KASPERSKY Mail Gateway 5.6 User Manual

KASPERSKY LAB

Kaspersky® Mail Gateway 5.6

ADMINISTRATOR’S

GUIDE

KASPERSKY® MA I L GAT E W A Y 5 . 6

Administrator’s Guide

 Kaspersky Lab

http://www.kaspersky.com

Revision date: July, 2008.

Contents

CHAPTER 1. KASPERSKY® MAIL GATEWAY 5.6 ....................................................... 8

1.1. What‟s new in Kaspersky Mail Gateway 5.6 ...................................................... 10

1.2. Licensing policy ................................................................................................... 11

1.3. Hardware and software requirements ................................................................ 12

1.4. Distribution kit ...................................................................................................... 13

1.5. Help desk for registered users ............................................................................ 13

CHAPTER 2. APPLICATION STRUCTURE AND TYPICAL DEPLOYMENT

SCENARIOS .................................................................................................................. 15

2.1. Application architecture ....................................................................................... 15

2.2. The main application‟s algorithm ........................................................................ 17

2.3. Typical deployment scenarios ............................................................................. 20

2.3.1. Installing the application in a demilitarized zone .......................................... 21

2.3.2. Installing the application inside the corporate network‟s perimeter ............. 23

CHAPTER 3. INSTALLING THE APPLICATION ......................................................... 25

3.1. Installing the application on a server running Linux ........................................... 25

3.2. Installing the application on a server running FreeBSD ..................................... 26

3.3. Installation procedure .......................................................................................... 26

3.4. Configuring the application .................................................................................. 28

3.5. Installing the Webmin module to manage Kaspersky Mail Gateway ................ 30

CHAPTER 4. THE PRINCIPLES OF THE APPLICATION‟S OPERATION ............... 33

4.1. Creating groups of recipients/senders ................................................................ 33

4.2. General message processing algorithm ............................................................. 36

4.3. Operation of the anti-spam module .................................................................... 38

4.3.1. Analysis of formal signs ................................................................................ 39

4.3.2. Content filtration ............................................................................................ 40

4.3.3. Checks using external services .................................................................... 41

4.3.4. Urgent Detection System ............................................................................. 41

4.3.5. Recognition results and actions over messages ......................................... 42

4.4. Operation of the anti-virus scanning module ...................................................... 44

4 Kaspersky® Mail Gateway 5.6

CHAPTER 5. ANTI-VIRUS PROTECTION AND SPAM FILTRATION....................... 46

5.1. Updating the anti-virus and anti-spam databases .............................................. 46

5.1.1. Automatic updating of the anti-virus and anti-spam databases .................. 48

5.1.2. Manual updating of the anti-virus and anti-spam databases ...................... 49

5.1.3. Creating a network directory to store and share updates ........................... 50

5.2. Spam filtration ...................................................................................................... 51

5.2.1. Starting and managing the components of the anti-spam module ............. 52

5.2.2. Managing the filtration process .................................................................... 52

5.2.3. Mail filtration using black and white lists....................................................... 54

5.2.4. Managing the UDS service .......................................................................... 55

5.2.5. Managing the list of enabled DNSBL services ............................................ 56

5.2.6. Marking of messages containing spam ....................................................... 57

5.2.7. Blocking delivery of spam messages ........................................................... 57

5.2.8. Storage of spam message copies in the quarantine directory .................... 58

5.3. Anti-virus protection of e-mail traffic .................................................................... 59

5.3.1. Delivery of messages with clean or disinfected objects only ...................... 59

5.3.2. Replacement of infected objects by standard notifications ......................... 60

5.3.3. Blocking delivery for messages containing suspicious objects ................... 61

5.3.4. Delivery of notifications to the sender, administrator and recipients ........... 62

5.3.5. Additional filtering of objects by name and type .......................................... 63

5.3.6. Saving messages in the quarantine directory ............................................. 64

5.4. Combining spam filtration and anti-virus protection ........................................... 65

5.4.1. Maximum speed ........................................................................................... 65

5.4.2. Recommended mode ................................................................................... 67

5.4.3. Maximum protection ..................................................................................... 68

5.5. Additional features of Kaspersky Mail Gateway ................................................. 69

5.5.1. Automatically add incoming and outgoing e-mail to archives ..................... 69

5.5.2. Protection from hacker attacks and spam ................................................... 70

5.6. Managing product keys ....................................................................................... 71

5.6.1. Viewing information about product keys ...................................................... 72

5.6.2. Renewing your product key .......................................................................... 74

5.6.3. Removing a key ............................................................................................ 75

CHAPTER 6. ADVANCED APPLICATION SETTINGS .............................................. 76

6.1. Configuring anti-virus protection of e-mail traffic ................................................ 76

6.1.1. Setting up application timeouts .................................................................... 76

Contents 5

6.1.2. Setting performance restrictions .................................................................. 78

6.2. Setting up connection receiving interfaces ......................................................... 79

6.3. Setting up the routing table ................................................................................. 80

6.4. Checking the configuration file syntax ................................................................ 81

6.5. Syntax check in notification templates ................................................................ 81

6.6. Work with e-mail archives and the quarantine directory .................................... 82

6.7. Management of application working queue ........................................................ 85

6.8. Managing the application .................................................................................... 88

6.9. Control of application activity ............................................................................... 90

6.10. Customizing date and time formats .................................................................. 91

6.11. Reporting options .............................................................................................. 91

6.12. Adding supplementary information to messages ............................................. 93

6.13. Control of application activity via SNMP ........................................................... 94

CHAPTER 7. TESTING APPLICATION OPERABILITY ............................................. 97

7.1. Testing mail receipt and delivery using Telnet ................................................... 97

7.2. Testing the anti-spam filtration ............................................................................ 99

7.3. Testing the application using EICAR ................................................................ 100

CHAPTER 8. UNINSTALLING THE APPLICATION ................................................. 102

CHAPTER 9. FREQUENTLY ASKED QUESTIONS ................................................. 103

APPENDIX A. KASPERSKY MAIL GATEWAY CONFIGURATION FILE ................ 107

A.1. Section [path] .................................................................................................... 107

A.2. Section [locale] .................................................................................................. 108

A.3. Section [options] ................................................................................................ 108

A.4. Section [mailgw.access] ................................................................................... 109

A.5. Section [mailgw.antispam] ................................................................................ 114

A.6. Section [mailgw.forward] ................................................................................... 115

A.7. Section [mailgw.limits] ....................................................................................... 116

A.8. Section [mailgw.network] .................................................................................. 117

A.9. Section [mailgw.options] ................................................................................... 119

A.10. Section [mailgw.path] ...................................................................................... 121

A.11. Section [mailgw.timeouts] ............................................................................... 122

A.12. Section [mailgw.archive] ................................................................................. 124

A.13. Section [mailgw.snmp] .................................................................................... 125

A.14. Section [mailgw.policy] .................................................................................... 126

6 Kaspersky® Mail Gateway 5.6

A.15. Section [path mailgw.group:group_name] ..................................................... 136

A.16. Section [updater.path] ..................................................................................... 145

A.17. Section [updater.options] ................................................................................ 146

A.18. Section [updater.report] .................................................................................. 148

APPENDIX B. SUPPLEMENTARY INFORMATION ABOUT THE PRODUCT ....... 149

B.1. Distribution of the application files in directories .............................................. 149

B.2. Use of external configuration files..................................................................... 153

B.3. Control signals for the main application daemon ............................................. 155

B.4. Command line application management ......................................................... 155

B.5. Application statistics .......................................................................................... 156

B.6. SNMP traps for interaction with the application via SNMP .............................. 163

B.7. Mailgwd command line options ........................................................................ 164

B.8. Mailgwd return codes ........................................................................................ 165

B.9. Licensemanager command line options .......................................................... 167

B.10. Licensemanager return codes ........................................................................ 167

B.11. Keepup2date command line options.............................................................. 168

B.12. Keepup2date return codes ............................................................................. 169

B.13. Templates........................................................................................................ 170

B.14. Mailgw-tlv utility return codes .......................................................................... 180

B.15. Mailgw-mailq utility command line options ..................................................... 180

B.16. Mailgw-maila utility command line options ..................................................... 181

B.17. Mailgw-maila and mailgw-mailq return codes ................................................ 182

B.18. Special headers added by the anti-spam module ......................................... 183

B.19. Format of messages about anti-virus scanning and spam filtration .............. 185

B.20. Notifications about actions applied to the message ...................................... 187

APPENDIX C. SENDING SPAM TO THE GROUP OF SPAM ANALYSTS ............ 191

APPENDIX D. KASPERSKY LAB............................................................................... 193

D.1. Other Kaspersky Lab Products ........................................................................ 194

D.2. Contact Us ........................................................................................................ 205

APPENDIX E. LICENSE AGREEMENT ..................................................................... 206

APPENDIX F. SOFTWARE COMPONENTS FROM THIRD-PARTY VENDORS .. 212

F.1. Berkeley DB 1.85 library ................................................................................... 212

F.2. Libjpeg 6b library ............................................................................................... 213

Contents 7

F.3. Libungif library ................................................................................................... 215

F.4. Libevent library .................................................................................................. 215

F.5. Libspf2 library .................................................................................................... 216

F.6. Libpatricia library................................................................................................ 217

F.7. Pcre library ......................................................................................................... 218

F.8. Zlib library .......................................................................................................... 219

F.9. Expat library ....................................................................................................... 220

F.10. STLport library ................................................................................................. 220

F.11. OpenSSL library .............................................................................................. 221

F.12. FreeBSD libc library ........................................................................................ 223

F.13. Mcpp preprocessor program .......................................................................... 224

F.14. Libbind library .................................................................................................. 225

F.15. Snmp++v3.2.22 library .................................................................................... 226

F.16. Libdes-l-4.01a library ....................................................................................... 226

F.17. Crypt-1.02 library ............................................................................................. 227

F.18. AgentX++v1.4.16 library ................................................................................. 227

F.19. Agent++v3.5.28a library .................................................................................. 233

F.20. Universal Charset Detector (Mozilla) library ................................................... 235

Note
DNSBL (DNS based black hole list) is a database that lists IP

addresses of mail servers used for uncontrolled mass mailing. Such
servers receive mail from anyone and deliver it further to arbitrary
recipients. Use of DNSBL allows automatic blocking of mail from such
mail servers. Various services use different policies for generation of
such lists. Please examine carefully the policy of each service before you
start using it for mail filtration.

CHAPTER 1. KASPERSKY

®

MAIL

GATEWAY 5.6

Kaspersky® Mail Gateway 5.6, (henceforth referred to as Kaspersky Mail Gate-
way or the application), filters SMTP e-mail traffic to protect e-mail system users

against viruses and unwanted messages (spam). The application is a full­featured mail relay (compliant with IETF RFC internet standards) that runs under
the Linux and FreeBSD operating systems.

The application allows the user to:

 Scan e-mail messages for viruses, including both attached objects and

message bodies.

 Detect infected, suspicious, and password-protected attachments and

message bodies.

 Perform anti-virus processing (including disinfection) of infected objects

detected in e-mail messages by scanning.

 Filter e-mail traffic by the names and MIME types of attachments, and

apply specified processing rules to the filtered objects.

 Check each message including attached objects for signs typical of

spam.

 Check during anti-spam analysis the addresses of mail sender and re-

cipient (envelope), message size and various headers (including From
and To).

 Perform the following checks as a part of the anti-spam mail analysis:

 Presence of the sender‟s IP address in a DNS-based real time

black hole list (DNSBL).

Kaspersky® Mail Gateway 5.6 9

Attention!

Please remember that new viruses appear every day, and therefore
you are advised to maintain the anti-virus databases in an up-to-date

state. New updates are made available on Kaspersky Lab‟s update

servers every hour.

 availability of a DNS record for the sending server (reverse DNS

lookup);

 a check of the sender's IP address for compliance with the list of

addresses allowed for a domain, based on the Sender Policy
Framework (SPF);

 a check of addresses and links to web sites in the message text us-

ing the Spam URL Real-time Blocklists (SURBL) service.

 Scan also attached images, comparing them to the signatures of known

spam messages, and take the comparison results into account to de­termine the status of the message.

 Maintain archives of all e-mail messages sent and/or received by the

application, if required by the internal security policy of the company.

 Enable restrictions for SMTP connections, to provide protection against

hacking attacks and to prevent the application being used as an open e­mail relay for unsolicited e-mail messages.

 Limit the load on your server by configuring the application‟s settings

and SMTP parameters.

 Create white and black lists of senders and recipients applied during

processing of e-mail traffic.

 Notify senders, recipients, and the administrator about disinfected let-

ters, about messages containing infected, suspicious, or protected ob­jects, and also about errors that have occurred during mail scanning.

 Quarantine messages identified as spam or probable spam, formal or

blacklisted mail as well as messages containing infected and suspicious
objects.

 Update the anti-virus and anti-spam databases of Kaspersky Mail

Gateway. The application retrieves updates from Kaspersky Lab‟s up­date servers. You can also configure the application to update the data­bases from a local directory.

The application detects and cures infected objects using the anti-virus
database. During scans, the contents of each file are compared to the
sample code of known viruses contained in the database.

10 Kaspersky® Mail Gateway 5.6

Attention!

Kaspersky Lab‟s Linguistic Laboratory continues to work on improving

and supplementing the corpus of data used for spam detection. Effi-

cient spam fighting requires that you regularly update the application‟s

anti-spam databases. Updates for the databases are made available
on Kaspersky Lab‟s update servers every three minutes.

The anti-spam databases are used during analysis of message contents
(including Subject and other headers) and attached files. The applica­tion uses linguistic algorithms which compare the analyzed text with
sample messages, and search for typical words and word combinations.

The keepup2date component‟s function is to update the anti-virus and
anti-spam databases (see section 5.1 on p. 46).

 Configure and manage Kaspersky Mail Gateway, either from a remote

location using the Webmin web-based interface, or locally using stan­dard operating system tools such as using command line options, sig­nals, special command files or by modifying the application‟s configura­tion file.

 Monitor the antivirus protection, spam filtering status, application statis-

tics and logs both locally and remotely using the Webmin interface.

 Obtain configuration data and statistics on application activity via SNMP

and configure the application to generate and send SNMP traps upon
occurrence of certain events.

1.1. What’s new in Kaspersky Mail

Gateway 5.6

Kaspersky Mail Gateway has the following additional features as compared to
Kaspersky SMTP-Gateway 5.6:

 The application includes anti-spam module with the following features:

 Increased performance and stability.
 Low RAM requirements.
 Low level of Internet traffic (updates to Kaspersky Mail Gateway da-

tabases).

Kaspersky® Mail Gateway 5.6 11

 Improved filtration methods are used, namely:

 Algorithms for parsing of HTML objects in e-mail messages (in-

creasing the efficiency of protection against various spammer tricks
devised to bypass filtration systems).

 System for analysis of e-mail message headers.
 System for analysis of graphical attachments (GSG).
 Sender Policy Framework (SPF) and Spam URL Realtime Block-

lists (SURBL) services.

 Internal Urgent Detection System (UDS) service, which allows ob-

taining information about certain types of spam in real time.

 Individual settings available for user groups: certain scanning methods

can be enabled/disabled separately for every group; you can also define
the actions to be performed over e-mail messages.

 Collection of configuration data and statistics of application activity via

SNMP; the application can be configured to send SNMP traps when
certain events occur.

 Redesigned subsystem accepting incoming mail consumes fewer re-

sources and supports more simultaneous incoming connections.

1.2. Licensing policy

The licensing policy for Kaspersky Mail Gateway 5.6 limits product use based on
these criteria:

 Number of users protected by the application.
 E-mail traffic processed daily (MB/day).

Each type of license also has a time limit, typically one or two years from the
date of purchase.

At the time of purchase, you can specify which type of license limitation you re­quire (for example, by the daily e-mail traffic volume).

In addition, you can choose during product purchase whether your copy of
Kaspersky Mail Gateway will only perform anti-virus scanning of e-mail traffic, or
if it will also filter spam.

The application has slightly different configuration parameters depending on the
type of license you purchased. For instance, if the license is issued for a certain
number of users, you will have to create a list of addresses (domains) that will
be protected by the application against viruses and spam. The application will

12 Kaspersky® Mail Gateway 5.6

Attention!

Please note that the application‟s working queue, quarantine di­rectory, and archives of incoming and outgoing e-mail are not
included in the hard disk space required. If your network security
policy requires the use of these features, additional disk space will
be needed.

notify the administrator when the license limitations are reached: in this case,
when the number of protected accounts is exceeded.

1.3. Hardware and software

requirements

The minimum system requirements for normal operation of Kaspersky Mail
Gateway are as follows:

 Hardware requirements:

 Intel Pentium® processor (Pentium III or Pentium IV recom-

mended).

 At least 256 МB of available RAM.
 At least 100 MB of available space on your hard drive to install the

application.

