User manual KASPERSKY LAB KASPERSKY MAIL GATEWAY 5.5 - ADMINISTRATOR GUIDE

KASPERSKY LAB Kaspersky® Mail Gateway 5.5 ADMINISTRATOR'S GUIDE KASPERSKY® MAIL GATEWAY 5.5 Administrator's Guide © Kaspersky Lab http://www.kaspersky.com Revision date: June, 2006 Contents CHAPTER 1. KASPERSKY® MAIL GATEWAY 5.5....................................................... 7 1.1. What's new in Kaspersky Mail Gateway 5.5 ........................................................ 8 1.2. Licensing policy ..................................................................................................... 9 1.3. Hardware and software requirements .................................................................. 9 1.4. Distribution kit ...................................................................................................... 10 1.5. Help desk for registered users ............................................................................ 11 1.6. Conventions......................................................................................................... 11 CHAPTER 2. APPLICATION STRUCTURE AND TYPICAL DEPLOYMENT SCENARIOS .............................................................................................................. 13 2.1. Application architecture ....................................................................................... 13 2.2. The algorithm of application functioning ............................................................. 15 2.3. Typical deployment scenarios............................................................................. 17 2.3.1. Installing the application along corporate network perimeter...................... 17 2.3.2. Installing the application inside your mail system........................................ 19 CHAPTER 3. INSTALLING THE APPLICATION......................................................... 21 3.1. Installing the application on a server running Linux ........................................... 21 3.2. Installing the application on a server running FreeBSD..................................... 22 3.3. Installation procedure .......................................................................................... 23 3.4. Configuring the application.................................................................................. 24 3.5. Installing the Webmin module to manage Kaspersky Mail Gateway ................ 26 CHAPTER 4. THE PRINCIPLES OF PROGRAM OPERATION ................................ 29 4.1. Creating groups of recipients/senders................................................................ 29 4.2. General message processing algorithm............................................................. 32 4.3. Operation of the Spamtest filter .......................................................................... 35 4.3.1. Message header analysis ............................................................................ 36 4.3.2. Analysis of message content ....................................................................... 36 4.3.3. Spamtest filter actions .................................................................................. 37 4.4. Operation of the AV module................................................................................ 38 CHAPTER 5. ANTI-VIRUS PROTECTION AND SPAM FILTRATION....................... 40 4 Kaspersky® Mail Gateway 5.5 5.1. Updating the anti-virus and content filtration databases .................................... 40 5.1.1. Automatic updating of the anti-virus and content filtration databases ........ 42 5.1.2. Manual updating of the anti-virus and content filtration databases............. 43 5.1.3. Creating a shared directory for storing and sharing database updates...... 44 5.2. Spam filtration...................................................................................................... 44 5.2.1. Marking of messages containing spam ....................................................... 45 5.2.2. Blocking delivery of spam messages........................................................... 46 5.2.3. Storage of spam message copies in the quarantine directory.................... 46 5.3. Anti-virus protection of email traffic ..................................................................... 47 5.3.1. Delivery of messages with clean or disinfected objects only ...................... 48 5.3.2. Replacement of infected objects with standard notifications....................... 49 5.3.3. Blocking delivery for messages containing suspicious objects................... 49 5.3.4. Delivery of notifications to the sender, administrator and recipients........... 50 5.3.5. Additional filtering of objects by name and type .......................................... 51 5.3.6. Saving messages in the quarantine directory.............................................. 52 5.4. Combining spam filtration and anti-virus protection ........................................... 54 5.4.1. Maximum speed ........................................................................................... 54 5.4.2. Recommended mode................................................................................... 55 5.4.3. Maximum protection ..................................................................................... 56 5.5. Additional features of Kaspersky Mail Gateway................................................. 58 5.5.1. Automatically add incoming and outgoing mail to archives ........................ 58 5.5.2. Protection from hacker attacks and spam ................................................... 59 5.6. Managing license keys........................................................................................ 60 5.6.1. Viewing information about license keys....................................................... 60 5.6.2. Renewing your license ................................................................................. 