KL 036.2.

1: Kaspersky Secure Mail Gateway

KL 036.2.1

Kaspersky
Secure Mail
Gateway

Student guide
1
 KL 036.2.1: Kaspersky Secure Mail Gateway

ed
Table of contents

ut
1. Introduction ...................................................................................................................................... 3
1.1 How email works .............................................................................................................................. 3

ib
DNS .................................................................................................................................................. 3
Email operation basics ..................................................................................................................... 4

r
1.2 Mail Threat Protection ...................................................................................................................... 7

st
SMTP standards ............................................................................................................................... 8
Mail sender verification ...................................................................................................................11
1.3 Kaspersky Secure Mail Gateway operation principles ...................................................................15

di
2. How to deploy Kaspersky Secure Mail Gateway ............................................................. 27
2.1 OS installation and configuration (VA) ...........................................................................................28

re
2.2 Installing KSMG as an rpm/deb package (SA) ...............................................................................30
2.3 Configuring an email relay (VA) .....................................................................................................35
Direct integration ............................................................................................................................35
Integration after gateway ................................................................................................................40
or
2.4 Initial setup, activation ....................................................................................................................48

3. Protection management ............................................................................................................ 55

3.1 Lists ................................................................................................................................................55
d

3.2 Anti-Spam .......................................................................................................................................58

3.3 Antivirus and link scanning .............................................................................................................63
e

3.4 Anti-Phishing, Content Filtering and Mail Sender Authentication...................................................65

SPF .................................................................................................................................................70
pi

DKIM ...............................................................................................................................................70
DMARC...........................................................................................................................................71

4. Maintenance ................................................................................................................................... 72
co

4.1 Dashboard, logs and reports ..........................................................................................................72

4.2 Notifications and warnings..............................................................................................................77
4.3 Backup ............................................................................................................................................80

5. Advanced settings ....................................................................................................................... 86

be

5.1 Encryption and DKIM ......................................................................................................................86

5.2 Accounts .........................................................................................................................................92
5.3 Scaling and maintenance ...............................................................................................................95
5.4 Integration with other systems ......................................................................................................102
tto
No

1
 KL 036.2.1: Kaspersky Secure Mail Gateway

Acronyms and conventions

ed
AD Active Directory

ut
DMZ DeMilitarized Zone

DNS Domain Name System

ib
IT Information Technology

KATA Kaspersky Anti Targeted Attack

r
KPSN Kaspersky Private Security Network

st
KSMG Kaspersky Secure Mail Gateway

KSN Kaspersky Security Network

di
Sandbox Kaspersky Anti Targeted Attack Sandbox
SIEM Security Information and Event Management

re
or
e d
pi
co
be
to
t
No

2
 KL 036.2.1: Kaspersky Secure Mail Gateway

ed
1. Introduction

ut
ib
1.1 How email works

r
Let's briefly discuss the basic principles of email operation: how a message travels from the sender to the
recipient. This is important for understanding how Kaspersky Secure Mail Gateway fights junk mail.

st
DNS

di
re
or
e d
pi
co
be

The main function of DNS is to resolve domain names into IP addresses. DNS also has many other
functions and various resource records are used for them. For example, A records are used to resolve
names into IPv4 addresses. For email to work, an MX record is required, where the domain administrator
specifies the DNS name of the domain mail server (there may be several of them). When a mail server
to

needs to deliver a message, the first thing it does is determine the recipient's domain based on the right
side of the mail address and sends a DNS query for its MX record. It resolves the received server name
into the IP address and connects to it to deliver the message. These are basic email interactions.

DNS also helps mail administrators protect their domains from unauthorized use. For example, we will
t

study SPF, DKIM and DMARC email authentication methods that use DNS TXT records (for SPF, you
can also select a special SPF resource record).
No

3
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

Email operation basics

ed
ut
r ib
st
di
re
or

In a nutshell, a message goes from the sender to the recipient as follows. A user composes a message in
d

a mail client (Mail User Agent, MUA). The mail client sends the message using SMTP (or LMTP, which is
less common) to the server where the Mail Transfer Agent (MTA) is installed. The MTA adds the
Received header where it specifies its data. Every MTA along the message’s delivery path does the
e

same, which allows you to trace it. Next, the MTA uses DNS to find the server responsible for the
recipient's domain, and sends the message there using SMTP. If this recipient's server stores user
pi

mailboxes, the path ends there. The recipient connects to the mail server using a mail client and picks up
the message using IMAP, POP3 or MAPI over HTTP (in the recent versions of Microsoft Exchange).
co
be
t to
No

4
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

Mail relaying

ed
ut
r ib
st
di
re
or

A message’s path is often longer than we have described because the sender's MTA sends it to a mail
relay (which also acts as an MTA) instead of immediately transmitting it to the mailbox server. This
d

complicated scheme is necessary:

—
e

To protect sensitive information that mail messages contain.

— A relay does not store mail; if it is compromised, the damage is much less.
pi

— A relay is deployed on the edge of the network to receive mail from the internet, while a
mailbox server can be safely deployed inside the local network behind the DMZ.
— A relay can have very simple functionality, which makes it easier to configure and more
co

secure. You can use specialized hardware or virtual devices.

— On a relay, it is easier to check incoming mail for spam, malicious objects and links.
— To route email. For example, if the organization's mailbox servers are geographically distributed,
the relay will forward each message to the necessary server according to the specified rules.
be
t to
No

5
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

Mail relay rules

ed
ut
r ib
st
di
re
or

Rules are very important for a relay. Without them, it simply forwards arriving messages to their
destinations. It does not know whether an email is incoming or outgoing for the organization, or whether
d

this particular SMTP client is entitled to send email through it. Relays through which any SMTP client can
send a message are called open relays. Open relays are a godsend for spammers. They can send
e

messages through them at no extra cost.

pi

The main thing to do is to instruct your relay where the internet (untrusted network) is, where the trusted
network is and which domains it serves (local domains). For the relay, this means:
— It must accept email from the internet only for the local domains, and reject the rest
co

— Only SMTP clients from trusted networks can send messages anywhere via the relay

Then you need to understand how to distribute the received mail. The relay can deal with it in a standard
manner, i.e. make a DNS query to determine where to send mail for the recipient's domain, or it can use
internal rules with more complex logic. In terms of Postfix, which Kaspersky Secure Mail Gateway can be
be

integrated with, this is a transport map.

t to
No

6
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

1.2 Mail Threat Protection

ed
ut
r ib
st
di
re
or

Typical email threats are spam, phishing, malicious links and attachments. Targeted attacks are rarer, but
d

more dangerous; email is a penetration vector for them. They can use either phishing or malicious
objects, but the success rate of targeted attacks is higher because they are developed for a particular
e

organization. For example, attackers use the addressee’s name, the text is composed to imitate a
message that the employee expects to receive: an invoice for a recent order, a request from a partner, an
internal message from HR, etc.
pi

How to protect against these threats? There are two types of protection methods. First, email standards
and public services. Email standards impose certain requirements on the SMTP client, which spammers
co

do not always comply with. Some standards help authenticate a message or make sure its integrity has
not been violated: SPF, DKIM and DMARC. This guarantees that an email was really sent from the
mailbox specified as the sender. Public services include DNSBL and SURBL: denylists of IP addresses
from which spam is sent and denylists of dangerous URLs that were found in the message body,
respectively.
be

The other method is based on the security vendor's expertise implemented in a mail protection solution.
Such solutions analyze headers and text of a message and check attachments for malicious objects and
macros. Kaspersky Secure Mail Gateway combines Kaspersky expertise with automatic verification of the
SMTP client for compliance with all standards.
t to
No

7
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

SMTP standards

ed
ut
r ib
st
di
re
or

Let's analyze various checks that MTA usually performs during an SMTP session. An SMTP session is
d

quite simple. The MTA that sends an email is an SMTP client that connects to another MTA, an SMTP
server, on TCP port 25. Then they exchange commands: the client sends data, and the server responds
e

with a specific code. At each stage, the server can terminate the session by responding with a code that
starts with 4 (transient error, try later) or 5 (permanent error); a positive response starts with 2:
pi

1. The server responds to a client connection with a message that contains code 220 and the server
name
2. The client sends the ehlo command with its name
co

3. The client sends the mail from command with the sender's address
4. The client sends the rcpt to command with the recipient's address
5. The client sends the data command, to which the server should respond with code 354 to start
receiving the message
be

6. The client transmits the message and completes the transmission with a dot on a new line. If the
server accepts the message, it responds 250 OK; after that, it is the server that is responsible for
sending the message further
7. The client ends the session with the quit command
t to
No

8
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

Step 1. Session start

ed
ut
r ib
st
di
re
or

A properly configured MTA has both an A record and a PTR record for its IP in DNS. This is not an SMTP
requirement, but it is considered good practice. SMTP servers add this information to the Received field.
d

In step 1, the SMTP server may verify that the SMTP client's IP address has a DNS PTR record. It
resolves the resulting name back to an IP address. If these IP addresses match, then the verification has
e

succeeded; otherwise, the message still needs to be accepted, but the verification result can be taken
into account as one of the factors influencing the decision on whether the message is spam. Some
pi

legitimate MTAs may fail this check for various reasons; but in many cases a misconfigured host or a host
whose PTR record corresponds to a dynamic DNS name is a compromised non-mail server or part of a
spamming botnet. There is no one-size-fits-all solution here, and SMTP client verification should be
considered along with other measures.
co

Step 2. EHLO check

The SMTP server can verify that the name passed by the SMTP client in the ehlo command resolves into
the client’s IP: https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.4. This is just a recommendation.
be
t to
No

9
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

Step 3. Sender verification

ed
ut
r ib
st
di
re
or

The domain can be checked by the sender’s address. The sender's domain must exist in DNS and there
must be an MTA that sends its mail, and the MTA must have the corresponding record in DNS.
d

Therefore, the SMTP server performs a DNS query to find the MX records associated with the sender's
domain, and if there is no MX record, it requests the A record according to the standard:
e

https://datatracker.ietf.org/doc/html/rfc5321#section-5.1.
pi
co
be
t to
No

10
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

Mail sender verification

ed
ut
r ib
st
di
re
or

SMTP is very simple and was developed at a time when little thought was given to security. For example,
d

you can specify an arbitrary sender address in an SMTP session on the condition that such a domain
exists in reality. The situation is complicated by the fact that a message has two sender-recipient pairs.
e

One pair is what the SMTP client transmits during the session in the mail from and rcpt to commands,
and the other pair is what is specified in the From and To fields of the message headers. The client
transmits the headers along with the message body after receiving code 354 from the server. SMTP does
pi

not require to check if the sender and recipient from the SMTP session match the data specified in the
message. Mail clients show the sender’s address from the headers. This means that it is easy to spoof
the sender and masquerade as a legitimate user or organization. And instead of, say,
co

[email protected] sender, the user will see an address of a familiar person or Google
technical support.
be
t to

To avoid sending phishing and spam, mail servers can use various protocols to authenticate senders and
verify messages. Let’s study each of them in detail.
No

11
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

SPF

ed
ut
r ib
st
di
re
or

Most often, spam or phishing is sent through cloud servers, from infected hosts or botnet nodes. Sender
Policy Framework (SPF) allows a client to verify that this SMTP server is entitled to forward mail from the
d

domain specified in the mail from address.

e

To make this work, administrators who do not want spam to be sent from their domains add a special
TXT record (or SPF, if the server supports it) to DNS. It contains information about the hosts that are
pi

allowed to send email on behalf of the domain.

The receiving party makes a DNS request to the sender's domain and the response says whether the
SMTP client has the right to send mail on behalf of this domain. The following results are possible:
co

— none—no SPF policy was published by the domain

— permerror—the domain’s published records could not be correctly interpreted
— temperror—a temporary error, for example, DNS timeout
— pass—the host is authorized to send mail
— softfail—an intermediate status between ‘fail’ and ‘none’;
be

— fail—the host is not authorized to send mail on behalf of the domain

This method is uncomplicated and does not require a lot of resources. However, it has its drawbacks,
which limit its efficiency. Some administrators do not specify SPF records for their domains; as a result,
some messages cannot be checked. Besides, a spammer can create a temporary domain and correctly
to

specify SPF.

