File: /volume1/@appstore/MailPlus-Server/etc/template/bdamserver.template
# client-server SDK server configuration file

###
### Paths used by the application
###

# Specifies the full path to the anti-malware database directory root, which
# will contain the anti-malware databases used by the SDK. The actual
# databases will be stored in subdirectories 1 and 2 created in this directory.
# A file named 'active' will be created in this directory and will point
# to the currently active database.
#
# The path must be absolute, must exist and be writable, and must be different from PathAntispamRoot
#
# This parameter is required if you want to use anti-malware functionality.
#
# NOTE(review): the databases stored here drive what the engine detects, so
# write access should be limited to the account bdamserver runs as -- confirm
# ownership and mode on the deployed host.
#
PathAntimalwareRoot=/var/spool/@MailPlus-Server/bitdefender/antimalware


# This option specifies the full path to the anti-spam binaries and database directory root.
# The actual databases will be stored in subdirectories 1 and 2 created in this directory.
# A file named 'active' will be created in this directory and will point to the currently
# active database.
#
# If enabled, the server will load the anti-spam module from this directory, and will use
# it to scan for spam.
#
# This is an optional parameter. However if it is set, the LicenseAntispam must be set as well.
# The path must be absolute, must exist and be writable, and must be different from PathAntimalwareRoot
#
# NOTE(review): the server loads a module from this writable directory (see
# above), so whoever can write here can influence code the server runs. Keep
# it writable only by the service account -- confirm on the deployed host.
#
PathAntispamRoot=/var/spool/@MailPlus-Server/bitdefender/antispam


# Specifies the license serial number for the server.
# Required if you want to use anti-malware functionality.
#
# NOTE(review): license material is stored here in clear text. Keep the file
# readable only by the service account, and redact the value before the file
# is shared, attached to a ticket or committed to a repository.
#
LicenseSerial=3049D06F4E3FA923E404:9b3414ba-040d-446b-91de-5458e49b409d

# Specifies the license serial number for the anti-spam component. This serial is different
# from the one above, and must be obtained separately if the partner wants to use the anti-spam
# component of the server.
# NOTE(review): clear-text license material; restrict read access and redact before sharing.
LicenseAntispam=b3323bd2-db2d-4b36-9ddb-4f08c65e8e07


# Specifies the path which should be used to store temporary files
# for ICAP. By default $TEMP or /tmp is used. Optional.
#
# NOTE(review): this directory sits under /tmp, which is normally writable by
# every local user, and presumably receives content that is being scanned.
# It should exist before the service starts, be owned by the service account
# and be closed to other users -- confirm how the package creates it.
#
PathTemp=/tmp/mailplus_server/bitdefender


# Specifies the absolute file name in which the bdamserver process ID is stored
# after daemonization. This file is automatically removed on process shutdown.
# Optional.
#
PathPid=/var/run/mailplus_server/bdamserver.pid



###
### Networking options
###
#
# Listening and access control. Multiple Listen statements allowed.
# Syntax:
#   Listen <UNIX domain socket path>
#   Listen <UNIX domain socket path>:<octalpermissions>
#   Listen :<TCP/IP port number>
#   Listen <IP address>:<TCP/IP port number>
#
# Examples:
#
# Listen on UNIX domain socket /var/lib/bitdefender/bdamsock, default permissions
#Listen /var/lib/bitdefender/bdamsock
#
# Listen on UNIX domain socket /var/run/bdamsocket, permissions -rw------- (0600)
#Listen /var/run/bdamsocket:0600
#
# Listen on all network interfaces, port 1344 (icap)
#Listen :1344
#
# Listen on interface bound to 192.168.0.1, port 9001
#Listen 192.168.0.1:9001
#
# NOTE(review): the syntax and examples above separate key and value with a
# space, while the active line below uses '='. Confirm which form the parser
# accepts before copying an example.
#
# The active setting binds to the loopback address only, so the scan service
# is reachable from this host and not from the network.
Listen=127.0.0.1:1344