 At least 500 MB of available space in the /tmp file system.

 Software requirements:

 One of the following operating systems for 32-bit platforms:

o Red Hat Enterprise Linux Server 5.
o Fedora 7.
o SUSE Linux Enterprise Server 10.
o OpenSUSE Linux 10.3.
o Debian GNU/Linux 4 r1.
o Mandriva 2007.
o Ubuntu 7.10 Server Edition.
o FreeBSD 5.5, 6.2.

Kaspersky® Mail Gateway 5.6 13

 One of the following operating systems for 64-bit platforms:

o Red Hat Enterprise Linux Server 5.
o Fedora 7.
o SUSE Linux Enterprise Server 10.
o OpenSUSE Linux 10.3.

 Perl interpreter, version 5.0 or higher (www.perl.org), bzip2 utility

for unpack spam filtration bases, and the which utility for application
installation.

 Webmin version 1.070 or higher (www.webmin.com) to install the

remote administration module (optional).

1.4. Distribution kit

You can purchase the product either from our dealers or at one of our online
stores (for example, www.kaspersky.com/store – follow the E-store link).

If you purchase our application online, you will download it from Kaspersky Lab's
website. Your product key will be sent to you by e-mail after payment.

The License Agreement constitutes a legal agreement between you and Kasper­sky Lab, containing the terms and conditions under which you may use the pur­chased software.

1.5. Help desk for registered users

Kaspersky Lab offers an extensive service package enabling registered custom­ers to boost the productivity of Kaspersky Mail Gateway.

After purchasing the product key, you become entitled to receive the following
services for the validity period of your key:

 new versions of the application provided free of charge.
 phone or e-mail support on matters related to the installation, configura-

tion, and operation of the product you have purchased. You can contact
the Technical Support service for consulting using any of the following
methods:

 Make a phone call to Technical Support.

14 Kaspersky® Mail Gateway 5.6

Note

Kaspersky Lab does not give advice on the performance and use of your operat­ing system, third party applications or other technologies.

 Create and send a request using the Technical Support web site

(http://www.kaspersky.com/helpdesk) or your personal user cabi­net.

 notifications about new software products from Kaspersky Lab, and

about new virus outbreaks. This service is provided to users who sub­scribe to Kaspersky Lab‟s e-mail newsletter service.

CHAPTER 2. APPLICATION

STRUCTURE AND TYPICAL
DEPLOYMENT SCENARIOS

The correct configuration of the application, and its efficient operation, require
knowledge of its structure and internal algorithms. It is also important for the ap-

plication‟s deployment within an existing corporate e-mail system. This chapter
discusses in detail the application‟s structure, architecture and operating princi-

ples, as well as typical deployment scenarios.

2.1. Application architecture

A review of the application‟s functionality must be preceded by a description of its

internal architecture.
Kaspersky Mail Gateway is a fully-featured Mail Transfer Agent (MTA), able to

receive and route e-mail traffic, which also scans e-mail messages for viruses,
and filters spam.

The application uses SMTP protocol commands (RFC 2821), the Internet mes­sage format (RFC 2822), MIME format (RFC 2045-2049, 2231, 2646), and satis­fies the requirements for e-mail relays (RFC 1123). In compliance with anti-spam
recommendations (RFC 2505 standard), the application uses access control
rules for SMTP clients to prevent the use of this application as an open relay. In
addition, Kaspersky Mail Gateway supports the following SMTP protocol exten­sions:

 Pipelining – enhances performance of servers supporting this mode of

operation (RFC 2920).

 8-bit MIME Transport – processes code tables of national language

characters (RFC 1652).

 Enhanced Error Codes – provides more informative explanations of pro-

tocol errors (RFC 2034).

 DSN (Delivery Status Notifications) – decreases bandwidth usage and

provides more reliable diagnostics (RFC 1891, 3461-3464).

 SMTP Message Size – Decreases the server load and increases trans-

fer rate (RFC 1870).

16 Kaspersky® Mail Gateway 5.6

Note

The RFC documents mentioned above are available at: http://www.ietf.org.

The application includes these components:

 mailgw – the main application component – a fully-featured e-mail relay

with built-in anti-virus protection and spam filtering.

 licensemanager – the component which manages product keys (their

installation, removal, and statistics).

 keepup2date – the component that updates the anti-virus and anti-spam

databases, by downloading the updates either from Kaspersky Lab‟s

update servers or from a local directory.

 Webmin module – for remote administration of the application using a

web-based interface (optional installation). This component allows the
user to configure and manage the database updating process, specify
the actions to be performed on detected objects, and monitor the appli­cation‟s operation.

The main application component (see Fig.1), in turn, consists of these modules:

 Receiver, which receives incoming e-mail.
 Sender, which sends out messages which have passed anti-virus scan-

ning and spam filtering.

 AS module which performs anti-spam analysis of e-mail, its classifica-

tion and processing.

 AV module, the anti-virus engine.
 Scanning module, which acts with the AS and AV modules to process

messages, providing anti-virus scanning and spam filtering of e-mail
traffic.

Figure 1. General architecture of Kaspersky Mail Gateway

Application structure and typical deployment scenarios 17

2.2. The main application’s

algorithm

The application works as follows (see Fig. 2):

1. The e-mail agent receives e-mail messages via the SMTP protocol, and
passes them to the Receiver module.

Figure 2. Working queue of Kaspersky Mail Gateway

2. The Receiver module performs preliminary e-mail processing using the
following criteria:

 presence of the sender‟s IP address in the list of blocked and/or

trusted addresses including masks;

 compliance with the access restrictions specified for SMTP connec-

tions (see section 5.5.2 on p. 70);

 compliance of the message size (and the total number of messages

within the session) with the limits specified in the application‟s set­tings;

 compliance of the number of open sessions (both the total number

from all IP addresses, and from a single IP address) with the limits
specified in the application‟s settings.

If the message satisfies the preliminary processing requirements, it is
sent to the working queue to be processed by the scanning module.

If the option to archive all incoming e-mail has been selected, a copy of
any message added to the working queue will be automatically pre­served in the archive of received messages.

Blind carbon copies of each message can also be sent to a specified list
of e-mail addresses before scanning of the received mail.

18 Kaspersky® Mail Gateway 5.6

3. The Scanning module receives a message from the working queue and
transfers it to the anti-spam module for inspection.

The anti-spam module consists of the following components:
 Filtration master process and filtering processes which perform ac-

tual mail analysis.

 Licensing daemon which verifies the presence of a valid key file

and compliance with the restrictions defined in the key.

 Daemon processing SPF requests.
 Auxiliary programs and scripts including the script compiling the

anti-spam databases.

The main component of the anti-spam module is the filtering master
process (mailgw-process-server) performing the following functions:

 Monitoring of requests for connection to filtering processes from the

application Scanning module.

 Launch of new filtering processes when there are no more avail-

able ones.

 Control of the status of running filtering processes.
 Termination of child processes upon an appropriate signal.

Filtering process (ap-mailfilter) receives at launch message header and
body, scans them and returns the results.

If message sender should be checked for compliance with the existing
SPF policy, the filtering process sends a request to SPF daemon
(mailgw-spfd), which performs necessary queries to DNS server and re­turns the results to the filtering process.

Message analysis and application of rules defined by the parameters in
configuration file are only performed when a valid product key is pre­sent.

All license-related checks are performed by the licensing module (kas-
license) upon request from a filtering process.

Having finished message processing, a filtering process keeps running
expecting a new request. A filtering process is terminated after it has
handled the maximum number of messages specified for a single proc­ess (usually 300) or if it remains idle for a long time.

The AS module assigns to message a certain status based on the in­spection results, and returns the message to the Scanning module,

Application structure and typical deployment scenarios 19

Attention!
If you have only purchased a license for anti-virus scanning of e-

mail traffic, spam filtering will not be performed. Messages will be
delivered directly to the AV module for scanning, and any configura­tion parameters which apply to the anti-spam module are ignored.

Note

The creation of a copy of a message in backup storage or the quaran­tine directory does not block delivery of the original message to the
recipient. An additional action blocking its delivery must be specified
to prevent message delivery to the recipient.

which breaks it into its components and passes them to the AV module
for analysis.

4. The AV module scans the objects and, if this option is enabled, disin­fects them when necessary.

5. The Scanning module handles messages according to the status (see
section 4.2 on p. 36) assigned to each part of the message during
analysis by the AS and AV modules. Possible actions include blocking
message delivery, deleting infected objects, modifying message head­ers, and moving the message to the quarantine directory. The actions to

be applied are specified in the application‟s configuration file. Each

processed message is then added to the ready-to -send message
queue.

6. If the application‟s configuration specifies that detected messages are to
be saved in quarantine, a copy of the scanned message will be saved in
the quarantine directory concurrently with its transfer to the ready-to­send queue. The application creates separate quarantine directories for
messages identified as spam or probable spam (after anti-spam analy­sis), and for messages containing infected or suspicious objects (after
anti-virus scanning).

7. The Sender module receives each message from the ready-to-send
queue, and transfers it via the SMTP protocol to the onward e-mail
agent to be delivered to local end users or rerouted to other mail serv­ers.

8. If your network security policy requires logging of all outgoing e-mail
traffic, a copy of each message will be automatically stored in the ar­chive of sent messages after it is dispatched (see Fig. 3).

20 Kaspersky® Mail Gateway 5.6

Attention!
The application, being an e-mail relay, does not include a local e-mail delivery

agent (MDA). Therefore, all deployment scenarios require an e-mail system
(or e-mail systems) to deliver e-mail messages to local users within protected
domains.

Figure 3. Saving messages to the archives of received / sent messages

2.3. Typical deployment scenarios

Depending upon the network architecture, there are two options for installing
Kaspersky Mail Gateway:

 install the application within a demilitarized zone (DMZ) acting as a

buffer between the internal corporate LAN and the external network;

 install the application inside the perimeter of the corporate network, as

part of your existing e-mail system.

In each of the above cases the application can be installed:

 on the same server as the running e-mail system;
 on a dedicated server.

The sections below discuss these scenarios in detail and describe their advan­tages.

Application structure and typical deployment scenarios 21

Attention!
You must set up restrictions for the e-mail transfer agent (MTA) re-

ceiving e-mail from Kaspersky Mail Gateway via port 1025, so that it
accepts messages exclusively from Kaspersky Mail Gateway (e.g.,
configure mail receipt from the localhost (127.0.0.1) interface only).
Otherwise, it will be possible to bypass the application with a connec­tion established directly from the external network through port 1025.

2.3.1. Installing the application in a

demilitarized zone

The main advantage of this deployment option is that it improves the overall per­formance of your e-mail system, by minimizing the number of transfer cycles for
e-mail messages. It also provides additional protection for data, because the
existing corporate mail server in that case has no connection to the Internet.

This is an overview of how to install the application and the e-mail system on the
same server, so that they work together:

1. Configure all interfaces of Kaspersky Mail Gateway to listen on port 25
for incoming e-mail traffic from all IP addresses which match the
relevant MX records for the protected domain.

2. The application will filter spam and scan e-mail, and then transfer
processed messages to the corporate e-mail system via a different port
(e.g., 1025).

3. The e-mail system, configured to use a local interface, delivers
messages to users.

Follow these steps to install the application and the e-mail system on the same
server:

 Configure the application to receive e-mail via port 25 on all the server‟s

network interfaces. To do this, specify the following value in the
[mailgw.network] section of the configuration file:

ListenOn=0.0.0.0:25

 Specify in the routing table that all scanned messages will be trans-

ferred to the e-mail system via port 1025. To do this, specify the follow­ing value in the [mailgw.forward] section of the application‟s configura­tion file:

ForwardRoute=<company_mask> [localhost:1025]

where: <company_mask> is the mask for recipient addresses.

22 Kaspersky® Mail Gateway 5.6

Attention!
These are the default application configuration settings for this deployment

scenario, which will be stored in the configuration file by the installation proc­ess.

 Change the settings of the existing e-mail system to receive messages

only from the application via port 1025. This will ensure that all incoming
e-mail messages are received, and that they are delivered to local users
within the protected domains of the company.

 Set up the existing e-mail system to transfer all the messages it re-

ceives to the application via port 25. This will ensure anti-virus scanning
and anti-spam filtering of all outgoing e-mail messages from local users.

 Specify a list of all corporate local domains as the value for the Pro-

tectedDomains option in the [mailgw.forward] section of the applica-

tion configuration file ("*" and "?" wildcards can be used). E-mail mes­sages for the specified domains will be scanned.

When the application is installed on a dedicated server, its operation algorithm is
identical to when it is installed on the same server as the e-mail system, but the
settings will differ. The IP address of the server on which the application is in­stalled, must be included in MX records corresponding to the protected domain.

To install the application on a dedicated server:

 Configure the application to receive mail via port 25 on all the server‟s

network interfaces, by specifying the following value in the
[mailgw.network] section of the application‟s configuration file:

ListenOn=0.0.0.0:25

 Specify in the routing table that all scanned messages must be trans-

ferred to the e-mail system via port 25, by setting the following value in
the [mailgw.forward] section of the application‟s configuration file:

ForwardRoute=<company_mask> [host:25]

where: <company_mask> is the mask for recipient addresses, and will
generally be of the form *@company.com

host – name of your corporate e-mail server.

 Specify the list of all local corporate domains as the value for the Pro-

tectedDomains option in the [mailgw.network] section of the applica-

tion configuration file ("*" and "?" wildcards can be used). e-mail mes­sages for the specified domains will be scanned.

Application structure and typical deployment scenarios 23

Attention!
This is the most convenient deployment scenario, especially if Kaspersky Mail

Gateway is installed at the same time as the network is deployed and the com­pany‟s e-mail system is installed.

Attention!
This deployment scenario is recommended if you are sure of the reliability of

your e-mail system. Installing the application in this configuration will not affect
the stability of your e-mail system.

2.3.2. Installing the application inside the

corporate network’s perimeter

One advantage of installing the application inside the corporate perimeter is that
there is no external access to the information that the application is running on
the server, or to its configuration. Additionally, if the application is installed on a
dedicated server, the load of performing anti-virus scanning can be distributed
amongst several servers.

This is how the application and the e-mail system work together if they are in­stalled on the same server:

1. Duplicate your e-mail system and configure one of the copies to listen
on port 25, and receive e-mail messages via all available interfaces.

2. This e-mail system forwards all incoming messages through the local in­terface via a different port (port 1025, for instance) to the application for
scanning and spam filtering.

3. The application filters spam, scans the e-mail messages for viruses and
forwards scanned and processed messages to the second e-mail sys­tem copy, which receives e-mail on a different port (e.g., port 1026).

4. The second e-mail system delivers e-mail to the local users.

Installing the application on a dedicated server is similar to the above procedure.
Additionally when installing the application on a dedicated server, you can create
and run several copies of the application on different servers, enabling you to
distribute the load of anti-virus processing and spam filtering amongst these sev­eral servers.

To deploy the application on a dedicated server:

Specify the list of all local corporate domains as a value for the Protect­edDomains option in the [mailgw.network] section of the application

24 Kaspersky® Mail Gateway 5.6

Attention!
Deploying Kaspersky Mail Gateway may require changes to the settings for e-

mail clients throughout company, to ensure that all outgoing e-mail messages
are delivered to the application. These messages will be transferred to the exter­nal network after an anti-virus scan and spam filtration.

Attention!

If the network includes installed firewalls or demilitarized zones (DMZ‟s), it is

necessary to provide e-mail clients and internal and external network servers
with access to the installed application to ensure joint operation and routing of
the e-mail traffic.

configuration file ("*" and "?" wildcards can be used). E-mail messages
for the specified domains will be scanned.

Attention!
After installing the application from the rpm package, you must run the postin-

stall.pl script to perform post-installation configuration. The default location of
the postinstall.pl script is in the /opt/kaspersky/mailgw/lib/bin/setup/ directory (in
Linux) and in the
/usr/local/libexec/kaspersky/mailgw/setup directory (in FreeBSD).

CHAPTER 3. INSTALLING THE

APPLICATION

Before installing Kaspersky Mail Gateway, it is necessary to:

 Make sure that your system meets the hardware and software require-

ments (see section 1.3 on p. 12).

 Configure your Internet connection. The application distribution package

does not contain the anti-virus and anti-spam databases, which are re­quired to perform anti-virus protection and filter spam.

 Log on to the system as root, or as a privileged user.

3.1. Installing the application on a

server running Linux

For servers running the Linux operating system, Kaspersky Mail Gateway is dis­tributed in two different installation packages, depending on the type of your
Linux distribution.

To install the application under Linux Red Hat, Linux SUSE or Linux Mandriva,
use the rpm package.

To initiate installation of Kaspersky Mail Gateway from the rpm package, enter
the following at the command line:

# rpm -i <distribution_package_file_name>

In Linux Debian and Linux Ubuntu, the installation is performed from a deb pack­age.

