from left to right. Restriction checking is performed only after all other checks (sequencing of commands, validity of their parameters and others) and continues until the message is considered trusted. After that, restriction checking stops.
SessionRestrictions = {restrictions list}

These checks are performed immediately after the connection is established (INTRO).
The following restrictions are checked:
• trust_protected_network
• trust_protected_domains
• trust_white_networks
• trust_white_domains
• reject_dnsbl
• reject_black_networks
• reject_black_domains

Default value:
SessionRestrictions = trust_protected_network

HeloRestrictions = {restriction list}

These checks are performed at the HELO/EHLO session stage.
The following restrictions are checked:
• reject_unknown_hostname
• reject_diff_ip

Default value:
HeloRestrictions =

SenderRestrictions = {restriction list}

Checks performed at the FROM session stage.
The following restrictions can be checked:
• reject_unknown_sndrs
• reject_unknown_domain
• trust_sasl_authenticated
• pass_sasl_authenticated

Default value:
SenderRestrictions = trust_sasl_authenticated

RecipientRestrictions = {restriction list}

Checks performed at the RCPT session stage. All recipients are checked in the order they are declared.
The following restrictions can be checked:
• reject_unknown_domain
• reject_unauth_destination
• reject_unknown_rcpts
• pass_sasl_authenticated

Default value:
RecipientRestrictions = reject_unauth_destination

DataRestrictions = {restriction list}

Checks performed at the DATA stage of the session.
The following restrictions can be checked:
• reject_spam_trap
• reject_multi_recipient_bounce
• pass_sasl_authenticated

Default value:
DataRestrictions =

The result of blocking differs depending on the stage of the SMTP session. When blocking is performed according to restrictions from the SessionRestrictions parameter (INTRO stage), the whole session is blocked: that is, an error is returned on any user command. At other SMTP stages, only a certain SMTP command is blocked.
Each restriction can have an optional parameter, a score value [SCORE] (except for the set_score and add_score restrictions, where the score value is the only, and mandatory, parameter). Depending on the restriction type, the score is processed in different ways:
• the restriction can be applied if the current message score is less than the value specified in the parameter;
• the restriction can be applied if the current message score is greater than the value specified in the parameter;
• if the restriction is applied, the corresponding parameter value is added to the message score.
Depending on the SMTP session stage, restrictions can affect either a score that is added to the score of every message in the current session (for the SessionRestrictions and HeloRestrictions stages) or an individual message score (for other stages).
Each stage of the check can have its own specific restrictions as well as restrictions that apply at all stages. The latter include the following restrictions:
sleep {time} [SCORE]
Suspends the SMTP connection for the specified period (in seconds).
If SCORE is specified, this restriction is applied only to messages whose current score is greater than the parameter value.

reject [SCORE]
Returns the permanent SMTP error (code 5*).
If SCORE is specified, the permanent error is returned only when the current message score is greater than the parameter value.

tempfail [SCORE]
Returns the temporary SMTP error (code 4*).
If SCORE is specified, the temporary error is returned only when the current message score is greater than the parameter value.

mark_trust [SCORE]
Sets the Trusted flag.
All other restrictions after this parameter are skipped.
If SCORE is specified, the Trusted flag is set only when the current message score is lower than the parameter value.

set_score SCORE
Changes the current message score to the specified SCORE value.
If it is used at the SessionRestrictions or HeloRestrictions stages, it affects the score of every message in the session; at other stages it affects the score of the message currently processed.

add_score SCORE
Adds the specified SCORE value to the current message score.
If it is used at the SessionRestrictions or HeloRestrictions stages, it affects the score of every message in the session; at other stages it affects the score of the message currently processed.

Restrictions that apply at specific check stages:

Actions for SessionRestrictions

trust_protected_network [SCORE]
If the IP address of the connection is included in the list specified in the ProtectedNetworks parameter (the [Maild] section), the address is either marked as Trusted or, if SCORE is specified, its value is added to the score of each message transferred in the current session and to the score of the sender's IP address.

trust_protected_domains [SCORE]
Checks if the IP address of the connection is in the list defined by the ProtectedDomains parameter (the [Maild] section).
The check is performed using a double DNS request: a PTR request is sent to check whether the received host name is in the ProtectedDomains list. If so, an A request is sent to check whether the connection IP address is in the received address list. If so, the address is either marked as Trusted or, if SCORE is specified, its value is added to the score of each message transferred in the current session and to the score of the sender's IP address.

trust_white_networks [SCORE]
If the IP address of the connection is in the white list defined by the WhiteNetworks parameter (see below), the address is either marked as Trusted or, if SCORE is specified, its value is added to the score of each message transferred in the current session and to the score of the sender's IP address.

trust_white_domains [SCORE]
Checks if the domain of the IP address is in the white list defined by the WhiteDomains parameter (see below).
A DNS PTR request is made. If the domain is in the list, the address is either marked as Trusted or, if SCORE is specified, its value is added to the score of each message transferred in the current session and to the score of the sender's IP address.
Note that, unlike trust_protected_domains, this check relies on the PTR record alone, without a forward (A) lookup to confirm that the name really belongs to the connecting IP address.

reject_dnsbl [SCORE]
Checks if the IP address of the connection is in the black lists of the RBL/DNSBL servers specified in the DNSBLList parameter (see below).
First, the availability of the RBL/DNSBL servers is checked by sending a test request to resolve the 127.0.0.2 IP address (as required by the specification). A correctly operating server must return a positive response. If not, the server is marked as inaccessible, which is logged.
If the server is available, an A request is sent to the DNSBL.
If the DNSBL server returns a positive response, the session terminates or, if SCORE is specified, its value is added to the score of each message transferred in the current session and to the score of the sender's IP address, and the error is logged.
Please note that if all specified RBL/DNSBL servers are inaccessible, the IP address is considered "untrusted", reject_dnsbl is not applied to it and a record that all of the servers are unavailable is logged.

reject_black_networks [SCORE]
If the IP address of the connection is in the black list defined by the BlackNetworks parameter (see below), the session terminates or, if SCORE is specified, an error is logged and the SCORE value is added to the score of each message transferred in the current session and to the score of the sender's IP address.

reject_black_domains [SCORE]
Checks if the sender's domain is in the black list defined by the BlackDomains parameter (see below).
A PTR request is made. If the domain is in this list, the session terminates or, if SCORE is specified, an error is logged and the SCORE value is added to the score of each message transferred in the current session and to the score of the sender's IP address.

Actions for HeloRestrictions

reject_unknown_hostname [SCORE]
If the host name has neither a DNS A record nor a DNS MX record, mail from this address is blocked or, if SCORE is specified, an error is logged and the SCORE value is added to the score of each message transferred in the current session and to the score of the sender's IP address.
During the check, A requests and, sometimes, MX requests are sent.

reject_diff_ip [SCORE]
If the client's IP address does not match any of the IP addresses resolved for the domain name from the EHLO/HELO command, mail from this address is blocked.
If SCORE is specified, the message is passed, but an error is logged and the SCORE value is added to the score of each message transferred in the current session and to the score of the sender's IP address.

Actions for SenderRestrictions

reject_unknown_domain [SCORE]
If the sender's host name has neither a DNS A record nor a DNS MX record, mail from this address is blocked or, if SCORE is specified, an error is logged and the SCORE value is added to the score of each message transferred in the current session.
During the check, A requests and sometimes MX requests are sent.
It is recommended to use reject_unknown_domain together with other restrictions for this session stage (the reject_unknown_domain restriction is checked first and then the others). This is necessary because if the FROM field of the email message is empty, this restriction is not applied (as there is no domain name to check in DNS). But it is impossible to ban email messages with empty FROM and TO fields because, according to the RFC 5321 specification, Dr.Web MailD must always be able to receive DSN and MSN notifications that have the empty FROM field <>.

trust_sasl_authenticated [SCORE]
If SASL authentication was successful, the IP address is marked as Trusted. However, if SCORE is specified, it is also checked whether the IP address score is less than the specified value.

pass_sasl_authenticated [SCORE]
Skips all other checks at this SMTP session stage if the client has successfully passed SASL authentication.
If SCORE is specified, the remaining checks are skipped for an authenticated client only if its current score is less than the specified parameter value.

reject_unknown_sndrs [SCORE]
Checks if the sender is specified in the ProtectedSenderEmails list (see below).
If the sender's address is not in this list, mail from this address is blocked or, if SCORE is specified, an error is logged and the SCORE value is added to the message score.
It is recommended to use this action together with the anti_dha Reputation IP Filter.

Actions for RecipientRestrictions

reject_unknown_domain [SCORE]
If the recipient's host name has neither a DNS A record nor a DNS MX record, mail to this address is blocked or, if SCORE is specified, an error is logged and the SCORE value is added to the message score.
During the check, A requests and, sometimes, MX requests are sent.
Recommendations on using reject_unknown_domain together with other restrictions for this session stage are the same as those described above for the SenderRestrictions stage, but apply to the TO field.

reject_unauth_destination [SCORE]
If the recipient's domain is neither in the RelayDomains list nor in the ProtectedDomains list (see the [Maild] section), mail sent to this address is blocked or, if SCORE is specified, an error is logged and the SCORE value is added to the message score.
If mail for subdomains of protected domains is also received (that is, the IncludeSubdomains parameter is set to Yes), both the reject_unauth_destination and reject_unknown_domain restrictions must be set at the RCPT stage. Otherwise, Dr.Web MailD will receive messages for all subdomains of the protected domains even if these subdomains do not exist.

reject_unknown_rcpts [SCORE]
Checks if the recipient is in the ProtectedEmails list (see below).
If the recipient's address is not in this list, mail to this address is blocked or, if SCORE is specified, an error is logged and the SCORE value is added to the message score.
It is recommended to use this action together with the anti_dha Reputation IP Filter.

pass_sasl_authenticated [SCORE]
Skips all other checks at this SMTP session stage if the client has successfully passed SASL authentication.
If SCORE is specified, the remaining checks are skipped for an authenticated client only if its current score is less than the specified parameter value.

Actions for DataRestrictions

reject_spam_trap [SCORE]
Checks for a spam trap. The recipient's address must be of the <USER@HOST> format.
If the host name is in the list defined by the ProtectedDomains parameter (unless the list is empty, see below) and the user name is in the list defined by the SpamTrap parameter (see below), the message is blocked or, if SCORE is specified, an error is logged and the SCORE value is added to the message score. A full email address can also be specified in the SpamTrap list.

reject_multi_recipient_bounce [SCORE]
Blocks messages with an empty FROM header and several recipients or, if SCORE is specified, an error is logged and the SCORE value is added to the message score.

pass_sasl_authenticated [SCORE]
Skips all other checks at this SMTP session stage if the client has successfully passed SASL authentication.
If SCORE is specified, the remaining checks are skipped for an authenticated client only if its current score is less than the specified parameter value.

Examples:
SenderRestrictions = trust_protected_networks, reject
Allows receiving email messages only from IP addresses that belong to the networks specified in the ProtectedNetworks parameter value. Messages from other IP addresses are rejected.
SenderRestrictions = trust_protected_networks, trust_protected_domains, sleep 5, add_score 10
Allows receiving email messages from IP addresses that belong to the networks specified in the ProtectedNetworks parameter value and from the domains specified in the ProtectedDomains parameter value. Processing of other messages is paused for 5 seconds and 10 points are added to the score of these messages.
It is possible to gather statistics on each restriction to determine the number of blocked messages and the efficiency of the restriction. To get the gathered data, send the special signal to the drweb-receiver process as described in the Signals section of this manual. To enable or disable statistics gathering, use the RestrictionStat parameter (see above, in part 1 of this section).
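To make the left-to-right evaluation and the SCORE rules of section 3 concrete, here is an evaluator written for this page as an example; it is not Dr.Web code and does not reproduce the real Lookup syntax. It models the generic actions (reject, tempfail, sleep, mark_trust, set_score, add_score) and the three network-list checks, using the singular name trust_protected_network from the SessionRestrictions list, takes network lists as plain CIDR strings, and deliberately leaves the DNS-based restrictions unimplemented; the names Client, evaluate and parse_restrictions are this example's own.

```python
"""Evaluator for the *Restrictions lists described in section 3 (constructed
example, not Dr.Web code). It models the generic actions (reject, tempfail,
sleep, mark_trust, set_score, add_score) and the network-list checks
(trust_protected_network, trust_white_networks, reject_black_networks) with the
documented SCORE semantics; DNS-based restrictions are deliberately left out.
Network lists are given as plain CIDR strings, not in the real Lookup syntax."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SESSION_STAGES = {"SessionRestrictions", "HeloRestrictions"}
# restriction -> (list parameter it consults, what happens without SCORE)
NETWORK_CHECKS = {
    "trust_protected_network": ("ProtectedNetworks", "trust"),
    "trust_white_networks": ("WhiteNetworks", "trust"),
    "reject_black_networks": ("BlackNetworks", "reject"),
}


@dataclass
class Client:
    ip: str
    trusted: bool = False
    session_score: int = 0  # added to every message of this session
    message_score: int = 0  # score of the message currently processed
    slept: int = 0          # seconds the connection would have been suspended

    @property
    def score(self) -> int:
        return self.session_score + self.message_score

    def bump(self, stage: str, points: int, replace: bool = False) -> None:
        """Apply points to the session score (INTRO/HELO stages) or the message score."""
        attr = "session_score" if stage in SESSION_STAGES else "message_score"
        setattr(self, attr, points if replace else getattr(self, attr) + points)


def parse_restrictions(value: str) -> List[Tuple[str, List[int]]]:
    """'trust_protected_network, sleep 5 20, reject' -> [(name, [numeric args]), ...]"""
    rules = []
    for item in value.split(","):
        parts = item.split()
        if parts:
            rules.append((parts[0], [int(p) for p in parts[1:]]))
    return rules


def in_networks(ip: str, cidrs: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def evaluate(stage: str, value: str, client: Client,
             lists: Dict[str, List[str]]) -> str:
    """Check the list left to right; return 'pass', 'trust', 'reject' or 'tempfail'."""
    if client.trusted:  # trusted addresses are not checked at all
        return "trust"
    for name, args in parse_restrictions(value):
        score = args[0] if args else None  # the optional [SCORE] argument
        if name in NETWORK_CHECKS:
            param, without_score = NETWORK_CHECKS[name]
            if not in_networks(client.ip, lists.get(param, [])):
                continue
            if score is not None:       # with SCORE: log, score and keep going
                client.bump(stage, score)
            elif without_score == "trust":
                client.trusted = True
                return "trust"
            else:
                return "reject"
        elif name in ("reject", "tempfail"):
            if score is None or client.score > score:
                return name
        elif name == "sleep":           # sleep {time} [SCORE]
            seconds, score = args[0], (args[1] if len(args) > 1 else None)
            if score is None or client.score > score:
                client.slept += seconds
        elif name == "mark_trust":      # later restrictions are skipped
            if score is None or client.score < score:
                client.trusted = True
                return "trust"
        elif name == "set_score":
            client.bump(stage, score, replace=True)
        elif name == "add_score":
            client.bump(stage, score)
        else:
            raise ValueError(f"restriction not modelled here: {name}")
    return "pass"
```

Running the two lists from the examples above at the SessionRestrictions stage (with the singular restriction name) shows a protected-network client being trusted and stopping the walk, while an outside client is rejected by the first list and slept and scored by the second.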
4. Check parameters for different SMTP sessions
BlackNetworks = {Lookup}
WhiteNetworks = {Lookup}

Network black and white lists.
These lists are used in the trust_white_networks and reject_black_networks actions.
The syntax is similar to that of the ProtectedNetworks parameter in the [Maild] section.
Please note that the parameter value is Lookup.

Default value:
BlackNetworks =
WhiteNetworks =

DNSBLList = {LookupLite}

DNSBL server list. This list is used in the reject_dnsbl action.
Servers are checked one after another in the order they are specified in the parameter value until the message is blocked (upon a server response that the IP address is a "spammer") or the list ends.
The accessibility of the servers is checked by requesting them to resolve the special IP address 127.0.0.2 (defined by the specification). The server must return a positive response. Otherwise, the server is marked as unavailable, which is logged.
If no server responds to the request, the IP address is considered absent from the DNSBL lists, that is, the IP address is considered "clean".
Please note that the parameter value is LookupLite.

Default value:
DNSBLList =

PositiveDNSBLCacheTimeout = {time}

Maximum time for caching positive responses from DNSBL servers.

Default value:
PositiveDNSBLCacheTimeout = 24h

NegativeDNSBLCacheTimeout = {time}

Maximum time for caching negative responses from DNSBL servers.

Default value:
NegativeDNSBLCacheTimeout = 10m

NegativeDNSCacheTimeout = {time}

Maximum time for caching negative responses from DNS servers.
The parameter value applies to all responses from DNS servers except those from DNSBL servers.

Default value:
NegativeDNSCacheTimeout = 10m

BlackDomains = {Lookup}
WhiteDomains = {Lookup}

Black and white lists of domains. These lists are used in the trust_white_domains and reject_black_domains actions.
The syntax is similar to that of the ProtectedDomains parameter in the [Maild] section.
Please note that the parameter value is Lookup.

Default value:
BlackDomains =
WhiteDomains =

SpamTrap = {LookupLite}

Spam trap address list.
This list is used in the reject_spam_trap action.
Please note that the parameter value is LookupLite.

Default value:
SpamTrap =

ProtectedEmails = {Lookup}

List of protected recipients' addresses.
It is used in the reject_unknown_rcpts restriction. It allows discarding messages with invalid recipients (that are not in the list) and resisting DHA attacks (when used with the anti_dha filter in Reputation IP Filter).
It is recommended to specify this parameter with the reject_unknown_rcpts restriction and use it with the anti_dha filter.
Please note that the parameter value is Lookup.

Default value:
ProtectedEmails =

ProtectedSenderEmails = {Lookup}

List of protected senders' addresses.
It is used in the reject_unknown_sndrs restriction. It allows discarding messages from invalid (unknown) senders and resisting DHA attacks (when used with the anti_dha filter in Reputation IP Filter).
It is recommended to specify this parameter together with reject_unknown_sndrs and use it with the anti_dha filter.
Please note that the parameter value is Lookup.

Default value:
ProtectedSenderEmails =

ReputationIPFilter = {filters list}

Reputation IP Filter settings.
The Reputation IP filter allows assigning a score to an IP address according to the gathered statistics on connections, as well as blocking this IP address temporarily if its total score is greater than a threshold value.
The following filters are available:
anti_dha, errors_filter, score_filter.
Filters are listed using a comma as the delimiter and are checked in the order they are specified. For each filter, its name is specified first and then its optional parameters are enumerated, with a comma as the delimiter.

Default value:
ReputationIPFilter =

MaxSessionScore = {numerical value}

A threshold value for the total score of each session.
If this score exceeds the threshold value, the corresponding connection is closed and a temporary error is returned.
If this value is set to 0, this parameter is ignored.

Default value:
MaxSessionScore = 10000