[Topic 100512]

Kaspersky Secure Mail Gateway

This section contains information about the Kaspersky Secure Mail Gateway.

[Topic 91686]

About Kaspersky Secure Mail Gateway

Kaspersky Secure Mail Gateway lets you deploy a virtual mail gateway and integrate it into the existing corporate mail infrastructure. The following is preinstalled on the virtual mail gateway: Operating system, mail server, and Kaspersky Lab anti-virus application.

Kaspersky Secure Mail Gateway protects incoming and outgoing email against malware and spam, performs content filtering of messages, and, when integrated with Kaspersky Anti Targeted Attack Platform (hereinafter also referred to as "KATA"), protects email against intrusions into the corporate IT infrastructure.

Kaspersky Secure Mail Gateway:

• Scans incoming and outgoing email messages for
  spam

  Unsolicited mass email messages mailings, most often including advertisements

  ,
  phishing

  A type of Internet fraud aimed at obtaining unauthorized access to users' confidential data.

  and malware, and, when integrated with KATA, scans messages for signs of
  targeted attacks

  Attack that targets a specific person or organization. Unlike mass attacks by computer viruses designed to infect as many computers as possible, targeted attacks can be aimed at infecting the network of a specific organization or even a specific server within the corporate IT infrastructure. A dedicated Trojan program may be written to stage each targeted attack.

  and intrusions into the corporate IT infrastructure.

  To promptly respond to new threats that have not yet been added to the anti-virus databases, protection components of Kaspersky Secure Mail Gateway can utilize information from

  Kaspersky Security Network

  An infrastructure of cloud services that provides access to the online Knowledge Base of Kaspersky Lab which contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky Lab applications to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.

  .

• Integrates with
  Kaspersky Private Security Network

  A solution that allows users of Kaspersky Lab anti-virus applications to access Kaspersky Security Network databases without sending data from their computers to Kaspersky Security Network servers.

  (hereinafter also referred to as KPSN) for those organizations that cannot participate in Kaspersky Security Network (hereinafter also referred to as KSN).

  After integration with KPSN, Kaspersky Secure Mail Gateway can use the KSN reputation databases without sending data outside of the organization.

  If you want to purchase Kaspersky Private Security Network, you can contact Kaspersky Lab's partner specialists in your region.

• Integrates with
  Kaspersky Anti Targeted Attack Platform

  Solution designed for the protection of a corporate IT infrastructure and timely detection of threats such as zero-day attacks, targeted attacks, and complex targeted attacks known as advanced persistent threats (hereinafter also referred to as "APT").

  for detection of threats such as
  zero-day attacks

  An attack targeting the corporate IT infrastructure by exploiting zero-day vulnerabilities in software. These are software vulnerabilities that hackers find and exploit before the software vendor has a chance to release a patch.

  , targeted attacks, and complex targeted attacks known as
  advanced persistent threats

  A sophisticated targeted attack against the corporate IT infrastructure that simultaneously uses different methods to infiltrate the network, hide on the network, and gain unobstructed access to confidential data.

  (hereinafter also referred to as "APT").

  After integration with KATA, Kaspersky Secure Mail Gateway can send copies of messages to KATA for scanning. Based on the results of a KATA scan, Kaspersky Secure Mail Gateway can block individual messages.

  To purchase the Kaspersky Anti-Virus Targeted Attack Platform program, you can contact Kaspersky Lab's sales team.

• Detects and blocks spam, probable spam and mass mailings (including marketing mail-outs), deletes messages, and places copies of messages in Backup.
• Detects, blocks, and disinfects infected email messages and infected attachments, deletes messages and attachments, and places copies of messages in Backup.
• Detects and blocks messages whose attachments contain macros (for example, Microsoft Office files with macros), deletes messages or attachments, and places copies of messages in Backup.
• Detects and blocks messages containing encrypted objects, deletes messages or attachments, and places copies of messages in Backup.
• Detects and blocks messages containing archives, recognizes the types of files within archives (for example, files in the ZIP, RAR, TGZ, 7z, and QZIP formats), and blocks individual files within archives.
• Detects and blocks phishing or links to malicious websites, deletes messages, and places copies of messages in Backup.
• Performs content filtering of messages based on the name, type and size of attachments (Kaspersky Secure Mail Gateway can determine the actual format and type of attachment regardless of its extension), deletes messages containing attachments in a specific format or with a specific name, or messages larger than the permissible size, and places copies of messages in Backup.
• Detects and blocks messages containing signs of targeted attacks and intrusions into the corporate IT infrastructure (when integrated with KATA), deletes messages, and places copies of messages in Backup.
• Saves backup copies of messages in Backup based on the results of their processing by the
  Anti-Virus

  A Kaspersky Secure Mail Gateway component designed to detect viruses in email messages and email attachments.

  ,
  Anti-Spam

  A component of Kaspersky Secure Mail Gateway designed to detect messages categorized as spam.

  and
  Anti-Phishing

  A component of Kaspersky Secure Mail Gateway designed to detect messages categorized as phishing.

  modules, and based on the results of
  content filtering

  Filtering email messages based on message size, attachment file name mask, and attachment format. Based on the results of content filtering, you can restrict the forwarding of messages by the mail server.

  and KATA scans of messages.
• Saves messages from Backup to file and forwards messages to recipients.
• Places messages into Anti-Spam Quarantine and KATA Quarantine, and manages the Anti-Spam Quarantine and KATA Quarantine in the web interface.
• Processes mail in accordance with the rules defined for groups of senders and recipients.
• Lets you use email filtering rules to specify users and user groups from Microsoft Active Directory and generic LDAP to enable message routing for specific email accounts and user groups.
• Notifies the sender, recipients, and administrator about the detection of messages containing objects that are infected, password-protected, or cannot be scanned.
• Sends notifications to users regarding the results from their messages being scanned by program modules. Notifications may contain a list of the latest messages in Backup. You can configure the schedule for sending notifications.
• Updates program databases from Kaspersky Lab update servers or custom resources (HTTP and FTP servers) according to schedule or on demand.
• Receives application operation statistics via the SNMP protocol, and enables or disables forwarding of SNMP traps.
• Lets you configure the settings and manage the application via a web interface.
• Sends and receives messages via a secure TLS/SSL link.
• Lets you verify the authenticity of senders using
  SPF

  Comparison of IP addresses of message senders with the list of possible message sources, which has been created by the mail server administrator.

  ,
  DKIM

  Verification of the digital signature added to messages.

  , and
  DMARC

  Authentication performed to verify that the message was actually sent from the specified domain.

  technologies.
• Lets you sign outgoing email messages with DKIM signatures.
• Lets you add email disclaimers to outgoing and incoming messages.
• Adds dangerous attachment warnings to incoming messages.
• Retrieves user information from various domains and grants users access to a personal Backup.
• Lets you add, edit or delete information about domains (including local domains) and email addresses, configure Kaspersky Secure Mail Gateway settings for these domains and email addresses and configure email routing.
• Lets you configure TLS security modes for situations when Kaspersky Secure Mail Gateway receives messages from another server (acts in the Server role) or sends messages to another server (acts in the Client role), as well as configure TLS settings for individual domains.
• Lets you monitor the status of email traffic and usage of system resources and view lists of the latest detected threats in the web interface of the application.
• Lets you monitor the performance of the program via Kaspersky Security Center 10 SP2.
• Lets you view the application event Log and download it to the hard drive.
• Lets you upgrade the system via the web interface of Kaspersky Secure Mail Gateway.
• Lets you quickly configure the MTA using the Quick MTA Setup Wizard.
• Lets you add, change and delete TLS and DKIM encryption keys.
• Lets you generate and view reports on the email message processing rules.
• Lets you view the audit log in the program web interface.
• Lets you generate an archive containing information about Kaspersky Secure Mail Gateway operation for the purpose of sending it to Kaspersky Lab Technical Support.

Kaspersky Secure Mail Gateway is distributed in the format of OVA virtual machine templates (Open Virtual Appliance) or in a ZIP archive containing the virtual machine image intended for deployment on a Microsoft Hyper-V hypervisor.

Deployment of the image creates a virtual machine with a preinstalled CentOS 6.8 operating system, a mail server, and Kaspersky Security for Linux Mail Server application (hereinafter also referred to as "Kaspersky Security"). After deploying the virtual machine, you can configure it using the Initial Configuration Wizard.

[Topic 59365]

Distribution kit

The application is available from online stores of Kaspersky Lab (for example, http://www.kaspersky.com, in the eStore section) and from partner companies.

The content of the distribution kit may differ depending on the region in which the application is distributed.

If Kaspersky Secure Mail Gateway is purchased through an online store, the application is copied from the store's website. Information that is required for activating the application will be sent to you by email after your payment has been received.

[Topic 100501]

Modes of operation of Kaspersky Secure Mail Gateway

Kaspersky Secure Mail Gateway can run in normal mode, limited traffic mode, or certified mode.

In normal mode, Kaspersky Secure Mail Gateway is allowed to access the Internet and connect to the following servers outside the IT infrastructure of your organization:

• KSN database update servers.
• DNS servers.
• Kaspersky Secure Mail Gateway database update servers.

In certified mode, Kaspersky Secure Mail Gateway is not allowed to access the Internet and connect to servers outside the IT infrastructure of your organization.

In limited traffic mode, the settings of Kaspersky Secure Mail Gateway components that require Internet access take the following values by default:

• KSN usage is disabled.
• SPF, DKIM, and DMARC message authentication is disabled. Connection to DNS servers is prohibited.
• The Enforced Anti-Spam Updates service is disabled in the settings of the Anti-Spam component.
• Kaspersky Secure Mail Gateway receives database updates from Kaspersky Security Center or a local source of Kaspersky Secure Mail Gateway database updates.

In certified mode, Kaspersky Secure Mail Gateway is not allowed to access the Internet and connect to servers outside the IT infrastructure of your organization. Besides, when Kaspersky Secure Mail Gateway operates in certified mode, the administrator is not allowed to view the event Log from the administrator's menu of Kaspersky Secure Mail Gateway Management Console.

You can select the certified mode of operation of Kaspersky Secure Mail Gateway when deploying the image of a Kaspersky Secure Mail Gateway virtual machine.

[Topic 102291]

Kaspersky Secure Mail Gateway traffic limit

To switch Kaspersky Secure Mail Gateway to limited traffic mode:

1. In the main window of the application web interface, open the management console tree and select the Settings section and Protection subsection.
2. In the External Services section, click the Usage of KSN / KPSN link to open the Usage of KSN / KPSN window.
3. Select Do not use KSN / KPSN.
4. Click the Apply button.

   The Usage of KSN / KPSN window closes.

5. In the External Services section, click the Allow connection to DNS server link to open the External Services window.
6. In the list on the right of the name of the Allow connection to DNS server setting, select No.
7. Click the Apply button.

   The External Services window closes.

8. In the Anti-Spam section, click any of the Use KSN, Use enforced Anti-Spam Updates Service, Use reputation filtering or Maximum scanning time links to open the Anti-Spam settings window.
9. In the External services settings group, in the Use enforced Anti-Spam Updates Service drop-down list, select No.
10. Click the Apply button.

    The Anti-Spam settings window closes.

11. In the main window of the application web interface, open the management console tree and select the Settings section and Database Update subsection.
12. In the Program Database Update Settings section, click the Update source link to open the Program database update settings window.
13. In the Update source settings group, select Kaspersky Security Center.
14. Clear the If inaccessible, use Kaspersky Lab servers check box.
15. Click the OK button.

    The Program database update settings window is closed.

Kaspersky Secure Mail Gateway starts running in limited traffic mode.

[Topic 90219]

Kaspersky Secure Mail Gateway interface

Kaspersky Secure Mail Gateway is managed using a web interface.

The main window of the web interface contains the following items:

• Management console tree in the left part of the main window of the application web interface.
• Workspace in the right part of the main window of the application web interface.

Kaspersky Secure Mail Gateway management console tree

The management console tree displays the sections of Kaspersky Secure Mail Gateway and subsections of functional components of Kaspersky Secure Mail Gateway.

Kaspersky Secure Mail Gateway management console tree displays the following sections:

• Monitoring—Section containing Kaspersky Secure Mail Gateway monitoring data.
• Rules—Section containing message processing rules.
• Domains—Section in which you can add, edit or delete information about domains and email addresses, configure Kaspersky Secure Mail Gateway settings for these domains and email addresses.
• Encryption Keys—Section in which you can add, edit or delete DKIM and TLS encryption keys.
• Backup—Section containing information about message Backup and a filter for finding messages in Backup.
• Message Queue—Section containing information about the message queue of the MTA mail agent and a filter for finding messages in the queue.
• Reports—Section containing reports on the operation of the mail server.
• Settings—Section that lets you configure Kaspersky Secure Mail Gateway settings.
• Quick MTA Setup—Setup wizard that configures the main MTA settings. You can use it to quickly integrate Kaspersky Secure Mail Gateway into your corporate mail infrastructure at the first startup of the Kaspersky Secure Mail Gateway web interface as well as redefine the MTA settings during subsequent startups of the Kaspersky Secure Mail Gateway web interface.