A DNS SPF record can include the following objects:

— MX – all mail servers of the domain, meaning, all servers listed in MX records
t

— A – all addresses which the specified A record resolves to

— ip4 – a particular IPv4 prefix
No

You can also import addresses of servers allowed for another domain. This feature is typically used when
configuring SPF for subdomains of a single parent domain.

12
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

DKIM

ed
ut
r ib
st
di
re
or

DomainKeys Identified Mail (DKIM) enables the receiving party to verify that the email has really come
from the infrastructure of the sender's domain and hasn’t been modified in transit. Here is a simplified
d

DKIM operation diagram. For a detailed description, see section Anti-Phishing, Content Filtering and Mail
Sender Authentication.
e

DKIM protection is based on asymmetric encryption. An administrator who wants to protect a domain
pi

specifies its public key in DNS. The mail server adds a DKIM header with the message signature and
other information to outgoing messages. The DKIM header contains the domain of the organization that
signed the message. The receiving MTA sends a DNS query to the domain specified in DKIM and
receives a public key. If the digital signature can be decrypted with this key, then the message really
co

came from the domain specified in the email.

The sender uses the digital signature to encrypt the hash of some headers (From is a must) and the
message body, and the recipient can calculate the hashes and compare the result with the original values
after decrypting the digital signature. If the calculated and decrypted hashes match, then the message
be

contents were not changed while it was delivered. The DKIM check is usually performed by mail servers,
but there are also add-ons for mail clients that use this authentication method.

RFC 6376 (DKIM Signatures) does not regulate how to use signature verification results; it's up to the
receiving side. They typically use a DMARC policy (see below).
to

DKIM weaknesses are similar to those of SPF: not everyone uses DKIM, and an attacker can create a
throwaway domain and configure everything correctly.
t
No

13
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

DMARC

ed
ut
r ib
st
di
re
We already told that SPF protects the sender's domain specified during an SMTP session, but does not
protect the domain specified in the From: header in any way. DKIM relies on its own headers and does
not attempt to regulate the contents of the From: header. Domain-based Message Authentication,
Reporting and Compliance (DMARC) uses SPF and DKIM information to protect the domain specified in
the From: header.
or
e d
pi
co
be

To configure DMARC, the administrator publishes a special TXT record. The receiving server takes the
to

domain part of the address specified in the From header and requests a DMARC record of this domain
from DNS. Next, the server compares the domains protected by SPF and/or DKIM (depends on the
DMARC policy) with the domain specified in the From header. If they do not match, it applies the policy
that is specified in the DMARC TXT record. Possible options:
— Do nothing (none)
t

— Treat the message as suspicious. A specific action is at the discretion of the receiving party, for
No

example, mark as spam (quarantine)

— Reject

14
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

1.3 Kaspersky Secure Mail Gateway operation principles

ed
Let’s briefly describe what Kaspersky Secure Mail Gateway does, its main components and operation
principles.

ut
r ib
st
di
re
or
ed

KSMG version 2.1 can detect confidential information in outgoing email. You can prevent users from
emailing specific file types (as simple attachments or archived). Forbidden information can also be
pi

detected in the message body. For example, phone numbers, IP and MAC addresses of network devices,
employee IDs, email addresses of internal users or services, passport numbers, dates of birth, bank card
numbers, and other confidential data. The filtering system is flexible thanks to support for masks and
co

regular expressions, as well as dictionaries. Sure, this is no substitute for a fully functional DLP system,
but enables you to prevent leakage of some critical data.

Dictionaries can contain file types, masks and regular expressions.

be
t to
No

15
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

ed
ut
r ib
st
di
re
Kaspersky Secure Mail Gateway is available in two implementations: Virtual Appliance and Standalone.
These implementations have almost identical functionality with slight differences. KSMG Virtual Appliance
is easier to install and maintain, and is ideal for novice administrators or when you need to deploy email
protection as quickly as possible. KSMG Standalone may be preferable for experienced administrators,
or
because it allows you to select the operating system and a mail server, and fine-tune the MTA.
ed
pi
co
be
to

KSMG Virtual Appliance is supplied as an ISO image that you can deploy as a virtual machine. It is based
on a Rocky Linux image with Postfix mail agent and Nginx web server pre-installed. All the necessary
settings are made in the web interface.
t
No

Kaspersky Secure Mail Gateway Standalone can be installed on other supported operating systems. You
can use a Postfix or Exim MTA. Integration with Postfix is performed automatically, while an Exim mail
server requires a manual integration with KSMG.

16
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

ed
ut
r ib
st
di
Several Kaspersky Secure Mail Gateway components download databases from Kaspersky servers.

re
They use a single update task that runs every 15 minutes by default. Anti-Spam databases are most
sensitive to the frequency of updates, and Kaspersky specialists publish them very often; other
components receive updates rarer.

KSN (Kaspersky Security Network) is a cloud reputation database for files, URLs and IP addresses. It
or
significantly reduces the time of update delivery from Kaspersky experts to the product. All KSMG
detection modules can use KSN. We will talk about KSN in more detail later.

When you update KSMG in the Virtual Appliance implementation, not only KSMG will be updated, but
also the Postfix MTA and the Rocky operating system. Note that KSMG settings will be preserved, but
d

manual adjustments to Postfix configuration will be reset.

e

If KSMG is deployed in the Standalone implementation, it is the administrator who is responsible for
updating the MTA, operating system and all other software products installed on the server.
pi
co
be
t to

The basic logic of mail traffic handling is configured in the rules. The administrator uses rules to fine-tune
the product behavior depending on the sender and recipient. They have settings for all components and
No

notification settings. For example, an administrator can set up to add a text warning about confidentiality
to the end of messages from employees who often communicate with external contractors. It makes
sense to create a rule for outgoing mail, because from the protection point of view, KSMG does not

17
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

distinguish between messages that came from the internet and from inside the organization. Outgoing

ed
mail can be skipped or checked with weaker settings to take load off KSMG. Perhaps the most important
check for outgoing mail is content filtering, which reduces the risk of confidential data leakage.

ut
r ib
st
di
re
or
d

Rule conditions describe recipients and senders. Conditions can be based on the following parameters:
— Sender’s or recipient’s address;
e

— Account or LDAP group of the sender or recipient;

— IP address (IP range) of the client from which the mail server received the message.
pi

To use LDAP in the rules, integrate KSMG with your LDAP server beforehand. We will describe this later
in our course.
co

You can use masks and regular expressions for mail addresses: in a condition that applies to all
addresses, you can specify *. The re: prefix must precede regular expressions. For example, if you know
that the testing department of ABC Inc. uses email addresses that look like userXXXX, where XXXX
stands for a numeric sequence, you can make a rule with the following condition for this department:
be

re:^user[0-9][email protected]

where ^ means that we are searching for the string at the beginning of the address, and addresses like
[email protected] are to be excluded. Then there is a range of symbols in the brackets that corresponds
to a numeral from 0 to 9. Since one symbol is not enough, the brackets are followed by the + sign, which
specifies that there can be several symbols. After the numerals, there is @ with the domain part of the
to

address.

The same can be rewritten as follows (in a more universal form):

re:^user\[email protected]
t
No

Where \d stands for ‘any digit’.

18
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

ed
ut
r ib
st
di
re
All mail passing through KSMG can be additionally forwarded to hidden recipients (you can specify one or
several addresses). You can use the BCC setting, for example, to additionally check mail in a third-party
or
system that cannot be integrated with KSMG.

You can configure rules to filter messages to be forwarded to hidden recipients. In this case, you need to
specify addresses of hidden recipients in the mail filtering rule.
e d
pi
co
be
to

KSMG processes the rules one by one according to their priority. First, it checks a message against the
t

rule that has priority 1. To do this, it takes each sender-recipient pair of the message. If the pairs do not
match the rule conditions, the conditions of the following rule on the list are checked, etc. If a message
No

has several recipients who are mentioned in different rules, each of them will receive (or will not receive)
the message according to the settings of the corresponding rule. The last rule named Default works for
all pairs, and this behavior cannot be changed; besides, you cannot delete this rule. When setting up the

19
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

system, remember that this rule will be used in emergencies. For example, if the LDAP server is

ed
inaccessible and email addresses cannot be matched to the users, all messages will be scanned with the
settings of the Default rule.

The KSMG 2.1 interface has become more informative: the page with the list of rules shows which
protection modules each rule uses. You don’t need to open each rule to check the protection mechanisms

ut
involved. You can also see how many sender and recipient addresses each rule includes. The rightmost
column contains a note where you can briefly describe the actions performed, specify the request number
according to which the administrator created this rule, and so on.

r ib
st
di
re
or
e d
pi

The administrator configures rules to specify how each module should check a message, and the actions
that will be applied to the message based on the results. Typical actions are Skip (and add a tag to
co

the subject), Delete the message or Reject.

— Skip — email the message.
— Delete — delete the message and all attachments.
— Reject — reject the message and notify the sender about a problem either using SMTP codes or
be

by sending a bounce report.

Other actions to be performed on the message depend on the anti-malware module used. We’ll talk about
them later.

Some settings can only be set at the product level, and they will apply to all traffic, regardless of the rules.
to

They are located in Settings | General | Protection. For example, you can disable a module entirely for
all traffic for testing, or change the level of antivirus heuristics, which affects scanning thoroughness and
hence performance of the whole system.
t
No

20
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

ed
ut
r ib
st
di
re
The general schema is as follows. For each message, KSMG checks every sender-recipient pair against
or
rule conditions, starting with the rule that has priority 1 and further on. If no rule matches the
sender-recipient pair, KSMG scans the message according to the Default rule settings. This means that
the same message is handled differently for different recipients.
de
pi
co
be
t to
No

KSMG adds its headers to each message. In addition to the standard MTA headers, there are diagnostic
headers that contain a lot of information about message scanning. You can also find almost the same
diagnostic data on the Events | Mail traffic page of the KSMG console and in the system log of the
virtual machine. Headers come in very handy when a user asks the administrator why a message ended

21
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

up in spam. Looking through the log of a highly loaded server in search of a specific entry can be a very

ed
time-consuming task. The administrator can use diagnostic information in the headers to find out:
— Which rule KSMG used for processing the message
— The sender's address used in the SMTP session
— Checkup results of individual modules

ut
— Which modules were not used when scanning the message and why
— If the message was scanned with up-to-date databases
— The spam rating of the message and why it received it

ib
Headers contain a lot of service information, and KSMG allows you to remove specific headers when
sending email outside the corporate network.

r
st
di
re
or
e d
pi

The Add X-headers to message headers option allows you to select whether to add any KSMG
X-headers to all processed messages. This option is useful if you need to globally prohibit adding
co

headers, for example, for security reasons so as not to disclose information about the corporate
infrastructure. The administrator can select to override this option in each individual rule: when a rule is
triggered, message headers can be deleted, added or modified.

Individual MIME headers can also be added to each part of a message. Kaspersky Secure Mail Gateway
adds the X-KSMG-AntiVirus-Status header if anti-malware scanning returns one of the following results:
be

Infected, Error or Encrypted. This option depends on the previous one (Add X-headers to message
headers). If you disable the Add X-headers to message headers option, the option to add the X-KSMG-
AntiVirus-Status header is disabled automatically.

The X-MS-Exchange-Organization-SCL header contains information about the probability that the
to

message is spam. The header values range from -1 to 9. The higher the value, the more likely the
message is spam: -1 means either that the message is definitely not spam, or that it was sent from a
trusted address; and 9 means it is definitely spam. The X-MS-Exchange-Organization-SCL header can
notify MS Exchange about the results of antispam scanning. Note that you don’t need to additionally
configure MS Exchange. MS Exchange will process the message in accordance with the specified SCL
t

value.
No

Remember that any manipulations with the headers will change messages. And any changes to the
headers, which are used to calculate the DKIM signature, invalidate this signature. This imposes
restrictions on the location of the gateway where KSMG is installed in relation to the server that checks

22
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

DKIM or signs outgoing messages. Messages must be signed after all headers have been specified.

ed
DKIM signature must be verified before any system starts changing headers. Adding a new header
doesn’t affect the signature.

ut
r ib
st
di
re
or
d

Message scan rules have priority over the global header management settings.
e

You can specify which headers to delete either explicitly or use a mask or regular expression.
pi

To change a header value, you must specify its name explicitly. The Modify headers function helps not
only edit values, but also add new headers.