# This option specifies the server mode:
#    If set to 'preforked', the server works in the preforking mode.
#    If set to 'threaded', the server works in the multithreaded mode.
#    If set to 'worker', the server uses the worker mode.
#      (without quotes)
# See the documentation describing the difference between modes.
# Note that only ICAP is supported in 'worker' mode!
#
# This is a required parameter
#
# MailPlus Server uses the 'threaded' server mode to avoid using too many system resources on low-end machines.
ServerMode=threaded


# Adds TCP/IP hosts that are allowed to connect. By default, only localhost (127.0.0.1) is allowed to connect.
# Specify "HostAllow all" to enable connections from all addresses (only in a trusted environment!)
# Single IPv4 addresses are allowed, no netmasks. Multiple HostAllow statements are supported.
#
# Allow TCP/IP connections from 192.168.1.2
#
#HostAllow 192.168.1.2
#
# Allow TCP/IP connections from any address (insecure, NOT recommended)
#
#HostAllow=all


# Uncomment to disable Nagle TCP algorithm (TCP_NODELAY), which may increase ICAP server 
# network performance depending on host configuration. By default Nagle is enabled.
#
#SocketSetNoDelay=1


# Sets up the socket send buffer size in bytes for each created socket. 
# Value 0 (default) uses system defaults (typically ~100Kb on unconfigured Linux 2.6)
#
#SocketBufferSizeSend=1048576

# Sets up the socket recv buffer size in bytes for each created socket. 
# Value 0 (default) uses system defaults (typically ~100Kb on unconfigured Linux 2.6)
#
#SocketBufferSizeRecv=1048576




###
### Logging options
### 

# Specifies the absolute file name to the bdamserver log file. If not present,
# no log is written.
#
# NOTE(review): the active value is the word 'syslog' rather than an absolute
# file name; presumably the server treats it as "log to syslog" -- confirm,
# and confirm where those messages end up (see the TODO below).
#
# TODO: Use syslog and redirect local0 facility to /volumeX/\@maillog/bdamserver.log
PathLog=syslog
# PathLog=/var/spool/@MailPlus-Server/bitdefender/log/bdamserver.log

# Enables the debugging log. It grows very fast; do not use in production!
#
LogDebug=0

# Enables scan request logging.
#
# NOTE(review): with this at 0, individual scan requests are not recorded,
# which leaves less to work with when reconstructing what was scanned during
# an incident. Weigh that against the extra log volume.
#
LogScanRequests=0

# Enables opening the log file in APPEND mode. Do not enable on NFS!
#
# TODO: Check how this interacts with syslog
LogAppend=1



###
### Advanced options
###

# Daemonize the process. If set to 1, the bdamserver process forks into the background. Default is 1.
#
Daemon=1


# Client socket timeout in seconds, i.e. the client should send a request each specified amount of time.
# If no request is sent, the connection is closed. Disabled by default. Should be enabled with care,
# as requires special attention in client code.
#
#ClientTimeout=180


# Specifies the maximum number of simultaneously connected clients. Depending on the server mode this 
# setting might not actually restrict any clients from connecting to the server, but rather allows the 
# server to preallocate enough resources to handle the specified number of simultaneous connections. 
# One of the resources allocated with this setting is the file descriptor table. For each client 
# connection the server needs to allocate up to two file descriptors. By default there are only 1024 
# file descriptors available, meaning the server will be able to handle maximum of roughly 500 concurrent 
# connections. The system requires root privileges to raise this limit over 1024, which means that if 
# the server must handle more than 500 simultaneous connections, it must be run with root privileges 
# (preferably in chroot).
#
# Since for the preforked mode the server pre-forks the processes to handle the connections, in this 
# mode this setting specifies how many processes will be preforked (i.e. for MaxClients=500 the server 
# will prefork 500 processes). This also means that in this mode this setting actually limits the number 
# of simultaneous connections the server will accept, meaning if this value is set to 100, the server 
# will not accept more than 100 connections concurrently (however, as described above, it is not
# guaranteed that the server will be able to accept even 100 connections if the system is low on resources).
#
# For the worker and threaded modes the number of simultaneously handled connections is not restricted 
# by this setting, and the server will accept as many connections as allowed by the system.
#
# This is a required parameter
#
# By the two-descriptors-per-connection figure above, 256 clients need at most
# 512 file descriptors, which fits in the default limit of 1024, so this value
# does not by itself call for running the server as root.
# With ServerMode=threaded this value does not cap accepted connections (see above).
MaxClients=256