To initiate installation of Kaspersky Mail Gateway from the deb package, enter
the following at the command line:

# dpkg -i <distribution_package_file_name>

26 Kaspersky® Mail Gateway 5.6

Attention!
The procedure of application setup under Mandriva distributions has some pe-

culiarities. You might have to perform some additional configuration to ensure
the correct functioning of the application on such systems (please see Chapter 9
on p. 103 for details).

Attention!
Installation errors can occur for a number of reasons. If an error message is

displayed, firstly make sure that your computer satisfies the hardware and
ware requirements (see section 1.3 on p. 12) and that you have logged on to the
system as root.

After you enter the command, the application will be installed automatically.

3.2. Installing the application on a

server running FreeBSD

The distribution file for installing Kaspersky Mail Gateway on servers running
FreeBSD OS is supplied as a pkg package.

To initiate installation of Kaspersky Mail Gateway from a pkg package, enter one
of the following at the command line:

# pkg_add <package_name>

After you enter the command, the application will be installed automatically.

3.3. Installation procedure

The application installer script applies these steps:

Step 1. Preparing the system

At this stage, the installation script creates the system group and user account
for the application. The default group is klusers and the default user account is
kluser. In future, the application will start under this user account (not root) to
provide additional security for your system.

Installing the application 27

Attention!
If you installed the application from an rpm package, you should run the postin-

stall.pl script (present by default in the /opt/kaspersky/mailgw/lib/bin/setup/ direc­tory in Linux and in /usr/local/libexec/kaspersky/mailgw/setup in FreeBSD) to
perform the next step, Post-installation tasks.

Step 2. Copying application files to destination directories

on your server

The installer starts copying the application files to the destination directories on

your server. For a detailed description of the application‟s directories, see section

B.1 on p. 149.

Step 3. Post-installation tasks

The post-installation configuration includes these steps:

 Configuring the main application component (see section 3.4 on p. 28).
 Installing and registering the product key.

If you do not have a product key at the time of installation (for example,
if you purchased the application via the Internet and have not yet re­ceived the license key), you can activate the application after installation
and before its first use: for details, see section 5.6 on p. 71. Please note
that if the key is not installed, the anti-virus and anti-spam databases
cannot be updated and the main application component cannot be
started during the installation process. In this case it must be done
manually, after the license key is installed.

 Configuring the keepup2date component.
 Installation (updating) of the anti-virus and anti-spam databases.

You must install the anti-virus and anti-spam databases before using
the application (see section 5.6 on p. 71). The procedure of detecting
and disinfecting viruses relies on the anti-virus database which contains
the descriptions of all currently known viruses, and the methods of disin­fecting these viruses. Anti-virus scanning and processing of e-mail
messages cannot be performed without the anti-virus database. The
anti-spam database is used for spam detection, which analyzes the
contents of messages and attached files to identify the signs of unsolic­ited e-mail.

 Installing the Webmin module.

The Webmin module for remote management of the application can be
installed correctly only if the Webmin application is located in the default

28 Kaspersky® Mail Gateway 5.6

Attention!
If after installation, Kaspersky Mail Gateway has not started working as required,

check the configuration settings. Pay special attention to the port number you
specified for receiving e-mail traffic. You should also view the application log file
for error messages.

Attention!
If you are using the rpm installation package, enter the following command to

start post-installation configuration (in Linux):

# /opt/kaspersky/mailgw/lib/bin/setup/postinstall.pl

In FreeBSD:

# /usr/local/libexec/kaspersky/mailgw/setup/postinstall.pl

directory. After the module is installed, you will receive detailed instruc­tions on how to configure it to work with the application.

 Launching the main application component.

After these steps are properly completed, a message on the server console will
indicate that installation has been successful.

3.4. Configuring the application

Immediately after the application‟s files have been copied to your server, the
system configuration process will start. The configuration process will either be
started automatically or, if the package manager (such as rpm) does not allow
the use of interactive scripts, some additional actions will have to be performed
by the administrator. All settings are stored in the mailgw.conf file which is in­stalled by default in the /etc/opt/kaspersky/ directory in Linux, and in the
/usr/local/etc/kaspersky/ directory in FreeBSD.

The configuration procedure includes the following tasks:

 Specifying (by the administrator) the full domain name of the server that

will be used to identify the application in SMTP commands when creat­ing the DSN and notifications: this is the Hostname parameter in the
[mailgw.network] section of the mailgw.conf configuration file.

 Assigning addresses to be used by the application:

 Assign the Postmaster address ([mailgw.network] section,

Postmaster parameter).

Installing the application 29

 Assign the sender‟s return address for notifications

([mailgw.policy] section, NotifyFromAddress parameter).

 Define the administrator‟s address ([mailgw.policy] section, Ad-

minNotifyAddress parameter).

 Allow incoming e-mail to the specified domain ([mailgw.access]

section, RelayRule parameter).

 Defining the interface and port on which to listen for incoming e-mail

traffic ([mailgw.network] section, ListenOn parameter). The port name
and the IP address should be entered in the format <x.x.x.x:z>,

where:

x.x.x.x is the IP address, and
z is the port number.

 Specifying local network identifiers. This value is used to assign rules

for message delivery and processing ([mailgw.access] section, Re-
layRule parameter), for example, rules specific to your organization
concerning e-mail processing, or blocking e-mail messages from certain
domains. Specify the values using the following formats: <x.x.x.x> or
<x.x.x.x/y.y.y.y>, or <x.x.x.x/y>,

where:

x.x.x.x is the IP address, and
y.y.y.y or y is the subnet mask.

 Specifying (when necessary) the server to which all processed mes-

sages will be forwarded ([mailgw.forward] section, the ForwardRoute
parameter). Type the host name in the format: <x.x.x.x:z>,

where:

x.x.x.x is the IP address, and
z is the port number.

 Specifying the proxy server name ([updater.options] section,

ProxyAddress parameter). This option is necessary for computers

connected to the Internet via a proxy server.

 Confirmation of UDS installation and use.

UDS service allows blocking spam in a timely manner before updates to
Kaspersky Mail Gateway databases are downloaded. You are advised
to disable UDS checks only if the method considerably decreases the
filtration server performance or if the server cannot contact the UDS

30 Kaspersky® Mail Gateway 5.6

Attention!
To increase UDS efficiency, specify regular launch of the task that

determines the time for access to UDS servers (see section 5.2.4 on
page 55).

Attention!
After the system is installed and configured, it is recommended that you check

the settings for Kaspersky Mail Gateway and test its performance. For more
details, see Chapter 7 on page 97.

servers of Kaspersky Lab. Please refer to section 4.3.4 on page 41 for
details on UDS service.

 Modifying the application configuration file to fine-tune the operation of

the AV and AS modules (optional).

If all the above steps have been successfully completed, the configuration file will
contain all settings that are required to start working with the application.

During Kaspersky Mail Gateway 5.6 installation you can choose to use saved
settings of previous product version 5.5.139 installed earlier. In that case you will
be offered to:

 Specify the path to the configuration file of an earlier version.
 Move or copy files from the queue, archives and Quarantine of the ear-

lier version to the corresponding directories of the new one.

 Use UDS because that feature was introduced in version 5.6 (see

above).

Application databases will be downloaded as well.
If the configuration file of an earlier version is not available or if you do not wish

to use it, post-install setup will consist of the steps described above.

3.5. Installing the Webmin module to

manage Kaspersky Mail
Gateway

The activity of Kaspersky Mail Gateway can be controlled remotely via a web
browser using Webmin.

Installing the application 31

Note

The Webmin module is the file mailgw.wbm, which is installed by default in the
/opt/kaspersky/mailgw/share/contrib/ directory (for Linux distributions), or the
/usr/local/share/mailgw/contrib/ directory (for FreeBSD distributions).

Webmin is a program which simplifies the administration of Linux/Unix systems.
The software has a modular structure, and supports connection of new or cus­tomized modules. Additional information about Webmin can be obtained, and its
distribution package downloaded, from the official program web site at:

www.webmin.com.

Kaspersky Mail Gateway‟s distribution package contains a Webmin module that
can either be connected during the application‟s post-installation configuration

(see section 3.3 on p. 26) if the system already has Webmin installed, or at any
time later after Webmin is installed.

The following part of this manual contains a detailed description of the procedure
necessary to connect the Webmin module for administration of Kaspersky Mail
Gateway.

If the default settings were used during Webmin installation, the program can be
accessed from a web browser using HTTP / HTTPS to connect to port 10000, as
soon as the installation procedure is finished.

To install the Webmin module to control Kaspersky Mail Gateway:

1. Use your web browser to access Webmin with administrative privileges.

2. Select the Webmin Configuration tab in the program menu, and then
proceed to the Webmin Modules section.

3. Select the From Local File option in the Install Module section and
click (see Figure 4).

Figure 4. Install Module section

4. Select the path to the Webmin module of the product and click ОК.

32 Kaspersky® Mail Gateway 5.6

A message on the display will confirm the successful installation of the Webmin
module.

You can access the settings of Kaspersky Mail Gateway by clicking its icon
within the Others tab (see Figure 5).

Figure 5. The icon of Kaspersky Mail Gateway in the Others tab

Note

The anti-virus and spam filtering functionality of Kaspersky Mail Gateway de­pends on the configuration file settings. Changes to the configuration file can be
made either locally or remotely (using the Webmin remote administration mod­ule).

CHAPTER 4. THE PRINCIPLES

OF THE APPLICATION’S
OPERATION

This chapter describes in more detail how the application works and the interac­tion between its components, and gives information required for correct software
setup.

4.1. Creating groups of

recipients/senders

A Recipients/Senders group is defined as a specified list of recipient/sender e­mail addresses. A particular e-mail message may be assigned to a particular
group depending on whether this group contains the message sender‟s address
(or sender IP) or the recipient‟s address, which are specified in the MAIL FROM
and RCPT TO parts of the message header.

The administrator can specify individual rules for processing each e-mail mes­sage depending on the group of recipients/senders. Therefore, it is particularly
important that the addresses are associated with the correct group.

When processing a message, the application searches through the list of ad­dresses for each specific group. If it finds a matching combination of
sender/recipient addresses, the rules defined for this group will be applied to the
e-mail message.

The configuration file contains the [mailgw.policy] section that implicitly defines
the policy group, which determines the default rules for processing e-mail mes­sages.

34 Kaspersky® Mail Gateway 5.6

Attention!
Both the section [mailgw.policy], and all the parameters specified in the sec-

tion, are mandatory.

The [mailgw.policy] section does not contain names of senders and recipients.
The section [mailgw.policy] defines the default rules which are applied to all
messages which do not belong to other groups explicitly described in
[mailgw.group:group_name] sections.

All parameters in [mailgw.group:group_name] sections are optional. If a pa­rameter value in such a section is not specified, it will be taken from the corre­sponding parameter in the [mailgw.policy] section.

The configuration file included in the application‟s installation package contains

the following rules in the policy group. Messages which are not assigned to an­other group will be processed using the following rules (defined in the
[mailgw.policy] section):

 Check all e-mail messages for indications of spam.
 Scan all e-mail messages for viruses.
 Deliver to recipients just messages which contain clean or disinfected

objects only.

 Remove the following from messages: infected objects, objects which

caused errors during their analysis, suspicious objects and password­protected and damaged objects.

 Notify recipients and the administrator about infected, suspicious, pro-

tected or filtered objects in messages and any objects which caused er­rors during analysis.

The parameters of the policy group can be altered, and new groups created. To
process e-mail messages belonging to different groups of recipients/senders
using different rules, you will have to create several groups.

To create a new group of user addresses:

1. Create a section [mailgw.group:group_name] in the configuration file.

2. Specify sender addresses (address masks, IP addresses, host names,
masks for host names, subnets) and recipient addresses (address
masks) as the values of Senders and Recipients parameters. To de­fine several addresses or address masks, each record must be entered
in a new line:

Senders=user1@example.com

Senders=*@internal.local

Senders=ip 192.168.0.1

The principles of the application’s operation 35

Attention!
If you leave the Senders or Recipients parameter in a group descrip-

tion empty, e.g.:

Senders=

then no messages will be processed using the rules specified for that
group. To use the default value for a parameter, delete (or place a
comment mark before) the corresponding parameter from the group
description.

Attention!
If a sender/recipient address fits several groups, the application will

use the rules for the first of those groups.

Attention!
If a message has several recipients belonging to different groups,

virtual copies of the initial message will be created to match the num­ber of such groups. Each copy will be processed individually, accord­ing to the rules specified by the particular group.

Senders=ip 192.168.0.0/255.255.0.0

Senders=host example.com

Senders=network MyNetwork

Recipients=*@management.local

Recipients=help@helpdesk.local

"*" and "?" wildcards may be used to define masks. If a group descrip­tion contains no Recipients or Senders parameter, the application will

use the default value, "*@*" (i.e. all addresses). At least one of the
Senders or Recipients parameters must be specified.

If you have added other groups to the configuration file, the application will proc­ess messages from these groups as follows:

1. The application first compares the message address(es) with addresses
in the groups created by the administrator. If the recipient/senders
addresses pair is found in a specific group, the rules defined for that
group will be applied to the message.

2. If the message addresses do not match any group created by the
administrator, the message will be processed according to the rules
described in the policy group.

Figure 6 demonstrates the sequence of actions applied by the application to a
received e-mail message.

36 Kaspersky® Mail Gateway 5.6

Figure 6. Message processing

4.2. General message processing

algorithm

This section discusses how the application processes e-mail messages. When
the server receives an e-mail message, the scanning module:

1. Determines which group of recipients this message belongs to.

2. If the message has multiple recipients belonging to different groups,
several virtual copies of this message are created to match the number

The principles of the application’s operation 37

Attention!
If you have only purchased a license for anti-virus scanning of e-mail

traffic, spam filtering will not be performed. Messages will be immedi­ately delivered to the AV module for scanning (Step 4). The applica­tion will ignore any configuration parameters which apply to the anti­spam module.

of groups, so that the respective group rules for anti-spam filtering and
anti-virus scanning can be applied to each of the copies.

3. Then the application transfers the message for analysis by the anti­spam module.

Please refer to section 4.3 on page 38 for details on the operation of the
anti-spam module.

After processing, the anti-spam filter returns messages to the scanning
module.

If a message has been assigned the status of Spam, Probable Spam,
Formal or Blacklisted and the application is configured to block such
messages (the BlockMessage parameter is assigned the as/spam,
as/probable, as/formal, as/blacklisted value), then anti-virus message
scanning will be skipped. Further actions of the application are de­scribed in Step 8.

4. Using a built-in MIME format identifier (MIME, RFC2822, UUE), the
application divides the message into its components: headers, message
body and attachments.

5. If the application is configured to filter objects by name and/or
attachment type, it will apply the specified filtering rules for this
message. If the message meets the filter conditions, the object will be
assigned the Filtered status and will not be subjected to further anti­spam scanning.

6. Each of the received objects is then sent to the AV module that
analyzes each object and returns the status assigned to it.

7. Depending on the status assigned to each object, the application
performs actions as specified in the settings for the respective group
(please see section 4.4 on page 44 for basic actions of the AV module)
in the configuration file.

8. After the anti-virus scan of all the message‟s components, and the
execution of required actions on those components, an additional action
can be performed on the message as a whole:

 Add label to the message title (Subject) in accordance with the re-

sults of its anti-spam analysis (see section 4.3.5 on page 42).

38 Kaspersky® Mail Gateway 5.6

 Append additional informational fields to the message‟s header or

body (see section 6.12 on p. 93).

 Block delivery of messages to the recipients; see section 5.2.7 on

p. 57 for an example of blocking the delivery of spam messages,
and section 5.3.3 on p. 61 for messages containing infected ob­jects.

 Create and send notifications to the sender, administrator, and re-

cipient (see example in section 5.3.4 on p. 62).

 Quarantine a message; see section 5.2.8 on p. 58 for an example

of quarantining spam messages, and section 5.3.6 on p. 64 for
messages containing infected objects.

4.3. Operation of the anti-spam

module

Spam filtration by the anti-spam module is performed during the third step of the
procedure described in section 4.2 on p. 36. This section contains a brief over­view of the spam detection technologies implemented in the application, namely:

 Analysis of formal signs (see section 4.3.1 on page 39).
 Content filtration (see section 4.3.2 on page 40).
 Checks involving external services (see section 4.3.3 on page 41).
 Urgent Detection System technology (see section 4.3.4 on page 41).
 During all inspection stages, message analysis is performed according

to the required filtering intensity, defined in the application configuration
file (SpamRateLimit option in the [mailgw.policy] or
[mailgw.group:group_name] section).

The following degrees of filtering intensity are available:

 Minimum (SpamRateLimit=minimum).
 Standard (SpamRateLimit=standard).
 High (SpamRateLimit=high).
 Maximum (SpamRateLimit=maximum).

