User manual KASPERSKY LAB KASPERSKY ANTI-VIRUS 5.6 FOR SENDMAIL WITH MILTER API - ADMINISTRATOR GUIDE

KASPERSKY LAB Kaspersky Anti-Virus® 5.6 for Sendmail with Milter API ADMINISTRATOR'S MANUAL KASPERSKY ANTI-VIRUS® 5.6 FOR SENDMAIL WITH MILTER API Administrator's manual © Kaspersky Lab http://www.kaspersky.com Revision date: March 2006 Contents CHAPTER 1. KASPERSKY ANTI-VIRUS® FOR SENDMAIL WITH MILTER API....... 6 1.1. What's new in version 5.6 ..................................................................................... 7 1.2. Hardware and software system requirements ..................................................... 7 1.3. Licensing policies................................................................................................... 9 1.4. Distribution kit ........................................................................................................ 9 1.5. Help desk for registered users ............................................................................ 10 1.6. Adopted conventions........................................................................................... 10 CHAPTER 2. TYPICAL DEPLOYMENT SCENARIOS ............................................... 13 2.1. Installing Kaspersky Anti-Virus on the same server with your mail system ...... 13 2.2. Installing Kaspersky Anti-Virus on a dedicated server....................................... 16 2.3. Installing Kaspersky Anti-Virus as a filter (single or additional).......................... 18 2.4. Installing Kaspersky Anti-Virus as Milter filter for several Sendmail servers..... 18 CHAPTER 3. INSTALLATION AND UNINSTALLATION OF KASPERSKY ANTIVIRUS ......................................................................................................................... 21 3.1. Software installation on a server running Linux.................................................. 21 3.2. Software installation on a server running FreeBSD or OpenBSD..................... 22 3.3. Installation process.............................................................................................. 22 3.4. Post-install setup ................................................................................................. 23 3.5. Location of application files and directories ........................................................ 24 3.6. Software uninstall ................................................................................................ 26 3.7. Uninstallation process ......................................................................................... 26 CHAPTER 4. THE PRINCIPLES OF APPLICATION OPERATION........................... 28 4.1. General message processing algorithm............................................................. 28 4.2. Creating groups for message processing........................................................... 29 4.3. Message status ................................................................................................... 31 4.4. Assigning actions for mail messages ................................................................. 31 CHAPTER 5. PRESET PROTECTION PROFILES..................................................... 33 5.1. High overall security profile ................................................................................. 33 5.2. High effective security profile .............................................................................. 34 4 Kaspersky Anti-Virus® for Sendmail with Milter API 5.3. Optimal operation profile ..................................................................................... 35 5.4. Top performance mode....................................................................................... 35 CHAPTER 6. USING KASPERSKY ANTI-VIRUS FOR SENDMAIL WITH MILTER API................................................................................................................ 37 6.1. Delivering disinfected messages to recipients ................................................... 37 6.2. Blocking infected messages ............................................................................... 39 6.3. Delivering protected messages........................................................................... 40 6.4. Sending notifications to senders, recipients, and administrator......................... 41 6.5. Filtering e-mail traffic by attachments ................................................................. 43 6.6. Updating the anti-virus database and application kernel ................................... 44 6.7. Backing up e-mail messages.............................................................................. 45 CHAPTER 7. ADDITIONAL SETUP ............................................................................. 47 7.1. Integrating the application into your mail system................................................ 47 7.2. Installing and uninstalling the Webmin module of Kaspersky Anti-Virus........... 50 7.3. Checking the configuration file syntax ............................................................... 51 7.4. Defining an e-mail scan policy ............................................................................ 52 7.5. Adjusting scan thoroughness.............................................................................. 52 7.6. Selecting objects to scan..................................................................................... 53 7.7. Selecting objects to be filtered and assigning actions........................................ 54 7.8. Configuring backup options................................................................................. 55 7.9. Configuring database and kernel module updates ............................................ 56 7.10. Customizing notifications................................................................................... 57 7.10.1. Notification templates ................................................................................. 