# Set maximum number of allocated anti-malware engine instances. If unset or zero, an engine instance will 
# be allocated for each thread, and deallocated when the thread is finished.
# Preallocating engines makes sense in two cases:
#  - It slightly (less than 1%) increases performance, as the engines do not need to be allocated and 
# deallocated each time a new thread spawned.
#  - It allows supporting more than 100 simultaneous threads without increasing memory requirements dramatically,
# as each engine instance could allocate up to 10Mb of memory in extreme cases (typically around 1Mb)
#
# This parameter is not used when ServerMode=preforked
#
# MaxCores=32


# If defined, this option specifies the number of worker threads spawned in ServerMode=worker. The number 
# which would give the best performance depends on the system and the objects scanned, and generally is in 
# range 1 - 4 * the number of CPU cores, i.e. for quad core machine the good number would be in 4-16 range.
#
# This option is required if ServerMode is set to worker.
#
#WorkerThreads=4



# This parameter only makes sense to use if ServerMode=preforked, and should be commented out
# otherwise. If defined and set to 1, this option instructs the server to close the connection right
# after the last request has been processed, so the child process can exit and a new process can be
# forked instead, which will contain a copy of the new database. This option makes sense if ClientTimeout
# is not set, and the client uses persistent connections.
#
# NOTE(review): ServerMode is set to 'threaded' in this file, yet the text
# above says this option should be commented out unless ServerMode=preforked.
# Confirm whether the server ignores it in threaded mode or whether this line
# should be commented out.
#
KillIdleConnectionsOnUpdate=1


# This parameter only makes sense to use if ServerMode=threaded or ServerMode=worker
# If defined, this option specifies the number of seconds engine internal memory buffers will be kept
# after the last use, until they are freed. This may increase the "first scan" performance, but will
# increase idle memory usage, as the memory usage will not go down after all scans complete.
#
# MailPlus Server requires 2GB RAM to enable antivirus.
# Current (2021/07/05) startup memory usage in multithreaded mode: 330MB
# The documentation recommends 10-120; the value below is the top of that range.
KeepEngineMemory=120


# This option enables (1) or disables (0) building and using the on-disk signature cache,
# which is mapped into memory. This will increase the disk usage, but will
# dramatically reduce the product's memory consumption, as the signatures are stored on disk.
# NOTE(review): where the cache is written is not stated here -- confirm that location is writable only by the service account.
EnableSignatureCache=1



###
### ICAP server options
###

# Enables or disables the ICAP protocol support, and specifies which components should be used for 
# scanning the objects received by the ICAP protocol. The following values are supported:
#   off - ICAP protocol support is disabled
#   antimalware - ICAP enabled, and the received objects are scanned with antimalware component
#   antispam    - ICAP enabled, and the received objects are scanned with antispam component
#   antimalware,antispam - ICAP enabled, and the received objects are scanned with both antimalware and antispam components
#
# Due to significant risk of false positives please DO NOT enable the anti-spam component if you scan the HTML 
# pages via ICAP. It should only be enabled if you use the ICAP protocol to scan RFC822 emails (not webmail).
#
#ProtocolICAP=antimalware


# Sets the maximum size in bytes of the processing object ICAP server connection will keep in memory.
# If the object grows larger than specified size, it will be dumped to the disk. This is value
# per single connection, not for all connections. Setting this value too low will negatively 
# affect the performance. Default is 1048576 (1Mb)
#
#ICAPMaxMemoryObjectSize=1048576


# Sets the maximum chunk size in bytes to send the ICAP reply back to the client. Only relevant for
# clients which do not understand "Allow: 204" option (squid does). Default value is 32768 bytes, 
# values less than 2048 are not supported.
#
#ICAPOutputChunkSize=4096