The application decides if a message contains spam based on several signs
detected in mail by the anti-spam module. The higher is filtering intensity, the
smaller is the number of signs required to recognize a message as spam. When

The principles of the application’s operation 39

Note
The Standard level of filtering intensity is recommended.

Note

Apart from the intensity level, filtering result is also affected by the methods used for
spam recognition. When false positives occur you should consider the methods
employed for spam recognition.

the specified filtering intensity is lower, the same set of signs can only result in
message identification as suspicious (Probable Spam) or even normal.

Higher level of filtering intensity can be used in cases, when the application does
not detect spam or when it recognizes spam as suspicious mail (Probable
Spam). However, the probability of false positives in that case also becomes
higher and normal mail can be recognized as spam.

Lower intensity degree decreases the probability of false positives but it in­creases the possibilities for spam to bypass the filter.

4.3.1. Analysis of formal signs

The method uses a set of rules based on examination of certain message head­ers and their comparison with sets of headers typical of spam messages. In addi­tion to header analysis, the application takes into account message structure,
size, presence of attachments and other similar signs.

The method also provides for analysis of data transmitted by the sender during
an SMTP session. In particular, the following information is estimated:

 IP address of the server that has sent the message, and whether it is

included into black list of recipients;

 IP addresses of intermediate relay servers obtained from the Received

headers;

 e-mail addresses of message sender and recipients transmitted in

SMTP session commands;

 presence of the sender's and recipients' addresses in white or black

lists;

 conformity of the addresses transmitted during SMTP session to the set

of addresses specified in message headers and a number of other
checks.

40 Kaspersky® Mail Gateway 5.6

Note

The purpose of spam filtering is to decrease the volume of unwanted messages
in the mailboxes of your users. It is impossible to guarantee detection of all
spam messages, because too strict criteria would inevitably cause filtering of
some normal messages as well.

4.3.2. Content filtration

Message analysis employs the algorithms of content filtering: the application
uses artificial intelligence technologies to analyze the actual message content
(including the Subject header), and its attachments (attached files) in the follow­ing formats:

 plain text (ASCII, not multibyte)
 HTML (2.0, 3.0, 3.2, 4.x, XHTML 1.0).

The application uses three main groups of methods to detect spam messages:

 Text comparison with semantic samples of various categories

(based on the search for key terms (words and word combinations) in
message body and their subsequent probabilistic analysis). The method
provides for heuristic search for typical phrases and expressions in text.

 Fuzzy comparison of a message being examined with a collection

of sample messages based on comparison of their signatures. The

method helps detect modified spam messages.

 Analysis of attached images.

All the data employed by Kaspersky Mail Gateway for content filter­ing: classification index (a hierarchical list of categories), message samples, typi­cal terms, etc. are stored in the application databases.

The principles of the application’s operation 41

Note

The group of spam analysts at Kaspersky Lab works nonstop to supplement and
improve Kaspersky Mail Gateway databases. Therefore, you are advised to up­date the databases regularly.

You can also send to Kaspersky Lab samples of spam messages, which
Kaspersky Mail Gateway has failed to recognize as well as the samples of mes­sages erroneously classified as spam. The data will help us improve Kaspersky
Mail Gateway databases and react in a timely manner to new types of spam.
Please refer to Appendix C on page 191 for details on forwarding sample mes­sages.

4.3.3. Checks using external services

In addition to the analysis of message text and headers, Kaspersky Mail Gate­way allows a number of the following checks involving external network services:

 availability of a DNS record for message sender's IP (reverse DNS

lookup);

 the presence of the sender's IP address in a DNS-based real time black

hole list or lists (DNSBL);

 a check of the sender's address for compliance with SPF (Sender Policy

Framework) policy for the domain containing the server used to send
the message;

 a check of addresses and links to sites in message text for the presence

in the Spam URL Realtime Blocklists database – www.surbl.org;

 recognition of e-mail messages using the UDS (Urgent Detection Sys-

tem) technology.

All the checks listed above, except for UDS, are based on the use of the DNS
protocol and as a rule they require no additional network configuration.

4.3.4. Urgent Detection System

Urgent Detection System is an original technology of spam detection developed
and supported by Kaspersky Lab. It is based on the following principles:

 A message being analyzed is used to select a collection of properties,

which can be used to identify the message. The set of properties may
include header information, text fragments and other information about
the message being processed.

42 Kaspersky® Mail Gateway 5.6

Note

Since the product does not transmit to external servers any data that
could allow viewing the recipients or the text of the processed mail, the
use of this method does not pose any risk to the safety or confidential­ity of your information.

Note

The UDS technology allows filtering of known spam before updates to
Kaspersky Mail Gateway databases become available.

 Filtration server uses the properties thus collected to generate a small

UDS request and sends it to one of UDS servers of Kaspersky Lab.

 The UDS server checks the received request against a database of

known spam. If the request matches a known spam sample, a message
will be sent to the filtration server informing that the e-mail is very likely
to be spam. The information will be taken into account during assign­ment of a certain status to e-mail.

A filtration server interacts with UDS servers of Kaspersky Lab via UDP using
port 7060 for communication. In order to use UDS, a filtration server must be
able to establish outgoing connections through that port.

Information about available UDS servers is added to Kaspersky Mail Gateway
databases. The choice of an individual UDS to be used for message analysis is
performed automatically on the basis of the response time of accessible UDS
servers.

4.3.5. Recognition results and actions over

messages

The analysis procedure results in assignment of one of the following statuses to
a message:

 Spam – message recognized as spam.
 Probable Spam – message contains some spam signs; however, it

cannot be unambiguously identified as spam.

 Formal (automatically generated letter) – message is formal, for exam-

ple, it is a mail server notification informing about mail delivery or inabil­ity to deliver it or about message infection with a virus. The category in­cludes messages sent automatically by mail clients. Such messages
are usually not considered to be spam.

The principles of the application’s operation 43

Note

Although the product is being constantly developed in order to improve spam
recognition and decrease the number of false positives from the filter, it is not
possible to eliminate altogether the probability of recognizing normal messages
as spam. Therefore, you are advised to use with caution the actions deleting
messages.

Attention!

Preservation of all useful mail must be the top priority task for the system ad­ministrator because the loss of a single important message may cause more
trouble for the end user than receipt of a dozen of spam messages. To avoid
the loss of necessary mail, you are advised to use only non-destructive actions
with mail identified after content analysis as spam or probable spam.

 Blacklisted – message received from an address present in a black list.
 Not detected – a message that has no sufficient spam signs to be rec-

ognized as spam. No actions are specified for messages with such
status.

Messages that have received the Not detected status (the message has not
been recognized as spam), are always transferred to the specified recipient. In
that case the letter must also contain no infected or suspicious objects revealed
during anti-virus scanning.

Each e-mail message can be assigned just one of the above statuses. The appli­cation records the status assigned to a message after analysis to a special X-
SpamTest-Status-Extended header. Please refer to section B.18 on page
183 for details about the headers added to mail messages after filtering.

After recognition, the application may perform one of the following actions over a
message:

 add a text mark in the message subject field;
 append special headers to the message;
 delete message.

System administrator can define which of the listed actions will be performed
over messages with a specific status.

In addition to actions related to mail routing, the administrator can specify the
actions for message modification, which can be helpful both for visualization of
recognition results and for use in combination with the filters in client e-mail soft­ware of end users:

 Add a label to the message subject field.

44 Kaspersky® Mail Gateway 5.6

Attention!
You are advised to update the anti-virus databases regularly, to maximize the

efficiency of anti-virus functionality with respect to new viruses. Updates for the
anti-virus databases are made available on Kaspersky Lab‟s update servers
every hour.

Note

An object can be assigned the Disinfected status only if the cure mode
has been enabled for infected objects.

 Add to message special X-SpamTest-* headers. The headers can be

used later for automatic mail processing by the e-mail software of end
users. Please refer to section B.18 on page 183 for details about the
headers added to mail messages after filtering.

4.4. Operation of the anti-virus

scanning module

The AV module checks message components for the presence of viruses.
During the scanning and disinfection of detected infected objects the AV module

uses the anti-virus databases, which contain descriptions of all currently known
viruses and methods for disinfecting objects containing them.

By default, the application‟s AV module only scans your e-mail traffic; it does not
cure infected objects.

To enable disinfection, set the AVCure parameter in the [mailgw.group:
group_name] section of the configuration file to true. If disinfection has been
successful, the object is assigned Disinfected status.

An object may be assigned one of the following statuses in the process of its
scanning:

 Clean – object is clean.
 Infected – object is infected and cannot be disinfected or its disinfection

has not been attempted.

 Disinfected – infected object has been successfully disinfected.

 Suspicious – object is suspected of being infected with an unknown vi-

rus or with a new modification of a known virus.

The principles of the application’s operation 45

Attention!
The action can only be defined for objects with Disinfected status (Ac-

tionDisinfected parameter).

 Protected – scanning failed because the object is password-protected

(e.g., it is an archive).

 Error – object is an error occurred during the scan.
 Not_checked – object has not been scanned because anti-virus checks

have been disabled.

The actions performed by the AV module on an object which has passed scan­ning are determined by the corresponding options in the configuration file (Ac-
tionInfected, ActionSuspicious, etc.). Each message status has a correspond­ing option. The following actions are available:

 cure – replace the infected object in a message with a disinfected one;

 pass – transfer the object without modifications, no actions will be ap-

plied to the object;

 remove – remove the object from the e-mail message;
 placeholder – replace the object with a notification generated from a

template.

Attention!

To perform the tasks described, some changes must be made to the applica­tion‟s configuration file, following which the application must be restarted to ap­ply the modifications.

Attention!
In the examples below, it is assumed that the administrator has completed all

required post-installation tasks and the application operates correctly.

CHAPTER 5. ANTI-VIRUS

PROTECTION AND SPAM
FILTRATION

Kaspersky Mail Gateway can provide anti-virus protection and spam filtering for
e-mail traffic transferred through your organization‟s mail server.

The tasks implemented by Kaspersky Mail Gateway may be divided into three
major groups:

1. Updates of the anti-spam and anti-virus databases used for spam
filtering, anti-virus scanning and disinfection of objects.

2. Spam filtering.

3. Anti-virus protection of e-mail traffic.

Each of these groups comprises more specific tasks. In this chapter, we will dis­cuss some typical tasks that the administrator can combine and enhance in ac­cordance with the needs of his/her organization.

This guide describes how to locally configure and start tasks from the command
line. Issues related to starting and managing tasks from remote computers using
the Webmin application are not discussed in this document.

5.1. Updating the anti-virus and anti-

spam databases

Kaspersky Mail Gateway uses the anti-virus and anti-spam databases while
processing e-mail traffic.

Anti-virus protection and spam filtration 47

Note

The keepup2date component supports Basic authentication for connections
through a proxy server.

Note

Updates for the anti-spam databases are made available on Kaspersky Lab‟s
update servers every three minutes. Updates for the anti-virus databases of
Kaspersky Mail Gateway are made available on Kaspersky Lab‟s update serv­ers every hour.

Attention!
We strongly recommend that the keepup2date component is configured to up-

date the databases every three minutes!

The anti-spam database is employed for spam filtering, which requires the analy­sis of the contents of message bodies and attached files to identify unsolicited e­mail.

The anti-virus databases are employed during scanning and disinfection of in­fected objects; they contain descriptions of all currently known viruses and the
methods of disinfection for objects affected by those viruses.

The keepup2date component is included in Kaspersky Mail Gateway to provide

for software updates. The updates are retrieved from Kaspersky Lab‟s update

servers, e.g.:

http://downloads1.kaspersky-labs.com/
http://downloads2.kaspersky-labs.com/
ftp://downloads1.kaspersky-labs.com/ etc.

The updcfg.xml file included in the installation package lists the URLs of all avail­able update servers.

To update the anti-virus and content filtration databases, the keepup2date com­ponent selects an address from the list of update servers and tries to download
updates from that server. If the server is currently unavailable, the application
connects to another server on the list, until it succeeds.

After connection to an update server, keepup2date identifies available updates
and downloads them.

After a successful update, the command specified by the value of the PostUp-
dateCmd parameter in the [updater.options] section of the configuration file will
be executed. By default, this command starts compilation of the anti-spam mod­ule databases and automatically restarts the application. The restart is necessary
to make the application use the updated anti-spam databases. Kaspersky Mail

48 Kaspersky® Mail Gateway 5.6

Note

All settings of the keepup2date component are stored in the [updater.*] sec­tions of the configuration file.

Gateway anti-virus databases are loaded without restart. Incorrect modification of
this parameter may prevent the application from using the updated databases or
cause it to function erroneously.

If you have purchased a license for Kaspersky Mail Gateway to provide only anti­virus scanning of e-mail traffic, downloading of updates for the anti-spam data­bases can be disabled. To do so, assign the values AVS, AVS_OLD, CORE,

Updater, and BLST to the UpdateComponentsList parameter in the [up­dater.options] section:

[updater.options]

UpdateComponentsList=AVS, AVS_OLD, CORE, Updater,
BLST

If your network has a complicated structure, you are advised to download up­dates from Kaspersky Lab‟s update servers every three minutes and place them
in a network directory. Other networked computers can be configured to copy
their updates from that directory. For detailed instructions on how to implement
this scenario, see section 5.1.3 on p. 50.

The updating process can either be scheduled to run automatically using the
cron utility (see section 5.1.1 on p. 48), or started manually from the command
line (see section 5.1.2 on p. 49). Starting the keepup2date component requires
root user privileges.

5.1.1. Automatic updating of the anti-virus

and anti-spam databases

Regular automatic updates for the anti-virus and anti-spam databases can be
scheduled using the cron utility.

Example:

Configure the cron utility to update automatically your anti-virus and anti­spam databases every three minutes. An update server should be selected
from the updcfg.xml file by default. Only errors occurring in the component
operation should be recorded in the system log. Keep a general log of all
task starts. Output no information to the console.

Anti-virus protection and spam filtration 49

To perform the above task, do the following:

1. In the application‟s configuration file, specify the following values for
these parameters:

[updater.options]

KeepSilent=true

[updater.report]

Append=true

ReportLevel=1

2. Edit the cron task file for the root user by typing this command: crontab

-u root -e and add the following line:

In Linux:

*/3 * * * * /opt/kaspersky/mailgw/bin/mailgw­keepup2date

In FreeBSD:

*/3 * * * * /usr/local/bin/mailgw-keepup2date

5.1.2. Manual updating of the anti-virus and

anti-spam databases

You can start updating your anti-virus and anti-spam databases from the com­mand line at any time.

Example:

start updating of the anti-virus and anti-spam databases, save the results of
updating in the /tmp/updatesreport.log file.

To accomplish the task, log in as root (or any other privileged user) and enter at
the command line:

# mailgw-keepup2date -l /tmp/updatesreport.log

If you need to update the anti-virus and anti-spam databases on several servers,
it may be more convenient to download the updates from an update server once,
save them to a shared directory, and mount the directory within the file system of
every server running Kaspersky Mail Gateway. Then it will be sufficient to launch
the update script, having first specified the mounted directory as the source of
updates. Please see section 5.1.3 on p. 50 for details of how to create a shared
directory for updates.

50 Kaspersky® Mail Gateway 5.6

Attention!
These and other similar tasks can be accomplished remotely using the Webmin

remote administration module.

Note

Please keep in mind that for Kaspersky Mail Gateway 5.6 only anti-virus and
anti-spam databases will be updated.

Example:

start updating the anti-virus and anti-spam databases from the local direc­tory /home/kluser/bases. If the directory is inaccessible or empty, update the

databases from Kaspersky Lab‟s update servers. Save the results to the

/tmp/updatesreport.log file.

To accomplish the task, log in as root (or any other privileged user) and do the
following:

1. Mount the shared directory containing the anti-virus database updates
as the local directory /home/kluser/bases.

2. In the application configuration file, specify the following values for
these parameters:

[updater.options]

UpdateServerUrl=/home/kluser/bases

UseUpdateServerUrl=true

UseUpdateServerUrlOnly=false

3. Enter the following at the command line:

# mailgw-keepup2date -l /tmp/updatesreport.log

5.1.3. Creating a network directory to store

and share updates

Kaspersky Mail Gateway supports copying of updates to databases and applica­tion modules into a network directory for sharing and storage. That directory can
be specified as the source of updates for the Kaspersky Mail Gateway 5.6 instal­lations on network computers as well as other applications of Kaspersky Lab
(versions 6.0 and 7.0).

To ensure that local computers are correctly updated from the shared directory,
the directory must have the same file structure as Kaspersky Lab‟s update serv­ers. This task deserves a detailed explanation.

Anti-virus protection and spam filtration 51

Note

If other applications (versions 6.0 and 7.0) of Kaspersky Lab will be up­dated from the shared directory, the keepup2date component must be
started as follows:

#mailgw-keepup2date –x <rdir>

Note

Users may set up their e-mail clients to transfer labeled messages to
corresponding directories.