  After you complete all steps of the Quick MTA Setup, Kaspersky Secure Mail Gateway resets all values of MTA setting and replaces them with values that you specified in the Quick MTA Setup Wizard.

Workspace of the Kaspersky Secure Mail Gateway web interface window

The workspace contains information about the sections that you select in the management console and control elements for editing the application settings.

Settings in the workspace of the main window are grouped into settings groups for sections that let you manage Kaspersky Secure Mail Gateway settings.

[Topic 69238]

Application licensing

This section covers the main aspects of application licensing.

[Topic 73374]

About the End User License Agreement

The End User License Agreement (EULA) is a binding agreement between you and AO Kaspersky Lab, stipulating the terms on which you may use the program.

Read through the terms of the End User License Agreement carefully before you start using the application.

You can view the terms of the End User License Agreement in the following ways:

• During installation of Kaspersky Secure Mail Gateway.
• By reading the license.txt file. This file is included in the application's distribution kit.

By confirming that you agree with the End User License Agreement when installing the application, you signify your acceptance of the terms of the End User License Agreement. If you do not accept the terms of the End User License Agreement, you must abort application installation and must not use the application.

[Topic 69240]

About the license

A license is a time-limited right to use the application, granted under the End User License Agreement.

A current license entitles you to the following kinds of services:

• Use of the application in accordance with the terms of the End User License Agreement
• Getting technical support

The scope of services and application usage term depend on the type of license under which the application is activated.

The following license types are provided:

• Trial—Free license intended for trying out the application.

  A trial license is usually of limited duration. As soon as the license expires, all Kaspersky Secure Mail Gateway features are disabled. To continue using the application, you need to purchase a commercial license.

  You can activate the application under a trial license only once.

• Commercial—Pay-for license that is provided when you buy the application.

  When the commercial license expires, the application continues running with limited functionality (for example, Kaspersky Secure Mail Gateway database updates are not available). To continue using Kaspersky Secure Mail Gateway in fully functional mode, you must renew your commercial license.

We recommend renewing the license before its expiration to ensure maximum protection of your computer against security threats.

[Topic 73976]

About the license certificate

A License Certificate is a document provided together with a key file or activation code.

The License Certificate contains the following license information:

• Order number
• Details of the license holder
• Information about the application that can be activated using the license
• Limitation on the number of licensing units (devices on which the application can be used under the license)
• License start date
• License expiration date or license validity period
• License type

[Topic 91152]

About the key

A key is a sequence of bits with which you can activate and subsequently use the application in accordance with the terms of the End User License Agreement. A key is generated by Kaspersky Lab.

You can add a key to the application in one of the following ways: Apply a key file or enter an activation code.

After you add a key to the application, the key is displayed in the application interface as a unique alphanumeric sequence.

Kaspersky Lab can black-list a key over violations of the End User License Agreement. If the key has been black-listed, you have to add a different key to continue using the application.

There are two types of keys: active and additional.

An active key is the key that is currently used by the application. A trial or commercial license key can be added as the active key. The application cannot have more than one active key.

An additional key is a key that entitles the user to use the application, but is not currently in use. An additional key automatically becomes active when the license associated with the current active key expires. An additional key can be added only if the active key is available.

A key for a trial license can be added only as the active key. A key for a trial license cannot be added as an additional key.

An additional key can be added only if the active key is available.

Kaspersky Secure Mail Gateway uses keys of the following types:

• Fully-functional key. When this key is added, the application works in full-functionality mode, performing scans for spam, phishing, viruses and other types of malware.
• Key for Anti-Virus protection. When this key is added, the application scans messages for viruses and other threats but does not scan messages for spam. The status label assigned by the application to a message following a spam scan contains information about limited functionality.
• Key for Anti-Spam and Anti-Phishing protection. When this key is added, the application scans messages for spam and phishing but does not scan messages for viruses and other threats. The status label assigned by the application to a message following a scan for viruses and other threats contains information about limited functionality.

The type of additional key should match the type of the previously added active key. If the type of the additional key does not match the type of a previously added active key, the available application functionality changes in accordance with the type of the additional key when the additional key becomes active.

Anti-Spam and Anti-Virus databases are updated regardless of key type.

[Topic 69430]

About the activation code

An activation code is a unique sequence of 20 characters in the Latin alphabet and numerals. You enter an activation code to add a key that activates Kaspersky Secure Mail Gateway. You receive an activation code at the email address that you provided after purchasing Kaspersky Secure Mail Gateway or after ordering the trial version of Kaspersky Secure Mail Gateway.

To activate the application with an activation code, Internet access is required for connecting to Kaspersky Lab activation servers.

If your activation code is lost after the application is activated, you can restore the activation code. You may need an activation code for registration in Kaspersky CompanyAccount, for example. To restore an activation code, you must contact Kaspersky Lab Technical Support.

[Topic 69431]

About the key file

A key file is a file with the .key extension that you receive from Kaspersky Lab. Key files are designed to activate the application by adding a key.

You receive a key file at the email address that you provided when you bought Kaspersky Secure Mail Gateway or ordered the trial version of Kaspersky Security.

You do not need to connect to Kaspersky Lab activation servers in order to activate the program with a key file.

You can recover a key file if it is accidentally deleted. You may need a key file to register with Kaspersky CompanyAccount.

To recover a key file, do one of the following:

• Contact your license distributor
• Obtain a key file on the Kaspersky Lab website based on your existing activation code.

[Topic 144076]

About the subscription

A subscription for Kaspersky Secure Mail Gateway is a purchase order for the application with specific parameters (subscription expiration date, number of devices protected).

A subscription can be limited (for example, lasting one year) or unlimited (without an expiration date). To continue using Kaspersky Secure Mail Gateway after a limited subscription expires, you need to renew it. An unlimited subscription is extended automatically if prepayment is made on time.

When a limited subscription expires, you may be provided a grace period for renewal. During this grace period, the application remains fully functional.

To use Kaspersky Secure Mail Gateway based on a subscription, you must apply an activation code. After the activation code is applied, the active key is installed. The active key defines the license for using the application by subscription. An additional key can be installed only by using an activation code and cannot be installed using a key file or by subscription.

Activation codes purchased by subscription cannot be used for activating earlier versions of Kaspersky Secure Mail Gateway.

[Topic 98491]

About data provision

The application operates with the use of data whose transmission and processing requires the consent of the Kaspersky Secure Mail Gateway administrator.

You can view the list of data and the terms on which it is used as well as give consent to data processing in the following agreements between your organization and Kaspersky Lab:

• In the End User License Agreement (for example, when installing the application or upgrading the system in the Settings section, System Upgrade subsection of the main window of the application's web interface).

  According to the terms of the End User License Agreement that you have accepted, you consent to the automatic transmission to Kaspersky Lab of the information enumerated in the License Agreement under Data Submission. This information is needed to improve the level of mail server security.

• In the KSN Statement.

  If you agree to participate in Kaspersky Security Network, information collected during the application's operation on the computer is automatically forwarded to Kaspersky Lab. The KSN Statement specifies the list of data that is transmitted.

Kaspersky Lab protects any information received in this way as prescribed by law and applicable rules of Kaspersky Lab.

Kaspersky Lab uses any received information in anonymized form and as general statistics only. General statistics are automatically generated using original collected information and do not contain any personal data or other confidential information. The original information received is destroyed as new information is accumulated (once a year). General statistics are stored indefinitely.

User data may be present in the following Kaspersky Secure Mail Gateway components:

• Message queue (file names, email addresses of message senders and recipients, message texts).
• Backup (file names, email addresses of message senders and recipients, message texts).
• Application reports (file names, email addresses of message senders and recipients).
• Application event log (email addresses of message senders and recipients, names of attachment files, IP addresses of computers of message senders).
• Trace files (file names, paths to files, proxy server names, user account data, IP addresses of computers that connect to application database update sources, names and IP addresses of update sources, information about files downloaded and the download speed).
• Files storing settings of the connection to the LDAP server and proxy server (data of LDAP server and proxy server user accounts).

When it connects to DNS, SURBL, and DNSBL servers, Kaspersky Secure Mail Gateway uses the IP addresses and FQDN names of domains that contact these servers.

Managing the application via the management console of Kaspersky Secure Mail Gateway in Technical Support Mode with super-user account privileges lets you manage dump settings. A dump is generated during application crashes and may be needed to analyze the causes of the crash. The dump may include any data, including fragments of messages and files analyzed.

The corporate LAN administrator is responsible for access to this information.

By default, dump generation in Kaspersky Secure Mail Gateway is disabled.

Data of the email message queue currently being processed by Kaspersky Secure Mail Gateway as well as data of LDAP server and proxy server user accounts are stored in Kaspersky Secure Mail Gateway in unencrypted form.

Such data can be accessed from the Kaspersky Secure Mail Gateway Management Console in Technical Support Mode with super-user account privileges.

The administrator of Kaspersky Secure Mail Gateway must personally ensure the security of such data.

The administrator of Kaspersky Secure Mail Gateway is responsible for access to this information.

Data about events and processes of Kaspersky Secure Mail Gateway is logged and stored in the following Kaspersky Secure Mail Gateway logs:

• Event log
• Trace log

[Topic 89483]

Viewing information about the license and added keys

To view information about the license and added keys,

in the main window of the application web interface, open the management console tree and select the Settings section and Licensing subsection.

The following key details appear in the Active Key section of the workspace:

• Alphanumeric sequence of the key
• Key status
• License type
• Number of users
• Application activation date
• Key expiration date
• Number of days until key expiration

[Topic 144930]

Updating of license and added keys information

To update the license and the added keys information, follow these steps:

1. In the main window of the application web interface, open the management console tree and select the Settings section and Licensing subsection.
2. Press the Refresh button in the upper right corner of the window.

Information about the license and the added keys will be updated.

[Topic 91150]

Adding a key file

To add a key file:

1. In the main window of the application web interface, open the management console tree and select the Settings section and Licensing subsection.
2. Click the Add a key file button.

   The Add a key window opens.

3. Click the Browse button.

   The file selection window opens.

4. Select the key file that you want to add.
5. Click the OK button.

Once added, a key can have active or additional status. The first key to be added automatically becomes active. You can use the application as soon as you add an active key.

After adding an active key, you can add an additional key. The additional key automatically becomes active on expiration of the license. This ensures that protection is maintained in the period between expiration and renewal of the license.

You can now activate the program with an activation code. You are advised to activate the application using a key file.

[Topic 144190]

Adding an activation code

To add an activation code:

1. In the main window of the application web interface, open the management console tree and select the Settings section and Licensing subsection.
2. Click the Add an activation code button.

   The Activate with an activation code window opens.

3. In the Activation code. field, enter the application activation code in the format XXXXX-XXXXX-XXXXX-XXXXX, where X can be letters of the Latin alphabet (A-Z, except O and I (uppercase i)) or numbers (0-9).
4. Click the OK button.

The activation code will be sent to Kaspersky Lab activation servers for verification.

If the code you entered is invalid, the Activate with an activation code window will display a message informing you that an invalid code was entered. In this window, you can try to enter the activation code again.

If the code you entered is valid, you will see the terms of the End User License Agreement corresponding to the entered activation code. The Activate with an activation code window closes.

You can also activate the application with a key file. You are advised to activate the application using a key file.

[Topic 91151]

Removing a key

To remove a key:

1. In the main window of the application web interface, open the management console tree and select the Settings section and Licensing subsection.
2. In the workspace of the window, select the check box next to the key that you want to delete.
3. Click the Delete button.

   The Deleting the key / activation code window opens.

4. Click the Yes button.

The selected key is removed.

If you remove the active key and an additional key has been added for Kaspersky Secure Mail Gateway, the additional key automatically becomes active.

If you remove the active and additional keys, you cannot use the application functionality available under your license.

[Topic 100499]

Modes of Kaspersky Secure Mail Gateway operation under license

Kaspersky Secure Mail Gateway can operate in various modes depending on the license.

Unlicensed

Kaspersky Secure Mail Gateway runs in this mode from the time when you install the application and start its web interface and until you add an active key.

Kaspersky Secure Mail Gateway does not scan email messages in Unlicensed mode.

Trial license

In this mode, Kaspersky Secure Mail Gateway scans email messages and updates databases.

When the trial license key expires, Kaspersky Secure Mail Gateway stops scanning email messages and updating databases.

In order for Kaspersky Secure Mail Gateway to resume operation, you have to install a commercial license key.

Commercial license

In this mode, Kaspersky Secure Mail Gateway scans email messages and updates databases.