62 5.6.3. Removing a license key ............................................................................... 63 CHAPTER 6. ADVANCED APPLICATION SETTINGS .............................................. 64 6.1. Configuring anti-virus protection of mail traffic.................................................... 64 6.1.1. Using the iCheckerTM technology................................................................. 64 6.1.2. Setting up application timeouts .................................................................... 65 6.1.3. Setting performance restrictions .................................................................. 66 6.2. Setting up connection receiving interfaces ......................................................... 67 6.3. Setting up the routing table ................................................................................. 68 6.4. Checking the configuration file syntax ................................................................ 69 6.5. Syntax check in notification templates................................................................ 70 6.6. Work with email archive and the quarantine directory ....................................... 70 Contents 5 6.7. Management of application working queue........................................................ 73 6.8. Managing the application .................................................................................... 75 6.9. Control of application activity............................................................................... 77 6.10. Customizing date and time formats .................................................................. 77 6.11. Reporting options .............................................................................................. 78 6.12. Additional informational header fields in messages......................................... 80 CHAPTER 7. TESTING APPLICATION OPERABILITY ............................................. 81 7.1. Testing the application using Telnet ................................................................... 81 7.2. Testing the Spamtest filter................................................................................... 83 7.3. Testing the application using EICAR .................................................................. 84 CHAPTER 8. UNINSTALLING THE APPLICATION ................................................... 86 CHAPTER 9. FREQUENTLY ASKED QUESTIONS................................................... 88 APPENDIX A. SUPPLEMENTARY INFORMATION ABOUT THE PRODUCT......... 95 A.1. Distribution of the application files in directories................................................. 95 A.2. Kaspersky Mail Gateway configuration file ........................................................ 99 A.3. Use of external configuration files..................................................................... 116 A.4. Control signals for the smtpgw component...................................................... 117 A.5. Control files........................................................................................................ 118 A.6. Application statistics.......................................................................................... 118 A.7. Command line options for the smtpgw component ......................................... 124 A.8. Smtpgw return codes........................................................................................ 125 A.9. Command line options for licensemanager ..................................................... 126 A.10. Licensemanager return codes........................................................................ 127 A.11. Keepup2date command line options ............................................................. 128 A.12. Keepup2date return codes ............................................................................. 129 A.13. Format of messages about template syntax check-up.................................. 129 A.14. Return codes for the kltlv utility....................................................................... 131 A.15. Command line options of the klmailq utility.................................................... 132 A.16. Command line options for the klmaila utility................................................... 133 A.17. Return codes for the klmaila and klmailq utilities ........................................... 134 A.18. Special headers added by the Spamtest filter ............................................... 134 A.19. Format of messages about anti-virus scanning and spam filtration.............. 136 A.20. Notifications about actions applied to the message ...................................... 137 6 Kaspersky® Mail Gateway 5.5 APPENDIX B. KASPERSKY LAB............................................................................... 140 B.1. Other Kaspersky Lab Products ........................................................................ 141 B.2. Contact Us......................................................................................................... 148 APPENDIX C. LICENSE AGREEMENT .................................................................... 