For example, you can add the X-MS-Exchange-Organization-PCL header. PCL stands for Phishing
co

Confidence Level. This header will notify the MS Exchange mail server about suspected phishing.
be
t to
No

23
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

ed
ut
r ib
st
di
re
or
The user data is centrally stored in a directory service, most often Active Directory. If you connect KSMG
to Active Directory, it will be able to:
1. Request information using LDAP
d

2. Authenticate domain users (single sign-on)

3. Perform additional antispam checks (prevent Active Directory spoofing)
e

Information received using LDAP significantly simplifies managing conditions in the rules. You can, for
pi

example, specify not only individual mailboxes, but entire Active Directory groups, and this condition will
be dynamically updated when the group is modified on the LDAP server. And if we are talking about an
individual user, it is much more convenient to use the autocomplete function after typing a part of the user
name instead of typing the whole address with the risk of making a mistake.
co

In scenarios 1 and 3, KSMG periodically queries the Active Directory domain controller to receive the
information listed on the slide. This information is cached on KSMG to prevent overloading the domain
controller; so if KSMG needs information about a domain user or group, it will query the local cache
instead of the domain controller.
be

Scenario 2 allows KSMG to authenticate an Active Directory user. In this case, a user who has access to
the KSMG console does not need to enter the password when logging on; the data of the current
Windows session (Single Sign-On or SSO) is used instead. The administrator can also grant ordinary
users access to the console via SSO: then they will be able to see contents of their backup storages and
configure their own allow and deny lists.
to

Another less obvious action is to check if a user exists using the LDAP cache. We will describe this later
in our course.
t
No

24
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

ed
ut
r ib
st
di
re
To get access to the basic KSMG functionality, you need to install a license key or add an activation
code. What exactly works with the key is shown on the slide. Note that mail will still be sent when a key
expires; only the protection modules will be disabled.
or
ed
pi
co
be

To improve scanning and performance and reduce false positives, KSMG uses KSN, a proprietary cloud
to

reputation database. You need to manually enable use of KSN in the settings. Interaction with KSN
involves a two-way information exchange: KSMG sends IP addresses, attachment hashes and URLs
from email messages to the cloud; in response, it receives their reputation. The KSN database is huge
and new data appears first there; somewhat later, the product can download it in the form of databases
from update servers.
t
No

Not only the anti-malware scan module benefits from quicker signature updates, but also less obvious
modules, such as spam filtering. Spam is extremely short lived nowadays, because spammers attempt to
avoid detection this way. Spammers often use new IP addresses and domains to send emails. Such
mailing is most effective at the very beginning, until information about the sender reaches antispam

25
 KL 036.2.1: Kaspersky Secure Mail Gateway 1. Introduction

databases. After that, mailing effectiveness decreases significantly, because most messages get filtered

ed
out on mail servers and do not reach users. This is why spammers constantly create new domains and IP
addresses, trying to send the maximum number of messages in the shortest possible time. The KSMG
anti-spam module has other mechanisms designed to resist spam, which we will describe later.

ut
You can select to send extended statistics to KSN to further improve the detection rate. In this case,
KSMG will additionally send anonymized mail traffic statistics, including some message headers and
metadata (the size of the message and its parts), the database version and information about errors in
the product.

r ib
st
di
re
or
d
e
pi
co
be
t to
No

26
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

2. How to deploy Kaspersky Secure Mail

ed
Gateway

ut
r ib
st
di
re
or
You already know that KSMG is delivered in two implementations: as an ISO image (Virtual Appliance)
and as an installation package (Standalone).

If you select the Virtual Appliance option, you can deploy KSMG on one of the supported virtual platforms.
The image is all set up, you just need to fine-tune it: specify your network settings and MTA parameters,
d

and then activate. The first and third steps are quite simple, most of the attention we will pay to
configuring the MTA.
e

If you select the Standalone option, you need to install a supported operating system and MTA and
pi

configure them beforehand. KSMG is deployed after the operating system and MTA are fully prepared
and configured.

Both KSMG versions are activated in the same way.

co
be
t to
No

Regardless of the selected installation option, you need to think over the service architecture in advance.
You need to understand where KSMG will be located in the mail infrastructure. There are two main

27
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

scenarios: install KSMG as an edge gateway and then it will receive mail directly from the internet, or

ed
deploy KSMG behind the corporate edge mail gateway. We will discuss each of these scenarios in detail.

Since KSMG is a relay, it must route mail traffic. Determine in advance which traffic (which recipient
domains and subdomains) to direct where (relays on remote sites or mailbox servers).

ut
2.1 OS installation and configuration (VA)

r ib
st
di
re
or
ed
pi

You can install the KSMG virtual machine on the supported versions of VMware vSphere and Microsoft
co

Hyper-V. KSMG 2.1 supports a new virtualization platform: RED Virtualization.

The minimum hardware requirements are shown on the slide. In this configuration, KSMG can handle
traffic of 10 messages (with an average size of 300KB) per second at most.
be

When KSMG is installed in Standalone mode, performance will largely depend on the settings of the
operating system, mail server and hardware platform.
t to
No

28
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

ed
ut
r ib
st
di
re
or
KSMG Virtual Appliance is supplied as a bootable ISO image. When it starts, a setup wizard appears,
which prompts you for the disk where you want to deploy the system and helps you configure the
necessary network parameters and perform initial setup.
d

KSMG Standalone is distributed as a deb or rpm package to be installed on a prepared system. The
administrator configures it before deploying KSMG. The installation script integrates KSMG into the
existing system and configures Postfix (for example, adds milter). Before deploying KSMG, send a test
e

message to make sure the MTA is properly installed and configured; email must be delivered without
issues.
pi

At the end of installation (regardless of the selected implementation), you need to set an administrator
password and confirm or change the default cluster port TCP 9045. KSMG nodes will use this port for
co

interactions within the cluster if you install multiple KSMG nodes. You will not be able to change this port
after the product is installed. Kaspersky Secure Mail Gateway nodes installed from different distributions
(Virtual Appliance and Standalone) cannot be merged into a single cluster. Keep this in mind when
deploying the system.

The Standalone distribution can also be deployed in a virtual environment.

be
t to
No

29
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

2.2 Installing KSMG as an rpm/deb package (SA)

ed
ut
r ib
st
di
re
KSMG supports multiple operating systems and integration with two mail servers: Exim and Postfix.
Select the most familiar operating system and mail server unless your choice is restricted by a corporate
policy or local regulations. The correct choice will minimize time spent on troubleshooting.
or
e d
pi
co

You can integrate the mail gateway with mail filtering and processing systems in several ways. When
connecting to the MTA, you need to select how and when the MTA will send messages to the filtering
be

system.

With after-queue and before-queue integrations, the filtering system receives a message, processes it
and performs one of the following actions:
— Sends the message back to the MTA
to

— Quarantines or deletes the message

— Rejects the message and sends the corresponding code/status to the MTA

The difference between after-queue and before-queue integrations is when the MTA sends a message for
t

processing: before it is queued or after.

No

30
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

ed
ut
r ib
st
di
re
or
After-queue integration is usually used in high-loaded systems so as not to lose incoming mail during
peak hours. After-queue integration allows you to balance the load among multiple servers, thus freeing
up the MTA processor.
e d
pi
co
be
t to
No

Milter integration allows administrators to efficiently add new filters to the mail processing chain.

31
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

ed
ut
r ib
st
di
re
or
Deployment of Kaspersky Secure Mail Gateway Standalone distribution consists of two stages: preparing
the system together with installing the KSMG package, and running the post-installation setup script.

The first part of the procedure is fairly standard. The only surprise you mustn’t overlook is installation of a
d

web server. Mail gateways often have no web servers because administrators separate roles between
servers. KSMG requires Nginx for its web interface, where most KSMG settings are configured.
e
pi
co
be
to

By default, KSMG only provides English interface. For many administrators, this is enough. If necessary,
you can select another localization and install it additionally; we’ll tell about this later.
t
No

After the KSMG package has been installed, proceed to initial setup.

32
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

ed
ut
r ib
st
di
re
or
Run the post-installation script, accept the license agreements, and specify the main settings for
Kaspersky Secure Mail Gateway:

1. Select the installed web server;

d

2. Specify parameters of interactions within the cluster: IP address and port (note that you will not
be able to change them later);
e

3. Select the port where the web interface will be available;

pi

4. Set the method of integration with the web server;

co

5. Specify the administrator’s password.

Cluster communication settings must be specified even if you do not plan to use multiple KSMG nodes.
The cluster is required in any case, even if you use one node only.

When specifying the administrator’s password, pay attention to the KSMG requirements for its length and
be

complexity.
t to
No

33
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

ed
ut
r ib
st
di
re
or
How you can integrate KSMG with MTA depends on the MTA. Integration with Postfix is only possible in
automatic mode, while Exim can be integrated with KSMG either manually or automatically.
ed
pi
co
be
t to
No

It is good practice to save backup copies of configuration files before modifying them.

34
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

2.3 Configuring an email relay (VA)

ed
Direct integration

ut
r ib
st
di
re
or
e d

You can integrate KSMG into the mail flow in two ways: connect directly to the internet or install behind
the edge MTA. In the former case, KSMG can check senders’ addresses using SPF (and DMARC as a
pi

consequence) and reject unwanted messages during the SMTP session, which is recommended by
SMTP. In the latter case, KSMG cannot see the real IP of the sender in incoming mail, so it is the edge
gateway that should perform SPF checks; also, KSMG will not be able to reject unwanted email in this
case, messages can only be deleted.
co

Let's explain this in more detail. According to SMTP, there is a clear division of responsibility between
mail servers. If an MTA gives a positive response to the end of message transmission symbol (.) during
an SMTP session, then it undertakes to deliver the message to its destination. If it has accepted a
message, but cannot deliver it, the MTA is obliged to notify the sender that the message has not reached
be

the recipient. It creates a bounce message and sends it to the SMTP mail from address. Imagine that
KSMG should reject messages with malicious attachments. When the edge gateway receives a message,
it then connects to KSMG. KSMG checks the email, and if it finds a malicious attachment, it returns code
550 to the gateway at the end of the SMTP session. The edge gateway has to create a bounce message
and return it to the sender. This poses extra load on the server and potentially leads to other problems:
the address in mail from can be spoofed and the bounce message will go to a recipient who did not send
to

the original message, which can be considered as spamming, and your MTA may be blocklisted.
Therefore, KSMG should quietly delete unwanted messages in defiance of SMTP requirements if there is
an edge mail server in front of it.

Now, let’s proceed to direct integration.

t
No

35
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

Access control

ed
ut
r ib
st
di
re
It is important to properly configure access control for an MTA that receives mail from the internet so that
it does not become an open relay. KSMG does not accept any mail by default; the administrator must
specify local domains for which it can receive mail from untrusted (from the mail system viewpoint) nodes.
To allow outgoing mail traffic, the administrator draws up a list of trusted nodes that can send mail
through KSMG anywhere.
or
Lists of local domains and trusted networks are configured in different ways for KSMG Virtual Appliance
and Standalone. In the Virtual Appliance implementation, the administrator configures all settings only
using the KSMG web interface. In the Standalone implementation, the administrator will have to edit the
Postfix or Exim configuration files.
ed
pi
co
be
t to
No

When an SMTP client connects to KSMG and starts transmitting data, the gateway checks the domain
specified in rcpt to and if it is a local domain, the message will be processed. If KSMG has accepted a
message for delivery, it should know where to send it. There are two options. By default, a gateway sends

36
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

a DNS query to get MX records for the recipient's domain and send the email to the respective mail

ed
servers. The other option is to explicitly specify mail server addresses for a domain in KSMG. If KSMG
acts as an edge gateway, choose any of these options.