When the commercial license key expires, Kaspersky Secure Mail Gateway continues scanning email messages but stops updating databases.

To resume database updates, add a new commercial license key or renew the existing commercial license key.

Kaspersky Secure Mail Gateway supports the following types of commercial license keys:

• Fully-functional key. When this key is added, the application works in full-functionality mode, performing scans for spam, phishing, viruses and other types of malware.
• Key for Anti-Virus protection. When this key is added, the application scans messages for viruses and other threats but does not scan messages for spam. The status label assigned by the application to a message following a spam scan contains information about limited functionality.
• Key for Anti-Spam and Anti-Phishing protection. When this key is added, the application scans messages for spam and phishing but does not scan messages for viruses and other threats. The status label assigned by the application to a message following a scan for viruses and other threats contains information about limited functionality.

Black list of keys

A key can be added to the black list of keys in a number of cases. If this has happened, Kaspersky Secure Mail Gateway stops scanning email messages but continues attempts to update databases in case the key is removed from the black list of keys.

As soon as the key has been removed from the black list of keys, Kaspersky Secure Mail Gateway resumes scanning of email messages in accordance with the valid license.

After scanning of email messages in Kaspersky Secure Mail Gateway is disabled, the following functionality remains available: the mail transfer agent (MTA), the connection to the LDAP server, the event log, and Kaspersky Secure Mail Gateway operation reports. You also have access to all Kaspersky Secure Mail Gateway settings (except the protection settings) via the web interface.

[Topic 92700]

Notifications that the license expires soon

The application checks the license validity period after each update. When the number of days specified in the Send notification setting remains until license expiration, the application starts sending notifications to the email addresses of Kaspersky Secure Mail Gateway administrator.

By default, the application starts sending license expiration notifications 30 days before license expiration.

License expiration notifications are sent once a day.

The application stops sending license expiration notifications in the following cases:

• You have added a key whose validity period exceeds the validity period of the previous key and the value of the Send notification setting.
• License has expired. In this case, the application sends a notification that the license has expired.

To configure the start date for sending notifications, edit the header or text of the notification about an expiring license:

1. In the main window of the application web interface, open the management console tree and select the Settings section and Notifications subsection.
2. In the License Expires Soon section, click any link to open the Notification settings.
3. In the Subject field, type the header of the expiring license notification.
4. In the Message field, type the text of the expiring license notification.
5. In the Send notification list, specify the number of days until license expiry that you want to start receiving the notification.
6. Click the Save button.

   The Notification settings window closes.

To enable or disable delivery of license expiration notifications:

1. In the main window of the application web interface, open the management console tree and select the Settings section and Notifications subsection.
2. In the License Expires Soon section, do one of the following:
   • Flip on the toggle switch next to the name of the License Expires Soon group of settings if you want to enable delivery of license expiration notifications.
   • Flip off the toggle switch next to the name of the License Expires Soon group of settings if you want to disable delivery of license expiration notifications.

If an additional key is installed in the application, the notification is not sent. After the expiry of the active key, the additional key automatically becomes active.

If the additional key validity period expires before the application is configured to start sending notifications, the first notification is sent at the time when the active key is replaced with the additional key.

[Topic 144226]

Purchasing a license

Kaspersky Secure Mail Gateway is included in the following comprehensive solutions for security and system administration from Kaspersky Lab:

• Kaspersky TOTAL Security for Business.
• Kaspersky Security for Mail Servers.

To select a comprehensive solution that is most suitable for your organization, consult with specialists of a Kaspersky Lab partner company. The contact details and addresses of partners are provided on the Kaspersky Lab website at https://www.kaspersky.co.uk/partners/distribution.

[Topic 90436]

Mail server protection status

In the Monitoring section of the main window of the Kaspersky Secure Mail Gateway web interface, the following information on the status of mail server protection is displayed in the right part of the workspace:

• Operating status of the Anti-Spam module, up-to-date status of the Anti-Spam module databases, and the number of messages in Anti-Spam Quarantine.
• Operating status of the Anti-Virus module, and up-to-date status of Anti-Virus module databases.
• Status of the connection with the server hosting the KATA component, the number of messages in KATA Quarantine (if you are using Kaspersky Anti Targeted Attack Platform).
• Operating status of the Anti-Phishing module, and up-to-date status of the Anti-Phishing module databases.
• Status of the connection with Kaspersky Security Network or Kaspersky Private Security Network (if you are using Kaspersky Private Security Network).
• Information about the last update of application databases.
• Status of the connection to LDAP servers
• License validity period and a license expiration notification if the license is about to expire
• Information about the status of transmission and reception of messages by the MTA.

If you have activated the application, the Anti-Spam, Anti-Virus, and Anti-Phishing modules are enabled by default, and message transmission and receipt is enabled for the MTA mail agent.

Page top

[Topic 83813]

Getting started with the application web interface

After installation and initial configuration of the application, you can begin working with the web interface of Kaspersky Secure Mail Gateway.

To begin working with the web interface of the application:

1. Enter the following address into the address line of the browser:

   https://<IP-address-of-deployed-appliance>/ksmg, using the IP address received during application installation.

   A web interface login page opens, prompting you to enter the user name and password of the web address administrator.

2. In the User name field, type Administrator.
3. In the Password field, enter the password that was set during application installation.
4. Click the Log in button.

The main page of the Kaspersky Secure Mail Gateway web interface opens.

[Topic 88761]

Integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure

Kaspersky Secure Mail Gateway is integrated into the existing corporate mail infrastructure and is not a standalone mail system. For example, Kaspersky Secure Mail Gateway does not deliver email messages to recipients and does not manage user accounts.

You can integrate Kaspersky Secure Mail Gateway into the corporate mail infrastructure in one of the following ways:

• Directly.
• Through an edge gateway on which SMTP verification of recipient email addresses is enabled.

  Before configuring integration of Kaspersky Secure Mail Gateway via an edge gateway, specify whether or not SMTP verification of recipient email addresses is enabled on the edge gateway to which Kaspersky Secure Mail Gateway will be relaying messages from internal domains.

• Through an edge gateway on which SMTP verification of recipient email addresses is disabled.

You can configure the basic settings of Kaspersky Secure Mail Gateway integration into the corporate mail infrastructure using the Quick MTA Setup Wizard as well as integrate Kaspersky Secure Mail Gateway into the corporate mail infrastructure through the web interface of the application.

After you complete all steps of the Quick MTA Setup, Kaspersky Secure Mail Gateway resets all values of MTA setting and replaces them with values that you specified in the Quick MTA Setup Wizard.

[Topic 99105]

Direct integration using a Quick Setup Wizard

Direct integration is the type of integration where Kaspersky Secure Mail Gateway receives email messages directly from the Internet and redirects them to internal mail servers, and also receives messages from internal mail servers and redirects them to the Internet.

To configure direct integration of Kaspersky Secure Mail Gateway into the corporate mail infrastructure:

1. In the main window of the application web interface, open the management console tree and select the Quick MTA Setup section.
2. In the Integrating Kaspersky Secure Mail Gateway into mail infrastructure section, select Integrate directly.
3. Click the Start integration link to begin performing the steps of the wizard.

[Topic 100459]

Step 1. Adding local domains (relay_domains)

At this step, add local domains of your organization for which Kaspersky Secure Mail Gateway will be receiving email messages from the outside. Kaspersky Secure Mail Gateway will receive messages only for the domains you specified. Messages intended for other domains are rejected.

If local domains are not specified, Kaspersky Secure Mail Gateway will not be receiving messages for your internal mail servers.

To add local domains of your organization:

1. Click the Add a domain link to open the Adding a domain window.
2. In the Enter domain name field, type the name of the domain for which Kaspersky Secure Mail Gateway will be receiving messages.

   Type the domain names in FQDN format.

3. Click the OK button.
4. The Adding a domain window closes.

The domain names have to be entered one at a time. Repeat the process of adding domain names to the list for all domain names that you are adding.

Click the Save and go to Configuration of email routing link to proceed to the next step of the wizard.

[Topic 100460]

Step 2. Configuring email routing (transport_map)

Configure email routing at this step.

By default, Kaspersky Secure Mail Gateway uses the settings of your DNS server for email routing. You can manually configure email routing. To do so, you must create a transport map. In the transport map, enter the names of the domains for which the email messages are intended and then enter the IP addresses or fully qualified domain names (FQDN) to which Kaspersky Secure Mail Gateway will be redirecting messages intended for these domains.

To configure email routing:

1. Click the Add a record to the transport map link to open the Email routing window.
2. In the Enter domain name field, type the name of the domain for which email messages are intended.

   Type the domain names in FQDN format.

3. In the Enter email destination address (IPv4, domain name or FQDN) field, enter the IP address or the domain name of the server to which you want to configure routing of email.

   You can enter an IPv4 address (for example, 192.0.0.1 or 192.0.0.0/16), domain name or FQDN.

4. In the Enter the port number to connect with the email destination address field, select the port number.

   The default value is 25.

5. Select one of the following options:
   • Do not enable MX lookup.
   • Enable MX lookup (for domain names or FQDNs).
6. Click the OK button.
7. The Email routing window closes.

Transport map records are added one at a time. Repeat the process of adding records to the transport map for all records that you are adding.

Click the Save and go to Adding trusted networks and network hosts link to proceed to the next step of the wizard.

[Topic 100462]

Step 3. Adding trusted networks and network hosts (mynetworks)

At this step, create a list of trusted networks and network hosts that are allowed to send email messages via Kaspersky Secure Mail Gateway.

As a rule, these are internal networks and network hosts of your organization.

For example, you can specify the IP addresses of Microsoft Exchange servers used at your organization.

If trusted networks are not specified, Kaspersky Secure Mail Gateway will not be receiving messages from internal mail servers and redirect them outside the network of your organization.

To add a list of trusted networks and network hosts:

1. Click the Add a trusted network or network host link to open the Adding a trusted network window.
2. In the Enter email destination address (IPv4, domain name or FQDN) field, enter the network address or the subnet address.

   You can enter an IPv4 address (for example, 192.0.0.1 or 192.0.0.0/16), domain name or FQDN. .

3. Click the OK button.
4. The Adding a trusted network window closes.

Addresses are added one at a time. Repeat the process of adding addresses to the list for all addresses that you are adding.

Click the Save and go to Completing the integration link to proceed to the next step of the wizard.

[Topic 100463]

Step 4. Completing direct integration of Kaspersky Secure Mail Gateway

At this step, check the settings you have specified for integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure and confirm your choice.

When integration into the corporate mail infrastructure is completed, the following settings of Kaspersky Secure Mail Gateway are configured automatically:

• SPF authentication of message senders is enabled.
• SMTP verification of recipient email addresses is enabled.

After you complete all steps of the Quick MTA Setup, Kaspersky Secure Mail Gateway resets all values of MTA setting and replaces them with values that you specified in the Quick MTA Setup Wizard.

[Topic 99111]

Integration through an edge gateway (SMTP verification of recipient email addresses is enabled) with the help of a wizard

Integration through an edge gateway on which SMTP verification of recipient email addresses is enabled is a type of integration where Kaspersky Secure Mail Gateway receives messages from an intermediate gateway and relays them to internal mail servers, and also receives messages from internal mail servers and relays them to the edge gateway. In this case, SMTP verification of recipient email addresses is enabled on the edge gateway.

SMTP verification of recipient email addresses is used by mail systems to prevent reception of messages for nonexistent addresses.

To configure integration of Kaspersky Secure Mail Gateway into the corporate mail infrastructure through an edge gateway on which SMTP verification of recipient email addresses is enabled:

1. In the main window of the application web interface, open the management console tree and select the Quick MTA Setup section.
2. In the Integrating Kaspersky Secure Mail Gateway into mail infrastructure section, select Integrate through Edge Gateway.
3. Click the Start integration link to go to the SMTP Recipient Address Verification on the Edge Gateway section.
4. Select SMTP Recipient Address Verification is enabled on the Edge Gateway.
5. Click the Go to Adding local domains link to begin performing the steps of the wizard.

[Topic 100472]

Step 1. Adding local domains (relay_domains)

At this step, add local domains of your organization for which Kaspersky Secure Mail Gateway will be receiving email messages from the outside. Kaspersky Secure Mail Gateway will receive messages only for the domains you specified. Messages intended for other domains are rejected.

If local domains are not specified, Kaspersky Secure Mail Gateway will not be receiving messages for your internal mail servers.

To add local domains of your organization:

1. Click the Add a domain link to open the Adding a domain window.
2. In the Enter domain name field, type the name of the domain for which Kaspersky Secure Mail Gateway will be receiving messages.

   Type the domain names in FQDN format.

3. Click the OK button.
4. The Adding a domain window closes.

The domain names have to be entered one at a time. Repeat the process of adding domain names to the list for all domain names that you are adding.