150 CHAPTER 1. KASPERSKY® MAIL GATEWAY 5.5 Kaspersky® Mail Gateway 5.5 is designed to filter SMTP mail traffic protecting mail system users from viruses and unwanted messages (spam). The application is a full-featured mail relay (compliant with IETF RFC internet standards) that runs under Linux and FreeBSD operating systems. The application allows the user to: · · · · · · · · Check email messages for presence of spam signs, including attached objects and message bodies. Use the technology of DNS black lists (RBL) to filter spam. Create white lists and black lists of senders/recipients for use by the application while processing email traffic. Scan email messages for viruses, including attached objects and message bodies. Detect infected, suspicious, corrupted, attachments and message bodies. and password-protected Perform anti-virus processing (including disinfection) of infected objects revealed in email messages by scanning. Provide additional email traffic filtering by names and MIME types of attachments and apply certain processing rules to the filtered objects. Maintain archives of all email messages sent and/or received by the application, if this is required by the internal security policy of the company. Enable restrictions for SMTP connections providing protection against hacking attacks and preventing application use as an open mail relay for unsolicited email messages. Limit the load on your server by configuring the application settings and SMTP parameters. Notify senders, recipients, and the administrator about messages containing infected, suspicious, or corrupted objects. Quarantine messages identified as spam or probable spam as well as messages containing infected, suspicious or corrupted objects. Update the anti-virus and content filtration databases. The application retrieves updates from the update servers of Kaspersky Lab. You can also set the application up to update the databases from a local directory. · · · · · 8 Kaspersky® Mail Gateway 5.5 The application detects and cures infected objects using the anti-virus database. During scans, the contents of each file are compared to the sample code of known viruses contained in the database. Please keep in mind that new viruses appear every day and therefore we recommend maintaining the anti-virus databases in an up-to-date state. New updates are made available on Kaspersky Lab update servers every hour. The content filtration databases are employed for analysis of message contents (including Subject and other headers) and attached files. The application uses to that effect linguistic algorithms based on comparison with sample messages and search for typical terms (words and word combinations). The linguistic laboratory continues to work on improving and supplementing the corpus of data used for spam detection. Efficient spam fighting requires regular updating of the content filtration databases. Updates for the databases are made available on Kaspersky Lab update servers every 20 minutes. The keepup2date component serves for updating of the anti-virus and content filtration databases (see section 5.1 on p. 40). · Configure and manage Kaspersky Mail Gateway either from a remote location using Webmin web-based interface, or locally, using standard OS tools such as command line options, signals, by creating special command files or by modifying the configuration file of the application. Monitor the antivirus protection, and spam filtering status, view the application statistics and logs both locally and remotely using Webmin interface. · 1.1. What's new in Kaspersky Mail Gateway 5.5 Kaspersky Mail Gateway has been enhanced with the following additional features as compared with Kaspersky SMTP-Gateway 5.5: · · Checking email traffic for spam presence using the content filtration databases with an opportunity to specify the degree of filtering intensity. Marking of messages identified as spam or probable spam using special headers including an opportunity to use different methods with various groups of senders/recipients. 9 · · Storage of messages identified as spam or probable spam in the quarantine directory. Blocking of delivery to recipients for messages identified as spam or probable spam. 1.2. Licensing policy The licensing policy for Kaspersky Mail Gateway includes a system of product use limitations based on the following criteria: · · Number of users protected by the application Email traffic processed daily (MB/day). Each type of licensing is also limited by a certain period (typically one year or two years after the date of purchase). You can purchase a license limited by one of the above criteria (for example, by the daily mail traffic volume). In addition, you can define during product purchase whether your Kaspersky Mail Gateway will only perform anti-virus scanning of email traffic or it will also filter spam. The application has slightly different configuration parameters, depending on the type of license you have purchased. Thus, if the license is issued for a certain number of users, you will have to create a list of addresses (domains) that will be protected by the application against viruses and spam The application will notify the administrator when the traffic volume reaches critical values or the number of protected accounts is exceeded. 1.3. Hardware and software requirements Minimum system requirements for normal operation of Kaspersky Mail Gateway are as follows: · · · Intel Pentium® processor (Pentium III or Pentium IV recommended). At least 256 B of available RAM At least 100 MB of available space on your hard drive to install the application. Please note that the application working queue, quarantine directory, and archives of incoming and outgoing email are not included in the hard disk space required. If your network 10 Kaspersky® Mail Gateway 5.5 security policy requires the use of the above features, additional disk space will be needed. · · at least 500 MB of available space in the /tmp file system. One of the following operating systems: · · · · · · · · · · Red Hat Enterprise Linux Advanced Server 4. Red Hat Linux 9.0. Fedora Core 4. SuSE Linux Enterprise Server 9.0 (SP3). SuSE Linux Professional 10.0. Debian GNU/Linux 3.1r1. Mandriva 2006. FreeBSD 4.11, 5.4, 6.0. Perl interpreter, version 5.0 or higher (www.perl.org) and the which utility to install the application. Webmin version 1.070 or higher (www.webmin.com) to install the remote administration module (optional. 