60 7.10.2. Customizing notification templates ............................................................ 62 7.10.2.1. Macros.................................................................................................. 62 7.10.2.2. Iteration constructs............................................................................... 63 7.10.2.3. Scope of visibility for an iterative statement ........................................ 64 7.10.2.4. Variables .............................................................................................. 65 7.10.2.5. Language syntax ................................................................................. 66 7.10.2.6. Notification macros for the application ................................................ 68 7.11. Reporting options .............................................................................................. 69 7.12. Parameters of update report generation .......................................................... 71 7.13. Statistics parameters......................................................................................... 73 7.14. Restarting Kaspersky Anti-Virus ....................................................................... 75 7.15. Managing the application from the command line ........................................... 76 Contents 5 7.16. Localization of displayed date and time format ................................................ 77 7.17. Additional informational header fields in messages......................................... 78 7.18. Troubleshooting................................................................................................. 78 7.19. Application control via SNMP............................................................................ 79 CHAPTER 8. USING LICENSES.................................................................................. 83 8.1. Viewing license key information.......................................................................... 84 8.2. License extension................................................................................................ 85 8.3. License key removal............................................................................................ 87 CHAPTER 9. COMPATIBILITY WITH OTHER KASPERSKY LAB APPLICATIONS ......................................................................................................... 88 CHAPTER 10. VERIFYING PROPER OPERATION OF THE ANTI-VIRUS.............. 90 CHAPTER 11. FREQUENTLY ASKED QUESTIONS................................................. 92 APPENDIX A. ADDITIONAL INFORMATION.............................................................. 98 A.1. Application configuration file kavmilter.conf ....................................................... 98 A.2. Default group configuration file default.conf..................................................... 102 A.3. Error return codes ............................................................................................. 106 A.4. Keepup2date return codes ............................................................................... 108 A.5. Command line options for licensemanager ..................................................... 108 A.6. Licensemanager return codes.......................................................................... 109 A.7. Description of the MIB (Management Information Base) objects.................... 110 APPENDIX B. KASPERSKY LAB............................................................................... 113 B.1. Other Kaspersky Lab Products ........................................................................ 114 B.2. Contact Us......................................................................................................... 119 APPENDIX C. LICENSE AGREEMENT .................................................................... 121 CHAPTER 1. KASPERSKY ANTIVIRUS® FOR SENDMAIL WITH MILTER API Kaspersky Anti-Virus® for Sendmail with Milter API (hereinafter also referred to as Kaspersky Anti-Virus, application) provides anti-virus protection for e-mail traffic handled by Sendmail with Milter API running on a Linux/Unix server. Kaspersky Anti-Virus running on a mail server will... · · Intercept incoming and outgoing e-mail messages handled by the server. Scan e-mail traffic for viruses using the anti-virus engine. The application scans the entire message as well as message objects, including the header, body, and attachment (depending on the anti-virus policy). Back up e-mail messages prior to performing any action related to antivirus protection, including blocking and rejecting messages. The administrator can then restore original messages from these backup copies. Handle infected objects of e-mail messages detected during the scan. Filter e-mail messages. This version of the product filters messages by MIME type, size, and name of attachments. Notify the senders and administrators about the results of anti-virus treatment and message filtering. The application may also send detailed notifications using an external mail agent. Provide general statistics and reports on application performance. · · · · · The advanced features of Kaspersky Anti-Virus allow the administrator to perform the following tasks: · · Configure the application from a remote location through the web interface of the Webmin application. Customize templates for sending notifications to senders, recipients, and administrators using a special language. Kaspersky Anti-Virus® for Sendmail with Milter API 1.1. What's new in version 5.6 Kaspersky Anti-Virus 5.6 for Sendmail with Milter API has these additional features, compared to version 5.0: · · · · Simple processing rules for e-mails can be grouped, depending upon the message's senders and recipients, to provide complex processing. Additional options have been added for processing messages containing suspicious objects Additional statistics are recorded for all messages processed by the application. The SNMP protocol can be used to get read-only access to application configuration and statistic data; the application can be configured to send SNMP-traps when specific events occur. 