MTA settings

ut
r ib
st
di
re
or
e d

The Basic MTA Settings section contains general settings independent of the integration type, except a
few parameters that we will describe in the context of KSMG position in the mail flow. These are
pi

parameters of the Postfix configuration file, which apply to all nodes of the KSMG cluster.
— Domain name
co

Name of the mail domain. In most cases, it is the domain part of the hostname that the
administrator specified during the image deployment.
— Use FQDN of cluster nodes
If you enable this option, the FQDN of the cluster node that Postfix will determine locally will be
used for myhostname instead of the Hostname parameter specified below
be

— Hostname
This is the myhostname Postfix parameter that determines the server name used in SMTP
session greetings and the sender address in messages created locally within the system, for
example, KSMG status notifications
to

— Trusted networks
These are networks and/or nodes that can use KSMG to send outgoing mail. If direct integration
is used, these are usually internal nodes.
t

The Built-in MTA menu is only available if the product is installed as a Virtual Appliance. In Standalone
implementation, the administrator performs all described operations manually, by modifying the operating
No

system settings and MTA configuration files.

37
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

ed
ut
r ib
st
di
re
or
In the Domains section, you can specify the domains whose mail must be accepted and what to do with it
afterwards (routing). First, let's sort out what to accept. Let's say we want to receive mail for the abc.lab
domain; then we need to select the Domain record type for it and enable the Local domain option. But
KSMG will not accept mail for any subdomains of abc.lab in this case. You can list them explicitly in the
same way as the root domain, or select Record type: Subdomain with the abc.lab value — then KSMG
d

will be able to receive mail for all subdomains, i.e. *.abc.lab.

e
pi
co
be
t to
No

And now, the second part: what to do with an accepted message. Let us remind you that KSMG uses
DNS by default to determine the next hop. If it is undesired to use DNS, enable the Email routing option

38
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

in the domain settings and specify where and how to send mail. You can set the next hop explicitly as

ed
FQDN or IP. Only one address can be specified. If the receiving side is fault tolerant and consists of
several servers, you have two options:
— Specify the load balancer address in the Host box
— Configure KSMG to look for mail servers using DNS

ut
In the latter case, specify the domain name for which MX records are configured in the Host field and
enable the MX lookup option; then KSMG will request MX records for this domain name and will transfer
email messages to the MX servers it receives in the response instead of sending all mail to a particular

ib
host.

r
st
di
re
or
e d
pi
co

To make KSMG check outgoing mail too, do not forget to configure the internal mail servers accordingly.
In case of a successful attack on your organization, you will reduce the risks that attackers will be able to
send phishing messages or malware through your servers. Also, scanning outgoing mail by the content
filtering module will significantly reduce the risk of confidential information leakage.
be
t to
No

39
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

Integration after gateway

ed
ut
r ib
st
di
re
or

If KSMG is located behind an edge gateway, it receives all incoming mail from it and forwards outgoing
d

mail to it. As with the direct integration, KSMG routes incoming messages to corporate servers within the
perimeter.
e
pi
co
be
t to
No

Kaspersky Secure Mail Gateway version 2 or earlier can verify users only by means of the SMTP
protocol. Starting with version 2.1, KSMG can verify users using LDAP cache. The slide explains
verification using the SMTP protocol. Let's get down to the details.

40
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

ed
ut
r ib
st
One of the tasks of an edge gateway is to verify that the message recipient exists and the message can

di
be delivered to the user's mailbox. There are no mailboxes on the gateway, so it can check the recipients
indirectly using one of the following methods. The most frequently used check is SMTP.

re
If the recipient's mailbox does not exist, the simplest solution is to instruct the edge gateway reject such a
message in response to the rcpt to command at the SMTP session stage. This way, the gateway saves
on mail processing: it does not keep an open session to accept the whole message, saves traffic and
computing resources. If the edge gateway does not verify the recipient and transfers the message further,
another mail server will find out that the message cannot be delivered. But the edge gateway is not the
or
original sender and it has someone else's message that no one wants to accept. According to SMTP, it
must generate a bounce message to notify the real sender that the message cannot be delivered. This is
not the best option.

If the edge gateway verifies recipients using SMTP, KSMG helps it. Let’s explain this.
e d
pi
co
be
t to
No

Imagine a simple situation when the next hop for the edge gateway is Microsoft Exchange that stores
mailboxes and ‘knows’ for sure which recipients exist. When an external MTA connects to the edge
gateway to transmit a message for a local user, the gateway waits for the list of recipients in the rcpt to

41
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

command. It does not respond to this command immediately, suspends the session and establishes a

ed
connection to Exchange. In this additional session, it also reaches the rcpt to stage and if the response
code is 250 OK, it means that Exchange has confirmed that the recipient exists. Then the gateway
terminates the session with Exchange and returns to the SMTP client. The gateway also responds with
code 250, after which the session continues and the client transmits the entire message.

ut
r ib
st
di
re
or
e d

Now let's supplement our example with KSMG deployed between the edge gateway and Exchange.
KSMG does not ‘know’ anything about mailboxes and the only1 way it can verify a recipient is to establish
pi

an SMTP session to the next hop, i.e. Exchange. The general scheme is as follows: the edge gateway
receives a list of recipients from the sender, keeps the session open and simultaneously establishes an
SMTP session with KSMG. KSMG does the same: does not reply to the rcpt to command from the
gateway and checks the recipient on Exchange. If Exchange confirms that the message can be delivered,
co

KSMG responds with code 250 to the gateway, which terminates the session with KSMG and responds to
the sender that it is possible to proceed.

KSMG will not verify the recipient if the edge gateway is specified in the Trusted networks field in the
Basic MTA settings of the web console. If the gateway is specified as a trusted host, KSMG will simply
accept all messages without checking the recipients, and if a message cannot be delivered, it will
be

generate a bounce message.

t to
No

1 Postfix can verify recipients using LDAP, but you need to configure such verification on KSMG in technical support mode.

42
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

ed
ut
r ib
st
di
re
If a company uses Active Directory, KSMG can synchronize with AD servers, receive detailed information
or
about users via the LDAP protocol, and maintain an LDAP cache. This cache will be used to verify if a
local user exists.

In addition to LDAP cache, KSMG can verify users against local records stored on KSMG and configured
by the administrator. A LDAP cache is a more usable and scalable option.
d

If a message is sent to an existing user, it will be forwarded to the internal mail server. Otherwise, the
e

message will be rejected with an SMTP error.

pi
co
be
t to
No

43
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

Verification is performed when an incoming message is received: the SMTP gateway establishes a TCP

ed
connection to KSMG and starts standard message exchange, after it receives the “rcpt to” message,
KSMG must verify the existence of the specified user. Now there is no need to pause the exchange of
messages with the mail gateway or try to connect to the Exchange server that serves internal users.
KSMG queries the local cache, which is synchronized with AD periodically in order to remain up to date.
This check doesn’t require contacting the Exchange server.

ut
r ib
st
di
re
or
d

KSMG can verify recipients’ email addresses not only for domain users, but also for specified contacts.
e

You can also use this function to reject any mail except messages sent to the specified addressees (you
can specify them manually or import from a file).
pi
co
be
t to
No

44
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

If integrated behind the gateway, KSMG cannot rely on DNS when deciding where to send mail. Why? If

ed
email is outgoing, KSMG will make a DNS query, find out the recipient's mail server and simply send the
message directly, bypassing the gateway. To prevent this, open the Basic MTA Settings section and
specify the gateway address in the Email destination address field. Then KSMG will send all mail there.

ut
r ib
st
di
re
or

But another problem arises: if all email goes to the gateway, what about incoming messages? According
d

to the settings, KSMG will send mail back to the gateway and the pathway will loop. To prevent this,
configure routing rules in the Domains section and explicitly specify which server is responsible for the
e

mail of each particular domain. The principle is similar to a network routing table: if there is an entry for
some subnet in the transport table, then the packet goes through the specified gateway; if there are no
entries for this direction, the packet goes to the default gateway. In the case of email, the default gateway
pi

is the Email destination address.

co
be
t to
No

45
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

ed
ut
r ib
st
di
re
The transport tables are available in the domain settings. The Basic MTA Settings include the Email
or
destination address, which can be specified as an IP or domain name. In the latter case, you can
enable the MX lookup option and then KSMG will be able to send mail through several gateways using
the same mechanism that was described for the transport tables.
d
e
pi
co
be
t to
No

When integrating KSMG into the incoming mail flow, configure KSMG to relay mail sent to local domains
to internal mail servers. Also, reconfigure the edge gateway to forward incoming mail to KSMG instead of
internal mail servers.

46
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

ed
ut
r ib
st
di
re
or
Do not forget to configure the internal servers to send outgoing mail to KSMG for scanning.
d
e
pi
co
be
t to
No

47
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

2.4 Initial setup, activation

ed
ut
r ib
st
di
re
or

When you open the KSMG console for the first time, you will be prompted to create a cluster. Even if
d

there is only one node, add it to the cluster and make it the control node. You can add another node to
the cluster at any time; just specify the cluster interaction address and port. The same port must be used
e

for all cluster nodes. Another requirement is that cluster communication interfaces must belong to the
same subnet.
pi

A cluster cannot consist of nodes where different implementations of Kaspersky Secure Mail Gateway are
installed (Virtual Appliance and Standalone).
co
be
t to
No

48
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

ed
ut
r ib
st
di
re
KSMG Virtual Appliance supports multiple web interface languages out of the box; you don’t need to
install any additional language packs.
or
KSMG Standalone provides only English web interface by default. If you need another language for the
web interface, install the necessary language pack.

To find out what localizations are supported, see the online help.
ed
pi
co
be
t to

Add the license key on the Settings | General | Licensing page. If the key is correct, the control node
No

will display information about the key and synchronize it with other cluster nodes. The Settings tab
permits configuring notifications about key expiration.

49
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

ed
ut
r ib
st
di
re
or
Configuring updates is not a must. The task runs according to its schedule (every 15 minutes by default)
and downloads updates from Kaspersky servers on the internet. The Database update section displays
information about the status of the databases on all cluster nodes.
d
e
pi
co
be
t to
No

The default update settings should be suitable in most cases. You can use a custom update source for
KSMG if it is deployed in an isolated network segment and cannot receive updates from the internet.

50
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

ed
ut
r ib
st
di
re
There is one more important element in KSMG operation: integration with LDAP. You know from the first
or
chapter that KSMG can download information from LDAP as a client and authenticate domain users as a
server. In both cases, KSMG uses Kerberos for authentication. NTLM client authentication can also be
used in the case of Single Sign-On, but it is generally considered insecure. Let’s briefly describe some of
the Kerberos principles that will help you understand how KSMG integrates with LDAP.
ed
pi
co
be
t to
No

The central part of Kerberos authentication is the Key Distribution Center (KDC), which consists of an
Authentication Server (AS) and a Ticket Granting Server (TGS). In the case of Active Directory, the KDC
is located on the domain controller. The KDC is responsible for some domain, or realm in Kerberos terms.

51
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

Within this domain, Kerberos can authenticate users to access services. There is a Principal entity in a

ed
Kerberos realm. When clients and services (for example, an SMB client and an SMB server) are assigned
the Principal role, they also receive unique names: a user principal name (UPN) and a service principal
name (SPN) respectively.

ut
When a user wants to access the service, the client sends a request to the AS. In response, the AS
creates a pair of messages: a TGT (ticket granting ticket) encrypted with the TGS key and another
message encrypted with the user's key. Both messages contain a randomly generated symmetric session
key.

ib
The client receives both messages. It cannot decrypt the TGT encrypted with the TGS key, but it can
decrypt the other message. The client uses the user’s password to create a secret key from a string
formed as follows: <password><salt><kvno>. The salt is a string that consists of the realm and principal,

r
and kvno is the key version number. So the client receives a session key, which it uses to encrypt a

st
message when interacting with TGS.