1.4. Distribution kit You can purchase the product either from our dealers (retail box) or at one of our online stores (for example, www.kaspersky.com ­ follow the E-store link). The retail box contains: · · · · sealed envelope containing the installation CD with the product a copy of this Administrator's Guide license key file bundled with the distribution package or recorded to a special floppy disk License Agreement. Before you unseal the envelope containing the CD, make sure you have carefully read the License Agreement . If you purchase our application online, you will download it from Kaspersky Lab's website; the copy also contains this manual. Your license key is either included in the installation package or will be sent to you by email after payment. 11 The License Agreement constitutes a legal agreement between you and Kaspersky Lab containing the terms and conditions under which you may use the purchased software. Please review the License Agreement carefully! If you do not agree to the terms of the License Agreement, you may return the box containing Kaspersky Mail Gateway to your dealer where you have purchased it for a full refund provided that the envelope with the installation CD has not been unsealed. By opening the sealed envelope containing the installation CD, or by installing the application, you confirm that you have accepted all the terms and conditions of the License Agreement. 1.5. Help desk for registered users Kaspersky Lab offers an extensive service package enabling registered customers to boost the productivity of Kaspersky Mail Gateway. If you purchase a subscription you will be provided with the following services for the period of your subscription: · · · new versions of this software product provided free of charge phone or email support on matters related to the installation, configuration, and operation of the product you have purchased notifications about new software products from Kaspersky Lab, and about new virus outbreaks. This service is provided to users who have subscribed to the Kaspersky Lab email newsletter service. Kaspersky Lab does not give advice on the performance and use of your operating system or other technologies. 1.6. Conventions Various formatting conventions are used throughout the text of this document depending on the purpose of a particular element. Table 1 below lists the formatting conventions used. 12 Kaspersky® Mail Gateway 5.5 Table 1. Conventions Style Bold type Meaning Menu titles, menu items, window titles, parts of dialog boxes, etc. Note. Additional information, notes. Information requiring special attention. Procedure description for user's steps and possible actions. Attention! In order to perform the action, 1. 2. Step 1. ... Task, example Solution Statement of a problem, example for using the software features. Solution to a defined problem. Command line keys. Text of configuration files, information messages and the command line. [key] ­ key purpose. Text of information messages and the command line CHAPTER 2. APPLICATION STRUCTURE AND TYPICAL DEPLOYMENT SCENARIOS Correct application setup and its efficient operation require knowledge of its structure and internal algorithms. It is also important for application deployment within an existing corporate email system. This chapter contains a detailed discussion of the application's structure, architecture and operating principles as well as typical scenarios of its deployment. 2.1. Application architecture The review of the application functionality must be preceded by a description of its internal architecture. Kaspersky Mail Gateway is a full-featured Mail Transfer Agent (MTA) able to receive and route email traffic scanning email messages for viruses and filtering spam. Kaspersky Mail Gateway uses SMTP protocol commands (RFC 2821), Internet message format (RFC 2822), MIME format (RFC 2045-2049, 2231, 2646), and satisfies the requirements to mail relays (RFC 1123). In compliance with antispam recommendations (RFC 2505 standard), the application employs access control rules for SMTP clients to prevent the use of this application as an open relay. In addition, Kaspersky Mail Gateway supports the following SMTP protocol extensions: · · · · · Pipelining ­ enhances performance of servers supporting this mode of operation (RFC 2920). 8-bit MIME Transport ­ processes national language characters code tables (RFC 1652). Enhanced Error Codes ­ provides more informative explanations of protocol errors (RFC 2034). DSN (Delivery Status Notifications) ­ decreases bandwidth usage and provides more reliable diagnostics (RFC 1891, 3461-3464). SMTP Message Size ­ Decreases the load and increases transfer rate (RFC 1870). 14 Kaspersky® Mail Gateway 5.5 RFC documents http://www.ietf.org. mentioned above are available at: The application includes the following components: · · · smtpgw ­ the main component ­ a full-featured mail relay with built-in anti-virus protection and spam filtering. licensemanager ­ component for managing license keys (installation, removal, viewing statistics). keepup2date ­ component that updates the anti-virus and content filtration databases by downloading the updates from the Kaspersky Lab's update servers or a local directory. Webmin module for remote administration of the application using a web-based interface (optional installation). This component allows the user to configure and manage the anti-virus and content filtration databases updates, specify actions to be performed on the objects depending on their status and monitor the results of the application's operation. Receiver (incoming mail receiver). Sender (module for sending scanned messages, which have passed antivirus scanning and spam filtering). Spamtest filter (module filtering spam messages). AV module (the anti-virus engine). Scanning