Example:

create a shared local directory which local computers will use as the source
to update their anti-virus and anti-spam databases.

To accomplish the task, log in as root (or any other privileged user) and do the
following:

1. Create a local directory.

2. Define the following parameter values in the application configuration
file:

[updater.options]

RetranslateComponentsList =KAS303, AVS, AVS_OLD,
CORE, Updater, BLST

3. Run the keepup2date component as follows:

# mailgw-keepup2date -u <rdir>

where <rdir> is the full path to the directory created.

4. Grant read-only access to the directory for local computers on your
network.

5.2. Spam filtration

This section contains sample tasks demonstrating the application‟s functionality

related to spam filtering. The examples show the main mechanisms used by the
application to combat spam, and in particular:

 spam filtration and organization of user groups;
 marking of messages identified as spam, probable spam, formal or

blacklisted mail with special labels in the Subject header;

 blocking of delivery for messages identified as spam, probable spam,

formal or blacklisted mail;

52 Kaspersky® Mail Gateway 5.6

 saving of messages identified as spam, probable spam, formal or black-

listed mail in the quarantine directory.

The section also includes information about the procedure used by the anti-spam
module components and about the parameters controlling the anti-spam module.

5.2.1. Starting and managing the

components of the anti-spam module

The main components of the anti-spam filtration server including:

 the filtering master process (mailgw-process-server)
 licensing daemon (mailgw-kas-license)
 the SPF daemon (mailgw-spfd)

are launched at the operating system start-up by a special script, which is named
and located differently in Linux and FreeBSD operating systems. The Linux op­erating system uses the mailgw script located in the
/opt/kaspersky/mailgw/lib/bin/ directory (the /etc/init.d/mailgw link can be used,
too), while the FreeBSD operating system employs the mailgw.sh script in the
/usr/local/etc/rc.d/ directory.

The administrator can use the said scripts with the command line parameters
described below to start, stop or restart the main components of the filtration
server:

 start – start the main components of the filtration server.
 stop – stop operation of the main components of the filtration server.
 restart – restart the main components of the filtration server; the action

is identical to running the stop and start actions one after another.

5.2.2. Managing the filtration process

The main purpose of the anti-spam module is detection of unwanted messages
in e-mail stream. The module has an advanced system of settings for configura­tion of spam recognition and its further processing:

 The level of spam recognition intensity (SpamRateLimit parameter in

the [mailgw.policy] section). The application decides whether a mes­sage contains spam on the basis of several signs revealed in it by the
scanning module (please refer to section 4.3 on page 38 for details).

Anti-virus protection and spam filtration 53

 Addition of ProbableSpam or Obscene marks to the header of mes-

sages recognized as mail belonging to the corresponding category after
checks (SpamMarkProbable and SpamMarkObscene parameters re­spectively).

 Verification of information about message sender in DNS and DNS-

based services: DNSBL, SPF, etc (SpamUseDNS parameter).

 Checks of the sender IP address using a set of DNSBL services

(SpamCheckDNSBL parameter).

 Check of sender IP presence in DNS (SpamCheckHostInDNS parame-

ter).

 Check of sender IP using SPF (Sender Policy Framework) (Spam-

CheckSPF parameter).

 Check of sender IP address presence using SURBL (Spam URL Real-

time Blocklists) (SpamCheckSURBL parameter).

 Analysis of message headers checking them for:

 List of undisclosed recipients in message headers (SpamHeader-

sToUndisclosed parameter).

 Groups of digits in the sender‟s or recipient‟s address (SpamHead-

ersFromOrToDigits parameter).

 Missing domain part in address (SpamHeadersFromOrToNoDo-

main parameter).

 Long text in message subject (SpamHeadersSubjectTooLong pa-

rameter).

 Multiple spaces and dots in message subject (SpamHeadersSub-

jectWSOrDots parameter).

 Digital identifier or time label in message subject (SpamHeaders-

SubjectDigitIDOrTimestamp parameter).

 Text in Chinese, Korean, Thai or Japanese in message headers

(SpamHeadersMarkAllChinese, SpamHeadersMarkAllKorean,
SpamHeadersMarkAllThai, SpamHeadersMarkAllJapanese pa­rameters).

 Addition to message header of a prefix describing its status assigned by

the anti-spam module after scanning (MarkSubject parameter).

 Maximum size (Kb) of messages scanned for spam presence (Spam-

CheckSizeLimit parameter).

54 Kaspersky® Mail Gateway 5.6

 Definition of individual groups of senders/recipients whose mail will be

handled using custom rules (the [mailgw.group:group_name] section
is used), including filtration based on black or white lists (please refer to
section 5.2.3 on page 54 for details).

5.2.3. Mail filtration using black and white

lists

White list of senders is used to specify explicitly the addresses that provide mail
which should not be scanned for presence of spam signs. The list can include,
for example, IP addresses of e-mail servers used to relay mail in corporate LAN
or the addresses of internal mailing lists.

During application configuration, white lists are created using specifically defined
groups for which anti-spam and/or anti-virus scanning is disabled
(CheckSpam=false, CheckAV=false).

Black list of senders has the opposite meaning. Administrators of the filtration
server can add to the list addresses which spammers use to distribute their mail
and computers spreading viruses.

Black lists are implemented through definition of an appropriate set of Connec-
tRule rules with specified deny action.

Example:
Task:

 Create a group of senders whose mail will be treated as belonging to a

white list. Criterion including senders in white list: any host of the

10.10.0.0/16 subnet.

 Create a group of senders whose mail will be treated as belonging to a

black list. Criterion including senders in black list: host with the

10.10.138.99 address.

 Messages from the white list should not be scanned for presence of

spam or viruses; they should be forwarded to recipients unchanged.

 Messages from the black list should not be accepted.

To accomplish the task, perform the following steps:

o Define the level of spam filtration intensity setting the corresponding pa-

rameter in the [mailgw.policy] section of the configuration file to the fol­lowing value:

SpamRateLimit=standard

Anti-virus protection and spam filtration 55

2. In the [mailgw.access] section specify a ConnectRule to reject a ses­sion when connection is established with the 10.10.138.99 address:

[mailgw.access]

...

ConnectRule=deny for ip 10.10.138.99

...

3. Create the [mailgw.group:whitelist] section which defines the follow­ing rules for processing of mail for the users included into the whitelist
group:

[mailgw.group:whitelist]

Recipients=*

Senders=ip 10.10.0.0/16

CheckSpam=false

CheckAV=false

5.2.4. Managing the UDS service

Checking the access time of UDS servers

The application uses the uds-rtts.sh script to check the time required for access
to the UDS servers of Kaspersky Lab. Collected data is used to select the most
suitable server for UDS queries.

Script launch command in Linux:

# /opt/kaspersky/mailgw/lib/bin/kas-filter/uds-rtts.sh -q

In FreeBSD:

# /usr/local/libexec/kaspersky/mailgw/kas-filter/\
uds-rtts.sh -q

To increase the efficiency of the UDS server you should configure the task
checking the UDS server access time to run regularly, for example, using cron.

The recommended interval between task starts is every 10-15 minutes.

Checking UDS server availability

To check if a UDS server is available (i.e. it can be accessed), run the uds-rtts.sh
script with the -a option as follows:

In Linux:

# /opt/kaspersky/mailgw/lib/bin/kas-filter/uds-rtts.sh -a

56 Kaspersky® Mail Gateway 5.6

In FreeBSD:

# /usr/local/libexec/kaspersky/mailgw/kas-filter/\
uds-rtts.sh -a

Restarting as kluser

uds-rtts: OK, updated 1 records.

uds-rtts: uds.kaspersky-labs.com available rtt=4103

uds-rtts finished successfully.

5.2.5. Managing the list of enabled DNSBL

services

Checks of sender IP address presence in DNSBL are performed on two levels:

 When an incoming connection is established (provided that an appro-

priate rule is specified in the ConnectRule parameter), please see sec­tion Appendix A on page 107.

 When the anti-spam module checks a message (the check also in-

cludes verification of IP addresses mentioned in the Received header of
the message). You can define for each group of users whether the ap­plication will run checks involving DNSBL services for that group.

Management of the DNSBL services used by the application belongs to general
settings of the anti-spam module. The list of available services is common for all
user groups.

Each DNSBL service is defined through its address where queries are sent and
its corresponding rating.

Service rating determines how trustworthy the service is in the opinion of the
administrator. When a sender‟s IP address is checked in DNSBL, Kaspersky Mail
Gateway sends a query to all the services included in the list. When the results
are returned, it sums up the rating values of the services, which have recognized
the specified IP address as a source of spam mail.

When IP address presence in DNSBL is checked at connection establishment,
the in_dnsbl rule (see section Appendix A on page 107) will be applied if the
sum of ratings of the triggered DNSBL services reaches 100 or exceeds the
value.

If IP address presence in DNSBL is checked by the anti-spam module, message
sender is assumed to be included in the black list and the letter receives black­listed status if the sum of ratings of triggered DNSBL services reaches 100 or
exceeds the value. The status is assigned irrespectively of the results returned
by checks using other methods.

Anti-virus protection and spam filtration 57

If the sum of ratings of the triggered DNSBL services exceeds 100, the sender
will be assumed to be included into black list and the corresponding message will
receive the blacklisted status independently from the results returned by other
checks based on various methods. Some filtering intensity levels also allow
situations when the sum of ratings for services which contain the sender in their
black lists is less than 100. In that case information about sender presence in
black lists is used as an additional sign only and such mail is recognized as
spam if there are more signs revealed by other checks.

5.2.6. Marking of messages containing

spam

Example:

 Filter spam using the standard degree of filtering intensity.
 Modify the Subject header of messages identified as spam or probable

spam.

To perform the above task, do the following:

Specify the level of spam filtering intensity, by setting the Spam-
RateLimit parameter value in the [mailgw.policy] section of the con­figuration file. Then define the mail processing rules:

SpamRateLimit=standard

CheckSpam=true

MarkSubject=spam,probable

5.2.7. Blocking delivery of spam messages

Example:

 Filter spam; specify the standard degree of filtering intensity.
 Block the delivery of messages identified as spam or probable spam, for

users in the managers group.

 Block the delivery of spam messages only, for all other users.

To perform the above task, do the following:

1. Specify the level of filtering intensity. To do so, specify the following
parameter value in the [mailgw.policy] section of the configuration file:

SpamRateLimit=standard

58 Kaspersky® Mail Gateway 5.6

2. Create the [mailgw.group:managers] section, which will define the
rules for processing the e-mail of users included in the managers
group:

[mailgw.group:managers]

Recipients=*@managers.example.com

CheckSpam=true

BlockMessage=as/spam,as/probable

Mail processing rules for all other users will also be defined by the
[mailgw.policy] section:

[mailgw.policy]

CheckSpam=true

BlockMessage=as/spam

5.2.8. Storage of spam message copies in

the quarantine directory

Storing message copies in the quarantine directory can be combined with block­ing e-mail delivery, but not necessarily. In the first case messages identified as
spam or probable spam will not reach the mailboxes of recipients, but are saved
in the quarantine directory. In the second case, the messages will be delivered to
end users and message copies will be preserved in quarantine.

Example:

 Filter spam; specify the standard degree of filtering intensity.
 Copy all messages identified as spam, probable spam, formal or black-

listed mail to the quarantine directory.

 Block the delivery of messages identified as spam or probable spam.

To perform the above task, do the following:

1. Specify the level of filtering intensity, by setting the following parameter
value in the [mailgw.policy] section of the configuration file:

SpamRateLimit=standard

2. Specify the following parameter values in the [mailgw.policy] section of
the configuration file:

[mailgw.policy]

CheckSpam=true

BlockMessage=as/spam,as/probable

Anti-virus protection and spam filtration 59

Attention!
Blocked and quarantined messages that have been assigned the status Spam,

Probable Spam, Formal or Blacklisted by the anti-spam module may contain
viruses, as their anti-virus scanning will be skipped after performance of these
actions.

QuarantineMessage=as/spam,as/probable,as/formal,
as/blacklisted

5.3. Anti-virus protection of e-mail

traffic

This section contains examples of Kaspersky Mail Gateway‟s anti-virus protec­tion of e-mail traffic. The settings described in the examples can be combined to
produce more sophisticated e-mail traffic protection schemes.

5.3.1. Delivery of messages with clean or

disinfected objects only

Example:

 Scan all the server‟s incoming and outgoing e-mail traffic for viruses.
 Cure infected objects.
 Remove from e-mail messages all infected objects which could not be

cured.

 Deliver messages to recipients containing clean and disinfected objects

only.

To perform the above task, specify the following parameter values in the
[mailgw.policy] section:

1. Define the anti-virus scanning mode for all e-mail messages:

CheckAV=true

2. Enable disinfection mode for infected objects:

AVCure=true

3. Specify the operations, which must be performed with the objects:

ActionDisinfected=cure

ActionInfected=remove

60 Kaspersky® Mail Gateway 5.6

Note

Notifications can be delivered to the administrator, message recipient and
sender, informing them of the detection of infected or suspicious objects (see
section 5.3.4 on p. 62). Also, messages containing infected, suspicious or
password-protected objects can be saved in the quarantine directory (see
section 5.3.6 on p. 64).

ActionSuspicious=remove

ActionProtected=remove

ActionError=remove

BlockMessage=

5.3.2. Replacement of infected objects by

standard notifications

Task:

 Scan all e-mail traffic on the server for viruses, and cure infected ob-

jects in e-mail messages.

 Objects which cannot be cured, and suspicious, damaged or password-

protected objects, must be deleted and replaced with a standard notifi­cation.

Solution: To perform the above task, specify the following parameter values in
the [mailgw.policy] section:

1. Define the anti-virus scanning mode for all e-mail messages:

CheckAV=true

2. Enable disinfection mode for infected objects:

AVCure=true

3. Specify the operations, which must be performed with the objects:

ActionDisinfected=cure

ActionInfected=placeholder

ActionSuspicious=placeholder

ActionProtected=placeholder

ActionError=placeholder

BlockMessage=

Anti-virus protection and spam filtration 61

Note

In addition to replacing infected and suspicious objects with standard
sages, the application can deliver notifications to the administrator with in­formation about the detection of the objects (see section 5.3.4 on p. 62) and
save the messages containing the objects in the quarantine directory (see
section 5.3.6 on p. 64).

Attention!
While implementing this task, please note that if a message contains several

objects, one of which cannot be disinfected or is suspicious or password
protected, the delivery of the whole message will be blocked.

5.3.3. Blocking delivery for messages

containing suspicious objects

Example:

 Scan all e-mail traffic on the server for viruses, and cure infected ob-

jects in e-mail messages;

 Block the delivery of messages containing objects which cannot be

cured, and suspicious, damaged or password-protected objects.

To perform the above task, specify the following parameter values in the
[mailgw.policy] section:

1. Define the anti-virus scanning mode for all e-mail messages:

CheckAV=true

2. Enable disinfection mode for infected objects:

AVCure=true

3. Specify the operations, which must be performed with the objects:

ActionDisinfected=cure

ActionInfected=pass

ActionSuspicious=pass

ActionProtected=pass

ActionError=pass

BlockMessage=av/infected,av/suspicious,
av/protected,av/error

62 Kaspersky® Mail Gateway 5.6

Note

The application can also be configured to send notifications to the administrator
with information about the detection of infected or suspicious objects (see
tion 5.3.4 on p. 62) and save the messages containing those objects in the
quarantine directory for later delivery to Kaspersky Lab for examination (see
section 5.3.6 on p. 64).

5.3.4. Delivery of notifications to the

sender, administrator and recipients

Example:

 Scan all e-mail traffic on the server for viruses, and cure all infected ob-

jects.

 Deliver messages to recipients containing only clean and disinfected

objects.

 Delete all objects which cannot be cured, as well as suspicious, dam-

aged or password-protected objects.

 Notify the senders, recipients and the administrator about cured, incur-

able, deleted and suspicious and damaged objects in e-mail messages.

To perform the above task, specify the following parameter values in the
[mailgw.policy] section:

1. Enable disinfection mode for infected objects:

AVCure=true

2. Specify the operations, which must be performed with the objects:

ActionDisinfected=cure

ActionInfected=remove

ActionSuspicious=remove

ActionProtected=remove

ActionError=remove

BlockMessage=

3. Specify the cases in which notifications should be sent, and their recipi­ents:

NotifyAdmin=av/disinfected,av/infected,
av/suspicious,av/protected,av/error

Anti-virus protection and spam filtration 63

NotifyRecipient=av/disinfected,av/infected,
av/suspicious,av/protected,av/error

NotifySender=av/disinfected,av/infected,
av/suspicious,av/protected,av/error

5.3.5. Additional filtering of objects by

name and type

E-mail messages frequently contain objects for which virus infection is highly
probable (e.g., executable files). To avoid infection, you are advised to configure
the application to filter e-mail by name and/or attachment types, and save these
objects in a separate directory.