In the case of KSMG, there is no user to enter a password, so KSMG uses a ready user secret key, which
is stored in a keytab file.

di
The client receives a service ticket (ST) from TGS and uses it to communicate with the service it wants to
access. We have deliberately omitted a lot of details concerning Kerberos operation.

re
Some of the exchanged messages have both lifetime and a timestamp, so the time must be synchronized
on the client, the service and KDC.
or
e d
pi
co
be
to

KSMG needs a domain user account to authenticate via Kerberos. The administrator uses this account to
create a keytab file. It is better to create a service account with a complex password. Enable the option
Password never expires for it. To improve security, you can also select This account supports
Kerberos AES 256bit encryption, but this one is optional. To create a keytab file, use the ktpass utility
t

on a Windows Server within the domain. Note that:

No

1. The utility does not check if the value of the -princ parameter is specified correctly, so make sure
the user name is specified correctly (including the case), and the domain name is written in
capital letters. This is important because the utility uses the value of the -princ parameter to
create the salt required to generate the user's key. If characters have the wrong case in the salt,

52
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

the user's key will also be incorrect and KSMG will not be able to decrypt messages from the

ed
Authentication Server (AS) with it.
2. The key encryption type -crypto AES256-SHA1 corresponds to the option that we have enabled
in the account properties.

ut
r ib
st
di
re
or
d

Prior to uploading the generated keytab file to KSMG in Settings | External services | LDAP Server
e

connections, make sure KSMG has forward and reverse DNS PTR records. Then specify the database
where the search starts in the Active Directory hierarchical structure for user account entries. For
pi

example, a specific Organizational Unit (OU), the container with all users, or root.

Starting with version 2.1, you can specify the attribute that Kaspersky Secure Mail Gateway will check for
co

the user's mail address: only the mail attribute, only the proxyAddresses attribute, or both.
be
t to
No

53
 KL 036.2.1: Kaspersky Secure Mail Gateway 2. How to deploy Kaspersky Secure Mail Gateway

ed
ut
r ib
st
di
re
or
The control node will upload the keytab file to the other nodes of the cluster. To make sure of success,
open the Nodes | External services page that shows LDAP status: the timestamps of successful
connection to the LDAP server and data caching for each node. KSMG uses cache to avoid sending too
many queries. To reset it, delete the LDAP connection settings in the LDAP server connections section
d

of the web interface, and then configure them anew.

e
pi
co
be
t to
No

54
 KL 036.2.1: Kaspersky Secure Mail Gateway 3. Protection management

3. Protection management

ed
ut
3.1 Lists

r ib
st
di
re
or
ed
pi

Kaspersky constantly analyzes junk mail and develops technologies to detect it, but in some cases, it is
more effective to simply block messages from unwanted senders. For example, if a sender cannot be
called a spammer, but their mail is undesirable for a particular organization or user. It is also easier to
filter out the flow of messages from a known spammer at the SMTP session stage to prevent overloading
co

KSMG. There are deny lists in KSMG for such cases.

In the opposite situation when there is no need to check a message because it is obviously legitimate,
use allow lists for trusted senders. But remember that a trusted sender may also be compromised.
be

There are two types of lists in KSMG: global, which are centrally drawn up by the administrator, and
personal, which users can configure for themselves. Personal lists work only if the administrator has
configured LDAP connection.
t to
No

55
 KL 036.2.1: Kaspersky Secure Mail Gateway 3. Protection management

ed
ut
r ib
st
di
re
or
Immediately after the installation, there are two rules in KSMG: Allowlist and Denylist. There are no
default conditions in them. The operation mode of the Allowlist rule is to skip without checking. This rule
should be handled carefully, because even a message from a trusted sender may contain phishing or a
malicious attachment. The operation mode of the Denylist rule is to reject without checking. It is safe and
d

reliable if conditions are configured correctly.

Kaspersky Secure Mail Gateway can forward messages to hidden recipients. In version 2 and earlier, this
e

is set up for the entire mail service. Starting with version 2.1, you can specify a hidden user in the rules.
Meaning, if such a rule is triggered, a message copy is sent to the addresses specified in the BCC field of
pi

the rule. You can use this function, for example, to forward suspicious emails to third-party systems for
additional scanning.
co
be
t to
No

56
 KL 036.2.1: Kaspersky Secure Mail Gateway 3. Protection management

ed
ut
r ib
st
di
re
Sometimes, individual users may complain about particular spammers. If it is not necessary to block such
a sender for the whole organization, the administrator can add it to the user's denylist in the User lists
or
section. There are also personal allow lists. Note that there is a significant difference between the
Allowlist rule and a user's allow list: if a message matches the Allowlist rule, KSMG will not check it at
all, and if the sender is in a user’s allow list, then KSMG will only skip Anti-Spam scanning, and all other
modules will work according to their settings.
ed
pi
co
be
to

Administrators can give control of personal lists to users and relieve themselves of this responsibility.
t

Even if a user adds some senders to the allow list by mistake, this will not lead to compromising the
organization's network, because only the Anti-Spam module will skip such messages, while behavior of
No

the other modules is controlled by the administrator.

57
 KL 036.2.1: Kaspersky Secure Mail Gateway 3. Protection management

To enable users access their allow and deny lists, configure the corresponding options in the Personal

ed
accounts | Allowlists and denylists. After that, they will be able to log on to the KSMG web console
using Single Sign-On and access their lists via a limited interface.

The administrator can set up an action for denylisted messages: reject or delete, with or without a backup

ut
copy.

ib
3.2 Anti-Spam

r
st
di
re
or
e d
pi

The fight against spam is a classic example of a contest between attack and defense tools, when
attackers are constantly improving their techniques in response to new protection features. The protection
task is complicated by the fact that spam is very difficult to detect for sure. The target person plays the
co

crucial role in spam, and attackers often use various techniques to hide their information from machine
detection, but make it easily readable for a human. There is also a gray area between explicit spam and
ordinary mail, where only the addressee can decide whether a message is welcome or not. For example,
organizations often send out messages to advertise their services, but they are not mass and may be
useful for someone.
be

New Anti-Spam functionality appears in response to new spamming techniques; as of now, the module is
based on several specialized technologies that use regularly updated heuristics.

KSMG version 2.0 features protection against Active Directory spoofing (sender name substitution) and
Unicode spoofing (domain substitution using Unicode characters). Active Directory spoofing exploits the
to

functionality of mail clients that show the sender's name (if it is specified in the headers) instead of email
address. For example, if the From: field contains Alex Smith <[email protected] >, the mail client will
display only Alex Smith. An attacker can send mail from another legitimate address, but specify the same
name in the From: field: Alex Smith <[email protected] >, and the user will not notice the difference.
To detect such an attack, KSMG uses Active Directory data to compare the sender's name from the
t

headers with the name of the user who owns the specified address according to Active Directory. It also
checks email using other Anti-Spam heuristics, because if you just check if a name is bound to a mailing
No

address, there will be false positives if a sender from another organization is a namesake of your
company’s employee.

58
 KL 036.2.1: Kaspersky Secure Mail Gateway 3. Protection management

Unicode spoofing exploits the fact that many Unicode characters look similar to some ASCII characters.

ed
For example, you can register domain xn--bc-6kc.lab, which will be displayed as abc.lab, but the first
letter is the Cyrillic a. KSMG checks if there are any Unicode characters in the domain parts of mail
addresses in the smtp from field received during an SMTP session and in the headers From:, Sender:,
Reply-To:.

ut
It is very important that Anti-Spam has the fastest possible access to data about ongoing spam
campaigns. Databases are not the most convenient way to get this information. When spam analysts
detect a new spam campaign, they create the respective record. A robot processes this record and adds

ib
it to the databases, which are then tested with Kaspersky mail protection products. If the tests show that
the products are working stably and the databases are OK, the record is uploaded to the update servers.
Only after that, KSMG will be able to download the databases when the update task runs next time (which
happens every 15 minutes by default).

r
st
To speed up the process, KSMG has two technologies that complement each other: KSN and Moebius.
Let's explain what Moebius is.

KSMG regularly queries special Kaspersky servers to check if there is fresh data on spam campaigns. If

di
yes, KSMG downloads raw data from the servers and compiles it locally. It is a special set of databases
that is not related to the other databases and does not affect the product stability. The Moebius
technology provides only up-to-the-minute information that a few hours later gets into the usual databases

re
published on the Kaspersky update servers.or
d
e
pi
co
be
to

Kaspersky Secure Network receives the message fingerprint from KSMG and returns a response with the
message reputation. KSN databases are huge and cannot be loaded to KSMG along with regular
updates.
t
No

59
 KL 036.2.1: Kaspersky Secure Mail Gateway 3. Protection management

ed
ut
r ib
st
di
re
In order to solve the non-trivial task of detecting unwanted mail, the Anti-Spam module uses several
highly specialized technologies, and the decision is made contrary to the proverb "From a hundred rabbits
you can't make a horse, a hundred suspicions don't make a proof." Anti-Spam technologies analyze a
or
message and output their suspicions; the degree of confidence is expressed in the form of a spam rating.
If the sum of {rabbits} scores exceeds the threshold, Anti-Spam treats the message as undesired.
d
e
pi
co
be
t to
No

Anti-Spam assigns a category to a message based on its spam rating and you can select an action for
each category: spam (when the sum score hits 100), probable spam (the message rating is insufficient to
treat it as spam: from 80 to 100) and mass mailing.

60
 KL 036.2.1: Kaspersky Secure Mail Gateway 3. Protection management

ed
ut
r ib
st
di
re
Most of the Anti-Spam settings are hidden. The administrator can only select actions for different types of
unsolicited messages and to some extent control the speed of message processing by the module. For
example, you can disable image processing to reduce the load on KSMG: there is not so much graphic
or
spam nowadays, while images can often be found in ordinary messages, and their processing takes
much more resources than text processing. If you know that the DNS server used by KSMG is heavily
loaded and responds with delays, you can reduce the DNS timeout in Settings | General | Protection |
External services to speed up processing, but in this case KSMG will not be able to authenticate
messages for which it does not receive a timely response from DNS. Conversely, you can increase the
d

timeout to maximize the number of messages that KSMG authenticates using DNS.
e

Choose the fastest responding DNS servers (unless other restrictions are imposed). These are typically
either the company's own DNS servers or the provider's DNS servers.
pi
co
be
t to

Kaspersky Secure Mail Gateway can put a message to backup when the antispam module is triggered.
No

This can be useful, for example, when you need to find out why a legitimate email was treated as spam.

61
 KL 036.2.1: Kaspersky Secure Mail Gateway 3. Protection management

ed
ut
r ib
st
di
re
or
KSMG accesses DNS to:
— Find the server responsible for a message (using an MX record or if FQDN is specified in the
transport map)
— Perform basic SMTP checks for the client's IP address and the sender's domain
d

— Authenticate an email message using SPF, DKIM, and DMARC

e

If KSMG is deployed behind an edge gateway, it will not be able to perform basic checks or properly
authenticate messages. If the gateway has a private address (according to RFC 1918), DNS checks and
pi

authentication (except DKIM) are disabled automatically. If you specify a public address for the gateway,
KSMG will treat it as an SMTP client from the internet and verify messages, but DMARC uses SPF
checks, which will never succeed.
co
be
t to
No

62
 KL 036.2.1: Kaspersky Secure Mail Gateway 3. Protection management

3.3 Antivirus and link scanning

ed
ut
r ib
st
di
re
or

The antivirus module scans mail attachments for malicious code and can check documents for macros.
d

This module uses a standard set of technologies: signature databases, heuristics and KSN.
e
pi
co
be
t to

The administrator can configure actions for different attachment categories and disable archive scanning
No

to improve performance. This is a security risk, but you can mitigate it by using the Content Filtering
module. It is more efficient because it does not unpack an archive and check whether the contents are
good or bad; instead, this module can simply delete the entire archive if a packed file has a dangerous
extension.

63
 KL 036.2.1: Kaspersky Secure Mail Gateway 3. Protection management

ed
ut
r ib
st
di
re
The administrator can select what action KSMG will perform on the object when the anti-malware module
is triggered.

If the Skip or Reject action is selected, the message can be placed to the backup storage. If SSO is
configured, a user can access their personal backup and read stored messages in the text form; the
or
dangerous parts won’t be available, naturally. Access to the backup storage will allow the users to
understand that a message was blocked by the anti-malware scan module rather than lost.
d
e
pi
co
be
t to

A message that triggers the link scanning module can also be placed into the backup; the recipient can
No

find out about this either when checking the personal backup storage, or from a report (digest) about new
objects in the backup that can be emailed regularly.