Click the Save and go to Configuration of email routing link to proceed to the next step of the wizard.

[Topic 100473]

Step 2. Configuring email routing (transport_map)

Configure email routing at this step.

By default, Kaspersky Secure Mail Gateway uses the settings of your DNS server for email routing. You can manually configure email routing. To do so, you must create a transport map. In the transport map, enter the names of the domains for which the email messages are intended and then enter the IP addresses or fully qualified domain names (FQDN) to which Kaspersky Secure Mail Gateway will be redirecting messages intended for these domains.

To configure email routing:

1. Click the Add a record to the transport map link to open the Email routing window.
2. In the Enter domain name field, type the name of the domain for which email messages are intended.

   Type the domain names in FQDN format.

3. In the Enter email destination address (IPv4, domain name or FQDN) field, enter the IP address or the domain name of the server to which you want to configure routing of email.

   You can enter an IPv4 address (for example, 192.0.0.1 or 192.0.0.0/16), domain name or FQDN.

4. In the Enter the port number to connect with the email destination address field, select the port number.

   The default value is 25.

5. Select one of the following options:
   • Do not enable MX lookup.
   • Enable MX lookup (for domain names or FQDNs).
6. Click the OK button.

   The Email routing window closes.

Transport map records are added one at a time. Repeat the process of adding records to the transport map for all records that you are adding.

Click the Save and go to Entering the Edge Gateway address link to proceed to the next step of the wizard.

[Topic 100474]

Step 3. Entering address of your Edge Gateway (relayhost)

At this step, enter the address of your edge gateway. Kaspersky Secure Mail Gateway will be redirecting all messages to this address.

For example: 192.0.2.1 or domain.com.

If you have configured email routing for individual domains, Kaspersky Secure Mail Gateway will be redirecting email messages to the addresses specified for each domain.

To enter the address of an edge gateway:

1. In the entry field, specify the IP address or the domain name of the edge gateway.

   You can enter an IPv4 address (for example, 192.0.0.1 or 192.0.0.0/16), domain name or FQDN.

2. Select one of the following options:
   • Do not enable MX lookup.
   • Enable MX lookup (for domain names or FQDNs).

Click the Save and go to Adding trusted networks and network hosts link to proceed to the next step of the wizard.

[Topic 100475]

Step 4. Adding trusted networks and network hosts (mynetworks)

At this step, create a list of trusted networks and network hosts that are allowed to send email messages via Kaspersky Secure Mail Gateway.

As a rule, these are internal networks and network hosts of your organization.

For example, you can specify the IP addresses of Microsoft Exchange servers used at your organization.

If trusted networks are not specified, Kaspersky Secure Mail Gateway will not be receiving messages from internal mail servers and redirect them outside the network of your organization.

To add a list of trusted networks and network hosts:

1. Click the Add a trusted network or network host link to open the Adding a trusted network window.
2. In the Enter network address or network host address field, type the name of the domain for which email messages are intended.

   Type the domain names in FQDN format.

3. Click the OK button.
4. The Adding a trusted network window closes.

Addresses are added one at a time. Repeat the process of adding addresses to the list for all addresses that you are adding.

Click the Save and go to Completing the integration link to proceed to the next step of the wizard.

[Topic 100466]

Step 5. Completing the integration of Kaspersky Secure Mail Gateway through an edge gateway (SMTP verification of recipient email addresses is enabled)

At this step, check the settings you have specified for integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure and confirm your choice.

When integration into the corporate mail infrastructure is completed, the following settings of Kaspersky Secure Mail Gateway are configured automatically:

• SPF authentication of message senders is disabled.

  Do not enable SPF authentication of message recipients because the message sender is the edge gateway from which Kaspersky Secure Mail Gateway receives messages.

• DMARC authentication of domains from which Kaspersky Secure Mail Gateway receives messages is disabled.

  Do not enable DMARC authentication of domains because Kaspersky Secure Mail Gateway receives messages from an intermediate gateway.

• SMTP verification of recipient email addresses is enabled.

  Do not disable SMTP verification of recipient email addresses because SMTP verification of recipient email addresses is enabled on the edge gateway.

After you complete all steps of the Quick MTA Setup, Kaspersky Secure Mail Gateway resets all values of MTA setting and replaces them with values that you specified in the Quick MTA Setup Wizard.

[Topic 99112]

Integration through an edge gateway (SMTP verification of recipient email addresses is disabled) with the help of a wizard

Integration through an edge gateway on which SMTP verification of recipient email addresses is disabled is a type of integration where Kaspersky Secure Mail Gateway receives messages from an edge gateway and relays them to internal mail servers, and also receives messages from internal mail servers and relays them to the edge gateway. In this case, SMTP verification of recipient email addresses is disabled on the edge gateway.

SMTP verification of recipient email addresses is used by mail systems to prevent reception of messages for nonexistent addresses.

To configure integration of Kaspersky Secure Mail Gateway into the corporate mail infrastructure through an edge gateway on which SMTP verification of recipient email addresses is disabled:

1. In the main window of the application web interface, open the management console tree and select the Quick MTA Setup section.
2. In the Integrating Kaspersky Secure Mail Gateway into mail infrastructure section, select Integrate through Edge Gateway.
3. Click the Start integration link to go to the SMTP Recipient Address Verification on the Edge Gateway section.
4. Select SMTP Recipient Address Verification is disabled on the Edge Gateway.
5. Click the Go to configuring email routing link to begin performing the steps of the wizard.

[Topic 100469]

Step 1. Configuring email routing (transport_map)

Configure email routing at this step.

By default, Kaspersky Secure Mail Gateway uses the settings of your DNS server for email routing. You can manually configure email routing. To do so, you must create a transport map. In the transport map, enter the names of the domains for which the email messages are intended and then enter the IP addresses or fully qualified domain names (FQDN) to which Kaspersky Secure Mail Gateway will be redirecting messages intended for these domains.

To configure email routing:

1. Click the Add a record to the transport map link to open the Email routing window.
2. In the Enter domain name field, type the name of the domain for which email messages are intended.

   Type the domain names in FQDN format.

3. In the Enter email destination address (IPv4, domain name or FQDN) field, enter the IP address or the domain name of the server to which you want to configure routing of email.

   You can enter an IPv4 address (for example, 192.0.0.1 or 192.0.0.0/16), domain name or FQDN.

4. In the Enter the port number to connect with the email destination address field, select the port number.

   The default value is 25.

5. Select one of the following options:
   • Do not enable MX lookup.
   • Enable MX lookup (for domain names or FQDNs).
6. Click the OK button.

   The Email routing window closes.

Transport map records are added one at a time. Repeat the process of adding records to the transport map for all records that you are adding.

Click the Save and go to Entering the Edge Gateway address link to proceed to the next step of the wizard.

[Topic 100470]

Step 2. Entering address of your Edge Gateway (relayhost)

At this step, enter the address of your edge gateway. Kaspersky Secure Mail Gateway will be redirecting all messages to this address.

For example: 192.0.2.1 or domain.com.

If you have configured email routing for individual domains, Kaspersky Secure Mail Gateway will be redirecting email messages to the addresses specified for each domain.

To enter the address of an edge gateway:

1. In the entry field, specify the IP address or the domain name of the edge gateway.

   You can enter an IPv4 address (for example, 192.0.0.1 or 192.0.0.0/16), domain name or FQDN.

2. Select one of the following options:
   • Do not enable MX lookup.
   • Enable MX lookup (for domain names or FQDNs).

Click the Save and go to Adding trusted networks and network hosts link to proceed to the next step of the wizard.

[Topic 100471]

Step 3. Adding trusted networks and network hosts (mynetworks)

At this step, create a list of trusted networks and network hosts that are allowed to send email messages via Kaspersky Secure Mail Gateway.

As a rule, these are internal networks and network hosts of your organization.

For example, you can specify the IP addresses of Microsoft Exchange servers used at your organization.

If trusted networks are not specified, Kaspersky Secure Mail Gateway will not be receiving messages from internal mail servers and redirect them outside the network of your organization.

To add a list of trusted networks and network hosts:

1. Click the Add a trusted network or network host link to open the Adding a trusted network window.
2. In the Enter network address or network host address field, type the name of the domain for which email messages are intended.

   Type the domain names in FQDN format.

3. Click the OK button.

   The Adding a trusted network window closes.

Addresses are added one at a time. Repeat the process of adding addresses to the list for all addresses that you are adding.

Click the Save and go to Completing the integration link to proceed to the next step of the wizard.

[Topic 100468]

Step 4. Completing the integration of Kaspersky Secure Mail Gateway through an edge gateway (SMTP verification of recipient email addresses is disabled)

At this step, check the settings you have specified for integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure and confirm your choice.

When integration into the corporate mail infrastructure is completed, the following settings of Kaspersky Secure Mail Gateway are configured automatically:

• SPF authentication of message senders is disabled.

  Do not enable SPF authentication of message recipients because the message sender is the edge gateway from which Kaspersky Secure Mail Gateway receives messages.

• DMARC authentication of domains from which Kaspersky Secure Mail Gateway receives messages is disabled.

  Do not enable DMARC authentication of domains because Kaspersky Secure Mail Gateway receives messages from an intermediate gateway.

• SMTP verification of recipient email addresses is disabled.

  Do not enable SMTP verification of recipient email addresses because SMTP verification of recipient email addresses is disabled on the edge gateway.

After you complete all steps of the Quick MTA Setup, Kaspersky Secure Mail Gateway resets all values of MTA setting and replaces them with values that you specified in the Quick MTA Setup Wizard.

[Topic 90250]

Kaspersky Secure Mail Gateway Monitoring

This section provides information on mail traffic monitoring, the latest threats detected, and system resources.

[Topic 89098]

Mail traffic monitoring

To evaluate the current status of Kaspersky Secure Mail Gateway mail traffic:

1. In the main window of the application web interface, open the management console tree and select the Monitoring section.
2. In the workspace, select the Email Traffic tab.
3. Select one of the periods for which you want to display information about mail traffic.

   You can view information about mail traffic for the following periods: hour, day, week or 30 days.

4. Select the option for displaying information in charts.

   You can view the by quantity or by size charts of detected messages.

5. Select the status labels of messages (for example, Clean, Infected, With spam or all messages) information about which you want to view.

The workspace displays mail traffic charts for the selected period.

[Topic 89099]

Monitoring of the latest detected threats

To view the list of the latest detected threats:

1. In the main window of the application web interface, open the management console tree and select the Monitoring section.
2. In the workspace, select the Latest Threats Detected tab.

The Latest infected objects detected list is displayed – the last 5 objects detected.

[Topic 89100]

Monitoring of system resources usage

To evaluate current usage of system resources:

1. In the main window of the application web interface, open the management console tree and select the Monitoring section.
2. In the workspace, select the System Resources tab.
3. Select check boxes next to the types of data that you want to see in the system load chart (for example, you can select CPU, RAM, Swap or all options at once).
4. Select check boxes next to the types of data that you want to see in the network interfaces load chart (for example, you can select Sending, Receiving or all options at once).

The workspace displays the System and Network Interfaces charts with the data you selected.

[Topic 144230]

Monitoring the status of services and operation of the MTA mail agent

In the Monitoring section of the Kaspersky Secure Mail Gateway web interface, the following information on the status of mail server protection is displayed in the right part of the workspace:

• Operating status of the Anti-Spam module, up-to-date status of the Anti-Spam module databases, and the number of messages in Anti-Spam Quarantine.
• Operating status of the Anti-Virus module, and up-to-date status of Anti-Virus module databases.
• Status of the connection with the server hosting the KATA component, the number of messages in KATA Quarantine (if you are using Kaspersky Anti Targeted Attack Platform).
• Operating status of the Anti-Phishing module, and up-to-date status of the Anti-Phishing module databases.
• Status of the connection with Kaspersky Security Network or Kaspersky Private Security Network (if you are using Kaspersky Private Security Network).
• Information about the last update of application databases.
• Status of the connection to LDAP servers
• License validity period and a license expiration notification if the license is about to expire
• Information about the status of transmission and reception of messages by the MTA.

If you have activated the application, the Anti-Spam, Anti-Virus, and Anti-Phishing modules are enabled by default, and message transmission and receipt is enabled for the MTA mail agent.

[Topic 88778]

Using message processing rules

A message processing rule (hereinafter also "the rule") is a specific multitude of pairs of addresses of senders and recipients whose email messages are processed by Kaspersky Secure Mail Gateway by applying the same values of settings. For a rule to be assigned to an email message, the addresses of the sender and recipient must be specified in the rule settings.

By default, the application contains the following preset message processing rules:

• WhiteList—Process messages from the white list.
• BlackList—Process messages from the black list.
• Default—Process messages according to settings predefined by Kaspersky Lab.