There are also objects which cannot be infected with viruses (e.g., plain text
files). To reduce the load on the server during anti-virus scanning of e-mail mes­sages, you are advised to specify the types and/or the names of such attach­ments in advance so that the application does not scan them.

Filtering of objects is performed using name masks (IncludeByName, Exclude-
ByName parameters) and MIME types (IncludeByMime, ExcludeByMime pa­rameters).

Example:

 Delete .exe and .reg attachments from the e-mail of users in the man-

agers group.

 For users in the accounts group, delete all attached objects except for

.doc files .

 For users in the sales group, block messages containing attached .exe

files.

To perform the above task, do the following:

Create in the application‟s configuration file three

[mailgw.group:group_name] sections, which will contain processing
rules for the e-mail of users in the managers, accounts and sales
groups respectively:

[mailgw.group:managers]

Recipients=*@managers.example.com

IncludeByName=*.exe

IncludeByName=*.reg

ActionFiltered=remove

…

64 Kaspersky® Mail Gateway 5.6

[mailgw.group:accounts]

Recipients=*@accounts.example.com

ExcludeByName=*.doc

ActionFiltered=remove

…

[mailgw.group:sales]

Recipients=*@sales.example.com

IncludeByName=*.exe

BlockMessage=av/filtered

5.3.6. Saving messages in the quarantine

directory

Kaspersky Mail Gateway can be configured to store messages with specified
statuses in the quarantine directory.

This feature may be used, for example, if an infected attachment containing im­portant data was detected during anti-virus scanning. Attempting to disinfect the
file may corrupt the data. The message can be isolated in a separate directory
and subsequently sent to Kaspersky Lab for analysis. Our experts will probably
be able to disinfect the file, and preserve the data‟s integrity.

Example:

 Scan all e-mail traffic on the server for viruses and cure all infected ob-

jects.

 Deliver messages to the recipients containing only clean and disinfected

objects.

 Messages with incurable attachments or suspicious, damaged or pass-

word-protected objects must be saved in the quarantine directory
/opt/quarantine; delivery of these messages must be blocked.

To perform the above task, do the following:

1. Create the directory /opt/quarantine, which will be used to store blocked
messages, and grant the right to write to that directory to the account
used to run the application (kluser by default).

2. Enable the cure mode for infected objects, by setting the following pa­rameter value in the [mailgw.policy] section of the configuration file:

AVCure=true

Anti-virus protection and spam filtration 65

Note

The application settings described in this section are provided as examples only;
the administrator should adapt them as necessary.

3. Specify these parameter values in the [mailgw.policy] section of the
configuration file:

ActionDisinfected=cure

ActionInfected=pass

ActionSuspicious=pass

ActionProtected=pass

ActionError=pass

BlockMessage=

av/infected,av/suspicious,av/protected,av/error

QuarantineMessage=av/infected,av/suspicious,
av/protected,av/error

AVQuarantinePath=/opt/quarantine

5.4. Combining spam filtration and

anti-virus protection

The choices of application mode, of level of anti-virus scanning and of spam fil­tering intensity depend both on the volume of e-mail traffic to be processed by
the application, and the corporate security policy. Three modes demonstrated in
this section illustrate methods for combining spam filtration with anti-virus protec­tion of e-mail traffic.

5.4.1. Maximum speed

The mode allows high performance anti-virus scanning and spam filtration, which
may be necessary for processing a large volume of e-mail messages. The secu­rity level in this case is reduced, because the application does not cure infected
objects, but just sends notifications about their detection.

In this mode, the application:

 filters e-mail traffic for spam; the degree of filtering intensity is mini-

mum;

 blocks messages identified as spam;

66 Kaspersky® Mail Gateway 5.6

 marks messages identified as probable spam, formal or blacklisted mail

using special labels in the Subject header;

 performs anti-virus scanning of e-mail attachments, but does not at-

tempt to cure infected objects;

 filters and blocks delivery of messages containing the most dangerous

attachment types (an external file is used to define the list of dangerous
objects) and for messages containing infected attachments;

 notifies recipients about messages which have been blocked.

To enable this mode:

1. Specify the following parameter value in the [mailgw.policy] section of
the configuration file:

SpamRateLimit=minimum

2. Create a file List1 which contains a list of the most likely sources of vi­ruses, for example:

*.exe

*.bat

*.com

*.scr

*.bin

*.dll

3. Specify the following parameter values in the [mailgw.policy] section of
the configuration file:

AVCure=false

AVScanArchives=false

AVScanMailBases=false

CheckAV=true

CheckSpam=true

IncludeByName=file:<path to file>/List1

MarkSubject=probable,formal,blacklisted

ActionFiltered=pass

ActionInfected=pass

ActionSuspicious=pass

ActionProtected=pass

ActionError=pass

BlockMessage=av/infected,av/filtered,as/spam

Anti-virus protection and spam filtration 67

Note

The presence of several groups of senders/recipients
([mailgw.group:group_name] sections) slows down processing of e-mail
traffic. When high performance is required, you are advised to use the de­fault group only ([mailgw.policy] section) to specify the e-mail processing
rules.

NotifyRecipient=av/infected,av/filtered

5.4.2. Recommended mode

The mode gives the optimal balance between server performance and security.
In this mode, the application:

 filters e-mail traffic looking for spam; the degree of filtering intensity is

standard;

 marks messages identified as spam, probable spam, formal or black-

listed mail using special labels in the Subject header;

 performs anti-virus scanning and disinfection of e-mail attachments;
 replaces suspicious objects, and infected objects which cannot be

cured, with a standard notification;

 blocks delivery for messages containing password-protected attach-

ments and attached objects that cause errors during scanning; these at­tachments are added to the quarantine directory;

 notifies recipients about blocked messages.

To enable this mode:

1. Specify the following parameter value in the [mailgw.policy] section of
the application‟s configuration file:

SpamDetection=standard

2. Specify the following parameter values in the [mailgw.policy] section:

AVCure=true

AVScanArchives=true

AVScanMailBases=true

CheckAV=true

CheckSpam=true

MarkSubject=spam,probable,formal,blacklisted

ActionDisinfected=cure

68 Kaspersky® Mail Gateway 5.6

ActionInfected=placeholder

ActionSuspicious=placeholder

ActionProtected=pass

ActionError=pass

BlockMessage=av/protected,av/error

QuarantineMessage=av/protected,av/error

NotifyRecipient=av/protected,av/error

5.4.3. Maximum protection

In the maximum protection mode the speed of e-mail traffic processing is lower.
However, the mode provides the best protection for users against spam and vi­ruses. In this mode the application:

 filters e-mail traffic looking for spam; the degree of filtering intensity is

maximum;

 blocks delivery for messages identified as spam, probable spam, formal

or blacklisted mail and adds them to the quarantine directory;

 performs anti-virus scanning and disinfection of e-mail attachments;
 removes the following from messages: infected attachments which can-

not be cured; suspicious or password-protected objects, and objects
which caused errors during scanning;

 notifies message recipients and the administrator about infected, suspi-

cious and password-protected attachments, and objects which caused
errors during scanning.

To enable that mode:

1. Specify the following parameter value in the [mailgw.policy] section of
the configuration file:

SpamRateLimit=maximum

2. Specify the following parameter values in the [mailgw.policy] section of
the configuration file:

AVCure=true

AVScanArchives=true

AVScanMailBases=true

CheckAV=true

CheckSpam=true

MarkSubject=spam,probable,formal,blacklisted

Anti-virus protection and spam filtration 69

ActionDisinfected=cure

ActionInfected=remove

ActionSuspicious=remove

ActionProtected=remove

ActionError=remove

BlockMessage=as/all

QuarantineMessage=as/all

NotifyRecipient=av/infected,av/suspicious,
av/protected,av/error

NotifyAdmin=av/infected,av/suspicious,
av/protected,av/error

5.5. Additional features of

Kaspersky Mail Gateway

In addition to its main functions, of spam filtering and anti-virus scanning of e­mail traffic, the application can also perform these tasks:

 logging of received and sent e-mail;
 forwarding of all received e-mail;
 enabling restrictions for SMTP connections, preventing both hacker at-

tacks and the use of the application as an open relay for sending unau­thorized e-mail.

5.5.1. Automatically add incoming and

outgoing e-mail to archives

If the security policy of your organization includes archiving e-mail traffic proc­essed by the server, the application can be configured to add all e-mail mes­sages to archives. If necessary, the administrator can view all messages in ar­chives.

If the auto archiving option is enabled, copies of the following messages will be
archived:

 All incoming messages including spam or infected objects, without addi-

tionally notifying the administrator. Archiving these messages is enabled
when the path to the archive directory is specified as the value of the
IncomingArchivePath parameter in the [mailgw.archive] section).

70 Kaspersky® Mail Gateway 5.6

Attention!
Before you enable automatic archiving, make sure that there is enough space in

your server‟s file system to accommodate the archive.
Do not forget to purge this directory occasionally to remove old messages, and

to compress necessary files (the frequency at which this is required depends on
the intensity of e-mail traffic in your network).

 All outgoing messages, including messages delivered to recipients,

messages blocked because of a virus or spam, and notification mes­sages generated by the application. Archiving these messages is en­abled when the path to the archive directory is specified as the value of
the OutgoingArchivePath parameter in section [mailgw.archive]).

 All received messages before their scanning. The application starts

adding mail to archive if you specify a list of e-mail addresses (address)
where blind carbon copies of the mail will be sent (IncomingBcc option
in the [mailgw.archive] section).

5.5.2. Protection from hacker attacks and

spam

To provide the highest level of security for your e-mail system, you are advised to
modify the configuration file to extend the application‟s anti-virus functionality. To
protect your server from hacker attacks or, for example, to prevent spam being
relayed through your server, configure the following options:

 ConnectRule in the [mailgw.access] section. The parameter defines

application behaviour during establishment of an SMTP session.

 HeloRule in the [mailgw.access] section. The parameter defines the

application response to HELO/EHLO commands received from a client.

 MailfromRule in the [mailgw.access] section. The parameter defines

the application‟s behaviour in response to an attempt to send a mes­sage from a source (passed with the MAIL FROM command) with a
domain name which does not match the actual IP address or MX host
corresponding to that domain.

 RelayRule in the [mailgw.access] section. The parameter defines

rules for client access to the gateway. The correct settings of this option
are essential to prevent the application‟s use as a publicly open e-mail
relay.

Anti-virus protection and spam filtration 71

Attention!
Kaspersky Mail Gateway WILL NOT work without a key!

Attention!
A detailed discussion of the syntax of these parameters is provided in the de-

scription of the configuration file (see Appendix A on p. 107).

Attention!
DNSBL service (DNS-based Blackhole List) is a database that lists IP ad-

dresses of mail servers used for uncontrolled mass mailing. Such servers re­ceive mail from anyone and deliver it further to arbitrary recipients. Use of
DNSBL allows automatic blocking of mail from such mail servers. Various ser­vices use different policies for generation of such lists. Please examine care­fully the policy of each service before you start using it for mail filtration.

If a certain address is constantly used for sending spam and the administration
of the server used for spam distribution takes no preventive steps, you can
inform RBL about the spammer. The latter will be added to the database and
the record will allow automatic blocking of incoming e-mail sent from that mail
server.

You are also advised to enable restrictions for SMTP connections (see section

6.1.2 on p. 78).
Application version 5.6 supports the technology of DNS black lists. This technol-

ogy allows the blocking of incoming e-mail sent from unsafe servers registered in
the DNSBL database as servers sending spam. The list of DNSBL services is
specified in the DNSBlackList parameter, in the [mailgw.access] section of the
application configuration file.

5.6. Managing product keys

The right to use Kaspersky Mail Gateway is determined by the product key. The
key is included in the application‟s distribution kit and entitles you to use the ap­plication from the day on which you purchased it and installed the key.

After the key expires, the application will continue to work as before, except that
the anti-virus and anti-spam databases will no longer be updated. That is, the
application will still be able to scan e-mail messages for viruses, filter spam and
disinfect infected objects, but will be unable to use databases issued after the
key expiration date. Therefore, you may not be protected against new viruses
that appear after the license expired, and the anti-spam module will be unable to
filter new spam types.

72 Kaspersky® Mail Gateway 5.6

To protect your network‟s computers against new viruses and efficiently filter
spam, you are advised to renew the key for Kaspersky Mail Gateway.

The key gives you the right to use the application. It contains information related
to the license you have purchased, including the type of license, the key expiry
date, and information about dealers.

In addition to the right to use the application during the period of key validity, you
will have the following benefits:

 twenty-four-hour technical support;
 hourly updates of the anti-virus databases, and updates to the anti-

spam database made available every three minutes;

 timely notifications about new virus threats.

For all these reasons, it is essential to extend your product key before it expires.
One way to manage licenses is to install an additional key, which the application
will start to use as soon as the current active key expires (see section 5.6.2 on p.

74).

5.6.1. Viewing information about product

keys

You can view information about installed product keys in the reports of the
mailgw component. Each time the main application component starts it loads the

license key and displays its contents in the report.
More detailed information about the status of license keys may be obtained using

licensemanager, a special component of the application.
All information about keys may be viewed either on the server‟s console, or re-

motely from any networked computer that has access to the Webmin module.

To view information about all installed product keys, enter the following in the
command line:

In Linux:

# /opt/kaspersky/mailgw/bin/mailgw-licensemanager -s

in FreeBSD:

# /usr/local/bin/mailgw-licensemanager -s

The server console will display information similar to the following:

Kaspersky license manager for Linux. Version

5.6.0/RELEASE

Copyright (C) Kaspersky Lab, 1997-2008.

Anti-virus protection and spam filtration 73

Portions Copyright (C) Lan Crypto

License info:

Product name: Kaspersky Mail Gateway

Expiration date: 02-06-2008, expires in 34 days

Active key info:

Product name: Kaspersky Mail Gateway

Key file 00086CA1.key

Type: Commercial

Expiration date: 02-06-2008

Serial: 0007-000487-00086CA

To view information about a particular key, enter, the following in the command
line:

in Linux:

# /opt/kaspersky/mailgw/bin/mailgw-licensemanager -k
00053E3D.key

where 00053E3D.key is the name of the product key file.

in FreeBSD:

# /usr/local/bin/mailgw-licensemanager -k
00053E3D.key

The server console will display information similar to the following:

Kaspersky license manager. Version 5.6.0/RELEASE

Copyright (C) Kaspersky Lab. 1998-2008.

Portions Copyright (C) Lan Crypto

Product name: Kaspersky Mail Gateway

Creation date: 02-12-2007

Expiration date: 02-06-2008

Serial 0007-000487-00086CA

Serial 02B1-000454-00053E3

Type: Commercial

Lifespan: 91

74 Kaspersky® Mail Gateway 5.6

5.6.2. Renewing your product key

Renewing the Kaspersky Mail Gateway key gives you the right to re-enable full
product functionality, and to resume the additional services listed in section 5.6
on p. 71.

The validity period of the key depends on the product you bought, and the type
of the license you purchased. The license for Kaspersky Mail Gateway is usually
issued for one year.

To renew the Kaspersky Mail Gateway key:

Contact the company that sold you the application and renew your key
for Kaspersky Mail Gateway.

or:
Purchase a key directly from Kaspersky Lab. Write a letter of request to

the Sales Department of our company at sales@kaspersky.com or fill in
the corresponding form on our website (www.kaspersky.com), in the
section E-Store  Renew Your License. After your payment is re­ceived, we will send a license key to the e-mail address indicated in the
corresponding field of your license renewal form.

To install a new license key, enter the following in the command line:
in Linux:

# /opt/kaspersky/mailgw/bin/mailgw-licensemanager -a

00053E3D.key
where 00053E3D.key is the name of the product key file.

in FreeBSD:

# /usr/local/bin/mailgw-licensemanager -a
00053E3D.key

If the installation is successful, the server console will display information similar
to the following:

Kaspersky license manager. Version 5.6.0/RELEASE

Copyright (C) Kaspersky Lab. 1998-2008.

Portions Copyright (C) Lan Crypto

Key file 00053E3D.key is successfully registered

You are advised to update the anti-virus database after the installation.
If you want to install a new key before the current one expires, it can be added as

a backup key. The backup key will be activated immediately after the current one
expires. The term of validity for the additional key starts from the activation date.
You can install only one backup key.

Anti-virus protection and spam filtration 75

If you have installed two keys (the current and an additional one), information
about both of them can be viewed on the server console.

5.6.3. Removing a key

To remove the current license key and the backup key (if it is installed), enter the
following in the command line:

in Linux:

# /opt/kaspersky/mailgw/bin/mailgw-licensemanager -da

in FreeBSD:

# /usr/local/bin/mailgw-licensemanager -da

If the component removes the license key(s) successfully, the server console will
display the following (or similar) information:

Kaspersky license manager. Version 5.6.0/RELEASE

Copyright (C) Kaspersky Lab. 1998-2008.