64
 KL 036.2.1: Kaspersky Secure Mail Gateway 3. Protection management

ed
ut
r ib
st
di
re
KSMG scans email body for unwanted links. These are links that lead to harmful sites, sites with adware
or
or sites with legitimate programs that can be used for malicious purposes. You can exclude the last two
categories from scanning in the Settings | General | Protection | Link scanning.
d

3.4 Anti-Phishing, Content Filtering and Mail Sender

e

Authentication
pi
co
be
t to
No

65
 KL 036.2.1: Kaspersky Secure Mail Gateway 3. Protection management

Actions of the anti-phishing module are similar to those performed by the link scanning module, with the

ed
only difference that the anti-phishing module is designed to detect links that are confusingly similar to
legitimate links. For example, a phishing link may be disguised itself as the address of an online bank.
The difference may be in one character indistinguishable to the human eye, for example, 0 and o, or 1
and l.

ut
r ib
st
di
re
or
ed

The main task of the Content Filtering module is to block dangerous attachments. KSMG can block
attachments by mask or by object type. In the latter case, KSMG checks the internal structure of a file
pi

rather than its MIME type or extension. This requires more resources, but you can be sure that unwanted
objects will not penetrate into the organization or propagate outside, regardless of their names.

Enabling content filtering for outgoing mail will block a possible leakage of confidential information; for
co

example, you can block sending of office documents. Of course, this is not a full-fledged DLP system, but
it allows you to impose some restrictions.
be
t to
No

66
 KL 036.2.1: Kaspersky Secure Mail Gateway 3. Protection management

ed
ut
r ib
st
di
re
or
Starting with Kaspersky Secure Mail Gateway version 2.1, the content filtering module supports masks
and regular expressions. The administrator can configure KSMG to prevent internal users from sending
out confidential data such as passport numbers, internal phones, bank card numbers, and so on.
d

Let's analyze an example of a regular expression that detects the number of a Visa bank card. At first
glance, this set of characters has nothing to do with a bank card number, but let's see.
e

[ -]*4[ -]*(?:[0-9][ -]*){15}

pi

Contents of square brackets defines a set of alternative elements to search for. In this case, there are two
characters: a space and a minus.
co

The asterisk after the square brackets indicates that there may be zero or more such characters in the
text. Meaning, a card number may be preceded with minuses or spaces.

Then there's 4, which may also be followed by minuses or spaces, because the number of a Visa bank
card consists of 16 digits and starts with 4.
be

You can see that any digits in this regular expression can be separated by any number of minuses and/or
spaces.

Then there are 15 more digits (which may also be separated by minuses and/or spaces). The number in
curly brackets indicates how many times the preceding parenthesized pattern repeats.
to

And finally there is the "?:" construct inside the parentheses. It prevents the regex module from capturing
the matched pattern for backreference, because we will not use it anywhere, and capturing would be just
a waste of resources in this case.

We recommend that you don’t use more than 10 expressions in a rule, or more than 15 conditions in an
t

expression; or a string longer than 1000 characters.

No

67
 KL 036.2.1: Kaspersky Secure Mail Gateway 3. Protection management

ed
ut
r ib
st
di
re
or
The content filtering module can also detect the type of attached files. KSMG checks file contents rather
than extension, which means that users will not be able to fool the module by renaming a file.

Kaspersky Secure Mail Gateway can detect the specified file types not only in ordinary attachments, but
d

also in archives.
e
pi
co
be
t to

You can add frequently used words, masks, regular expressions and sets of file types to dictionaries. This
simplifies administering, because you don’t have to specify the same regular expressions over and over
No

again if you need to use them in multiple rules; just draw up a dictionary to refer to.

68
 KL 036.2.1: Kaspersky Secure Mail Gateway 3. Protection management

ed
ut
r ib
st
di
re
You can use a dictionary when creating conditions instead of specifying their attributes manually.
or
ed
pi
co
be
to

When you create a condition, specify the attributes that you want to detect in messages. One or more
conditions form an expression. You can specify a list of expressions in the settings of the Content
Filtering module. KSMG allows you to create several filtering rules, and you can activate the content
filtering module in each of them.
t
No

Attributes: name and type of attachment; message size, subject, body and headers; To, From, and Cc
fields.

69
 KL 036.2.1: Kaspersky Secure Mail Gateway 3. Protection management

The condition can be triggered if the selected attribute matches/contains the specified value, or if the

ed
selected attribute doesn’t match/contain the specified value. For example, if office files aren’t attached.

An expression logically combines one or more conditions. An expression can be triggered either if all
conditions are met at the same time, or if at least one of the specified conditions is met. An expression

ut
specifies what to do with the message and its headers, whether to back it up.

You can create one or more expressions in content filtering module settings. Expressions are checked
one by one, according to their priorities. The check stops when the first match is detected.

r ib
st
di
re
or
e d

We have already mentioned that the main problem with mail authentication is that not all administrators
pi

(correctly) configure it for their domains. KSMG administrators can configure rule conditions so as to
enable mail authentication for some senders only; this will ensure limited but effective protection against
phishing. Note that the Mail Sender Authentication module can only work properly if KSMG acts as an
co

edge gateway.

This module combines all three authentication protocols: SPF, DKIM and DMARC. The administrator sets
up an action to be taken in case of violation of each of them.
be

SPF
KSMG receives the SPF record of the sender domain from DNS and checks whether the client is entitled
to send mail on behalf of the domain. The fail or softfail policy may be specified for unknown clients in the
SPF record. The KSMG administrator can configure how the product will react to the softfail policy. By
to

default, the Consider SPF softfail as violation option is disabled and KSMG applies the specified action
only if the SPF policy is fail.

DKIM
t
No

You know from the introduction that the DKIM signature is verified if a request to the domain specified in
the DKIM header (more precisely, in the d= key) returns a public key that can decrypt the signature and
the decrypted data from the signature matches the hash of the message contents. If the signature is
correct, the verification is passed and Anti-Spam writes dkim=pass to the X-KSMG-AntiSpam-Auth

70
 KL 036.2.1: Kaspersky Secure Mail Gateway 3. Protection management

header. The SHA-256 algorithm is used to calculate hash for DKIM. All DKIM verifiers must support keys

ed
from 512 to 2048 bits. Support for longer keys is possible (but not guaranteed). If you plan to use keys for
a long time, they must be at least 1024 bits long. Key length is a trade-off between cost, performance and
risks.

ut
Then the Mail Authentication module comes into play. It takes the verified domain from the d= key and
compares it with the domain part of the sender address specified in the From: field. The following
situations are possible here:
1. Domains match, the status of verification by the Mail Sender Authentication module for DKIM is

ib
pass
2. The domain in the DKIM header and the domain in the From: field share the same organization's
domain. For example, if abc.lab is specified in DKIM, and the From: field contains info.abc.lab,

r
they have a common domain abc.lab. The pair b.abc.lab and a.b.abc.lab also belongs to this

st
domain.
— In relaxed alignment mode, the status of verification by the Mail Sender Authentication
module for DKIM will be pass

di
— In strict alignment mode, the status of verification by the Mail Sender Authentication
module for DKIM will be Policy, domain mismatch
3. The domain in the DKIM header and the domain in the From field do not have a common

re
organization domain, the status of verification by the Mail Sender Authentication module for
DKIM will be Policy, domain mismatch

If DKIM check returns Policy, domain mismatch, KSMG considers that there is no signature. By default,
KSMG does not react in any way to the absence of a signature, but you can change this: enable the
or
option Consider absence of DKIM signature as authentication violation.

DMARC
d

DMARC relies upon the SPF and DKIM verification results. If the sender's domains in the mail from
e

SMTP command and From: header match, and if at least one of the SPF or DKIM checks of the Mail
Sender Authentication module is passed successfully, the DMARC check is also considered passed.
pi

If the administrator configures individual actions for SPF, DKIM, DMARC checks, the final result depends
on the option Consider DMARC authentication result as primary. If this option is enabled and the
DMARC verification completes successfully, the actions specified for SPF or DKIM will be ignored even if
co

one of these checks fails. If the option is disabled, KSMG will apply the actions of each individual check.
be
t to
No

71
 KL 036.2.1: Kaspersky Secure Mail Gateway 4. Maintenance

4. Maintenance

ed
ut
4.1 Dashboard, logs and reports

ib
The administrator can get sufficient information about the protection status and mail traffic processing
from the KSMG web console without having to connect to the virtual machine console.

r
st
di
re
or
e d
pi
co

The KSMG dashboard is a set of widgets that you can add, remove, resize and fine-tune. By default, it
gives a general idea of the system health, the volume of mail traffic per unit of time (if it is abnormal, you
should check the system) and the number of detections. A widget can display traffic as the number of
messages or their total size per time interval.

The administrator can create several dashboard layouts and switch between them using the menu in the
be

upper right corner.

t to
No

72
 KL 036.2.1: Kaspersky Secure Mail Gateway 4. Maintenance

ed
ut
r ib
st
di
re
or
The Events section contains mail traffic and system events.

Mail traffic events are message processing records with basic information from the headers, the rule
according to which KSMG processed the message and the results of all protection module checks.
d

System events contain data about the KSMG operation: database updates, LDAP synchronization status,
application launch, exporting/importing of settings.
e

The events represented in the Events section are stored in the KSMG database. To prevent events from
pi

overflowing the database, there are restrictions on the size of the table with mail events, on the number of
records for system events and on the lifetime of mail events.
co

Additionally, some logs are stored in the file system of the KSMG virtual machine:

/var/log/ksmg-messages — mail traffic and system events together. The same information as in the web
interface

/var/log/ksmg-important — important errors: database updates, licensing, etc.

be

/var/log/ksmg-traces — KSMG trace file

/var/log/kaspersky/ksmg/extra — a folder with additional traces. File names quite clearly show which
component they pertain to. These traces are included in the archive with diagnostic information to be sent
to

to Kaspersky specialists. But they can also help the administrator; for example, webapi.log gives more
information about LDAP synchronization errors than standard web interface messages.
t
No

73
 KL 036.2.1: Kaspersky Secure Mail Gateway 4. Maintenance

ed
ut
r ib
st
di
re
or
A highly loaded system has a large number of entries in the mail traffic log. Filters simplify work with the
log. Filter events to find what you need.
e d
pi
co
be
t to
No

In the Events section, you can filter mail traffic and system events and export them to CSV.

74
 KL 036.2.1: Kaspersky Secure Mail Gateway 4. Maintenance

ed
ut
r ib
st
di
re
or
Kaspersky Secure Mail Gateway writes authentication events to the system log. Thus, the administrator
can quickly understand who tried to access KSMG and when. This capability is required when conducting
an audit.
d
e
pi
co
be
to

The report comes in handy when you need to provide statistics about the operation of the organization's
mail system: how many messages were scanned, how many objects were detected, and so on. These
reports can also be used when planning the organization's IT and cybersecurity budgets.
t
No

75
 KL 036.2.1: Kaspersky Secure Mail Gateway 4. Maintenance

ed
ut
r ib
st
di
re
or
The Message queue consists of messages that KSMG accepted for delivery but could not send to the
next hop for some reason. For example, because of communication problems, a high load on the KSMG
or the receiving node, incorrect configuration of the receiving node or greylisting. If the Anti-Spam module
decides that an email message may be spam, but needs more information, it can suspend the delivery
d

and wait for fresh data from KSN. These messages are also put in the queue.

According to the SMTP standard, there are some intervals when the server can try to send a queued
e

message to the recipient and the more it tries, the longer becomes the interval between the attempts. If
you are sure that the next hop is ready to receive a message, you can send it from the queue manually,
pi

without waiting for the mail system to do it. You can also delete a message from the queue.
co
be
t to
No

76
 KL 036.2.1: Kaspersky Secure Mail Gateway 4. Maintenance

4.2 Notifications and warnings

ed
ut
r ib
st
di
re
or

KSMG can send notifications about system health for the administrator to react to arising issues in a
d

timely manner, as well as notifications about mail traffic scanning: details of the selected detection types.
e

All notifications are disabled by default. The administrator can enable system notifications and configure
the list of recipients in the Settings | Monitoring | System notifications.
pi
co
be
t to
No

77
 KL 036.2.1: Kaspersky Secure Mail Gateway 4. Maintenance

ed
ut
r ib
st
di
re
To set up notifications about mail traffic, at the top of the Rules page, click the link Detects notifications
and enable the option Send notifications. After that, configure notifications about the necessary types of
or
detections in the rules. There are four templates for mail traffic notifications:
— General list of recipients
— Email recipients
— Email sender
—
d

Additional email addresses

The notification template for the general list is the most informative and is intended for administrators.
e

You can edit templates and use macros.

pi
co
be
t to
No

Each rule has the Notifications section where administrators can configure notifications for various types
of detections. They can select different recipients for each notification type: the sender or recipients of the
checked email; the general list from the Detects notifications section, or an arbitrary list of recipients.