# Specifies HTML template file which will be returned instead of malicious object when found.
# The file supports the following macros, which will be replaced by appropriate values
# before sending:
# 
# %REASON% - a text message explaining why the file cannot be received. 
#            It looks like "spyware Win32.Patched was detected" or "file is encrypted"
#
# %MALWARENAME% - a name of detected malware. If no malware detected, an empty string.
#
# %MALWARETYPE% - a type of detected malware. If no malware detected, an empty string.
#
# %MALWARESTATUS% - a single word text description like "encryped" or "infected"
#
# %REQUESTURL% - the URL requested by the client
#
#ICAPHtmlTemplate=template-virus.html


# Specifies Content-Types to skip. Those content types will not be delayed and scanned,
# and will be passed as soon as the header is parsed. Since relying on content-type is not
# secure, this should be used as temporary workaround for a reported issue until the fix is
# provided. By default, all content types are scanned.
# Multiple content-types could be listed, but should be separated by comma.
#
#ICAPSkipContentType=text/html, application/x-msword


# Allows skipping for known media streams. This option lowers the security, since the media streams
# are bypassed without being scanned. However it might be necessary, as without it media streams are
# only played once they are received completely, and scanned. This might take a while for video streams,
# especially for streams like live TV.
# This option detects video streams by the content-type header and, if possible, by verifying that the video
# stream format matches the content type, so it provides more security than just adding the stream types
# to ICAPSkipContentType. However it won't be able to protect against vulnerabilities found in legitimate
# streams, as only the stream header is scanned.
# By default streams are not skipped.
#
# NOTE(review): set to 1 here, i.e. changed from the default, so content
# recognised as a media stream is passed through with only its header scanned.
# This template belongs to a mail server package; confirm the bypass is
# actually needed there, and leave it off otherwise.
ICAPBypassStreamMedia=1


# Allow scanning archives. If disabled, the archives will still be delayed, but not scanned by the engine.
# If enabled, the archives will be scanned. Disabling this option lowers the security but increases
# performance on archives.
# Enabled here, which is the more protective of the two settings described above.
ICAPScanArchives=1


# Allow scanning e-mail databases, like Outlook, The Bat, Thunderbird and so on. Depending on the type of
# traffic going through the client, it may or may not make sense to scan it.
# Enabled here.
ICAPScanEmaildb=1

# If defined, allow logging infected ICAP requests or responses into a separate log file. 
# Only infected or suspicious verdicts are logged, together with the URL requested and the 
# client IP (if available). This option only works when ProtocolICAP option is enabled. 
# This log is supplemental to the general bdamserver log, and does not depend on it.
#
#PathInfectedLogICAP=


# If this option is set to "on" or "extended", the ICAP protocol handler will also accept
# scans via the INSTREAM protocol supported by Clamd.
# Off here, so the ICAP handler does not accept INSTREAM scans.
ICAPSupportInstream=off


###
### SPAMD server options
###

# Enables or disables the SPAMD protocol support, and specifies which components should be used for 
# scanning the objects received by the SPAMD protocol. The following values are supported:
#   off - SPAMD protocol support is disabled
#   antimalware - SPAMD enabled, and the received objects are scanned with antimalware component
#   antispam  - SPAMD enabled, and the received objects are scanned with antispam component
#   antimalware,antispam - SPAMD enabled, and the received objects are scanned with both antimalware and antispam components
#
#ProtocolSPAMD=antispam



###
### Updater  options
###

#
# This option must be defined (unless UpdateURLAntivirus is defined). It must
# specify the host from which the anti-malware database updates, and optionally
# the anti-spam updates, will be downloaded. This should be either the hostname
# of the partner's mirror server, or the Bitdefender hostname created for the partner.
# If you do not know what to put here, please ask your account manager.
#
# This option must start with a scheme (http:// or https://) and end with /
#
# NOTE(review): the value below uses http://, so update traffic is not
# protected in transit. Whether the SDK verifies downloaded updates by other
# means is not stated in this file. Since https:// is an accepted scheme,
# confirm with the vendor whether this host can be used over HTTPS.
#
UpdateHostname=http://synology-57238133-4789-4e7d-bea5-7bacf7a993aa.2d7dd.cdn.bitdefender.net/