Portions Copyright (C) Lan Crypto

Active key was successfully removed

To remove a backup key, enter the following in the command line:
in Linux:

# opt/kaspersky/mailgw/bin/mailgw-licensemanager -dr

in FreeBSD:

# /usr/local/bin/mailgw-licensemanager -dr

The server console will display the following (or similar) information:

Kaspersky license manager. Version 5.6.0/RELEASE

Copyright (C) Kaspersky Lab. 1998-2008.

Portions Copyright (C) Lan Crypto

Additional key was successfully removed

Attention!
Restart the application to apply modified settings.

Attention!
All timeout settings are located in the [mailgw.timeouts] section of the applica-

tion configuration file.

CHAPTER 6. ADVANCED

APPLICATION SETTINGS

This chapter discusses in detail the advanced settings of Kaspersky Mail Gate­way. In contrast to the main settings that provide the application functionality,
advanced settings can be configured optionally at the administrator‟s discretion.

6.1. Configuring anti-virus protection

of e-mail traffic

Application parameters in the [mailgw.policy] section define modes for mes­sage scanning and disinfection. They also and enable/disable the scanning of
archives and e-mail attachments (the AVScanArchives and AVScanMailBases
parameters respectively).

6.1.1. Setting up application timeouts

By setting up various timeouts, the administrator can:

 Limit the maximum period during which the application will attempt to

deliver unsent outgoing messages (MaximalBackoffTime parameter, in
seconds).

 Limit the minimum time which should elapse before the application will

attempt to re-send undelivered messages (MinimalBackoffTime pa­rameter).

 Specify the interval during which the application will try to deliver mes-

sages, at the frequency defined by the MinimalBackoffTime and
MaximalBackoffTime parameters (MaximalQueueLifetime option).

Advanced application settings 77

After this period elapses, the unsent message will be removed from the
ready-to-send queue. If necessary, a DSN message about the initial
message delivery failure will be generated.

 Specify timeouts for intercepting various network operations (for the

Sender and Receiver modules), such as:
 Network reading timeout (ReadTimeout option). The default time-

out specified in the application‟s configuration file is the optimal

value for most cases and it is advisable not to alter it.

 Network writing timeout (WriteTimeout option). The default timeout

specified in the application„s configuration file is the optimal value

for most cases, and it is advisable not to alter it.

 Specify timeouts used by the application to send messages:

 Maximum time for receiving data from the remote server when es-

tablishing an SMTP session (SendingInitialTimeout option).

 Maximum time to start an e-mail session (command HELO/EHLO)

(SendingHelloTimeout option).

 Timeout for receiving a response from the remote server to the

MAIL FROM command (SendingMailTimeout option).

 Timeout for defining the recipient (RCPT TO command) (Send-

ingRcptTimeout option).

 Timeout for initiating data transfer (DATA command) (Sending-

DataInitiationTimeout option).

 Timeout for stopping data transfer (CRLF.CRLF sequence) to the

remote server (SendingDataTerminationTimeout option).

 Timeout for quitting the current e-mail session (QUIT command)

(SendingQuitTimeout option).

 Specify timeouts used by the application to receive messages:

 Timeout for starting the DATA command (ReceivingDataInitia-

tionTimeout option).

 Timeout for stopping data transfer by the remote server (Receiv-

ingDataTerminationTimeout option).

 Timeout for waiting for the HELO/EHLO, MAIL FROM, RCPT TO

and QUIT commands from the remote server (ReceivingCom-
mandTimeout option).

 Timeout for object processing by the AV module (ScanTimeout option).

78 Kaspersky® Mail Gateway 5.6

Attention!
You can find all restriction settings in the [mailgw.limits] section of the applica-

tion‟s configuration file.

 Specify timeouts used by the application during communication with

DNS servers:
 Timeout for sending a query to DNS server and arrival of its re-

sponse (DNSNetworkTimeout option).

 Timeout for the total time it takes to receive response from DNS

server for all attempts (DNSResolveTimeout option).

 Timeout for storage of a DNS record in DNS cache (DNSCache-

MaximalTTL option).

 Timeout for storage of a DNS record for unreachable servers in

mailgw cache (UnreachableCacheTTL option).

6.1.2. Setting performance restrictions

Kaspersky Mail Gateway allows the administrator to set certain limits when work­ing with the application, which may reduce the load on the server and increase
performance. In addition, the application of network restrictions may prevent
some types of virus outbreaks and DOS attacks, which attempt to paralyze mail
servers with huge volumes of e-mail traffic.

You can set the following restrictions:

 Number of objects simultaneously processed by the Receiver, Sender

and AV modules (the IncomingSessions, OutgoingSessions, and
AntiviralSessions options, respectively).

 Maximum number of message hops (MaximalIncomingHops option).

Set this parameter to avoid looping due to incorrect configuration of the
routing table.

 Limit the maximum size for messages received by the server (Maximal-

IncomingMessageSize option), and the total number of messages re-
ceived during one e-mail session (MaximalIncomingMessagesPer­Session option).

 Limit the number of recipients of a single message (MaximalIncoming-

RcptsPerMessage option). This parameter prevents spam addressed

to your users).

 Maximum size of a single e-mail session (MaximalIncomingSession-

Size option).

Advanced application settings 79

 Maximum number of simultaneous connections from

the same IP (or host) that are processed by the Receiver and by the
Sender modules (MaximalIncomingSessionsPerlP and MaximalOut-
goingSessionsPerHost options respectively).

 Minimum size of available disk space on the partition where the applica-

tion‟s working queue is stored (the MinimalQueueFreeSpaceSize op-
tion). If during the application‟s operation the queue size increases to
the point that the available space is below this value, the application will
temporarily suspend receipt of new messages until the value returns to
the specified limits.

If the e-mail traffic at your server exceeds the specified limits, you are advised to
decrease the number of objects being simultaneously processed by the AV mod­ule (AntiviralSessions parameter) and the number of hops for a single message
(MaximalIncomingMessageSize option). This will increase the application‟s
performance and the message processing speed.

If your server has a low-speed Internet connection, the following actions are rec­ommended:

 Decrease the number of objects being simultaneously processed by the

Receiver and Sender modules (IncomingSessions and OutgoingSes-
sions options).

 Decrease the maximum number of incoming messages received during

a single session (MaximalIncomingMessagesPerSession option).

6.2. Setting up connection receiving

interfaces

The set of interfaces and ports on which the application receives connections is
defined by the ListenOn parameter in the [mailgw.network] section of the ap­plication‟s configuration file. By default, Kaspersky Mail Gateway listens for con-
nections on port 25 using all available interfaces.

If a particular interface is to be used, rather than all available interfaces, or if it is
necessary to use a port other than 25, additional settings configuration must be
performed.

For instance, To make the application wait for connections on port 1025 of inter­face 192.168.0.1:

assign the following value to the ListenOn parameter in the
[mailgw.network] section:

ListenOn=192.168.0.1:1025

80 Kaspersky® Mail Gateway 5.6

To use several particular interfaces, create several ListenOn parameter records
in the configuration file, for instance:

ListenOn=192.168.0.1:25

ListenOn=10.0.0.1:25

6.3. Setting up the routing table

The application does not include a local agent for message delivery, and there­fore all incoming e-mail messages must be transferred to the local host on which
the agent is installed.

The rules for transferring (routing) are set by the ForwardRoute parameter in the
[mailgw.forward] section.

This parameter is specified using one of the following formats:

ForwardRoute=<address_mask> <recipient>

ForwardRoute=<address_mask> [<recipient>]

ForwardRoute=<address_mask> [<recipient>:<port>]

where:

<address_mask> – the address of the recipient of the messages (wild­cards "*" and "?" can be used; if the parameter is assigned the value
any, then any recipient‟s address may be used).

<recipient> is the name of the domain containing the mail server, to
which (according to MX records) the e-mail must be sent.

[<recipient>:<port>] is the delivery point, using the recipient‟s IP ad­dress or host name, and port number.

For example, if you create the following record in section [mailgw.forward]:

ForwardRoute=*@example.com [localhost:1025]

then all e-mail messages to example.com will be sent to port 1025 of the local
host after processing by the application.

If several routing rules must be specified, create several copies of the For-
wardRoute parameter in the configuration file.

For example, if the section [mailgw.forward] contains these entries:

ForwardRoute=*@example.com [localhost:1025]

ForwardRoute=*@example.net [somehost.example.com]

ForwardRoute=*@example.org example.com

Advanced application settings 81

Attention!
When more than one rule applies to a message, the rule used is the first one

where the specified domain matches the domain of the message recipient.

the following processing rules will be followed:

 forward all e-mail messages for domain example.com to port 1025 of

the local host after processing by the application.

 forward all e-mail messages for domain example.net to port 25 of host

somehost.example.com after processing by the application.

 forward all e-mail messages for domain example.org to MX-host of

domain example.com after processing by the application (the domain
will be determined at the time the message is sent).

 forward all other messages to the corresponding MX-hosts after anti-

virus scanning and spam filtering.

6.4. Checking the configuration file

syntax

Use the -k or --check-config key in the command line of the mailgwd appli­cation component to check the syntax of its configuration file.

If the configuration file contains no errors, no information will be output to the
server console.

If the check reveals errors, the list of errors will be displayed in the console.

6.5. Syntax check in notification

templates

The application allows syntax checks of notification templates to be made by the

mailgw-tlv utility, which is installed by default in the directory
/opt/kaspersky/mailgw/bin/ (in Linux distributions) or in /usr/local/bin/ (for

FreeBSD distributions).

82 Kaspersky® Mail Gateway 5.6

To check the syntax of a notification template, enter the following in the com­mand line:

in Linux:

> /opt/kaspersky/mailgw/bin/mailgw-tlv ./dsn.tmpl

in FreeBSD:

> /usr/local/bin/mailgw-tlv ./dsn.tmpl

The utility will output, to the server console, a report similar to the example be­low:

Kaspersky Template Language Verifier, version

5.6.12/RELEASE,

Copyright (C) Kaspersky Lab, 1997-2008

Parsing error: Unexpected end of line in the declara­tion, line 63

If a template check is successful, the utility will report that template syntax is cor­rect. In case of errors it will display a description of possible failure. The utility‟s
return codes are described in section B.13 on p. 170.

6.6. Work with e-mail archives and

the quarantine directory

The mailgw-maila utility allows the management of objects stored in the quaran­tine directories, or in the archives of incoming/outgoing messages. The mailgw-
maila utility is installed by default to the /opt/Kaspersky/mailgw/bin/ directory (in
Linux) or /usr/local/bin/ directory (in FreeBSD).

It has the following functionality:

 Reviewing the whole storage contents, or information about certain

messages, for example, in Linux:

> /opt/kaspersky/mailgw/bin/mailgw-maila

--show-all --archive­path=/var/opt/kaspersky/mailgw/arch_in

In FreeBSD:

> /usr/local/bin/mailgw-maila

--show-all --archive­path=/var/db/kaspersky/mailgw/arch_in

Advanced application settings 83

The following (or similar) information will be output to console:

Kaspersky Mail Archives Manager, version

5.6.12/RELEASE,

Copyright (C) Kaspersky Lab, 1997-2008

--QueueID--Status-Size-------ArrivalTime---------

------Sender.../Recipient...

jFDpgGKo70777 av/suspicious 1065 Mon, 12 Dec 2007
15:13:51 +0300 10.0.0.1 <test@example.com> ->
<test2@example.com>

jFDpg4Hc04120 av/error 1056 Mon, 12 Dec 2007
15:13:51 +0300 10.0.0.1 <test@example.com> ->
test2@example.com

Total: 2 archived messages, 11425 bytes.

The utility outputs information about messages in a storage directory in
the following format:

ID STATUS SIZE DATE IP <SENDER> -> <RECIPIENT>

where:

ID – identification number of a stored message

STATUS – message status reflecting its current state.

A stored message may have any of the following statuses:

o incoming – message from the archive of incoming mail;
o outgoing – message from the archive of outgoing mail;
o as/spam – message with the Spam status, assigned by the

anti-spam module;

o as/probable – message with the status Probable Spam,

assigned by the anti-spam module;

o as/formal – message with the Formal status assigned by

the anti-spam module;

o as/blacklisted – message with the Blacklisted status

assigned by the anti-spam module;

o av/clean – message with the Clean status, assigned by the

AV module;

84 Kaspersky® Mail Gateway 5.6

o av/disinfected – message with the Disinfected status,

assigned by the AV module;

o av/infected – message with the Infected status, assigned

by the AV module;

o av/suspicious – message with the Suspicious status,

assigned by the AV module;

o av/protected – message with the Protected status, as-

signed by the AV module;

o av/error – message with the Error status, assigned by the

AV module;

o av/filtered – message with the Filtered status, assigned

by the AV module.

SIZE – message size (may be specified in bytes, kilobytes, or
megabytes as determined by the respective prefixes);

DATE – time and date that the message was received by the appli-
cation;

IP – IP address of message sender;
SENDER – message sender‟s address;
RECIPIENT – message recipient‟s address (the field may contain

several values).

 Removal of all messages, or a specified message, from storage, for ex-

ample, in Linux:

> /opt/kaspersky/mailgw/bin/mailgw-maila

--remove-all=jHrWPC7s86253 --archive­path=/var/opt/kaspersky/mailgw/arch_in

In FreeBSD:

> /usr/local/bin/mailgw-maila

--remove-all --archive­path=/var/db/kaspersky/mailgw/arch_in

The following (or similar) information will be output to console:

Kaspersky Mail Archives Manager, version

5.6.12/RELEASE,

Copyright (C) Kaspersky Lab, 1997-2008

Total: 4586 archived messages have been removed.

Advanced application settings 85

Attention!
If the --send-id command line option is specified, the selected message must

pass anti-virus scanning and anti-spam filtering procedure before it is deliv­ered to the recipient. To send a message from storage without anti-virus
scanning and anti-spam filtration, use the -send-id-without-check command
line option.

Note

Descriptions of command line options for mailgw-maila utility can be found
in section B.16 on p. 181, and its return codes are described in section B.17
on p. 182.

 Sending of all messages/certain messages from storage directories to

their original recipients, for example, in Linux:

> /opt/kaspersky/mailgw/bin/mailgw-maila

--send-id=jHrWPC7s86253 --archive­path=/var/opt/kaspersky/mailgw/arch_in

In FreeBSD:

> /usr/local/bin/mailgw-maila

--send-id=jHrWPC7s86253 --archive­path=/var/db/kaspersky/mailgw/arch_in

The following (or similar) information will be output to console:

Kaspersky Mail Archives Manager version

5.6.19/RELEASE,

Copyright (C) Kaspersky Lab, 1997-2008

Message with QueueID jHrWPC7s86253 will be sent
asap.

6.7. Management of application

working queue

While the application is running, it creates a working queue of messages for
processing by the anti-spam and AV modules.

The mailgw-mailq utility, which is installed by default in the directory

/opt/kaspersky/mailgw/bin/ (in Linux distributions) or in /usr/local/bin/ (for

86 Kaspersky® Mail Gateway 5.6

FreeBSD distributions) allows the management of messages in the working
queue.

It has the following functionality:

 Reviewing the contents of the working queue, or supplying information

on specific messages in it.

To display information about all messages in the working queue, enter
the following in the command line (in Linux):

> /opt/kaspersky/mailgw/bin/mailgw-mailq

--show-all

In FreeBSD:

> /usr/local/bin/mailgw-mailq --show-all

The utility will output to the server console a report similar to the exam­ple below:

Kaspersky Mail Queue Manager, version

5.6.12/RELEASE,

Copyright (C) Kaspersky Lab, 1997-2008

--QueueID--Status-Size-------ArrivalTime---------

------Sender.../Recipient...

iAgUF4Oi21098 WFS 1570 Tue, 12 Feb 2007 10:42:30
+0000 10.0.0.28 <test2@scmsmtpgw1.example.com> ->
<test1@scmsmtpgw1.example.com>

iAgVF4Qs38118 WFC 897 Tue, 12 Feb 2007 10:42:31
+0000 10.0.0.16

<test2@scmsmtpgw1.example.com> ->
<test1@scmsmtpgw1.example.com>

iAgTF45Y97588 SND 1048 Tue, 12 Feb 2007 10:42:29
+0000 10.0.0.16 <test2@scmsmtpgw1.example.com> ->
<test1@scmsmtpgw1.example.com>

Total: 3 queued messages, 3515 bytes.

The application outputs information, about messages in the working
queue, in the following format:

ID STATUS SIZE DATE IP <SENDER> -> <RECIPIENT>

where:

ID – identification number of a queued message;
STATUS – message status reflecting its current state.