1.2. Hardware and software system requirements For smooth operation of Kaspersky Anti-Virus, your mail server must meet the following hardware and software requirements: Minimum hardware requirements for application operation: · · · Intel Pentium 133 MHz processor or higher 32 MB RAM 100 MB available space on your hard drive (this amount does not include space necessary for storing backup message copies). Minimum hardware requirements for a mail server with about 800 MB of traffic per day 1 (250-300 mail accounts (addresses)): · · Celeron (Mendocino) 400 MHz processor 512 MB RAM The following scheme is used to calculate daily traffic: average message size is 60 KB, during 10-hour period, with 25 scan processes working in parallel, about 13200 messages are processed, which totals to 800 MB. 1 8 Kaspersky Anti-Virus® for Sendmail with Milter API · 100 MB of available space on your hard drive (for Kaspersky Anti-Virus operation). Optimal hardware requirements: · For a mail server with about 800 MB of traffic per day (250-300 mail accounts (addresses)): · · · 2xPentium Xeon 1,8 GHz processor 1 GB RAM 8 GB of available space on your hard drive (this amount does not include space necessary for storing backup message copies). · For a mail server with about 400 MB of traffic per day2 (100-150 mail accounts (addresses)): · · Pentium III 900 MHz processor 512 MB RAM. Software requirements: · One of the following operating systems: · · · · · · · · · · · Red Hat Enterprise Linux Advanced Server 4. Red Hat Linux 9.0. Fedora Core 3. SuSE Linux Enterprise Server 9.0. SuSE Linux Professional 9.2. Debian 3.1. Mandrakelinux 10.1. FreeBSD 4.10, 5.4. OpenBSD 3.6. Sendmail version 8.11.x or higher with Milter API (installed) Webmin program (www.webmin.com) (installed) to manage Kaspersky Anti-Virus from a remote location. The following scheme is used to calculate daily traffic: average message size is 60 KB, during 10-hour period, with 25 scan processes working in parallel, about 6600 messages are processed, which totals to 400 MB. 2 Kaspersky Anti-Virus® for Sendmail with Milter API · The following utilities should be installed in your system: bc, sed, tr, cut, du, grep, awk. 1.3. Licensing policies Kaspersky Anti-Virus' licensing policies limit product use based on one of these criteria: · · number of users protected by the application. e-mail traffic processed daily (MB/day). Each type of licensing is also time-limited, typically for one or two years from the date of purchase. You can purchase only one type of the license, for example, by the amount of daily email traffic. The application has slightly different configuration parameters depending on the type of license you have purchased. For instance, if the license is issued for a certain number of users, you will have to create a list of addresses (domains) for which the application will provide protection. 1.4. Distribution kit You can purchase Kaspersky Anti-Virus for Sendmail with Milter API either from our distributors or in our Internet-shop www.kaspersky.com. When purchasing a retail box, you will receive the following distribution kit: · · · · a sealed envelope with an installation CD (or a set of floppy disks) containing software product files; dministrator's guide; license key written on the installation CD or a floppy disk; license agreement. Before you unseal the envelope containing the CD (or floppy disks), be sure to thoroughly review the license agreement. When purchasing Kaspersky Anti-Virus in the Web-shop, you download the product from Kaspersky Lab's website. The distribution file contains the application and the license key. The License Agreement (LA) is a legal agreement between you (either an individual or a single entity) and the manufacturer (Kaspersky Lab Ltd.) 10 Kaspersky Anti-Virus® for Sendmail with Milter API describing the terms under which you may use the anti-virus product which you have purchased. Make sure to read the terms of the License Agreement! If you do not agree to the terms of this LA, Kaspersky Lab is not willing to license the software product to you and you should return the unused product to your Kaspersky Anti-Virus dealer for a full refund, making sure the envelope with CD (or diskettes) is sealed. If you have unsealed the envelope, you have agreed to all the terms of the LA. 1.5. Help desk for registered users Kaspersky Lab offers a large service package, enabling registered users to efficiently use Kaspersky Anti-Virus. If you register and purchase a subscription, you will be provided with the following services for the period of your subscription: · · · · daily virus-definition database updates via e-mail; product upgrades; phone and e-mail advice on matters related to your software installation, configuration and performance; information about new Kaspersky Lab products and new computer viruses (for those who subscribe to our newsletter). Kaspersky Lab does not give advice on the performance and use of your operating system or various other technologies. 1.6. Adopted conventions The text in this document is formatted in accordance with its meaning. The table 1 below lists the conventions adopted for use in the text. Kaspersky Anti-Virus® for Sendmail with Milter API Table 1. Conventions Style Bold type Purpose Menu titles, menu items, window titles, parts of dialog boxes, etc. Note. Additional information, notes. Attention! In order to perform the action, 1. 