module, which acts in combination with the Spamtest filter and AV module to process messages, including anti-virus scanning and spam filtering of mail traffic. · The smtpgw component (see Fig.1), in its turn, consists of the following modules: · · · · · Figure 1. General architecture of Kaspersky Mail Gateway Application structure and typical deployment scenarios 15 2.2. The algorithm of application functioning The application works as follows (see Fig. 2): 1. The mail agent receives email messages via the SMTP protocol and passes them to the Receiver module. Figure 2. Working queue of Kaspersky Mail Gateway 2. The Receiver module performs preliminary email processing using the following criteria: · · · presence of the sender's IP address in the list of blocked and/or trusted addresses including masks; compliance with the access restrictions specified for SMTP connections (see section 5.5.2 on p. 59); compliance of the email message size (as well as the mail session in general and the total number of messages within the session) with the limits specified in the application settings; compliance of the number of open sessions (both from all IP addresses and a single IP address) with the limits specified in the application settings. · If the message satisfies the preliminary processing requirements, it is sent to the working queue to be processed by the scanning module. If all incoming mail should be archived, a copy of any message added to the working queue will be automatically preserved in the archive of received messages. 3. The scanning module receives a message from the working queue and transfers it to the Spamtest filter for inspection. The filter assigns to it a 16 Kaspersky® Mail Gateway 5.5 specific status and returns the message to the scanning module, which then breaks it into individual components and passes them to the AV module for analysis. If you have only purchased a license for anti-virus scanning of email traffic, spam filtering will not be performed. Messages will be immediately delivered to the AV module for analysis. The application will ignore then configuration parameters, which apply to the Spamtest filter. 4. 5. The AV module scans the objects and, if this option is enabled, disinfects them, when necessary. The scanning module handles messages according to the status (see section 4.2 on p. 32) assigned to each object or message during analysis by the Spamtest filter and the AV module (blocks message delivery, deletes infected objects, modifies message headers, adds messages to the quarantine directory, etc.). The actions to be applied are defined in the application configuration file. Each processed message is then added to the ready-to-send message queue. If saving in the quarantine is specified as the action to be performed on a message, a copy of the scanned message will be saved in the quarantine directory concurrently with its transfer to the ready-to-send queue. The application creates a separate quarantine directory for messages identified as spam or probable spam and messages containing infected, suspicious or corrupted objects. Creation of message copy in backup storage or quarantine directory does not block delivery of the original message to the recipient. An additional action blocking its delivery has to be specified, if you want to prevent message delivery to the recipient. 7. The Sender module receives each message from the ready-to-send queue and transfers it via the SMTP protocol to the onward mail agent to be delivered to local end users or rerouted to other mail servers. If your network security policy requires logging of all outgoing email traffic, a copy of each message will be automatically saved after its delivery to the archive of sent messages (see Fig. 3). 6. 8. Application structure and typical deployment scenarios 17 Figure 3. Saving messages to the archives of received / sent messages 2.3. Typical deployment scenarios Depending upon the network architecture, the following options for installation of Kaspersky Mail Gateway are possible: · install the application along corporate network perimeter in the demilitarized zone (DMZ) acting as a buffer between internal corporate LAN and external network); install the application inside your existing mail system. to the same server with a running email system; to a dedicated server. · · · In each of the above cases the application can be installed: The sections below discuss in detail the above scenarios and describe their advantages. The application, being a mail relay, does not include a local mail delivery agent (MDA). Therefore, no matter which of the deployment scenarios is used, a mail system (or mail systems) that delivers email messages to the local users within the protected domains is required! 2.3.1. Installing the application along corporate network perimeter The main advantage of this option is that it improves the overall performance of your mail system because it minimizes the number of transfer cycles for email messages. 18 Kaspersky® Mail Gateway 5.5 In this case the existing corporate mail server has no connection to the Internet; that means additional protection of your data. Moreover, demilitarized zones (DMZ) may be set up. To install the application and the mail system on the same server, the following algorithm is provided to ensure their joint operation: 1. Configure all interfaces of Kaspersky Mail Gateway to listen on port 25 for incoming email traffic from all IP addresses matching the relevant MX records for the protected domain. The application filters spam and scans email. Then it transfers the processed messages to the corporate mail system via a different port (e.g., 1025). You have to set up restrictions for the mail transfer agent (MTA) receiving mail from Kaspersky Mail Gateway via port 1025 so that it accepts messages exclusively from Kaspersky Mail Gateway. Otherwise, there will be an opportunity to bypass the protection with a connection established directly from external network through port 1025. 