Advanced application settings 87

A message in working queue may have any of the following
statuses:

o WFC – message waiting for anti-spam filtration and anti-virus

scanning;

o CHK – message being scanned for virus presence;
o WFS – message waiting for creation of its virtual copies;
o SPL – message being used for creation of virtual copies;
o QUE – message waiting to be sent to its recipient;
o SND – message being sent.
SIZE – message size, which may be specified in bytes, kilobytes,

or megabytes as determined by the respective prefixes;

DATE – time and date that the message was added to the queue;
IP – IP address of message sender;
SENDER – message sender‟s address;
RECIPIENT – message recipient‟s address (the field may contain

several values).

 Removal of all messages, or a specified message, from the working

queue.

To remove all messages from the working queue, enter the following in
the command line (in Linux):

> /opt/kaspersky/mailgw/bin/mailgw-mailq -­remove-all

In FreeBSD:

> /usr/local/bin/mailgw-mailq --remove-all

The utility will output to the server console a report similar to the exam­ple below:

Kaspersky Mail Queue Manager, version

5.6.12/RELEASE,

Copyright (C) Kaspersky Lab, 1997-2008

Total: 12 queued messages have been removed.

88 Kaspersky® Mail Gateway 5.6

Attention!
A message can only be removed from the queue if its status is

WFC, WFS or QUE .

Attention!
A message can be sent ahead of the general queue only if it has

the status QUE (expects delivery to the recipient).

Note

Descriptions of command line options for mailgw-mailq utility can
be found in section B.15 on p. 180, and its return codes are de­scribed in section B.17 on p. 182.

 Send all or selected messages ahead of the general queue, for exam-

ple, in Linux:

> /opt/kaspersky/mailgw/bin/mailgw-mailq

--send-id=jHrWPC7s86253

In FreeBSD:

> /usr/local/bin/mailgw-mailq

--send-id=jHrWPC7s86253

The following (or similar) information will be output to console:

Kaspersky Mail Queue Manager, version

5.6.12/RELEASE,

Copyright (C) Kaspersky Lab, 1997-2008

Message with QueueID jHrWPC7s86253 will be sent
asap.

6.8. Managing the application

While Kaspersky Mail Gateway is running, it can be managed using scripts, sig­nals, and the command line.

This section describes how to manage the application using scripts. For man­agement options using signals, see section B.3 on p. 155, and for information
about using files, see B.4 on p. 155).

Advanced application settings 89

Attention!
Application management using scripts requires privileged user (root) rights.

Value

Meaning

start

Start the application.

stop

Stop the application.

restart

Stop and then start the application.

reload

Reinitialize the main application component, reload the anti­virus database and the configuration file, and restart the
anti-spam module.

reload-bases

Reload the anti-virus databases and restart the anti-spam
module.

status

Request the application‟s status.

stats

Request the application‟s statistics.

recv-off

Suspend the operation of the Receiver module.

recv-on

Resume the operation of the Receiver module.

send-off

Suspend the operation of the Sender module.

If you use the Linux distribution package to run the management script, enter the
following at the command line:

# /opt/kaspersky/mailgw/lib/bin/mailgw <action>

or use the link:

# /etc/init.d/mailgw <action>

If you use the FreeBSD distribution package, run the management script by en­tering the following:

# /usr/local/etc/rc.d/mailgw.sh <action>

Table 1 contains possible values of the <action> parameter:

Table 1. Management script parameters

90 Kaspersky® Mail Gateway 5.6

Value

Meaning

send-on

Resume the operation of the Sender module.

check-off

Suspend the operation of the scanning module.

check-on

Resume the operation of the scanning module.

clear-stats

Reset statistics.

post-update

Load Kaspersky Mail Gateway databases after their suc­cessful downloading.

Attention!
You can control timeouts of the watchdog process using the application com-

mand line options. See section B.6 on p. 163 for details.

When the Receiver module is suspended, mail servers will be unable to establish
connection with Kaspersky Mail Gateway to transfer messages to recipients
within your e-mail system. Messages already added to the work queue will be
treated as normal, that is scanned for viruses and spam signs, processed in ac­cordance with the existing rules and forwarded to the recipients (unless the rules
block their delivery).

When the Sender module is suspended, the application stops transmitting proc­essed messages. Processed messages will be preserved in the work queue of
outgoing messages. Suspension of the Sender module does not affect the Re­ceiver module. Receipt of messages from mail servers will not be suspended.

When the scanning module is suspended, e-mail messages accepted by the
Receiver module will be transferred directly to the Sender module for subsequent
delivery to recipients. Anti-virus scanning, spam filtering and message process­ing will not be performed.

6.9. Control of application activity

A special watchdog process ensures that individual application modules function
correctly while the software is running. As soon as the application starts, it cre­ates a child process to monitor the application. If after a specified interval the
parent process receives no confirmation of correct operation from any module,
the watchdog process restarts the application.

Advanced application settings 91

Level

Level de­scription

Letter symbol

Meaning

0

Fatal Errors

F

Only information regarding critical
errors which terminate the pro­gram, due to the impossibility of

6.10. Customizing date and time

formats

Kaspersky Mail Gateway generates reports on the activity of every component.
This information always contains the date and time of report generation.

By default, Kaspersky Mail Gateway displays the date and time using the strftime
standard:

 %H:%M:%S – displayed time format.
 %d-%m-%Y – displayed date format.

The administrator can customize how time and date information are displayed in
the [locale] section of the application configuration file. You can specify one of
the following formats:

 %I:%M:%S %P – display time in 12-hour format (TimeFormat parame-

ter).

 %y/%m/%d or %m/%d/%y – display date (DateFormat parameter) as

yy/mm/dd or mm/dd/yy, respectively).

6.11. Reporting options

The performance of the main application component is recorded either in the
application log file in plain text format (LogFilename option in the
[mailgw.options] section) or in the system log (syslog). The data is not logged if
the LogFilename option is not defined (LogFilename=).

To customize the output data, change the report detail level (LogLevel option in
the [mailgw.options] section).

Report detail level is a number that defines the level of reported details for ap­plication performance data. Each subsequent level of detail contains all the de­tails from the previous level, and adds new information.

Table 2 below lists the possible report detail levels.

Table 2. Report detail levels

92 Kaspersky® Mail Gateway 5.6

Level

Level de­scription

Letter symbol

Meaning

executing an action. For example,
a component is infected, or scan­ning, database loading, or product
key loading failed.

1

Errors

E

Information about other errors that
may or may not lead to application
shutdown, for example, file scan
errors.

2

Warning

W

Notifications about errors that may
lead to the application shutdown
(product key expiration warning,
out-of-disk-space warning, etc.).

3

Info, Notice

I

Important informational mes­sages, such as whether a compo­nent is running or inactive, the
path to the configuration file, latest
changes in the scan area, data­base updates, product keys, sta­tistics summary.

4

Activity

A

Messages on scanning of files
according to the report detail level.

9

Debug

D

All debug messages.

Information about fatal errors is always displayed, regardless of the report detail
level. The optimal level is level 4, which is also the default level.

Information messages may be divided into the following types:

 Messages about actions on e-mail messages.
 Notifications about system events.
 Other messages (component start, loading of databases, return codes,

etc.).

The output format for each of the levels of detail listed above is as follows:

 for messages about actions on e-mail messages:

[date time detail_level] envelope-id: MESSAGE;

Advanced application settings 93

 for all other types of message:

[date time detail_level]: MESSAGE,

where:
 [date time detail_level] gives the date and the time (in the

format specified by the administrator in the [locale]) section, and
the letter indicating the report detail level.

 envelope-id – e-mail message identifier in the working queue of

the application, which identifies the e-mail message.

 MESSAGE – message text that may have different formats depend-

ing on the message type.

For the text of report messages containing information about actions on e-mail
messages, see section B.20 on p. 187.

6.12. Adding supplementary

information to messages

The application supports two methods of adding supplementary information to e­mail messages:

 Adding an extension header field to the e-mail message.

The information may describe the application‟s version, date when the

anti-virus databases were last updated, or the time and result of anti­virus and anti-spam scanning of the message (determined by the
AddXHeaders parameter in the [mailgw.policy] section of the applica­tion configuration file).

Header format:

X-Anti-Virus: <product name and version>, bases:
<date of the last update to anti-virus databases in
YYYYMMDD format> #<the number of records in AV data­bases>, check: <scan date in YYYYMMDDTHHMMSS format>
<scanning status or not_checked>

where:

YYYY - year indicated in four-digit format;

MM – month;

DD – date;

HH – hour;

MM – minute;

94 Kaspersky® Mail Gateway 5.6

SS - second.

E.g.:

X-Anti-Virus: Kaspersky Mail Gateway, version

5.6.12/RELEASE, bases: 20080118T085614 #519212,
check: 20080118 clean

For detailed information about the headers added to messages by the
anti-spam module, please see section B.18 on page 183.

 Adding a disclaimer text to the e-mail message‟s body.

The information will be added as plain text; it may contain a statement
generated in accordance with the security policy (or other rules) of a
specific organization (the AddDisclaimer parameter in the
[mailgw.policy] section). The default message text notifies that the
message has been scanned by Kaspersky Mail Gateway. The adminis­trator can modify the information format (e.g., generate disclaimer mes­sage as a HTML text).

6.13. Control of application activity

via SNMP

Beginning with version 5.6, the application provides read-only access to the fol­lowing information via Simple Network Management Protocol (SNMP):

 Configuration of the application – information about all parameters from

all sections of the program configuration file.

 Activity statistics – statistical information about application operations.

Availability of the information via SNMP is defined by the SNMPServices pa­rameter in the [mailgw.snmp] section of the configuration file.

The application provides the following data accessible through SNMP:

 Information about configuration of the application.
 Statistics of application activity:

 Date of application launch (in ISO 8601 format).
 Time (seconds) passed since application start.
 Date of the last successful update (in ISO 8601 format).
 Total number of records in the current databases of Kaspersky Mail

Gateway.

Advanced application settings 95

Attention!
To ensure correct interaction with the application via AgentX, you are advised to

use the NET-SNMP version 5.1.2 or later.

 Release date of the current application database update (in ISO

8601 format).

Interaction via SNMP is implemented in Kaspersky Mail Gateway using an
SNMP subagent, which works in turn with SNMP master agent. Interaction pa­rameters are listed in the [mailgw.snmp] section of the configuration file:

 ConnectTo – the option defines the socket for interaction. A local file or

a network socket can be used. E.g.:

ConnectTo=unix:/path/to/dir/

or

ConnectTo=127.0.0.1:705

 PingInterval – interval (seconds) that the subagent will use between at-

tempts to connect to the master agent in case of disconnection.

 Timeout – timeout (seconds) for sending a request to the master agent.
 Retries – number of attempts to send a request to master agent.

The application can use as master any agent that supports the AgentX protocol.
In this section the NET-SNMP agent is used as an example. Interaction is per­formed through a local socket.

The following steps are necessary for configuration of the agent:

1. Modify the snmpd.conf configuration file adding the following lines to it:

master agentx

AgentXSocket tcp:localhost:705

rocommunity public

trapsink localhost

2. Modify the snmp.conf configuration file adding the following lines to it:

mibdirs +/opt/kaspersky/mailgw/share/snmp-mibs

mibs all

The /opt/kaspersky/mailgw/share/snmp-mibs (in Linux) or
/usr/local/share/mailgw/snmp-mibs path (in FreeBSD) defines the loca-

tion of MIB files of Kaspersky Mail Gateway. If you have installed the
application to a different directory, specify the path corresponding to
your configuration.

96 Kaspersky® Mail Gateway 5.6

Note

Detailed information regarding configuration of the NET-SNMP agent is avail­able at its official site http://www.net-snmp.org/. To display information about
snmpd.conf and snmp.conf use the program manual pages.

3. Restart NET-SNMP.

During data access via SNMP the following OID (object identifier) is used:

1.3.6.1.4.1.23668.1159

Administrator can configure the application to send SNMP traps when certain
events occur. Generation of SNMP traps is regulated by the SNMPTraps option
in the [mailgw.snmp] section of the configuration file. SNMP traps are gener­ated when the following events occur:

 Reloading of the anti-virus databases (TrapBasesReloaded, TrapBas-

esReloading) or application configuration (TrapConfigReloaded, Trap­ConfigReloading).

 Application start/stop (TrapStart, TrapStarting, TrapStop, TrapStop-

ping), critical error (TrapError).

CHAPTER 7. TESTING

APPLICATION OPERABILITY

After you install and configure Kaspersky Mail Gateway, it is recommended that
you test its settings and operability by using the following three methods:

 Telnet program.
 Mail messages containing test phrases in the Subject header.
 Templates GTUBE.
 EICAR test virus.

7.1. Testing mail receipt and

delivery using Telnet

To test the application operation using Telnet it is necessary to:

1. Connect to the server on which the application is installed using Telnet.
To do so, enter the following at the command line:

telnet <mailgw host address> <port>

where the <mailgw host address> and <port> are the values as­signed to the ListenOn option in the [mailgw.network] section of the
application configuration file.

2. After the connection is established, wait for a response from the main
application component. You will see the following information:

220 example.org ESMTP

where mailgw.company.com is the name of the server being tested.

3. After the connection to the server is confirmed, type the following at the
command line:

EHLO <fqdn>

where <fqdn> stands for a full domain name of the host, which estab­lishes connection.

98 Kaspersky® Mail Gateway 5.6

You will see the following (or similar) information:

250-example.org hello user [127.0.0.1]

250-ENHANCEDSTATUSCODES

250-PIPELINING

250-8BITMIME

250-SIZE 10485760

250 DSN

where:

mailgw.company.com is the name of the server being tested
user is the client host name
[127.0.0.1] is the client IP address.

 Enter at the command line:

MAIL FROM: <sender_address>

You will see the following (or similar) information:

250 2.1.0 OK

 Enter at the command line:

RCPT TO: <recipient_address>

You will see the following (or similar) information:

250 2.1.0 OK

 Enter in the command line:

DATA

You will see the following (or similar) information:

354 Start mail input; end with <CRLF>.<CRLF>

Enter in the command line:

From:xz@example.com

To: xz@example.com

Subject: test

test

.

You will see the following (or similar) information:

250 2.1.0 OK

Testing application operability 99

Test phrase in the Subject
header

Response of the anti-spam module

Subject: spam is bad do not send
it

or

Subject: t h i s i s n o t
s p a m

Based on the analysis, the message will
be assigned the Spam status.

Subject: News and special
events May

Based on the analysis, the message will
be assigned the Probable Spam status.

Subject: Out of Office AutoReply

Based on the filter‟s analysis, the mes­sage will be assigned the status Not de-
tected. The label [--Formal Messages--]
will be added to its Subject header

Text of the Subject header con­tains invective.

Based on the filter‟s analysis, the mes­sage will be assigned the status Not de-
tected. The label [--Obscene--] will be
added to its Subject header/

4. If the response is 250 2.1.0 OK, the test message has been success­fully accepted by the server. After this, the message will be checked by
the anti-spam module, scanned for viruses and then sent to the recipi­ent in accordance with the routing table. You are advised to check mes­sage delivery. To verify the results, view the application statistics. One
message will be added to the totals for scanned and sent messages.

7.2. Testing the anti-spam filtration

To test the Spamtest filter functionality, you must create e-mail messages con­taining specific phrases in the Subject header. Table 3 below contains a sum­mary of test phrases and the corresponding Spamtest responses.

Table 3. Test messages

Having sent a message with a test phrase in the Subject, you should check that
the message has been processed in accordance with the specified rules: for in­stance, that the application has changed the specified message headers; or that
the message has been added to the quarantine directory. If the application does
not function properly, you should consult Kaspersky Lab‟s Technical Support.

100 Kaspersky® Mail Gateway 5.6

Attention!
Never use real viruses to test the operation of your anti-virus application!

Furthermore, you can test filtration using a special GTUBE (Generic Test for
Unsolicited Bulk E-mail) template. Test of spam filtration using GTUBE is identi­cal to the tests of anti-virus software based on EICAR test virus.

Create an e-mail message containing the following string (without spaces or hy­phenation):

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-E­MAIL*C.34X

and send it to an e-mail account protected by Kaspersky Mail Gateway. After
analysis the message will receive the SPAM status and the application will apply
to it the action specified in the policy assigned for the account.

7.3. Testing the application using

EICAR

This test "virus" has been developed by (The European Institute for
Computer Anti-Virus Research) specifically to verify the functioning of anti-virus
software.

It IS NOT A VIRUS and contains no code that may harm your computer. How­ever, most anti-virus products identify it as a virus, according to The European
Institute for Computer Antivirus Research.

The test "virus" can be downloaded from the official EICAR site at:

http://www.eicar.org/anti_virus_test_file.htm. If you have no Internet access, you

can create a test "virus" manually, by entering the line below into any text editor
and save the file as eicar.com:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST­FILE!$H+H*

The file that you downloaded from the EICAR website, or created in a text editor
as described above, contains the body of a standard test "virus". The anti-virus
application will detect it, flag it as Infected and perform the specified action for
objects with this status.

To test the application's response to objects with other statuses, modify the body
of the standard test "virus" by adding one of the prefixes below (see Table 4).