Working with POP3/IMAP Mail Clients
Dr.Web for UNIX mail servers can check messages not at the moment the mail system receives them, but at the moment they are transferred via IMAP and POP3 to the MUA of the end recipient. This integration solution can be implemented only when the mail system protected with Dr.Web for UNIX mail servers is not a proxy but a final system, that is, one that serves requests from the end MUA.

To implement the solution, the following two proxy components are included in Dr.Web for UNIX mail servers:

• POP3 filter – used for intercepting messages of the POP3 protocol during communication between MUA and MDA. Implemented as the drweb-pop3 module;
• IMAP filter – used for intercepting messages of the IMAP protocol during communication between MUA and MDA. Implemented as the drweb-imap module.

The following picture illustrates the Dr.Web MailD connection diagram when working with mail clients.

Fig. 22. Work with mail clients

General operation principles:

1. The filter for the client protocol (POP3 filter or IMAP filter, depending on the protocol used) is configured as a proxy that receives messages transmitted from the MUA to the MDA over the corresponding protocol.
2. Messages received from the MUA are transferred to the target MDA (it can be local or remote in relation to Dr.Web MailD).
3. After a message is transmitted from the MDA to the MUA, it passes through the filter component, which sends the message to MailD core for checking (via the interface used by Receiver).
4. MailD core checks the message (using Processing rules and configured plug-ins).
5. If MailD core returns a positive check result, the message is transmitted further to the MUA. Otherwise, instead of the requested message, the MUA receives a report on the detected threat. This report is generated by Notifier.
6. If MailD core is enabled to send reports on detected threats, the corresponding reports generated by Notifier are dispatched by Sender (it sends the reports for final delivery to the MTA that is specified in Sender settings).
Note the following restrictions when Dr.Web MailD is used for checking messages via client protocols:

• All used plug-ins must be assigned to the BeforeQueueFilters queue; that is, checking messages in asynchronous mode, when messages are saved to the storage, is not allowed (due to aspects of POP3 and IMAP operation).
• The redirect action must not be used in Rules and plug-in settings, as a message transmitted from the MDA to the user's MUA cannot be redirected to another address.

Filter component characteristics:

1. IMAP filter component

Supports interaction with IMAP servers (including the cache function). This component is a proxy server between MailD core (drweb-maild) and the IMAP server (MDA). The component filters messages which the server sends to the user. The MDA IMAP server can run on the local computer, as well as on a remote computer. Functions of the component are performed by the drweb-imap module. Its settings are specified in the [IMAP] section of the main Dr.Web MailD configuration file.

The IMAP filter component caches main message headers to speed up access to them. Theoretically, it is possible to exhaust available memory and slow down filter operation by sending a large number of specially formed messages that contain a lot of headers through the filter. To prevent this situation, the IMAP filter has the MaxCachedHeadersPerMail setting, which controls the maximum total size of cached headers. Note that if this value is too small, names and types of MIME attachments can be displayed incorrectly on users' computers.

The filter is disabled by default. To enable it, uncomment the following string in the mmc file of Dr.Web Monitor (maild_<MTA>.mmc):

drweb-imap local:/var/drweb/ipc/.agent 15 30 MAIL drweb:drweb

2. POP3 filter component

Supports operation with POP3 servers. The component is a proxy server between MailD core (drweb-maild) and the POP3 server (MDA). The component filters messages which the server sends to the user.
The MDA POP3 server can run on the local computer, as well as on a remote computer. Functions of the component are performed by the drweb-pop3 module. Its settings are specified in the [POP3] section of the main Dr.Web MailD configuration file.

Every time a connection is established, the POP3 filter retrieves the user name from the USER username command and keeps it for the duration of the session. If authentication is successful, the filter transmits messages from the server to the client. All commands and data are transmitted literally, except for the server response to the RETR command (message retrieval). The response from the MDA to this command is passed to MailD core for analysis, and then the MUA receives the processed response.

The filter is disabled by default. To enable it, uncomment the following string in the mmc file of Dr.Web Monitor (maild_<MTA>.mmc):

drweb-pop3 local:/var/drweb/ipc/.agent 15 30 MAIL drweb:drweb

When Dr.Web MailD is operating in the POP3/IMAP proxy mode, the following modules must be running in the system (this is specified in the mmc file of Dr.Web Monitor):

• drweb-notifier
• drweb-sender
• drweb-maild
• drweb-pop3 or drweb-imap (depending on the client protocol being intercepted)
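The POP3 filter behaviour described above (remember the name from USER, pass everything through literally, intercept only the RETR response) can be sketched as follows. This is an added example, not Dr.Web code: Pop3FilterSession, the scan callback standing in for the MailD core check, and the report text are hypothetical. It assumes each server response is fully buffered and that the client does not pipeline commands.

```python
# Added illustration, not Dr.Web code. scan() stands in for the MailD core check.
from typing import Callable, Optional

END = b"\r\n.\r\n"  # POP3 multi-line terminator (RFC 1939)

class Pop3FilterSession:
    def __init__(self, scan: Callable[[str, bytes], Optional[str]]):
        self.scan = scan            # returns None if clean, else a threat name
        self.user = ""              # taken from USER, kept for the session
        self.awaiting_retr = False  # True between RETR and its response

    def from_client(self, line: bytes) -> bytes:
        """MUA -> MDA: note USER and RETR, forward every command unchanged."""
        parts = line.split()
        verb = parts[0].upper() if parts else b""
        if verb == b"USER" and len(parts) > 1:
            self.user = parts[1].decode("ascii", "replace")
        self.awaiting_retr = verb == b"RETR"
        return line

    def from_server(self, resp: bytes) -> bytes:
        """MDA -> MUA: literal pass-through except a successful RETR response."""
        intercept = self.awaiting_retr and resp.startswith(b"+OK")
        self.awaiting_retr = False
        if not intercept:
            return resp
        _status, _, body = resp.partition(b"\r\n")
        if not (body == b".\r\n" or body.endswith(END)):
            raise ValueError("RETR response not fully buffered yet")
        # Undo dot-stuffing so the scanner sees the real message bytes.
        lines = body[:-3].split(b"\r\n")
        message = b"\r\n".join(l[1:] if l.startswith(b".") else l for l in lines)
        threat = self.scan(self.user, message)
        if threat is None:
            return resp  # clean: deliver the original response
        # Blocked: the MUA gets a report instead of the requested message.
        report = ("Subject: Threat detected\r\n\r\n"
                  f"A message for {self.user} was blocked: {threat}\r\n").encode()
        return b"+OK report follows\r\n" + report + b".\r\n"

def demo():
    # Constructed scanner and traffic: flags any message containing BAD-MARKER.
    s = Pop3FilterSession(lambda u, m: "Constructed.Threat" if b"BAD-MARKER" in m else None)
    s.from_client(b"USER alice\r\n")
    s.from_client(b"RETR 1\r\n")
    clean = s.from_server(b"+OK 20 octets\r\nSubject: hi\r\n\r\n..dot line\r\n.\r\n")
    s.from_client(b"RETR 2\r\n")
    blocked = s.from_server(b"+OK 30 octets\r\nSubject: x\r\n\r\nBAD-MARKER\r\n.\r\n")
    return s.user, clean, blocked
```

Only the RETR response is unstuffed and scanned; LIST, STAT and error responses reach the MUA byte for byte, which is why the check has to be synchronous, as the restrictions above require.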