3. The mail system, configured to use a local interface, will deliver messages to users. 2. The following steps are to be followed in order to install the application and the mail system on the same server: · Configure the application for mail receipt via port 25 on all network interfaces of the server. In order to do this, specify the following value in the [smtpgw.network] section of the configuration file: ListenOn=0.0.0.0:25 · Specify in the routing table transfer of all scanned messages to the mail system via port 1025. In order to do this, specify the following value in the [smtpgw.forward] section of the application configuration file: ForwardRoute=*@company.com [host:1025] where: *@company.com is the mask for recipient addresses host ­ name of the your corporate mail server. · Change the settings of the existing mail system for receiving messages from the application via port 1025. This will ensure receipt of all incoming mail messages and delivery of these messages to the local users within the protected domains of the company. Set up the existing mail system to transfer all messages it receives to the application via port 25. This will ensure anti-virus scanning and antispam filtering of all outgoing mail messages from the local users. · Application structure and typical deployment scenarios 19 · Specify the list of all corporate local domains as a value for the ProtectedDomains option in the [smtpgw.forward] section of the application configuration file ("*" and "?" wildcards can be used). Mail messages for the specified domains will be scanned. Application configuration for this deployment scenario implemented by default during the installation process. will be The operation algorithm of the application, when the latter is installed on a dedicated server, is identical to its operation on the same server with an email system, but the settings for this scenario will differ. IP address of the server, where the application is installed must be included in MX records corresponding to the protected domain. In order to install the application on a dedicated server: · Configure the application for mail receipt via port 25 on all network interfaces of the server. In order to do this, specify the following value in the [smtpgw.network] section of the application configuration file: ListenOn=0.0.0.0:25 · Specify in the routing table transfer of all scanned messages to the mail system via port 25. In order to do this, specify the following value in the [smtpgw.forward] section of the application configuration file: ForwardRoute=*@company.com [host:25] where: *@company.com is the mask for recipient addresses host ­ name of the your corporate mail server. · Specify the list of all corporate local domains as a value for the ProtectedDomains option in the [smtpgw.network] section of the application configuration file ("*" and "?" wildcards can be used). Mail messages for the specified domains will be scanned. This deployment scenario is the most convenient one, especially if the installation of Kaspersky Mail Gateway is performed at the same time with the deployment of the network and of the company's mail system. 2.3.2. Installing the application inside your mail system If the application is installed inside your mail system, there is no access from outside to the information about the application running on the server and its 20 Kaspersky® Mail Gateway 5.5 configuration. Besides, if the application is installed inside the mail system on a dedicated server, this provides for the possibility to distribute the load among several servers performing anti-virus scanning. The following algorithm is provided for joint operation of the application and the mail system installed on the same server: 1. 2. Duplicate your mail system and configure one of the copies to listen on port 25 and receive email messages via all available interfaces. This mail system forwards all incoming messages through the local interface via a different port (port 1025, for instance) to the application for scanning and spam filtering. The application filters spam, scans the email messages for viruses and forwards scanned and processed messages to the second mail system copy, which receives mail on a different port (e.g., port 1026). The second mail system delivers email to the local users. 3. 4. This deployment scenario is recommended if you are sure of the reliability of your mail system. The installation of the application will not affect the stability of your mail system. Application setup on a dedicated server is similar to the above procedure. Besides, when installing the application on a dedicated server, you can create and run several copies of the application on different servers. This can help you distribute the anti-virus processing and spam filtering load among several servers. To implement this scenario of application deployment: Specify the list of all corporate local domains as a value for the ProtectedDomains option in the [smtpgw.network] section of the application configuration file ("*" and "?" wildcards can be used). Mail messages for the specified domains will be scanned. Deploying Kaspersky Mail Gateway may require changes of the settings for the mail clients throughout the company so that all outgoing mail messages are delivered to the application, which will transfer the messages to the external network after an anti-virus scan and spam filtration. If the network includes installed firewalls or demilitarized zones (DMZ's), it is necessary to provide mail clients and internal and external networks servers with access to the installed application to ensure joint operation and routing of the mail traffic.