# If defined, this option specifies the URL the anti-malware database updates will 
# be downloaded from. Generally this should be the URL on the partner's mirror 
# server, but for the testing purposes the Bitdefender update server will be used 
# if this variable is commented out.
#
# If this option is set to an empty value, the anti-malware database update is disabled.
#
#UpdateURLAntivirus=http://www.example.com/avupdate


# If defined, this option specifies the interval (in minutes) between update 
# checks, meaning that if this option is set to 15 (default), the server 
# will check for update every 15 minutes. If no update is available, the 
# server will only download the index file. This option only makes sense when 
# the UpdateURLAntivirus option is set. Default value is 15 minutes.
#
# If this option is set to zero the anti-malware database updates are disabled.
#
#CheckUpdateInterval=15

# If the update attempt fails, the SDK will retry the update after a random
# delay (in seconds) between 5 seconds and the value of this parameter.
# This is useful to prevent the “thundering herd” problem, when the update 
# server was down and the clients try to connect at the same time.
#
# UpdateFailureDelay=120 means the actual delay would be a random value 
# between 5 and 120 seconds. Default is 60 (seconds).
#
#UpdateFailureDelay=60


# If defined, this option specifies the URL the anti-spam SDK updates will 
# be downloaded from. Generally this should be the URL on the partner's mirror 
# server, but for the testing purposes the Bitdefender update server will be used 
# if this variable is commented out. The SDK will check for the anti-spam SDK updates
# every time it is started or once a day, whatever comes first.
#
# For this option to work it is necessary to set the LicenseAntispam value.
#
# If this option is set to an empty value, the anti-spam SDK update is disabled.
#
#UpdateURLAntispam=http://www.example.com/asupdate

# If defined, this option specifies the interval (in minutes) between anti-spam
# update checks, meaning that if this option is set to 15 (default), the server
# will check for update every 15 minutes. If no update is available, the server
# will only download the index file. This option only makes sense when the
# UpdateURLAntispam option is set. Default value is 15 minutes.
#
# If this option is set to zero the anti-spam database updates are disabled.
#
#CheckUpdateIntervalAntispam=15



###
### Anti-spam options
###


# If defined, this option overrides the default Anti-Spam SDK aggressivity level which is 5.
# Increasing the aggressivity level increases the anti-spam detection rate but brings up 
# the risk of false positives.
#
#AntispamAggressivityLevel=5

# If defined and set to a nonzero value, this option enables automatic retry for the anti-spam
# scans which resulted in the "CLOUD_NO_RESPONSE" error, for the number of times specified.
# If commented out, the retry is disabled.
#
AntiSpamScanRetry=2

# If defined, specifies the time IN MILLISECONDS the Anti-Spam SDK would wait between retries.
# Default timeout is 1000 milliseconds, i.e. 1 second.
#
AntiSpamScanRetryTimeout=1000

# Specifies the maximum time IN MILLISECONDS the Anti-Spam SDK would wait for the cloud response.
# If the response is not received within the specified time frame, the request is considered timed out.
# Default timeout is 1000 milliseconds, i.e. 1 second.
#
AntiSpamCloudTimeout=1000

# If set to 1, the Anti-Spam component will communicate with Bitdefender cloud using HTTPS.
# Please also see the AntiSpamHTTPSpathCA option if you enable HTTPS.
# Default value is 0, and thus HTTP is used.
#
# NOTE(review): the line below is commented out, so by the default stated
# above the anti-spam cloud queries go over plain HTTP. Confirm whether HTTPS
# can be enabled for this deployment.
#
#AntiSpamUseHTTPS=0

# If AntiSpamUseHTTPS is set to 1, the Anti-Spam SDK will use HTTPS. Since it requires the SSL certificate
# validation against known certificate authorities, the SDK must know where your system stores the listed
# certificate authorities. If this option is defined, and specifies the path to the certificate authorities
# in OpenSSL 1.0+ format, the SDK will use this list. 
# By default (if this option is not defined), the system default list is used.
#
#AntiSpamHTTPSpathCA=/etc/openss/ca/