78
 KL 036.2.1: Kaspersky Secure Mail Gateway 4. Maintenance

ed
ut
r ib
st
di
re
A disclaimer is some text that KSMG adds to each email processed according to the respective rule. Two
templates are available by default: about the risk of confidential information disclosure and about potential
danger of the message. You can change the default texts or add custom disclaimers in the Rules | Email
Disclaimer section. You can select where to add a disclaimer: to the beginning of the message or to its
or
end. Note that such an addition violates the message integrity and its DKIM signature becomes incorrect;
this is why KSMG deletes the DKIM signature when adding a disclaimer.
e d
pi
co
be
to

KSMG adds a disclaimer regardless of the scanning result. A warning is another kind of a note added to a
message that has a specific status:
t

— Encrypted message
No

— Phishing
— Infected message
— Anti-Virus scan errors detected
— A message with links

79
 KL 036.2.1: Kaspersky Secure Mail Gateway 4. Maintenance

Warnings, just like disclaimers, are configured at the rule level.

ed
ut
r ib
st
di
re
or
Disclaimers are already written by default. The administrator can modify the text as necessary.
e d

4.3 Backup
pi
co
be
to

KSMG stores a copy of the original message into the backup before processing it. Administrators specify
which message categories to back up in the rules. You can find the list of stored backup copies on the
t

Backup page of the console. The protection modules that have detected something wrong in a message
No

are also specified here. There is a filter where you can use values from the table columns (note that not
all columns are displayed by default).

80
 KL 036.2.1: Kaspersky Secure Mail Gateway 4. Maintenance

ed
ut
r ib
st
di
re
or
To prevent the storage from growing uncontrollably, you can restrict its size and message retention time.
When any of these parameters reaches the limit, KSMG starts deleting the oldest messages. The
maximum time a message can be stored in the backup (if the disk size allows) is about 3 years (1100
days).
ed
pi
co
be
to

Usually, administrators check the backup if a user complains that a message has not been delivered;
t

cybersecurity experts may need to view backed up messages when responding to an incident.
No

81
 KL 036.2.1: Kaspersky Secure Mail Gateway 4. Maintenance

ed
ut
r ib
st
di
re
or
Administrators can make sure the email is safe (for example, if it was deleted by Anti-Spam) and send it
to the recipient as is; in case of an incident, they can forward it as an attachment to a security specialist.
e d
pi
co
be
t to
No

The following view options are available: plain text, raw and HTML. If a message was backed up by the
anti-malware module, you can view it in plain text only. In HTML mode, you can download external
objects using links.

82
 KL 036.2.1: Kaspersky Secure Mail Gateway 4. Maintenance

ed
ut
r ib
st
di
re
Information about sending an object from backup storage is saved with the object. The administrator can
view who forwarded a message, when and to whom; this data is necessary when analyzing email
or
incidents.
ed
pi
co
be
t to

If you click an entry on the list, detailed information about the message opens: the module that backed
the message up and important headers. The link Search for associated events in the upper right corner
No

opens the corresponding mail traffic event. Backward links are also available: the administrator can get
from an event in the mail log to a related object in the backup.

83
 KL 036.2.1: Kaspersky Secure Mail Gateway 4. Maintenance

ed
ut
r ib
st
di
re
or
If it is inconvenient to respond to user requests, you can grant users access to their backup storages so
that they can check for themselves if there are any important messages there.

Administrators can configure Single Sign-On and enable access to personal backup storages in the
d

Settings | Personal accounts section. Users will then be able to log on to the KSMG console and use a
limited interface. In the backup storage, a user can find backup copies of messages that KSMG
disinfected, deleted, or removed an attachment.
e

The administrator can grant the users permissions to delete messages from the personal backup and
pi

send messages to themselves. Both these actions have limitations. A user cannot send an unsafe
message, for example, if the Antivirus has found a threat (however, an attachment with a macro is not
considered dangerous) or the message contains a malicious or phishing link. When a user deletes a
co

message from the personal storage, it is just hidden; only an administrator can delete a backup copy for
good.
be
t to
No

84
 KL 036.2.1: Kaspersky Secure Mail Gateway 4. Maintenance

ed
ut
r ib
st
di
re
or
The users don’t have to constantly check their personal backup storages to check if some non-spam
email has been blocked. The mail administrator can configure emailing a digest to periodically notify
users about new objects in their personal backup storages.
ed
pi
co
be
t to
No

85
 KL 036.2.1: Kaspersky Secure Mail Gateway 5. Advanced settings

5. Advanced settings

ed
ut
5.1 Encryption and DKIM

r ib
st
di
re
or
d
e
pi

Sensitive information is often sent by email: addresses, personal data or trade secrets. If adversaries
intercept unencrypted traffic, they can read, modify or forge a message. Mail servers can encrypt
connections to protect traffic. Most servers do this, but to ensure backward compatibility, a public SMTP
server should not require encryption from a client when delivering mail locally according to the RFC 2487
co

standard.
be
t to
No

86
 KL 036.2.1: Kaspersky Secure Mail Gateway 5. Advanced settings

ed
ut
r ib
st
di
re
or
A public SMTP server only listens on port 25 and must accept unencrypted connections along with
encrypted ones. To let a client know that the server can encrypt the connection, it announces support for
the STARTTLS command at the beginning of each SMTP session. The client can take advantage of this
opportunity and request the server’s certificate to establish a secure connection. After the STARTTLS
d

command, the connection uses the same port 25, but becomes encrypted.

To establish a secure session, mail servers use certificates. SMTP clients do not typically require server
e

authentication, only encryption is important; so it is enough for the server to provide a self-signed
certificate. If a client can validate the server’s certificate via the certification authority, this ensures an
pi

additional level of protection.

For KSMG Virtual Appliance, encryption is configured using the web interface of Kaspersky Secure Mail
co

Gateway. For KSMG Standalone, the administrator configures encryption in the MTA (Postfix or Exim).
be
t to
No

87
 KL 036.2.1: Kaspersky Secure Mail Gateway 5. Advanced settings

ed
ut
r ib
st
di
re
KSMG Virtual Appliance works in accordance with SMTP standards by default: it announces the
STARTTLS command, but does not require the client to establish an encrypted connection. If KSMG
or
accepts mail only from a limited number of clients that support encryption, you can enforce the TLS
requirement (Require TLS Encryption).

For additional protection, KSMG can request a certificate from the client. During a session, it passes a list
of certificates signed by trusted certification authorities, and the client checks its own certificates to select
d

the one signed by an authority from the list. If the client has such a certificate, the verification completes
successfully. Depending on the value of the option Requesting client TLS certificate, KSMG either
e

requires a certificate, or requests but does not terminate the session if the client does not provide one. It
is possible to require a certificate only if KSMG works with a limited number of clients that have a correct
pi

certificate.

Now let's study how encryption works when KSMG acts as an SMTP client.
co

KSMG does not require encryption by default; meaning, if the server does not announce the STARTTLS
command, the message is sent unsecured. To minimize the leakage risk, change the value of the Client
TLS Security level option so that KSMG requires encryption:
— Require TLS Encryption and don’t verify certificate
be

It is enough for KSMG that the server provides any certificate; the main thing is that the transmitted
data is encrypted.
— Require TLS Encryption and verify certificate
KSMG requires encryption and checks that the certificate provided by the server has not expired,
has not been revoked, and is signed by a trusted certification authority.
to

If the SMTP server requests a client certificate, the situation is similar to what we discussed above: the
server sends a list of trusted certification authorities and KSMG provides a certificate signed by one of
them if available.
t

KSMG that acts as a client uses only the certificate marked Use as client certificate. KSMG can use any
No

certificate available in its repository both as a server certificate and as a client certificate; but a server
certificate can be self-signed, while a client certificate must be signed by a trusted certification authority.

88
 KL 036.2.1: Kaspersky Secure Mail Gateway 5. Advanced settings

ed
ut
r ib
st
di
— Create a self-signed certificate
re
To add a certificate to the KSMG repository, click Create certificate and select one of the options:
or
— Import a PFX certificate
— Create a CSR request

If you select the CSR option, KSMG will create a file to be sent to a certification authority that will create a
certificate. Then import the received certificate into KSMG.
e d
pi
co
be
t to
No

In case of KSMG Standalone, the DKIM digital signature is configured using MTA tools; KSMG doesn't
control this.

89
 KL 036.2.1: Kaspersky Secure Mail Gateway 5. Advanced settings

ed
ut
r ib
st
di
re
KSMG automates most of the steps required to create a DKIM digital signature. You can create a pair of
RSA keys in Settings | Built-in MTA | DKIM keys. A 2048-bit key will be generated. 2048 bits is the
maximum key length that all DKIM implementations support. You can import longer keys (up to 4096
or
bits), but their support cannot be guaranteed (section 3.3.3 of RFC # 6376).

The private key is kept secret on KSMG; the public key is used in the next step.
ed
pi
co
be
t to

Go to Settings | Built-in MTA | Domains. On the DKIM records tab, add a record: specify an arbitrary
No

selector name and select the created DKIM key.

90
 KL 036.2.1: Kaspersky Secure Mail Gateway 5. Advanced settings

The selector allows a domain to have multiple keys. Thanks to the selector, the signing server selects the

ed
necessary private key to sign a message, and the server that receives the message finds the necessary
public key in DNS, because the selector is included in the DKIM DNS record.

You can use selectors to logically divide a single domain space and separate different entities like local

ut
offices, mailing services, etc.

Selectors also facilitate DKIM key rotation. The key is the most important part of DKIM. A compromised
key compromises the entire mechanism, so in addition to strict access requirements, the key must be

ib
rotated periodically. Even if it falls into the hands of adversaries, they will not be able to use it for a long
time. However, you can't just replace an old key with a new one and change the DNS record. It is good
practice to leave the old key available for a few days along with the new one, because messages signed
with the old key may not reach the recipients immediately. The receiving server may be overloaded or

r
have other temporary difficulties. That’s where different selectors configured for the old and new keys

st
come in handy.

di
re
or
e d
pi
co

KSMG will create a DNS record automatically. This record will be formatted as a BIND zone file:
be

Record
DNS name Record class Data
type

IN (meaning, an internet class

to

<selector>._domainkey.<domain> TXT v=DKIM1;k=rsa…

record)

If you use a Microsoft DNS server, it is enough to add only the data of this record; but if you add the entire
record, the receiving party will still get the public key.
t
No

91
 KL 036.2.1: Kaspersky Secure Mail Gateway 5. Advanced settings

5.2 Accounts

ed
ut
r ib
st
di
re
or
You may need SSH access to the KSMG virtual machine for debugging or to consult operating system
logs. Access to the KSMG console is not provided.

To configure SSH access, create a key pair in any convenient way, for example, using PuTTYgen, or the
d

ssh-keygen command in OpenSSH client under Windows (the password is optional). Open the contents
of the generated public key, copy the data and paste it to Settings | Application access | SSH access.
The control node synchronizes the key with the other cluster nodes, and you can access any node using
e

the command
pi

ssh root@<node address>

co
be
t to

It is not easy to manage access to many different systems. KSMG supports Single Sign-On (SSO) — in
this case, logon with Windows user accounts.
No

There are two options here: NTLM and Kerberos authentication. NTLM is considered less secure, so let’s
focus on Kerberos.