When processing an email message, Kaspersky Secure Mail Gateway checks each rule for the sender-recipient pair of addresses beginning with the highest-priority rule (1). If no match is found, Kaspersky Secure Mail Gateway checks the pair of addresses of the rule with the next highest priority (2). As soon as it finds the sender-recipient pair of addresses in any rule, the application applies the processing settings configured in that rule to the message.

If none of the rules contains the "sender - recipient" pair of addresses, the message is processed according to the preset settings of the Default rule.

For each rule, you can specify your own settings for processing email messages.

[Topic 88114]

Creating message processing rules

To create a message processing rule:

1. In the main window of the application web interface, open the management console tree and select the Rules section.
2. Click the Create button in the upper part of the workspace.

   A new message processing rule opens.

3. Select the General rule settings section.
4. In the Rule Name (required) field, enter the name of the new rule.

   The rule must have a unique name in the list of Kaspersky Secure Mail Gateway rules.

5. In the Rule Description field, enter the rule description.
6. In the Rule Mode settings group, select one of the following message processing options:
   • Use the settings of scan modules, if you want the application to process messages according to this rule using the settings of the Anti-Spam, Anti-Phishing, and Anti-Virus engines and content filtering settings configured for this rule.

     The following settings groups are displayed in the lower part of the workspace (if they were hidden previously). You can use them to configure Kaspersky Secure Mail Gateway settings for a rule:

     • Anti-Spam.
     • Anti-Virus.
     • KATA protection.
     • Anti-Phishing.
     • Content Filtering.
     • Notifications.
     • Email Disclaimer.
     • Insecure Message Warning.
     • Mail Sender Authentication.
   • Reject without scanning — if you want the application to reject the message without scanning when processing the message according to this rule.
   • Delete without notifying the sender, if you want the application to delete messages without notifying the sender when processing messages according to this rule.
   • Skip from scanning — if you want the application to deliver messages to recipients without scanning them when processing messages according to this rule.

     The Email Disclaimer section is displayed in the lower part of the workspace, in which you can configure disclaimers for messages processed according to this rule.

7. Click the Create button in the lower part of the workspace.

The rule is created and added to the list of rules in the Rules section.

In order for a rule to be used by Kaspersky Secure Mail Gateway, you have to configure the list of message senders and the list of message recipients for this rule.

You can also create a rule by copying an existing rule or editing its settings.

By default, the rule is assigned the highest priority of all previously created rules. You can change the rule priority level.

In order for the settings you have configured to be used during operation of Kaspersky Secure Mail Gateway, make sure that the rule for which you have configured settings is enabled. By default, the new rule is disabled and not used during operation of the application.

[Topic 94016]

Creating a copy of a message processing rule

To create a copy of a message processing rule:

1. In the main window of the application web interface, open the management console tree and select the Rules section.
2. Select the check box in the line with the name of the rule that you want to copy.
3. Click the Copy button in the upper part of the workspace.
4. In the General rule settings section, in the Rule Name (required) field, change the rule name.

   The rule must have a unique name in the list of Kaspersky Secure Mail Gateway rules.

5. Click the Create button in the lower part of the workspace.

A copy of the rule is created and added to the list of rules in the Rules section.

You can edit the rule description, rule settings, and Kaspersky Secure Mail Gateway settings for this rule.

By default, the rule is assigned the highest priority of all previously created rules. You can change the rule priority level.

In order for the settings you have configured to be used during operation of Kaspersky Secure Mail Gateway, make sure that the rule for which you have configured settings is enabled. By default, the new rule is disabled and not used during operation of the application.

[Topic 94141]

Configuring lists of message senders and recipients for a rule

In order for a rule to be used by Kaspersky Secure Mail Gateway, you have to configure the lists of message senders and recipients for this rule.

You can configure lists of message senders and recipients as follows:

• Create lists of message senders and recipients. You can add IP addresses of message senders and email addresses and LDAP accounts of message senders and recipients to lists.
• Copy addresses from lists of message senders and recipients to clipboard and paste addresses from clipboard into lists of message senders and recipients.
• Remove addresses from lists of message senders and recipients. You can remove individual addresses from lists, clear the lists of message senders and recipients, and also remove LDAP accounts from the List of senders' LDAP accounts and the List of recipients' LDAP accounts in the process of configuring lists of message senders and recipients.

[Topic 88117]

Adding email addresses

To add email addresses to lists of message senders and recipients:

1. In the main window of the application web interface, open the management console tree and select the Rules section.
2. In the list of rules, click the name of the rule to open the rule for which you want to manage the list of message senders and recipients.
3. Select the General rule settings section.
4. Select the list to which you want to add email addresses:
   • Senders — if you want to add email addresses to the list of message senders.
   • Recipients — if you want to add email addresses to the list of message recipients.
5. Under the list name, click the button with the icon corresponding to the type of the sender's or recipient's address, and select Email addresses in the context menu of the button.
6. Type the email address in the field to the right of the Email addresses icon.

   The email addresses are entered one at a time. Repeat the process of adding addresses to the list for all email addresses that you are adding.

   You can use the symbols "*" and "?" to create an address mask, and regular expressions beginning with the prefix "reg:".

   Regular expressions are not case-sensitive.

7. Click the Add button on the right of the entry field.

   Once added, the email address appears in the list you have selected with the Email addresses icon.

8. To undo the last action, click the Undo last link under the list you have selected.
9. After adding all email addresses to the list, click the Apply button in the lower part of the workspace.

Changes made to the lists of message senders or recipients are saved in the message processing rule that you are configuring.

In order for the settings you have configured to be used during operation of Kaspersky Secure Mail Gateway, make sure that the rule for which you have configured settings is enabled.

[Topic 94174]

Adding IP addresses

You can add IP addresses only to the list of message senders. IP addresses cannot be added to the list of message recipients.

To add IP addresses to the list of message senders:

1. In the main window of the application web interface, open the management console tree and select the Rules section.
2. In the list of rules, click the name of the rule to open the rule for which you want to manage the list of message senders and recipients.
3. Select the General rule settings section.
4. In the Senders section, click the button with the icon for the sender address type, and select IP addresses in the context menu of the icon.
5. In the field on the right of the IP addresses icon, enter the IP address of the message sender.

   IP addresses should be entered one at a time. Repeat the process of adding addresses to the list for all IP addresses that you are adding.

   You can enter an IPv4 address (for example: 192.0.0.1 or 192.0.0.0/16), an IPv6 address (for example: 2607:f0d0:1002:51::4), or subnet address in CIDR format (for example: fc00::/7).

6. Click the Add button on the right of the entry field.

   The IP address you have added appears in the list of message senders with the IP addresses icon.

7. To undo the last action, click the Undo last link under the list of message senders.
8. After adding all IP addresses to the list, click the Apply button in the lower part of the workspace.

Changes made to the lists of message senders or recipients are saved in the message processing rule that you are configuring.

In order for the settings you have configured to be used during operation of Kaspersky Secure Mail Gateway, make sure that the rule for which you have configured settings is enabled.

[Topic 94175]

Adding LDAP accounts

To add LDAP accounts to lists of message senders and recipients:

1. In the main window of the application web interface, open the management console tree and select the Rules section.
2. In the list of rules, click the name of the rule to open the rule for which you want to manage the list of message senders and recipients.
3. Select the General rule settings section.
4. Select the list to which you want to add LDAP accounts:
   • Senders, if you want to add LDAP accounts to the list of message senders.
   • Recipients — if you want to add LDAP accounts to the list of message recipients.
5. Under the list name, click the button with the icon corresponding to the type of the sender's or recipient's address, and select LDAP accounts in the context menu of the button.
6. Click the Find button on the right of the entry field.

   This opens a window depending on the list to which you are adding LDAP accounts:

   • Edit list of senders for rule, if you want to add LDAP accounts to the list of message senders.
   • Edit list of recipients for rule, if you want to add LDAP accounts to the list of message recipients.
7. In the window that opens, in the Sender's LDAP account or Recipient's LDAP account field, enter a search string for searching accounts in the external directory service.
8. Click the Find button on the right of the entry field.

   The list of accounts that have been found is displayed in the field under the Find button.

9. Select the LDAP accounts that you want to add to the list of message senders or recipients.

   You can select several LDAP accounts.

10. Click the Add to list button under the list.

    The selected accounts are displayed in a list:

    • List of senders' LDAP accounts, if you want to add LDAP accounts to the list of message senders.
    • List of senders' LDAP accounts — if you want to add LDAP accounts to the list of message recipients.
11. Click OK in the lower part of the window.
    • Edit list of senders for rule, if you want to add LDAP accounts to the list of message senders.
    • Edit list of recipients for rule, if you want to add LDAP accounts to the list of message recipients.

    The window in which you added LDAP accounts closes.

    The LDAP accounts that you have added appear in the list of addresses with the LDAP accounts icon.

12. To undo the last action, click the Undo last link under the list of addresses.
13. Click the Apply button in the lower part of the workspace.

Changes made to the lists of message senders or recipients are saved in the message processing rule that you are configuring.

In order for the settings you have configured to be used during operation of Kaspersky Secure Mail Gateway, make sure that the rule for which you have configured settings is enabled.

[Topic 94224]

Removing LDAP accounts from the list of LDAP accounts

You can remove LDAP accounts from lists of senders and recipients in message processing rules and also from lists of LDAP accounts in the Edit list of senders for rule and Edit list of recipients for rule windows while configuring lists of message senders and recipients for a rule.

To remove LDAP accounts from lists of LDAP accounts:

1. In the main window of the application web interface, open the management console tree and select the Rules section.
2. In the list of rules, click the name of the rule to open the rule for which you want to manage the list of message senders and recipients.
3. Select the General rule settings section.
4. Select the list in which you want to manage LDAP accounts:
   • Edit list of recipients for rule—To manage LDAP accounts of message senders.
   • Recipients—To manage LDAP accounts of message recipients.
5. Under the list name, click the button with the icon corresponding to the type of the sender's or recipient's address, and select LDAP accounts in the context menu of the button.
6. Click the Find button on the right of the entry field.

   This opens a window depending on the list in which you are managing LDAP accounts:

   • Edit list of senders for rule—To manage LDAP accounts of message senders.
   • Edit list of recipients for rule—To manage LDAP accounts of message recipients.
7. In the lower part of the window, select the LDAP accounts that you want to remove from the list:
   • List of senders' LDAP accounts, if you are removing LDAP accounts from the list of message senders.
   • List of recipients' LDAP accounts, if you are removing LDAP accounts from the list of message recipients.

   You can select several LDAP accounts.

8. Click the Delete from List button under the list.

   The selected accounts are removed from the selected list.

9. Click OK in the lower part of the window.
   • Edit list of senders for rule, if you are removing LDAP accounts from the list of message senders.
   • Edit list of recipients for rule, if you are removing LDAP accounts from the list of message recipients.

   The window in which you deleted LDAP accounts closes.

   The deleted LDAP accounts are also removed from the list of addresses of message senders or recipients for the rule you selected.

10. To undo the last action, click the Undo last link under the list of addresses.
11. Click the Apply button in the lower part of the workspace.

Changes made to the list of message senders or recipients are saved in the message processing rule that you are configuring.

In order for the settings you have configured to be used during operation of Kaspersky Secure Mail Gateway, make sure that the rule for which you have configured settings is enabled.

[Topic 94147]

Copying and pasting addresses

To copy an address from the list of senders or recipients in a message processing rule:

1. In the main window of the application web interface, open the management console tree and select the Rules section.
2. In the list of rules, click the name of the rule to open the rule for which you want to manage the list of message senders or recipients.
3. Select the General rule settings section.
4. Select the list from which you want to copy addresses to clipboard:
   • Senders, if you want to copy addresses from the list of message senders.
   • Recipients, if you want to copy addresses from the list of message recipients.
5. Click the Export link under the selected list to open the Export entries to clipboard window.
6. In the Select type list, select the type of addresses that you want to copy:
   • Email addresses, if you want to copy email addresses.
   • IP addresses, if you want to copy IP addresses (only from the list of message senders).
   • LDAP accounts, if you want to copy LDAP accounts.

   A list of addresses of the selected type appears in the field under the list of address types.

7. Select the addresses you want to copy.
8. Copy the addresses to clipboard.
9. In the lower part of the Export entries to clipboard window, click the Cancel button.

   The Export entries to clipboard window closes.

To paste addresses from clipboard to the list of message senders or recipients in a message processing rule:

1. In the main window of the application web interface, open the management console tree and select the Rules section.
2. In the list of rules, click the name of the rule to open the rule for which you want to manage the list of message senders and recipients.
3. Select the General rule settings section.
4. Select the list into which you want to paste addresses from clipboard:
   • Senders — if you want to paste addresses from clipboard into the list of message senders.
   • Recipients — if you want to paste addresses from clipboard into the list of message recipients.
5. Click the Import link under the selected list to open the Import records from clipboard window.
6. In the Select type list, select the type of addresses that you want to past from clipboard:
   • Email addresses — if you want to paste email addresses.
   • IP addresses — if you want to paste IP addresses (only from the list of message senders).
   • LDAP accounts — if you want to paste LDAP accounts.
7. Paste addresses from clipboard into the field under the list of address types.
8. In the lower part of the Export entries to clipboard window, click the Import button.