# If defined, the Anti-Spam SDK would use the specified HTTP proxy to communicate with the cloud. The proxy
# must be specified as IP:port or domain:port without schema. Only HTTP proxy is supported.
# Additionally, if AntiSpamProxyUser and AntiSpamProxyPass are defined, they also would be used to authenticate
# to the proxy.
# By default no proxy is used
#
#AntiSpamProxy=192.168.0.1:3128
#AntiSpamProxyUser=admin
#AntiSpamProxyPass=password

# This setting should be used if your emails are routed through internal SMTP relays before reaching the SDK.
# To avoid extra delays and possible false positives, specify one or more (separated by a space) IP addresses
# of the trusted SMTP relays which your e-mails are routed through.
#
# TODO: May become UI option
#AntiSpamTrustedSMTPrelays=192.168.22.33 17.139.11.34


###
### Cloud communication options
###

# Specifies the path containing the cloud communication files (libbdnc.so and bdnc.ini).
# Those files are installed next to the bdamserver executable, but could be copied anywhere.
# If this path is not defined, the cloud communication functionality in the SDK is disabled.
# Please note that enabling cloud communication may require a different Bitdefender license serial.
#
# NOTE(review): presumably libbdnc.so is loaded from this directory, so it
# should not be writable by accounts other than the installer -- confirm.
#
CloudBinaryPath=/var/packages/MailPlus-Server/target/lib/bitdefender


# When cloud communication is enabled, to improve detection the Bitdefender engine might need
# to upload some files which are detected as malicious to Bitdefender cloud. Generally this only
# happens with malicious files; please see the documentation for further details.
#
# This parameter must be set to 0, 1 or 2 and specifies the policy for those uploads:
#
# CloudUploadLevel=0 would disable any file uploads;
# CloudUploadLevel=1 would enable only uploads of malicious executables;
# CloudUploadLevel=2 would enable uploads of malicious executables and certain other files, including HTML and DOC/PDF;
#
# Bitdefender recommends using at least CloudUploadLevel=1
#
# NOTE(review): at level 1, files the engine judges to be malicious
# executables may leave this host for the vendor cloud. This template belongs
# to a mail server package, so such files would presumably come from users'
# messages; confirm this matches the organisation's data-handling policy.
#
CloudUploadLevel=1


###
### URL Reputation options
###

# Specifies the license to use the URL Reputation server via SCANURL command. Optional, only needed if you use this functionality.
# 
#LicenseUrlReputation=


###
### Sandbox options
###

# Please specify your Bitdefender Sandbox license here. This license controls access to Bitdefender Sandbox submission only; it
# does not control access to Prefiltering functionality.
# As the license is very long, please pay attention not to introduce extra line breaks, which would terminate the license prematurely.
#SandboxLicense=

# Please specify the path which Sandbox integration will use to store the cache files. Those are small files (up to 64Kb) storing 
# either the jobid or scan result for the previously scanned files, based on their SHA3-256 hash.
# This option must be set if you use Sandbox. It should point to an existing writable directory. Make sure to secure it.
#
#SandboxCachePath=

# This option specifies the aggressivity level of Sandbox prefiltering engine when scanning all kinds of files 
# and returning BDAM_THREAT_TYPE_NEEDSANDBOX scan verdict. The option accepts the value from 0 to 10, with the following meanings:
# 0 Disabled
# 1 Permissive
# 2 Normal
# 3 Aggressive
# 10 Always
#
#SandboxPrefilterLevelAll=
#
# OR you can specify individual aggressivity levels per each category individually, by commenting out SandboxPrefilterLevelAll 
# and uncommenting ALL options below and setting them.
#
#SandboxPrefilterLevelGeneric=
#SandboxPrefilterLevelApplications=
#SandboxPrefilterLevelDocuments=
#SandboxPrefilterLevelScripts=
#SandboxPrefilterLevelEmails=
#SandboxPrefilterLevelArchives=