/*
 * -------------------------------------------------------------
 *
 *   Mail filters configuration file description
 *
 *  $Revision: 1.49 $
 *
 * -------------------------------------------------------------
 */

    The configuration file is an ordinary text file with the following layout:

[Section 1 name]
Parameter1 = value
.....
ParameterN = value

.....

[Section X name]
Parameter1 = value
.....
ParameterY = value

The parameters will be described in the following way:

---
parameter_name = parameter_type (default_value or 'absent')

parameter description
---

All the parameters may be of the following four types:
- string parameters (STRING): paths, names, actions etc.
- list-of-strings parameters (STRING_LIST): strings separated by ","
- numeric parameters (COUNT): unsigned numbers from 0 to 2^31 - 1
- octal parameters (OCTAL): numbers in octal representation
- Boolean parameters (BOOL): these variables may have the values
     yes, on, true - to enable,
     no, off, false - to disable the option set by this parameter;
  any of the listed variants may be used, and letter case is ignored.
- address specification (ADDRESS): these variables have the following
  format: TYPE:TRANSPORT_ADDRESS
  The following types are admissible:
      inet - TCP sockets are used; TRANSPORT_ADDRESS then has the format
             PORT@HOST_NAME
             HOST_NAME may be either an IP address or a host domain name.
             Example:
               Address = inet:3003@localhost
      local - local UNIX sockets are used; TRANSPORT_ADDRESS then
             is simply the path to the socket file.
             Example:
               Address = local:/var/drweb/run/.drweb-agent
- list of address specifications (ADDRESS_LIST)

Now let's look at the options that may be specified.


    In the [DaemonCommunication] section the parameters regarding the
filter-daemon interaction are described.

Address = ADDRESS_LIST (absent)

This parameter specifies the daemon transport address to which the filter
will hand over scanning jobs. One more address type is available for this
parameter:
   pid - indicates that the real address must be read from the daemon's
         pid file.
         Example:
           Address = pid:/var/drweb/run/drwebd.pid
   Example with several addresses:
     Address = pid:/var/drweb/run/drwebd.pid, inet:3000@srv2.example.com
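
The value types above, including the extra pid address type, can be checked
before a configuration is deployed. The following parsers are an added
example, not code from Dr.Web. Assumptions: type names are matched exactly as
written, socket and pid paths are absolute, and all function names are
hypothetical.

```python
import re

BOOL_TRUE = {"yes", "on", "true"}
BOOL_FALSE = {"no", "off", "false"}


def parse_bool(text):
    """BOOL: yes/on/true or no/off/false, letter case ignored."""
    word = text.strip().lower()
    if word in BOOL_TRUE:
        return True
    if word in BOOL_FALSE:
        return False
    raise ValueError("not a BOOL: %r" % text)


def parse_count(text):
    """COUNT: unsigned decimal number from 0 to 2^31 - 1."""
    word = text.strip()
    if not re.fullmatch(r"[0-9]+", word) or int(word) > 2**31 - 1:
        raise ValueError("not a COUNT: %r" % text)
    return int(word)


def parse_octal(text):
    """OCTAL: number in octal representation, e.g. a file mode like 0600."""
    word = text.strip()
    if not re.fullmatch(r"[0-7]+", word):
        raise ValueError("not an OCTAL: %r" % text)
    return int(word, 8)


def parse_address(text, allow_pid=False):
    """ADDRESS: TYPE:TRANSPORT_ADDRESS -> (type, target)."""
    kind, sep, rest = text.strip().partition(":")
    if not sep or not rest:
        raise ValueError("expected TYPE:TRANSPORT_ADDRESS, got %r" % text)
    if kind == "inet":
        # inet uses PORT@HOST_NAME; the host may be an IP or a domain name.
        port, at, host = rest.partition("@")
        if (not at or not host or not re.fullmatch(r"[0-9]{1,5}", port)
                or not 0 < int(port) < 65536):
            raise ValueError("inet address must be PORT@HOST_NAME: %r" % text)
        return ("inet", (host, int(port)))
    # pid is accepted only where the page allows it: the daemon Address.
    if kind == "local" or (kind == "pid" and allow_pid):
        if not rest.startswith("/"):  # assumption: absolute paths only
            raise ValueError("expected an absolute path in %r" % text)
        return (kind, rest)
    raise ValueError("unknown address type in %r" % text)


def parse_address_list(text, allow_pid=False):
    """ADDRESS_LIST: comma-separated ADDRESS values."""
    # Order is preserved: the first address is the main daemon.
    return [parse_address(item, allow_pid) for item in text.split(",")]
```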

Cache = BOOL (on)

This option may be used only if TCP sockets are utilized to provide the
connection with the daemon. If it is enabled (yes, on, true) and the daemon
host address is a domain name, then its IP will be requested only once (at
the filter start) and this very IP will be used in future; if the option is
disabled, the IP will be resolved at every request (which is quite a
slow operation).

Timeout = COUNT (0)

This option specifies the timeout (in seconds) for the whole handling
session of an object. If the daemon fails to answer within the
timeout period, then the action specified by the ProcessingErrors option is
taken (see below). A value of 0 corresponds to an infinite timeout.

UseTcpNodelay = BOOL (no)

This option sets or unsets the TCP_NODELAY option for the connection with
the daemon. Do not set this option unless you have network problems.


    In the [Scanning] section the scanning process parameters are described.

HeuristicAnalysis = BOOL (on)

Enable/disable the heuristic analyser, which detects unknown viruses,
although it makes false alarms possible.

StripPath = COUNT (0)

Strip the smallest prefix containing StripPath leading slashes from each
path passed to scanning. A sequence of one or more adjacent slashes is
counted as a single slash.
NOTE: The option works the same as the -p parameter of the patch utility
      (man patch)
NOTE: See also the example after the PrefixPath description.
EXAMPLE: path = /some/path/to/file.ext
         StripPath = 1 -> path = some/path/to/file.ext
         StripPath = 2 -> path = path/to/file.ext

PrefixPath = STRING (absent)

Path that prefixes scan paths. It is applied after the path has been modified
by the StripPath option. This option is useful when a chrooted MTA or Samba
works together with a non-chrooted (or chrooted to another root) DrWeb Daemon.
ATTENTION: PrefixPath must not end with a slash.
EXAMPLE: path = /some/path/to/file.ext
         PrefixPath = /my/prefix -> path = /my/prefix/some/path/to/file.ext

EXAMPLE: Full path conversion
  LocalScan = yes
  StripPath = 3
  PrefixPath = /jail
Source path received by filter: spool/file.ext
1. After processing LocalScan : /var/drweb/spool/file.ext
2. After processing StripPath : spool/file.ext
3. After processing PrefixPath : /jail/spool/file.ext
DrWeb Daemon will scan the path : /jail/spool/file.ext
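
The three conversion steps above can be reproduced to check a StripPath and
PrefixPath pair before it is put into a chrooted setup. This is an added
example, not Dr.Web code. Assumptions: base_dir stands for the directory the
filter resolves the received path against, a path with too few slashes is
treated as an error, and ".." components are rejected as an extra hardening
step that the page does not describe; all names are hypothetical.

```python
import posixpath
import re


def strip_path(path, count):
    """Remove the smallest prefix containing `count` leading slashes.

    A run of adjacent slashes counts as one slash, as with `patch -p`.
    """
    rest = path
    for _ in range(count):
        match = re.search(r"/+", rest)
        if match is None:
            # Assumption: the page does not say what the filter does
            # when the path has fewer slashes than StripPath.
            raise ValueError("%r has fewer than %d slashes" % (path, count))
        rest = rest[match.end():]
    return rest


def prefix_path(path, prefix):
    """Prepend PrefixPath, which must not end with a slash."""
    if prefix.endswith("/"):
        raise ValueError("PrefixPath must not end with a slash")
    return prefix + "/" + path.lstrip("/")


def daemon_path(received, base_dir, strip=0, prefix=None):
    """Return the path the daemon is asked to scan in LocalScan mode."""
    # Step 1 (LocalScan): make the received path absolute.
    path = posixpath.join(base_dir, received)
    # Added hardening: refuse ".." so the result stays below the prefix.
    if ".." in path.split("/"):
        raise ValueError("'..' component in %r" % path)
    # Step 2 (StripPath), then step 3 (PrefixPath).
    path = strip_path(path, strip)
    if prefix is not None:
        path = prefix_path(path, prefix)
    return path


if __name__ == "__main__":
    # The page's "Full path conversion" example.
    print(daemon_path("spool/file.ext", "/var/drweb", strip=3, prefix="/jail"))
```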

IncludeReport = BOOL (yes)

Enable/disable including the Dr.Web daemon report in notifications (see the
$DAEMON_REPORT$ macro in the notifications description).

IncludeStats = BOOL (no)

Enable/disable including short statistics in notifications (see the
$SCAN_STAT$ macro in the notifications description).

ReportMaxSize = COUNT (4096)

Maximum size of the report that is created if IncludeReport is set to "yes".
You can specify 0 if you do not want to restrict the size, but it is a bad
idea - the report can grow to some megabytes for "mail bombs".

LocalScan = BOOL (yes)

Enable/disable "local scanning" mode. In the "local scanning" mode the
filter does not transmit the file itself to the daemon (as it does in general
mode) but only reports to the daemon the location of the file (containing
the message). This mode is notable for high performance, although it
requires accurate setting of the rights to the directories.
NOTE: Remember that LocalScan mode affects only the connection with the main
Dr.Web daemon (the one specified first in the Address list); for reserve
daemons "local scanning" mode is ALWAYS off.
NOTE: See the example of path conversion in the PrefixPath description.

RuleFilter = BOOL (off)

Enable/disable the message header analyser. The analyser uses the rules
written as regular expressions in the daemon's configuration file
(DAEMON_INI). See the documentation on the daemon. This option is available
only starting from the daemon v4.27.

Spool = STRING (absent)

Path to the directory where temporary files will be created for checking.

SpoolFilesMode = OCTAL (0600)

Permissions used for files in the spool directory.

SpoolFilenamesMode = STRING (Std)

Naming mode for spool files; the following modes are currently supported:
* std - using mkstemp (: %{SpoolFilenamesPrefix}XXXXXX)
* tai - use TAI  (: %sec.%usec.%{SpoolFilenamesPrefix}XXXXXX)
        For example, this can be processed by tai2tai64n and tai64nlocal
        from the daemontools package
* rand48 - using lrand48 (: %{SpoolFilenamesPrefix}XXXXXXXX)
        this is recommended for heavily loaded systems that have a poorly
        implemented mkstemp (i.e. Solaris)

SpoolFilenamesPrefix = STRING (drweb.tmp.)

Prefix for spool file names (see the SpoolFilenamesMode description)

DenyMode = STRING (byAll)

The parameter specifies how the filter should skip virus checking based on
DenyList. Virus checking can be "denied" (skipped) if mail addresses match
the deny list according to the mode defined by this parameter. A "denied"
check means that the message is delivered to all recipients unchecked.
Possible modes:
* byAll - deny if all addresses (sender and recipients) are denied in DenyList
  (obsolete DenyOnOne = no)
* byOne - deny if only one address (sender or recipient) is denied in DenyList
  (obsolete DenyOnOne = yes)
* bySender - deny if the sender address is denied (recipients are not checked)
* bySenderAndOneRecipient - deny if the sender address and one of the
  recipient addresses are denied in DenyList
* byOneRecipient - deny if one of the recipient addresses is denied in DenyList
  (sender address is not checked)
* byAllRecipients - deny if all of the recipient addresses are denied in
  DenyList (sender address is not checked)

DenyList = STRING (absent)

Path to the file containing the "blocked" masks; if it is not specified,
there are none.
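
Because a "denied" message is delivered unchecked, it helps to see which
DenyMode values skip scanning for a given envelope. The following is an added
example, not Dr.Web code. Assumptions: DenyList masks are shell-style
wildcards compared case-insensitively (the page does not define the mask
syntax), mode names are case-insensitive, byOne is read as "at least one
address", and the sample addresses are constructed.

```python
from fnmatch import fnmatchcase

MODES = ("byAll", "byOne", "bySender", "bySenderAndOneRecipient",
         "byOneRecipient", "byAllRecipients")


def is_denied(address, masks):
    """True if the address matches any DenyList mask (assumed wildcards)."""
    addr = address.lower()
    return any(fnmatchcase(addr, mask.lower()) for mask in masks)


def skip_scanning(mode, sender, recipients, masks):
    """Return True when the message would be delivered unchecked."""
    s = is_denied(sender, masks)
    r = [is_denied(rcpt, masks) for rcpt in recipients]
    one_r = any(r)
    # An empty recipient list never counts as "all recipients denied".
    all_r = bool(r) and all(r)
    rules = {
        "byall": s and all_r,
        "byone": s or one_r,
        "bysender": s,
        "bysenderandonerecipient": s and one_r,
        "byonerecipient": one_r,
        "byallrecipients": all_r,
    }
    key = mode.lower()
    if key not in rules:
        raise ValueError("unknown DenyMode: %r" % mode)
    return rules[key]


def modes_that_skip(sender, recipients, masks):
    """List every DenyMode under which this envelope bypasses scanning."""
    return [m for m in MODES if skip_scanning(m, sender, recipients, masks)]


# Constructed sample data, not taken from a real DenyList.
SAMPLE_MASKS = ["*@trusted.example"]
SAMPLE_SENDER = "alice@trusted.example"
SAMPLE_RCPTS = ["bob@trusted.example", "carol@other.example"]

if __name__ == "__main__":
    print(modes_that_skip(SAMPLE_SENDER, SAMPLE_RCPTS, SAMPLE_MASKS))
```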

   In the [Actions] section the actions the filter undertakes in different
cases are described.

---------------------------------------------------------------------------
 NOTES: 

 1. If you do not use the quarantine action for some reason, please check
 the notification templates for the appropriate case and, if needed, remove
 the text about where the original message has been stored.

 2. A notification is sent (if enabled) to the administrator even if the
 message was passed by configuration but has not been checked completely
 (see cases: SkipObject, ArchiveRestriction, ProcessingErrors,
 ScanningErrors).

 3. The cleaned message has to be repacked if you use the "cure" or "remove"
 actions for infected or suspicious objects. If the repack procedure fails,
 the CureFail action is applied. The Incurable action is never used if you
 do not use the "cure" action for Infected.
 
---------------------------------------------------------------------------

LicenseLimit = STRING (tempfail)

The action taken if an object was not checked because of license limitations.
Actions:
pass - accept such messages
tempfail - say "service temporary unavailable" to the mailer and reject such messages
reject - refuse to accept such messages

Infected = STRING (quarantine)

The action taken if an "infected" object is found in the message body -
i.e. a known virus. 
Possible actions: 
cure - cure infected attachment(s) and generate a cleaned message
remove - remove infected attachment(s) and generate a cleaned message
quarantine - deny the delivery and store the message itself in the quarantine
redirect - forward to RedirectMail and reject such messages
reject - refuse to accept such messages
discard - silently discard such messages (blackhole)

Suspicious = STRING (quarantine)

The action taken if a "suspicious" object is found in the message body -
possibly a new virus. 
Possible actions: 
pass - accept such messages
reject - refuse to accept such messages
quarantine - deny the delivery and store the message itself in the quarantine
redirect - forward to RedirectMail and reject such messages
discard - silently discard such messages (blackhole)

Incurable = STRING (quarantine)

The action taken if a part of the message is infected by an incurable virus.
See also the notes above.
Possible actions:
remove - remove infected attachment(s) and generate a cleaned message
reject - refuse to accept such messages
quarantine - deny the delivery and store the message itself in the quarantine
redirect - forward to RedirectMail and reject such messages
discard - silently discard such messages (blackhole)

CureFail = STRING (quarantine)

The action taken if the daemon fails to cure (remove) an infected attachment
or to generate a cleaned message. See also the notes above.
Possible actions:
reject - refuse to accept such messages
quarantine - deny the delivery and store the message itself in the quarantine
redirect - forward to RedirectMail and reject such messages
discard - silently discard such messages (blackhole)

Adware = STRING (quarantine)

The action taken if a message contains advertising software.
Possible actions:
pass - accept such messages
reject - refuse to accept such messages
discard - silently discard such messages (blackhole)
MSG_RENAME_ACTION
MSG_MOVE_ACTION

Dialers = STRING (quarantine)

The action taken if a message contains a dialer program.
Possible actions:
pass - accept such messages
reject - refuse to accept such messages
discard - silently discard such messages (blackhole)
MSG_RENAME_ACTION
MSG_MOVE_ACTION

Jokes = STRING (quarantine)

The action taken if a message contains a joke program or hoax.
Possible actions:
pass - accept such messages
reject - refuse to accept such messages
discard - silently discard such messages (blackhole)
MSG_RENAME_ACTION
MSG_MOVE_ACTION

Riskware = STRING (quarantine)

The action taken if a message contains potentially dangerous software.
Possible actions:
pass - accept such messages
reject - refuse to accept such messages
discard - silently discard such messages (blackhole)
MSG_RENAME_ACTION
MSG_MOVE_ACTION

Hacktools = STRING (quarantine)

The action taken if a message contains an intrusion tool, also known as a
hacktool.
Possible actions:
pass - accept such messages
reject - refuse to accept such messages
discard - silently discard such messages (blackhole)
MSG_RENAME_ACTION
MSG_MOVE_ACTION

RuleFilterAlert = STRING (quarantine)

The action taken if a message triggered a blocking action of the
message header analyser.
Possible actions:
reject - refuse to accept such messages
quarantine - deny the delivery and store the message itself in the quarantine
redirect - forward to RedirectMail and reject such messages
discard - silently discard such messages (blackhole)

EmptyFrom = STRING (continue)

The action taken if a message has a blank sender <>.
Possible actions:
reject - refuse to accept such messages
discard - silently discard such messages (blackhole)

ATTENTION: Your MTA will not be RFC-compliant if you set a
 non-continue action. The MTA MUST accept messages with the <> sender
 (RFC 2505, see 2.6.1).

SkipObject = STRING (reject)

The action taken if an object which cannot be checked by the antivirus
daemon is found in the message (e.g., a password-protected archive).
Possible actions:
pass - accept such messages
reject - refuse to accept such messages
quarantine - deny the delivery and store the message itself in the quarantine
redirect - forward to RedirectMail and reject such messages

ArchiveRestriction = STRING (reject)

The action taken against an object found in the message which cannot be
checked by the antivirus daemon because its compression rate (or the
embedded file) exceeds the maximum compression rate specified in the
daemon's configuration file (see MaxCompressionRatio, MaxFileSizeToExtract
and MaxArchiveLevel in DAEMON_INI).
Possible actions:
pass - accept such messages
reject - refuse to accept such messages
quarantine - deny the delivery and store the message itself in the quarantine
redirect - forward to RedirectMail and reject such messages

ScanningErrors = STRING (quarantine)

The action taken if any errors occurred during the message processing by
the daemon (e.g. memory shortage or no rights to access the file).
Possible actions: 
pass - accept such messages
reject - refuse to accept such messages
quarantine - deny the delivery and store the message itself in the quarantine
redirect - forward to RedirectMail and reject such messages
tempfail - say "service temporary unavailable" to the mailer and reject such messages

ProcessingErrors = STRING (quarantine)

The action taken if any errors occurred during the message processing by
the filter (e.g. memory shortage or failure to establish a connection with
the daemon).
Possible actions:
pass - accept such messages
reject - refuse to accept such messages
quarantine - deny the delivery and store the message itself in the quarantine
redirect - forward to RedirectMail and reject such messages
tempfail - say "service temporary unavailable" to the mailer and reject such messages

AdminMail = STRING (absent)

Specifies the mail address to which notifications addressed to the
administrator will be sent. The $POSTMASTER$ macro will be
replaced by this address.

FilterMail = STRING (absent)

The address that will be given as the notification sender's address. The
$FILTER_MAIL$ macro will be replaced by this address.

RedirectMail = STRING (absent)

All messages redirected (by the redirect action) will be sent to this address.

UnnotificableVirusesList = STRING (absent)

Path to the file containing the list of viruses for which notification and
quarantine action can be disabled; if it is not specified, there are none.
See viruses_list.txt for details.

UnnotificableAddressesList = STRING (absent)

Path to the file containing the list of addresses for which the notification
action can be disabled; if it is not specified, there are none.
See addresses_list.txt for details.

Quarantine = STRING (absent)

Path to the "quarantine" - the directory where the infected messages will
be stored.

QuarantineFilesMode = OCTAL (0660)

Permissions used for files in the quarantine directory.

QuarantineFilenamesMode = STRING (Std)

Naming mode for quarantined files; the following modes are currently supported:
* std - using mkstemp (: %{QuarantineFilenamesPrefix}XXXXXX)
* tai - use TAI  (: %sec.%usec.%{QuarantineFilenamesPrefix}XXXXXX)
        For example, this can be processed by tai2tai64n and tai64nlocal
        from the daemontools package
* rand48 - using lrand48 (: %{QuarantineFilenamesPrefix}XXXXXXXX)
        this is recommended for heavily loaded systems that have a poorly
        implemented mkstemp (i.e. Solaris)

QuarantineFilenamesPrefix = STRING (drweb.quarantine.)

Prefix for quarantined file names (see the QuarantineFilenamesMode description)


    In the [VirusNotifications] section regulations of notifying about a
detected virus are described.

SenderNotify = BOOL (yes)
AdminNotify = BOOL (yes)
RcptsNotify = BOOL (yes)

Whether to inform the sender, the administrator and the recipients
respectively that a virus has been found in the message.

SenderTemplate = STRING (absent)
AdminTemplate = STRING (absent)
RcptsTemplate = STRING (absent)

Paths to the templates of the corresponding notifications.

The parameters of the same name in the sections
[SkipNotifications], [CuredNotifications], [ArchiveRestrictionNotifications]
and [ErrorNotifications] have the same meaning, the only difference being the
event they refer to. In the [CuredNotifications] section the RcptsNotify and
RcptsTemplate options are disabled because they would be useless.

    In the [Logging] section the parameters of outputting the information
on filter operating are described.

Level = STRING (Quiet)

Sets the level of detail of the output information. The following values are
currently available: Quiet, Errors, Alerts, Info, Verbose, Debug. Operational
information will be output with SyslogPriority priority and SyslogFacility
facility.

SyslogFacility = STRING (Mail)

Logging type if the syslogd system service is used. Available values: Daemon,
Mail, Local0 .. Local7

SyslogPriority = STRING (Info)

Logging priority if the syslogd system service is used. Available values:
Debug, Info, Notice, Alert.


The [Submitter] section is obsolete and has been replaced by the [Mailer]
section.

    In the [Mailer] section the parameters of the mail system are described.

MailSystem = STRING (QMail)

Mail system name; must contain the name of your MTA (see in the brackets).

Sendmail = STRING (absent)

Path to the mail submission program with the standard sendmail interface:
{program} {add_args} {default_args} -f {sender} -- {rcpts} < {mail.msg}
In most cases the program is located at /var/qmail/bin/qmail-inject
See also the SendmailArgs description for details on the arguments.

SendmailArgs = STRING (absent)

Additional (to default) arguments for the submission program. By default
the submission program has the following arguments: absent
Examples: 
  SendmailArgs = "-C/usr/exim/alt_exim.conf"
  SendmailArgs = "-FUserName"

QmailQueue = STRING (absent)

Path to the original qmail-queue, preserved when installing.

    In the [Agent] section the parameters regarding the filter-agent 
interaction are described.

Address = ADDRESS (absent)

Definition of the agent's address. The agent is used for collecting
statistics from mail filters and sending them to stat.drweb.com.
Please read agent/readme.txt for details.

Timeout = COUNT (10)

Timeout (in seconds) for communication session between filter and agent.