   The Import records from clipboard window closes.

   The addresses you have added appear in the list of message senders or recipients with icons corresponding to the types of addresses.

9. To undo the last action, click the Undo last link under the list of message senders or recipients.
10. Click the Apply button in the lower part of the workspace.

Changes made to the lists of message senders or recipients are saved in the message processing rule that you are configuring.

In order for the settings you have configured to be used during operation of Kaspersky Secure Mail Gateway, make sure that the rule for which you have configured settings is enabled.

[Topic 94151]

Deleting addresses

You can remove individual addresses from the lists of senders or recipients or clear the lists of senders and recipients in a message processing rule.

To remove addresses from the list of senders or recipients:

1. In the main window of the application web interface, open the management console tree and select the Rules section.
2. In the list of rules, click the name of the rule to open the rule for which you want to manage the list of message senders and recipients.
3. Select the General rule settings section.
4. Select the list from which you want to remove addresses:
   • Senders — if you want to remove addresses from the list of message senders.
   • Recipients — if you want to remove addresses from the list of message recipients.
5. In the list, select the address that you want to remove.
6. Click the removal icon on the right of the address that you want to remove.

   The address is removed from the list of message senders or recipients.

7. To undo the last action, click the Undo last link under the list of message senders or recipients.
8. Click the Apply button in the lower part of the workspace.

Changes made to the lists of message senders or recipients are saved in the message processing rule that you are configuring.

To clear the list of senders or recipients:

1. In the main window of the application web interface, open the management console tree and select the Rules section.
2. In the list of rules, click the name of the rule to open the rule for which you want to manage the list of message senders and recipients.
3. Select the General rule settings section.
4. Select the list from which you want to remove all addresses:
   • Senders — if you want to clear the list of message senders.
   • Recipients — if you want to clear the list of message recipients.
5. Click the link under the selected list to open the action confirmation window:
   • Clear list of senders — if you want to clear the list of message senders.
   • Clear the list of recipients — if you want to clear the list of message recipients.
6. Click the Yes button.

   The action confirmation window closes.

   All addresses are removed from the list of message senders or recipients.

7. To undo the last action, click the Undo last link under the list of message senders or recipients.
8. Click the Apply button in the lower part of the workspace.

Changes made to the lists of message senders or recipients are saved in the message processing rule that you are configuring.

In order for the settings you have configured to be used during operation of Kaspersky Secure Mail Gateway, make sure that the rule for which you have configured settings is enabled.

[Topic 88123]

Deleting message processing rules

To delete message processing rules:

1. In the main window of the application web interface, open the management console tree and select the Rules section.
2. Select the check box in the lines with the names of one or several rules that you want to delete.
3. Click the Delete button in the upper part of the workspace.

The selected message processing rules are deleted.

[Topic 88115]

Enabling and disabling a message processing rule

To enable or disable a message processing rule:

1. In the main window of the application web interface, open the management console tree and select the Rules section.
2. Do one of the following:
   • Flip on the toggle switch in the line with the name of the rule that you want to enable.
   • Flip off the toggle switch in the line with the name of the rule that you want to disable.

[Topic 88122]

Changing the message processing rule priority

To change the message processing rule priority:

1. In the main window of the application web interface, open the management console tree and select the Rules section.
2. Select the check box in the line with the name of the rule whose priority you want to change.
3. Click one of the following buttons in the upper part of the workspace:
   • Move Up, if you want to raise the priority of the rule by one level.

     The rule is moved one level up in the list of rules.

     Click the Move Up button as many times as you want to raise the priority of the rule.

   • Move Down, if you want to lower the priority of the rule by one level.

     The rule is moved one level down in the list of rules.

     Click the Move Down button as many times as you want to lower the priority of the rule.

[Topic 100458]

Domains and configuration of email routing

This section contains information on how to add domains and email addresses to a transport map, configure email routing for those domains, remove domains from the list, configure TLS security modes for incoming and outgoing email messages, and add a DKIM signature to messages.

By default, Kaspersky Secure Mail Gateway uses the settings of your DNS server for email routing. You can manually configure email routing. To do so, you must create a transport map. In the transport map, enter the names of the domains for which the email messages are intended and then enter the IP addresses or fully qualified domain names (FQDN) to which Kaspersky Secure Mail Gateway will be redirecting messages intended for these domains.

This section also describes configuration of email routing for local domains (relay_domains).

Local domains (relay_domains) are domains of your organization for which Kaspersky Secure Mail Gateway will be receiving email messages from the outside. Kaspersky Secure Mail Gateway will receive messages only for the domains you specified. Messages intended for other domains are rejected.

If local domains are not specified, Kaspersky Secure Mail Gateway will not be receiving messages for your internal mail servers.

[Topic 144188]

Adding a record to the transport map and configuring email routing (transport_map)

To add a record to the transport map and configure email routing:

1. In the main window of the application web interface, open the management console tree and select the Domains section.
2. Click the Add button.

   The record creation window opens.

3. In the Record type settings group, select one of the following record types:
   • Domain, if you want to add a domain to the transport map.
   • Subdomains of, if you want to add subdomains of a domain to the transport map.
   • Email address, if you want to add an email address to the transport map.
4. In the Domain/Email address field, enter the domain name and the name of subdomains in FQDN format, or the email address.
5. Select the check box next to the name of the Local domain setting if you want to add a local domain.
6. In the Email routing settings group, select the switch next to the name of the Configure email routing setting.
7. In the Protocol settings group, select one of the email transmission protocols:
   • SMTP, if you want to configure email transmission via the SMTP protocol.
   • LMTP, if you want to configure email transmission via the LMTP protocol.
8. In the Destination address and port number field, enter the IP address or the domain name of the server to which you want to configure routing of email.

   You can enter an IPv4 address (for example, 192.0.0.1 or 192.0.0.0/16), a subnet mask in CIDR notation (for example: fc00::/7), a domain name or FQDN.

9. In the MX lookup section, enable or disable MX record lookup. Select one of the following options:
   • Disabled, if you want to disable MX record lookup.
   • Enabled, if you want to enable MX record lookup.
10. If you are adding a domain or subdomains, in the TLS Encryption mode for all outgoing mail of the mail server settings group select one of the following options:
    • Use TLS Encryption mode, set for all outgoing mail from the server, if you want to use the TLS encryption mode set for all outgoing messages from the mail server for this domain.
    • Override TLS Encryption mode for this domain, if you want to configure a different TLS encryption mode for this domain.
11. If you have chosen to modify the TLS encryption mode for this domain, in the Override TLS Encryption mode for this domain list select the mode of TLS encryption of the connection that you want to set.
12. If you want to configure the DKIM signature for messages from addresses of this domain, in the DKIM signature for messages from domain addresses settings group, do the following:
    1. Click the Add button.

       The Creating DKIM signature for the domain window opens.

    2. In the Selector field, type the name that will help you find the DKIM signature.
    3. In the Key name list, select the DKIM key based on which the DKIM signature will be added to messages.
    4. Click the OK button.

       The Creating DKIM signature for the domain window closes.

13. Click Add in the lower part of the window.

The added record is displayed in the transport map.

[Topic 143890]

Adding a local domain (relay_domain)

To add a local domain of your organization:

1. In the main window of the application web interface, open the management console tree and select the Domains section.
2. Click the Add button.

   The record creation window opens.

3. In the Record type settings group, select Domain as the record type.
4. In the Domain/Email address field, type the name of the domain for which Kaspersky Secure Mail Gateway will be receiving email messages from the outside.

   Type the fully qualified domain name (FQDN).

5. Select the check box next to the name of the Local domain setting.

   Kaspersky Secure Mail Gateway will receive messages only for the domains you specified. Messages intended for other domains are rejected.

6. In the Email routing settings group, select the switch next to the name of the Configure email routing setting.
7. In the Protocol settings group, select one of the email transmission protocols:
   • SMTP, if you want to configure email transmission via the SMTP protocol.
   • LMTP, if you want to configure email transmission via the LMTP protocol.
8. In the Destination address and port number field, enter the IP address or the domain name of the server to which you want to configure routing of email.

   You can enter an IPv4 address (for example, 192.0.0.1 or 192.0.0.0/16), a subnet mask in CIDR notation (for example: fc00::/7), a domain name or FQDN.

9. In the MX lookup section, enable or disable MX record lookup. Select one of the following options:
   • Disabled, if you want to disable MX record lookup.
   • Enabled, if you want to enable MX record lookup.
10. In the TLS Encryption mode for all outgoing mail of the mail server settings group, select one of the following options:
    • Use TLS Encryption mode, set for all outgoing mail from the server, if you want to use the TLS encryption mode set for all outgoing messages from the mail server for this domain.
    • Override TLS Encryption mode for this domain, if you want to configure a different TLS encryption mode for this domain.
11. If you have chosen to configure a different TLS encryption mode for this domain, in the Override TLS Encryption mode for this domain list select the mode of TLS encryption of the connection that you want to set.
12. If you want to configure the DKIM signature for messages from addresses of this domain, in the DKIM signature for messages from domain addresses settings group, do the following:
    1. Click the Add button.

       The Creating DKIM signature for the domain window opens.

    2. In the Selector field, type the name that will help you find the DKIM signature.
    3. In the Key name list, select the DKIM key based on which the DKIM signature will be added to messages.
    4. Click the OK button.

       The Creating DKIM signature for the domain window closes.

13. Click Add in the lower part of the window.

The domain for which Kaspersky Secure Mail Gateway will be receiving messages appears in the list of domains.

[Topic 143891]

Deleting a record from the transport map

To delete a record from the transport map:

1. In the main window of the application web interface, open the management console tree and select the Domains section.
2. In the list of domains, select the check box next to each record that you want to delete from the transport map.
3. Click the Delete button.

   The Delete action confirmation window opens.

4. Click the Yes button.

The record will be removed from the transport map.

[Topic 100478]

Modifying email routing for a domain (transport_map)

To modify email routing for a domain:

1. In the main window of the application web interface, open the management console tree and select the Domains section.
2. Within the transport map, click the link with the domain name to expand the email routing settings for this domain.
3. In the Protocol settings group, select one of the email transmission protocols:
   • SMTP, if you want to configure email transmission via the SMTP protocol.
   • LMTP, if you want to configure email transmission via the LMTP protocol.
4. In the Destination address and port number field, enter the IP address or the domain name of the server to which you want to configure routing of email.

   You can enter an IPv4 address (for example, 192.0.0.1 or 192.0.0.0/16), a subnet mask in CIDR notation (for example: fc00::/7), a domain name or FQDN.

5. In the MX lookup section, enable or disable MX record lookup. Select one of the following options:
   • Disabled, if you want to disable MX record lookup.
   • Enabled, if you want to enable MX record lookup.
6. In the Destination address and port number field, type the IP address of the server to which you want to configure routing of email.

   You can enter an IPv4 address (for example, 192.0.0.1 or 192.0.0.0/16), domain name or FQDN.

7. Click OK in the lower part of the window.

Email routing will be modified for the domain.

[Topic 95398]

About using the TLS protocol in the operation of Kaspersky Secure Mail Gateway

TLS (Transport Layer Security) protocol is a protocol for encrypting the connection between two servers, which ensures secure transmission of data between network hosts on the Internet.

TLS session is a sequence of the following events:

1. The server from which email messages are sent (Client) establishes a connection to the server to which email messages are sent (Server).
2. Servers start interacting via the SMTP protocol.
3. The Client uses the STARTTLS command to offer the Server to use TLS during SMTP interaction.
4. If the Server is able to use TLS, it responds with the Ready to start TLS command and sends the Server certificate to the Client.
5. The Client receives the certificate and, if the necessary parameter values are specified within it, verifies the authenticity of the Server certificate.
6. The Client and the Server enable the data encryption mode.
7. The servers exchange data.
8. The session ends.

You can configure TLS security mode for situations when Kaspersky Secure Mail Gateway receives messages from another server (acts in the Server role) and sends messages to another server (acts in the Client role), as well as configure TLS settings for individual domains and domain groups that use the same IP address.

[Topic 95403]

Configuring TLS security for incoming email messages

To configure TLS security mode for situations when Kaspersky Secure Mail Gateway receives messages from another server (acts in the Server role):

1. In the main window of the application web interface, open the management console tree and select the Domains section.
2. Click any link to open the TLS settings window.
3. In the Server TLS security level settings group, select one of the following modes of TLS encryption of the connection between Kaspersky Secure Mail Gateway and the server that sends email messages:
   • No TLS Encryption if you do not want to use TLS encryption of the connection to the server that sends email messages.