92
 KL 036.2.1: Kaspersky Secure Mail Gateway 5. Advanced settings

ed
ut
r ib
st
di
re
To use SSO, create a dedicated domain account, disable password expiration in its properties
(Password never expires) and enable the option This account supports Kerberos AES256 bit
encryption.
or
Create a keytab file using the ktpass utility on a Windows Server in the domain. When creating a keytab
file for SSO, the same rules are used as for LDAP integration (see Initial setup, activation). The difference
is that you need to specify the service principal name (SPN) instead of a user account for the principal.
SPN identifies the service running on KSMG (HTTP in this case, because we are talking about
authentication in the web console). The ktpass utility binds SPN to the user account specified in the -
d

mapuser key.
e

Upload the generated keytab file using the page Settings | Application access | Single Sign-On login.
This configuration fits a KSMG cluster with a single node.
pi
co
be
t to
No

If your cluster has several nodes, the keytab must contain records about each of them, because you can
upload only one file through the web interface of the control node, which then distributes it to the other
cluster nodes.

93
 KL 036.2.1: Kaspersky Secure Mail Gateway 5. Advanced settings

SPNs of these records will correspond to different cluster nodes, while the keys will be the same.

ed
Therefore, if a cluster consists of several nodes, the +dumpsalt parameter is added to the ktpass
command that we described earlier, which instructs ktpass to display the salt on the screen. ktpass uses
this salt (-rawsalt parameter) to create encrypted keys for the other KSMG cluster nodes. SPN of all
nodes are bound to the same user.

ut
r ib
st
di
re
or
e d

The KSMG web interface provides granular access for employees who perform different tasks. For
example:
pi

— An administrator with all permissions

— A security specialist who needs to see details of KSMG detections
— A manager interested in summarized statistics
co

— A technical support employee from the IT department who works with user requests.

Role-based access control (RBAC) allows you to implement the principle of least privilege when
employees with a specific role have a minimal set of permissions that allow them to perform their tasks.

There are two roles in KSMG by default: Superuser with full permissions and Viewer who has read-only
be

permissions. The administrator can create other roles and fine-tune their permissions. Permissions are
grouped for the user’s convenience, for example: KSMG settings, rules, backup, etc.

KSMG has only one built-in account: administrator. To grant access to more accounts, configure LDAP
integration and Single Sign-On, or create a new local account (this option is available starting with KSMG
version 2.1).
t to
No

94
 KL 036.2.1: Kaspersky Secure Mail Gateway 5. Advanced settings

ed
ut
r ib
st
di
re
In the Accounts section, you can edit roles and assign them to LDAP users. A user can have several
roles.
or
5.3 Scaling and maintenance
e d
pi
co
be

The KSMG virtual machine with minimal system requirements allows processing 10 messages per
second at most (this estimation presumes that the average message size is 300KB). You can increase
to

the throughput either by adding resources to the virtual machine, or by adding another virtual machine to
the KSMG cluster. The latter option is preferable because:
— It provides fault tolerance
— Virtual machine maintenance is more convenient in a cluster
t

You can turn off one of the nodes relatively painlessly.

No

— Small clustered virtual machines are easier to move, take snapshots, etc. compared to a large
virtual machine (monster vm)

95
 KL 036.2.1: Kaspersky Secure Mail Gateway 5. Advanced settings

The KSMG cluster operates in Active-Active mode, meaning, all cluster nodes process mail traffic on an

ed
equal basis. Every node has its own database, its own logs. There is one control node in the cluster,
which, in addition to traffic processing, provides the web interface and distributes settings and license
keys to other nodes. Also, the control node collects information from all cluster nodes and displays it in
the web interface: mail events, system events, objects in backup storages. This information is not cached
on the control node, and if there is no connection between the control node and a secondary node, data

ut
from that node will not be displayed.

r ib
st
di
re
or
After the installation, a KSMG node is in the ‘out of cluster’ state. To add a node to the cluster, go to the
Nodes section in the web interface of the control node and add the IP address of the respective KSMG
virtual machine. All cluster nodes must be on the same subnet and have the same cluster communication
d

port. When the control node connects to a new KSMG virtual machine, it downloads the certificate
fingerprint from it. The administrator must make sure certificate fingerprints are the same in the web
e

interfaces of the control node and the new node.

There is no hard limit on the number of nodes in a cluster, but a KSMG cluster works optimally if it has no
pi

more than 20 virtual machines.

Since all nodes are equal in a cluster, you can assign one of the secondary nodes the control role at any
co

time. In the web interface of the previous control node, make it secondary, because there cannot be two
control nodes. The cluster configuration will be updated within a minute.
be
t to
No

96
 KL 036.2.1: Kaspersky Secure Mail Gateway 5. Advanced settings

If you contact technical support, engineers may ask you to send diagnostic information from the KSMG

ed
virtual machine. This is an archive with information about the application, the system and various logs.

Prior to reproducing the problem, change the diagnostic level to Debug in Nodes | Get diagnostic
information. With the Debug level, more data will get into the KSMG logs. After you collect the

ut
diagnostic information, do not forget to set the level back to Error.

The archive with diagnostic information may contain sensitive data. Delete them if necessary. There will
be three folders in the archive:

ib
— klinfo
These are exported application settings, including rules with lists of recipients and senders, as well
as database statistics

r
— sysinfo

st
Various information about the system: processes, disk configuration, network settings, MTA Postfix
settings, the passwd file, files of the cron scheduler

di
— logs
The entire /var/log folder is copied here, including the ksmg-messages and ksmg-traces files,
where KSMG writes the metadata of messages.

re
If you suspect that KSMG has been compromised or a hardware failure has occurred, the KSMG integrity
check task comes in handy. You can find it in the Nodes | Integrity check section. The integrity check
task verifies that all KSMG files are available on the disk and have not been modified. If there are some
alterations, the administrator will see a link to the task report.
or
e d
pi
co
be

The main KSMG data (events and backed up and quarantined messages) is stored in a PostgreSQL
database. Each data type is limited in size. When the limit is reached, the old data is deleted. If you want
to store more data, you can use a larger disk and increase the data storage limits.
to

The table on the slide shows the approximate values of data restrictions in the PostgreSQL database
depending on the available disk size. You can adjust values as follows:
— Backup
t

Backup copies of messages that KSMG saves prior to processing a message. To configure, go to
Settings | General | Backup.
No

97
 KL 036.2.1: Kaspersky Secure Mail Gateway 5. Advanced settings

— Anti-Spam quarantine

ed
Messages that KSMG suspends in the queue while waiting for information from KSN to make the
decision later. This setting is in Settings | General | Protection | Anti-Spam
— KATA quarantine

ut
A quarantine storage for messages that are awaiting an answer from KATA (if KSMG is integrated
with KATA). To configure it, go to Settings | External services | KATA Protection.
— Events

ib
Mail and system events: Settings | Logs and events | Events.

To check how much space is currently occupied in the KATA and Anti-Spam quarantine storages, go to

r
the Message queue section.

st
di
re
or
e d
pi
co

A dedicated 25GB partition is allocated for the KSMG logs (the /var/log folder), so even if their data takes
up all the space for some reason, it will not affect the system performance.
be

To prevent the system logs from growing uncontrollably, the logrotate utility is configured in KSMG.
When the specified size is reached, logrotate rotates the log, i.e. compresses it and deletes the original,
then creates a new empty file where the system starts writing new data. Old archived logs should also be
deleted periodically. The rotate parameter set up in the configuration files located in the /etc/logrotate.d/
folder regulates this: it specifies how many old compressed logs to store. You can find the KSMG log
rotation settings in the file /etc/logrotate.d/ksmg-syslog. This file has sections with settings for different
to

log types.

If your corporate policy requires that logs are stored longer than a 25GB partition permits, configure
sending logs to a dedicated syslog server.
t
No

98
 KL 036.2.1: Kaspersky Secure Mail Gateway 5. Advanced settings

ed
ut
r ib
st
di
re
or
Update depends on the KSMG implementation deployed. If KSMG Standalone is used, the operating
system, MTA and all other related software need to be updated separately, because they are not included
in KSMG distributions.
ed
pi
co
be
to

Run the check_fs_and_packages.py script to perform a compatibility check before the update; this will
help increase probability of update success. The script outputs a list of incompatible objects that must be
deleted manually before you start the KSMG update procedure.
t
No

99
 KL 036.2.1: Kaspersky Secure Mail Gateway 5. Advanced settings

ed
ut
r ib
st
di
re
If the same KSMG release is updated, use its web interface. If you need to upgrade to a newer release,
or
you can either install the new version of KSMG on a new server, or update KSMG on the existing server.
In any case, you’ll have to export and then import KSMG settings.
e d
pi
co
be
to

KSMG settings apply to all cluster nodes, and failure of the control node will not lead to data loss.
However, you should back up settings in case it turns out that reconfiguration brought about some issues.
You can make a backup either by making a snapshot of the virtual machine, or by exporting settings. But
note that a snapshot is not actually fit for this purpose: it takes up much disk space, and it is advisable to
t

turn off the virtual machine before making it. It is much easier to export settings and store them
No

separately, for example, in a version control system.

Exported settings will also be of help if you need to reinstall KSMG on another hardware platform: install
KSMG from scratch, and then import the settings.

100
 KL 036.2.1: Kaspersky Secure Mail Gateway 5. Advanced settings

An upgrade to a new major version of KSMG also presumes that the administrator installs the new

ed
version and then imports the settings.

Note that exported settings only contain rule settings, including global allow and deny lists, as well as
personal lists. You will have to configure from scratch all network interface and MTA settings and create

ut
new encryption keys. Simply copying configuration files from /etc/postfix will not work, because these
files are overwritten whenever the administrator makes changes in the web interface. KSMG Virtual
Appliance creates Postfix files based on templates stored in /opt/kaspersky/ksmg-appliance-
addon/share/templates/ and MTA settings from the PostgreSQL database.

r ib
st
di
re
or
ed
pi

If you are migrating from KSMG 1.1 to KSMG 2.1 and need to export settings, first make sure that you
have all the patches for KSMG 1.1 installed. The settings of version 1 are compatible with the settings of
co

version 2 only if Maintenance Release 3 is installed.

Install KSMG 2.1, configure the network, MTA, create DKIM encryption keys and import the old settings
that you’ve exported from version 1.1 MR3. Then make sure the rules have the necessary settings,
because some of the functionality differs in versions 1 and 2.
be
t to
No

101
 KL 036.2.1: Kaspersky Secure Mail Gateway 5. Advanced settings

5.4 Integration with other systems

ed
ut
r ib
st
di
re
Events available in the KSMG web interface provide detailed information about mail checks. SIEM allows
cybersecurity specialists to see the bigger picture. To make KSMG forward events to SIEM, configure
syslog in Technical support mode. You can find instructions in the documentation:
https://support.kaspersky.com/ksmg/2.1/151504.
or
d
e
pi
co
be
to

After configuring event publication to SIEM, analysts will be able to see information about KSMG
t

detections there: metadata of messages and check details from various modules.
No

Starting with version 2.1, Kaspersky Secure Mail Gateway additionally provides the following information:
scanned links and MIME parts of messages, hashsums of attachments and MIME parts of messages,
and attachment names.

102
 KL 036.2.1: Kaspersky Secure Mail Gateway 5. Advanced settings

ed
ut
r ib
st
di
re
Integration with KATA is described in detail in course KL 425. ‘Kaspersky Anti Targeted Attack Platform,
Kaspersky EDR’. Let’s only focus on some aspects here. KSMG uses KATA to improve the level of
detection thanks to the wide range of technologies available in the platform, including a sandbox. KATA
gets a more efficient integration with the mail system, because KSMG pre-processes and filters
or
messages.
d
e
pi
co
be
to

When KSMG receives an email, it first checks it itself. Further options partly depend on the KATA
integration settings. In the Settings | External services | KATA protection | Settings section, you can
t

specify which messages to send to KATA: only those where KSMG hasn't found anything, or all
messages. In this context, ‘all messages’ means messages that are of interest to KATA. These are
No

messages with links and attachments that match specific masks.

KATA protection is disabled in the KSMG rules by default.

103
 KL 036.2.1: Kaspersky Secure Mail Gateway 5. Advanced settings

ed
ut
ib r
st
di
re
or
d e
pi
co
be
t to
No

v.1.8.7

104