2. Step 1. ... Task, example Information that should be paid special heed. Description of procedure for user's steps and possible actions. Statement of problem, example for using the software features. Solution to a defined problem. Solution [key] ­ key purpose. Text of information messages and the command line Command line keys. Text of configuration files, informative messages, and the command line. CHAPTER 2. TYPICAL DEPLOYMENT SCENARIOS Kaspersky Anti-Virus can be rolled out using the following methods, depending on the initial configuration of your mail system and specific needs of your organization: · on the same server your mail system is on: this scenario is used by default if you have a configured Sendmail system on your server (see section 2.1 on page 13). on a dedicated server: use this method if your mail server is under a high load (see section 2.2 on page 16). In this case you can also use Kaspersky Anti-Virus to process mail traffic of several Sendmail servers (see section 2.4 on page 18). · Note that in both cases the application will function identically, regardless of the deployment scenario you choose. They differ only in the method of interaction between Kaspersky Anti-Virus and Sendmail. To configure Kaspersky Anti-Virus, consider other Milter filters integrated into your mail system. If you have such filters, you can install Kaspersky Anti-Virus as: · · a single Milter filter; together with other Milter filters: if you have other mail filters, for example, Kaspersky Anti-Spam (see section 2.3 on page 18). The sections below describe each scenario in detail. 2.1. Installing Kaspersky Anti-Virus on the same server with your mail system When describing the operation and configuration of Kaspersky AntiVirus in this guide, it is assumed that Kaspersky Anti-Virus has been installed on the same server as your mail system. Typical deployment scenarios 13 Kaspersky Anti-Virus processes incoming and outgoing mail as follows: 1. 2. 3. Email traffic forwarded from other servers or from users arrives at Sendmail. The mail system then forwards messages to Kaspersky Anti-Virus through Milter API for anti-virus processing. Kaspersky Anti-Virus scans and handles email messages and, depending on the settings, sends them back through Milter API to the mail system. The anti-virus application can generate and send notifications using an external mail agent. The mail system then routes mail traffic to either external mail servers or mailboxes of local users. 4. During the installation on the same server with Sendmail, Kaspersky Anti-Virus automatically makes the necessary changes to its own configuration and configuration of Sendmail. If you want to specify custom parameters of the socket to be used for interaction between Sendmail and Kaspersky Anti-Virus, you will need to make the following changes: · If you use sendmail.cf, add the following lines to the file: #kav-begin: KAVMilter O InputMailFilters=KAVMilter O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr} O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer} O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr} O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr} XKAVMilter, S=inet:@,F=T,T=S:10s;R:5m;E:5m #kav-end where is the name or IP address of the local host; the following values are possible: localhost, 127.0.0.1, IP address of the server is a network socket port For this configuration, it is recommended to use local unix socket. In order to implement it, add the following strings to the sendmail.cf file: #kav-begin: KAVMilter 14 Kaspersky Anti-Virus® for Sendmail with Milter API O InputMailFilters=KAVMilter O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr} O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer} O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr} O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr} XKAVMilter, S=unix:,F=T,T=S:10s;R:5m;E:5m #kav-end or #kav-begin: KAVMilter O InputMailFilters=KAVMilter O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr} O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer} O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr} O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr} XKAVMilter,S=local:,F=T,T=S:10s; R:5m;E:5m #kav-end where is the path to socket file. · If you use sendmail.mc, add the following lines to this file: dnl kav-begin: KAVMilter dnl define(`_FFR_MILTER', `true')dnl INPUT_MAIL_FILTER(`KAVMilter', `S=local:, F=T,T=S:10m;R:15m;E:15m')dnl dnl kav-end dnl or dnl kav-begin: KAVMilter dnl Typical deployment scenarios 15 define(`_FFR_MILTER', `true')dnl INPUT_MAIL_FILTER(`KAVMilter', `S=unix:, F=T,T=S:10m;R:15m;E:15m')dnl dnl kav-end dnl where is the path to the socket file. · In the [kavmilter.global] section of the kavmilter.conf configuration file, make the following changes: ServiceSocket=unix: or ServiceSocket=local: where is a path to the socket file. If you specify custom settings for the interaction socket, do not forget to delete from the Sendmail configuration file those strings which were automatically added by Kaspersky Anti-Virus during its installation. 2.2. Installing Kaspersky Anti-Virus on a dedicated server If your mail server's load is consistently high, it is more reasonable to install Kaspersky Anti-Virus on a dedicated server in order to avoid server malfunction, because anti-virus processing of mail traffic consumes considerable server resources. If Kaspersky Anti-Virus is installed on a dedicated server, it operates as follows: 1. The email thread arrives at the mail server with Sendmail installed. 2. Sendmail then forwards messages to Kaspersky Anti-Virus through a network socket. 