Note
DNSBL (DNS-based black hole list) is a database that lists IP addresses of mail servers used for uncontrolled mass mailing. Such servers receive mail from anyone and deliver it further to arbitrary recipients. Use of a DNSBL allows automatic blocking of mail from such mail servers. Various services use different policies for generating such lists. Please examine carefully the policy of each service before you start using it for mail filtering.
CHAPTER 1. KASPERSKY® MAIL GATEWAY 5.6
Kaspersky® Mail Gateway 5.6 (henceforth referred to as Kaspersky Mail Gateway or the application) filters SMTP e-mail traffic to protect e-mail system users against viruses and unwanted messages (spam). The application is a full-featured mail relay (compliant with IETF RFC Internet standards) that runs under the Linux and FreeBSD operating systems.
The application allows the user to:
• Scan e-mail messages for viruses, including both attached objects and message bodies.
• Detect infected, suspicious, and password-protected attachments and message bodies.
• Perform anti-virus processing (including disinfection) of infected objects detected in e-mail messages by scanning.
• Filter e-mail traffic by the names and MIME types of attachments, and apply specified processing rules to the filtered objects.
• Check each message, including attached objects, for signs typical of spam.
• Check, during anti-spam analysis, the addresses of the mail sender and recipient (envelope), the message size and various headers (including From and To).
• Perform the following checks as part of the anti-spam mail analysis:
  o presence of the sender's IP address in a DNS-based real-time black hole list (DNSBL);
  o availability of a DNS record for the sending server (reverse DNS lookup);
  o a check of the sender's IP address for compliance with the list of addresses allowed for a domain, based on the Sender Policy Framework (SPF);
  o a check of addresses and links to web sites in the message text using the Spam URL Real-time Blocklists (SURBL) service.
• Also scan attached images, comparing them to the signatures of known spam messages, and take the comparison results into account when determining the status of the message.
• Maintain archives of all e-mail messages sent and/or received by the application, if required by the internal security policy of the company.
• Enable restrictions for SMTP connections, to provide protection against hacking attacks and to prevent the application being used as an open e-mail relay for unsolicited e-mail messages.
• Limit the load on your server by configuring the application's settings and SMTP parameters.
• Create white and black lists of senders and recipients, applied during processing of e-mail traffic.
• Notify senders, recipients, and the administrator about disinfected letters, about messages containing infected, suspicious, or protected objects, and also about errors that have occurred during mail scanning.
• Quarantine messages identified as spam or probable spam, formal or blacklisted mail, as well as messages containing infected and suspicious objects.
• Update the anti-virus and anti-spam databases of Kaspersky Mail Gateway. The application retrieves updates from Kaspersky Lab's update servers. You can also configure the application to update the databases from a local directory.
  The application detects and cures infected objects using the anti-virus database. During scans, the contents of each file are compared to the sample code of known viruses contained in the database.

  Attention!
  Please remember that new viruses appear every day, and therefore you are advised to keep the anti-virus databases up to date. New updates are made available on Kaspersky Lab's update servers every hour.

  The anti-spam databases are used during analysis of message contents (including Subject and other headers) and attached files. The application uses linguistic algorithms which compare the analyzed text with sample messages, and search for typical words and word combinations.

  Attention!
  Kaspersky Lab's Linguistic Laboratory continues to work on improving and supplementing the corpus of data used for spam detection. Efficient spam fighting requires that you regularly update the application's anti-spam databases. Updates for the databases are made available on Kaspersky Lab's update servers every three minutes.

  The keepup2date component's function is to update the anti-virus and anti-spam databases (see section 5.1 on p. 46).
• Configure and manage Kaspersky Mail Gateway, either from a remote location using the Webmin web-based interface, or locally using standard operating system tools: command line options, signals, special command files, or editing the application's configuration file.
• Monitor the anti-virus protection, spam filtering status, application statistics and logs, both locally and remotely, using the Webmin interface.
• Obtain configuration data and statistics on application activity via SNMP, and configure the application to generate and send SNMP traps upon occurrence of certain events.
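As an added illustration of the DNSBL and reverse-DNS checks listed above (example code written for this page, not part of Kaspersky Mail Gateway), the following Python builds the DNSBL query name in the conventional reversed-octet form, interprets an answer inside 127.0.0.0/8 as "listed", checks for a PTR record, and applies the RFC 5782 sanity test that 127.0.0.2 must be listed and 127.0.0.1 must not be. The list zone dnsbl.example and the resolver answers are constructed placeholders, so the code runs offline.

```python
import ipaddress

# Placeholder list zone (assumption): substitute the zone of the DNSBL service
# whose listing policy you have reviewed.
DNSBL_ZONE = "dnsbl.example"

# Constructed resolver table standing in for real DNS: name -> record,
# missing name = NXDOMAIN. 192.0.2.10 is "listed", 198.51.100.7 is not.
CONSTRUCTED_DNS = {
    "10.2.0.192.dnsbl.example": "127.0.0.2",        # listed sender
    "2.0.0.127.dnsbl.example": "127.0.0.2",         # RFC 5782 test entry
    "10.2.0.192.in-addr.arpa": "mail.example.net",  # PTR record exists
}


def constructed_resolve(name):
    """Stand-in for a DNS lookup; returns None where DNS would answer NXDOMAIN."""
    return CONSTRUCTED_DNS.get(name)


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Reverse the octets of the sender's IPv4 address and append the list zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, resolve, zone=DNSBL_ZONE):
    """A listed address answers with an A record inside 127.0.0.0/8."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def has_reverse_record(ip, resolve):
    """Reverse DNS check: is there a PTR record for the sending server?"""
    return resolve(ipaddress.IPv4Address(ip).reverse_pointer) is not None


def list_is_sane(resolve, zone=DNSBL_ZONE):
    """RFC 5782 convention: 127.0.0.2 must be listed and 127.0.0.1 must not be.
    A zone that fails this is dead or wildcarded and would block all mail."""
    return is_listed("127.0.0.2", resolve, zone) and not is_listed("127.0.0.1", resolve, zone)


def sender_checks(ip, resolve, zone=DNSBL_ZONE):
    """Both DNS-based checks as one result the filtering stage can score."""
    return {
        "dnsbl_listed": is_listed(ip, resolve, zone),
        "reverse_dns": has_reverse_record(ip, resolve),
    }


if __name__ == "__main__":
    print("list sane:", list_is_sane(constructed_resolve))
    for sender in ("192.0.2.10", "198.51.100.7"):
        print(sender, sender_checks(sender, constructed_resolve))
```

The sanity test is the check a practitioner wants before trusting any list: a decommissioned DNSBL zone that answers every query would otherwise reject all incoming mail.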
1.1. What's new in Kaspersky Mail Gateway 5.6
Kaspersky Mail Gateway has the following additional features as compared to Kaspersky SMTP-Gateway 5.6:
• The application includes an anti-spam module with the following features:
  o Increased performance and stability.
  o Low RAM requirements.
  o Low level of Internet traffic (updates to Kaspersky Mail Gateway databases).
  o Improved filtering methods are used, namely:
    - Algorithms for parsing of HTML objects in e-mail messages (increasing the efficiency of protection against various spammer tricks devised to bypass filtering systems).
    - System for analysis of e-mail message headers.
    - System for analysis of graphical attachments (GSG).
    - Sender Policy Framework (SPF) and Spam URL Realtime Blocklists (SURBL) services.
    - Internal Urgent Detection System (UDS) service, which allows obtaining information about certain types of spam in real time.
• Individual settings available for user groups: certain scanning methods can be enabled/disabled separately for every group; you can also define the actions to be performed on e-mail messages.
• Collection of configuration data and statistics of application activity via SNMP; the application can be configured to send SNMP traps when certain events occur.
• Redesigned subsystem accepting incoming mail consumes fewer resources and supports more simultaneous incoming connections.
1.2. Licensing policy
The licensing policy for Kaspersky Mail Gateway 5.6 limits product use based on these criteria:
• Number of users protected by the application.
• E-mail traffic processed daily (MB/day).
Each type of license also has a time limit, typically one or two years from the date of purchase.
At the time of purchase, you can specify which type of license limitation you require (for example, by the daily e-mail traffic volume).
In addition, you can choose during product purchase whether your copy of Kaspersky Mail Gateway will only perform anti-virus scanning of e-mail traffic, or if it will also filter spam.
The application has slightly different configuration parameters depending on the type of license you purchased. For instance, if the license is issued for a certain number of users, you will have to create a list of addresses (domains) that will be protected by the application against viruses and spam. The application will notify the administrator when the license limitations are reached: in this case, when the number of protected accounts is exceeded.
1.3. Hardware and software requirements
The minimum system requirements for normal operation of Kaspersky Mail Gateway are as follows:
Hardware requirements:
• Intel Pentium® processor (Pentium III or Pentium IV recommended).
• At least 256 MB of available RAM.
• At least 100 MB of available space on your hard drive to install the application.
• At least 500 MB of available space in the /tmp file system.

Attention!
Please note that the application's working queue, quarantine directory, and archives of incoming and outgoing e-mail are not included in the hard disk space required. If your network security policy requires the use of these features, additional disk space will be needed.
Software requirements:
• One of the following operating systems for 32-bit platforms:
  o Red Hat Enterprise Linux Server 5.
  o Fedora 7.
  o SUSE Linux Enterprise Server 10.
  o OpenSUSE Linux 10.3.
  o Debian GNU/Linux 4 r1.
  o Mandriva 2007.
  o Ubuntu 7.10 Server Edition.
  o FreeBSD 5.5, 6.2.
• One of the following operating systems for 64-bit platforms:
  o Red Hat Enterprise Linux Server 5.
  o Fedora 7.
  o SUSE Linux Enterprise Server 10.
  o OpenSUSE Linux 10.3.
• Perl interpreter, version 5.0 or higher (www.perl.org), the bzip2 utility to unpack the spam filtering databases, and the which utility for application installation.
• Webmin version 1.070 or higher (www.webmin.com) to install the remote administration module (optional).
1.4. Distribution kit
You can purchase the product either from our dealers or at one of our online
stores (for example, www.kaspersky.com/store – follow the E-store link).
If you purchase our application online, you will download it from Kaspersky Lab's
website. Your product key will be sent to you by e-mail after payment.
The License Agreement constitutes a legal agreement between you and Kaspersky Lab, containing the terms and conditions under which you may use the purchased software.
1.5. Help desk for registered users
Kaspersky Lab offers an extensive service package enabling registered customers to boost the productivity of Kaspersky Mail Gateway.
After purchasing the product key, you become entitled to receive the following services for the validity period of your key:
• New versions of the application, provided free of charge.
• Phone or e-mail support on matters related to the installation, configuration, and operation of the product you have purchased. You can contact the Technical Support service for consulting using any of the following methods:
  o Make a phone call to Technical Support.
  o Create and send a request using the Technical Support web site (http://www.kaspersky.com/helpdesk) or your personal user cabinet.
• Notifications about new software products from Kaspersky Lab, and about new virus outbreaks. This service is provided to users who subscribe to Kaspersky Lab's e-mail newsletter service.

Note
Kaspersky Lab does not give advice on the performance and use of your operating system, third-party applications or other technologies.
CHAPTER 2. APPLICATION STRUCTURE AND TYPICAL DEPLOYMENT SCENARIOS
The correct configuration of the application, and its efficient operation, require knowledge of its structure and internal algorithms. It is also important for the application's deployment within an existing corporate e-mail system. This chapter discusses in detail the application's structure, architecture and operating principles, as well as typical deployment scenarios.
2.1. Application architecture
A review of the application's functionality must be preceded by a description of its internal architecture.
Kaspersky Mail Gateway is a fully-featured Mail Transfer Agent (MTA), able to receive and route e-mail traffic, which also scans e-mail messages for viruses, and filters spam.
The application uses SMTP protocol commands (RFC 2821), the Internet message format (RFC 2822), the MIME format (RFC 2045-2049, 2231, 2646), and satisfies the requirements for e-mail relays (RFC 1123). In compliance with anti-spam recommendations (RFC 2505), the application uses access control rules for SMTP clients to prevent the use of this application as an open relay. In addition, Kaspersky Mail Gateway supports the following SMTP protocol extensions:
• Pipelining – enhances performance of servers supporting this mode of operation (RFC 2920).
• 8-bit MIME Transport – processes code tables of national language characters (RFC 1652).
• Enhanced Error Codes – provides more informative explanations of protocol errors (RFC 2034).
• DSN (Delivery Status Notifications) – decreases bandwidth usage and provides more reliable diagnostics (RFC 1891, 3461-3464).
• SMTP Message Size – decreases the server load and increases the transfer rate (RFC 1870).

Note
The RFC documents mentioned above are available at: http://www.ietf.org.

The application includes these components:
• mailgw – the main application component – a fully-featured e-mail relay with built-in anti-virus protection and spam filtering.
• licensemanager – the component which manages product keys (their installation, removal, and statistics).
• keepup2date – the component that updates the anti-virus and anti-spam databases, by downloading the updates either from Kaspersky Lab's update servers or from a local directory.
• Webmin module – for remote administration of the application using a web-based interface (optional installation). This component allows the user to configure and manage the database updating process, specify the actions to be performed on detected objects, and monitor the application's operation.
The main application component (see Fig. 1), in turn, consists of these modules:
• Receiver, which receives incoming e-mail.
• Sender, which sends out messages which have passed anti-virus scanning and spam filtering.
• AS module, which performs anti-spam analysis of e-mail, its classification and processing.
• AV module, the anti-virus engine.
• Scanning module, which works with the AS and AV modules to process messages, providing anti-virus scanning and spam filtering of e-mail traffic.
Figure 1. General architecture of Kaspersky Mail Gateway
2.2. The main application's algorithm
The application works as follows (see Fig. 2):
1. The e-mail agent receives e-mail messages via the SMTP protocol, and passes them to the Receiver module.
Figure 2. Working queue of Kaspersky Mail Gateway
2. The Receiver module performs preliminary e-mail processing using the following criteria:
  o presence of the sender's IP address in the list of blocked and/or trusted addresses, including masks;
  o compliance with the access restrictions specified for SMTP connections (see section 5.5.2 on p. 70);
  o compliance of the message size (and the total number of messages within the session) with the limits specified in the application's settings;
  o compliance of the number of open sessions (both the total number from all IP addresses, and from a single IP address) with the limits specified in the application's settings.
If the message satisfies the preliminary processing requirements, it is sent to the working queue to be processed by the Scanning module.
If the option to archive all incoming e-mail has been selected, a copy of any message added to the working queue will be automatically preserved in the archive of received messages.
Blind carbon copies of each message can also be sent to a specified list of e-mail addresses before scanning of the received mail.
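The preliminary processing in step 2, as an added example written for this page (it is not the product's code): a small Receiver that applies the four criteria above in order, using CIDR masks for the blocked and trusted lists and the session and size limits from a settings object. The limit values, the sample addresses and the rule that a trusted address is exempt from the session limits are assumptions made for the example; the text itself does not define what "trusted" exempts.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class ReceiverLimits:
    max_message_bytes: int         # per-message size limit
    max_messages_per_session: int  # messages accepted within one SMTP session
    max_sessions_total: int        # open sessions from all IP addresses
    max_sessions_per_ip: int       # open sessions from a single IP address


@dataclass
class Session:
    ip: str
    messages: int = 0  # messages accepted so far in this session


class Receiver:
    """Preliminary checks before a message enters the working queue."""

    def __init__(self, limits, blocked=(), trusted=()):
        self.limits = limits
        # Lists "including masks": each entry is an address or a CIDR network.
        self.blocked = [ipaddress.ip_network(m) for m in blocked]
        self.trusted = [ipaddress.ip_network(m) for m in trusted]
        self.open = []  # currently open sessions

    @staticmethod
    def _matches(ip, networks):
        return any(ip in net for net in networks)

    def open_session(self, ip_str):
        """Connection-level checks. Returns (Session or None, reason)."""
        ip = ipaddress.ip_address(ip_str)
        if self._matches(ip, self.blocked):
            return None, "sender IP is in the blocked list"
        # Assumption for this example: trusted addresses bypass the session limits.
        if not self._matches(ip, self.trusted):
            if len(self.open) >= self.limits.max_sessions_total:
                return None, "total open-session limit reached"
            per_ip = sum(1 for s in self.open if s.ip == ip_str)
            if per_ip >= self.limits.max_sessions_per_ip:
                return None, "per-IP open-session limit reached"
        session = Session(ip_str)
        self.open.append(session)
        return session, "session accepted"

    def accept_message(self, session, size_bytes):
        """Message-level checks. Returns (accepted, reason)."""
        if size_bytes > self.limits.max_message_bytes:
            return False, "message exceeds size limit"
        if session.messages >= self.limits.max_messages_per_session:
            return False, "per-session message limit reached"
        session.messages += 1
        return True, "queued for scanning"

    def close_session(self, session):
        self.open.remove(session)


if __name__ == "__main__":
    # Constructed settings and addresses (documentation ranges, not real hosts).
    rx = Receiver(ReceiverLimits(1_000_000, 2, 3, 1),
                  blocked=["192.0.2.0/24"], trusted=["10.0.0.0/8"])
    print(rx.open_session("192.0.2.5"))       # blocked
    s, _ = rx.open_session("198.51.100.7")    # accepted
    print(rx.accept_message(s, 2_000_000))    # too large
```

Each rejection returns a reason string so the decision can be logged at the point it is made, which is what an operator needs when a legitimate sender reports being refused.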
3. The Scanning module receives a message from the working queue and transfers it to the anti-spam module for inspection.
The anti-spam module consists of the following components:
  o Filtering master process and filtering processes, which perform the actual mail analysis.
  o Licensing daemon, which verifies the presence of a valid key file and compliance with the restrictions defined in the key.
  o Daemon processing SPF requests.
  o Auxiliary programs and scripts, including the script compiling the anti-spam databases.
The main component of the anti-spam module is the filtering master process (mailgw-process-server), performing the following functions:
  o Monitoring of requests for connection to filtering processes from the application's Scanning module.
  o Launch of new filtering processes when there are no more available ones.
  o Control of the status of running filtering processes.
  o Termination of child processes upon an appropriate signal.
A filtering process (ap-mailfilter) receives the message header and body at launch, scans them and returns the results.
If the message sender should be checked for compliance with the existing SPF policy, the filtering process sends a request to the SPF daemon (mailgw-spfd), which performs the necessary queries to the DNS server and returns the results to the filtering process.
Message analysis and application of the rules defined by the parameters in the configuration file are only performed when a valid product key is present. All license-related checks are performed by the licensing module (kas-license) upon request from a filtering process.
Having finished message processing, a filtering process keeps running, expecting a new request. A filtering process is terminated after it has handled the maximum number of messages specified for a single process (usually 300) or if it remains idle for a long time.
The AS module assigns a certain status to the message based on the inspection results, and returns the message to the Scanning module, which breaks it into its components and passes them to the AV module for analysis.

Attention!
If you have only purchased a license for anti-virus scanning of e-mail traffic, spam filtering will not be performed. Messages will be delivered directly to the AV module for scanning, and any configuration parameters which apply to the anti-spam module are ignored.

4. The AV module scans the objects and, if this option is enabled, disinfects them when necessary.
5. The Scanning module handles messages according to the status (see section 4.2 on p. 36) assigned to each part of the message during analysis by the AS and AV modules. Possible actions include blocking message delivery, deleting infected objects, modifying message headers, and moving the message to the quarantine directory. The actions to be applied are specified in the application's configuration file. Each processed message is then added to the ready-to-send message queue.
6. If the application's configuration specifies that detected messages are to be saved in quarantine, a copy of the scanned message will be saved in the quarantine directory concurrently with its transfer to the ready-to-send queue. The application creates separate quarantine directories for messages identified as spam or probable spam (after anti-spam analysis), and for messages containing infected or suspicious objects (after anti-virus scanning).

Note
The creation of a copy of a message in backup storage or the quarantine directory does not block delivery of the original message to the recipient. An additional action blocking its delivery must be specified to prevent message delivery to the recipient.

7. The Sender module receives each message from the ready-to-send queue, and transfers it via the SMTP protocol to the onward e-mail agent to be delivered to local end users or rerouted to other mail servers.
8. If your network security policy requires logging of all outgoing e-mail traffic, a copy of each message will be automatically stored in the archive of sent messages after it is dispatched (see Fig. 3).
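Steps 5 and 6 above, and the Note that a quarantine copy by itself does not stop delivery, as an added example written for this page (not the product's own action engine): a status-to-actions dispatcher that produces a copy in the separate spam and anti-virus quarantine directories, deletes infected parts, adds a header, and only withholds delivery when a blocking action is configured. The status names, the action names, the header name X-Scan-Status and the quarantine paths are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    CLEAN = "clean"
    SPAM = "spam"
    PROBABLE_SPAM = "probable spam"
    INFECTED = "infected"
    SUSPICIOUS = "suspicious"


# Separate quarantine directories for anti-spam and anti-virus verdicts
# (paths are constructed for the example).
QUARANTINE_DIR = {
    Status.SPAM: "quarantine/spam",
    Status.PROBABLE_SPAM: "quarantine/spam",
    Status.INFECTED: "quarantine/av",
    Status.SUSPICIOUS: "quarantine/av",
}


@dataclass
class Part:
    name: str
    status: Status = Status.CLEAN   # verdict of the AV module for this part


@dataclass
class Message:
    msg_id: str
    spam_status: Status             # verdict of the AS module for the whole message
    parts: list


@dataclass
class Outcome:
    delivered: bool = True          # goes to the ready-to-send queue unless blocked
    quarantined_to: list = field(default_factory=list)
    headers: dict = field(default_factory=dict)
    remaining_parts: list = field(default_factory=list)


def apply_actions(msg, actions):
    """actions maps a Status to a set of action names from the (constructed)
    configuration: "quarantine", "block", "header", "delete"."""
    out = Outcome(remaining_parts=list(msg.parts))
    statuses = [msg.spam_status] + [p.status for p in msg.parts]
    for status in statuses:
        if status is Status.CLEAN:
            continue
        acts = actions.get(status, set())
        if "quarantine" in acts:
            # A copy is written; on its own this never stops delivery.
            target = QUARANTINE_DIR[status]
            if target not in out.quarantined_to:
                out.quarantined_to.append(target)
        if "header" in acts:
            out.headers["X-Scan-Status"] = status.value  # header name is an assumption
        if "delete" in acts:
            out.remaining_parts = [p for p in out.remaining_parts if p.status is not status]
        if "block" in acts:
            out.delivered = False  # the additional action the Note calls for
    return out


if __name__ == "__main__":
    spam = Message("m1", Status.SPAM, [Part("body")])
    print(apply_actions(spam, {Status.SPAM: {"quarantine"}}))           # still delivered
    print(apply_actions(spam, {Status.SPAM: {"quarantine", "block"}}))  # withheld
```

Reviewing a configuration against this model catches the common misreading: "quarantine" means "keep a copy for the administrator", and a policy that intends to stop spam or infected mail reaching users needs "block" (or "delete" for the infected parts) alongside it.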
Attention!
The application, being an e-mail relay, does not include a local e-mail delivery agent (MDA). Therefore, all deployment scenarios require an e-mail system (or e-mail systems) to deliver e-mail messages to local users within protected domains.

Figure 3. Saving messages to the archives of received / sent messages
2.3. Typical deployment scenarios
Depending upon the network architecture, there are two options for installing Kaspersky Mail Gateway:
• install the application within a demilitarized zone (DMZ), acting as a buffer between the internal corporate LAN and the external network;
• install the application inside the perimeter of the corporate network, as part of your existing e-mail system.
In each of the above cases the application can be installed:
• on the same server as the running e-mail system;
• on a dedicated server.
The sections below discuss these scenarios in detail and describe their advantages.
Attention!
You must set up restrictions for the e-mail transfer agent (MTA) receiving e-mail from Kaspersky Mail Gateway via port 1025, so that it accepts messages exclusively from Kaspersky Mail Gateway (e.g., configure mail receipt from the localhost (127.0.0.1) interface only). Otherwise, it will be possible to bypass the application with a connection established directly from the external network through port 1025.
2.3.1. Installing the application in a demilitarized zone
The main advantage of this deployment option is that it improves the overall performance of your e-mail system, by minimizing the number of transfer cycles for e-mail messages. It also provides additional protection for data, because in that case the existing corporate mail server has no connection to the Internet.
This is an overview of how to install the application and the e-mail system on the same server, so that they work together:
1. Configure all interfaces of Kaspersky Mail Gateway to listen on port 25 for incoming e-mail traffic from all IP addresses which match the relevant MX records for the protected domain.
2. The application will filter spam and scan e-mail, and then transfer processed messages to the corporate e-mail system via a different port (e.g., 1025).
3. The e-mail system, configured to use a local interface, delivers messages to users.
Follow these steps to install the application and the e-mail system on the same server:
• Configure the application to receive e-mail via port 25 on all the server's network interfaces. To do this, specify the following value in the [mailgw.network] section of the configuration file:
  ListenOn=0.0.0.0:25
• Specify in the routing table that all scanned messages will be transferred to the e-mail system via port 1025. To do this, specify the following value in the [mailgw.forward] section of the application's configuration file:
  ForwardRoute=<company_mask> [localhost:1025]
  where <company_mask> is the mask for recipient addresses.
• Change the settings of the existing e-mail system to receive messages only from the application via port 1025. This will ensure that all incoming e-mail messages are received, and that they are delivered to local users within the protected domains of the company.
• Set up the existing e-mail system to transfer all the messages it receives to the application via port 25. This will ensure anti-virus scanning and anti-spam filtering of all outgoing e-mail messages from local users.
• Specify a list of all corporate local domains as the value for the ProtectedDomains option in the [mailgw.forward] section of the application configuration file ("*" and "?" wildcards can be used). E-mail messages for the specified domains will be scanned.

Attention!
These are the default application configuration settings for this deployment scenario, which will be stored in the configuration file by the installation process.
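An added check for the same-server scenario (example code written for this page, not a product feature): after the existing e-mail system has been reconfigured to accept mail only via port 1025, confirm that its listener is actually bound to the loopback address, since a wildcard bind would let external hosts hand mail to it directly and bypass the gateway. The parser reads text in the column layout of `ss -ltn`; the sample below is constructed, not captured from a real host, and the port numbers follow the scenario in the text.

```python
import ipaddress

# Constructed sample in the format of `ss -ltn` (not captured from a real host).
# Port 25 is the gateway, 1025 the e-mail system behind it, 1026 a second copy.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:25           0.0.0.0:*
LISTEN  0       128     0.0.0.0:1025         0.0.0.0:*
LISTEN  0       128     127.0.0.1:1026       0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""


def parse_listeners(text):
    """Return (address, port) pairs for every LISTEN line; IPv6 brackets removed."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        listeners.append((host.strip("[]"), int(port)))
    return listeners


def is_loopback_bind(host):
    """True only when the socket is bound to a loopback address."""
    if host in ("*", ""):
        return False  # wildcard bind: reachable on every interface
    return ipaddress.ip_address(host).is_loopback


def bypass_risks(listeners, internal_ports=(1025,)):
    """Internal MTA ports reachable on a non-loopback address, i.e. ports that
    could accept mail which never passed through the gateway."""
    return [(host, port) for host, port in listeners
            if port in internal_ports and not is_loopback_bind(host)]


if __name__ == "__main__":
    # On a live host, feed the real output of `ss -ltn` instead of the sample.
    found = bypass_risks(parse_listeners(SAMPLE_SS_OUTPUT), internal_ports=(1025, 1026))
    print("internal ports exposed beyond loopback:", found)
```

In the sample, 1026 bound to 127.0.0.1 passes and 1025 bound to 0.0.0.0 is reported; a host firewall rule limiting the port to loopback is a second line of defence, but the bind address is the setting the text asks you to fix.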
When the application is installed on a dedicated server, its operation algorithm is identical to when it is installed on the same server as the e-mail system, but the settings will differ. The IP address of the server on which the application is installed must be included in the MX records corresponding to the protected domain.
To install the application on a dedicated server:
• Configure the application to receive mail via port 25 on all the server's network interfaces, by specifying the following value in the [mailgw.network] section of the application's configuration file:
  ListenOn=0.0.0.0:25
• Specify in the routing table that all scanned messages must be transferred to the e-mail system via port 25, by setting the following value in the [mailgw.forward] section of the application's configuration file:
  ForwardRoute=<company_mask> [host:25]
  where <company_mask> is the mask for recipient addresses, and will generally be of the form *@company.com, and host is the name of your corporate e-mail server.
• Specify the list of all local corporate domains as the value for the ProtectedDomains option in the [mailgw.network] section of the application configuration file ("*" and "?" wildcards can be used). E-mail messages for the specified domains will be scanned.
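To show how the ListenOn, ForwardRoute and ProtectedDomains lines above fit together, here is an added example written for this page (not the product's own configuration parser): it reads a fragment in the line formats quoted in the text, resolves a recipient to a next hop by matching the "*" and "?" masks, and tells whether the recipient's domain is protected. The hostnames, the comma separator between ProtectedDomains entries, and the choice to reject a recipient with no matching route (rather than relay it) are assumptions of the example; the text does not specify them.

```python
import fnmatch
import re

# Constructed fragment for the dedicated-server scenario; hostnames are placeholders.
CONSTRUCTED_CONF = """\
[mailgw.network]
ListenOn=0.0.0.0:25
ProtectedDomains=company.example,*.company.example

[mailgw.forward]
ForwardRoute=*@company.example [mx.company.example:25]
ForwardRoute=*@*.company.example [mx.company.example:25]
"""

# "<company_mask> [host:port]" as written in the text
ROUTE_RE = re.compile(r"^(\S+)\s+\[([^\]:]+):(\d+)\]$")


def parse_conf(text):
    """Minimal INI reader: section name -> list of (key, value), order kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def forward_routes(sections):
    """All ForwardRoute lines as (mask, (host, port)), in configuration order."""
    routes = []
    for key, value in sections.get("mailgw.forward", []):
        if key != "ForwardRoute":
            continue
        m = ROUTE_RE.match(value)
        if not m:
            raise ValueError(f"malformed ForwardRoute: {value}")
        routes.append((m.group(1), (m.group(2), int(m.group(3)))))
    return routes


def protected_domains(sections):
    """ProtectedDomains entries; the text places the option in [mailgw.forward] in
    one scenario and [mailgw.network] in another, so both sections are read.
    Comma separation is an assumption of this example."""
    for section in ("mailgw.network", "mailgw.forward"):
        for key, value in sections.get(section, []):
            if key == "ProtectedDomains":
                return [d.strip() for d in value.split(",") if d.strip()]
    return []


def next_hop(recipient, routes):
    """First route whose mask matches the full recipient address, else None."""
    for mask, hop in routes:
        if fnmatch.fnmatchcase(recipient.lower(), mask.lower()):
            return hop
    return None  # no route: this example rejects instead of relaying (assumption)


def is_protected(recipient, domains):
    domain = recipient.rpartition("@")[2].lower()
    return any(fnmatch.fnmatchcase(domain, d.lower()) for d in domains)


if __name__ == "__main__":
    conf = parse_conf(CONSTRUCTED_CONF)
    routes, domains = forward_routes(conf), protected_domains(conf)
    for rcpt in ("alice@company.example", "bob@sales.company.example", "eve@other.example"):
        print(rcpt, "->", next_hop(rcpt, routes), "protected:", is_protected(rcpt, domains))
```

The same parser handles the same-server variant, where the route reads "[localhost:1025]". Note that "*@company.example" alone does not match sub-domain recipients, which is why the fragment carries a second mask.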
Attention!
This is the most convenient deployment scenario, especially if Kaspersky Mail Gateway is installed at the same time as the network is deployed and the company's e-mail system is installed.

Attention!
This deployment scenario is recommended if you are sure of the reliability of your e-mail system. Installing the application in this configuration will not affect the stability of your e-mail system.
2.3.2. Installing the application inside the corporate network's perimeter
One advantage of installing the application inside the corporate perimeter is that there is no external access to the information that the application is running on the server, or to its configuration. Additionally, if the application is installed on a dedicated server, the load of performing anti-virus scanning can be distributed amongst several servers.
This is how the application and the e-mail system work together if they are installed on the same server:
1. Duplicate your e-mail system and configure one of the copies to listen on port 25, and receive e-mail messages via all available interfaces.
2. This e-mail system forwards all incoming messages through the local interface via a different port (port 1025, for instance) to the application for scanning and spam filtering.
3. The application filters spam, scans the e-mail messages for viruses and forwards scanned and processed messages to the second e-mail system copy, which receives e-mail on a different port (e.g., port 1026).
4. The second e-mail system delivers e-mail to the local users.
Installing the application on a dedicated server is similar to the above procedure. Additionally, when installing the application on a dedicated server, you can create and run several copies of the application on different servers, enabling you to distribute the load of anti-virus processing and spam filtering amongst these servers.
To deploy the application on a dedicated server:
• Specify the list of all local corporate domains as a value for the ProtectedDomains option in the [mailgw.network] section of the application configuration file ("*" and "?" wildcards can be used). E-mail messages for the specified domains will be scanned.

Attention!
Deploying Kaspersky Mail Gateway may require changes to the settings for e-mail clients throughout the company, to ensure that all outgoing e-mail messages are delivered to the application. These messages will be transferred to the external network after an anti-virus scan and spam filtering.

Attention!
If the network includes installed firewalls or demilitarized zones (DMZs), it is necessary to provide e-mail clients and internal and external network servers with access to the installed application to ensure joint operation and routing of the e-mail traffic.
CHAPTER 3. INSTALLING THE APPLICATION
Before installing Kaspersky Mail Gateway, it is necessary to:
• Make sure that your system meets the hardware and software requirements (see section 1.3 on p. 12).
• Configure your Internet connection. The application distribution package does not contain the anti-virus and anti-spam databases, which are required to perform anti-virus protection and filter spam.
• Log on to the system as root, or as a privileged user.

Attention!
After installing the application from the rpm package, you must run the postinstall.pl script to perform post-installation configuration. The default location of the postinstall.pl script is the /opt/kaspersky/mailgw/lib/bin/setup/ directory (in Linux) and the /usr/local/libexec/kaspersky/mailgw/setup directory (in FreeBSD).
3.1. Installing the application on a server running Linux
For servers running the Linux operating system, Kaspersky Mail Gateway is distributed in two different installation packages, depending on the type of your Linux distribution.
To install the application under Linux Red Hat, Linux SUSE or Linux Mandriva, use the rpm package.
To initiate installation of Kaspersky Mail Gateway from the rpm package, enter the following at the command line:
  # rpm -i <distribution_package_file_name>
In Linux Debian and Linux Ubuntu, the installation is performed from a deb package.
To initiate installation of Kaspersky Mail Gateway from the deb package, enter the following at the command line:
  # dpkg -i <distribution_package_file_name>
After you enter the command, the application will be installed automatically.

Attention!
The procedure of application setup under Mandriva distributions has some peculiarities. You might have to perform some additional configuration to ensure the correct functioning of the application on such systems (please see Chapter 9 on p. 103 for details).

Attention!
Installation errors can occur for a number of reasons. If an error message is displayed, first make sure that your computer satisfies the hardware and software requirements (see section 1.3 on p. 12) and that you have logged on to the system as root.
3.2. Installing the application on a server running FreeBSD
The distribution file for installing Kaspersky Mail Gateway on servers running the FreeBSD OS is supplied as a pkg package.
To initiate installation of Kaspersky Mail Gateway from a pkg package, enter the following at the command line:
  # pkg_add <package_name>
After you enter the command, the application will be installed automatically.
3.3. Installation procedure
The application installer script applies these steps:
Step 1. Preparing the system
At this stage, the installation script creates the system group and user account for the application. The default group is klusers and the default user account is kluser. From then on, the application will start under this user account (not root) to provide additional security for your system.
Step 2. Copying application files to destination directories on your server
The installer starts copying the application files to the destination directories on your server. For a detailed description of the application's directories, see section B.1 on p. 149.

Attention!
If you installed the application from an rpm package, you should run the postinstall.pl script (present by default in the /opt/kaspersky/mailgw/lib/bin/setup/ directory in Linux and in /usr/local/libexec/kaspersky/mailgw/setup in FreeBSD) to perform the next step, Post-installation tasks.

Step 3. Post-installation tasks
The post-installation configuration includes these steps:
Configuring the main application component (see section 3.4 on p. 28).
Installing and registering the product key.
If you do not have a product key at the time of installation (for example,
if you purchased the application via the Internet and have not yet received the license key), you can activate the application after installation
and before its first use: for details, see section 5.6 on p. 71. Please note
that if the key is not installed, the anti-virus and anti-spam databases
cannot be updated and the main applicationcomponent cannot be
started during the installation process. In this case it must be done
manually, after the license key is installed.
Configuring the keepup2date component.
Installation (updating) of the anti-virus and anti-spam databases.
You must install the anti-virus and anti-spam databases before using
the application (see section 5.6 on p. 71). The procedure of detecting
and disinfecting viruses relies on the anti-virus database which contains
the descriptions of all currently known viruses, and the methods of disinfecting these viruses. Anti-virus scanning and processing of e-mail
messages cannot be performed without the anti-virus database. The
anti-spam database is used for spam detection, which analyzes the
contents of messages and attached files to identify the signs of unsolicited e-mail.
Installing the Webmin module.
The Webmin module for remote management of the application can be
installed correctly only if the Webmin application is located in the default
directory. After the module is installed, you will receive detailed instructions on how to configure it to work with the application.
Launching the main application component.
Attention!
If after installation, Kaspersky Mail Gateway has not started working as required,
check the configuration settings. Pay special attention to the port number you
specified for receiving e-mail traffic. You should also view the application log file
for error messages.
Attention!
If you are using the rpm installation package, enter the following command to
After these steps are properly completed, a message on the server console will
indicate that installation has been successful.
3.4. Configuring the application
Immediately after the application's files have been copied to your server, the
system configuration process will start. The configuration process will either be
started automatically or, if the package manager (such as rpm) does not allow
the use of interactive scripts, some additional actions will have to be performed
by the administrator. All settings are stored in the mailgw.conf file which is installed by default in the /etc/opt/kaspersky/ directory in Linux, and in the
/usr/local/etc/kaspersky/ directory in FreeBSD.
The configuration procedure includes the following tasks:
Specifying (by the administrator) the full domain name of the server that
will be used to identify the application in SMTP commands when creating the DSN and notifications: this is the Hostname parameter in the
[mailgw.network] section of the mailgw.conf configuration file.
Assigning addresses to be used by the application:
Assign the Postmaster address ([mailgw.network] section,
Postmaster parameter).
Assign the sender's return address for notifications.
Define the administrator's address ([mailgw.policy] section,
AdminNotifyAddress parameter).
Allow incoming e-mail to the specified domain ([mailgw.access]
section, RelayRule parameter).
Defining the interface and port on which to listen for incoming e-mail
traffic ([mailgw.network] section, ListenOn parameter). The port name
and the IP address should be entered in the format <x.x.x.x:z>,
where:
x.x.x.x is the IP address, and
z is the port number.
Specifying local network identifiers. This value is used to assign rules
for message delivery and processing ([mailgw.access] section, RelayRule parameter), for example, rules specific to your organization
concerning e-mail processing, or blocking e-mail messages from certain
domains. Specify the values using the following formats: <x.x.x.x> or
<x.x.x.x/y.y.y.y>, or <x.x.x.x/y>,
where:
x.x.x.x is the IP address, and
y.y.y.y or y is the subnet mask.
Specifying (when necessary) the server to which all processed
messages will be forwarded ([mailgw.forward] section, the ForwardRoute
parameter). Type the host name in the format: <x.x.x.x:z>,
where:
x.x.x.x is the IP address, and
z is the port number.
Specifying the proxy server name ([updater.options] section,
ProxyAddress parameter). This option is necessary for computers
connected to the Internet via a proxy server.
Confirmation of UDS installation and use.
UDS service allows blocking spam in a timely manner before updates to
Kaspersky Mail Gateway databases are downloaded. You are advised
to disable UDS checks only if the method considerably decreases the
filtration server performance or if the server cannot contact the UDS
servers of Kaspersky Lab. Please refer to section 4.3.4 on page 41 for
details on UDS service.
Attention!
To increase UDS efficiency, specify regular launch of the task that
determines the time for access to UDS servers (see section 5.2.4 on
page 55).
Modifying the application configuration file to fine-tune the operation of
the AV and AS modules (optional).
If all the above steps have been successfully completed, the configuration file will
contain all settings that are required to start working with the application.
Attention!
After the system is installed and configured, it is recommended that you check
the settings for Kaspersky Mail Gateway and test its performance. For more
details, see Chapter 7 on page 97.
During Kaspersky Mail Gateway 5.6 installation you can choose to use the saved
settings of the previous product version, 5.5.139, if it was installed earlier. In that
case you will be offered the following options:
Specify the path to the configuration file of an earlier version.
Move or copy files from the queue, archives and Quarantine of the ear-
lier version to the corresponding directories of the new one.
Use UDS because that feature was introduced in version 5.6 (see
above).
Application databases will be downloaded as well.
If the configuration file of an earlier version is not available or if you do not wish
to use it, post-install setup will consist of the steps described above.
3.5. Installing the Webmin module to manage Kaspersky Mail Gateway
The activity of Kaspersky Mail Gateway can be controlled remotely via a web
browser using Webmin.
Note
The Webmin module is the file mailgw.wbm, which is installed by default in the
/opt/kaspersky/mailgw/share/contrib/ directory (for Linux distributions), or the
/usr/local/share/mailgw/contrib/ directory (for FreeBSD distributions).
Webmin is a program which simplifies the administration of Linux/Unix systems.
The software has a modular structure, and supports connection of new or customized modules. Additional information about Webmin can be obtained, and its
distribution package downloaded, from the official program web site at:
www.webmin.com.
Kaspersky Mail Gateway's distribution package contains a Webmin module that
can either be connected during the application's post-installation configuration
(see section 3.3 on p. 26) if the system already has Webmin installed, or at any
time later after Webmin is installed.
The following part of this manual contains a detailed description of the procedure
necessary to connect the Webmin module for administration of Kaspersky Mail
Gateway.
If the default settings were used during Webmin installation, the program can be
accessed from a web browser using HTTP / HTTPS to connect to port 10000, as
soon as the installation procedure is finished.
To install the Webmin module to control Kaspersky Mail Gateway:
1. Use your web browser to access Webmin with administrative privileges.
2. Select the Webmin Configuration tab in the program menu, and then
proceed to the Webmin Modules section.
3. Select the From Local File option in the Install Module section and
click (see Figure 4).
Figure 4. Install Module section
4. Select the path to the Webmin module of the product and click OK.
A message on the display will confirm the successful installation of the Webmin
module.
You can access the settings of Kaspersky Mail Gateway by clicking its icon
within the Others tab (see Figure 5).
Figure 5. The icon of Kaspersky Mail Gateway in the Others tab
Note
The anti-virus and spam filtering functionality of Kaspersky Mail Gateway depends on the configuration file settings. Changes to the configuration file can be
made either locally or remotely (using the Webmin remote administration module).
CHAPTER 4. THE PRINCIPLES OF THE APPLICATION'S OPERATION
This chapter describes in more detail how the application works and the interaction between its components, and gives information required for correct software
setup.
4.1. Creating groups of recipients/senders
A Recipients/Senders group is defined as a specified list of recipient/sender e-mail addresses. A particular e-mail message may be assigned to a particular
group depending on whether this group contains the message sender's address
(or sender IP) or the recipient's address, which are specified in the MAIL FROM
and RCPT TO parts of the message header.
The administrator can specify individual rules for processing each e-mail message depending on the group of recipients/senders. Therefore, it is particularly
important that the addresses are associated with the correct group.
When processing a message, the application searches through the list of addresses for each specific group. If it finds a matching combination of
sender/recipient addresses, the rules defined for this group will be applied to the
e-mail message.
The configuration file contains the [mailgw.policy] section that implicitly defines
the policy group, which determines the default rules for processing e-mail messages.
Attention!
Both the section [mailgw.policy], and all the parameters specified in the sec-
tion, are mandatory.
The [mailgw.policy] section does not contain names of senders and recipients.
The section [mailgw.policy] defines the default rules which are applied to all
messages which do not belong to other groups explicitly described in
[mailgw.group:group_name] sections.
All parameters in [mailgw.group:group_name] sections are optional. If a parameter value in such a section is not specified, it will be taken from the corresponding parameter in the [mailgw.policy] section.
The configuration file included in the application's installation package contains
the following rules in the policy group. Messages which are not assigned to another group will be processed using the following rules (defined in the
[mailgw.policy] section):
Check all e-mail messages for indications of spam.
Scan all e-mail messages for viruses.
Deliver to recipients just messages which contain clean or disinfected
objects only.
Remove the following from messages: infected objects, objects which
caused errors during their analysis, suspicious objects and password-protected and damaged objects.
Notify recipients and the administrator about infected, suspicious, pro-
tected or filtered objects in messages and any objects which caused errors during analysis.
The parameters of the policy group can be altered, and new groups created. To
process e-mail messages belonging to different groups of recipients/senders
using different rules, you will have to create several groups.
To create a new group of user addresses:
1. Create a section [mailgw.group:group_name] in the configuration file.
2. Specify sender addresses (address masks, IP addresses, host names,
masks for host names, subnets) and recipient addresses (address
masks) as the values of Senders and Recipients parameters. To define several addresses or address masks, each record must be entered
in a new line:
Senders=user1@example.com
Senders=*@internal.local
Senders=ip 192.168.0.1
Senders=ip 192.168.0.0/255.255.0.0
Senders=host example.com
Senders=network MyNetwork
Recipients=*@management.local
Recipients=help@helpdesk.local
"*" and "?" wildcards may be used to define masks. If a group description contains no Recipients or Senders parameter, the application will
use the default value, "*@*" (i.e. all addresses). At least one of the
Senders or Recipients parameters must be specified.
Attention!
If you leave the Senders or Recipients parameter in a group description
empty, e.g.:
Senders=
then no messages will be processed using the rules specified for that
group. To use the default value for a parameter, delete (or place a
comment mark before) the corresponding parameter from the group
description.
Attention!
If a sender/recipient address fits several groups, the application will
use the rules for the first of those groups.
Attention!
If a message has several recipients belonging to different groups,
virtual copies of the initial message will be created to match the number of such groups. Each copy will be processed individually, according to the rules specified by the particular group.
If you have added other groups to the configuration file, the application will process messages from these groups as follows:
1. The application first compares the message address(es) with addresses
in the groups created by the administrator. If the sender/recipient
address pair is found in a specific group, the rules defined for that
group will be applied to the message.
2. If the message addresses do not match any group created by the
administrator, the message will be processed according to the rules
described in the policy group.
Figure 6 demonstrates the sequence of actions applied by the application to a
received e-mail message.
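As an added illustration (not code from this manual or from the product), the following Python model parses the address formats of section 3.4 and applies the group-assignment rules of this section to a constructed [mailgw.group:...] configuration; how a "host" rule is evaluated, and the reverse-DNS name it relies on, are assumptions.

```python
"""Model of the Senders/Recipients group matching in section 4.1, built on the
address formats of section 3.4 (<x.x.x.x:z> and <x.x.x.x/y.y.y.y>). Added
illustration, not Kaspersky Mail Gateway code: group order, first-match and
the [mailgw.policy] fall-back follow the manual; 'host' matching is assumed."""
from __future__ import annotations
import fnmatch
import ipaddress
from dataclasses import dataclass

def parse_host_port(value: str) -> tuple[str, int]:
    """Parse the <x.x.x.x:z> format used by ListenOn and ForwardRoute."""
    host, sep, port = value.strip().strip("<>").rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"expected <x.x.x.x:z>, got {value!r}")
    ipaddress.IPv4Address(host)  # raises ValueError on a malformed address
    return host, int(port)

def parse_network(value: str) -> ipaddress.IPv4Network:
    """Parse <x.x.x.x>, <x.x.x.x/y.y.y.y> or <x.x.x.x/y> (RelayRule, Senders=ip)."""
    return ipaddress.IPv4Network(value.strip().strip("<>"), strict=False)

@dataclass
class Group:
    name: str
    senders: list[str] | None = None     # None: parameter absent, i.e. "*@*"
    recipients: list[str] | None = None  # [""]: parameter left empty, never matches

@dataclass
class Envelope:
    """Constructed view of one SMTP session as the gateway sees it."""
    sender: str            # MAIL FROM
    sender_ip: str         # address of the connecting server
    sender_host: str       # its reverse-DNS name, "" if none (assumed input)
    recipients: list[str]  # RCPT TO

def parse_groups(conf_text: str) -> list[Group]:
    """Collect [mailgw.group:<name>] sections; repeated keys accumulate."""
    groups: list[Group] = []
    current: Group | None = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[mailgw.group:") and line.endswith("]"):
            current = Group(line[len("[mailgw.group:"):-1].strip())
            groups.append(current)
        elif line.startswith("["):
            current = None  # another section such as [mailgw.policy]
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "Senders":
                current.senders = (current.senders or []) + [value.strip()]
            elif key.strip() == "Recipients":
                current.recipients = (current.recipients or []) + [value.strip()]
    return groups

def sender_matches(rule: str, env: Envelope) -> bool:
    """Evaluate one Senders= value against the session data."""
    kind, _, arg = rule.partition(" ")
    ip = ipaddress.IPv4Address(env.sender_ip)
    if kind == "ip":
        return ip in parse_network(arg)
    if kind == "host":  # assumed: the host itself or any name under it
        h, d = env.sender_host.lower(), arg.strip().lower()
        return h == d or h.endswith("." + d)
    return fnmatch.fnmatchcase(env.sender.lower(), rule.lower())  # address mask

def assign_group(groups: list[Group], env: Envelope, rcpt: str) -> str:
    """First group whose Senders and Recipients both match wins, else 'policy'."""
    for g in groups:
        s_ok = g.senders is None or any(sender_matches(r, env) for r in g.senders)
        r_ok = g.recipients is None or any(
            fnmatch.fnmatchcase(rcpt.lower(), m.lower()) for m in g.recipients)
        if s_ok and r_ok:
            return g.name
    return "policy"

def split_into_copies(groups: list[Group], env: Envelope) -> dict[str, list[str]]:
    """One virtual copy per distinct group among the recipients (section 4.1)."""
    copies: dict[str, list[str]] = {}
    for rcpt in env.recipients:
        copies.setdefault(assign_group(groups, env, rcpt), []).append(rcpt)
    return copies

# Constructed configuration using the value forms shown in the manual.
SAMPLE_CONF = """
[mailgw.policy]
SpamRateLimit=standard
[mailgw.group:management]
Recipients=*@management.local
[mailgw.group:internal]
Senders=*@internal.local
Senders=ip 192.168.0.0/255.255.0.0
Senders=host example.com
Recipients=*@*
[mailgw.group:disabled]
Senders=
"""
GROUPS = parse_groups(SAMPLE_CONF)
```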
Figure 6. Message processing
4.2. General message processing algorithm
This section discusses how the application processes e-mail messages. When
the server receives an e-mail message, the scanning module:
1. Determines which group of recipients this message belongs to.
2. If the message has multiple recipients belonging to different groups,
several virtual copies of this message are created to match the number
of groups, so that the respective group rules for anti-spam filtering and
anti-virus scanning can be applied to each of the copies.
3. Then the application transfers the message for analysis by the anti-spam module.
Attention!
If you have only purchased a license for anti-virus scanning of e-mail
traffic, spam filtering will not be performed. Messages will be immediately delivered to the AV module for scanning (Step 4). The application will ignore any configuration parameters which apply to the anti-spam module.
Please refer to section 4.3 on page 38 for details on the operation of the
anti-spam module.
After processing, the anti-spam filter returns messages to the scanning
module.
If a message has been assigned the status of Spam, Probable Spam,
Formal or Blacklisted and the application is configured to block such
messages (the BlockMessage parameter is assigned the as/spam,
as/probable, as/formal, as/blacklisted value), then anti-virus message
scanning will be skipped. Further actions of the application are described in Step 8.
4. Using a built-in MIME format identifier (MIME, RFC2822, UUE), the
application divides the message into its components: headers, message
body and attachments.
5. If the application is configured to filter objects by name and/or
attachment type, it will apply the specified filtering rules for this
message. If the message meets the filter conditions, the object will be
assigned the Filtered status and will not be subjected to further anti-spam scanning.
6. Each of the received objects is then sent to the AV module that
analyzes each object and returns the status assigned to it.
7. Depending on the status assigned to each object, the application
performs actions as specified in the settings for the respective group
(please see section 4.4 on page 44 for basic actions of the AV module)
in the configuration file.
8. After the anti-virus scan of all the message's components, and the
execution of required actions on those components, an additional action
can be performed on the message as a whole:
Add label to the message title (Subject) in accordance with the results of its anti-spam analysis (see section 4.3.5 on page 42).
Append additional informational fields to the message's header or
body (see section 6.12 on p. 93).
Block delivery of messages to the recipients; see section 5.2.7 on
p. 57 for an example of blocking the delivery of spam messages,
and section 5.3.3 on p. 61 for messages containing infected objects.
Create and send notifications to the sender, administrator, and re-
cipient (see example in section 5.3.4 on p. 62).
Quarantine a message; see section 5.2.8 on p. 58 for an example
of quarantining spam messages, and section 5.3.6 on p. 64 for
messages containing infected objects.
4.3. Operation of the anti-spam module
Spam filtration by the anti-spam module is performed during the third step of the
procedure described in section 4.2 on p. 36. This section contains a brief overview of the spam detection technologies implemented in the application, namely:
Analysis of formal signs (see section 4.3.1 on page 39).
Content filtration (see section 4.3.2 on page 40).
Checks involving external services (see section 4.3.3 on page 41).
Urgent Detection System technology (see section 4.3.4 on page 41).
During all inspection stages, message analysis is performed according
to the required filtering intensity, defined in the application configuration
file (SpamRateLimit option in the [mailgw.policy] or
[mailgw.group:group_name] section).
The following degrees of filtering intensity are available:
Minimum (SpamRateLimit=minimum).
Standard (SpamRateLimit=standard).
High (SpamRateLimit=high).
Maximum (SpamRateLimit=maximum).
The application decides if a message contains spam based on several signs
detected in mail by the anti-spam module. The higher the filtering intensity, the
smaller the number of signs required to recognize a message as spam. When
the specified filtering intensity is lower, the same set of signs can only result in
message identification as suspicious (Probable Spam) or even normal.
A higher level of filtering intensity can be used in cases when the application does
not detect spam or when it recognizes spam as suspicious mail (Probable Spam). However, the probability of false positives in that case also becomes
higher and normal mail can be recognized as spam.
A lower intensity degree decreases the probability of false positives but increases the possibilities for spam to bypass the filter.
Note
The Standard level of filtering intensity is recommended.
Note
Apart from the intensity level, the filtering result is also affected by the methods used for
spam recognition. When false positives occur you should consider the methods
employed for spam recognition.
4.3.1. Analysis of formal signs
The method uses a set of rules based on examination of certain message headers and their comparison with sets of headers typical of spam messages. In addition to header analysis, the application takes into account message structure,
size, presence of attachments and other similar signs.
The method also provides for analysis of data transmitted by the sender during
an SMTP session. In particular, the following information is evaluated:
IP address of the server that has sent the message, and whether it is
included in the black list of recipients;
IP addresses of intermediate relay servers obtained from the Received
headers;
e-mail addresses of message sender and recipients transmitted in
SMTP session commands;
presence of the sender's and recipients' addresses in white or black
lists;
conformity of the addresses transmitted during SMTP session to the set
of addresses specified in message headers and a number of other
checks.
Note
The purpose of spam filtering is to decrease the volume of unwanted messages
in the mailboxes of your users. It is impossible to guarantee detection of all
spam messages, because too strict criteria would inevitably cause filtering of
some normal messages as well.
4.3.2. Content filtration
Message analysis employs the algorithms of content filtering: the application
uses artificial intelligence technologies to analyze the actual message content
(including the Subject header), and its attachments (attached files) in the following formats:
plain text (ASCII, not multibyte)
HTML (2.0, 3.0, 3.2, 4.x, XHTML 1.0).
The application uses three main groups of methods to detect spam messages:
Text comparison with semantic samples of various categories
(based on the search for key terms (words and word combinations) in
message body and their subsequent probabilistic analysis). The method
provides for heuristic search for typical phrases and expressions in text.
Fuzzy comparison of a message being examined with a collection
of sample messages based on comparison of their signatures. The
method helps detect modified spam messages.
Analysis of attached images.
All the data employed by Kaspersky Mail Gateway for content filtering: classification index (a hierarchical list of categories), message samples, typical terms, etc. are stored in the application databases.
Note
The group of spam analysts at Kaspersky Lab works nonstop to supplement and
improve Kaspersky Mail Gateway databases. Therefore, you are advised to update the databases regularly.
You can also send to Kaspersky Lab samples of spam messages, which
Kaspersky Mail Gateway has failed to recognize as well as the samples of messages erroneously classified as spam. The data will help us improve Kaspersky
Mail Gateway databases and react in a timely manner to new types of spam.
Please refer to Appendix C on page 191 for details on forwarding sample messages.
4.3.3. Checks using external services
In addition to the analysis of message text and headers, Kaspersky Mail Gateway allows a number of the following checks involving external network services:
availability of a DNS record for message sender's IP (reverse DNS
lookup);
the presence of the sender's IP address in a DNS-based real time black
hole list or lists (DNSBL);
a check of the sender's address for compliance with SPF (Sender Policy
Framework) policy for the domain containing the server used to send
the message;
a check of addresses and links to sites in message text for the presence
in the Spam URL Realtime Blocklists database – www.surbl.org;
recognition of e-mail messages using the UDS (Urgent Detection Sys-
tem) technology.
All the checks listed above, except for UDS, are based on the use of the DNS
protocol and as a rule they require no additional network configuration.
4.3.4. Urgent Detection System
Urgent Detection System is an original technology of spam detection developed
and supported by Kaspersky Lab. It is based on the following principles:
A message being analyzed is used to select a collection of properties,
which can be used to identify the message. The set of properties may
include header information, text fragments and other information about
the message being processed.
Filtration server uses the properties thus collected to generate a small
UDS request and sends it to one of UDS servers of Kaspersky Lab.
The UDS server checks the received request against a database of
known spam. If the request matches a known spam sample, a message
will be sent to the filtration server informing that the e-mail is very likely
to be spam. The information will be taken into account during assignment of a certain status to e-mail.
A filtration server interacts with UDS servers of Kaspersky Lab via UDP using
port 7060 for communication. In order to use UDS, a filtration server must be
able to establish outgoing connections through that port.
Information about available UDS servers is added to Kaspersky Mail Gateway
databases. The choice of an individual UDS to be used for message analysis is
performed automatically on the basis of the response time of accessible UDS
servers.
Note
Since the product does not transmit to external servers any data that
could allow viewing the recipients or the text of the processed mail, the
use of this method does not pose any risk to the safety or confidentiality of your information.
Note
The UDS technology allows filtering of known spam before updates to
Kaspersky Mail Gateway databases become available.
4.3.5. Recognition results and actions over messages
The analysis procedure results in assignment of one of the following statuses to
a message:
Spam – message recognized as spam.
Probable Spam – message contains some spam signs; however, it
cannot be unambiguously identified as spam.
Formal (automatically generated letter) – message is formal, for exam-
ple, it is a mail server notification informing about mail delivery or inability to deliver it or about message infection with a virus. The category includes messages sent automatically by mail clients. Such messages
are usually not considered to be spam.
Blacklisted – message received from an address present in a black list.
Not detected – a message that has insufficient spam signs to be recognized as spam. No actions are specified for messages with such
status.
Messages that have received the Not detected status (the message has not
been recognized as spam) are always transferred to the specified recipient,
provided that the message also contains no infected or suspicious objects revealed
during anti-virus scanning.
Each e-mail message can be assigned just one of the above statuses. The application records the status assigned to a message after analysis in a special X-SpamTest-Status-Extended header. Please refer to section B.18 on page
183 for details about the headers added to mail messages after filtering.
Note
Although the product is being constantly developed in order to improve spam
recognition and decrease the number of false positives from the filter, it is not
possible to eliminate altogether the probability of recognizing normal messages
as spam. Therefore, you are advised to use with caution the actions that delete
messages.
Attention!
Preservation of all useful mail must be the top priority task for the system administrator because the loss of a single important message may cause more
trouble for the end user than receipt of a dozen spam messages. To avoid
the loss of necessary mail, you are advised to use only non-destructive actions
with mail identified after content analysis as spam or probable spam.
After recognition, the application may perform one of the following actions over a
message:
add a text mark in the message subject field;
append special headers to the message;
delete message.
System administrator can define which of the listed actions will be performed
over messages with a specific status.
In addition to actions related to mail routing, the administrator can specify the
actions for message modification, which can be helpful both for visualization of
recognition results and for use in combination with the filters in client e-mail software of end users:
Add a label to the message subject field.
Add to message special X-SpamTest-* headers. The headers can be
used later for automatic mail processing by the e-mail software of end
users. Please refer to section B.18 on page 183 for details about the
headers added to mail messages after filtering.
4.4. Operation of the anti-virus scanning module
The AV module checks message components for the presence of viruses.
During the scanning and disinfection of detected infected objects the AV module
uses the anti-virus databases, which contain descriptions of all currently known
viruses and methods for disinfecting objects containing them.
Attention!
You are advised to update the anti-virus databases regularly, to maximize the
efficiency of anti-virus functionality with respect to new viruses. Updates for the
anti-virus databases are made available on Kaspersky Lab's update servers
every hour.
By default, the application's AV module only scans your e-mail traffic; it does not
cure infected objects.
To enable disinfection, set the AVCure parameter in the [mailgw.group:group_name] section of the configuration file to true. If disinfection has been
successful, the object is assigned Disinfected status.
Note
An object can be assigned the Disinfected status only if the cure mode
has been enabled for infected objects.
An object may be assigned one of the following statuses in the process of its
scanning:
Clean – object is clean.
Infected – object is infected and cannot be disinfected or its disinfection
has not been attempted.
Disinfected – infected object has been successfully disinfected.
Suspicious – object is suspected of being infected with an unknown vi-
rus or with a new modification of a known virus.
Protected – scanning failed because the object is password-protected
(e.g., it is an archive).
Error – an error occurred while scanning the object.
Not_checked – object has not been scanned because anti-virus checks
have been disabled.
The actions performed by the AV module on an object which has passed scanning are determined by the corresponding options in the configuration file (ActionInfected, ActionSuspicious, etc.). Each status has a corresponding option. The following actions are available:
cure – replace the infected object in a message with a disinfected one;
pass – transfer the object without modifications, no actions will be applied to the object;
remove – remove the object from the e-mail message;
placeholder – replace the object with a notification generated from a
template.
Attention!
The action can only be defined for objects with Disinfected status (ActionDisinfected parameter).
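The following Python model, added here and not the product's own code, walks one virtual message copy through steps 3 to 8 of section 4.2 and applies the per-object Action* settings of this section; the AV verdicts are simulated inputs, and the attachment-name filter masks, the "pass" default for an unset Action* option and the reading of the attention note above (cure only under ActionDisinfected) are assumptions.

```python
"""Model of the processing order in section 4.2 and the per-object AV actions
of section 4.4, using the BlockMessage, AVCure and Action* parameter names
from the manual. Added illustration, not Kaspersky Mail Gateway code: AV
verdicts are simulated, the name-filter masks and the 'pass' default for a
missing Action* option are assumptions."""
from __future__ import annotations
import fnmatch
from dataclasses import dataclass, field

AS_BLOCKABLE = ("spam", "probable", "formal", "blacklisted")  # as/<status> values
AV_STATUSES = ("clean", "infected", "disinfected", "suspicious",
               "protected", "error", "not_checked")
ACTIONS = ("cure", "pass", "remove", "placeholder")

@dataclass
class GroupSettings:
    """Subset of [mailgw.policy] / [mailgw.group:...] settings named on the page."""
    block_message: set[str] = field(default_factory=set)   # BlockMessage values
    av_cure: bool = False                                   # AVCure
    actions: dict[str, str] = field(default_factory=dict)   # Action<Status> by status
    filter_masks: list[str] = field(default_factory=list)   # assumed name filter

@dataclass
class Part:
    name: str
    av_status: str          # verdict the AV module would return (simulated)
    curable: bool = False   # whether disinfection would succeed (simulated)

@dataclass
class Result:
    blocked: bool                  # delivery blocked on the anti-spam verdict
    av_scanned: bool               # False when step 3 skipped the AV module
    part_actions: dict[str, str]   # part name -> action applied, or "filtered"
    headers: dict[str, str]        # headers added in step 8

def validate_actions(actions: dict[str, str]) -> list[str]:
    """Configuration check: known statuses and actions, and 'cure' only under
    ActionDisinfected (our reading of the attention note in section 4.4)."""
    problems = []
    for status, action in actions.items():
        if status not in AV_STATUSES:
            problems.append(f"unknown status '{status}'")
        elif action not in ACTIONS:
            problems.append(f"Action{status.capitalize()}: unknown action '{action}'")
        elif action == "cure" and status != "disinfected":
            problems.append(f"Action{status.capitalize()}: cure only valid for ActionDisinfected")
    return problems

def process(as_status: str, parts: list[Part], cfg: GroupSettings) -> Result:
    """Steps 3 to 8 of section 4.2 for one virtual copy of a message."""
    headers = {"X-SpamTest-Status-Extended": as_status}  # header named in 4.3.5
    # Step 3: a blocked anti-spam verdict skips anti-virus scanning entirely.
    if as_status in AS_BLOCKABLE and f"as/{as_status}" in cfg.block_message:
        return Result(True, False, {}, headers)
    part_actions: dict[str, str] = {}
    for part in parts:
        # Step 5: objects matching the name filter get Filtered status, no further scan.
        if any(fnmatch.fnmatchcase(part.name.lower(), m.lower()) for m in cfg.filter_masks):
            part_actions[part.name] = "filtered"
            continue
        # Step 6: AV verdict; Disinfected is only reachable when AVCure=true.
        status = part.av_status
        if status == "infected" and cfg.av_cure and part.curable:
            status = "disinfected"
        # Step 7: the Action<Status> option decides what happens to the object.
        part_actions[part.name] = cfg.actions.get(status, "pass")
    return Result(False, True, part_actions, headers)

# Constructed approximation of the default policy-group rules listed in section 4.1.
DEFAULT_POLICY = GroupSettings(
    block_message=set(),
    av_cure=False,
    actions={"clean": "pass", "disinfected": "cure", "infected": "remove",
             "suspicious": "remove", "protected": "remove", "error": "remove"},
)
```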
CHAPTER 5. ANTI-VIRUS PROTECTION AND SPAM FILTRATION
Attention!
To perform the tasks described, some changes must be made to the application's configuration file, following which the application must be restarted to apply the modifications.
Attention!
In the examples below, it is assumed that the administrator has completed all
required post-installation tasks and the application operates correctly.
Kaspersky Mail Gateway can provide anti-virus protection and spam filtering for
e-mail traffic transferred through your organization's mail server.
The tasks implemented by Kaspersky Mail Gateway may be divided into three
major groups:
1. Updates of the anti-spam and anti-virus databases used for spam
filtering, anti-virus scanning and disinfection of objects.
2. Spam filtering.
3. Anti-virus protection of e-mail traffic.
Each of these groups comprises more specific tasks. In this chapter, we will discuss some typical tasks that the administrator can combine and enhance in accordance with the needs of his/her organization.
This guide describes how to locally configure and start tasks from the command
line. Issues related to starting and managing tasks from remote computers using
the Webmin application are not discussed in this document.
5.1. Updating the anti-virus and anti-spam databases
Kaspersky Mail Gateway uses the anti-virus and anti-spam databases while
processing e-mail traffic.
Note
The keepup2date component supports Basic authentication for connections
through a proxy server.
Note
Updates for the anti-spam databases are made available on Kaspersky Lab's
update servers every three minutes. Updates for the anti-virus databases of
Kaspersky Mail Gateway are made available on Kaspersky Lab's update servers every hour.
Attention!
We strongly recommend that the keepup2date component is configured to up-
date the databases every three minutes!
The anti-spam database is employed for spam filtering, which requires the analysis of the contents of message bodies and attached files to identify unsolicited e-mail.
The anti-virus databases are employed during scanning and disinfection of infected objects; they contain descriptions of all currently known viruses and the
methods of disinfection for objects affected by those viruses.
The keepup2date component is included in Kaspersky Mail Gateway to provide
for software updates. The updates are retrieved from Kaspersky Lab's update
servers, e.g.:
http://downloads1.kaspersky-labs.com/
http://downloads2.kaspersky-labs.com/
ftp://downloads1.kaspersky-labs.com/ etc.
The updcfg.xml file included in the installation package lists the URLs of all available update servers.
To update the anti-virus and content filtration databases, the keepup2date component selects an address from the list of update servers and tries to download
updates from that server. If the server is currently unavailable, the application
connects to another server on the list, until it succeeds.
After connection to an update server, keepup2date identifies available updates
and downloads them.
After a successful update, the command specified by the value of the PostUpdateCmd parameter in the [updater.options] section of the configuration file will be executed. By default, this command starts compilation of the anti-spam module databases and automatically restarts the application. The restart is necessary to make the application use the updated anti-spam databases; the Kaspersky Mail Gateway anti-virus databases are loaded without a restart. Incorrect modification of this parameter may prevent the application from using the updated databases or cause it to function erroneously.
Note
All settings of the keepup2date component are stored in the [updater.*] sections of the configuration file.
If you have purchased a license for Kaspersky Mail Gateway that provides only anti-virus scanning of e-mail traffic, downloading of updates for the anti-spam databases can be disabled. To do so, assign the values AVS, AVS_OLD, CORE, Updater, and BLST to the UpdateComponentsList parameter in the [updater.options] section:
If your network has a complex structure, you are advised to download updates from Kaspersky Lab's update servers every three minutes and place them
in a network directory. Other networked computers can be configured to copy
their updates from that directory. For detailed instructions on how to implement
this scenario, see section 5.1.3 on p. 50.
The updating process can either be scheduled to run automatically using the
cron utility (see section 5.1.1 on p. 48), or started manually from the command
line (see section 5.1.2 on p. 49). Starting the keepup2date component requires
root user privileges.
5.1.1. Automatic updating of the anti-virus and anti-spam databases
Regular automatic updates for the anti-virus and anti-spam databases can be
scheduled using the cron utility.
Example:
Configure the cron utility to update your anti-virus and anti-spam databases automatically every three minutes. An update server should be selected
from the updcfg.xml file by default. Only errors occurring in the component
operation should be recorded in the system log. Keep a general log of all
task starts. Output no information to the console.
To perform the above task, do the following:
1. In the application‟s configuration file, specify the following values for
these parameters:
[updater.options]
KeepSilent=true
[updater.report]
Append=true
ReportLevel=1
2. Edit the cron task file for the root user by typing this command: crontab
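As an added example (not taken from the guide), the root crontab entry that implements the schedule described above. It assumes that mailgw-keepup2date is reachable through the PATH set in the crontab (cron starts with a minimal PATH; append the directory where the binary is installed on your system) and that /var/log/mailgw is an existing root-owned directory; both the PATH and the log location are assumptions. The log is deliberately not placed under /tmp, as the command-line example later in this chapter does, because a root process appending to a file in a world-writable directory can be redirected through a planted symlink.

```crontab
# Constructed example: run keepup2date every three minutes as root.
# PATH is an assumption; add the directory containing mailgw-keepup2date.
PATH=/usr/local/bin:/usr/bin:/bin
# -l appends the run report to a root-owned log (path is an assumption).
*/3 * * * * mailgw-keepup2date -l /var/log/mailgw/keepup2date.log
```

With KeepSilent=true and ReportLevel=1 from step 1, the only output cron would otherwise mail to root is suppressed, and errors still reach the system log.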
5.1.2. Manual updating of the anti-virus and anti-spam databases
You can start updating your anti-virus and anti-spam databases from the command line at any time.
Example:
Start updating the anti-virus and anti-spam databases and save the results of the update in the /tmp/updatesreport.log file.
To accomplish the task, log in as root (or any other privileged user) and enter at
the command line:
# mailgw-keepup2date -l /tmp/updatesreport.log
If you need to update the anti-virus and anti-spam databases on several servers,
it may be more convenient to download the updates from an update server once,
save them to a shared directory, and mount the directory within the file system of
every server running Kaspersky Mail Gateway. Then it will be sufficient to launch
the update script, having first specified the mounted directory as the source of
updates. Please see section 5.1.3 on p. 50 for details of how to create a shared
directory for updates.
Attention!
These and other similar tasks can be accomplished remotely using the Webmin
remote administration module.
Note
Please keep in mind that for Kaspersky Mail Gateway 5.6 only anti-virus and
anti-spam databases will be updated.
Example:
Start updating the anti-virus and anti-spam databases from the local directory /home/kluser/bases. If the directory is inaccessible or empty, update the databases from Kaspersky Lab's update servers. Save the results to the /tmp/updatesreport.log file.
To accomplish the task, log in as root (or any other privileged user) and do the
following:
1. Mount the shared directory containing the anti-virus database updates
as the local directory /home/kluser/bases.
2. In the application configuration file, specify the following values for
these parameters:
[updater.options]
UpdateServerUrl=/home/kluser/bases
UseUpdateServerUrl=true
UseUpdateServerUrlOnly=false
3. Enter the following at the command line:
# mailgw-keepup2date -l /tmp/updatesreport.log
5.1.3. Creating a network directory to store
and share updates
Kaspersky Mail Gateway supports copying of updates to databases and application modules into a network directory for sharing and storage. That directory can
be specified as the source of updates for the Kaspersky Mail Gateway 5.6 installations on network computers as well as other applications of Kaspersky Lab
(versions 6.0 and 7.0).
To ensure that local computers are correctly updated from the shared directory,
the directory must have the same file structure as Kaspersky Lab‟s update servers. This task deserves a detailed explanation.
Note
If other applications (versions 6.0 and 7.0) of Kaspersky Lab will be updated from the shared directory, the keepup2date component must be
started as follows:
# mailgw-keepup2date -x <rdir>
Note
Users may set up their e-mail clients to transfer labeled messages to
corresponding directories.
Example:
Create a shared local directory which local computers will use as the source to update their anti-virus and anti-spam databases.
To accomplish the task, log in as root (or any other privileged user) and do the
following:
1. Create a local directory.
2. Define the following parameter values in the application configuration
file:
where <rdir> is the full path to the directory created.
4. Grant read-only access to the directory for local computers on your
network.
5.2. Spam filtration
This section contains sample tasks demonstrating the application's functionality
related to spam filtering. The examples show the main mechanisms used by the
application to combat spam, and in particular:
spam filtration and organization of user groups;
marking of messages identified as spam, probable spam, formal or
blacklisted mail with special labels in the Subject header;
blocking of delivery for messages identified as spam, probable spam,
formal or blacklisted mail;
saving of messages identified as spam, probable spam, formal or black-
listed mail in the quarantine directory.
The section also includes information about the procedure used by the anti-spam
module components and about the parameters controlling the anti-spam module.
5.2.1. Starting and managing the
components of the anti-spam module
The main components of the anti-spam filtration server, including:
the filtering master process (mailgw-process-server)
licensing daemon (mailgw-kas-license)
the SPF daemon (mailgw-spfd)
are launched at operating system start-up by a special script, which is named and located differently in Linux and FreeBSD. Linux uses the mailgw script located in the /opt/kaspersky/mailgw/lib/bin/ directory (the /etc/init.d/mailgw link can be used, too), while FreeBSD employs the mailgw.sh script in the /usr/local/etc/rc.d/ directory.
The administrator can use the said scripts with the command line parameters
described below to start, stop or restart the main components of the filtration
server:
start – start the main components of the filtration server.
stop – stop operation of the main components of the filtration server.
restart – restart the main components of the filtration server; the action
is identical to running the stop and start actions one after another.
5.2.2. Managing the filtration process
The main purpose of the anti-spam module is the detection of unwanted messages in the e-mail stream. The module has an advanced set of settings for configuring spam recognition and the subsequent processing of recognized messages:
The level of spam recognition intensity (SpamRateLimit parameter in
the [mailgw.policy] section). The application decides whether a message contains spam on the basis of several signs revealed in it by the
scanning module (please refer to section 4.3 on page 38 for details).
Addition of ProbableSpam or Obscene marks to the header of messages recognized as mail belonging to the corresponding category after checks (SpamMarkProbable and SpamMarkObscene parameters respectively).
Verification of information about the message sender in DNS and DNS-based services: DNSBL, SPF, etc. (SpamUseDNS parameter).
Checks of the sender IP address using a set of DNSBL services (SpamCheckDNSBL parameter).
Check of sender IP presence in DNS (SpamCheckHostInDNS parameter).
Check of sender IP using SPF (Sender Policy Framework) (SpamCheckSPF parameter).
Check of URLs contained in the message against SURBL (Spam URL Realtime Blocklists) (SpamCheckSURBL parameter).
Analysis of message headers, checking them for:
List of undisclosed recipients in message headers (SpamHeadersToUndisclosed parameter).
Groups of digits in the sender's or recipient's address (SpamHeadersFromOrToDigits parameter).
Missing domain part in address (SpamHeadersFromOrToNoDomain parameter).
Long text in message subject (SpamHeadersSubjectTooLong parameter).
Multiple spaces and dots in message subject (SpamHeadersSubjectWSOrDots parameter).
Digital identifier or time label in message subject (SpamHeadersSubjectDigitIDOrTimestamp parameter).
Text in Chinese, Korean, Thai or Japanese in message headers.
Addition to the message header of a prefix describing the status assigned to it by the anti-spam module after scanning (MarkSubject parameter).
Maximum size (KB) of messages scanned for spam presence (SpamCheckSizeLimit parameter).
Definition of individual groups of senders/recipients whose mail will be
handled using custom rules (the [mailgw.group:group_name] section
is used), including filtration based on black or white lists (please refer to
section 5.2.3 on page 54 for details).
5.2.3. Mail filtration using black and white lists
The white list of senders explicitly specifies the addresses whose mail should not be scanned for spam signs. The list can include, for example, the IP addresses of e-mail servers used to relay mail in the corporate LAN, or the addresses of internal mailing lists.
During application configuration, white lists are created as specifically defined groups for which anti-spam and/or anti-virus scanning is disabled (CheckSpam=false, CheckAV=false).
The black list of senders has the opposite meaning. Administrators of the filtration server can add to it addresses which spammers use to distribute their mail and computers spreading viruses.
Black lists are implemented through definition of an appropriate set of ConnectRule rules with the deny action specified.
Example:
Task:
Create a group of senders whose mail will be treated as belonging to a
white list. Criterion including senders in white list: any host of the
10.10.0.0/16 subnet.
Create a group of senders whose mail will be treated as belonging to a
black list. Criterion including senders in black list: host with the
10.10.138.99 address.
Messages from the white list should not be scanned for presence of
spam or viruses; they should be forwarded to recipients unchanged.
Messages from the black list should not be accepted.
To accomplish the task, perform the following steps:
1. Define the level of spam filtration intensity by setting the corresponding parameter in the [mailgw.policy] section of the configuration file to the following value:
SpamRateLimit=standard
2. In the [mailgw.access] section specify a ConnectRule to reject a session when connection is established with the 10.10.138.99 address:
[mailgw.access]
...
ConnectRule=deny for ip 10.10.138.99
...
3. Create the [mailgw.group:whitelist] section which defines the following rules for processing of mail for the users included into the whitelist
group:
[mailgw.group:whitelist]
Recipients=*
Senders=ip 10.10.0.0/16
CheckSpam=false
CheckAV=false
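The interaction between the connection-level deny rule and the no-scan group in the task above, as an added example that is not part of the guide or of the product: a small Python model that parses the configuration fragment, applies the ConnectRule at session setup and only then selects a group, as the text describes. Note that 10.10.138.99 lies inside the white-listed 10.10.0.0/16, so without the ConnectRule that host would be trusted and skip both scans; the last function reports such overlaps. Only the rule syntax shown on this page ("deny for ip <addr>", "Senders=ip <cidr>") is parsed, and the first-matching-group selection is an assumption.

```python
"""Added example, not product code: connection rule vs. group policy."""
import ipaddress
from dataclasses import dataclass, field

# Constructed configuration, mirroring the example in section 5.2.3.
CONFIG = """
[mailgw.policy]
SpamRateLimit=standard
CheckSpam=true
CheckAV=true

[mailgw.access]
ConnectRule=deny for ip 10.10.138.99

[mailgw.group:whitelist]
Recipients=*
Senders=ip 10.10.0.0/16
CheckSpam=false
CheckAV=false
"""

@dataclass
class Group:
    name: str
    senders: list = field(default_factory=list)   # ip networks
    check_spam: bool = True
    check_av: bool = True

def parse_config(text):
    """Parse the INI-like fragment into deny networks and groups.
    Repeated keys (several Senders= lines) are accumulated, not overwritten."""
    deny, groups, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section.startswith("mailgw.group:"):
                groups[section] = Group(section.split(":", 1)[1])
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section == "mailgw.access" and key == "ConnectRule":
            action, _, rest = value.partition(" for ip ")
            if action == "deny" and rest:
                deny.append(ipaddress.ip_network(rest, strict=False))
        elif section in groups:
            g = groups[section]
            if key == "Senders" and value.startswith("ip "):
                g.senders.append(ipaddress.ip_network(value[3:], strict=False))
            elif key == "CheckSpam":
                g.check_spam = value.lower() == "true"
            elif key == "CheckAV":
                g.check_av = value.lower() == "true"
    return deny, list(groups.values())

def decide(sender_ip, deny, groups):
    """Return what happens to mail from sender_ip under the parsed policy."""
    ip = ipaddress.ip_address(sender_ip)
    # Stage 1: ConnectRule is applied when the session is established,
    # before any message is accepted, so it wins over any group setting.
    if any(ip in net for net in deny):
        return "rejected-at-connect"
    # Stage 2 (assumption): the first group whose Senders match decides scanning.
    for g in groups:
        if any(ip in net for net in g.senders):
            return (f"group={g.name} spam={'on' if g.check_spam else 'off'}"
                    f" av={'on' if g.check_av else 'off'}")
    return "group=default spam=on av=on"

def shadowed_by_whitelist(deny, groups):
    """Deny rules whose addresses also fall inside a no-scan group. Removing
    such a rule silently turns a blacklisted host into a trusted one."""
    out = []
    for net in deny:
        for g in groups:
            if g.check_spam or g.check_av:
                continue
            if any(net.subnet_of(s) for s in g.senders if s.version == net.version):
                out.append((str(net), g.name))
    return out

if __name__ == "__main__":
    deny, groups = parse_config(CONFIG)
    for ip in ("10.10.138.99", "10.10.7.1", "192.0.2.10"):
        print(ip, "->", decide(ip, deny, groups))
    print("deny rules inside no-scan groups:", shadowed_by_whitelist(deny, groups))
```

Running the script shows 10.10.138.99 rejected at connection time, 10.10.7.1 delivered unscanned through the whitelist group, and an outside address falling back to the default policy. Any address in the /16 that is compromised gets the same unscanned treatment, so keep white-listed ranges as narrow as the relay topology allows.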
5.2.4. Managing the UDS service
Checking the access time of UDS servers
The application uses the uds-rtts.sh script to check the time required for access
to the UDS servers of Kaspersky Lab. Collected data is used to select the most
suitable server for UDS queries.
To keep UDS queries efficient, you should configure the task that checks UDS server access time to run regularly, for example using cron. The recommended interval between task starts is 10-15 minutes.
Checking UDS server availability
To check if a UDS server is available (i.e. it can be accessed), run the uds-rtts.sh
script with the -a option as follows:
In Linux:
# /opt/kaspersky/mailgw/lib/bin/kas-filter/uds-rtts.sh -a
In FreeBSD:
# /usr/local/libexec/kaspersky/mailgw/kas-filter/\
uds-rtts.sh -a
Restarting as kluser
uds-rtts: OK, updated 1 records.
uds-rtts: uds.kaspersky-labs.com available rtt=4103
uds-rtts finished successfully.
5.2.5. Managing the list of enabled DNSBL
services
Checks of sender IP address presence in DNSBL are performed on two levels:
When an incoming connection is established (provided that an appropriate rule is specified in the ConnectRule parameter); see Appendix A on page 107.
When the anti-spam module checks a message (the check also in-
cludes verification of IP addresses mentioned in the Received header of
the message). You can define for each group of users whether the application will run checks involving DNSBL services for that group.
Management of the DNSBL services used by the application belongs to general
settings of the anti-spam module. The list of available services is common for all
user groups.
Each DNSBL service is defined through its address where queries are sent and
its corresponding rating.
Service rating determines how trustworthy the service is in the opinion of the
administrator. When a sender's IP address is checked in DNSBL, Kaspersky Mail
Gateway sends a query to all the services included in the list. When the results
are returned, it sums up the rating values of the services, which have recognized
the specified IP address as a source of spam mail.
When IP address presence in DNSBL is checked at connection establishment, the in_dnsbl rule (see Appendix A on page 107) is applied if the sum of the ratings of the triggered DNSBL services reaches or exceeds 100.
When IP address presence in DNSBL is checked by the anti-spam module, the sender is assumed to be included in the black list and the message receives the blacklisted status if the sum of the ratings of the triggered DNSBL services reaches or exceeds 100. The status is assigned irrespective of the results returned by checks using other methods. Some filtering intensity levels also take into account the situation where the sum of the ratings of the services listing the sender is less than 100. In that case the presence of the sender in black lists is used only as an additional sign, and such mail is recognized as spam only if other checks reveal further signs.
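The rating arithmetic described above, as an added example that is not part of the guide or of the product. The zone names, their ratings and the DNS answers are constructed, and the lookups are served from a dictionary so that the code runs offline; the reversed-octet query name is the standard DNSBL convention and the threshold of 100 is the page's. The example also treats an answer outside 127.0.0.0/8 as "not listed", a check a practitioner adds because decommissioned or wildcarded zones have been known to answer positively for every query.

```python
"""Added example, not product code: summing DNSBL ratings to a verdict."""
import ipaddress

# Constructed service list: zone -> rating assigned by the administrator.
SERVICES = {
    "bl.example.net": 70,
    "list.example.org": 40,
    "zen.example.com": 100,
}

# Constructed "DNS": query name -> A-record answer; a missing key is NXDOMAIN.
FAKE_DNS = {
    "99.138.10.10.bl.example.net": "127.0.0.2",
    "99.138.10.10.list.example.org": "127.0.0.2",
    "5.2.0.192.list.example.org": "127.0.0.2",
    "1.1.0.203.zen.example.com": "10.0.0.1",     # bogus non-loopback answer
}

THRESHOLD = 100          # the page's value
LISTED = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: octets reversed, then the zone (IPv4 only)."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def lookup(name, resolver=FAKE_DNS):
    """Return the A record for name, or None on NXDOMAIN (not listed)."""
    return resolver.get(name)

def dnsbl_score(ip, services=SERVICES, resolver=FAKE_DNS):
    """Query every configured service and sum the ratings of those listing ip.
    Returns (score, [zones that triggered])."""
    score, hits = 0, []
    for zone, rating in services.items():
        answer = lookup(dnsbl_query_name(ip, zone), resolver)
        # Only a loopback answer is a listing; anything else is ignored.
        if answer and ipaddress.IPv4Address(answer) in LISTED:
            score += rating
            hits.append(zone)
    return score, hits

def verdict(ip, services=SERVICES, resolver=FAKE_DNS):
    """blacklisted: sum >= 100, assigned regardless of other checks;
    dnsbl-sign: listed somewhere but below 100, only an additional sign;
    clean: no service listed the address."""
    score, hits = dnsbl_score(ip, services, resolver)
    if score >= THRESHOLD:
        return "blacklisted"
    if hits:
        return "dnsbl-sign"
    return "clean"

if __name__ == "__main__":
    for ip in ("10.10.138.99", "192.0.2.5", "203.0.1.1", "198.51.100.7"):
        print(ip, dnsbl_score(ip), verdict(ip))
```

Two things the arithmetic makes visible: a single service rated 100 (zen.example.com here) is decisive on its own, so that rating should be reserved for lists whose policy you have actually read; and 203.0.1.1 stays clean despite an answer from the rating-100 zone, because the answer was not a loopback address.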
5.2.6. Marking of messages containing
spam
Example:
Filter spam using the standard degree of filtering intensity.
Modify the Subject header of messages identified as spam or probable
spam.
To perform the above task, do the following:
Specify the level of spam filtering intensity by setting the SpamRateLimit parameter value in the [mailgw.policy] section of the configuration file. Then define the mail processing rules:
SpamRateLimit=standard
CheckSpam=true
MarkSubject=spam,probable
5.2.7. Blocking delivery of spam messages
Example:
Filter spam; specify the standard degree of filtering intensity.
Block the delivery of messages identified as spam or probable spam, for
users in the managers group.
Block the delivery of spam messages only, for all other users.
To perform the above task, do the following:
1. Specify the level of filtering intensity. To do so, specify the following
parameter value in the [mailgw.policy] section of the configuration file:
SpamRateLimit=standard
2. Create the [mailgw.group:managers] section, which will define the
rules for processing the e-mail of users included in the managers
group:
[mailgw.group:managers]
Recipients=*@managers.example.com
CheckSpam=true
BlockMessage=as/spam,as/probable
Mail processing rules for all other users will also be defined by the
[mailgw.policy] section:
[mailgw.policy]
CheckSpam=true
BlockMessage=as/spam
5.2.8. Storage of spam message copies in
the quarantine directory
Storing message copies in the quarantine directory may, but need not, be combined with blocking e-mail delivery. In the first case, messages identified as spam or probable spam do not reach the recipients' mailboxes but are saved in the quarantine directory. In the second case, the messages are delivered to end users and copies are preserved in quarantine.
Example:
Filter spam; specify the standard degree of filtering intensity.
Copy all messages identified as spam, probable spam, formal or black-
listed mail to the quarantine directory.
Block the delivery of messages identified as spam or probable spam.
To perform the above task, do the following:
1. Specify the level of filtering intensity, by setting the following parameter
value in the [mailgw.policy] section of the configuration file:
SpamRateLimit=standard
2. Specify the following parameter values in the [mailgw.policy] section of
the configuration file:
[mailgw.policy]
CheckSpam=true
BlockMessage=as/spam,as/probable
Attention!
Blocked and quarantined messages that have been assigned the status Spam,
Probable Spam, Formal or Blacklisted by the anti-spam module may contain
viruses, as their anti-virus scanning will be skipped after performance of these
actions.
5.3. Anti-virus protection of e-mail traffic
This section contains examples of Kaspersky Mail Gateway's anti-virus protection of e-mail traffic. The settings described in the examples can be combined to produce more sophisticated e-mail traffic protection schemes.
5.3.1. Delivery of messages with clean or disinfected objects only
Example:
Scan all the server‟s incoming and outgoing e-mail traffic for viruses.
Cure infected objects.
Remove from e-mail messages all infected objects which could not be
cured.
Deliver messages to recipients containing clean and disinfected objects
only.
To perform the above task, specify the following parameter values in the
[mailgw.policy] section:
1. Define the anti-virus scanning mode for all e-mail messages:
CheckAV=true
2. Enable disinfection mode for infected objects:
AVCure=true
3. Specify the operations, which must be performed with the objects:
ActionDisinfected=cure
ActionInfected=remove
ActionSuspicious=remove
ActionProtected=remove
ActionError=remove
BlockMessage=
Note
Notifications can be delivered to the administrator, message recipient and sender, informing them of the detection of infected or suspicious objects (see section 5.3.4 on p. 62). Also, messages containing infected, suspicious or password-protected objects can be saved in the quarantine directory (see section 5.3.6 on p. 64).
5.3.2. Replacement of infected objects by standard notifications
Task:
Scan all e-mail traffic on the server for viruses, and cure infected ob-
jects in e-mail messages.
Objects which cannot be cured, and suspicious, damaged or password-
protected objects, must be deleted and replaced with a standard notification.
Solution: To perform the above task, specify the following parameter values in
the [mailgw.policy] section:
1. Define the anti-virus scanning mode for all e-mail messages:
CheckAV=true
2. Enable disinfection mode for infected objects:
AVCure=true
3. Specify the operations, which must be performed with the objects:
ActionDisinfected=cure
ActionInfected=placeholder
ActionSuspicious=placeholder
ActionProtected=placeholder
ActionError=placeholder
BlockMessage=
Note
In addition to replacing infected and suspicious objects with standard messages, the application can deliver notifications to the administrator with information about the detection of the objects (see section 5.3.4 on p. 62) and save the messages containing the objects in the quarantine directory (see section 5.3.6 on p. 64).
Attention!
While implementing this task, please note that if a message contains several
objects, one of which cannot be disinfected or is suspicious or password
protected, the delivery of the whole message will be blocked.
5.3.3. Blocking delivery for messages
containing suspicious objects
Example:
Scan all e-mail traffic on the server for viruses, and cure infected ob-
jects in e-mail messages;
Block the delivery of messages containing objects which cannot be
cured, and suspicious, damaged or password-protected objects.
To perform the above task, specify the following parameter values in the
[mailgw.policy] section:
1. Define the anti-virus scanning mode for all e-mail messages:
CheckAV=true
2. Enable disinfection mode for infected objects:
AVCure=true
3. Specify the operations, which must be performed with the objects:
The application can also be configured to send notifications to the administrator with information about the detection of infected or suspicious objects (see section 5.3.4 on p. 62) and to save the messages containing those objects in the quarantine directory for later delivery to Kaspersky Lab for examination (see section 5.3.6 on p. 64).
5.3.4. Delivery of notifications to the
sender, administrator and recipients
Example:
Scan all e-mail traffic on the server for viruses, and cure all infected ob-
jects.
Deliver messages to recipients containing only clean and disinfected
objects.
Delete all objects which cannot be cured, as well as suspicious, dam-
aged or password-protected objects.
Notify the senders, recipients and the administrator about cured, incur-
able, deleted and suspicious and damaged objects in e-mail messages.
To perform the above task, specify the following parameter values in the
[mailgw.policy] section:
1. Enable disinfection mode for infected objects:
AVCure=true
2. Specify the operations, which must be performed with the objects:
ActionDisinfected=cure
ActionInfected=remove
ActionSuspicious=remove
ActionProtected=remove
ActionError=remove
BlockMessage=
3. Specify the cases in which notifications should be sent, and their recipients:
5.3.5. Filtering attachments by name and MIME type
E-mail messages frequently contain objects for which virus infection is highly probable (e.g., executable files). To avoid infection, you are advised to configure the application to filter e-mail by attachment name and/or type, and to save these objects in a separate directory.
There are also objects which cannot be infected with viruses (e.g., plain text files). To reduce the load on the server during anti-virus scanning of e-mail messages, you are advised to specify the types and/or names of such attachments in advance so that the application does not scan them.
Filtering of objects is performed using name masks (IncludeByName, ExcludeByName parameters) and MIME types (IncludeByMime, ExcludeByMime parameters).
Example:
Delete .exe and .reg attachments from the e-mail of users in the man-
agers group.
For users in the accounts group, delete all attached objects except for
.doc files .
For users in the sales group, block messages containing attached .exe
files.
To perform the above task, do the following:
Create in the application's configuration file three
[mailgw.group:group_name] sections, which will contain processing
rules for the e-mail of users in the managers, accounts and sales
groups respectively:
[mailgw.group:managers]
Recipients=*@managers.example.com
IncludeByName=*.exe
IncludeByName=*.reg
ActionFiltered=remove
…
[mailgw.group:accounts]
Recipients=*@accounts.example.com
ExcludeByName=*.doc
ActionFiltered=remove
…
[mailgw.group:sales]
Recipients=*@sales.example.com
IncludeByName=*.exe
BlockMessage=av/filtered
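The mask semantics used in the three groups above, as an added example that is not part of the guide or of the product: a Python model of IncludeByName/ExcludeByName and IncludeByMime/ExcludeByMime run over a constructed attachment list. The include/exclude meaning is taken from the page's own examples (an Include mask selects the objects to filter; with ExcludeByName=*.doc everything except .doc is filtered); the shell-style mask matching, its case-insensitivity, the behaviour when both kinds of mask are set, and the fourth "support" group with a MIME mask are this example's assumptions. The double-extension attachment is included to show that a mask on the last extension is what decides.

```python
"""Added example, not product code: attachment filtering by name and MIME masks."""
import fnmatch
from dataclasses import dataclass, field

# Constructed attachments: (file name, MIME type as declared by the sender).
ATTACHMENTS = [
    ("report.doc", "application/msword"),
    ("setup.exe", "application/octet-stream"),
    ("fix.reg", "text/plain"),
    ("invoice.DOC.exe", "application/octet-stream"),   # double extension, upper case
    ("notes.txt", "text/plain"),
]

@dataclass
class GroupFilter:
    name: str
    include_names: list = field(default_factory=list)   # IncludeByName masks
    exclude_names: list = field(default_factory=list)   # ExcludeByName masks
    include_mimes: list = field(default_factory=list)   # IncludeByMime masks
    exclude_mimes: list = field(default_factory=list)   # ExcludeByMime masks
    action: str = "remove"       # ActionFiltered: remove or pass
    block: bool = False          # BlockMessage contains av/filtered

# The page's three groups plus one MIME-based group added for illustration.
GROUPS = {
    "managers": GroupFilter("managers", include_names=["*.exe", "*.reg"]),
    "accounts": GroupFilter("accounts", exclude_names=["*.doc"]),
    "sales": GroupFilter("sales", include_names=["*.exe"], block=True),
    "support": GroupFilter("support", include_mimes=["application/octet-stream"]),
}

def _match(value, masks):
    """Case-insensitive shell-style match against any mask (assumption)."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, m.lower()) for m in masks)

def is_filtered(name, mime, gf):
    """True if the attachment is selected by the group's filter.
    Include masks select matching objects; Exclude masks select every object
    that does NOT match them. With no masks at all nothing is filtered."""
    if gf.include_names and _match(name, gf.include_names):
        return True
    if gf.include_mimes and _match(mime, gf.include_mimes):
        return True
    if gf.exclude_names and not _match(name, gf.exclude_names):
        return True
    if gf.exclude_mimes and not _match(mime, gf.exclude_mimes):
        return True
    return False

def apply_filter(attachments, gf):
    """Return (delivered attachment names, filtered names, message blocked?)."""
    kept, filtered = [], []
    for name, mime in attachments:
        (filtered if is_filtered(name, mime, gf) else kept).append(name)
    if filtered and gf.block:          # BlockMessage=av/filtered: nothing is delivered
        return [], filtered, True
    if gf.action == "pass":            # ActionFiltered=pass: filtered objects stay
        return [n for n, _ in attachments], filtered, False
    return kept, filtered, False

def run_all(attachments=ATTACHMENTS, groups=GROUPS):
    """Evaluate every group against the same attachment set."""
    return {name: apply_filter(attachments, gf) for name, gf in groups.items()}

if __name__ == "__main__":
    for name, result in run_all().items():
        print(name, result)
```

Note that the declared MIME type is under the sender's control, so a type-based mask alone is weaker than a name mask; the "support" group filters setup.exe only because the sender labelled it application/octet-stream.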
5.3.6. Saving messages in the quarantine directory
Kaspersky Mail Gateway can be configured to store messages with specified
statuses in the quarantine directory.
This feature may be used, for example, if an infected attachment containing important data was detected during anti-virus scanning. Attempting to disinfect the
file may corrupt the data. The message can be isolated in a separate directory
and subsequently sent to Kaspersky Lab for analysis. Our experts will probably
be able to disinfect the file, and preserve the data's integrity.
Example:
Scan all e-mail traffic on the server for viruses and cure all infected ob-
jects.
Deliver messages to the recipients containing only clean and disinfected
objects.
Messages with incurable attachments or suspicious, damaged or pass-
word-protected objects must be saved in the quarantine directory
/opt/quarantine; delivery of these messages must be blocked.
To perform the above task, do the following:
1. Create the directory /opt/quarantine, which will be used to store blocked
messages, and grant the right to write to that directory to the account
used to run the application (kluser by default).
2. Enable the cure mode for infected objects, by setting the following parameter value in the [mailgw.policy] section of the configuration file:
AVCure=true
Note
The application settings described in this section are provided as examples only;
the administrator should adapt them as necessary.
3. Specify these parameter values in the [mailgw.policy] section of the
configuration file:
5.4. Combining spam filtration with anti-virus protection
The choice of application mode, of the level of anti-virus scanning and of spam filtering intensity depends both on the volume of e-mail traffic to be processed by the application and on the corporate security policy. The three modes demonstrated in this section illustrate methods for combining spam filtration with anti-virus protection of e-mail traffic.
5.4.1. Maximum speed
The mode allows high performance anti-virus scanning and spam filtration, which
may be necessary for processing a large volume of e-mail messages. The security level in this case is reduced, because the application does not cure infected
objects, but just sends notifications about their detection.
In this mode, the application:
filters e-mail traffic for spam; the degree of filtering intensity is mini-
mum;
blocks messages identified as spam;
marks messages identified as probable spam, formal or blacklisted mail
using special labels in the Subject header;
performs anti-virus scanning of e-mail attachments, but does not at-
tempt to cure infected objects;
filters and blocks delivery of messages containing the most dangerous
attachment types (an external file is used to define the list of dangerous
objects) and for messages containing infected attachments;
notifies recipients about messages which have been blocked.
To enable this mode:
1. Specify the following parameter value in the [mailgw.policy] section of
the configuration file:
SpamRateLimit=minimum
2. Create a file List1 which contains a list of the most likely sources of viruses, for example:
*.exe
*.bat
*.com
*.scr
*.bin
*.dll
3. Specify the following parameter values in the [mailgw.policy] section of
the configuration file:
AVCure=false
AVScanArchives=false
AVScanMailBases=false
CheckAV=true
CheckSpam=true
IncludeByName=file:<path to file>/List1
MarkSubject=probable,formal,blacklisted
ActionFiltered=pass
ActionInfected=pass
ActionSuspicious=pass
ActionProtected=pass
ActionError=pass
BlockMessage=av/infected,av/filtered,as/spam
NotifyRecipient=av/infected,av/filtered
Note
The presence of several groups of senders/recipients ([mailgw.group:group_name] sections) slows down processing of e-mail traffic. When high performance is required, you are advised to use the default group only ([mailgw.policy] section) to specify the e-mail processing rules.
5.4.2. Recommended mode
The mode gives the optimal balance between server performance and security.
In this mode, the application:
filters e-mail traffic looking for spam; the degree of filtering intensity is
standard;
marks messages identified as spam, probable spam, formal or black-
listed mail using special labels in the Subject header;
performs anti-virus scanning and disinfection of e-mail attachments;
replaces suspicious objects, and infected objects which cannot be
cured, with a standard notification;
blocks delivery for messages containing password-protected attach-
ments and attached objects that cause errors during scanning; these attachments are added to the quarantine directory;
notifies recipients about blocked messages.
To enable this mode:
1. Specify the following parameter value in the [mailgw.policy] section of
the application's configuration file:
SpamRateLimit=standard
2. Specify the following parameter values in the [mailgw.policy] section:
AVCure=true
AVScanArchives=true
AVScanMailBases=true
CheckAV=true
CheckSpam=true
MarkSubject=spam,probable,formal,blacklisted
ActionDisinfected=cure
ActionInfected=placeholder
ActionSuspicious=placeholder
ActionProtected=pass
ActionError=pass
BlockMessage=av/protected,av/error
QuarantineMessage=av/protected,av/error
NotifyRecipient=av/protected,av/error
5.4.3. Maximum protection
In the maximum protection mode the speed of e-mail traffic processing is lower.
However, the mode provides the best protection for users against spam and viruses. In this mode the application:
filters e-mail traffic looking for spam; the degree of filtering intensity is
maximum;
blocks delivery for messages identified as spam, probable spam, formal
or blacklisted mail and adds them to the quarantine directory;
performs anti-virus scanning and disinfection of e-mail attachments;
removes the following from messages: infected attachments which can-
not be cured; suspicious or password-protected objects, and objects
which caused errors during scanning;
notifies message recipients and the administrator about infected, suspi-
cious and password-protected attachments, and objects which caused
errors during scanning.
To enable that mode:
1. Specify the following parameter value in the [mailgw.policy] section of
the configuration file:
SpamRateLimit=maximum
2. Specify the following parameter values in the [mailgw.policy] section of
the configuration file:
5.5. Additional functions
In addition to its main functions of spam filtering and anti-virus scanning of e-mail traffic, the application can also perform these tasks:
logging of received and sent e-mail;
forwarding of all received e-mail;
enabling restrictions for SMTP connections, preventing both hacker attacks and the use of the application as an open relay for sending unauthorized e-mail.
5.5.1. Automatically add incoming and outgoing e-mail to archives
If the security policy of your organization includes archiving e-mail traffic processed by the server, the application can be configured to add all e-mail messages to archives. If necessary, the administrator can view all messages in archives.
If the auto archiving option is enabled, copies of the following messages will be archived:
All incoming messages, including spam or infected objects, without additionally notifying the administrator. Archiving these messages is enabled when the path to the archive directory is specified as the value of the IncomingArchivePath parameter in the [mailgw.archive] section.
All outgoing messages, including messages delivered to recipients, messages blocked because of a virus or spam, and notification messages generated by the application. Archiving these messages is enabled when the path to the archive directory is specified as the value of the OutgoingArchivePath parameter in the [mailgw.archive] section.
All received messages before their scanning. The application starts adding mail to the archive if you specify a list of e-mail addresses where blind carbon copies of the mail will be sent (IncomingBcc option in the [mailgw.archive] section).
Attention!
Before you enable automatic archiving, make sure that there is enough space in your server's file system to accommodate the archive.
Do not forget to purge this directory occasionally to remove old messages, and to compress necessary files (the frequency at which this is required depends on the intensity of e-mail traffic in your network).
5.5.2. Protection from hacker attacks and spam
To provide the highest level of security for your e-mail system, you are advised to modify the configuration file to extend the application's anti-virus functionality. To protect your server from hacker attacks or, for example, to prevent spam being relayed through your server, configure the following options:
ConnectRule in the [mailgw.access] section. The parameter defines application behaviour during establishment of an SMTP session.
HeloRule in the [mailgw.access] section. The parameter defines the application response to HELO/EHLO commands received from a client.
MailfromRule in the [mailgw.access] section. The parameter defines the application's behaviour in response to an attempt to send a message from a source (passed with the MAIL FROM command) with a domain name which does not match the actual IP address or MX host corresponding to that domain.
RelayRule in the [mailgw.access] section. The parameter defines rules for client access to the gateway. The correct settings of this option are essential to prevent the application's use as a publicly open e-mail relay.
Attention!
Kaspersky Mail Gateway WILL NOT work without a key!
Attention!
A detailed discussion of the syntax of these parameters is provided in the description of the configuration file (see Appendix A on p. 107).
Attention!
DNSBL service (DNS-based Blackhole List) is a database that lists IP addresses of mail servers used for uncontrolled mass mailing. Such servers receive mail from anyone and deliver it further to arbitrary recipients. Use of DNSBL allows automatic blocking of mail from such mail servers. Various services use different policies for generation of such lists. Please examine carefully the policy of each service before you start using it for mail filtration.
If a certain address is constantly used for sending spam and the administration of the server used for spam distribution takes no preventive steps, you can inform the RBL service about the spammer. The spammer's address will be added to the database and the record will allow automatic blocking of incoming e-mail sent from that mail server.
You are also advised to enable restrictions for SMTP connections (see section 6.1.2 on p. 78).
Application version 5.6 supports the technology of DNS black lists. This technology allows the blocking of incoming e-mail sent from unsafe servers registered in the DNSBL database as servers sending spam. The list of DNSBL services is specified in the DNSBlackList parameter, in the [mailgw.access] section of the application configuration file.
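The following is an added illustration, not Kaspersky's code, of the two sender checks this section describes: a DNSBL lookup of the connecting IP against the zones a DNSBlackList value would name, and a MAIL FROM domain check of the kind MailfromRule governs. The zone name, addresses and DNS records are constructed, and the resolver is injected so the example runs offline.

```python
"""Added example (not Kaspersky's code): the two sender checks that section
5.5.2 describes, as a gateway would perform them:
  - a DNSBL lookup of the client IP against the zones listed in DNSBlackList;
  - a MAIL FROM domain check of the kind MailfromRule governs (does the client
    IP belong to the sender domain's A or MX hosts?).
The resolver is injected, so the example runs offline on constructed DNS data;
a deployment would back it with real DNS queries."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# resolve(name, rrtype) -> record values; [] means NXDOMAIN / no data.
Resolver = Callable[[str, str], List[str]]
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")   # DNSBL "listed" answers live here


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Reverse the IPv4 octets under the list zone: 192.0.2.10 in dnsbl.example
    becomes 10.2.0.192.dnsbl.example."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")  # ValueError on bad input
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def dnsbl_lookup(client_ip: str, zones: List[str], resolve: Resolver) -> Optional[str]:
    """Return the first zone that lists client_ip, else None. Each list's own
    policy decides what a 127.0.0.x code means; consult it before blocking."""
    for zone in zones:
        answers = resolve(dnsbl_query_name(client_ip, zone), "A")
        if any(ipaddress.ip_address(a) in LISTED_NET for a in answers):
            return zone
    return None


def mailfrom_domain_matches(mail_from: str, client_ip: str, resolve: Resolver) -> bool:
    """True if client_ip is an A record of the MAIL FROM domain or of one of its
    MX hosts. The null sender (<>) has no domain and is left to other rules."""
    address = mail_from.strip().strip("<>").lower()
    if "@" not in address:
        return False
    domain = address.rsplit("@", 1)[1]
    # MX answers look like "10 mail.example.com."; keep only the host part.
    hosts = [domain] + [rr.split()[-1].rstrip(".") for rr in resolve(domain, "MX")]
    return any(client_ip in resolve(host, "A") for host in hosts)


def evaluate_sender(client_ip: str, mail_from: str, zones: List[str],
                    resolve: Resolver) -> Tuple[str, str]:
    """Combine both checks into a (decision, reason) pair; the DNSBL check runs
    first because it needs no MAIL FROM and can end the session earlier."""
    listed_in = dnsbl_lookup(client_ip, zones, resolve)
    if listed_in:
        return "reject", f"client {client_ip} listed in {listed_in}"
    if not mailfrom_domain_matches(mail_from, client_ip, resolve):
        return "reject", f"MAIL FROM domain does not resolve to {client_ip}"
    return "accept", "sender checks passed"


# Constructed DNS data (documentation addresses and names, not real hosts).
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("10.2.0.192.dnsbl.example", "A"): ["127.0.0.2"],   # 192.0.2.10 is listed
    ("example.com", "MX"): ["10 mail.example.com."],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("example.com", "A"): ["198.51.100.80"],
}


def fake_resolve(name: str, rrtype: str) -> List[str]:
    return FAKE_DNS.get((name.lower(), rrtype), [])


ZONES = ["dnsbl.example"]   # stands in for a DNSBlackList parameter value (constructed)

if __name__ == "__main__":
    for ip, sender in (("192.0.2.10", "<spam@example.com>"),
                       ("198.51.100.25", "<alice@example.com>"),
                       ("203.0.113.7", "<bob@example.com>")):
        print(ip, sender, evaluate_sender(ip, sender, ZONES, fake_resolve))
```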
5.6. Managing product keys
The right to use Kaspersky Mail Gateway is determined by the product key. The key is included in the application's distribution kit and entitles you to use the application from the day on which you purchased it and installed the key.
After the key expires, the application will continue to work as before, except that the anti-virus and anti-spam databases will no longer be updated. That is, the application will still be able to scan e-mail messages for viruses, filter spam and disinfect infected objects, but will be unable to use databases issued after the key expiration date. Therefore, you may not be protected against new viruses that appear after the license expired, and the anti-spam module will be unable to filter new spam types.
To protect your network's computers against new viruses and efficiently filter spam, you are advised to renew the key for Kaspersky Mail Gateway.
The key gives you the right to use the application. It contains information related to the license you have purchased, including the type of license, the key expiry date, and information about dealers.
In addition to the right to use the application during the period of key validity, you will have the following benefits:
twenty-four-hour technical support;
hourly updates of the anti-virus databases, and updates to the anti-spam database made available every three minutes;
timely notifications about new virus threats.
For all these reasons, it is essential to extend your product key before it expires. One way to manage licenses is to install an additional key, which the application will start to use as soon as the current active key expires (see section 5.6.2 on p. 74).
5.6.1. Viewing information about product keys
You can view information about installed product keys in the reports of the mailgw component. Each time the main application component starts it loads the license key and displays its contents in the report.
More detailed information about the status of license keys may be obtained using licensemanager, a special component of the application.
All information about keys may be viewed either on the server's console, or remotely from any networked computer that has access to the Webmin module.
To view information about all installed product keys, enter the following in the
command line:
The server console will display information similar to the following:
Kaspersky license manager. Version 5.6.0/RELEASE
Copyright (C) Kaspersky Lab. 1998-2008.
Portions Copyright (C) Lan Crypto
Product name: Kaspersky Mail Gateway
Creation date: 02-12-2007
Expiration date: 02-06-2008
Serial 0007-000487-00086CA
Serial 02B1-000454-00053E3
Type: Commercial
Lifespan: 91
5.6.2. Renewing your product key
Renewing the Kaspersky Mail Gateway key gives you the right to re-enable full product functionality, and to resume the additional services listed in section 5.6 on p. 71.
The validity period of the key depends on the product you bought, and the type of the license you purchased. The license for Kaspersky Mail Gateway is usually issued for one year.
To renew the Kaspersky Mail Gateway key:
Contact the company that sold you the application and renew your key for Kaspersky Mail Gateway.
or:
Purchase a key directly from Kaspersky Lab. Write a letter of request to the Sales Department of our company at sales@kaspersky.com or fill in the corresponding form on our website (www.kaspersky.com), in the section E-Store Renew Your License. After your payment is received, we will send a license key to the e-mail address indicated in the corresponding field of your license renewal form.
To install a new license key, enter the following in the command line:
in Linux:
# /opt/kaspersky/mailgw/bin/mailgw-licensemanager -a 00053E3D.key
where 00053E3D.key is the name of the product key file.
in FreeBSD:
# /usr/local/bin/mailgw-licensemanager -a 00053E3D.key
If the installation is successful, the server console will display information similar
to the following:
Kaspersky license manager. Version 5.6.0/RELEASE
Copyright (C) Kaspersky Lab. 1998-2008.
Portions Copyright (C) Lan Crypto
Key file 00053E3D.key is successfully registered
You are advised to update the anti-virus database after the installation.
If you want to install a new key before the current one expires, it can be added as
a backup key. The backup key will be activated immediately after the current one
expires. The term of validity for the additional key starts from the activation date.
You can install only one backup key.
If you have installed two keys (the current and an additional one), information
about both of them can be viewed on the server console.
5.6.3. Removing a key
To remove the current license key and the backup key (if it is installed), enter the
following in the command line:
The server console will display the following (or similar) information:
Kaspersky license manager. Version 5.6.0/RELEASE
Copyright (C) Kaspersky Lab. 1998-2008.
Portions Copyright (C) Lan Crypto
Additional key was successfully removed
CHAPTER 6. ADVANCED APPLICATION SETTINGS
This chapter discusses in detail the advanced settings of Kaspersky Mail Gateway. In contrast to the main settings that provide the application functionality, advanced settings can be configured optionally at the administrator's discretion.
6.1. Configuring anti-virus protection of e-mail traffic
Application parameters in the [mailgw.policy] section define modes for message scanning and disinfection. They also enable/disable the scanning of archives and e-mail attachments (the AVScanArchives and AVScanMailBases parameters respectively).
6.1.1. Setting up application timeouts
Attention!
Restart the application to apply modified settings.
Attention!
All timeout settings are located in the [mailgw.timeouts] section of the application configuration file.
By setting up various timeouts, the administrator can:
Limit the maximum period during which the application will attempt to deliver unsent outgoing messages (MaximalBackoffTime parameter, in seconds).
Limit the minimum time which should elapse before the application will attempt to re-send undelivered messages (MinimalBackoffTime parameter).
Specify the interval during which the application will try to deliver messages, at the frequency defined by the MinimalBackoffTime and MaximalBackoffTime parameters (MaximalQueueLifetime option). After this period elapses, the unsent message will be removed from the ready-to-send queue. If necessary, a DSN message about the initial message delivery failure will be generated.
Specify timeouts for intercepting various network operations (for the Sender and Receiver modules), such as:
Network reading timeout (ReadTimeout option). The default timeout specified in the application's configuration file is the optimal value for most cases and it is advisable not to alter it.
Network writing timeout (WriteTimeout option). The default timeout specified in the application's configuration file is the optimal value for most cases, and it is advisable not to alter it.
Specify timeouts used by the application to send messages:
Maximum time for receiving data from the remote server when establishing an SMTP session (SendingInitialTimeout option).
Maximum time to start an e-mail session (HELO/EHLO command) (SendingHelloTimeout option).
Timeout for receiving a response from the remote server to the MAIL FROM command (SendingMailTimeout option).
Timeout for defining the recipient (RCPT TO command) (SendingRcptTimeout option).
Timeout for initiating data transfer (DATA command) (SendingDataInitiationTimeout option).
Timeout for stopping data transfer (CRLF.CRLF sequence) to the remote server (SendingDataTerminationTimeout option).
Timeout for quitting the current e-mail session (QUIT command) (SendingQuitTimeout option).
Specify timeouts used by the application to receive messages:
Timeout for starting the DATA command (ReceivingDataInitiationTimeout option).
Timeout for stopping data transfer by the remote server (ReceivingDataTerminationTimeout option).
Timeout for waiting for the HELO/EHLO, MAIL FROM, RCPT TO and QUIT commands from the remote server (ReceivingCommandTimeout option).
Timeout for object processing by the AV module (ScanTimeout option).
Specify timeouts used by the application during communication with DNS servers:
Timeout for sending a query to a DNS server and arrival of its response (DNSNetworkTimeout option).
Timeout for the total time it takes to receive a response from the DNS server for all attempts (DNSResolveTimeout option).
Timeout for storage of a DNS record in the DNS cache (DNSCacheMaximalTTL option).
Timeout for storage of a DNS record for unreachable servers in the mailgw cache (UnreachableCacheTTL option).
6.1.2. Setting performance restrictions
Attention!
You can find all restriction settings in the [mailgw.limits] section of the application's configuration file.
Kaspersky Mail Gateway allows the administrator to set certain limits when working with the application, which may reduce the load on the server and increase performance. In addition, the application of network restrictions may prevent some types of virus outbreaks and DoS attacks, which attempt to paralyze mail servers with huge volumes of e-mail traffic.
You can set the following restrictions:
Number of objects simultaneously processed by the Receiver, Sender and AV modules (the IncomingSessions, OutgoingSessions, and AntiviralSessions options, respectively).
Maximum number of message hops (MaximalIncomingHops option). Set this parameter to avoid looping due to incorrect configuration of the routing table.
Limit the maximum size for messages received by the server (MaximalIncomingMessageSize option), and the total number of messages received during one e-mail session (MaximalIncomingMessagesPerSession option).
Limit the number of recipients of a single message (MaximalIncomingRcptsPerMessage option). This parameter prevents spam addressed to your users.
Maximum size of a single e-mail session (MaximalIncomingSessionSize option).
Maximum number of simultaneous connections from the same IP (or host) that are processed by the Receiver and by the Sender modules (MaximalIncomingSessionsPerIP and MaximalOutgoingSessionsPerHost options respectively).
Minimum size of available disk space on the partition where the application's working queue is stored (the MinimalQueueFreeSpaceSize option). If during the application's operation the queue size increases to the point that the available space is below this value, the application will temporarily suspend receipt of new messages until the value returns to the specified limits.
If the e-mail traffic at your server exceeds the specified limits, you are advised to decrease the number of objects being simultaneously processed by the AV module (AntiviralSessions parameter) and the number of hops for a single message (MaximalIncomingMessageSize option). This will increase the application's performance and the message processing speed.
If your server has a low-speed Internet connection, the following actions are recommended:
Decrease the number of objects being simultaneously processed by the Receiver and Sender modules (IncomingSessions and OutgoingSessions options).
Decrease the maximum number of incoming messages received during a single session (MaximalIncomingMessagesPerSession option).
6.2. Setting up connection receiving interfaces
The set of interfaces and ports on which the application receives connections is defined by the ListenOn parameter in the [mailgw.network] section of the application's configuration file. By default, Kaspersky Mail Gateway listens for connections on port 25 using all available interfaces.
If a particular interface is to be used, rather than all available interfaces, or if it is necessary to use a port other than 25, additional settings configuration must be performed.
For instance, to make the application wait for connections on port 1025 of interface 192.168.0.1, assign the following value to the ListenOn parameter in the [mailgw.network] section:
ListenOn=192.168.0.1:1025
To use several particular interfaces, create several ListenOn parameter records
in the configuration file, for instance:
ListenOn=192.168.0.1:25
ListenOn=10.0.0.1:25
6.3. Setting up the routing table
The application does not include a local agent for message delivery, and therefore all incoming e-mail messages must be transferred to the local host on which the agent is installed.
The rules for transferring (routing) are set by the ForwardRoute parameter in the [mailgw.forward] section.
This parameter is specified using one of the following formats:
ForwardRoute=<address_mask> <recipient>
ForwardRoute=<address_mask> [<recipient>]
ForwardRoute=<address_mask> [<recipient>:<port>]
where:
<address_mask> – the address of the recipient of the messages (wildcards "*" and "?" can be used; if the parameter is assigned the value any, then any recipient's address may be used).
<recipient> – the name of the domain containing the mail server to which (according to MX records) the e-mail must be sent.
[<recipient>:<port>] – the delivery point, using the recipient's IP address or host name, and port number.
For example, if you create the following record in section [mailgw.forward]:
ForwardRoute=*@example.com [localhost:1025]
then all e-mail messages to example.com will be sent to port 1025 of the local host after processing by the application.
If several routing rules must be specified, create several copies of the ForwardRoute parameter in the configuration file.
For example, if the section [mailgw.forward] contains these entries:
ForwardRoute=*@example.com [localhost:1025]
ForwardRoute=*@example.net [somehost.example.com]
ForwardRoute=*@example.org example.com
the following processing rules will be followed:
forward all e-mail messages for domain example.com to port 1025 of the local host after processing by the application;
forward all e-mail messages for domain example.net to port 25 of host somehost.example.com after processing by the application;
forward all e-mail messages for domain example.org to the MX host of domain example.com after processing by the application (the domain will be determined at the time the message is sent);
forward all other messages to the corresponding MX hosts after anti-virus scanning and spam filtering.
Attention!
When more than one rule applies to a message, the rule used is the first one where the specified domain matches the domain of the message recipient.
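As an added example (not the product's code), the routing rules above can be parsed and applied as a small resolver: it recognises the three ForwardRoute formats, treats only "*" and "?" as wildcards plus the value any, and applies the first-match rule from the Attention note. It assumes host-name or IPv4 targets (no bracketed IPv6) and that "[host]" without a port means port 25, as the example.net case states.

```python
"""Added example (not the product's code): parse ForwardRoute lines from the
[mailgw.forward] section and pick the delivery point for a recipient using the
three formats and the first-match rule described in section 6.3.
Assumptions: IPv4 or host-name targets only (no bracketed IPv6), and "[host]"
without a port means port 25, as the manual's example.net case states."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed config fragment, taken from the manual's example in section 6.3.
SAMPLE_CONFIG = """\
[mailgw.forward]
ForwardRoute=*@example.com [localhost:1025]
ForwardRoute=*@example.net [somehost.example.com]
ForwardRoute=*@example.org example.com
"""

_ROUTE_RE = re.compile(r"^ForwardRoute\s*=\s*(?P<mask>\S+)\s+(?P<target>\S+)\s*$")


@dataclass(frozen=True)
class Route:
    mask: str            # recipient address mask with "*" / "?" wildcards, or "any"
    target: str          # host name / IP address, or a domain when via_mx is True
    port: Optional[int]  # explicit port, 25 for "[host]", None when via_mx
    via_mx: bool         # True: deliver to the MX host of `target`, looked up at send time

    def describe(self) -> str:
        if self.via_mx:
            return f"MX host of {self.target}"
        return f"{self.target}:{self.port}"


def parse_routes(config_text: str) -> List[Route]:
    """Collect ForwardRoute entries in file order (order matters for matching)."""
    routes: List[Route] = []
    for raw in config_text.splitlines():
        m = _ROUTE_RE.match(raw.strip())
        if m is None:
            continue  # section headers, blank lines, other parameters
        mask, target = m["mask"], m["target"]
        if target.startswith("[") and target.endswith("]"):
            host, sep, port = target[1:-1].rpartition(":")
            if not sep:                      # "[host]" form: no port given
                host, port = port, "25"
            routes.append(Route(mask, host, int(port), via_mx=False))
        else:                                # bare domain: MX lookup at send time
            routes.append(Route(mask, target, None, via_mx=True))
    return routes


def _mask_matches(mask: str, address: str) -> bool:
    """Only "*" and "?" are wildcards; everything else is literal (case-insensitive)."""
    if mask.lower() == "any":
        return True
    pattern = re.escape(mask).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(pattern, address, re.IGNORECASE) is not None


def resolve_route(recipient: str, routes: List[Route]) -> Optional[Route]:
    """First matching rule wins (the manual's Attention note). None means no
    rule applied: the message goes to the recipient domain's own MX hosts."""
    for route in routes:
        if _mask_matches(route.mask, recipient):
            return route
    return None


if __name__ == "__main__":
    table = parse_routes(SAMPLE_CONFIG)
    for rcpt in ("alice@example.com", "bob@example.net", "carol@example.org", "dave@other.test"):
        hit = resolve_route(rcpt, table)
        print(rcpt, "->", hit.describe() if hit else "MX hosts of recipient domain")
```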
6.4. Checking the configuration file syntax
Use the -k or --check-config option in the command line of the mailgwd application component to check the syntax of its configuration file.
If the configuration file contains no errors, no information will be output to the
server console.
If the check reveals errors, the list of errors will be displayed in the console.
6.5. Syntax check in notification templates
The application allows syntax checks of notification templates to be made by the
mailgw-tlv utility, which is installed by default in the directory
/opt/kaspersky/mailgw/bin/ (in Linux distributions) or in /usr/local/bin/ (for
FreeBSD distributions).
To check the syntax of a notification template, enter the following in the command line:
in Linux:
> /opt/kaspersky/mailgw/bin/mailgw-tlv ./dsn.tmpl
in FreeBSD:
> /usr/local/bin/mailgw-tlv ./dsn.tmpl
The utility will output, to the server console, a report similar to the example below:
Kaspersky Template Language Verifier, version
5.6.12/RELEASE,
Copyright (C) Kaspersky Lab, 1997-2008
Parsing error: Unexpected end of line in the declaration, line 63
If a template check is successful, the utility will report that template syntax is correct. In case of errors it will display a description of possible failure. The utility‟s
return codes are described in section B.13 on p. 170.
6.6. Work with e-mail archives and the quarantine directory
The mailgw-maila utility allows the management of objects stored in the quarantine directories, or in the archives of incoming/outgoing messages. The mailgw-maila utility is installed by default to the /opt/kaspersky/mailgw/bin/ directory (in Linux) or the /usr/local/bin/ directory (in FreeBSD).
It has the following functionality:
Reviewing the whole storage contents, or information about certain
The utility outputs information about messages in a storage directory in the following format:
ID STATUS SIZE DATE IP <SENDER> -> <RECIPIENT>
where:
ID – identification number of a stored message;
STATUS – message status reflecting its current state. A stored message may have any of the following statuses:
o incoming – message from the archive of incoming mail;
o outgoing – message from the archive of outgoing mail;
o as/spam – message with the Spam status, assigned by the anti-spam module;
o as/probable – message with the ProbableSpam status, assigned by the anti-spam module;
o as/formal – message with the Formal status, assigned by the anti-spam module;
o as/blacklisted – message with the Blacklisted status, assigned by the anti-spam module;
o av/clean – message with the Clean status, assigned by the AV module;
o av/disinfected – message with the Disinfected status, assigned by the AV module;
o av/infected – message with the Infected status, assigned by the AV module;
o av/suspicious – message with the Suspicious status, assigned by the AV module;
o av/protected – message with the Protected status, assigned by the AV module;
o av/error – message with the Error status, assigned by the AV module;
o av/filtered – message with the Filtered status, assigned by the AV module.
SIZE – message size (may be specified in bytes, kilobytes, or megabytes as determined by the respective prefixes);
DATE – time and date that the message was received by the application;
IP – IP address of the message sender;
SENDER – message sender's address;
RECIPIENT – message recipient's address (the field may contain several values).
Removal of all messages, or a specified message, from storage, for ex-
The following (or similar) information will be output to console:
Kaspersky Mail Archives Manager, version
5.6.12/RELEASE,
Copyright (C) Kaspersky Lab, 1997-2008
Total: 4586 archived messages have been removed.
Attention!
If the --send-id command line option is specified, the selected message must pass the anti-virus scanning and anti-spam filtering procedure before it is delivered to the recipient. To send a message from storage without anti-virus scanning and anti-spam filtration, use the -send-id-without-check command line option.
Note
Descriptions of command line options for the mailgw-maila utility can be found in section B.16 on p. 181, and its return codes are described in section B.17 on p. 182.
Sending of all messages/certain messages from storage directories to
The application outputs information, about messages in the working
queue, in the following format:
ID STATUS SIZE DATE IP <SENDER> -> <RECIPIENT>
where:
ID – identification number of a queued message;
STATUS – message status reflecting its current state.
A message in the working queue may have any of the following statuses:
o WFC – message waiting for anti-spam filtration and anti-virus scanning;
o CHK – message being scanned for virus presence;
o WFS – message waiting for creation of its virtual copies;
o SPL – message being used for creation of virtual copies;
o QUE – message waiting to be sent to its recipient;
o SND – message being sent.
SIZE – message size, which may be specified in bytes, kilobytes, or megabytes as determined by the respective prefixes;
DATE – time and date that the message was added to the queue;
IP – IP address of the message sender;
SENDER – message sender's address;
RECIPIENT – message recipient's address (the field may contain several values).
Removal of all messages, or a specified message, from the working
queue.
To remove all messages from the working queue, enter the following in
the command line (in Linux):
The utility will output to the server console a report similar to the example below:
Kaspersky Mail Queue Manager, version
5.6.12/RELEASE,
Copyright (C) Kaspersky Lab, 1997-2008
Total: 12 queued messages have been removed.
Attention!
A message can only be removed from the queue if its status is WFC, WFS or QUE.
Attention!
A message can be sent ahead of the general queue only if it has the status QUE (expects delivery to the recipient).
Note
Descriptions of command line options for the mailgw-mailq utility can be found in section B.15 on p. 180, and its return codes are described in section B.17 on p. 182.
Send all or selected messages ahead of the general queue, for example, in Linux:
> /opt/kaspersky/mailgw/bin/mailgw-mailq --send-id=jHrWPC7s86253
In FreeBSD:
> /usr/local/bin/mailgw-mailq --send-id=jHrWPC7s86253
The following (or similar) information will be output to console:
Kaspersky Mail Queue Manager, version 5.6.12/RELEASE,
Copyright (C) Kaspersky Lab, 1997-2008
Message with QueueID jHrWPC7s86253 will be sent asap.
6.8. Managing the application
While Kaspersky Mail Gateway is running, it can be managed using scripts, signals, and the command line.
This section describes how to manage the application using scripts. For management options using signals, see section B.3 on p. 155, and for information about using files, see section B.4 on p. 155.
Attention!
Application management using scripts requires privileged user (root) rights.
If you use the Linux distribution package to run the management script, enter the following at the command line:
# /opt/kaspersky/mailgw/lib/bin/mailgw <action>
or use the link:
# /etc/init.d/mailgw <action>
If you use the FreeBSD distribution package, run the management script by entering the following:
# /usr/local/etc/rc.d/mailgw.sh <action>
Table 1 contains possible values of the <action> parameter:
Table 1. Management script parameters
Value | Meaning
start | Start the application.
stop | Stop the application.
restart | Stop and then start the application.
reload | Reinitialize the main application component, reload the anti-virus database and the configuration file, and restart the anti-spam module.
reload-bases | Reload the anti-virus databases and restart the anti-spam module.
status | Request the application's status.
stats | Request the application's statistics.
recv-off | Suspend the operation of the Receiver module.
recv-on | Resume the operation of the Receiver module.
send-off | Suspend the operation of the Sender module.
send-on | Resume the operation of the Sender module.
check-off | Suspend the operation of the scanning module.
check-on | Resume the operation of the scanning module.
clear-stats | Reset statistics.
post-update | Load Kaspersky Mail Gateway databases after their successful downloading.
When the Receiver module is suspended, mail servers will be unable to establish a connection with Kaspersky Mail Gateway to transfer messages to recipients within your e-mail system. Messages already added to the work queue will be treated as normal, that is, scanned for viruses and spam signs, processed in accordance with the existing rules and forwarded to the recipients (unless the rules block their delivery).
When the Sender module is suspended, the application stops transmitting processed messages. Processed messages will be preserved in the work queue of outgoing messages. Suspension of the Sender module does not affect the Receiver module. Receipt of messages from mail servers will not be suspended.
When the scanning module is suspended, e-mail messages accepted by the Receiver module will be transferred directly to the Sender module for subsequent delivery to recipients. Anti-virus scanning, spam filtering and message processing will not be performed.
6.9. Control of application activity
A special watchdog process ensures that individual application modules function correctly while the software is running. As soon as the application starts, it creates a child process to monitor the application. If after a specified interval the parent process receives no confirmation of correct operation from any module, the watchdog process restarts the application.
Attention!
You can control timeouts of the watchdog process using the application command line options. See section B.6 on p. 163 for details.
6.10. Customizing date and time formats
Kaspersky Mail Gateway generates reports on the activity of every component. This information always contains the date and time of report generation.
By default, Kaspersky Mail Gateway displays the date and time using the strftime standard:
%H:%M:%S – displayed time format.
%d-%m-%Y – displayed date format.
The administrator can customize how time and date information are displayed in the [locale] section of the application configuration file. You can specify one of the following formats:
%I:%M:%S %P – display time in 12-hour format (TimeFormat parameter).
%y/%m/%d or %m/%d/%y – display date (DateFormat parameter) as yy/mm/dd or mm/dd/yy, respectively.
6.11. Reporting options
The performance of the main application component is recorded either in the application log file in plain text format (LogFilename option in the [mailgw.options] section) or in the system log (syslog). The data is not logged if the LogFilename option is not defined (LogFilename=).
To customize the output data, change the report detail level (LogLevel option in the [mailgw.options] section).
Report detail level is a number that defines the level of reported details for application performance data. Each subsequent level of detail contains all the details from the previous level, and adds new information.
Table 2 below lists the possible report detail levels.
Table 2. Report detail levels
Level | Level description | Letter symbol | Meaning
0 | Fatal Errors | F | Only information regarding critical errors which terminate the program, due to the impossibility of executing an action. For example, a component is infected, or scanning, database loading, or product key loading failed.
1 | Errors | E | Information about other errors that may or may not lead to application shutdown, for example, file scan errors.
2 | Warning | W | Notifications about errors that may lead to the application shutdown (product key expiration warning, out-of-disk-space warning, etc.).
3 | Info, Notice | I | Important informational messages, such as whether a component is running or inactive, the path to the configuration file, latest changes in the scan area, database updates, product keys, statistics summary.
4 | Activity | A | Messages on scanning of files according to the report detail level.
9 | Debug | D | All debug messages.
Information about fatal errors is always displayed, regardless of the report detail level. The optimal level is level 4, which is also the default level.
Information messages may be divided into the following types:
Messages about actions on e-mail messages.
Notifications about system events.
Other messages (component start, loading of databases, return codes, etc.).
The output format for each of the levels of detail listed above is as follows:
for messages about actions on e-mail messages:
[date time detail_level] envelope-id: MESSAGE;
for all other types of message:
[date time detail_level]: MESSAGE,
where:
[date time detail_level] gives the date and the time (in the format specified by the administrator in the [locale] section) and the letter indicating the report detail level.
envelope-id – identifier of the e-mail message in the working queue of the application.
MESSAGE – message text, whose format depends on the message type.
For the text of report messages containing information about actions on e-mail messages, see section B.20 on p. 187.
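As an added illustration (not code from the manual), a small Python parser for the two log-line formats described above, applied to constructed sample lines that use the yy/mm/dd DateFormat and 12-hour TimeFormat of the [locale] section; the envelope ids, file path and message texts in the sample are invented.

```python
import re
from collections import Counter

# Letter symbols from Table 2 (the fatal-error level's symbol is not given on this page).
LEVEL_NAMES = {"E": "Errors", "W": "Warning", "I": "Info", "A": "Activity", "D": "Debug"}

# "[date time L] envelope-id: MESSAGE" for actions on messages, "[date time L]: MESSAGE"
# otherwise.  The date/time part is taken up to the first " L]" so any [locale]
# DateFormat/TimeFormat combination (including 12-hour times with AM/PM) parses.
LINE_RE = re.compile(r"^\[(?P<stamp>.+?) (?P<level>[A-Z])\](?: (?P<envelope>\S+))?: (?P<message>.*)$")

# Constructed sample using yy/mm/dd dates and 12-hour times; not real gateway output.
SAMPLE_LOG = """\
[14/05/08 10:21:03 PM I]: configuration file /path/to/mailgw.conf loaded
[14/05/08 10:21:07 PM A] 1KqZ3x-0001: message accepted from <sender@example.com>
[14/05/08 10:21:08 PM E] 1KqZ3x-0001: scan error: attachment could not be unpacked
[14/05/08 10:21:09 PM W]: product key expires in 7 days
[14/05/08 10:21:10 PM A] 1KqZ3x-0002: message delivered to <user@example.org>
this line is not in the documented format
"""

def parse_line(line):
    """Return a dict with stamp, level, level_name, envelope (None for non-message
    records) and message, or None if the line is not in the documented format."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["level_name"] = LEVEL_NAMES.get(rec["level"], "unknown")
    return rec

def parse_log(text):
    """Parse every line, silently skipping lines that do not match."""
    return [r for r in map(parse_line, text.splitlines()) if r]

def level_counts(records):
    """How many records were written at each detail level."""
    return Counter(r["level"] for r in records)

def envelopes_with_errors(records):
    """Envelope ids that carry at least one error (E) or warning (W) record,
    i.e. the queue entries an administrator should look at first."""
    return sorted({r["envelope"] for r in records
                   if r["envelope"] and r["level"] in ("E", "W")})
```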
6.12. Adding supplementary information to messages
The application supports two methods of adding supplementary information to e-mail messages:
Adding an extension header field to the e-mail message.
The information may describe the application's version, the date when the anti-virus databases were last updated, or the time and result of anti-virus and anti-spam scanning of the message (determined by the AddXHeaders parameter in the [mailgw.policy] section of the application configuration file).
Header format:
X-Anti-Virus: <product name and version>, bases: <date of the last update to anti-virus databases in YYYYMMDD format> #<number of records in the AV databases>, check: <scan date in YYYYMMDDTHHMMSS format> <scanning status or not_checked>
For detailed information about the headers added to messages by the anti-spam module, please see section B.18 on page 183.
Adding a disclaimer text to the e-mail message's body.
The information will be added as plain text; it may contain a statement generated in accordance with the security policy (or other rules) of a specific organization (the AddDisclaimer parameter in the [mailgw.policy] section). The default message text states that the message has been scanned by Kaspersky Mail Gateway. The administrator can modify the information format (e.g., generate the disclaimer as HTML text).
6.13. Control of application activity via SNMP
Beginning with version 5.6, the application provides read-only access to the following information via Simple Network Management Protocol (SNMP):
Configuration of the application – information about all parameters from
all sections of the program configuration file.
Activity statistics – statistical information about application operations.
Availability of the information via SNMP is defined by the SNMPServices parameter in the [mailgw.snmp] section of the configuration file.
The application provides the following data accessible through SNMP:
Information about configuration of the application.
Statistics of application activity:
Date of application launch (in ISO 8601 format).
Time (seconds) passed since application start.
Date of the last successful update (in ISO 8601 format).
Total number of records in the current databases of Kaspersky Mail Gateway.
Release date of the current application database update (in ISO 8601 format).
Attention!
To ensure correct interaction with the application via AgentX, you are advised to use the NET-SNMP version 5.1.2 or later.
Interaction via SNMP is implemented in Kaspersky Mail Gateway using an SNMP subagent, which in turn works with an SNMP master agent. Interaction parameters are listed in the [mailgw.snmp] section of the configuration file:
ConnectTo – the option defines the socket for interaction. A local file or a network socket can be used. E.g.:
ConnectTo=unix:/path/to/dir/
or
ConnectTo=127.0.0.1:705
PingInterval – interval (seconds) that the subagent will use between attempts to connect to the master agent in case of disconnection.
Timeout – timeout (seconds) for sending a request to the master agent.
Retries – number of attempts to send a request to the master agent.
The application can use as master any agent that supports the AgentX protocol. In this section the NET-SNMP agent is used as an example. Interaction is performed through a local socket.
The following steps are necessary for configuration of the agent:
1. Modify the snmpd.conf configuration file adding the following lines to it:
master agentx
AgentXSocket tcp:localhost:705
rocommunity public
trapsink localhost
2. Modify the snmp.conf configuration file adding the following lines to it:
mibdirs +/opt/kaspersky/mailgw/share/snmp-mibs
mibs all
The /opt/kaspersky/mailgw/share/snmp-mibs (in Linux) or
/usr/local/share/mailgw/snmp-mibs path (in FreeBSD) defines the loca-
tion of MIB files of Kaspersky Mail Gateway. If you have installed the
application to a different directory, specify the path corresponding to
your configuration.
Note
Detailed information regarding configuration of the NET-SNMP agent is available at its official site http://www.net-snmp.org/. To display information about
snmpd.conf and snmp.conf use the program manual pages.
3. Restart NET-SNMP.
During data access via SNMP the following OID (object identifier) is used:
1.3.6.1.4.1.23668.1159
The administrator can configure the application to send SNMP traps when certain events occur. Generation of SNMP traps is regulated by the SNMPTraps option in the [mailgw.snmp] section of the configuration file. SNMP traps are generated when the following events occur:
Reloading of the anti-virus databases (TrapBasesReloaded, TrapBasesReloading) or application configuration (TrapConfigReloaded, TrapConfigReloading).
After you install and configure Kaspersky Mail Gateway, it is recommended that you test its settings and operability by using the following three methods:
Telnet program.
Mail messages containing test phrases in the Subject header, or GTUBE templates.
EICAR test virus.
7.1. Testing mail receipt and delivery using Telnet
To test the application operation using Telnet it is necessary to:
1. Connect to the server on which the application is installed using Telnet. To do so, enter the following at the command line:
telnet <mailgw host address> <port>
where <mailgw host address> and <port> are the values assigned to the ListenOn option in the [mailgw.network] section of the application configuration file.
2. After the connection is established, wait for a response from the main application component. You will see the following information:
220 example.org ESMTP
where example.org is the name of the server being tested.
3. After the connection to the server is confirmed, type the following at the command line:
EHLO <fqdn>
where <fqdn> stands for the fully qualified domain name of the host that establishes the connection.
You will see the following (or similar) information:
250-example.org hello user [127.0.0.1]
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 10485760
250 DSN
where:
example.org is the name of the server being tested
user is the client host name
[127.0.0.1] is the client IP address.
Enter at the command line:
MAIL FROM: <sender_address>
You will see the following (or similar) information:
250 2.1.0 OK
Enter at the command line:
RCPT TO: <recipient_address>
You will see the following (or similar) information:
250 2.1.0 OK
Enter at the command line:
DATA
You will see the following (or similar) information:
354 Start mail input; end with <CRLF>.<CRLF>
Enter at the command line (the final line is a single period, which ends the message):
From: xz@example.com
To: xz@example.com
Subject: test
test
.
You will see the following (or similar) information:
250 2.1.0 OK
4. If the response is 250 2.1.0 OK, the test message has been successfully accepted by the server. After this, the message will be checked by the anti-spam module, scanned for viruses and then sent to the recipient in accordance with the routing table. You are advised to check message delivery. To verify the results, view the application statistics: one message will be added to the totals for scanned and sent messages.
7.2. Testing the anti-spam filtration
To test the Spamtest filter functionality, you must create e-mail messages containing specific phrases in the Subject header. Table 3 below contains a summary of test phrases and the corresponding Spamtest responses.
Table 3. Test messages
Test phrase in the Subject header           Response of the anti-spam module
Subject: spam is bad do not send it         Based on the analysis, the message will be
  or                                        assigned the Spam status.
Subject: t h i s i s n o t s p a m
Subject: News and special events May        Based on the analysis, the message will be
                                            assigned the Probable Spam status.
Subject: Out of Office AutoReply            Based on the filter's analysis, the message
                                            will be assigned the status Not detected.
                                            The label [--Formal Messages--] will be
                                            added to its Subject header.
Text of the Subject header contains         Based on the filter's analysis, the message
invective.                                  will be assigned the status Not detected.
                                            The label [--Obscene--] will be added to
                                            its Subject header.
Having sent a message with a test phrase in the Subject, you should check that the message has been processed in accordance with the specified rules: for instance, that the application has changed the specified message headers, or that the message has been added to the quarantine directory. If the application does not function properly, you should consult Kaspersky Lab's Technical Support.
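The Telnet exchange of section 7.1 as a script, added here rather than taken from the manual, which can also carry any Table 3 phrase in the Subject header for the section 7.2 anti-spam check; the client host name, the sender and recipient addresses, the QUIT reply and the canned server replies it replays offline are constructed (the reply texts follow those printed in section 7.1).

```python
import io
# Replies printed in section 7.1, replayed so the session can be exercised offline
# (constructed from the manual's text; "221 Bye" for QUIT is assumed).
CANNED_REPLIES = (
    b"220 example.org ESMTP\r\n"
    b"250-example.org hello user [127.0.0.1]\r\n250-ENHANCEDSTATUSCODES\r\n"
    b"250-PIPELINING\r\n250-8BITMIME\r\n250-SIZE 10485760\r\n250 DSN\r\n"
    b"250 2.1.0 OK\r\n250 2.1.0 OK\r\n"
    b"354 Start mail input; end with <CRLF>.<CRLF>\r\n"
    b"250 2.1.0 OK\r\n221 Bye\r\n"
)
def read_reply(rfile):
    """Read one SMTP reply; "250-" lines continue it, "250 " ends it. Return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed before a complete reply arrived")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines

def run_session(rfile, wfile, sender, recipient, subject, fqdn="client.example.org"):
    """Drive the exchange of section 7.1; return the reply codes seen, raise on a surprise."""
    codes = []
    def step(cmd, expected):
        if cmd is not None:
            wfile.write((cmd + "\r\n").encode("ascii"))
            wfile.flush()
        code, lines = read_reply(rfile)
        codes.append(code)
        if code != expected:
            raise RuntimeError(f"{cmd or 'banner'}: expected {expected}, got {code} {lines[0]}")
    step(None, 220)                      # greeting banner, nothing sent yet
    step(f"EHLO {fqdn}", 250)            # multi-line capability list
    step(f"MAIL FROM:<{sender}>", 250)
    step(f"RCPT TO:<{recipient}>", 250)
    step("DATA", 354)
    # Fixed body, so no dot-stuffing is needed; any Table 3 phrase works as the subject.
    step(f"From: {sender}\r\nTo: {recipient}\r\nSubject: {subject}\r\n\r\ntest\r\n.", 250)
    step("QUIT", 221)
    return codes

def dry_run(subject="test"):
    """Replay CANNED_REPLIES offline; return (codes, bytes the client would have sent)."""
    out = io.BytesIO()
    codes = run_session(io.BytesIO(CANNED_REPLIES), out, "xz@example.com", "xz@example.com", subject)
    return codes, out.getvalue()
```

For a live check against the ListenOn host and port, open `socket.create_connection((host, port))` and pass `s.makefile("rb")` and `s.makefile("wb")` to run_session in place of the BytesIO objects.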
Attention!
Never use real viruses to test the operation of your anti-virus application!
You can also test filtration using a special GTUBE (Generic Test for Unsolicited Bulk E-mail) template. Testing spam filtration with GTUBE is analogous to testing anti-virus software with the EICAR test virus.
Create an e-mail message containing the following string (without spaces or hyphenation):
and send it to an e-mail account protected by Kaspersky Mail Gateway. After analysis the message will receive the SPAM status and the application will apply to it the action specified in the policy assigned for the account.
7.3. Testing the application using EICAR
This test "virus" has been developed by EICAR (the European Institute for Computer Anti-Virus Research) specifically to verify the functioning of anti-virus software.
It IS NOT A VIRUS and contains no code that may harm your computer. However, most anti-virus products identify it as a virus, according to the European Institute for Computer Antivirus Research.
The test "virus" can be downloaded from the official EICAR site at: http://www.eicar.org/anti_virus_test_file.htm. If you have no Internet access, you can create a test "virus" manually by entering the line below into any text editor and saving the file as eicar.com:
The file that you downloaded from the EICAR website, or created in a text editor
as described above, contains the body of a standard test "virus". The anti-virus
application will detect it, flag it as Infected and perform the specified action for
objects with this status.
To test the application's response to objects with other statuses, modify the body
of the standard test "virus" by adding one of the prefixes below (see Table 4).