KASPERSKY Mail Gateway 5.6 User Manual

KASPERSKY LAB
Kaspersky® Mail Gateway 5.6
ADMINISTRATOR'S GUIDE

KASPERSKY® MAIL GATEWAY 5.6
Administrator's Guide
Kaspersky Lab
http://www.kaspersky.com
Revision date: July, 2008.
Contents
CHAPTER 1. KASPERSKY® MAIL GATEWAY 5.6 ....................................................... 8
1.1. What's new in Kaspersky Mail Gateway 5.6 ...................................................... 10
1.2. Licensing policy ................................................................................................... 11
1.3. Hardware and software requirements ................................................................ 12
1.4. Distribution kit ...................................................................................................... 13
1.5. Help desk for registered users ............................................................................ 13
CHAPTER 2. APPLICATION STRUCTURE AND TYPICAL DEPLOYMENT SCENARIOS ........ 15
2.1. Application architecture ....................................................................................... 15
2.2. The main application's algorithm ........................................................................ 17
2.3. Typical deployment scenarios ............................................................................. 20
2.3.1. Installing the application in a demilitarized zone .......................................... 21
2.3.2. Installing the application inside the corporate network's perimeter ............. 23
CHAPTER 3. INSTALLING THE APPLICATION ......................................................... 25
3.1. Installing the application on a server running Linux ........................................... 25
3.2. Installing the application on a server running FreeBSD ..................................... 26
3.3. Installation procedure .......................................................................................... 26
3.4. Configuring the application .................................................................................. 28
3.5. Installing the Webmin module to manage Kaspersky Mail Gateway ................ 30
CHAPTER 4. THE PRINCIPLES OF THE APPLICATION'S OPERATION ............... 33
4.1. Creating groups of recipients/senders ................................................................ 33
4.2. General message processing algorithm ............................................................. 36
4.3. Operation of the anti-spam module .................................................................... 38
4.3.1. Analysis of formal signs ................................................................................ 39
4.3.2. Content filtration ............................................................................................ 40
4.3.3. Checks using external services .................................................................... 41
4.3.4. Urgent Detection System ............................................................................. 41
4.3.5. Recognition results and actions over messages ......................................... 42
4.4. Operation of the anti-virus scanning module ...................................................... 44
CHAPTER 5. ANTI-VIRUS PROTECTION AND SPAM FILTRATION....................... 46
5.1. Updating the anti-virus and anti-spam databases .............................................. 46
5.1.1. Automatic updating of the anti-virus and anti-spam databases .................. 48
5.1.2. Manual updating of the anti-virus and anti-spam databases ...................... 49
5.1.3. Creating a network directory to store and share updates ........................... 50
5.2. Spam filtration ...................................................................................................... 51
5.2.1. Starting and managing the components of the anti-spam module ............. 52
5.2.2. Managing the filtration process .................................................................... 52
5.2.3. Mail filtration using black and white lists....................................................... 54
5.2.4. Managing the UDS service .......................................................................... 55
5.2.5. Managing the list of enabled DNSBL services ............................................ 56
5.2.6. Marking of messages containing spam ....................................................... 57
5.2.7. Blocking delivery of spam messages ........................................................... 57
5.2.8. Storage of spam message copies in the quarantine directory .................... 58
5.3. Anti-virus protection of e-mail traffic .................................................................... 59
5.3.1. Delivery of messages with clean or disinfected objects only ...................... 59
5.3.2. Replacement of infected objects by standard notifications ......................... 60
5.3.3. Blocking delivery for messages containing suspicious objects ................... 61
5.3.4. Delivery of notifications to the sender, administrator and recipients ........... 62
5.3.5. Additional filtering of objects by name and type .......................................... 63
5.3.6. Saving messages in the quarantine directory ............................................. 64
5.4. Combining spam filtration and anti-virus protection ........................................... 65
5.4.1. Maximum speed ........................................................................................... 65
5.4.2. Recommended mode ................................................................................... 67
5.4.3. Maximum protection ..................................................................................... 68
5.5. Additional features of Kaspersky Mail Gateway ................................................. 69
5.5.1. Automatically add incoming and outgoing e-mail to archives ..................... 69
5.5.2. Protection from hacker attacks and spam ................................................... 70
5.6. Managing product keys ....................................................................................... 71
5.6.1. Viewing information about product keys ...................................................... 72
5.6.2. Renewing your product key .......................................................................... 74
5.6.3. Removing a key ............................................................................................ 75
CHAPTER 6. ADVANCED APPLICATION SETTINGS .............................................. 76
6.1. Configuring anti-virus protection of e-mail traffic ................................................ 76
6.1.1. Setting up application timeouts .................................................................... 76
6.1.2. Setting performance restrictions .................................................................. 78
6.2. Setting up connection receiving interfaces ......................................................... 79
6.3. Setting up the routing table ................................................................................. 80
6.4. Checking the configuration file syntax ................................................................ 81
6.5. Syntax check in notification templates ................................................................ 81
6.6. Work with e-mail archives and the quarantine directory .................................... 82
6.7. Management of application working queue ........................................................ 85
6.8. Managing the application .................................................................................... 88
6.9. Control of application activity ............................................................................... 90
6.10. Customizing date and time formats .................................................................. 91
6.11. Reporting options .............................................................................................. 91
6.12. Adding supplementary information to messages ............................................. 93
6.13. Control of application activity via SNMP ........................................................... 94
CHAPTER 7. TESTING APPLICATION OPERABILITY ............................................. 97
7.1. Testing mail receipt and delivery using Telnet ................................................... 97
7.2. Testing the anti-spam filtration ............................................................................ 99
7.3. Testing the application using EICAR ................................................................ 100
CHAPTER 8. UNINSTALLING THE APPLICATION ................................................. 102
CHAPTER 9. FREQUENTLY ASKED QUESTIONS ................................................. 103
APPENDIX A. KASPERSKY MAIL GATEWAY CONFIGURATION FILE ................ 107
A.1. Section [path] .................................................................................................... 107
A.2. Section [locale] .................................................................................................. 108
A.3. Section [options] ................................................................................................ 108
A.4. Section [mailgw.access] ................................................................................... 109
A.5. Section [mailgw.antispam] ................................................................................ 114
A.6. Section [mailgw.forward] ................................................................................... 115
A.7. Section [mailgw.limits] ....................................................................................... 116
A.8. Section [mailgw.network] .................................................................................. 117
A.9. Section [mailgw.options] ................................................................................... 119
A.10. Section [mailgw.path] ...................................................................................... 121
A.11. Section [mailgw.timeouts] ............................................................................... 122
A.12. Section [mailgw.archive] ................................................................................. 124
A.13. Section [mailgw.snmp] .................................................................................... 125
A.14. Section [mailgw.policy] .................................................................................... 126
A.15. Section [path mailgw.group:group_name] ..................................................... 136
A.16. Section [updater.path] ..................................................................................... 145
A.17. Section [updater.options] ................................................................................ 146
A.18. Section [updater.report] .................................................................................. 148
APPENDIX B. SUPPLEMENTARY INFORMATION ABOUT THE PRODUCT ....... 149
B.1. Distribution of the application files in directories .............................................. 149
B.2. Use of external configuration files..................................................................... 153
B.3. Control signals for the main application daemon ............................................. 155
B.4. Command line application management ......................................................... 155
B.5. Application statistics .......................................................................................... 156
B.6. SNMP traps for interaction with the application via SNMP .............................. 163
B.7. Mailgwd command line options ........................................................................ 164
B.8. Mailgwd return codes ........................................................................................ 165
B.9. Licensemanager command line options .......................................................... 167
B.10. Licensemanager return codes ........................................................................ 167
B.11. Keepup2date command line options.............................................................. 168
B.12. Keepup2date return codes ............................................................................. 169
B.13. Templates........................................................................................................ 170
B.14. Mailgw-tlv utility return codes .......................................................................... 180
B.15. Mailgw-mailq utility command line options ..................................................... 180
B.16. Mailgw-maila utility command line options ..................................................... 181
B.17. Mailgw-maila and mailgw-mailq return codes ................................................ 182
B.18. Special headers added by the anti-spam module ......................................... 183
B.19. Format of messages about anti-virus scanning and spam filtration .............. 185
B.20. Notifications about actions applied to the message ...................................... 187
APPENDIX C. SENDING SPAM TO THE GROUP OF SPAM ANALYSTS ............ 191
APPENDIX D. KASPERSKY LAB............................................................................... 193
D.1. Other Kaspersky Lab Products ........................................................................ 194
D.2. Contact Us ........................................................................................................ 205
APPENDIX E. LICENSE AGREEMENT ..................................................................... 206
APPENDIX F. SOFTWARE COMPONENTS FROM THIRD-PARTY VENDORS .. 212
F.1. Berkeley DB 1.85 library ................................................................................... 212
F.2. Libjpeg 6b library ............................................................................................... 213
F.3. Libungif library ................................................................................................... 215
F.4. Libevent library .................................................................................................. 215
F.5. Libspf2 library .................................................................................................... 216
F.6. Libpatricia library................................................................................................ 217
F.7. Pcre library ......................................................................................................... 218
F.8. Zlib library .......................................................................................................... 219
F.9. Expat library ....................................................................................................... 220
F.10. STLport library ................................................................................................. 220
F.11. OpenSSL library .............................................................................................. 221
F.12. FreeBSD libc library ........................................................................................ 223
F.13. Mcpp preprocessor program .......................................................................... 224
F.14. Libbind library .................................................................................................. 225
F.15. Snmp++v3.2.22 library .................................................................................... 226
F.16. Libdes-l-4.01a library ....................................................................................... 226
F.17. Crypt-1.02 library ............................................................................................. 227
F.18. AgentX++v1.4.16 library ................................................................................. 227
F.19. Agent++v3.5.28a library .................................................................................. 233
F.20. Universal Charset Detector (Mozilla) library ................................................... 235
CHAPTER 1. KASPERSKY® MAIL GATEWAY 5.6

Kaspersky® Mail Gateway 5.6 (henceforth referred to as Kaspersky Mail Gateway or the application) filters SMTP e-mail traffic to protect e-mail system users against viruses and unwanted messages (spam). The application is a full-featured mail relay (compliant with IETF RFC internet standards) that runs under the Linux and FreeBSD operating systems.

The application allows the user to:

 Scan e-mail messages for viruses, including both attached objects and message bodies.
 Detect infected, suspicious, and password-protected attachments and message bodies.
 Perform anti-virus processing (including disinfection) of infected objects detected in e-mail messages by scanning.
 Filter e-mail traffic by the names and MIME types of attachments, and apply specified processing rules to the filtered objects.
 Check each message, including attached objects, for signs typical of spam.
 Check during anti-spam analysis the addresses of the mail sender and recipient (envelope), the message size and various headers (including From and To).
 Perform the following checks as part of the anti-spam mail analysis:
   o presence of the sender's IP address in a DNS-based real-time black hole list (DNSBL);
   o availability of a DNS record for the sending server (reverse DNS lookup);
   o a check of the sender's IP address for compliance with the list of addresses allowed for a domain, based on the Sender Policy Framework (SPF);
   o a check of addresses and links to web sites in the message text using the Spam URL Real-time Blocklists (SURBL) service.

Note
DNSBL (DNS-based black hole list) is a database that lists IP addresses of mail servers used for uncontrolled mass mailing. Such servers receive mail from anyone and deliver it further to arbitrary recipients. Use of DNSBL allows automatic blocking of mail from such mail servers. Various services use different policies for generation of such lists. Please examine carefully the policy of each service before you start using it for mail filtration.

 Also scan attached images, comparing them to the signatures of known spam messages, and take the comparison results into account to determine the status of the message.
 Maintain archives of all e-mail messages sent and/or received by the application, if required by the internal security policy of the company.
 Enable restrictions for SMTP connections, to provide protection against hacking attacks and to prevent the application being used as an open e-mail relay for unsolicited e-mail messages.
 Limit the load on your server by configuring the application's settings and SMTP parameters.
 Create white and black lists of senders and recipients applied during processing of e-mail traffic.
 Notify senders, recipients, and the administrator about disinfected letters, about messages containing infected, suspicious, or protected objects, and also about errors that have occurred during mail scanning.
 Quarantine messages identified as spam or probable spam, formal or blacklisted mail, as well as messages containing infected and suspicious objects.
 Update the anti-virus and anti-spam databases of Kaspersky Mail Gateway. The application retrieves updates from Kaspersky Lab's update servers. You can also configure the application to update the databases from a local directory.

The application detects and cures infected objects using the anti-virus database. During scans, the contents of each file are compared to the sample code of known viruses contained in the database.

Attention!
Please remember that new viruses appear every day, and therefore you are advised to maintain the anti-virus databases in an up-to-date state. New updates are made available on Kaspersky Lab's update servers every hour.
The anti-spam databases are used during analysis of message contents (including Subject and other headers) and attached files. The application uses linguistic algorithms which compare the analyzed text with sample messages, and search for typical words and word combinations.

Attention!
Kaspersky Lab's Linguistic Laboratory continues to work on improving and supplementing the corpus of data used for spam detection. Efficient spam fighting requires that you regularly update the application's anti-spam databases. Updates for the databases are made available on Kaspersky Lab's update servers every three minutes.

The keepup2date component's function is to update the anti-virus and anti-spam databases (see section 5.1 on p. 46).

 Configure and manage Kaspersky Mail Gateway, either from a remote location using the Webmin web-based interface, or locally using standard operating system tools such as command line options, signals, special command files, or by modifying the application's configuration file.
 Monitor the anti-virus protection, spam filtering status, application statistics and logs both locally and remotely using the Webmin interface.
 Obtain configuration data and statistics on application activity via SNMP, and configure the application to generate and send SNMP traps upon occurrence of certain events.
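The DNSBL, reverse DNS and SURBL checks listed above are all ordinary DNS queries built by a naming convention: the sender's address octets are reversed and prefixed to the list's zone, a PTR lookup uses the same reversed form under in-addr.arpa, and SURBL is queried with the registrable domain of each link in the message body. The following Python block is an added illustration of those lookups and is not code from Kaspersky Mail Gateway. The zone names dnsbl.example and surbl.example, the addresses and the DNS answers in FAKE_DNS are constructed so the example runs offline; the two-label base-domain rule is a simplification of what a real SURBL client does with the public suffix list.

```python
"""Added illustration, not Kaspersky Mail Gateway code: the DNSBL, reverse-DNS
and SURBL checks are DNS lookups built by a naming convention. Zone names,
addresses and answers below are constructed for the example."""
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical zones; pick real ones only after reading each list's policy.
DNSBL_ZONE = "dnsbl.example"
SURBL_ZONE = "surbl.example"

# Constructed answers standing in for a real resolver so the example runs offline.
FAKE_DNS = {
    # DNSBL entry: the sender's octets reversed, then the zone.
    "23.100.51.198.dnsbl.example": ["127.0.0.2"],
    # PTR record exists for 203.0.113.10 but not for 198.51.100.23.
    "10.113.0.203.in-addr.arpa": ["mx.legit.example."],
    # SURBL entry: a domain that appears in message links.
    "phish.example.surbl.example": ["127.0.0.8"],
}

URL_RE = re.compile(r'''https?://[^\s<>"']+''', re.I)


def resolve(name, rrtype="A"):
    """Stub resolver: a list of answers, or [] when the name does not exist."""
    return FAKE_DNS.get(name.lower(), [])


def reversed_octets(ip):
    """'198.51.100.23' -> '23.100.51.198', the label order DNSBL and PTR zones use."""
    return ".".join(reversed(ipaddress.IPv4Address(ip).exploded.split(".")))


def dnsbl_listed(ip, zone=DNSBL_ZONE):
    """A listing is an A answer in 127.0.0.0/8; the last octet encodes the reason."""
    answers = resolve(f"{reversed_octets(ip)}.{zone}")
    return any(ipaddress.IPv4Address(a) in ipaddress.IPv4Network("127.0.0.0/8")
               for a in answers)


def has_reverse_dns(ip):
    """True when a PTR record exists for the connecting address."""
    return bool(resolve(f"{reversed_octets(ip)}.in-addr.arpa", "PTR"))


def base_domain(host):
    """SURBL lists registrable domains ('www.phish.example' -> 'phish.example').
    Two-label simplification; real clients consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def surbl_hits(body, zone=SURBL_ZONE):
    """Domains from links in the message body that the SURBL zone lists."""
    hits = set()
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host and resolve(f"{base_domain(host)}.{zone}"):
            hits.add(base_domain(host))
    return sorted(hits)


def formal_checks(sender_ip, body):
    """Per-check results as a filter would hand them to its scoring stage."""
    return {
        "dnsbl": dnsbl_listed(sender_ip),
        "no_rdns": not has_reverse_dns(sender_ip),
        "surbl": surbl_hits(body),
    }


if __name__ == "__main__":
    sample = "Click http://www.phish.example/login now, or see https://legit.example/"
    print(formal_checks("198.51.100.23", sample))
```

Each result is a single sign, not a verdict: a missing PTR record is common for legitimate but badly run mail servers, and a DNSBL answer only means what that list's published policy says it means, which is why the Note above asks you to read each policy before enabling a zone.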
1.1. What's new in Kaspersky Mail Gateway 5.6

Kaspersky Mail Gateway has the following additional features as compared to Kaspersky SMTP-Gateway 5.6:

 The application includes an anti-spam module with the following features:
   o Increased performance and stability.
   o Low RAM requirements.
   o Low level of Internet traffic (updates to Kaspersky Mail Gateway databases).
   o Improved filtration methods are used, namely:
      Algorithms for parsing of HTML objects in e-mail messages (increasing the efficiency of protection against various spammer tricks devised to bypass filtration systems).
      System for analysis of e-mail message headers.
      System for analysis of graphical attachments (GSG).
      Sender Policy Framework (SPF) and Spam URL Realtime Blocklists (SURBL) services.
      Internal Urgent Detection System (UDS) service, which allows obtaining information about certain types of spam in real time.
 Individual settings available for user groups: certain scanning methods can be enabled/disabled separately for every group; you can also define the actions to be performed over e-mail messages.
 Collection of configuration data and statistics of application activity via SNMP; the application can be configured to send SNMP traps when certain events occur.
 Redesigned subsystem accepting incoming mail consumes fewer resources and supports more simultaneous incoming connections.
1.2. Licensing policy

The licensing policy for Kaspersky Mail Gateway 5.6 limits product use based on these criteria:

 Number of users protected by the application.
 E-mail traffic processed daily (MB/day).

Each type of license also has a time limit, typically one or two years from the date of purchase.

At the time of purchase, you can specify which type of license limitation you require (for example, by the daily e-mail traffic volume).

In addition, you can choose during product purchase whether your copy of Kaspersky Mail Gateway will only perform anti-virus scanning of e-mail traffic, or if it will also filter spam.

The application has slightly different configuration parameters depending on the type of license you purchased. For instance, if the license is issued for a certain number of users, you will have to create a list of addresses (domains) that will be protected by the application against viruses and spam. The application will notify the administrator when the license limitations are reached: in this case, when the number of protected accounts is exceeded.

1.3. Hardware and software requirements

The minimum system requirements for normal operation of Kaspersky Mail Gateway are as follows:

Hardware requirements:

 Intel Pentium® processor (Pentium III or Pentium IV recommended).
 At least 256 MB of available RAM.
 At least 100 MB of available space on your hard drive to install the application.
 At least 500 MB of available space in the /tmp file system.

Attention!
Please note that the application's working queue, quarantine directory, and archives of incoming and outgoing e-mail are not included in the hard disk space required. If your network security policy requires the use of these features, additional disk space will be needed.

Software requirements:

 One of the following operating systems for 32-bit platforms:
   o Red Hat Enterprise Linux Server 5.
   o Fedora 7.
   o SUSE Linux Enterprise Server 10.
   o OpenSUSE Linux 10.3.
   o Debian GNU/Linux 4 r1.
   o Mandriva 2007.
   o Ubuntu 7.10 Server Edition.
   o FreeBSD 5.5, 6.2.
 One of the following operating systems for 64-bit platforms:
   o Red Hat Enterprise Linux Server 5.
   o Fedora 7.
   o SUSE Linux Enterprise Server 10.
   o OpenSUSE Linux 10.3.
 Perl interpreter, version 5.0 or higher (www.perl.org), the bzip2 utility to unpack the spam filtration databases, and the which utility for application installation.
 Webmin version 1.070 or higher (www.webmin.com) to install the remote administration module (optional).
1.4. Distribution kit
You can purchase the product either from our dealers or at one of our online stores (for example, www.kaspersky.com/store – follow the E-store link).
If you purchase our application online, you will download it from Kaspersky Lab's website. Your product key will be sent to you by e-mail after payment.
The License Agreement constitutes a legal agreement between you and Kasper­sky Lab, containing the terms and conditions under which you may use the pur­chased software.
1.5. Help desk for registered users

Kaspersky Lab offers an extensive service package enabling registered customers to boost the productivity of Kaspersky Mail Gateway.

After purchasing the product key, you become entitled to receive the following services for the validity period of your key:

 New versions of the application, provided free of charge.
 Phone or e-mail support on matters related to the installation, configuration, and operation of the product you have purchased. You can contact the Technical Support service for consulting using any of the following methods:
   o Make a phone call to Technical Support.
   o Create and send a request using the Technical Support web site (http://www.kaspersky.com/helpdesk) or your personal user cabinet.
 Notifications about new software products from Kaspersky Lab, and about new virus outbreaks. This service is provided to users who subscribe to Kaspersky Lab's e-mail newsletter service.

Note
Kaspersky Lab does not give advice on the performance and use of your operating system, third-party applications or other technologies.
CHAPTER 2. APPLICATION STRUCTURE AND TYPICAL DEPLOYMENT SCENARIOS

The correct configuration of the application, and its efficient operation, require knowledge of its structure and internal algorithms. It is also important for the application's deployment within an existing corporate e-mail system. This chapter discusses in detail the application's structure, architecture and operating principles, as well as typical deployment scenarios.
2.1. Application architecture

A review of the application's functionality must be preceded by a description of its internal architecture.

Kaspersky Mail Gateway is a fully-featured Mail Transfer Agent (MTA), able to receive and route e-mail traffic, which also scans e-mail messages for viruses and filters spam.

The application uses SMTP protocol commands (RFC 2821), the Internet message format (RFC 2822), MIME format (RFC 2045-2049, 2231, 2646), and satisfies the requirements for e-mail relays (RFC 1123). In compliance with anti-spam recommendations (RFC 2505), the application uses access control rules for SMTP clients to prevent the use of this application as an open relay. In addition, Kaspersky Mail Gateway supports the following SMTP protocol extensions:

 Pipelining enhances performance of servers supporting this mode of operation (RFC 2920).
 8-bit MIME Transport processes code tables of national language characters (RFC 1652).
 Enhanced Error Codes provides more informative explanations of protocol errors (RFC 2034).
 DSN (Delivery Status Notifications) decreases bandwidth usage and provides more reliable diagnostics (RFC 1891, 3461-3464).
 SMTP Message Size (the SIZE extension) lets the server announce its maximum message size and reject oversized messages at MAIL FROM, before the message data is transferred, which decreases the server load and increases the transfer rate (RFC 1870).

Note
The RFC documents mentioned above are available at: http://www.ietf.org.
The application includes these components:

 mailgw – the main application component, a fully-featured e-mail relay with built-in anti-virus protection and spam filtering.
 licensemanager – the component which manages product keys (their installation, removal, and statistics).
 keepup2date – the component that updates the anti-virus and anti-spam databases, by downloading the updates either from Kaspersky Lab's update servers or from a local directory.
 Webmin module for remote administration of the application using a web-based interface (optional installation). This component allows the user to configure and manage the database updating process, specify the actions to be performed on detected objects, and monitor the application's operation.

The main application component (see Fig. 1), in turn, consists of these modules:

 Receiver, which receives incoming e-mail.
 Sender, which sends out messages which have passed anti-virus scanning and spam filtering.
 AS module, which performs anti-spam analysis of e-mail, its classification and processing.
 AV module, the anti-virus engine.
 Scanning module, which works with the AS and AV modules to process messages, providing anti-virus scanning and spam filtering of e-mail traffic.

Figure 1. General architecture of Kaspersky Mail Gateway
2.2. The main application's algorithm

The application works as follows (see Fig. 2):

Figure 2. Working queue of Kaspersky Mail Gateway

1. The e-mail agent receives e-mail messages via the SMTP protocol, and passes them to the Receiver module.

2. The Receiver module performs preliminary e-mail processing using the following criteria:
    presence of the sender's IP address in the list of blocked and/or trusted addresses, including masks;
    compliance with the access restrictions specified for SMTP connections (see section 5.5.2 on p. 70);
    compliance of the message size (and the total number of messages within the session) with the limits specified in the application's settings;
    compliance of the number of open sessions (both the total number from all IP addresses, and from a single IP address) with the limits specified in the application's settings.

   If the message satisfies the preliminary processing requirements, it is sent to the working queue to be processed by the Scanning module.

   If the option to archive all incoming e-mail has been selected, a copy of any message added to the working queue will be automatically preserved in the archive of received messages.

   Blind carbon copies of each message can also be sent to a specified list of e-mail addresses before scanning of the received mail.
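The four Receiver criteria in step 2 are the controls that keep a relay from being turned into an open relay or a connection sink: an address list with masks decided at connect time, then session-count and message-size limits that bound what one client can do. The following Python block is an added example of that preliminary processing modelled as one policy object; it is not Kaspersky Mail Gateway code. The networks, limits, reply texts and the decision that trusted networks bypass only the session limits are all assumptions made for the illustration.

```python
"""Added example, not Kaspersky Mail Gateway code: the Receiver's preliminary
checks from step 2 modelled as one policy object. Network lists, limits and
reply texts are constructed for this illustration; that trusted networks bypass
the session limits (but never the size limit) is an assumption made here."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ReceiverPolicy:
    blocked: list                 # networks (CIDR) refused at connect time
    trusted: list                 # networks (CIDR) exempt from session limits
    max_message_size: int         # bytes; what the SIZE extension would advertise
    max_messages_per_session: int
    max_sessions_total: int
    max_sessions_per_ip: int
    open_sessions: dict = field(default_factory=dict)   # ip -> open session count

    def _in(self, ip, nets):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

    def accept_connection(self, ip):
        """Decision taken when the TCP connection arrives, before any SMTP dialogue.
        Returns (accepted, smtp_reply); an accepted session is counted as open."""
        if self._in(ip, self.blocked):
            return False, "554 5.7.1 access denied"
        if not self._in(ip, self.trusted):
            if sum(self.open_sessions.values()) >= self.max_sessions_total:
                return False, "421 4.3.2 too many connections, try again later"
            if self.open_sessions.get(ip, 0) >= self.max_sessions_per_ip:
                return False, "421 4.3.2 too many connections from your address"
        self.open_sessions[ip] = self.open_sessions.get(ip, 0) + 1
        return True, "220 mailgw ESMTP ready"

    def close_connection(self, ip):
        """Release the session slot when the client disconnects."""
        left = self.open_sessions.get(ip, 0) - 1
        if left > 0:
            self.open_sessions[ip] = left
        else:
            self.open_sessions.pop(ip, None)

    def accept_message(self, size, messages_in_session):
        """Per-message decision at MAIL FROM: the size limit applies to everyone;
        the per-session count stops one connection from pumping unlimited mail."""
        if size > self.max_message_size:
            return False, "552 5.3.4 message size exceeds fixed maximum"
        if messages_in_session >= self.max_messages_per_session:
            return False, "421 4.7.0 too many messages in one session"
        return True, "250 2.1.0 ok"


def demo():
    """Walk a few constructed connections through the policy; returns the replies."""
    policy = ReceiverPolicy(
        blocked=["198.51.100.0/24"], trusted=["10.0.0.0/8"],
        max_message_size=10 * 1024 * 1024, max_messages_per_session=100,
        max_sessions_total=3, max_sessions_per_ip=2)
    replies = [policy.accept_connection(ip)[1] for ip in
               ("198.51.100.7",            # blocked network
                "203.0.113.5", "203.0.113.5", "203.0.113.5",   # third hits per-IP cap
                "203.0.113.6",             # fills the global cap
                "203.0.113.7",             # refused: global cap reached
                "10.1.2.3")]               # trusted: limits do not apply
    replies.append(policy.accept_message(20 * 1024 * 1024, 0)[1])
    replies.append(policy.accept_message(4096, 100)[1])
    return replies


if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

The reply codes follow the usual convention that a 4xx answer asks the client to retry later (a legitimate MTA will queue and come back), while 5xx is final; refusing an over-limit session with 421 rather than a silent drop keeps well-behaved senders from losing mail while still bounding what a flood can consume.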
Page 18
18 Kaspersky® Mail Gateway 5.6
3. The Scanning module receives a message from the working queue and transfers it to the anti-spam module for inspection.
The anti-spam module consists of the following components:
- Filtration master process and filtering processes, which perform the actual mail analysis.
- Licensing daemon, which verifies the presence of a valid key file and compliance with the restrictions defined in the key.
- Daemon processing SPF requests.
- Auxiliary programs and scripts, including the script that compiles the anti-spam databases.
The main component of the anti-spam module is the filtering master process (mailgw-process-server), which performs the following functions:
- Monitoring of requests from the application's Scanning module for connection to filtering processes.
- Launch of new filtering processes when no more are available.
- Control of the status of running filtering processes.
- Termination of child processes upon an appropriate signal.
A filtering process (ap-mailfilter) receives the message header and body, scans them and returns the results.
If the message sender is to be checked for compliance with the sender domain's SPF policy, the filtering process sends a request to the SPF daemon (mailgw-spfd), which performs the necessary DNS queries and returns the result to the filtering process.
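What the SPF daemon does on the filtering process's behalf, as an added example that is not the code of mailgw-spfd: the DNS is replaced by a constructed in-memory zone, only the ip4, ip6, include and all mechanisms are modelled, and the record contents and function names are this example's own assumptions.

```python
"""Offline SPF evaluation (added example, not mailgw-spfd).  Real DNS is
replaced by the constructed ZONE below; a, mx, exists, ptr and modifiers
are not modelled and yield permerror so that the gap is visible."""
import ipaddress

# Constructed TXT records; the domain names are assumptions of this example
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",      # malformed: includes itself
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain, zone=ZONE):
    """Stand-in for the DNS TXT query the daemon would send."""
    return zone.get(domain.lower())


def check_spf(client_ip, sender_domain, zone=ZONE, _depth=0):
    """Return pass / fail / softfail / neutral / none / permerror for one sender."""
    if _depth > 10:                       # bound recursion, as RFC 7208 bounds lookups
        return "permerror"
    record = lookup_txt(sender_domain, zone)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                # an IPv4 address never falls inside an IPv6 network, and vice versa
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            sub = check_spf(client_ip, arg, zone, _depth + 1)
            if sub in ("permerror", "none"):
                return "permerror"        # an include of a broken/absent policy is an error
            matched = sub == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"            # mechanism not modelled in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                      # no mechanism matched and no 'all' term


if __name__ == "__main__":
    for ip in ("192.0.2.17", "198.51.100.10", "198.51.100.11"):
        print(ip, check_spf(ip, "example.com"))
```

The include handling is the part worth reading: a nested policy only contributes a match when it evaluates to pass, and a nested permerror or missing record turns the whole evaluation into permerror rather than silently failing open.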
Message analysis and application of the rules defined by the parameters in the configuration file are only performed when a valid product key is present.
All license-related checks are performed by the licensing module (kas-license) upon request from a filtering process.
Having finished message processing, a filtering process keeps running, expecting a new request. A filtering process is terminated after it has handled the maximum number of messages specified for a single process (usually 300) or if it remains idle for a long time.
The AS module assigns the message a status based on the inspection results, and returns the message to the Scanning module, which breaks it into its components and passes them to the AV module for analysis.
Attention! If you have only purchased a license for anti-virus scanning of e-mail traffic, spam filtering will not be performed. Messages will be delivered directly to the AV module for scanning, and any configuration parameters which apply to the anti-spam module are ignored.
Note
The creation of a copy of a message in backup storage or the quarantine directory does not block delivery of the original message to the recipient. An additional action blocking its delivery must be specified to prevent message delivery to the recipient.
4. The AV module scans the objects and, if this option is enabled, disinfects them when necessary.
5. The Scanning module handles messages according to the status (see section 4.2 on p. 36) assigned to each part of the message during analysis by the AS and AV modules. Possible actions include blocking message delivery, deleting infected objects, modifying message headers, and moving the message to the quarantine directory. The actions to be applied are specified in the application's configuration file. Each processed message is then added to the ready-to-send message queue.
6. If the application's configuration specifies that detected messages are to be saved in quarantine, a copy of the scanned message will be saved in the quarantine directory concurrently with its transfer to the ready-to-send queue. The application creates separate quarantine directories for messages identified as spam or probable spam (after anti-spam analysis), and for messages containing infected or suspicious objects (after anti-virus scanning).
7. The Sender module receives each message from the ready-to-send queue, and transfers it via the SMTP protocol to the onward e-mail agent to be delivered to local end users or rerouted to other mail servers.
8. If your network security policy requires logging of all outgoing e-mail traffic, a copy of each message will be automatically stored in the archive of sent messages after it is dispatched (see Fig. 3).
Attention! The application, being an e-mail relay, does not include a local e-mail delivery agent (MDA). Therefore, all deployment scenarios require an e-mail system (or e-mail systems) to deliver e-mail messages to local users within protected domains.
Figure 3. Saving messages to the archives of received / sent messages
2.3. Typical deployment scenarios
Depending upon the network architecture, there are two options for installing Kaspersky Mail Gateway:
- install the application within a demilitarized zone (DMZ) acting as a buffer between the internal corporate LAN and the external network;
- install the application inside the perimeter of the corporate network, as part of your existing e-mail system.
In each of the above cases the application can be installed:
- on the same server as the running e-mail system;
- on a dedicated server.
The sections below discuss these scenarios in detail and describe their advantages.
2.3.1. Installing the application in a demilitarized zone
Attention! You must set up restrictions for the e-mail transfer agent (MTA) receiving e-mail from Kaspersky Mail Gateway via port 1025, so that it accepts messages exclusively from Kaspersky Mail Gateway (e.g., bind the port-1025 listener to the loopback interface, 127.0.0.1, only). Otherwise it will be possible to bypass the application, and therefore all scanning and filtering, with a connection established directly from the external network to port 1025.
The main advantage of this deployment option is that it improves the overall performance of your e-mail system, by minimizing the number of transfer cycles for e-mail messages. It also provides additional protection for data, because the existing corporate mail server in that case has no direct connection to the Internet.
This is an overview of how the application and the e-mail system work together when they are installed on the same server:
1. Kaspersky Mail Gateway listens on port 25 on all of the server's interfaces for incoming e-mail traffic; the MX records of the protected domain point at this server, so e-mail from any external address arrives at the application first.
2. The application filters spam and scans e-mail, and then transfers processed messages to the corporate e-mail system via a different port (e.g., 1025).
3. The e-mail system, configured to use a local interface, delivers messages to users.
Follow these steps to install the application and the e-mail system on the same server:
- Configure the application to receive e-mail via port 25 on all the server's network interfaces. To do this, specify the following value in the [mailgw.network] section of the configuration file:
ListenOn=0.0.0.0:25
- Specify in the routing table that all scanned messages will be transferred to the e-mail system via port 1025. To do this, specify the following value in the [mailgw.forward] section of the application's configuration file:
ForwardRoute=<company_mask> [localhost:1025]
where <company_mask> is the mask for recipient addresses.
Attention! These are the default application configuration settings for this deployment scenario, which will be stored in the configuration file by the installation process.
- Change the settings of the existing e-mail system to receive messages only from the application via port 1025. This will ensure that all incoming e-mail messages are received, and that they are delivered to local users within the protected domains of the company.
- Set up the existing e-mail system to transfer all the messages it receives to the application via port 25. This will ensure anti-virus scanning and anti-spam filtering of all outgoing e-mail messages from local users.
- Specify a list of all corporate local domains as the value for the ProtectedDomains option in the [mailgw.forward] section of the application configuration file ("*" and "?" wildcards can be used). E-mail messages for the specified domains will be scanned.
When the application is installed on a dedicated server, its operation is the same as when it is installed on the same server as the e-mail system, but the settings differ. The IP address of the server on which the application is installed must be included in the MX records of the protected domain.
To install the application on a dedicated server:
- Configure the application to receive mail via port 25 on all the server's network interfaces, by specifying the following value in the [mailgw.network] section of the application's configuration file:
ListenOn=0.0.0.0:25
- Specify in the routing table that all scanned messages must be transferred to the e-mail system via port 25, by setting the following value in the [mailgw.forward] section of the application's configuration file:
ForwardRoute=<company_mask> [host:25]
where <company_mask> is the mask for recipient addresses, generally of the form *@company.com, and host is the name of your corporate e-mail server.
- Specify the list of all local corporate domains as the value for the ProtectedDomains option in the [mailgw.network] section of the application configuration file ("*" and "?" wildcards can be used). E-mail messages for the specified domains will be scanned.
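The decision both deployment procedures rely on, written out as an added example that is not product code: a recipient whose domain matches a ProtectedDomains mask is accepted from anywhere and sent along its ForwardRoute, a recipient outside the protected domains is accepted only from a local network (the role the RelayRule setting in section 3.4 plays), and everything else is refused so the gateway does not become an open relay. The domains, routes, network list, reply text and function names are assumptions of this example; masks use the "*" and "?" wildcards described above.

```python
"""Relay-acceptance and forwarding decision for the DMZ deployment (added
example, not product code).  All values below are a constructed deployment:
gateway in the DMZ, corporate MTA listening on localhost:1025."""
import fnmatch
import ipaddress

PROTECTED_DOMAINS = ["company.com", "*.company.com"]           # ProtectedDomains masks
FORWARD_ROUTES = [("*@company.com", "localhost:1025"),         # ForwardRoute table, in order
                  ("*@*.company.com", "localhost:1025")]
LOCAL_NETWORKS = ["192.168.0.0/16", "127.0.0.0/8"]             # assumed local network identifiers


def domain_of(address):
    return address.rpartition("@")[2].lower()


def is_protected(recipient, protected=PROTECTED_DOMAINS):
    """True if the recipient's domain matches any ProtectedDomains mask."""
    domain = domain_of(recipient)
    return any(fnmatch.fnmatchcase(domain, mask.lower()) for mask in protected)


def is_local_client(client_ip, networks=LOCAL_NETWORKS):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def next_hop(recipient, routes=FORWARD_ROUTES):
    """First ForwardRoute whose recipient mask matches; otherwise deliver via MX."""
    for mask, hop in routes:
        if fnmatch.fnmatchcase(recipient.lower(), mask.lower()):
            return hop
    return "mx"


def relay_decision(client_ip, recipient):
    """Return ("accept", next_hop) or ("reject", smtp_reply) for one RCPT TO."""
    if is_protected(recipient):
        return "accept", next_hop(recipient)        # inbound mail for our domains: anyone may send
    if is_local_client(client_ip):
        return "accept", next_hop(recipient)        # outbound mail from inside: relay it
    return "reject", "554 5.7.1 relay access denied"   # external -> external: would be an open relay


if __name__ == "__main__":
    for ip, rcpt in (("203.0.113.5", "alice@company.com"),
                     ("203.0.113.5", "victim@other.example"),
                     ("192.168.10.4", "victim@other.example")):
        print(ip, rcpt, relay_decision(ip, rcpt))
```

Note that the outbound path in the same-server scenario arrives from the corporate MTA over the loopback interface, which is why 127.0.0.0/8 has to be in the local list; a gateway that omitted it would refuse its own MTA's outgoing mail.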
Attention! This is the most convenient deployment scenario, especially if Kaspersky Mail Gateway is installed at the same time as the network is deployed and the company's e-mail system is installed.
Attention! This deployment scenario is recommended if you are sure of the reliability of your e-mail system. Installing the application in this configuration will not affect the stability of your e-mail system.
2.3.2. Installing the application inside the corporate network's perimeter
One advantage of installing the application inside the corporate perimeter is that there is no external access to the information that the application is running on the server, or to its configuration. Additionally, if the application is installed on a dedicated server, the load of performing anti-virus scanning can be distributed amongst several servers.
This is how the application and the e-mail system work together if they are installed on the same server:
1. Duplicate your e-mail system and configure one of the copies to listen on port 25, and receive e-mail messages via all available interfaces.
2. This e-mail system forwards all incoming messages through the local interface via a different port (port 1025, for instance) to the application for scanning and spam filtering.
3. The application filters spam, scans the e-mail messages for viruses and forwards scanned and processed messages to the second e-mail system copy, which receives e-mail on a different port (e.g., port 1026).
4. The second e-mail system delivers e-mail to the local users.
Installing the application on a dedicated server is similar to the above procedure. Additionally, when installing the application on a dedicated server, you can create and run several copies of the application on different servers, enabling you to distribute the load of anti-virus processing and spam filtering amongst these servers.
To deploy the application on a dedicated server:
- Specify the list of all local corporate domains as the value for the ProtectedDomains option in the [mailgw.network] section of the application configuration file ("*" and "?" wildcards can be used). E-mail messages for the specified domains will be scanned.
Attention! Deploying Kaspersky Mail Gateway may require changes to the settings for e-mail clients throughout the company, to ensure that all outgoing e-mail messages are delivered to the application. These messages will be transferred to the external network after an anti-virus scan and spam filtration.
Attention! If the network includes installed firewalls or demilitarized zones (DMZs), it is necessary to provide e-mail clients and internal and external network servers with access to the installed application to ensure joint operation and routing of the e-mail traffic.
CHAPTER 3. INSTALLING THE APPLICATION
Before installing Kaspersky Mail Gateway, it is necessary to:
- Make sure that your system meets the hardware and software requirements (see section 1.3 on p. 12).
- Configure your Internet connection. The application distribution package does not contain the anti-virus and anti-spam databases, which are required to perform anti-virus protection and filter spam.
- Log on to the system as root, or as a privileged user.
3.1. Installing the application on a server running Linux
For servers running the Linux operating system, Kaspersky Mail Gateway is distributed in two different installation packages, depending on the type of your Linux distribution.
To install the application under Linux Red Hat, Linux SUSE or Linux Mandriva, use the rpm package.
To initiate installation of Kaspersky Mail Gateway from the rpm package, enter the following at the command line:
# rpm -i <distribution_package_file_name>
In Linux Debian and Linux Ubuntu, the installation is performed from a deb package.
To initiate installation of Kaspersky Mail Gateway from the deb package, enter the following at the command line:
# dpkg -i <distribution_package_file_name>
After you enter the command, the application will be installed automatically.
Attention! After installing the application from the rpm package, you must run the postinstall.pl script to perform post-installation configuration. The default location of the postinstall.pl script is the /opt/kaspersky/mailgw/lib/bin/setup/ directory (in Linux) and the /usr/local/libexec/kaspersky/mailgw/setup directory (in FreeBSD).
Attention! The procedure of application setup under Mandriva distributions has some peculiarities. You might have to perform some additional configuration to ensure the correct functioning of the application on such systems (see Chapter 9 on p. 103 for details).
Attention! Installation errors can occur for a number of reasons. If an error message is displayed, first make sure that your computer satisfies the hardware and software requirements (see section 1.3 on p. 12) and that you have logged on to the system as root.
3.2. Installing the application on a server running FreeBSD
The distribution file for installing Kaspersky Mail Gateway on servers running FreeBSD OS is supplied as a pkg package.
To initiate installation of Kaspersky Mail Gateway from a pkg package, enter the following at the command line:
# pkg_add <package_name>
After you enter the command, the application will be installed automatically.
3.3. Installation procedure
The application installer script performs these steps:
Step 1. Preparing the system
At this stage, the installation script creates the system group and user account for the application. The default group is klusers and the default user account is kluser. In future, the application will start under this user account (not root) to provide additional security for your system.
Step 2. Copying application files to destination directories on your server
The installer starts copying the application files to the destination directories on your server. For a detailed description of the application's directories, see section B.1 on p. 149.
Attention! If you installed the application from an rpm package, you should run the postinstall.pl script (present by default in the /opt/kaspersky/mailgw/lib/bin/setup/ directory in Linux and in /usr/local/libexec/kaspersky/mailgw/setup in FreeBSD) to perform the next step, Post-installation tasks.
Step 3. Post-installation tasks
The post-installation configuration includes these steps:
- Configuring the main application component (see section 3.4 on p. 28).
- Installing and registering the product key.
  If you do not have a product key at the time of installation (for example, if you purchased the application via the Internet and have not yet received the license key), you can activate the application after installation and before its first use: for details, see section 5.6 on p. 71. Please note that if the key is not installed, the anti-virus and anti-spam databases cannot be updated and the main application component cannot be started during the installation process. In this case it must be done manually, after the license key is installed.
- Configuring the keepup2date component.
- Installation (updating) of the anti-virus and anti-spam databases.
  You must install the anti-virus and anti-spam databases before using the application (see section 5.6 on p. 71). The procedure of detecting and disinfecting viruses relies on the anti-virus database, which contains the descriptions of all currently known viruses and the methods of disinfecting them. Anti-virus scanning and processing of e-mail messages cannot be performed without the anti-virus database. The anti-spam database is used for spam detection, which analyzes the contents of messages and attached files to identify the signs of unsolicited e-mail.
- Installing the Webmin module.
  The Webmin module for remote management of the application can be installed correctly only if the Webmin application is located in its default directory. After the module is installed, you will receive detailed instructions on how to configure it to work with the application.
- Launching the main application component.
After these steps are properly completed, a message on the server console will indicate that installation has been successful.
Attention! If after installation Kaspersky Mail Gateway has not started working as required, check the configuration settings. Pay special attention to the port number you specified for receiving e-mail traffic. You should also view the application log file for error messages.
Attention! If you are using the rpm installation package, enter the following command to start post-installation configuration (in Linux):
# /opt/kaspersky/mailgw/lib/bin/setup/postinstall.pl
In FreeBSD:
# /usr/local/libexec/kaspersky/mailgw/setup/postinstall.pl
3.4. Configuring the application
Immediately after the application's files have been copied to your server, the system configuration process will start. The configuration process will either be started automatically or, if the package manager (such as rpm) does not allow the use of interactive scripts, some additional actions will have to be performed by the administrator. All settings are stored in the mailgw.conf file, which is installed by default in the /etc/opt/kaspersky/ directory in Linux, and in the /usr/local/etc/kaspersky/ directory in FreeBSD.
The configuration procedure includes the following tasks:
- Specifying (by the administrator) the full domain name of the server that will be used to identify the application in SMTP commands when creating DSNs and notifications: this is the Hostname parameter in the [mailgw.network] section of the mailgw.conf configuration file.
- Assigning addresses to be used by the application:
  - Assign the Postmaster address ([mailgw.network] section, Postmaster parameter).
  - Assign the sender's return address for notifications ([mailgw.policy] section, NotifyFromAddress parameter).
  - Define the administrator's address ([mailgw.policy] section, AdminNotifyAddress parameter).
  - Allow incoming e-mail to the specified domain ([mailgw.access] section, RelayRule parameter).
- Defining the interface and port on which to listen for incoming e-mail traffic ([mailgw.network] section, ListenOn parameter). The IP address and port number are entered in the format <x.x.x.x:z>, where x.x.x.x is the IP address and z is the port number.
- Specifying local network identifiers. This value is used to assign rules for message delivery and processing ([mailgw.access] section, RelayRule parameter), for example rules specific to your organization concerning e-mail processing, or blocking e-mail messages from certain domains. Specify the values using the following formats: <x.x.x.x>, <x.x.x.x/y.y.y.y> or <x.x.x.x/y>, where x.x.x.x is the IP address and y.y.y.y or y is the subnet mask.
- Specifying (when necessary) the server to which all processed messages will be forwarded ([mailgw.forward] section, ForwardRoute parameter). Type the host in the format <x.x.x.x:z>, where x.x.x.x is the IP address and z is the port number.
- Specifying the proxy server name ([updater.options] section, ProxyAddress parameter). This option is necessary for computers connected to the Internet via a proxy server.
- Confirmation of UDS installation and use.
  The UDS service allows blocking spam in a timely manner before updates to the Kaspersky Mail Gateway databases are downloaded. You are advised to disable UDS checks only if the method considerably decreases the filtration server's performance or if the server cannot contact the UDS servers of Kaspersky Lab. Please refer to section 4.3.4 on page 41 for details on the UDS service.
  Attention! To increase UDS efficiency, specify regular launch of the task that determines the time for access to UDS servers (see section 5.2.4 on page 55).
- Modifying the application configuration file to fine-tune the operation of the AV and AS modules (optional).
If all the above steps have been successfully completed, the configuration file will contain all settings that are required to start working with the application.
Attention! After the system is installed and configured, it is recommended that you check the settings for Kaspersky Mail Gateway and test its performance. For more details, see Chapter 7 on page 97.
During Kaspersky Mail Gateway 5.6 installation you can choose to use the saved settings of the previous product version, 5.5.139, if it was installed earlier. In that case you will be offered to:
- Specify the path to the configuration file of the earlier version.
- Move or copy files from the queue, archives and Quarantine of the earlier version to the corresponding directories of the new one.
- Use UDS, because that feature was introduced in version 5.6 (see above).
Application databases will be downloaded as well. If the configuration file of an earlier version is not available, or if you do not wish to use it, post-install setup will consist of the steps described above.
3.5. Installing the Webmin module to manage Kaspersky Mail Gateway
The activity of Kaspersky Mail Gateway can be controlled remotely via a web browser using Webmin.
Note
The Webmin module is the file mailgw.wbm, which is installed by default in the /opt/kaspersky/mailgw/share/contrib/ directory (for Linux distributions), or the /usr/local/share/mailgw/contrib/ directory (for FreeBSD distributions).
Webmin is a program which simplifies the administration of Linux/Unix systems. The software has a modular structure, and supports connection of new or customized modules. Additional information about Webmin can be obtained, and its distribution package downloaded, from the official program web site at www.webmin.com.
Kaspersky Mail Gateway's distribution package contains a Webmin module that can either be connected during the application's post-installation configuration (see section 3.3 on p. 26) if the system already has Webmin installed, or at any time later after Webmin is installed.
The following part of this manual contains a detailed description of the procedure necessary to connect the Webmin module for administration of Kaspersky Mail Gateway.
If the default settings were used during Webmin installation, the program can be accessed from a web browser using HTTP / HTTPS to connect to port 10000, as soon as the installation procedure is finished.
To install the Webmin module to control Kaspersky Mail Gateway:
1. Use your web browser to access Webmin with administrative privileges.
2. Select the Webmin Configuration tab in the program menu, and then proceed to the Webmin Modules section.
3. Select the From Local File option in the Install Module section and click the install button (see Figure 4).
Figure 4. Install Module section
4. Select the path to the Webmin module of the product and click OK.
A message on the display will confirm the successful installation of the Webmin module.
You can access the settings of Kaspersky Mail Gateway by clicking its icon within the Others tab (see Figure 5).
Figure 5. The icon of Kaspersky Mail Gateway in the Others tab
Note
The anti-virus and spam filtering functionality of Kaspersky Mail Gateway depends on the configuration file settings. Changes to the configuration file can be made either locally or remotely (using the Webmin remote administration module).
CHAPTER 4. THE PRINCIPLES OF THE APPLICATION'S OPERATION
This chapter describes in more detail how the application works and the interaction between its components, and gives information required for correct software setup.
4.1. Creating groups of recipients/senders
A Recipients/Senders group is defined as a specified list of recipient/sender e-mail addresses. A particular e-mail message may be assigned to a particular group depending on whether this group contains the message sender's address (or sender IP) or the recipient's address, which are taken from the MAIL FROM and RCPT TO commands of the SMTP envelope.
The administrator can specify individual rules for processing each e-mail message depending on the group of recipients/senders. Therefore, it is particularly important that the addresses are associated with the correct group.
When processing a message, the application searches through the list of addresses for each specific group. If it finds a matching combination of sender/recipient addresses, the rules defined for this group will be applied to the e-mail message.
The configuration file contains the [mailgw.policy] section that implicitly defines the policy group, which determines the default rules for processing e-mail messages.
Attention! Both the section [mailgw.policy], and all the parameters specified in the section, are mandatory.
The [mailgw.policy] section does not contain names of senders and recipients. The section [mailgw.policy] defines the default rules which are applied to all messages which do not belong to other groups explicitly described in [mailgw.group:group_name] sections.
All parameters in [mailgw.group:group_name] sections are optional. If a parameter value in such a section is not specified, it will be taken from the corresponding parameter in the [mailgw.policy] section.
The configuration file included in the application's installation package contains the following rules in the policy group. Messages which are not assigned to another group will be processed using the following rules (defined in the [mailgw.policy] section):
- Check all e-mail messages for indications of spam.
- Scan all e-mail messages for viruses.
- Deliver to recipients only messages which contain clean or disinfected objects.
- Remove the following from messages: infected objects, objects which caused errors during their analysis, suspicious objects and password-protected and damaged objects.
- Notify recipients and the administrator about infected, suspicious, protected or filtered objects in messages and any objects which caused errors during analysis.
The parameters of the policy group can be altered, and new groups created. To process e-mail messages belonging to different groups of recipients/senders using different rules, you will have to create several groups.
To create a new group of user addresses:
1. Create a section [mailgw.group:group_name] in the configuration file.
2. Specify sender addresses (address masks, IP addresses, host names, masks for host names, subnets) and recipient addresses (address masks) as the values of the Senders and Recipients parameters. To define several addresses or address masks, enter each record on a new line:
Senders=user1@example.com
Senders=*@internal.local
Senders=ip 192.168.0.1
Senders=ip 192.168.0.0/255.255.0.0
Senders=host example.com
Senders=network MyNetwork
Recipients=*@management.local
Recipients=help@helpdesk.local
"*" and "?" wildcards may be used to define masks. If a group description contains no Recipients or Senders parameter, the application will use the default value, "*@*" (i.e. all addresses). At least one of the Senders or Recipients parameters must be specified.
Attention! If you leave the Senders or Recipients parameter in a group description empty, e.g.:
Senders=
then no messages will be processed using the rules specified for that group. To use the default value for a parameter, delete (or place a comment mark before) the corresponding parameter in the group description.
Attention! If a sender/recipient address fits several groups, the application will use the rules for the first of those groups.
Attention! If a message has several recipients belonging to different groups, virtual copies of the initial message will be created to match the number of such groups. Each copy will be processed individually, according to the rules specified by the particular group.
If you have added other groups to the configuration file, the application will process messages from these groups as follows:
1. The application first compares the message address(es) with addresses in the groups created by the administrator. If the recipient/sender address pair is found in a specific group, the rules defined for that group will be applied to the message.
2. If the message addresses do not match any group created by the administrator, the message will be processed according to the rules described in the policy group.
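The group selection described in this section, including the three corner cases the notes above call out (an empty Senders= disables the group, first match wins, and one virtual copy is made per group when recipients fall into different groups), as an added example that is not product code. The configuration text is constructed, the table that resolves a "network NAME" entry is an assumption, and "host" entries are matched against the connecting host's name, which is also an assumption of this example.

```python
"""Group assignment for one message (added example, not product code).
The configuration and the named-network table are constructed here."""
import fnmatch
import ipaddress

NAMED_NETWORKS = {"MyNetwork": ["10.0.0.0/8"]}    # assumption: what 'network MyNetwork' denotes

CONFIG = """
[mailgw.policy]
# default rules go here (parameters omitted)

[mailgw.group:management]
Recipients=*@management.local

[mailgw.group:helpdesk]
Senders=ip 192.168.0.0/255.255.0.0
Senders=network MyNetwork
Recipients=help@helpdesk.local

[mailgw.group:disabled]
Senders=
Recipients=*@*
"""


def parse_groups(text):
    """Collect Senders/Recipients of each [mailgw.group:NAME] section, in file order."""
    groups, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            current = None
            if section.startswith("mailgw.group:"):
                current = {"name": section.split(":", 1)[1], "Senders": [], "Recipients": []}
                groups.append(current)
            continue
        key, _, value = line.partition("=")
        if current is not None and key.strip() in ("Senders", "Recipients"):
            current[key.strip()].append(value.strip())    # repeated keys accumulate
    return groups


def _in_networks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def sender_matches(entry, sender, sender_ip, sender_host):
    kind, _, arg = entry.partition(" ")
    if kind == "ip":                       # single address, a.b.c.d/m.m.m.m or CIDR
        return _in_networks(sender_ip, [arg])
    if kind == "host":                     # host name or host-name mask
        return fnmatch.fnmatchcase(sender_host.lower(), arg.lower())
    if kind == "network":                  # named list of subnets
        return _in_networks(sender_ip, NAMED_NETWORKS.get(arg, []))
    return fnmatch.fnmatchcase(sender.lower(), entry.lower())   # plain address mask


def group_matches(group, sender, sender_ip, sender_host, recipient):
    senders, recipients = group["Senders"], group["Recipients"]
    if "" in senders or "" in recipients:  # 'Senders=' left empty: the group never matches
        return False
    sender_ok = not senders or any(sender_matches(e, sender, sender_ip, sender_host) for e in senders)
    rcpt_ok = not recipients or any(fnmatch.fnmatchcase(recipient.lower(), m.lower()) for m in recipients)
    return sender_ok and rcpt_ok           # an absent parameter behaves as *@*


def assign(groups, sender, sender_ip, sender_host, recipients):
    """Map group name -> recipients it handles; each key is one virtual copy.
    Recipients matched by no administrator group fall back to 'policy'."""
    copies = {}
    for rcpt in recipients:
        name = next((g["name"] for g in groups           # first matching group wins
                     if group_matches(g, sender, sender_ip, sender_host, rcpt)), "policy")
        copies.setdefault(name, []).append(rcpt)
    return copies


if __name__ == "__main__":
    groups = parse_groups(CONFIG)
    print(assign(groups, "x@other.example", "203.0.113.9", "mail.other.example",
                 ["boss@management.local", "help@helpdesk.local", "joe@other.local"]))
```

The number of keys in the returned dictionary is the number of virtual copies the scanning module will process; a message to three recipients in two groups plus one unmatched recipient yields three copies, each under its own rules.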
Figure 6 demonstrates the sequence of actions applied by the application to a received e-mail message.
Figure 6. Message processing
4.2. General message processing algorithm
This section discusses how the application processes e-mail messages. When the server receives an e-mail message, the scanning module:
1. Determines which group of recipients this message belongs to.
2. If the message has multiple recipients belonging to different groups, several virtual copies of this message are created to match the number of groups, so that the respective group rules for anti-spam filtering and anti-virus scanning can be applied to each of the copies.
Attention! If you have only purchased a license for anti-virus scanning of e-mail traffic, spam filtering will not be performed. Messages will be immediately delivered to the AV module for scanning (Step 4). The application will ignore any configuration parameters which apply to the anti-spam module.
3. Then the application transfers the message for analysis by the anti-spam module.
Please refer to section 4.3 on page 38 for details on the operation of the anti-spam module.
After processing, the anti-spam filter returns messages to the scanning module.
If a message has been assigned the status of Spam, Probable Spam, Formal or Blacklisted and the application is configured to block such messages (the BlockMessage parameter is assigned the as/spam, as/probable, as/formal or as/blacklisted value), then anti-virus scanning of the message will be skipped. Further actions of the application are described in Step 8.
4. Using a built-in MIME format identifier (MIME, RFC 2822, UUE), the application divides the message into its components: headers, message body and attachments.
5. If the application is configured to filter objects by name and/or attachment type, it applies the specified filtering rules to this message. An object that meets the filter conditions is assigned the Filtered status and is not passed on for anti-virus scanning.
6. Each of the remaining objects is then sent to the AV module, which analyzes each object and returns the status assigned to it.
7. Depending on the status assigned to each object, the application performs actions as specified in the settings for the respective group (see section 4.4 on page 44 for basic actions of the AV module) in the configuration file.
8. After the anti-virus scan of all the message's components, and the execution of required actions on those components, an additional action can be performed on the message as a whole:
• Add a label to the message title (Subject) in accordance with the results of its anti-spam analysis (see section 4.3.5 on page 42).
• Append additional informational fields to the message's header or body (see section 6.12 on p. 93).
• Block delivery of messages to the recipients; see section 5.2.7 on p. 57 for an example of blocking the delivery of spam messages, and section 5.3.3 on p. 61 for messages containing infected objects.
• Create and send notifications to the sender, administrator, and recipient (see the example in section 5.3.4 on p. 62).
• Quarantine a message; see section 5.2.8 on p. 58 for an example of quarantining spam messages, and section 5.3.6 on p. 64 for messages containing infected objects.
4.3. Operation of the anti-spam module
Spam filtration by the anti-spam module is performed during the third step of the procedure described in section 4.2 on p. 36. This section contains a brief overview of the spam detection technologies implemented in the application, namely:
• Analysis of formal signs (see section 4.3.1 on page 39).
• Content filtration (see section 4.3.2 on page 40).
• Checks involving external services (see section 4.3.3 on page 41).
• Urgent Detection System technology (see section 4.3.4 on page 41).
During all inspection stages, message analysis is performed according to the required filtering intensity, defined in the application configuration file (SpamRateLimit option in the [mailgw.policy] or [mailgw.group:group_name] section).
The following degrees of filtering intensity are available:
• Minimum (SpamRateLimit=minimum).
• Standard (SpamRateLimit=standard).
• High (SpamRateLimit=high).
• Maximum (SpamRateLimit=maximum).
The application decides if a message contains spam based on several signs detected in mail by the anti-spam module. The higher the filtering intensity, the smaller the number of signs required to recognize a message as spam. When the specified filtering intensity is lower, the same set of signs can only result in message identification as suspicious (Probable Spam) or even normal.
Note
The Standard level of filtering intensity is recommended.
Note
Apart from the intensity level, the filtering result is also affected by the methods used for spam recognition. When false positives occur you should consider the methods employed for spam recognition.
A higher level of filtering intensity can be used in cases when the application does not detect spam or when it recognizes spam as suspicious mail (Probable Spam). However, the probability of false positives in that case also becomes higher and normal mail can be recognized as spam.
A lower intensity degree decreases the probability of false positives but increases the possibilities for spam to bypass the filter.
4.3.1. Analysis of formal signs
The method uses a set of rules based on examination of certain message headers and their comparison with sets of headers typical of spam messages. In addition to header analysis, the application takes into account message structure, size, presence of attachments and other similar signs.
The method also provides for analysis of data transmitted by the sender during an SMTP session. In particular, the following information is evaluated:
• the IP address of the server that has sent the message, and whether it is included in the black list of recipients;
• the IP addresses of intermediate relay servers obtained from the Received headers;
• the e-mail addresses of the message sender and recipients transmitted in SMTP session commands;
• the presence of the sender's and recipients' addresses in white or black lists;
• the conformity of the addresses transmitted during the SMTP session to the set of addresses specified in message headers, and a number of other checks.
Note
The purpose of spam filtering is to decrease the volume of unwanted messages in the mailboxes of your users. It is impossible to guarantee detection of all spam messages, because too strict criteria would inevitably cause filtering of some normal messages as well.
4.3.2. Content filtration
Message analysis employs the algorithms of content filtering: the application uses artificial intelligence technologies to analyze the actual message content (including the Subject header), and its attachments (attached files) in the following formats:
• plain text (ASCII, not multibyte);
• HTML (2.0, 3.0, 3.2, 4.x, XHTML 1.0).
The application uses three main groups of methods to detect spam messages:
• Text comparison with semantic samples of various categories (based on the search for key terms (words and word combinations) in the message body and their subsequent probabilistic analysis). The method provides for heuristic search for typical phrases and expressions in text.
• Fuzzy comparison of a message being examined with a collection of sample messages based on comparison of their signatures. The method helps detect modified spam messages.
• Analysis of attached images.
All the data employed by Kaspersky Mail Gateway for content filtering (the classification index, i.e. a hierarchical list of categories, message samples, typical terms, etc.) is stored in the application databases.
Note
The group of spam analysts at Kaspersky Lab works nonstop to supplement and improve Kaspersky Mail Gateway databases. Therefore, you are advised to update the databases regularly.
You can also send to Kaspersky Lab samples of spam messages which Kaspersky Mail Gateway has failed to recognize, as well as samples of messages erroneously classified as spam. The data will help us improve Kaspersky Mail Gateway databases and react in a timely manner to new types of spam. Please refer to Appendix C on page 191 for details on forwarding sample messages.
4.3.3. Checks using external services
In addition to the analysis of message text and headers, Kaspersky Mail Gateway can perform the following checks involving external network services:
• availability of a DNS record for the message sender's IP (reverse DNS lookup);
• the presence of the sender's IP address in one or more DNS-based real-time black hole lists (DNSBL);
• a check of the sender's address for compliance with the SPF (Sender Policy Framework) policy for the domain containing the server used to send the message;
• a check of addresses and links to sites in the message text for their presence in the Spam URL Realtime Blocklists database (www.surbl.org);
• recognition of e-mail messages using the UDS (Urgent Detection System) technology.
All the checks listed above, except for UDS, are based on the use of the DNS protocol and as a rule they require no additional network configuration.
4.3.4. Urgent Detection System
Urgent Detection System is an original technology of spam detection developed and supported by Kaspersky Lab. It is based on the following principles:
• A message being analyzed is used to select a collection of properties which can be used to identify the message. The set of properties may include header information, text fragments and other information about the message being processed.
• The filtration server uses the properties thus collected to generate a small UDS request and sends it to one of the UDS servers of Kaspersky Lab.
• The UDS server checks the received request against a database of known spam. If the request matches a known spam sample, a message will be sent to the filtration server informing it that the e-mail is very likely to be spam. This information will be taken into account during assignment of a status to the e-mail.
Note
Since the product does not transmit to external servers any data that could allow viewing the recipients or the text of the processed mail, the use of this method does not pose any risk to the safety or confidentiality of your information.
Note
The UDS technology allows filtering of known spam before updates to Kaspersky Mail Gateway databases become available.
A filtration server interacts with the UDS servers of Kaspersky Lab via UDP using port 7060 for communication. In order to use UDS, a filtration server must be able to establish outgoing connections through that port.
Information about available UDS servers is added to Kaspersky Mail Gateway databases. The choice of an individual UDS server to be used for message analysis is performed automatically on the basis of the response time of accessible UDS servers.
4.3.5. Recognition results and actions over messages
The analysis procedure results in assignment of one of the following statuses to a message:
• Spam – message recognized as spam.
• Probable Spam – message contains some spam signs; however, it cannot be unambiguously identified as spam.
• Formal (automatically generated letter) – message is formal, for example, it is a mail server notification informing about mail delivery or inability to deliver it, or about message infection with a virus. The category includes messages sent automatically by mail clients. Such messages are usually not considered to be spam.
• Blacklisted – message received from an address present in a black list.
• Not detected – a message that has no sufficient spam signs to be recognized as spam. No actions are specified for messages with such status.
Note
Although the product is being constantly developed in order to improve spam recognition and decrease the number of false positives from the filter, it is not possible to eliminate altogether the probability of recognizing normal messages as spam. Therefore, you are advised to use the actions that delete messages with caution.
Attention!
Preservation of all useful mail must be the top priority task for the system administrator, because the loss of a single important message may cause more trouble for the end user than receipt of a dozen spam messages. To avoid the loss of necessary mail, you are advised to use only non-destructive actions with mail identified after content analysis as spam or probable spam.
Messages that have received the Not detected status (i.e. not recognized as spam) are always delivered to the specified recipient, provided that the message also contains no infected or suspicious objects revealed during anti-virus scanning.
Each e-mail message can be assigned just one of the above statuses. The application records the status assigned to a message after analysis in a special X-SpamTest-Status-Extended header. Please refer to section B.18 on page 183 for details about the headers added to mail messages after filtering.
After recognition, the application may perform one of the following actions over a message:
• add a text mark in the message subject field;
• append special headers to the message;
• delete the message.
System administrator can define which of the listed actions will be performed over messages with a specific status.
In addition to actions related to mail routing, the administrator can specify the actions for message modification, which can be helpful both for visualization of recognition results and for use in combination with the filters in the client e-mail software of end users:
• Add a label to the message subject field.
• Add to the message special X-SpamTest-* headers. The headers can be used later for automatic mail processing by the e-mail software of end users. Please refer to section B.18 on page 183 for details about the headers added to mail messages after filtering.
4.4. Operation of the anti-virus scanning module
The AV module checks message components for the presence of viruses. During the scanning and disinfection of detected infected objects the AV module uses the anti-virus databases, which contain descriptions of all currently known viruses and methods for disinfecting objects containing them.
Attention!
You are advised to update the anti-virus databases regularly, to maximize the efficiency of anti-virus functionality with respect to new viruses. Updates for the anti-virus databases are made available on Kaspersky Lab's update servers every hour.
By default, the application's AV module only scans your e-mail traffic; it does not cure infected objects.
To enable disinfection, set the AVCure parameter in the [mailgw.group:group_name] section of the configuration file to true. If disinfection has been successful, the object is assigned Disinfected status.
Note
An object can be assigned the Disinfected status only if the cure mode has been enabled for infected objects.
An object may be assigned one of the following statuses in the process of its scanning:
• Clean – object is clean.
• Infected – object is infected and cannot be disinfected, or its disinfection has not been attempted.
• Disinfected – infected object has been successfully disinfected.
• Suspicious – object is suspected of being infected with an unknown virus or with a new modification of a known virus.
• Protected – scanning failed because the object is password-protected (e.g., it is an archive).
• Error – an error occurred during the scan of the object.
• Not_checked – object has not been scanned because anti-virus checks have been disabled.
The actions performed by the AV module on an object which has passed scanning are determined by the corresponding options in the configuration file (ActionInfected, ActionSuspicious, etc.). Each status has a corresponding option. The following actions are available:
• cure – replace the infected object in a message with a disinfected one;
• pass – transfer the object without modifications, no actions will be applied to the object;
• remove – remove the object from the e-mail message;
• placeholder – replace the object with a notification generated from a template.
Attention!
The action can only be defined for objects with Disinfected status (ActionDisinfected parameter).
CHAPTER 5. ANTI-VIRUS PROTECTION AND SPAM FILTRATION
Kaspersky Mail Gateway can provide anti-virus protection and spam filtering for e-mail traffic transferred through your organization's mail server.
The tasks implemented by Kaspersky Mail Gateway may be divided into three major groups:
1. Updates of the anti-spam and anti-virus databases used for spam filtering, anti-virus scanning and disinfection of objects.
2. Spam filtering.
3. Anti-virus protection of e-mail traffic.
Each of these groups comprises more specific tasks. In this chapter, we will discuss some typical tasks that the administrator can combine and enhance in accordance with the needs of his/her organization.
This guide describes how to locally configure and start tasks from the command line. Issues related to starting and managing tasks from remote computers using the Webmin application are not discussed in this document.
Attention!
To perform the tasks described, some changes must be made to the application's configuration file, following which the application must be restarted to apply the modifications.
Attention!
In the examples below, it is assumed that the administrator has completed all required post-installation tasks and the application operates correctly.
5.1. Updating the anti-virus and anti-spam databases
Kaspersky Mail Gateway uses the anti-virus and anti-spam databases while processing e-mail traffic.
The anti-spam database is employed for spam filtering, which requires the analysis of the contents of message bodies and attached files to identify unsolicited e-mail.
The anti-virus databases are employed during scanning and disinfection of infected objects; they contain descriptions of all currently known viruses and the methods of disinfection for objects affected by those viruses.
Note
Updates for the anti-spam databases are made available on Kaspersky Lab's update servers every three minutes. Updates for the anti-virus databases of Kaspersky Mail Gateway are made available on Kaspersky Lab's update servers every hour.
Attention!
We strongly recommend that the keepup2date component is configured to update the databases every three minutes!
Note
The keepup2date component supports Basic authentication for connections through a proxy server.
The keepup2date component is included in Kaspersky Mail Gateway to provide for software updates. The updates are retrieved from Kaspersky Lab's update servers, e.g.:
http://downloads1.kaspersky-labs.com/
http://downloads2.kaspersky-labs.com/
ftp://downloads1.kaspersky-labs.com/
etc.
The updcfg.xml file included in the installation package lists the URLs of all available update servers.
To update the anti-virus and content filtration databases, the keepup2date component selects an address from the list of update servers and tries to download updates from that server. If the server is currently unavailable, the application connects to another server on the list, until it succeeds.
After connection to an update server, keepup2date identifies available updates and downloads them.
After a successful update, the command specified by the value of the PostUpdateCmd parameter in the [updater.options] section of the configuration file will be executed. By default, this command starts compilation of the anti-spam module databases and automatically restarts the application. The restart is necessary to make the application use the updated anti-spam databases; Kaspersky Mail Gateway anti-virus databases are loaded without restart. Incorrect modification of this parameter may prevent the application from using the updated databases or cause it to function erroneously.
Note
All settings of the keepup2date component are stored in the [updater.*] sections of the configuration file.
If you have purchased a license for Kaspersky Mail Gateway to provide only anti-virus scanning of e-mail traffic, downloading of updates for the anti-spam databases can be disabled. To do so, assign the values AVS, AVS_OLD, CORE, Updater, and BLST to the UpdateComponentsList parameter in the [updater.options] section:
[updater.options]
UpdateComponentsList=AVS, AVS_OLD, CORE, Updater, BLST
If your network has a complicated structure, you are advised to download updates from Kaspersky Lab's update servers every three minutes and place them in a network directory. Other networked computers can be configured to copy their updates from that directory. For detailed instructions on how to implement this scenario, see section 5.1.3 on p. 50.
The updating process can either be scheduled to run automatically using the cron utility (see section 5.1.1 on p. 48), or started manually from the command line (see section 5.1.2 on p. 49). Starting the keepup2date component requires root user privileges.
5.1.1. Automatic updating of the anti-virus and anti-spam databases
Regular automatic updates for the anti-virus and anti-spam databases can be scheduled using the cron utility.
Example:
Configure the cron utility to automatically update your anti-virus and anti-spam databases every three minutes. An update server should be selected from the updcfg.xml file by default. Only errors occurring in the component operation should be recorded in the system log. Keep a general log of all task starts. Output no information to the console.
To perform the above task, do the following:
1. In the application‟s configuration file, specify the following values for these parameters:
[updater.options]
KeepSilent=true
[updater.report]
Append=true
ReportLevel=1
2. Edit the cron task file for the root user by typing the command crontab -u root -e and add the following line:
In Linux:
*/3 * * * * /opt/kaspersky/mailgw/bin/mailgw-keepup2date
In FreeBSD:
*/3 * * * * /usr/local/bin/mailgw-keepup2date
5.1.2. Manual updating of the anti-virus and anti-spam databases
You can start updating your anti-virus and anti-spam databases from the command line at any time.
Example:
Start updating the anti-virus and anti-spam databases and save the results of the update in the /tmp/updatesreport.log file.
To accomplish the task, log in as root (or any other privileged user) and enter at the command line:
# mailgw-keepup2date -l /tmp/updatesreport.log
If you need to update the anti-virus and anti-spam databases on several servers, it may be more convenient to download the updates from an update server once, save them to a shared directory, and mount the directory within the file system of every server running Kaspersky Mail Gateway. Then it will be sufficient to launch the update script, having first specified the mounted directory as the source of updates. Please see section 5.1.3 on p. 50 for details of how to create a shared directory for updates.
Attention!
These and other similar tasks can be accomplished remotely using the Webmin remote administration module.
Note
Please keep in mind that for Kaspersky Mail Gateway 5.6 only anti-virus and anti-spam databases will be updated.
Example:
Start updating the anti-virus and anti-spam databases from the local directory /home/kluser/bases. If the directory is inaccessible or empty, update the databases from Kaspersky Lab's update servers. Save the results to the /tmp/updatesreport.log file.
To accomplish the task, log in as root (or any other privileged user) and do the following:
1. Mount the shared directory containing the anti-virus database updates as the local directory /home/kluser/bases.
2. In the application configuration file, specify the following values for these parameters:
[updater.options]
UpdateServerUrl=/home/kluser/bases
UseUpdateServerUrl=true
UseUpdateServerUrlOnly=false
3. Enter the following at the command line:
# mailgw-keepup2date -l /tmp/updatesreport.log
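The source-selection behaviour that the two examples above rely on (try the mounted directory first, fall back to the update server list unless UseUpdateServerUrlOnly is set, and walk the list until a server answers), as an added illustrative model in Python. It is not the keepup2date code; the remote-server probe is simulated so that it runs offline.

```python
import os
import tempfile

# Illustrative model (added here, not the keepup2date implementation) of how the
# update source is chosen from the [updater.options] parameters shown above:
#   UpdateServerUrl        - local directory (or URL) to try first
#   UseUpdateServerUrl     - whether to try it at all
#   UseUpdateServerUrlOnly - if true, never fall back to the update servers
# The behaviour is inferred from the manual's description; treat it as an assumption.

UPDATE_SERVERS = [  # the servers named in section 5.1
    "http://downloads1.kaspersky-labs.com/",
    "http://downloads2.kaspersky-labs.com/",
    "ftp://downloads1.kaspersky-labs.com/",
]


def parse_updater_options(text):
    """Return the key/value pairs of the [updater.options] section of a config fragment."""
    opts, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = (line == "[updater.options]")
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def as_bool(value):
    return str(value).strip().lower() in ("true", "yes", "1")


def local_dir_usable(path):
    """A local source counts only if it is a readable, non-empty directory."""
    try:
        return os.path.isdir(path) and bool(os.listdir(path))
    except OSError:  # e.g. permission denied: treat as inaccessible
        return False


def choose_update_source(opts, servers, server_available):
    """Return the source to download from, or None if no source is usable.

    server_available(url) -> bool probes a remote server; it is injected so the
    example runs offline.
    """
    if as_bool(opts.get("UseUpdateServerUrl", "false")):
        preferred = opts.get("UpdateServerUrl", "")
        if local_dir_usable(preferred):
            return preferred
        if as_bool(opts.get("UseUpdateServerUrlOnly", "false")):
            return None  # restricted to the preferred source: fail rather than fall back
    for url in servers:  # try each server in turn until one answers
        if server_available(url):
            return url
    return None


def simulated_availability(url):
    """Constructed probe: the first server is 'down', the others answer."""
    return not url.startswith("http://downloads1.")


def config_for(path):
    return ("[updater.options]\nUpdateServerUrl=" + path +
            "\nUseUpdateServerUrl=true\nUseUpdateServerUrlOnly=false\n")


def demo():
    """Three cases: usable local dir, empty dir with fallback, empty dir without fallback."""
    results = {}
    with tempfile.TemporaryDirectory() as full, tempfile.TemporaryDirectory() as empty:
        with open(os.path.join(full, "index.xml"), "w") as f:  # constructed placeholder file
            f.write("<index/>")
        results["local"] = choose_update_source(
            parse_updater_options(config_for(full)), UPDATE_SERVERS, simulated_availability) == full
        results["fallback"] = choose_update_source(
            parse_updater_options(config_for(empty)), UPDATE_SERVERS, simulated_availability)
        only = parse_updater_options(config_for(empty))
        only["UseUpdateServerUrlOnly"] = "true"
        results["only"] = choose_update_source(only, UPDATE_SERVERS, simulated_availability)
    return results


if __name__ == "__main__":
    print(demo())
```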
5.1.3. Creating a network directory to store and share updates
Kaspersky Mail Gateway supports copying of updates to databases and application modules into a network directory for sharing and storage. That directory can be specified as the source of updates for the Kaspersky Mail Gateway 5.6 installations on network computers as well as other applications of Kaspersky Lab (versions 6.0 and 7.0).
To ensure that local computers are correctly updated from the shared directory, the directory must have the same file structure as Kaspersky Lab's update servers. This task deserves a detailed explanation.
Note
If other applications (versions 6.0 and 7.0) of Kaspersky Lab will be updated from the shared directory, the keepup2date component must be started as follows:
# mailgw-keepup2date -x <rdir>
Note
Users may set up their e-mail clients to transfer labeled messages to corresponding directories.
Example:
create a shared local directory which local computers will use as the source to update their anti-virus and anti-spam databases.
To accomplish the task, log in as root (or any other privileged user) and do the following:
1. Create a local directory.
2. Define the following parameter values in the application configuration file:
[updater.options]
RetranslateComponentsList=KAS303, AVS, AVS_OLD, CORE, Updater, BLST
3. Run the keepup2date component as follows:
# mailgw-keepup2date -u <rdir>
where <rdir> is the full path to the directory created.
4. Grant read-only access to the directory for local computers on your network.
5.2. Spam filtration
This section contains sample tasks demonstrating the application's functionality related to spam filtering. The examples show the main mechanisms used by the application to combat spam, and in particular:
• spam filtration and organization of user groups;
• marking of messages identified as spam, probable spam, formal or blacklisted mail with special labels in the Subject header;
• blocking of delivery for messages identified as spam, probable spam, formal or blacklisted mail;
• saving of messages identified as spam, probable spam, formal or blacklisted mail in the quarantine directory.
The section also includes information about the procedure used by the anti-spam module components and about the parameters controlling the anti-spam module.
5.2.1. Starting and managing the components of the anti-spam module
The main components of the anti-spam filtration server, namely:
• the filtering master process (mailgw-process-server);
• the licensing daemon (mailgw-kas-license);
• the SPF daemon (mailgw-spfd),
are launched at operating system start-up by a special script, which is named and located differently in the Linux and FreeBSD operating systems. The Linux operating system uses the mailgw script located in the /opt/kaspersky/mailgw/lib/bin/ directory (the /etc/init.d/mailgw link can be used, too), while the FreeBSD operating system employs the mailgw.sh script in the /usr/local/etc/rc.d/ directory.
The administrator can use the said scripts with the command line parameters described below to start, stop or restart the main components of the filtration server:
• start – start the main components of the filtration server.
• stop – stop operation of the main components of the filtration server.
• restart – restart the main components of the filtration server; the action is identical to running the stop and start actions one after another.
5.2.2. Managing the filtration process
The main purpose of the anti-spam module is detection of unwanted messages in the e-mail stream. The module has an advanced system of settings for configuration of spam recognition and its further processing:
• The level of spam recognition intensity (SpamRateLimit parameter in the [mailgw.policy] section). The application decides whether a message contains spam on the basis of several signs revealed in it by the scanning module (please refer to section 4.3 on page 38 for details).
• Addition of ProbableSpam or Obscene marks to the header of messages recognized after checks as mail belonging to the corresponding category (SpamMarkProbable and SpamMarkObscene parameters respectively).
• Verification of information about the message sender in DNS and DNS-based services: DNSBL, SPF, etc. (SpamUseDNS parameter).
• Checks of the sender IP address using a set of DNSBL services (SpamCheckDNSBL parameter).
• Check of sender IP presence in DNS (SpamCheckHostInDNS parameter).
• Check of sender IP using SPF (Sender Policy Framework) (SpamCheckSPF parameter).
• Check of sender IP address presence using SURBL (Spam URL Realtime Blocklists) (SpamCheckSURBL parameter).
• Analysis of message headers, checking them for:
  ◦ a list of undisclosed recipients in message headers (SpamHeadersToUndisclosed parameter);
  ◦ groups of digits in the sender's or recipient's address (SpamHeadersFromOrToDigits parameter);
  ◦ a missing domain part in an address (SpamHeadersFromOrToNoDomain parameter);
  ◦ long text in the message subject (SpamHeadersSubjectTooLong parameter);
  ◦ multiple spaces and dots in the message subject (SpamHeadersSubjectWSOrDots parameter);
  ◦ a digital identifier or time label in the message subject (SpamHeadersSubjectDigitIDOrTimestamp parameter);
  ◦ text in Chinese, Korean, Thai or Japanese in message headers (SpamHeadersMarkAllChinese, SpamHeadersMarkAllKorean, SpamHeadersMarkAllThai, SpamHeadersMarkAllJapanese parameters).
• Addition to the message header of a prefix describing the status assigned to it by the anti-spam module after scanning (MarkSubject parameter).
• Maximum size (Kb) of messages scanned for spam presence (SpamCheckSizeLimit parameter).
• Definition of individual groups of senders/recipients whose mail will be handled using custom rules (the [mailgw.group:group_name] section is used), including filtration based on black or white lists (please refer to section 5.2.3 on page 54 for details).
5.2.3. Mail filtration using black and white lists
A white list of senders is used to specify explicitly the addresses that provide mail which should not be scanned for the presence of spam signs. The list can include, for example, IP addresses of e-mail servers used to relay mail in the corporate LAN or the addresses of internal mailing lists.
During application configuration, white lists are created using specifically defined groups for which anti-spam and/or anti-virus scanning is disabled (CheckSpam=false, CheckAV=false).
A black list of senders has the opposite meaning. Administrators of the filtration server can add to the list addresses which spammers use to distribute their mail and computers spreading viruses.
Black lists are implemented through definition of an appropriate set of ConnectRule rules with the deny action specified.
Example:
Task:
• Create a group of senders whose mail will be treated as belonging to a white list. Criterion for including senders in the white list: any host of the 10.10.0.0/16 subnet.
• Create a group of senders whose mail will be treated as belonging to a black list. Criterion for including senders in the black list: the host with the 10.10.138.99 address.
• Messages from the white list should not be scanned for the presence of spam or viruses; they should be forwarded to recipients unchanged.
• Messages from the black list should not be accepted.
To accomplish the task, perform the following steps:
1. Define the level of spam filtration intensity by setting the corresponding parameter in the [mailgw.policy] section of the configuration file to the following value:
SpamRateLimit=standard
2. In the [mailgw.access] section specify a ConnectRule to reject a session when a connection is established with the 10.10.138.99 address:
[mailgw.access]
...
ConnectRule=deny for ip 10.10.138.99
...
3. Create the [mailgw.group:whitelist] section which defines the follow­ing rules for processing of mail for the users included into the whitelist group:
[mailgw.group:whitelist]
Recipients=*
Senders=ip 10.10.0.0/16
CheckSpam=false
CheckAV=false
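An added evaluator (not Kaspersky Mail Gateway's own code) that parses the fragments above and shows why 10.10.138.99 is refused at connection time even though it also lies inside the whitelisted 10.10.0.0/16 subnet. The ConnectRule grammar beyond the deny example shown, the default-accept behaviour and the "ip <CIDR>" form of Senders are assumptions.

```python
import ipaddress
import re

# Assumptions (this is an illustration, not the product's parser): ConnectRule
# takes the form "<allow|deny> for ip <address or CIDR>", a connection matching
# no rule is accepted, Senders is matched only in its "ip <CIDR>" form, and a
# sender belonging to no group is scanned for both spam and viruses.

CONFIG = """
[mailgw.policy]
SpamRateLimit=standard

[mailgw.access]
ConnectRule=deny for ip 10.10.138.99

[mailgw.group:whitelist]
Recipients=*
Senders=ip 10.10.0.0/16
CheckSpam=false
CheckAV=false
"""

RULE_RE = re.compile(r"^(allow|deny)\s+for\s+ip\s+(\S+)$", re.IGNORECASE)


def parse_config(text):
    """Parse the INI-like fragment into {section: [(key, value), ...]} (keys may repeat)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "...":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def ip_matches(ip, spec):
    """True if ip lies in spec, which may be a single address or a CIDR block."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def connection_allowed(sections, peer_ip):
    """ConnectRule is evaluated when the SMTP session is opened, before any message is read."""
    for key, value in sections.get("mailgw.access", []):
        if key != "ConnectRule":
            continue
        m = RULE_RE.match(value)
        if m and ip_matches(peer_ip, m.group(2)):
            return m.group(1).lower() == "allow"
    return True  # assumed default when no rule matches


def group_for_sender(sections, sender_ip):
    """Find the first [mailgw.group:*] section whose Senders=ip <CIDR> covers the sender."""
    for name, entries in sections.items():
        if not name.startswith("mailgw.group:"):
            continue
        settings = dict(entries)
        senders = settings.get("Senders", "")
        if senders.lower().startswith("ip ") and ip_matches(sender_ip, senders[3:].strip()):
            return name.split(":", 1)[1], settings
    return None, {}


def decide(sections, peer_ip):
    """Combine both stages into the outcome for a connecting host."""
    if not connection_allowed(sections, peer_ip):
        return {"accepted": False, "group": None, "check_spam": None, "check_av": None}
    group, settings = group_for_sender(sections, peer_ip)
    return {
        "accepted": True,
        "group": group,
        "check_spam": settings.get("CheckSpam", "true").lower() != "false",
        "check_av": settings.get("CheckAV", "true").lower() != "false",
    }


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for ip in ("10.10.138.99", "10.10.5.7", "192.0.2.10"):
        print(ip, decide(cfg, ip))
```

The deny rule wins for 10.10.138.99 because the session is rejected before the whitelist group is ever consulted; a host elsewhere in 10.10.0.0/16 is accepted with both scans disabled, and any other host is accepted and scanned.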
5.2.4. Managing the UDS service
Checking the access time of UDS servers
The application uses the uds-rtts.sh script to check the time required for access to the UDS servers of Kaspersky Lab. Collected data is used to select the most suitable server for UDS queries.
Script launch command in Linux:
# /opt/kaspersky/mailgw/lib/bin/kas-filter/uds-rtts.sh -q
In FreeBSD:
# /usr/local/libexec/kaspersky/mailgw/kas-filter/uds-rtts.sh -q
To make the selection of UDS servers more efficient, configure the task that checks the UDS server access time to run regularly, for example, using cron.
The recommended interval between task starts is every 10-15 minutes.
Checking UDS server availability
To check if a UDS server is available (i.e. it can be accessed), run the uds-rtts.sh script with the -a option as follows:
In Linux:
# /opt/kaspersky/mailgw/lib/bin/kas-filter/uds-rtts.sh -a
In FreeBSD:
# /usr/local/libexec/kaspersky/mailgw/kas-filter/uds-rtts.sh -a
Restarting as kluser
uds-rtts: OK, updated 1 records.
uds-rtts: uds.kaspersky-labs.com available rtt=4103
uds-rtts finished successfully.
5.2.5. Managing the list of enabled DNSBL services
Checks of sender IP address presence in DNSBL are performed on two levels:
• When an incoming connection is established (provided that an appropriate rule is specified in the ConnectRule parameter); see Appendix A on page 107.
• When the anti-spam module checks a message (the check also includes verification of IP addresses mentioned in the Received headers of the message). You can define for each group of users whether the application will run checks involving DNSBL services for that group.
Management of the DNSBL services used by the application belongs to general settings of the anti-spam module. The list of available services is common for all user groups.
Each DNSBL service is defined by the address to which queries are sent and by a rating.
The rating expresses how trustworthy the service is in the opinion of the administrator. When a sender's IP address is checked in DNSBL, Kaspersky Mail Gateway sends a query to every service in the list. When the results are returned, it sums up the ratings of the services which recognized the IP address as a source of spam.
When the check is run at connection establishment, the in_dnsbl rule (see Appendix A on page 107) is applied if the sum of the ratings of the triggered DNSBL services reaches or exceeds 100.
When the check is run by the anti-spam module, the sender is considered to be included in the black list and the message receives the blacklisted status if the sum of the ratings of the triggered services reaches or exceeds 100, irrespective of the results returned by the other checks. Some filtering intensity levels also take a sum below 100 into account: in that case the presence of the sender in black lists is used only as an additional sign, and the message is recognized as spam only if other checks reveal further signs.
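The rating arithmetic above, as an added example that is not part of the guide or of the product: a constructed service list with ratings, a constructed resolver standing in for DNS answers, and the threshold decision that the connection-time rule and the anti-spam module both apply. The reversed-octet query name is the common DNSBL convention; the guide does not say how the product itself forms its queries. A live_resolver using the system resolver is included for trying the logic against a real service; everything else is constructed.

```python
"""DNSBL rating arithmetic of the kind described above.

Added example; not the product's code.  Services, ratings, listed addresses and
the resolver are constructed.  The query-name form (reversed IPv4 octets under
the service zone) is the usual DNSBL convention, which the guide does not spell
out; the product's own query method is not documented here.
"""
import ipaddress
import socket
from typing import List, Tuple

THRESHOLD = 100  # the guide's fixed rating sum at which the sender is blacklisted

# Constructed list of (zone, rating) pairs standing in for the configured services.
SERVICES: List[Tuple[str, int]] = [
    ("bl.one.example", 60),
    ("bl.two.example", 40),
    ("bl.three.example", 30),
]

# Constructed answers standing in for real DNSBL data: zone -> listed addresses.
LISTED = {
    "bl.one.example": {"198.51.100.7", "203.0.113.9"},
    "bl.two.example": {"198.51.100.7"},
    "bl.three.example": {"203.0.113.9"},
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """198.51.100.7 + bl.one.example -> 7.100.51.198.bl.one.example"""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def fake_resolver(name: str) -> bool:
    """Answer as the constructed zones would: True if the name resolves (listed)."""
    for zone, ips in LISTED.items():
        if name.endswith("." + zone):
            rev = name[: -len(zone) - 1]
            return ".".join(reversed(rev.split("."))) in ips
    return False


def live_resolver(name: str) -> bool:
    """Real lookup: a DNSBL answers with an A record for listed addresses only."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def dnsbl_score(ip, services, resolver):
    """Sum the ratings of every service that lists ip; also return which ones did."""
    triggered = [(zone, rating) for zone, rating in services
                 if resolver(dnsbl_query_name(ip, zone))]
    return sum(rating for _, rating in triggered), triggered


def verdict(ip, services=SERVICES, resolver=fake_resolver, threshold=THRESHOLD):
    """'blacklisted' at or above the threshold; below it only an additional sign."""
    score, triggered = dnsbl_score(ip, services, resolver)
    if score >= threshold:
        return "blacklisted", score
    if triggered:
        return "additional-sign", score
    return "clean", score


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.1"):
        print(ip, *verdict(ip))
```

The ratings decide the outcome, not the number of listings: two services rated 60 and 40 blacklist a sender on their own, while a listing by the 60 and 30 services (sum 90) is only an additional sign. When choosing ratings, give 100 or more only to services whose listing policy you are prepared to enforce unconditionally.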
5.2.6. Marking of messages containing spam
Example:
Filter spam using the standard degree of filtering intensity.
Modify the Subject header of messages identified as spam or probable spam.
To perform the above task, do the following:
Specify the level of spam filtering intensity by setting the SpamRateLimit parameter value in the [mailgw.policy] section of the configuration file. Then define the mail processing rules:
SpamRateLimit=standard
CheckSpam=true
MarkSubject=spam,probable
5.2.7. Blocking delivery of spam messages
Example:
Filter spam; specify the standard degree of filtering intensity.
Block the delivery of messages identified as spam or probable spam for users in the managers group.
Block the delivery of spam messages only for all other users.
To perform the above task, do the following:
1. Specify the level of filtering intensity. To do so, specify the following parameter value in the [mailgw.policy] section of the configuration file:
SpamRateLimit=standard
2. Create the [mailgw.group:managers] section, which will define the rules for processing the e-mail of users included in the managers group:
[mailgw.group:managers]
Recipients=*@managers.example.com
CheckSpam=true
BlockMessage=as/spam,as/probable
Mail processing rules for all other users will also be defined by the [mailgw.policy] section:
[mailgw.policy]
CheckSpam=true
BlockMessage=as/spam
5.2.8. Storage of spam message copies in the quarantine directory
Storing message copies in the quarantine directory can be combined with blocking e-mail delivery, but need not be. In the first case messages identified as spam or probable spam do not reach the recipients' mailboxes but are saved in the quarantine directory. In the second case the messages are delivered to end users and copies are preserved in quarantine.
Example:
Filter spam; specify the standard degree of filtering intensity.
Copy all messages identified as spam, probable spam, formal or blacklisted mail to the quarantine directory.
Block the delivery of messages identified as spam or probable spam.
To perform the above task, do the following:
1. Specify the level of filtering intensity, by setting the following parameter value in the [mailgw.policy] section of the configuration file:
SpamRateLimit=standard
2. Specify the following parameter values in the [mailgw.policy] section of the configuration file:
[mailgw.policy]
CheckSpam=true
BlockMessage=as/spam,as/probable
QuarantineMessage=as/spam,as/probable,as/formal,as/blacklisted
Attention! Messages that the anti-spam module has assigned the status Spam, Probable Spam, Formal or Blacklisted are blocked or quarantined before anti-virus scanning, so their scanning is skipped and the quarantine directory may contain viruses. Treat the directory as untrusted: restrict access to it and do not open quarantined attachments on the gateway itself.
5.3. Anti-virus protection of e-mail traffic
This section contains examples of Kaspersky Mail Gateway's anti-virus protection of e-mail traffic. The settings described in the examples can be combined to produce more sophisticated e-mail traffic protection schemes.
5.3.1. Delivery of messages with clean or disinfected objects only
Example:
Scan all the server's incoming and outgoing e-mail traffic for viruses.
Cure infected objects.
Remove from e-mail messages all infected objects which could not be cured.
Deliver to recipients only messages containing clean and disinfected objects.
To perform the above task, specify the following parameter values in the [mailgw.policy] section:
1. Define the anti-virus scanning mode for all e-mail messages:
CheckAV=true
2. Enable disinfection mode for infected objects:
AVCure=true
3. Specify the operations, which must be performed with the objects:
ActionDisinfected=cure
ActionInfected=remove
ActionSuspicious=remove
ActionProtected=remove
ActionError=remove
BlockMessage=
Note
Notifications can be delivered to the administrator, message recipient and sender, informing them of the detection of infected or suspicious objects (see section 5.3.4 on p. 62). Also, messages containing infected, suspicious or password-protected objects can be saved in the quarantine directory (see section 5.3.6 on p. 64).
5.3.2. Replacement of infected objects by standard notifications
Task:
Scan all e-mail traffic on the server for viruses, and cure infected objects in e-mail messages.
Objects which cannot be cured, and suspicious, damaged or password-protected objects, must be deleted and replaced with a standard notification.
Solution: To perform the above task, specify the following parameter values in the [mailgw.policy] section:
1. Define the anti-virus scanning mode for all e-mail messages:
CheckAV=true
2. Enable disinfection mode for infected objects:
AVCure=true
3. Specify the operations, which must be performed with the objects:
ActionDisinfected=cure
ActionInfected=placeholder
ActionSuspicious=placeholder
ActionProtected=placeholder
ActionError=placeholder
BlockMessage=
Note
In addition to replacing infected and suspicious objects with standard messages, the application can deliver notifications to the administrator with information about the detection of the objects (see section 5.3.4 on p. 62) and save the messages containing the objects in the quarantine directory (see section 5.3.6 on p. 64).
5.3.3. Blocking delivery for messages containing suspicious objects
Example:
Scan all e-mail traffic on the server for viruses, and cure infected objects in e-mail messages;
Block the delivery of messages containing objects which cannot be cured, and suspicious, damaged or password-protected objects.
To perform the above task, specify the following parameter values in the [mailgw.policy] section:
1. Define the anti-virus scanning mode for all e-mail messages:
CheckAV=true
2. Enable disinfection mode for infected objects:
AVCure=true
3. Specify the operations, which must be performed with the objects:
ActionDisinfected=cure
ActionInfected=pass
ActionSuspicious=pass
ActionProtected=pass
ActionError=pass
BlockMessage=av/infected,av/suspicious,av/protected,av/error
Attention! While implementing this task, please note that if a message contains several objects, one of which cannot be disinfected or is suspicious or password protected, the delivery of the whole message will be blocked.
Note
The application can also be configured to send notifications to the administrator with information about the detection of infected or suspicious objects (see section 5.3.4 on p. 62) and save the messages containing those objects in the quarantine directory for later delivery to Kaspersky Lab for examination (see section 5.3.6 on p. 64).
5.3.4. Delivery of notifications to the sender, administrator and recipients
Example:
Scan all e-mail traffic on the server for viruses, and cure all infected objects.
Deliver to recipients only messages containing clean and disinfected objects.
Delete all objects which cannot be cured, as well as suspicious, damaged or password-protected objects.
Notify the senders, recipients and the administrator about cured, incurable, deleted, suspicious and damaged objects in e-mail messages.
To perform the above task, specify the following parameter values in the [mailgw.policy] section:
1. Enable disinfection mode for infected objects:
AVCure=true
2. Specify the operations, which must be performed with the objects:
ActionDisinfected=cure
ActionInfected=remove
ActionSuspicious=remove
ActionProtected=remove
ActionError=remove
BlockMessage=
3. Specify the cases in which notifications should be sent, and their recipi­ents:
NotifyAdmin=av/disinfected,av/infected,av/suspicious,av/protected,av/error
NotifyRecipient=av/disinfected,av/infected,av/suspicious,av/protected,av/error
NotifySender=av/disinfected,av/infected,av/suspicious,av/protected,av/error
Note that the sender address of mail carrying malware is usually forged, so notifications generated under NotifySender=av/infected and av/suspicious go to uninvolved third parties as backscatter; consider restricting sender notifications to av/disinfected or leaving NotifySender empty.
5.3.5. Additional filtering of objects by name and type
E-mail messages frequently carry objects with a high probability of being malicious (e.g., executable files). To reduce the risk of infection, you are advised to configure the application to filter e-mail by attachment name and/or type, and to save these objects in a separate directory.
There are also objects which cannot be infected with viruses (e.g., plain text files). To reduce the load on the server during anti-virus scanning of e-mail messages, you can specify the types and/or names of such attachments in advance so that the application does not scan them. Note that both the attachment name and the declared MIME type are chosen by the sender, so an exclusion can be bypassed by relabelling a file; use exclusions to skip objects that cannot be executed or opened by a vulnerable application, not as a security control.
Filtering of objects is performed using name masks (IncludeByName, ExcludeByName parameters) and MIME types (IncludeByMime, ExcludeByMime parameters).
Example:
Delete .exe and .reg attachments from the e-mail of users in the managers group.
For users in the accounts group, delete all attached objects except for .doc files.
For users in the sales group, block messages containing attached .exe files.
To perform the above task, do the following:
Create in the application's configuration file three [mailgw.group:group_name] sections, which will contain processing rules for the e-mail of users in the managers, accounts and sales groups respectively:
[mailgw.group:managers]
Recipients=*@managers.example.com
IncludeByName=*.exe
IncludeByName=*.reg
ActionFiltered=remove
[mailgw.group:accounts]
Recipients=*@accounts.example.com
ExcludeByName=*.doc
ActionFiltered=remove
[mailgw.group:sales]
Recipients=*@sales.example.com
IncludeByName=*.exe
BlockMessage=av/filtered
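To see how the group sections and the default policy combine, here is an added example (not the product's own parser, and not from this guide) that reads a configuration fragment in the form used in sections 5.2.7 and 5.3.5 and answers what happens to a given attachment for a given recipient. Assumptions the guide does not state: masks are shell-style globs matched case-insensitively, the first matching [mailgw.group:*] section wins, a group's values replace the [mailgw.policy] values for the keys the group sets, and IncludeByName is consulted before ExcludeByName when both are present. Sender-based groups (Senders=ip ...) are not modelled.

```python
"""Resolve the effective attachment-filtering rule for a recipient.

Added example; not the product's own parser.  It reads a configuration fragment
in the [section]/Key=Value form used throughout this chapter and answers "what
happens to attachment X for recipient Y".  Assumptions not stated in the guide:
masks are shell-style globs matched case-insensitively, the first matching
[mailgw.group:*] section wins, a group's values replace the [mailgw.policy]
value of the same key, and IncludeByName takes precedence when both Include and
Exclude masks are present.
"""
import fnmatch
from collections import defaultdict
from typing import Dict, List

# Constructed fragment built from the sections shown in 5.2.7 and 5.3.5.
CONFIG_TEXT = """
[mailgw.policy]
CheckAV=true
CheckSpam=true
ActionFiltered=pass
BlockMessage=as/spam

[mailgw.group:managers]
Recipients=*@managers.example.com
IncludeByName=*.exe
IncludeByName=*.reg
ActionFiltered=remove

[mailgw.group:accounts]
Recipients=*@accounts.example.com
ExcludeByName=*.doc
ActionFiltered=remove

[mailgw.group:sales]
Recipients=*@sales.example.com
IncludeByName=*.exe
BlockMessage=av/filtered
"""

Config = Dict[str, Dict[str, List[str]]]


def parse_config(text: str) -> Config:
    """{section: {key: [value, ...]}}; a key may repeat, as IncludeByName does."""
    sections: Config = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections.setdefault(current, defaultdict(list))
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed configuration line: %r" % raw)
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key].append(value)
    return sections


def _matches(value: str, masks: List[str]) -> bool:
    return any(fnmatch.fnmatchcase(value.lower(), m.lower()) for m in masks)


def group_for(recipient: str, cfg: Config) -> str:
    """First group whose Recipients mask matches, else the default policy section."""
    for name, params in cfg.items():
        if name.startswith("mailgw.group:") and _matches(recipient, params.get("Recipients", [])):
            return name
    return "mailgw.policy"


def effective(recipient: str, cfg: Config) -> Dict[str, List[str]]:
    """Policy values, with every key the matching group sets replaced by the group's."""
    merged = {k: list(v) for k, v in cfg.get("mailgw.policy", {}).items()}
    group = group_for(recipient, cfg)
    if group != "mailgw.policy":
        for k, v in cfg[group].items():
            merged[k] = list(v)
    return merged


def is_filtered(filename: str, params: Dict[str, List[str]]) -> bool:
    """IncludeByName: filtered if any mask matches.  ExcludeByName: filtered unless one matches."""
    include = params.get("IncludeByName", [])
    exclude = params.get("ExcludeByName", [])
    if include:
        return _matches(filename, include)
    if exclude:
        return not _matches(filename, exclude)
    return False


def disposition(recipient: str, filename: str, cfg: Config) -> str:
    """'deliver', 'block' (whole message), or the ActionFiltered value for the object."""
    params = effective(recipient, cfg)
    if not is_filtered(filename, params):
        return "deliver"
    blocked = {s.strip() for v in params.get("BlockMessage", []) for s in v.split(",")}
    if "av/filtered" in blocked:
        return "block"
    return params.get("ActionFiltered", ["pass"])[-1]


CONFIG = parse_config(CONFIG_TEXT)

if __name__ == "__main__":
    for rcpt, name in (("bob@managers.example.com", "setup.exe"),
                       ("ann@accounts.example.com", "invoice.pdf"),
                       ("sam@sales.example.com", "Setup.EXE")):
        print(rcpt, name, "->", disposition(rcpt, name, CONFIG))
```

Running it shows the three outcomes the example asks for: remove for managers, remove of everything but .doc for accounts, and a whole-message block for sales. Because the sales group's BlockMessage replaces the policy's BlockMessage=as/spam under the assumed merge rule, spam blocking for that group must be repeated in the group section if it is still wanted; check the real product's merge behaviour (Appendix A) before relying on either reading.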
5.3.6. Saving messages in the quarantine directory
Kaspersky Mail Gateway can be configured to store messages with specified statuses in the quarantine directory.
This feature may be used, for example, if an infected attachment containing im­portant data was detected during anti-virus scanning. Attempting to disinfect the file may corrupt the data. The message can be isolated in a separate directory and subsequently sent to Kaspersky Lab for analysis. Our experts will probably be able to disinfect the file, and preserve the data‟s integrity.
Example:
Scan all e-mail traffic on the server for viruses and cure all infected objects.
Deliver to recipients only messages containing clean and disinfected objects.
Messages with incurable attachments or suspicious, damaged or password-protected objects must be saved in the quarantine directory /opt/quarantine; delivery of these messages must be blocked.
To perform the above task, do the following:
1. Create the directory /opt/quarantine, which will be used to store blocked messages, and grant write access to it to the account used to run the application (kluser by default). The directory will hold known-malicious objects, so make that account the owner, grant no access to other users (for example, mode 0700), and do not open quarantined files on the gateway itself.
2. Enable the cure mode for infected objects, by setting the following pa­rameter value in the [mailgw.policy] section of the configuration file:
AVCure=true
3. Specify these parameter values in the [mailgw.policy] section of the configuration file:
ActionDisinfected=cure
ActionInfected=pass
ActionSuspicious=pass
ActionProtected=pass
ActionError=pass
BlockMessage=av/infected,av/suspicious,av/protected,av/error
QuarantineMessage=av/infected,av/suspicious,av/protected,av/error
AVQuarantinePath=/opt/quarantine
Note
The application settings described in this section are provided as examples only; the administrator should adapt them as necessary.
5.4. Combining spam filtration and anti-virus protection
The choices of application mode, of level of anti-virus scanning and of spam fil­tering intensity depend both on the volume of e-mail traffic to be processed by the application, and the corporate security policy. Three modes demonstrated in this section illustrate methods for combining spam filtration with anti-virus protec­tion of e-mail traffic.
5.4.1. Maximum speed
This mode provides high-performance anti-virus scanning and spam filtration, which may be necessary when a large volume of e-mail has to be processed. The security level is reduced: the application does not cure infected objects, and it does not scan archives or mail databases (AVScanArchives=false, AVScanMailBases=false), so malware inside an archive is not detected by the scanner and is caught only if the archive's file name matches a mask in the filter list.
In this mode, the application:
filters e-mail traffic for spam with the minimum degree of filtering intensity;
blocks messages identified as spam;
marks messages identified as probable spam, formal or blacklisted mail with special labels in the Subject header;
scans e-mail attachments for viruses but does not attempt to cure infected objects;
filters and blocks delivery of messages containing the most dangerous attachment types (an external file defines the list of name masks) and of messages containing infected attachments;
notifies recipients about messages which have been blocked.
To enable this mode:
1. Specify the following parameter value in the [mailgw.policy] section of the configuration file:
SpamRateLimit=minimum
2. Create a file List1 containing name masks for the attachment types most likely to carry malware, for example:
*.exe
*.bat
*.com
*.scr
*.bin
*.dll
3. Specify the following parameter values in the [mailgw.policy] section of the configuration file:
AVCure=false
AVScanArchives=false
AVScanMailBases=false
CheckAV=true
CheckSpam=true
IncludeByName=file:<path to file>/List1
MarkSubject=probable,formal,blacklisted
ActionFiltered=pass
ActionInfected=pass
ActionSuspicious=pass
ActionProtected=pass
ActionError=pass
BlockMessage=av/infected,av/filtered,as/spam
NotifyRecipient=av/infected,av/filtered
Note
The presence of several groups of senders/recipients ([mailgw.group:group_name] sections) slows down processing of e-mail traffic. When high performance is required, you are advised to use the default group only ([mailgw.policy] section) to specify the e-mail processing rules.
5.4.2. Recommended mode
The mode gives the optimal balance between server performance and security. In this mode, the application:
filters e-mail traffic for spam with the standard degree of filtering intensity;
marks messages identified as spam, probable spam, formal or blacklisted mail with special labels in the Subject header;
performs anti-virus scanning and disinfection of e-mail attachments;
replaces suspicious objects, and infected objects which cannot be cured, with a standard notification;
blocks delivery of messages containing password-protected attachments and attached objects that cause errors during scanning; these messages are added to the quarantine directory;
notifies recipients about blocked messages.
To enable this mode:
1. Specify the following parameter value in the [mailgw.policy] section of the application‟s configuration file:
SpamRateLimit=standard
2. Specify the following parameter values in the [mailgw.policy] section:
AVCure=true
AVScanArchives=true
AVScanMailBases=true
CheckAV=true
CheckSpam=true
MarkSubject=spam,probable,formal,blacklisted
ActionDisinfected=cure
ActionInfected=placeholder
ActionSuspicious=placeholder
ActionProtected=pass
ActionError=pass
BlockMessage=av/protected,av/error
QuarantineMessage=av/protected,av/error
NotifyRecipient=av/protected,av/error
5.4.3. Maximum protection
In the maximum protection mode the speed of e-mail traffic processing is lower, but the mode provides the best protection of users against spam and viruses. In this mode the application:
filters e-mail traffic for spam with the maximum degree of filtering intensity;
blocks delivery of messages identified as spam, probable spam, formal or blacklisted mail and adds them to the quarantine directory;
performs anti-virus scanning and disinfection of e-mail attachments;
removes from messages infected attachments which cannot be cured, suspicious or password-protected objects, and objects which caused errors during scanning;
notifies message recipients and the administrator about infected, suspicious and password-protected attachments and about objects which caused errors during scanning.
To enable that mode:
1. Specify the following parameter value in the [mailgw.policy] section of the configuration file:
SpamRateLimit=maximum
2. Specify the following parameter values in the [mailgw.policy] section of the configuration file:
AVCure=true
AVScanArchives=true
AVScanMailBases=true
CheckAV=true
CheckSpam=true
MarkSubject=spam,probable,formal,blacklisted
ActionDisinfected=cure
ActionInfected=remove
ActionSuspicious=remove
ActionProtected=remove
ActionError=remove
BlockMessage=as/all
QuarantineMessage=as/all
NotifyRecipient=av/infected,av/suspicious,av/protected,av/error
NotifyAdmin=av/infected,av/suspicious,av/protected,av/error
5.5. Additional features of Kaspersky Mail Gateway
In addition to its main functions, spam filtering and anti-virus scanning of e-mail traffic, the application can also perform these tasks:
logging of received and sent e-mail;
forwarding of all received e-mail;
enabling restrictions for SMTP connections, preventing both attacks on the server and the use of the application as an open relay for sending unauthorized e-mail.
5.5.1. Automatically add incoming and outgoing e-mail to archives
If the security policy of your organization requires archiving of the e-mail traffic processed by the server, the application can be configured to add all e-mail messages to archives. If necessary, the administrator can view all archived messages.
If automatic archiving is enabled, copies of the following messages are archived:
All incoming messages, including spam and messages with infected objects, without additionally notifying the administrator. Archiving of these messages is enabled by specifying the path to the archive directory as the value of the IncomingArchivePath parameter in the [mailgw.archive] section.
All outgoing messages, including messages delivered to recipients, messages blocked because of a virus or spam, and notification messages generated by the application. Archiving of these messages is enabled by specifying the path to the archive directory as the value of the OutgoingArchivePath parameter in the [mailgw.archive] section.
All received messages before scanning. The application starts copying mail when you specify a list of e-mail addresses to which blind carbon copies of the mail are sent (the IncomingBcc parameter in the [mailgw.archive] section).
Attention! Before you enable automatic archiving, make sure that there is enough space in your server's file system to accommodate the archive. Purge the directory periodically to remove old messages and compress the files you need to keep (how often depends on the intensity of e-mail traffic in your network). Because the incoming archive holds unscanned spam and infected messages in full, restrict access to the archive directories to the application account and to the administrators who need them.
5.5.2. Protection from hacker attacks and spam
To provide the highest level of security for your e-mail system, you are advised to modify the configuration file so that the application does more than anti-virus scanning. To protect your server from attacks on the SMTP service or, for example, to prevent spam being relayed through your server, configure the following options:
ConnectRule in the [mailgw.access] section. The parameter defines application behaviour when an SMTP session is established.
HeloRule in the [mailgw.access] section. The parameter defines the application's response to HELO/EHLO commands received from a client.
MailfromRule in the [mailgw.access] section. The parameter defines the application's behaviour in response to an attempt to send a message from a source (passed with the MAIL FROM command) whose domain name does not match the actual IP address or MX host corresponding to that domain.
RelayRule in the [mailgw.access] section. The parameter defines rules for client access to the gateway. Correct settings of this option are essential to prevent the application's use as a publicly open e-mail relay: a gateway that accepts mail for arbitrary destinations from arbitrary clients will be abused for spam, and its address is then likely to be listed in the DNSBL databases described below.
Attention! A detailed description of the syntax of these parameters is provided in the description of the configuration file (see Appendix A on p. 107).
You are also advised to enable restrictions for SMTP connections (see section 6.1.2 on p. 78).
Application version 5.6 supports DNS black lists. This technology allows blocking of incoming e-mail sent from servers registered in a DNSBL database as sources of spam. The list of DNSBL services is specified in the DNSBlackList parameter in the [mailgw.access] section of the application configuration file.
Attention! A DNSBL service (DNS-based Blackhole List) is a database of IP addresses of mail servers used for uncontrolled mass mailing, typically servers that accept mail from anyone and deliver it to arbitrary recipients. Use of DNSBL allows automatic blocking of mail from such servers. Different services use different policies for building their lists; examine the listing and delisting policy of each service carefully before you start using it for mail filtration, since a service that lists aggressively will cause legitimate mail to be rejected.
If a certain address is constantly used for sending spam and the administrators of the server used for spam distribution take no preventive steps, you can report the spammer to the operator of a DNSBL. The address will be added to the database, and the record will allow automatic blocking of incoming e-mail sent from that mail server.
5.6. Managing product keys
Attention! Kaspersky Mail Gateway WILL NOT work without a key!
The right to use Kaspersky Mail Gateway is determined by the product key. The key is included in the application's distribution kit and entitles you to use the application from the day on which you purchased it and installed the key.
After the key expires, the application will continue to work as before, except that the anti-virus and anti-spam databases will no longer be updated. That is, the application will still be able to scan e-mail messages for viruses, filter spam and disinfect infected objects, but will be unable to use databases issued after the key expiration date. Therefore, you may not be protected against new viruses that appear after the license expired, and the anti-spam module will be unable to filter new spam types.
To protect your network‟s computers against new viruses and efficiently filter spam, you are advised to renew the key for Kaspersky Mail Gateway.
The key gives you the right to use the application. It contains information related to the license you have purchased, including the type of license, the key expiry date, and information about dealers.
In addition to the right to use the application during the period of key validity, you will have the following benefits:
twenty-four-hour technical support;
hourly updates of the anti-virus databases, and updates to the anti-spam database made available every three minutes;
timely notifications about new virus threats.
For all these reasons, it is essential to extend your product key before it expires. One way to manage licenses is to install an additional key, which the application will start to use as soon as the current active key expires (see section 5.6.2 on p. 74).
5.6.1. Viewing information about product keys
You can view information about installed product keys in the reports of the mailgw component. Each time the main application component starts, it loads the license key and writes its contents to the report. More detailed information about the status of license keys may be obtained using licensemanager, a special component of the application. All information about keys may be viewed either on the server's console or remotely from any networked computer that has access to the Webmin module.
To view information about all installed product keys, enter the following in the command line:
In Linux:
# /opt/kaspersky/mailgw/bin/mailgw-licensemanager -s
in FreeBSD:
# /usr/local/bin/mailgw-licensemanager -s
The server console will display information similar to the following:
Kaspersky license manager for Linux. Version
5.6.0/RELEASE
Copyright (C) Kaspersky Lab, 1997-2008.
Portions Copyright (C) Lan Crypto
License info:
Product name: Kaspersky Mail Gateway
Expiration date: 02-06-2008, expires in 34 days
Active key info:
Product name: Kaspersky Mail Gateway
Key file 00086CA1.key
Type: Commercial
Expiration date: 02-06-2008
Serial: 0007-000487-00086CA
To view information about a particular key, enter the following in the command line:
in Linux:
# /opt/kaspersky/mailgw/bin/mailgw-licensemanager -k 00053E3D.key
where 00053E3D.key is the name of the product key file.
in FreeBSD:
# /usr/local/bin/mailgw-licensemanager -k 00053E3D.key
The server console will display information similar to the following:
Kaspersky license manager. Version 5.6.0/RELEASE
Copyright (C) Kaspersky Lab. 1998-2008.
Portions Copyright (C) Lan Crypto
Product name: Kaspersky Mail Gateway
Creation date: 02-12-2007
Expiration date: 02-06-2008
Serial 0007-000487-00086CA
Serial 02B1-000454-00053E3
Type: Commercial
Lifespan: 91
5.6.2. Renewing your product key
Renewing the Kaspersky Mail Gateway key gives you the right to re-enable full product functionality, and to resume the additional services listed in section 5.6 on p. 71.
The validity period of the key depends on the product you bought, and the type of the license you purchased. The license for Kaspersky Mail Gateway is usually issued for one year.
To renew the Kaspersky Mail Gateway key:
Contact the company that sold you the application and renew your key for Kaspersky Mail Gateway.
or: Purchase a key directly from Kaspersky Lab. Write a letter of request to
the Sales Department of our company at sales@kaspersky.com or fill in the corresponding form on our website (www.kaspersky.com), in the section E-Store Renew Your License. After your payment is re­ceived, we will send a license key to the e-mail address indicated in the corresponding field of your license renewal form.
To install a new license key, enter the following in the command line:
in Linux:
# /opt/kaspersky/mailgw/bin/mailgw-licensemanager -a 00053E3D.key
where 00053E3D.key is the name of the product key file.
in FreeBSD:
# /usr/local/bin/mailgw-licensemanager -a 00053E3D.key
If the installation is successful, the server console will display information similar to the following:
Kaspersky license manager. Version 5.6.0/RELEASE
Copyright (C) Kaspersky Lab. 1998-2008.
Portions Copyright (C) Lan Crypto
Key file 00053E3D.key is successfully registered
You are advised to update the anti-virus database after the installation.
If you want to install a new key before the current one expires, it can be added as a backup key. The backup key is activated immediately after the current one expires. The term of validity of the additional key starts from the activation date. You can install only one backup key.
If you have installed two keys (the current and an additional one), information about both of them can be viewed on the server console.
5.6.3. Removing a key
To remove the current license key and the backup key (if it is installed), enter the following in the command line:
in Linux:
# /opt/kaspersky/mailgw/bin/mailgw-licensemanager -da
in FreeBSD:
# /usr/local/bin/mailgw-licensemanager -da
If the component removes the license key(s) successfully, the server console will display the following (or similar) information:
Kaspersky license manager. Version 5.6.0/RELEASE
Copyright (C) Kaspersky Lab. 1998-2008.
Portions Copyright (C) Lan Crypto
Active key was successfully removed
To remove a backup key, enter the following in the command line:
in Linux:
# /opt/kaspersky/mailgw/bin/mailgw-licensemanager -dr
in FreeBSD:
# /usr/local/bin/mailgw-licensemanager -dr
The server console will display the following (or similar) information:
Kaspersky license manager. Version 5.6.0/RELEASE
Copyright (C) Kaspersky Lab. 1998-2008.
Portions Copyright (C) Lan Crypto
Additional key was successfully removed
CHAPTER 6. ADVANCED APPLICATION SETTINGS
This chapter discusses in detail the advanced settings of Kaspersky Mail Gateway. In contrast to the main settings that provide the application's functionality, advanced settings are optional and can be configured at the administrator's discretion.
6.1. Configuring anti-virus protection of e-mail traffic
Application parameters in the [mailgw.policy] section define the modes for message scanning and disinfection. They also enable or disable the scanning of archives and of mail databases (the AVScanArchives and AVScanMailBases parameters respectively).
6.1.1. Setting up application timeouts
Attention! All timeout settings are located in the [mailgw.timeouts] section of the application configuration file.
Attention! Restart the application to apply modified settings.
By setting up various timeouts, the administrator can:
Limit the maximum interval between attempts to deliver unsent outgoing messages (MaximalBackoffTime parameter, in seconds).
Limit the minimum time which should elapse before the application attempts to re-send undelivered messages (MinimalBackoffTime parameter).
Specify the period during which the application keeps trying to deliver a message, at the frequency defined by the MinimalBackoffTime and MaximalBackoffTime parameters (MaximalQueueLifetime option).
After this period elapses, the unsent message will be removed from the ready-to-send queue. If necessary, a DSN message about the initial message delivery failure will be generated.
Specify timeouts for the network operations of the Sender and Receiver modules:
Network reading timeout (ReadTimeout option). The default timeout specified in the application's configuration file is the optimal value for most cases and it is advisable not to alter it.
Network writing timeout (WriteTimeout option). The default timeout specified in the application's configuration file is the optimal value for most cases and it is advisable not to alter it.
Specify timeouts used by the application to send messages:
Maximum time for receiving data from the remote server when es-
tablishing an SMTP session (SendingInitialTimeout option).
Maximum time to start an e-mail session (command HELO/EHLO)
(SendingHelloTimeout option).
Timeout for receiving a response from the remote server to the
MAIL FROM command (SendingMailTimeout option).
Timeout for defining the recipient (RCPT TO command) (Send-
ingRcptTimeout option).
Timeout for initiating data transfer (DATA command) (Sending-
DataInitiationTimeout option).
Timeout for stopping data transfer (CRLF.CRLF sequence) to the
remote server (SendingDataTerminationTimeout option).
Timeout for quitting the current e-mail session (QUIT command)
(SendingQuitTimeout option).
Specify timeouts used by the application to receive messages:
Timeout for starting the DATA command (ReceivingDataInitia-
tionTimeout option).
Timeout for stopping data transfer by the remote server (Receiv-
ingDataTerminationTimeout option).
Timeout for waiting for the HELO/EHLO, MAIL FROM, RCPT TO
and QUIT commands from the remote server (ReceivingCom- mandTimeout option).
Timeout for object processing by the AV module (ScanTimeout option).
• Specify timeouts used by the application during communication with DNS servers:
  o Timeout for sending a query to a DNS server and arrival of its response (DNSNetworkTimeout option).
  o Timeout for the total time it takes to receive a response from a DNS server for all attempts (DNSResolveTimeout option).
  o Timeout for storage of a DNS record in the DNS cache (DNSCacheMaximalTTL option).
  o Timeout for storage of a DNS record for unreachable servers in the mailgw cache (UnreachableCacheTTL option).
6.1.2. Setting performance restrictions
Attention! You can find all restriction settings in the [mailgw.limits] section of the application's configuration file.
Kaspersky Mail Gateway allows the administrator to set certain limits when working with the application, which may reduce the load on the server and increase performance. In addition, the application of network restrictions may prevent some types of virus outbreaks and DoS attacks, which attempt to paralyze mail servers with huge volumes of e-mail traffic.
You can set the following restrictions:
• Number of objects simultaneously processed by the Receiver, Sender and AV modules (the IncomingSessions, OutgoingSessions, and AntiviralSessions options, respectively).
• Maximum number of message hops (MaximalIncomingHops option). Set this parameter to avoid looping due to incorrect configuration of the routing table.
• Limit the maximum size for messages received by the server (MaximalIncomingMessageSize option), and the total number of messages received during one e-mail session (MaximalIncomingMessagesPerSession option).
• Limit the number of recipients of a single message (MaximalIncomingRcptsPerMessage option). This parameter prevents spam addressed to your users.
• Maximum size of a single e-mail session (MaximalIncomingSessionSize option).
• Maximum number of simultaneous connections from the same IP (or host) that are processed by the Receiver and by the Sender modules (MaximalIncomingSessionsPerIP and MaximalOutgoingSessionsPerHost options respectively).
• Minimum size of available disk space on the partition where the application's working queue is stored (the MinimalQueueFreeSpaceSize option). If during the application's operation the queue size increases to the point that the available space is below this value, the application will temporarily suspend receipt of new messages until the value returns to the specified limits.
If the e-mail traffic at your server exceeds the specified limits, you are advised to decrease the number of objects being simultaneously processed by the AV module (AntiviralSessions parameter) and the number of hops for a single message (MaximalIncomingMessageSize option). This will increase the application's performance and the message processing speed.
If your server has a low-speed Internet connection, the following actions are recommended:
• Decrease the number of objects being simultaneously processed by the Receiver and Sender modules (IncomingSessions and OutgoingSessions options).
• Decrease the maximum number of incoming messages received during a single session (MaximalIncomingMessagesPerSession option).
6.2. Setting up connection receiving interfaces
The set of interfaces and ports on which the application receives connections is defined by the ListenOn parameter in the [mailgw.network] section of the application's configuration file. By default, Kaspersky Mail Gateway listens for connections on port 25 using all available interfaces.
If a particular interface is to be used, rather than all available interfaces, or if it is necessary to use a port other than 25, additional settings configuration must be performed.
For instance, to make the application wait for connections on port 1025 of interface 192.168.0.1, assign the following value to the ListenOn parameter in the [mailgw.network] section:
ListenOn=192.168.0.1:1025
To use several particular interfaces, create several ListenOn parameter records in the configuration file, for instance:
ListenOn=192.168.0.1:25
ListenOn=10.0.0.1:25
6.3. Setting up the routing table
The application does not include a local agent for message delivery, and therefore all incoming e-mail messages must be transferred to the local host on which the agent is installed.
The rules for transferring (routing) are set by the ForwardRoute parameter in the [mailgw.forward] section.
This parameter is specified using one of the following formats:
ForwardRoute=<address_mask> <recipient>
ForwardRoute=<address_mask> [<recipient>]
ForwardRoute=<address_mask> [<recipient>:<port>]
where:
<address_mask> – the address of the recipient of the messages (wildcards "*" and "?" can be used; if the parameter is assigned the value any, then any recipient's address may be used).
<recipient> is the name of the domain containing the mail server, to which (according to MX records) the e-mail must be sent.
[<recipient>:<port>] is the delivery point, using the recipient's IP address or host name, and port number.
For example, if you create the following record in section [mailgw.forward]:
ForwardRoute=*@example.com [localhost:1025]
then all e-mail messages to example.com will be sent to port 1025 of the local host after processing by the application.
If several routing rules must be specified, create several copies of the ForwardRoute parameter in the configuration file.
For example, if the section [mailgw.forward] contains these entries:
ForwardRoute=*@example.com [localhost:1025]
ForwardRoute=*@example.net [somehost.example.com]
ForwardRoute=*@example.org example.com
the following processing rules will be followed:
• forward all e-mail messages for domain example.com to port 1025 of the local host after processing by the application;
• forward all e-mail messages for domain example.net to port 25 of host somehost.example.com after processing by the application;
• forward all e-mail messages for domain example.org to the MX host of domain example.com after processing by the application (the MX host will be resolved at the time the message is sent);
• forward all other messages to the corresponding MX hosts after anti-virus scanning and spam filtering.
Attention! When more than one rule applies to a message, the rule used is the first one where the specified domain matches the domain of the message recipient.
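As an added example (not part of the manual or of the product), the following Python script parses ForwardRoute rules in the three formats above and resolves a recipient with the first-match behaviour described in the Attention note; the [mailgw.forward] fragment it reads is constructed from the rules above, and the port 25 default for the [<recipient>] form follows the example.net rule. It also reports rules that can never fire, which is the usual way a mis-ordered routing table goes unnoticed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed [mailgw.forward] fragment (same three rule forms as the manual).
SAMPLE_FORWARD_SECTION = """\
[mailgw.forward]
ForwardRoute=*@example.com [localhost:1025]
ForwardRoute=*@example.net [somehost.example.com]
ForwardRoute=*@example.org example.com
"""


@dataclass(frozen=True)
class Route:
    mask: str            # recipient mask with "*" / "?" wildcards, or "any"
    target: str          # host of a [host[:port]] delivery point, or a domain to MX-resolve
    port: Optional[int]  # explicit or default port of a delivery point; None for the MX form
    direct: bool         # True for the bracketed forms (no MX lookup)


_RULE = re.compile(r"^ForwardRoute\s*=\s*(\S+)\s+(\S+)\s*$")


def parse_forward_routes(text: str) -> List[Route]:
    """Collect ForwardRoute rules from the [mailgw.forward] section in file
    order (order matters: the gateway uses the first matching rule)."""
    routes: List[Route] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_section = line.lower() == "[mailgw.forward]"
            continue
        if not in_section:
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"unparseable ForwardRoute rule: {raw!r}")
        mask, dest = m.groups()
        if dest.startswith("[") and dest.endswith("]"):
            host, _, port = dest[1:-1].partition(":")
            # [host] without a port delivers to port 25 (the manual's example.net case)
            routes.append(Route(mask, host, int(port) if port else 25, True))
        else:
            routes.append(Route(mask, dest, None, False))
    return routes


def _mask_matches(mask: str, address: str) -> bool:
    if mask.lower() == "any":
        return True
    # Only "*" and "?" are wildcards; everything else is literal. fullmatch
    # keeps "*@example.com" from also matching "x@example.com.other.test".
    pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask)
    return re.fullmatch(pattern, address, re.IGNORECASE) is not None


def route_for(recipient: str, routes: List[Route]) -> Optional[Route]:
    """First-match lookup; None means no rule applies and the gateway falls
    back to the MX hosts of the recipient's own domain."""
    for route in routes:
        if _mask_matches(route.mask, recipient):
            return route
    return None


def describe(recipient: str, routes: List[Route]) -> str:
    route = route_for(recipient, routes)
    if route is None:
        return "MX of recipient domain"
    if route.direct:
        return f"{route.target}:{route.port}"
    return f"MX of {route.target}"


def find_shadowed(routes: List[Route]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    catches everything they would (an 'any' rule, or an identical mask)."""
    shadowed: List[int] = []
    seen_any = False
    seen_masks = set()
    for i, route in enumerate(routes):
        key = route.mask.lower()
        if seen_any or key in seen_masks:
            shadowed.append(i)
        seen_masks.add(key)
        if key == "any":
            seen_any = True
    return shadowed
```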
6.4. Checking the configuration file syntax
Use the -k or --check-config key in the command line of the mailgwd application component to check the syntax of its configuration file.
If the configuration file contains no errors, no information will be output to the server console.
If the check reveals errors, the list of errors will be displayed in the console.
6.5. Syntax check in notification templates
The application allows syntax checks of notification templates to be made by the mailgw-tlv utility, which is installed by default in the directory /opt/kaspersky/mailgw/bin/ (in Linux distributions) or in /usr/local/bin/ (for FreeBSD distributions).
To check the syntax of a notification template, enter the following in the command line:
in Linux:
> /opt/kaspersky/mailgw/bin/mailgw-tlv ./dsn.tmpl
in FreeBSD:
> /usr/local/bin/mailgw-tlv ./dsn.tmpl
The utility will output, to the server console, a report similar to the example below:
Kaspersky Template Language Verifier, version 5.6.12/RELEASE,
Copyright (C) Kaspersky Lab, 1997-2008
Parsing error: Unexpected end of line in the declaration, line 63
If a template check is successful, the utility will report that template syntax is correct. In case of errors it will display a description of the possible failure. The utility's return codes are described in section B.13 on p. 170.
6.6. Work with e-mail archives and the quarantine directory
The mailgw-maila utility allows the management of objects stored in the quarantine directories, or in the archives of incoming/outgoing messages. The mailgw-maila utility is installed by default to the /opt/kaspersky/mailgw/bin/ directory (in Linux) or /usr/local/bin/ directory (in FreeBSD).
It has the following functionality:
• Reviewing the whole storage contents, or information about certain messages, for example, in Linux:
> /opt/kaspersky/mailgw/bin/mailgw-maila --show-all --archive-path=/var/opt/kaspersky/mailgw/arch_in
In FreeBSD:
> /usr/local/bin/mailgw-maila --show-all --archive-path=/var/db/kaspersky/mailgw/arch_in
The following (or similar) information will be output to console:
Kaspersky Mail Archives Manager, version 5.6.12/RELEASE,
Copyright (C) Kaspersky Lab, 1997-2008
--QueueID--Status-Size-------ArrivalTime---------------Sender.../Recipient...
jFDpgGKo70777 av/suspicious 1065 Mon, 12 Dec 2007 15:13:51 +0300 10.0.0.1 <test@example.com> -> <test2@example.com>
jFDpg4Hc04120 av/error 1056 Mon, 12 Dec 2007 15:13:51 +0300 10.0.0.1 <test@example.com> -> test2@example.com
Total: 2 archived messages, 11425 bytes.
The utility outputs information about messages in a storage directory in the following format:
ID STATUS SIZE DATE IP <SENDER> -> <RECIPIENT>
where:
ID – identification number of a stored message;
STATUS – message status reflecting its current state. A stored message may have any of the following statuses:
  o incoming – message from the archive of incoming mail;
  o outgoing – message from the archive of outgoing mail;
  o as/spam – message with the Spam status, assigned by the anti-spam module;
  o as/probable – message with the status Probable Spam, assigned by the anti-spam module;
  o as/formal – message with the Formal status, assigned by the anti-spam module;
  o as/blacklisted – message with the Blacklisted status, assigned by the anti-spam module;
  o av/clean – message with the Clean status, assigned by the AV module;
  o av/disinfected – message with the Disinfected status, assigned by the AV module;
  o av/infected – message with the Infected status, assigned by the AV module;
  o av/suspicious – message with the Suspicious status, assigned by the AV module;
  o av/protected – message with the Protected status, assigned by the AV module;
  o av/error – message with the Error status, assigned by the AV module;
  o av/filtered – message with the Filtered status, assigned by the AV module.
SIZE – message size (may be specified in bytes, kilobytes, or megabytes as determined by the respective prefixes);
DATE – time and date that the message was received by the application;
IP – IP address of the message sender;
SENDER – message sender's address;
RECIPIENT – message recipient's address (the field may contain several values).
• Removal of all messages, or a specified message, from storage, for example, in Linux:
> /opt/kaspersky/mailgw/bin/mailgw-maila --remove-all=jHrWPC7s86253 --archive-path=/var/opt/kaspersky/mailgw/arch_in
In FreeBSD:
> /usr/local/bin/mailgw-maila --remove-all --archive-path=/var/db/kaspersky/mailgw/arch_in
The following (or similar) information will be output to console:
Kaspersky Mail Archives Manager, version 5.6.12/RELEASE,
Copyright (C) Kaspersky Lab, 1997-2008
Total: 4586 archived messages have been removed.
• Sending of all messages/certain messages from storage directories to their original recipients, for example, in Linux:
> /opt/kaspersky/mailgw/bin/mailgw-maila --send-id=jHrWPC7s86253 --archive-path=/var/opt/kaspersky/mailgw/arch_in
In FreeBSD:
> /usr/local/bin/mailgw-maila --send-id=jHrWPC7s86253 --archive-path=/var/db/kaspersky/mailgw/arch_in
The following (or similar) information will be output to console:
Kaspersky Mail Archives Manager version 5.6.19/RELEASE,
Copyright (C) Kaspersky Lab, 1997-2008
Message with QueueID jHrWPC7s86253 will be sent asap.
Attention! If the --send-id command line option is specified, the selected message must pass the anti-virus scanning and anti-spam filtering procedure before it is delivered to the recipient. To send a message from storage without anti-virus scanning and anti-spam filtration, use the --send-id-without-check command line option.
Note
Descriptions of command line options for the mailgw-maila utility can be found in section B.16 on p. 181, and its return codes are described in section B.17 on p. 182.
6.7. Management of application working queue
While the application is running, it creates a working queue of messages for processing by the anti-spam and AV modules.
The mailgw-mailq utility, which is installed by default in the directory /opt/kaspersky/mailgw/bin/ (in Linux distributions) or in /usr/local/bin/ (for FreeBSD distributions), allows the management of messages in the working queue.
It has the following functionality:
• Reviewing the contents of the working queue, or supplying information on specific messages in it.
To display information about all messages in the working queue, enter the following in the command line (in Linux):
> /opt/kaspersky/mailgw/bin/mailgw-mailq --show-all
In FreeBSD:
> /usr/local/bin/mailgw-mailq --show-all
The utility will output to the server console a report similar to the example below:
Kaspersky Mail Queue Manager, version 5.6.12/RELEASE,
Copyright (C) Kaspersky Lab, 1997-2008
--QueueID--Status-Size-------ArrivalTime---------------Sender.../Recipient...
iAgUF4Oi21098 WFS 1570 Tue, 12 Feb 2007 10:42:30 +0000 10.0.0.28 <test2@scmsmtpgw1.example.com> -> <test1@scmsmtpgw1.example.com>
iAgVF4Qs38118 WFC 897 Tue, 12 Feb 2007 10:42:31 +0000 10.0.0.16 <test2@scmsmtpgw1.example.com> -> <test1@scmsmtpgw1.example.com>
iAgTF45Y97588 SND 1048 Tue, 12 Feb 2007 10:42:29 +0000 10.0.0.16 <test2@scmsmtpgw1.example.com> -> <test1@scmsmtpgw1.example.com>
Total: 3 queued messages, 3515 bytes.
The application outputs information about messages in the working queue in the following format:
ID STATUS SIZE DATE IP <SENDER> -> <RECIPIENT>
where:
ID – identification number of a queued message;
STATUS – message status reflecting its current state. A message in the working queue may have any of the following statuses:
  o WFC – message waiting for anti-spam filtration and anti-virus scanning;
  o CHK – message being scanned for virus presence;
  o WFS – message waiting for creation of its virtual copies;
  o SPL – message being used for creation of virtual copies;
  o QUE – message waiting to be sent to its recipient;
  o SND – message being sent.
SIZE – message size, which may be specified in bytes, kilobytes, or megabytes as determined by the respective prefixes;
DATE – time and date that the message was added to the queue;
IP – IP address of the message sender;
SENDER – message sender's address;
RECIPIENT – message recipient's address (the field may contain several values).
• Removal of all messages, or a specified message, from the working queue.
To remove all messages from the working queue, enter the following in the command line (in Linux):
> /opt/kaspersky/mailgw/bin/mailgw-mailq --remove-all
In FreeBSD:
> /usr/local/bin/mailgw-mailq --remove-all
The utility will output to the server console a report similar to the example below:
Kaspersky Mail Queue Manager, version 5.6.12/RELEASE,
Copyright (C) Kaspersky Lab, 1997-2008
Total: 12 queued messages have been removed.
Attention! A message can only be removed from the queue if its status is WFC, WFS or QUE.
• Send all or selected messages ahead of the general queue, for example, in Linux:
> /opt/kaspersky/mailgw/bin/mailgw-mailq --send-id=jHrWPC7s86253
In FreeBSD:
> /usr/local/bin/mailgw-mailq --send-id=jHrWPC7s86253
The following (or similar) information will be output to console:
Kaspersky Mail Queue Manager, version 5.6.12/RELEASE,
Copyright (C) Kaspersky Lab, 1997-2008
Message with QueueID jHrWPC7s86253 will be sent asap.
Attention! A message can be sent ahead of the general queue only if it has the status QUE (expects delivery to the recipient).
Note
Descriptions of command line options for the mailgw-mailq utility can be found in section B.15 on p. 180, and its return codes are described in section B.17 on p. 182.
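The --show-all listings of mailgw-maila (6.6) and mailgw-mailq (6.7) share the ID STATUS SIZE DATE IP <SENDER> -> <RECIPIENT> line format. The following Python parser is an added example, not part of the product: it reads both listings, skips the banner, header and Total lines, and provides the two checks an administrator usually scripts on top of it (archive entries whose AV verdict needs review, and queue entries that have been waiting longer than a threshold). The listings are constructed from the manual's example lines plus one constructed multi-recipient QUE entry with a kilobyte-prefixed size; the reference time SAMPLE_NOW is also constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List

# Constructed mailgw-mailq --show-all output: the manual's three lines plus one
# constructed QUE entry with two recipients and a "K" size prefix.
SAMPLE_QUEUE_LISTING = """\
Kaspersky Mail Queue Manager, version 5.6.12/RELEASE,
Copyright (C) Kaspersky Lab, 1997-2008
--QueueID--Status-Size-------ArrivalTime---------------Sender.../Recipient...
iAgUF4Oi21098 WFS 1570 Tue, 12 Feb 2007 10:42:30 +0000 10.0.0.28 <test2@scmsmtpgw1.example.com> -> <test1@scmsmtpgw1.example.com>
iAgVF4Qs38118 WFC 897 Tue, 12 Feb 2007 10:42:31 +0000 10.0.0.16 <test2@scmsmtpgw1.example.com> -> <test1@scmsmtpgw1.example.com>
iAgTF45Y97588 SND 1048 Tue, 12 Feb 2007 10:42:29 +0000 10.0.0.16 <test2@scmsmtpgw1.example.com> -> <test1@scmsmtpgw1.example.com>
iAgWF4Qz00001 QUE 2K Tue, 12 Feb 2007 10:43:00 +0000 10.0.0.16 <test2@scmsmtpgw1.example.com> -> <a@example.com> <b@example.com>
Total: 4 queued messages, 5563 bytes.
"""

# The manual's mailgw-maila example (archive statuses instead of queue states).
SAMPLE_ARCHIVE_LISTING = """\
jFDpgGKo70777 av/suspicious 1065 Mon, 12 Dec 2007 15:13:51 +0300 10.0.0.1 <test@example.com> -> <test2@example.com>
jFDpg4Hc04120 av/error 1056 Mon, 12 Dec 2007 15:13:51 +0300 10.0.0.1 <test@example.com> -> test2@example.com
Total: 2 archived messages, 11425 bytes.
"""

# Constructed "current time" for the age check below.
SAMPLE_NOW = datetime(2007, 2, 12, 10, 47, 30, tzinfo=timezone.utc)


@dataclass
class Entry:
    queue_id: str
    status: str
    size: int           # bytes
    arrival: datetime   # timezone-aware
    ip: str
    sender: str
    recipients: List[str]


_ENTRY = re.compile(
    r"^(?P<id>\S+)\s+(?P<status>\S+)\s+(?P<size>\d+[KMkm]?)\s+"
    r"(?P<date>\w{3}, \d{1,2} \w{3} \d{4} \d\d:\d\d:\d\d [+-]\d{4})\s+"
    r"(?P<ip>\S+)\s+(?P<sender>\S+)\s+->\s+(?P<rcpts>.+?)\s*$"
)
_UNITS = {"K": 1024, "M": 1024 * 1024}


def _size_bytes(token: str) -> int:
    unit = token[-1].upper()
    return int(token[:-1]) * _UNITS[unit] if unit in _UNITS else int(token)


def _strip_brackets(addr: str) -> str:
    return addr[1:-1] if addr.startswith("<") and addr.endswith(">") else addr


def parse_listing(text: str) -> List[Entry]:
    """Parse mailgw-mailq / mailgw-maila --show-all output. Banner, column
    header and Total lines do not match the entry pattern and are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue
        entries.append(Entry(
            m["id"], m["status"], _size_bytes(m["size"]),
            parsedate_to_datetime(m["date"]), m["ip"],
            _strip_brackets(m["sender"]),
            [_strip_brackets(r) for r in m["rcpts"].split()],
        ))
    return entries


def by_status(entries: List[Entry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.status] = counts.get(e.status, 0) + 1
    return counts


def older_than(entries: List[Entry], now: datetime, seconds: int) -> List[Entry]:
    """Entries that have sat in the queue longer than `seconds`. A growing
    set of old QUE/SND entries points at delivery problems (see the backoff
    timeouts in 6.1.1); old WFC/CHK entries point at scanning load."""
    return [e for e in entries if now - e.arrival > timedelta(seconds=seconds)]


def needs_review(entries: List[Entry]) -> List[Entry]:
    """Archive entries an administrator should look at: AV verdicts other than
    clean/disinfected, and av/error, where the content was never verified."""
    flagged = ("av/suspicious", "av/infected", "av/protected", "av/error")
    return [e for e in entries if e.status in flagged]
```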
6.8. Managing the application
While Kaspersky Mail Gateway is running, it can be managed using scripts, signals, and the command line.
This section describes how to manage the application using scripts. For management options using signals, see section B.3 on p. 155, and for information about using files, see section B.4 on p. 155.
Attention! Application management using scripts requires privileged user (root) rights.
If you use the Linux distribution package to run the management script, enter the following at the command line:
# /opt/kaspersky/mailgw/lib/bin/mailgw <action>
or use the link:
# /etc/init.d/mailgw <action>
If you use the FreeBSD distribution package, run the management script by entering the following:
# /usr/local/etc/rc.d/mailgw.sh <action>
Table 1 contains possible values of the <action> parameter:
Table 1. Management script parameters
Value         Meaning
start         Start the application.
stop          Stop the application.
restart       Stop and then start the application.
reload        Reinitialize the main application component, reload the anti-virus database and the configuration file, and restart the anti-spam module.
reload-bases  Reload the anti-virus databases and restart the anti-spam module.
status        Request the application's status.
stats         Request the application's statistics.
recv-off      Suspend the operation of the Receiver module.
recv-on       Resume the operation of the Receiver module.
send-off      Suspend the operation of the Sender module.
send-on       Resume the operation of the Sender module.
check-off     Suspend the operation of the scanning module.
check-on      Resume the operation of the scanning module.
clear-stats   Reset statistics.
post-update   Load Kaspersky Mail Gateway databases after their successful downloading.
When the Receiver module is suspended, mail servers will be unable to establish a connection with Kaspersky Mail Gateway to transfer messages to recipients within your e-mail system. Messages already added to the work queue will be treated as normal, that is, scanned for viruses and spam signs, processed in accordance with the existing rules and forwarded to the recipients (unless the rules block their delivery).
When the Sender module is suspended, the application stops transmitting processed messages. Processed messages will be preserved in the work queue of outgoing messages. Suspension of the Sender module does not affect the Receiver module. Receipt of messages from mail servers will not be suspended.
When the scanning module is suspended, e-mail messages accepted by the Receiver module will be transferred directly to the Sender module for subsequent delivery to recipients. Anti-virus scanning, spam filtering and message processing will not be performed.
6.9. Control of application activity
A special watchdog process ensures that individual application modules function correctly while the software is running. As soon as the application starts, it creates a child process to monitor the application. If after a specified interval the parent process receives no confirmation of correct operation from any module, the watchdog process restarts the application.
Attention! You can control timeouts of the watchdog process using the application command line options. See section B.6 on p. 163 for details.
6.10. Customizing date and time formats
Kaspersky Mail Gateway generates reports on the activity of every component. This information always contains the date and time of report generation.
By default, Kaspersky Mail Gateway displays the date and time using the strftime standard:
• %H:%M:%S – displayed time format.
• %d-%m-%Y – displayed date format.
The administrator can customize how time and date information are displayed in the [locale] section of the application configuration file. You can specify one of the following formats:
• %I:%M:%S %P – display time in 12-hour format (TimeFormat parameter).
• %y/%m/%d or %m/%d/%y – display date (DateFormat parameter) as yy/mm/dd or mm/dd/yy, respectively.
6.11. Reporting options
The performance of the main application component is recorded either in the application log file in plain text format (LogFilename option in the [mailgw.options] section) or in the system log (syslog). The data is not logged if the LogFilename option is not defined (LogFilename=).
To customize the output data, change the report detail level (LogLevel option in the [mailgw.options] section).
Report detail level is a number that defines the level of reported details for application performance data. Each subsequent level of detail contains all the details from the previous level, and adds new information.
Table 2 below lists the possible report detail levels.
Table 2. Report detail levels
Level  Level description  Letter symbol  Meaning
0      Fatal Errors       F              Only information regarding critical errors which terminate the program, due to the impossibility of executing an action. For example, a component is infected, or scanning, database loading, or product key loading failed.
1      Errors             E              Information about other errors that may or may not lead to application shutdown, for example, file scan errors.
2      Warning            W              Notifications about errors that may lead to the application shutdown (product key expiration warning, out-of-disk-space warning, etc.).
3      Info, Notice       I              Important informational messages, such as whether a component is running or inactive, the path to the configuration file, latest changes in the scan area, database updates, product keys, statistics summary.
4      Activity           A              Messages on scanning of files according to the report detail level.
9      Debug              D              All debug messages.
Information about fatal errors is always displayed, regardless of the report detail level. The optimal level is level 4, which is also the default level.
Information messages may be divided into the following types:
• Messages about actions on e-mail messages.
• Notifications about system events.
• Other messages (component start, loading of databases, return codes, etc.).
The output format for each of the levels of detail listed above is as follows:
for messages about actions on e-mail messages:
[date time detail_level] envelope-id: MESSAGE;
for all other types of message:
[date time detail_level]: MESSAGE,
where:
[date time detail_level] gives the date and the time (in the format specified by the administrator in the [locale] section) and the letter indicating the report detail level.
envelope-id – e-mail message identifier in the working queue of the application, which identifies the e-mail message.
MESSAGE – message text that may have different formats depending on the message type.
For the text of report messages containing information about actions on e-mail messages, see section B.20 on p. 187.
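As an added example (not part of the manual or the product), the Python parser below reads log lines in the two formats just described, maps the level letter to the numeric level of Table 2, honours a customized DateFormat/TimeFormat from the [locale] section (6.10), and groups per-message lines by envelope-id. The log lines are constructed; their message texts are invented and not the product's actual wording.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Detail levels from Table 2, keyed by the letter that appears in each line.
LEVELS: Dict[str, int] = {"F": 0, "E": 1, "W": 2, "I": 3, "A": 4, "D": 9}

# Constructed log lines in the two documented formats, using the default
# [locale] formats (%d-%m-%Y and %H:%M:%S). Message texts are invented.
SAMPLE_LOG = """\
[18-01-2008 08:56:14 I]: bases loaded, 519212 records
[18-01-2008 08:57:02 A] iAgUF4Oi21098: message accepted from 10.0.0.28
[18-01-2008 08:57:03 A] iAgUF4Oi21098: scanned, status clean
[18-01-2008 08:57:05 W]: free space in queue directory is low
[18-01-2008 08:57:09 E] iAgVF4Qs38118: scan error, object not processed
[18-01-2008 08:57:10 D] iAgVF4Qs38118: scheduling retry
this line is not in the documented format
"""


@dataclass
class LogEntry:
    when: datetime
    level: int                  # numeric level from Table 2 (9 for unparsed lines)
    letter: str
    envelope_id: Optional[str]  # None for system / other messages
    message: str


# The timestamp is captured up to the level letter, so a TimeFormat that
# contains spaces still parses; strptime then applies the configured formats.
_LINE = re.compile(
    r"^\[(?P<stamp>.+?) (?P<letter>[FEWIAD])\](?: (?P<env>[^\s:]+))?: (?P<msg>.*)$"
)


def parse_log(text: str, date_format: str = "%d-%m-%Y",
              time_format: str = "%H:%M:%S") -> List[LogEntry]:
    """Parse mailgw log lines. Pass the DateFormat/TimeFormat values from the
    [locale] section if they were customized. Lines that do not match are kept
    as level-9 entries with an empty timestamp rather than dropped silently."""
    entries: List[LogEntry] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            entries.append(LogEntry(datetime.min, 9, "?", None, line))
            continue
        when = datetime.strptime(m["stamp"], f"{date_format} {time_format}")
        entries.append(LogEntry(when, LEVELS[m["letter"]], m["letter"], m["env"], m["msg"]))
    return entries


def visible_at(entries: List[LogEntry], log_level: int) -> List[LogEntry]:
    """What the log would contain at LogLevel=log_level: each level includes
    everything from the lower levels, and fatal errors (level 0) always appear."""
    return [e for e in entries if e.level <= log_level]


def by_envelope(entries: List[LogEntry]) -> Dict[str, List[str]]:
    """Group per-message lines by envelope-id so one message's history
    (accepted, scanned, sent, or a scan error) can be read end to end."""
    history: Dict[str, List[str]] = {}
    for e in entries:
        if e.envelope_id is not None:
            history.setdefault(e.envelope_id, []).append(e.message)
    return history


def scan_errors(entries: List[LogEntry]) -> List[str]:
    """Envelope ids that logged a level-E line: those messages were not fully
    verified and are worth cross-checking in the queue or archive (6.6, 6.7)."""
    return sorted({e.envelope_id for e in entries if e.letter == "E" and e.envelope_id})
```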
6.12. Adding supplementary information to messages
The application supports two methods of adding supplementary information to e-mail messages:
• Adding an extension header field to the e-mail message.
The information may describe the application's version, the date when the anti-virus databases were last updated, or the time and result of anti-virus and anti-spam scanning of the message (determined by the AddXHeaders parameter in the [mailgw.policy] section of the application configuration file).
Header format:
X-Anti-Virus: <product name and version>, bases: <date of the last update to anti-virus databases in YYYYMMDD format> #<the number of records in AV databases>, check: <scan date in YYYYMMDDTHHMMSS format> <scanning status or not_checked>
where:
YYYY – year indicated in four-digit format;
MM – month;
DD – day;
HH – hour;
MM – minute;
SS – second.
E.g.:
X-Anti-Virus: Kaspersky Mail Gateway, version 5.6.12/RELEASE, bases: 20080118T085614 #519212, check: 20080118 clean
For detailed information about the headers added to messages by the anti-spam module, please see section B.18 on page 183.
• Adding a disclaimer text to the e-mail message's body.
The information will be added as plain text; it may contain a statement generated in accordance with the security policy (or other rules) of a specific organization (the AddDisclaimer parameter in the [mailgw.policy] section). The default message text notifies that the message has been scanned by Kaspersky Mail Gateway. The administrator can modify the information format (e.g., generate the disclaimer message as HTML text).
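As an added example (not the product's code), the following Python parser reads the X-Anti-Virus header in the format above and surfaces the conditions a mail administrator would want flagged downstream: a not_checked status and stale anti-virus bases. The header value is the manual's own example; note that in it the bases field carries the YYYYMMDDTHHMMSS form and the check field the YYYYMMDD form, so both fields are parsed leniently here. The staleness threshold and the sample date are assumptions, not product settings.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional

# Header value taken from the manual's example above.
SAMPLE_HEADER = ("Kaspersky Mail Gateway, version 5.6.12/RELEASE, "
                 "bases: 20080118T085614 #519212, check: 20080118 clean")

# Constructed reference day for the staleness check (two weeks after the bases date).
SAMPLE_TODAY = date(2008, 2, 1)


@dataclass
class AVHeader:
    product: str
    bases_date: datetime
    bases_records: int
    check_date: datetime
    status: str   # scanning status, or "not_checked"


# Both date fields accept YYYYMMDD or YYYYMMDDTHHMMSS (see lead-in).
_HDR = re.compile(
    r"^(?P<product>.+?),\s*bases:\s*(?P<bdate>\d{8}(?:T\d{6})?)\s*#(?P<records>\d+),"
    r"\s*check:\s*(?P<cdate>\d{8}(?:T\d{6})?)\s+(?P<status>\S+)\s*$"
)


def _stamp(s: str) -> datetime:
    return datetime.strptime(s, "%Y%m%dT%H%M%S" if "T" in s else "%Y%m%d")


def parse_x_anti_virus(value: str) -> AVHeader:
    m = _HDR.match(value.strip())
    if not m:
        raise ValueError(f"not an X-Anti-Virus header value: {value!r}")
    return AVHeader(m["product"], _stamp(m["bdate"]), int(m["records"]),
                    _stamp(m["cdate"]), m["status"])


def findings(hdr: AVHeader, today: date, max_bases_age_days: int = 3) -> List[str]:
    """Conditions worth surfacing from the header. The age threshold is an
    assumption for this example, not a product setting."""
    out: List[str] = []
    if hdr.status == "not_checked":
        # No verdict was produced, e.g. while the scanning module is suspended
        # (check-off in 6.8), so the message was delivered without scanning.
        out.append("message was not scanned")
    elif hdr.status not in ("clean", "disinfected"):
        out.append(f"scan status {hdr.status}")
    age = (today - hdr.bases_date.date()).days
    if age > max_bases_age_days:
        out.append(f"anti-virus bases are {age} days old")
    return out


def from_message_headers(raw_headers: str) -> Optional[AVHeader]:
    """Pick the X-Anti-Virus header out of a raw header block (folded lines
    are joined first). Only the header added by your own gateway should be
    trusted: an X-Anti-Virus header that already arrived on an inbound message
    was written by someone else and should be stripped or ignored."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    for line in unfolded.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-anti-virus":
            return parse_x_anti_virus(value)
    return None
```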
6.13. Control of application activity via SNMP
Beginning with version 5.6, the application provides read-only access to the following information via Simple Network Management Protocol (SNMP):
• Configuration of the application – information about all parameters from all sections of the program configuration file.
• Activity statistics – statistical information about application operations.
Availability of the information via SNMP is defined by the SNMPServices parameter in the [mailgw.snmp] section of the configuration file.
The application provides the following data accessible through SNMP:
• Information about configuration of the application.
• Statistics of application activity:
  o Date of application launch (in ISO 8601 format).
  o Time (seconds) passed since application start.
  o Date of the last successful update (in ISO 8601 format).
  o Total number of records in the current databases of Kaspersky Mail Gateway.
  o Release date of the current application database update (in ISO 8601 format).
Interaction via SNMP is implemented in Kaspersky Mail Gateway using an SNMP subagent, which works in turn with an SNMP master agent. Interaction parameters are listed in the [mailgw.snmp] section of the configuration file:
• ConnectTo – the option defines the socket for interaction. A local file or a network socket can be used. E.g.:
ConnectTo=unix:/path/to/dir/
or
ConnectTo=127.0.0.1:705
• PingInterval – interval (seconds) that the subagent will use between attempts to connect to the master agent in case of disconnection.
• Timeout – timeout (seconds) for sending a request to the master agent.
• Retries – number of attempts to send a request to the master agent.
The application can use as master any agent that supports the AgentX protocol. In this section the NET-SNMP agent is used as an example. Interaction is performed through a local socket.
Attention! To ensure correct interaction with the application via AgentX, you are advised to use NET-SNMP version 5.1.2 or later.
The following steps are necessary for configuration of the agent:
1. Modify the snmpd.conf configuration file adding the following lines to it:
master agentx
AgentXSocket tcp:localhost:705
rocommunity public
trapsink localhost
2. Modify the snmp.conf configuration file adding the following lines to it:
mibdirs +/opt/kaspersky/mailgw/share/snmp-mibs
mibs all
The /opt/kaspersky/mailgw/share/snmp-mibs (in Linux) or /usr/local/share/mailgw/snmp-mibs path (in FreeBSD) defines the location of the MIB files of Kaspersky Mail Gateway. If you have installed the application to a different directory, specify the path corresponding to your configuration.
3. Restart NET-SNMP.
Note
Detailed information regarding configuration of the NET-SNMP agent is available at its official site http://www.net-snmp.org/. To display information about snmpd.conf and snmp.conf use the program manual pages.
During data access via SNMP the following OID (object identifier) is used:
1.3.6.1.4.1.23668.1159
The administrator can configure the application to send SNMP traps when certain events occur. Generation of SNMP traps is regulated by the SNMPTraps option in the [mailgw.snmp] section of the configuration file. SNMP traps are generated when the following events occur:
• Reloading of the anti-virus databases (TrapBasesReloaded, TrapBasesReloading) or application configuration (TrapConfigReloaded, TrapConfigReloading).
• Application start/stop (TrapStart, TrapStarting, TrapStop, TrapStopping), critical error (TrapError).
CHAPTER 7. TESTING APPLICATION OPERABILITY
After you install and configure Kaspersky Mail Gateway, it is recommended that you test its settings and operability by using the following three methods:
• Telnet program.
• Mail messages containing test phrases in the Subject header.
• Templates GTUBE.
• EICAR test virus.
7.1. Testing mail receipt and delivery using Telnet
To test the application operation using Telnet it is necessary to:
1. Connect to the server on which the application is installed using Telnet. To do so, enter the following at the command line:
telnet <mailgw host address> <port>
where <mailgw host address> and <port> are the values assigned to the ListenOn option in the [mailgw.network] section of the application configuration file.
2. After the connection is established, wait for a response from the main application component. You will see the following information:
220 example.org ESMTP
where example.org is the name of the server being tested.
3. After the connection to the server is confirmed, type the following at the command line:
EHLO <fqdn>
where <fqdn> stands for the fully qualified domain name of the host which establishes the connection.
You will see the following (or similar) information:
250-example.org hello user [127.0.0.1]
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 10485760
250 DSN
where:
example.org is the name of the server being tested;
user is the client host name;
[127.0.0.1] is the client IP address.
Enter at the command line:
MAIL FROM: <sender_address>
You will see the following (or similar) information:
250 2.1.0 OK
Enter at the command line:
RCPT TO: <recipient_address>
You will see the following (or similar) information:
250 2.1.0 OK
Enter in the command line:
DATA
You will see the following (or similar) information:
354 Start mail input; end with <CRLF>.<CRLF>
Enter in the command line:
From:xz@example.com
To: xz@example.com
Subject: test
test
.
You will see the following (or similar) information:
250 2.1.0 OK
Page 99
Testing application operability 99
4. If the response is 250 2.1.0 OK, the test message has been successfully accepted by the server. After this, the message will be checked by the anti-spam module, scanned for viruses and then sent to the recipient in accordance with the routing table. You are advised to check message delivery. To verify the results, view the application statistics. One message will be added to the totals for scanned and sent messages.
7.2. Testing the anti-spam filtration
To test the Spamtest filter functionality, you must create e-mail messages containing specific phrases in the Subject header. Table 3 below contains a summary of test phrases and the corresponding Spamtest responses.
Table 3. Test messages
Test phrase in the Subject header | Response of the anti-spam module
Subject: spam is bad do not send it (or Subject: t h i s i s n o t s p a m) | Based on the analysis, the message will be assigned the Spam status.
Subject: News and special events May | Based on the analysis, the message will be assigned the Probable Spam status.
Subject: Out of Office AutoReply | Based on the filter's analysis, the message will be assigned the status Not detected. The label [--Formal Messages--] will be added to its Subject header.
Text of the Subject header contains invective. | Based on the filter's analysis, the message will be assigned the status Not detected. The label [--Obscene--] will be added to its Subject header.
Having sent a message with a test phrase in the Subject, you should check that the message has been processed in accordance with the specified rules: for instance, that the application has changed the specified message headers, or that the message has been added to the quarantine directory. If the application does not function properly, you should consult Kaspersky Lab's Technical Support.
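The Telnet exchange of section 7.1 and the Subject-header test of section 7.2 can be scripted so that every reply code is checked rather than read by eye. The following is an added example and not part of the product or this guide; the server replies it replays are copied from section 7.1 as a constructed offline stand-in, and the client host name client.example.com is an assumption.

```python
import io

# Server replies copied from the section 7.1 walkthrough; used here as a
# constructed, offline stand-in for a live Kaspersky Mail Gateway session.
SAMPLE_SESSION = (
    b"220 example.org ESMTP\r\n"
    b"250-example.org hello user [127.0.0.1]\r\n250-ENHANCEDSTATUSCODES\r\n"
    b"250-PIPELINING\r\n250-8BITMIME\r\n250-SIZE 10485760\r\n250 DSN\r\n"
    b"250 2.1.0 OK\r\n250 2.1.0 OK\r\n"
    b"354 Start mail input; end with <CRLF>.<CRLF>\r\n250 2.1.0 OK\r\n"
)

def read_reply(rfile):
    """Read one SMTP reply: a '250-' line continues it, '250 ' ends it."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("latin-1").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines

def smtp_test(rfile, wfile, fqdn, sender, recipient, subject):
    """Replay the section 7.1 exchange and return [(step, reply code), ...]."""
    code, _ = read_reply(rfile)                      # 220 greeting
    results = [("connect", code)]
    # Headers, the blank separator line, the body, then the lone '.' terminator.
    message = (f"From: {sender}\r\nTo: {recipient}\r\nSubject: {subject}\r\n"
               f"\r\ntest\r\n.")
    for step, command, expected in (
        ("EHLO", f"EHLO {fqdn}", 250),
        ("MAIL FROM", f"MAIL FROM:<{sender}>", 250),
        ("RCPT TO", f"RCPT TO:<{recipient}>", 250),
        ("DATA", "DATA", 354),
        ("message", message, 250),
    ):
        wfile.write((command + "\r\n").encode("latin-1"))
        code, lines = read_reply(rfile)
        results.append((step, code))
        if code != expected:                         # stop at the first failure
            raise RuntimeError(f"{step}: expected {expected}, got {lines}")
    return results

def run_offline(subject):
    """Drive smtp_test against SAMPLE_SESSION; returns (results, bytes sent)."""
    rfile, wfile = io.BytesIO(SAMPLE_SESSION), io.BytesIO()
    results = smtp_test(rfile, wfile, "client.example.com",
                        "xz@example.com", "xz@example.com", subject)
    return results, wfile.getvalue().decode("latin-1")
```

Against a real installation, replace the two BytesIO objects with sock.makefile("rb") and sock.makefile("wb", buffering=0) from socket.create_connection((host, port)), using the ListenOn values. Pass one of the Table 3 phrases as the subject and then verify the resulting status in the delivered message or the quarantine directory as section 7.2 describes.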
Attention! Never use real viruses to test the operation of your anti-virus application!
Furthermore, you can test filtration using the special GTUBE (Generic Test for Unsolicited Bulk E-mail) template. Testing spam filtration with GTUBE works in the same way as testing anti-virus software with the EICAR test virus.
Create an e-mail message containing the following string (without spaces or hyphenation):
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
and send it to an e-mail account protected by Kaspersky Mail Gateway. After analysis the message will receive the SPAM status and the application will apply to it the action specified in the policy assigned for the account.
7.3. Testing the application using EICAR
This test "virus" has been developed by EICAR (the European Institute for Computer Anti-Virus Research) specifically to verify the functioning of anti-virus software.
It IS NOT A VIRUS and contains no code that may harm your computer. However, most anti-virus products identify it as a virus, according to the European Institute for Computer Anti-Virus Research.
The test "virus" can be downloaded from the official EICAR site at http://www.eicar.org/anti_virus_test_file.htm. If you have no Internet access, you can create the test "virus" manually by entering the line below into any text editor and saving the file as eicar.com:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
The file that you downloaded from the EICAR website, or created in a text editor as described above, contains the body of a standard test "virus". The anti-virus application will detect it, flag it as Infected and perform the specified action for objects with this status.
To test the application's response to objects with other statuses, modify the body of the standard test "virus" by adding one of the prefixes below (see Table 4).