     In this case, Kaspersky Secure Mail Gateway receives all messages in unencrypted form.

   • Accept TLS Encryption, if you want Kaspersky Secure Mail Gateway to prompt the server sending email messages to use TLS encryption of the connection.

     In this case, Kaspersky Secure Mail Gateway uses the STARTTLS command to offer the server that sends email messages to use TLS encryption, but accepts messages regardless of the server's response.

   • Require TLS Encryption, if you want Kaspersky Secure Mail Gateway to require that the server sending email messages must use TLS encryption of the connection.

     In this case, the server that is sending email messages (Client) uses the STARTTLS command to offer Kaspersky Secure Mail Gateway to use TLS encryption. Kaspersky Secure Mail Gateway responds with the Ready to start TLS command and sends the Server certificate to the Client and also requires the Client to verify the authenticity of the Server certificate. The encrypted TLS connection is established after the Client has verified the authenticity of the Server certificate.

4. In the Providing Server TLS certificate settings group, select the TLS certificate of the server to be sent by Kaspersky Secure Mail Gateway to the Client for authentication at the beginning of each TLS session.

   You can create or import a TLS certificate in the Encryption Keys section, TLS subsection of the main window of the Kaspersky Secure Mail Gateway web interface.

5. In the Requesting Client TLS certificate settings group, select one of the following options:
   • Do not request if you want Kaspersky Secure Mail Gateway not to request the client's TLS certificate.
   • Request if you want Kaspersky Secure Mail Gateway to request the client's TLS certificate but to still be able to redirect messages regardless of the certificate verification result.
   • Require if you want Kaspersky Secure Mail Gateway to require the client's TLS certificate and not forward messages on detecting an invalid name or invalid TLS certificate of the client.

     Set the Request or Require mode only if you are certain that the clients supported by your mail server can provide a verifiable TLS certificate.

6. Click the OK button.

[Topic 95406]

Configuring TLS security for outgoing email messages

To configure TLS security mode for situations when Kaspersky Secure Mail Gateway redirects messages from another server (acts in the Client role):

1. In the main window of the application web interface, open the management console tree and select the Domains section.
2. Click any link to open the TLS settings window.
3. In the Client TLS security level settings group, select one of the following modes of TLS encryption of the connection between Kaspersky Secure Mail Gateway and the server that receives email messages:
   • No TLS Encryption, if you do not want to use TLS encryption of the connection with the server that receives email messages.

     In this case, Kaspersky Secure Mail Gateway redirects all messages in unencrypted form.

   • Attempt TLS Encryption, if you want Kaspersky Secure Mail Gateway to attempt to establish a TLS session with the receiving mail server and, if the receiving server does not support TLS, redirect messages in unencrypted form.
   • Require TLS Encryption and don't verify certificate, if you want Kaspersky Secure Mail Gateway to redirect messages only if the receiving mail server supports TLS, but regardless of the authenticity of its TLS certificate.
   • Require TLS Encryption and verify certificate, if you want Kaspersky Secure Mail Gateway to redirect messages only if the receiving mail server supports TLS, its TLS certificate has been verified, and the certificate name matches the domain name of the server.

     Kaspersky Secure Mail Gateway does not redirect messages when these conditions are not satisfied.

4. Click the OK button.

[Topic 95402]

About the DKIM signature for outgoing messages

A DKIM signature for outgoing messages  is a digital signature added to messages sent from email addresses of a certain domain for purposes of identifying users by the name of the corporate domain.

DomainKeys Identified Mail (DKIM) technology combines several existing anti-phishing and anti-spam methods to improve the quality of classification and identification of legitimate email. Instead of a traditional IP address, DKIM technology adds a digital signature associated with the name of the corporate domain to the message for the purpose of identifying its sender.

[Topic 100393]

Enabling and disabling the DKIM signature for outgoing messages

To enable or disable the DKIM signature for outgoing messages:

1. In the main window of the application web interface, open the management console tree and select the Domains section.
2. In the upper part of the workspace, click the DKIM signature link to open the DKIM settings window.
3. Select one of the following options in the DKIM signature drop-down list:
   • Enabled, if you want to add the DKIM signature to outgoing messages.
   • Disabled, if you do not want to add the DKIM signature to outgoing messages.
4. Click the OK button.

The DKIM settings window closes.

[Topic 102272]

Preparing to add the DKIM signature to outgoing messages

You can configure the DKIM signature for messages in the web interface of Kaspersky Secure Mail Gateway.

The process of configuring the DKIM signature for messages consists of the following steps:

1. Enabling the DKIM signature for outgoing messages.
2. Creating or importing a DKIM key.
3. Adding the DKIM signature to messages sent from email addresses in a specific domain.

In order for the remote mail server to be able to verify the DKIM signature added to outgoing messages, you need to obtain the DNS record of the public DKIM key via the web interface of Kaspersky Secure Mail Gateway and add it to the settings of your DNS server.

To obtain the DNS record of the public DKIM key, do the following in the web interface of Kaspersky Secure Mail Gateway:

1. In the main window of the application web interface, open the management console tree and select the Domains section.
2. If the workspace shows the value of the setting as Disabled, do the following:
   1. Click the DKIM signature link to open the DKIM settings window.
   2. In the DKIM signature drop-down list, select Enabled.
   3. Click the OK button.

      The DKIM settings window closes.

3. In the list of domains, open the record editing window by clicking the link containing the name of the domain for whose addresses you want to configure the DKIM signature to be added to outgoing messages.
4. In the DKIM signature for messages from domain addresses settings group, click the Add button.

   The Creating DKIM signature for the domain window opens.

5. In the Selector field, type the name that will help you find the DKIM signature.
6. In the Key name list, select the DKIM key based on which the DKIM signature will be added to messages.
7. Click the OK button.

   The Creating DKIM signature for the domain window closes.

In the DKIM signature for messages from domain addresses settings group, the DNS record field displays the DNS record of the public DKIM key for the specific domain.

To add a public DKIM key to the settings of your DNS server:

1. Sign in to your DNS server under the administrator account.
2. Locate the page with information on updating DNS records of the domain for whose addresses you want to configure the DKIM signature to be added to outgoing messages.

   For example, this page can be named "DNS Management", "Name Server Management", or "Advanced Settings".

3. Find records in TXT format for the domain for whose addresses you want to configure the DKIM signature to be added to outgoing messages.
4. In the list of records in TXT format, add the DNS record of the public DKIM key for a certain domain with the following contents:

   <selector>._domainkey.<name of the domain for which you want to add the public DKIM key>. IN TXT ( "v=<DKIM version>; k=rsa; s=email" "p=<DNS record of the public DKIM key>" )

    

   Example of a DNS record for an opened DKIM key: mail._domainkey.example.com IN TXT ( "v=DKIM1; k=rsa; s=email; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtyb09IeTJtIxTEohP/wa8eZOuiFJxL3pjk+1R81ajQyTb4J8Dj23RbjOKCZGFdyJfj7MUUL9MpvAo6OL9KrfaF8ehR7MbHhaix1qPDfSP5a97vl9/6KR2TKJfi+0dQ/pMLJMbnXfdWeoDoDBUK0++B8HHCnSpLTxsH/YDOtjKaHFxbU6DMEICTiVBWR+yeWopdWi9kPNT5SJ5H" )

   See Document RFC 5617 for details on configuring settings of the DNS record of a public DKIM key.

5. Save changes.

The syntax of the sample DNS record is provided for purposes of adding it to the settings of a BIND DNS server. The syntax of the DNS record to be added to other DNS servers may differ slightly from the example provided.

[Topic 100439]

Adding the DKIM signature to messages from addresses from a specific domain

Before adding the DKIM signature to messages from addresses belonging to a certain domain, you have to create or import a DKIM key.

To add the DKIM key to messages sent from email addresses belonging to a certain domain:

1. In the main window of the application web interface, open the management console tree and select the Domains section.
2. If the workspace shows the value of the setting as Disabled, do the following:
   1. Click the DKIM signature link to open the DKIM settings window.
   2. In the DKIM signature drop-down list, select Enabled.
   3. Click the OK button.

      The DKIM settings window closes.

3. In the list of domains, select the domain for which you want to add the DKIM signature to outgoing messages.
4. In the DKIM signature for messages from domain addresses settings group, click the Add button.
5. The Creating DKIM signature for the domain window opens.
6. In the Selector field, type the name that will help you find the DKIM signature.
7. In the Key name list, select the DKIM key based on which the DKIM signature will be added to messages.
8. Click the OK button.

The Creating DKIM signature for the domain window closes.

After you have configured the DKIM signature for messages in the web interface of Kaspersky Secure Mail Gateway, to enable the remote mail server to be able to verify this DKIM signature you must add the public DKIM key to the settings of your DNS server.

[Topic 95401]

DKIM signature for outgoing messages

This section provides instructions on adding a DKIM signature to outgoing messages.

[Topic 100482]

Creating the DKIM key

To create a DKIM key:

1. In the main window of the application web interface, open the management console tree and select the Encryption Keys section and DKIM subsection.
2. Click the Create button in the upper part of the workspace.

   The Key name field appears.

3. In the Key name field, type the name of the DKIM key that will help you to find the key when adding the DKIM signature for messages.
4. Click the OK button.

The DKIM key you have created appears in the list of DKIM keys in the workspace of the main window of the application web interface.

[Topic 100484]

Importing the DKIM key from file

To import a DKIM key from file:

1. In the main window of the application web interface, open the management console tree and select the Encryption Keys section and DKIM subsection.
2. Click the Import from file button in the upper part of the workspace.
3. In the Key name field, type the name that you want to assign to the DKIM key being imported.
4. Click the Browse button on the right of the Choose DKIM key file field.

   The file selection window opens in the browser that you use.

5. Choose the file of the DKIM key that you want to import and click the Open button in your browser.

   The file must contain an RSA key in PEM format and be 2048 or 4096 bits long.

   The file selection window closes.

6. Click the OK button.

The DKIM key appears in the list of DKIM keys in the workspace of the main window of the application web interface.

[Topic 100483]

Deleting the DKIM key

To delete a DKIM key:

1. In the main window of the application web interface, open the management console tree and select the Encryption Keys section and DKIM subsection.
2. In the list of DKIM keys, select the check box next to the name of one or several keys that you want to delete.
3. Click the Delete button in the upper part of the workspace.

   The Delete selected items action confirmation window opens.

4. Click the Yes button.

   The Delete selected items window closes.

The DKIM key is deleted.

[Topic 95396]

Using the TLS protocol in the operation of Kaspersky Secure Mail Gateway

This section contains information about using the TLS protocol in the operation Kaspersky Secure Mail Gateway and instructions on how to configure the protocol usage settings.

[Topic 95410]

Creating a TLS certificate

To create a TLS certificate:

1. In the main window of the application web interface, open the management console tree and select the Encryption Keys section and TLS subsection.
2. Click the Create button in the upper part of the workspace.
3. In the TLS certificate name, type the name of the TLS certificate to be sent to the SMTP client for authentication at the beginning of each TLS session.

   The TLS certificate of the server is provided when Kaspersky Secure Mail Gateway acts in the role of a mail server (receives messages).

   The TLS certificate name cannot be blank.

4. In the State field, type the name of the state or region where your organization is located.
5. In the Locality field, type the name of the city where your organization is located.
6. In the Country code field, enter the two-letter code of the country in which your organization is located.

   For example, you can type RU for Russia or US for the USA.

7. In the Organization field, enter the name of your organization.
8. In the Organization Unit field, type the name of the organizational unit for which you are creating the TLS certificate.
9. In the Email address field, specify the email address of the Kaspersky Secure Mail Gateway administrator.
10. Click the OK button.

The TLS certificate you have created appears in the list of TLS certificates in the workspace of the main window of the application web interface.

[Topic 95411]

Deleting a TLS certificate

To delete a TLS certificate:

1. In the main window of the application web interface, open the management console tree and select the Encryption Keys section and TLS subsection.
2. In the list of TLS certificates, select the check box next to the name of one or several certificates that you want to delete.
3. Click the Delete button in the upper part of the workspace.

   The Delete selected items action confirmation window opens.

4. Click the Yes button.

   The Delete selected items window closes.

The TLS certificate is deleted.

[Topic 95413]

Preparing a self-signed TLS certificate for import

A self-signed TLS certificate intended to be imported into Kaspersky Secure Mail Gateway must meet the following requirements:

• The certificate file must have a unique name in the list of certificates used in Kaspersky Secure Mail Gateway.
• The certificate file and the private key file must be in PEM format.
• The key length must be 1024 bits or longer.

By way of an example, below are instructions on how to prepare for import the self-signed TLS server certificate server_cert.pem, whose private key is contained in the key.pem file.