3. The processed mail thread, together with anti-virus notifications, is sent back to the mail system for further delivery. If Kaspersky Anti-Virus is installed on a dedicated server, you must use a network socket for email traffic to be received and delivered via Sendmail. Configure Sendmail as follows: · If you use sendmail.cf, add the following lines to this file: #kav-begin: KAVMilter 16 Kaspersky Anti-Virus® for Sendmail with Milter API O InputMailFilters=KAVMilter O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr} O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer} O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr} O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr} XKAVMilter, S=inet:@,F=T,T=S:10s;R:5m;E:5m #kav-end where is an IP address of the network socket, and is a network socket port. · If you use sendmail.mc, add the following lines to this file: dnl kav-begin: KAVMilter dnl define(`_FFR_MILTER', `true')dnl INPUT_MAIL_FILTER(`KAVMilter', `S=inet: @, F=T,T=S:10m;R:15m;E:15m')dnl dnl kav-end dnl where is an IP address of the network socket, and is a network socket port. · In the [kavmilter.global] section of the configuration file, make the following changes: Kaspersky Anti-Virus ServiceSocket= inet: @ where is an IP address of the network socket, and is a network socket port. When Kaspersky Anti-Virus runs on a dedicated server it needs sendmail-compatible mail agent to send notifications to the administrator. Make sure you have symbolic link or binary file /usr/sbin/sendmail which is used to send notifications. Typical deployment scenarios 17 2.3. Installing Kaspersky Anti-Virus as a filter (single or additional) Kaspersky Anti-Virus can be installed as either a single filter or together with other filters. If other mail filters have been installed on your system, you should carefully define their sequence based on filter settings. If you are installing Kaspersky Anti-Virus ahead of another filter, note that antivirus processing can affect the contents of the email thread: some elements of email messages (headers, body, etc.) can be changed, notifications generated by the anti-virus software can be added to the thread, and some messages can be deleted or rejected for further processing. Therefore, another filter located behind Kaspersky Anti-Virus will deal with a processed, and therefore altered, email thread. Consider this factor when configuring filters behind the anti-virus application. For example, you may exclude notifications generated by Kaspersky Anti-Virus from filtering. If you are installing Kaspersky Anti-Virus behind another filter, set the first filter to forward the email thread to Kaspersky Anti-Virus via a socket. In this case, Kaspersky Anti-Virus receives the email thread that has been processed and changed by the first filter. Configure Milter filters installed on your mail server as follows: 1. Configure Sendmail and Kaspersky Anti-Virus socket options as described in section 2.1 on page 13. 2. Configure other mail filters installed on your mail server either behind or ahead of the anti-virus software to transmit the email thread via a respective socket. 2.4. Installing Kaspersky Anti-Virus as Milter filter for several Sendmail servers Kaspersky Anti-Virus can be used to scan the traffic of several mail servers. This scenario can provide anti-virus protection for a distributed mail system, but account must be taken both of the application load caused by several mail servers, and compliance with licensing conditions. If the license policy is based on the number of accounts, the Kaspersky Anti-Virus configuration file should specify the domains of all users whose mail traffic is processed by the protected 18 Kaspersky Anti-Virus® for Sendmail with Milter API mail servers. If the license policy is based on e-mail traffic volume, the total mail traffic of all servers must be less than the maximum specified by the license. In this scenario, mail will be processed as follows: 1. The email traffic arrives at several mail servers with Sendmail installed. 2. Each server forwards its messages to Kaspersky Anti-Virus for anti-virus processing, via a network socket. 3. After processing, Kaspersky Anti-Virus sends checked messages, together with anti-virus notifications, back to the mail server for further delivery. To implement this scenario: 1. In the kavmilter.conf configuration file of Kaspersky Anti-Virus set ServiceSocket parameter, as shown below: ServiceSocket=inet:@ where is the network socket port, and is the IP address, of the host. 2. Amend the configuration of all Sendmail servers which mail traffic will be protected by Kaspersky Anti-Virus: · If you use sendmail.cf file, add the following lines to this file: #kav-begin: KAVMilter O InputMailFilters=KAVMilter O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr} O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer} O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr} O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr} XKAVMilter, S=inet:@,F=T,T=S:10s;R:5m; E:5m #kav-end where is the IP address of the network socket used for interaction with Kaspersky Anti-Virus, and is the network socket port. Typical deployment scenarios 19 · If you use sendmail.mc, add the following lines to this file: dnl kav-begin: KAVMilter dnl define(`_FFR_MILTER', `true')dnl INPUT_MAIL_FILTER(`KAVMilter', `S=inet:@, F=T,T=S:10m;R:15m;E:15m')dnl dnl kav-end dnl where is the IP address of the network socket used for interaction with Kaspersky Anti-Virus, and is the network socket port. CHAPTER 3. INSTALLATION AND UNINSTALLATION OF KASPERSKY ANTI-VIRUS Prior to beginning the installation of Kaspersky Anti-Virus for Sendmail with Milter API, we recommend the following preparations for your system: · Make sure that your system meets the hardware and software requirements for installation of the Kaspersky Anti-Virus (please see section 1.2 on page 7). Enter the system as superuser (root). · 3.1. Software installation on a server running Linux There are two different installation packages of Kaspersky Anti-Virus supplied for various for Linux distributions. In order to start the installation of Kaspersky Anti-Virus from a .rpm package, enter the following text in the command line: # rpm ­i In order to start the installation of Kaspersky Anti-Virus from a .deb package, enter the following text in the command line: # dpkg ­i