To prepare a self-signed TLS certificate for import into Kaspersky Secure Mail Gateway:

1. In the private key file, remove the password (if any) for accessing the certificate. To do so, execute the command:

   # openssl rsa -in <name of the private key file>.pem -out <name of the private key file with the password removed>.pem

   For example, you can execute the following command:

   # openssl rsa -in key.pem -out key-nopass.pem

2. Combine the private key and the server certificate in a single file. To do so, execute the command:

   % cat <name of the private key file with the password removed>.pem <name of the server certificate>.pem <name of the server certificate after the files were combined>.pem

   For example, you can execute the following command:

   % cat key-nopass.pem server_cert.pem > cert.pem

The self-signed TLS certificate (for example, cert.pem) is ready for import into Kaspersky Secure Mail Gateway.

[Topic 95423]

Preparing to import a TLS certificate signed by a certification authority

A TLS certificate signed by a certification authority (CA certificate) intended for import into Kaspersky Secure Mail Gateway must meet the following requirements:

• The certificate file must have a unique name in the list of certificates used in Kaspersky Secure Mail Gateway.
• The files of the server certificate, intermediate and root CA certificates, and the private key file must be in PEM format.
• The key length must be 1024 bits or longer.
• You must have the complete certificate chain – the path from the server certificate to the roof CA certificate.

  On receiving the CA certificate, you may need to use the intermediate certificate in addition to the server certificate.

• Certificates must be specified in the certificate chain in the following order: first the server certificate, followed by intermediate CA certificates.
• Intermediate certificates must not be skipped in the certificate chain.
• The certificate chain must not include any certificates unrelated to current certification.

By way of an example, below are instructions on how to prepare for import a TLS server certificate signed by a certification authority, server_cert.pem, whose private key is contained in the key.pem file. The name of the intermediate server certificate is intermediate CA. The name of the root certificate is root CA.

To prepare a TLS certificate signed by a certification authority for import into Kaspersky Secure Mail Gateway:

1. In the file of the TLS certificate, remove the password (if any) for accessing the certificate. To do so, execute the command:

   # openssl rsa -in <name of the private key file>.pem -out <name of the private key file with the password removed>.pem

   For example, you can execute the following command:

   # openssl rsa -in key.pem -out key-nopass.pem

2. Do one of the following:
   • If you are certain that the clients to which the server will provide this certificate have their own copies of the root and intermediate CA certificates, combine the private key, server certificate, intermediate and root CA certificates into a single file. To do so, execute the command:

     % cat <name of the private key file with the password removed>.pem <name of the server certificate>.pem <name of the intermediate CA certificate>.pem <name of the root CA certificate>.pem <name of the TLS certificate after the files were combined>.pem

     For example, you can execute the following command:

     % cat key-nopass.pem server_cert.pem intermediate_CA.pem root_CA.pem > cert.pem

   • If you are not sure that the clients to which the server will provide this certificate have their own copies of the root and intermediate CA certificates, combine the private key and server certificate into a single file. To do so, execute the command:

     % cat <name of the private key file with the password removed>.pem <name of the server certificate>.pem <name of the server certificate after the files were combined>.pem

     For example, you can execute the following command:

     % cat key-nopass.pem server_cert.pem > cert.pem

The TLS certificate signed by the certification authority (for example, cert.pem) is ready for import into Kaspersky Secure Mail Gateway.

[Topic 95412]

Importing the TLS certificate from file

Before importing TLS certificates via the web interface of Kaspersky Secure Mail Gateway, you have to prepare them for import.

You can prepare certificates of the following types for import:

• Self-signed TLS certificate.
• CA-signed TLS certificate (hereinafter also referred to as a "CA certificate").

Self-signed certificates are normally used to test and debug SSL and TLS encryption of connections. You are advised to use certificates signed by a certification authority (CA certificates) on public servers.

To import a TLS certificate from file:

1. In the main window of the application web interface, open the management console tree and select the Encryption Keys section and TLS subsection.
2. Click the Import from file button in the upper part of the workspace.
3. In the TLS certificate name field, enter the name that you want to assign to the TLS certificate being imported.
4. Click the Browse button to the right of the Choose TLS certificate file field.

   The file selection window opens in the browser that you use.

5. Choose the file of the TLS certificate that you want to import and click the Open button in your browser.

   The certificate file (Preparing a self-signed TLS certificate for import, Preparing to import a CA-signed TLS certificate) must contain the TLS certificate and a private TLS key with the PEM extension. The private key must not be encrypted or password-protected.

   The file selection window closes.

6. Click the OK button.

The TLS certificate appears in the list of TLS certificates in the workspace of the main window of the application web interface.

[Topic 88718]

Backup

Backup is designed to store copies of messages which Kaspersky Secure Mail Gateway saves during processing. Copies of messages are stored in Backup in unreadable format and therefore do not compromise your computer's security.

Kaspersky Secure Mail Gateway places copies of the following messages in Backup:

• Messages to which the Anti-Virus engine assigned one of the status labels and before actions are taken on them.
• Messages to which the Anti-Spam engine assigned one of the status labels and before actions are taken on them.
• Messages to which the Anti-Phishing engine assigned one of the status labels and before actions are taken on them.
• Messages to which one of the following status labels was assigned after content filtering and before actions are taken on them.
• Messages whose senders' addresses have been detected in a custom black list of addresses and before the actions was taken on them.

Copies of messages are placed in Backup together with attachments.

The default maximum Backup space is 7,32 GB. As soon as this threshold value is exceeded, the application starts to remove the oldest copies of messages from Backup. When the amount of occupied space is again below the threshold value, the application stops removing copies of messages from Backup.

[Topic 88726]

Configuring Backup settings

To configure Backup settings:

1. In the main window of the application web interface, open the management console tree and select the Backup section.
2. Click any link to open the Backup settings window.
3. In the Backup maximum size field, specify the maximum hard drive space that can be taken up by Backup.

   A value of 100 MB or greater is recommended.

4. In the Free space threshold to notify about field, specify the amount of Backup free space that, when left, causes the application to send a notification to the administrator of Kaspersky Secure Mail Gateway.
5. Select one of the following options in the Allow delivery of infected messages list:
   • Yes, if you want to allow delivery of infected messages from Backup to recipients.
   • No, if you do not want to allow delivery of infected messages from Backup to recipients.

   This setting applies to the HelpDesk account. A user under the Administrator account can deliver messages from Backup to recipients regardless of the value of the Allow delivery of infected messages setting.

6. Select one of the following options in the Actions to take on messages if Backup is unavailable list:
   • Process messages, if you want the application to continue processing messages regardless of whether or not Backup is available.
   • Temporary fail, if you want the application to send a notification that Backup is temporarily unavailable.
   • Reject messages, if you want the application to reject messages when Backup is unavailable.
7. In the Notification subject for delivering message as an attachment field, enter the subject of the notification. For example, Message delivery from Backup.
8. In the Notification body for delivering message as an attachment field, enter the text of the notification. For example, you can enter a warning stating that the message delivered from Backup may be unsafe or contain viruses.
9. Click the OK button.

   The Backup settings window closes.

[Topic 91235]

Finding message copies in Backup

To find message copies in Backup:

1. In the main window of the application web interface, open the management console tree and select the Backup section.
2. In the workspace under the Deliver, View, Delete and Save buttons, click any link to open the Search filter window.
3. In the From field, enter the text for searching email addresses of message senders.

   You can enter an email address (for example: example-email@example.com), domain name (for example: example.com) or several symbols from the email address (for example: exa).

4. In the To field, enter the text for searching email addresses of message recipients.
5. In the Subject field, enter the text for searching for message headers.
6. In the Message-ID field, enter the text for searching for the message ID on the mail server.
7. In the Rule ID list, select the ID of the rule according to which messages were processed.
8. In the ID list, select the message ID in Backup.
9. In the Period list, select the period that has elapsed since the time when messages were processed and had their copies moved to Backup.

   You can choose one of the following periods:

   • Hour
   • Day
   • Week
   • 2 weeks
   • Month
   • 3 months
   • Year
   • Custom
10. If you choose the Custom period, do the following:
    1. In the starting from field, specify the search period start date and time.
    2. In the ending with field, specify the search period end date and time.
11. In the Scan type group of settings, select check boxes next to the names of Kaspersky Secure Mail Gateway engines based on whose conclusions messages were moved to Backup.

    You can select one or several scan engines:

    • Anti-Spam
    • Anti-Virus
    • Content Filtering
    • Anti-Phishing
    • Custom black list of addresses
    • Mail Sender Authentication
    • KATA protection
12. In the Message size (KB) group of settings, set a limit on message size in kilobytes.

    You can set one of the following limits:

    • Less than or equal to a certain message size in kilobytes
    • Greater than or equal to a certain message size in kilobytes
13. Click the OK button.

Copies of messages that match the search parameters are displayed in the list of message copies in the Backup section.

[Topic 91236]

Viewing information about a message in Backup

To view information about a message in Backup:

1. In the main window of the application web interface, open the management console tree and select the Backup section.
2. In the list of message copies in Backup, in the lower part of the workspace do one of the following:
   • In the line with the details of the message that you want to view, click any of the following links: From, To, or Subject.
   • In the line with the details of the message that you want to view, select the check box and click the View button.

   A message copy containing the following message information opens:

   • ID
   • Subject
   • Message processing rule
   • Rule ID
   • From
   • To
   • Cc
   • Bcc
   • Scan Results with a list of scan modules: Anti-Spam, Anti-Virus, Content Filtering, Anti-Phishing, Mail Sender Authentication and KATA protection.
   • Backup Reason
   • Action
   • Time placed in Backup
   • Message ID on mail server
   • Message size
   • Time sent
   • Time received
   • Attachments
   • Virus
   • Anti-Virus databases release date
   • Anti-Spam databases release date
3. To return to the list of message copies in Backup, click the To messages list button in the upper part of the workspace.

[Topic 91239]

Delivering messages from Backup to recipients

If you consider a message in Backup to be safe, you can deliver the message from Backup to the recipients.

You can deliver a message from Backup after previewing it or by selecting messages that you want to deliver in the list of message copies in Backup (one or several messages).

Delivering infected messages can pose a security threat to the computers of recipients.

Before delivering an infected message to the recipient, make sure that delivery of infected messages is allowed in Backup settings (for personal user accounts and the HelpDesk account).

To deliver a message from Backup to recipients:

1. In the main window of the application web interface, open the management console tree and select the Backup section.
2. In the list of message copies in Backup, in the lower part of the workspace select check boxes in the lines with the details of messages that you want to deliver.
3. If you want to view information about a message, in the lower part of the workspace in the line containing the details of the message that you want to view, click the View button.

   The message copy opens.

4. Click the Deliver button in the upper part of the workspace.

   The Deliver message window opens.

5. Select the check box next to the name of the Deliver the message in an attachment setting if you want to deliver the message in an attachment.
6. Select the check box next to the name of the To recipient email addresses specified in the message header setting if you want to deliver the message to email addresses of recipients to whom this message was intended.
7. Select the check box next to the name of the To additional email addresses setting if you want to deliver the message to additional email addresses.
8. If you have chosen to deliver the message to additional email addresses, in the field under the name of the To additional email addresses setting, enter the email addresses to which you want to deliver the message.
9. Click the OK button.

   The Deliver message window closes.

   The message is placed in the delivery queue.

10. To return to the list of message copies in Backup, click the To messages list button in the upper part of the workspace.

    The list of message copies in Backup displays the message Message has been placed in queue for delivery.

11. To hide the Message has been placed in queue for delivery message, click the Hide link in the right part of the line with the message.

[Topic 91238]

Saving messages from Backup to file

If you consider a message in Backup to be safe, you can save it to file on the hard drive.

You can save a message from Backup after previewing it or by selecting the message that you want to save in the list of message copies in Backup.

Saving infected messages on the hard drive poses a security threat to your computer.

To save a message from Backup to a file:

1. In the main window of the application web interface, open the management console tree and select the Backup section.
2. In the list of message copies in Backup, in the lower part of the workspace select check boxes in the line with the details of the message that you want to save.
3. If you want to view information about a message, in the lower part of the workspace in the line containing the details of the message that you want to view, click the View button.

   The message copy opens.

4. Click the Save button in the upper part of the workspace.

   The message is saved on the hard drive of your computer in the folder specified as the destination folder for downloading files from the Internet in the settings of the browser that you use to manage Kaspersky Secure Mail Gateway.

   For example, if you are using the Microsoft Windows operating system and the Downloads folder is specified as the destination folder for downloading files from the Internet, the message is saved in the Downloads folder on the hard drive of your computer.

5. To return to the list of message copies in Backup, click the To messages list button in the upper part of the workspace.

[Topic 91237]

Deleting a message copy from Backup

You can delete a message copy from Backup after previewing it or by selecting messages that you want to delete in the list of message copies in Backup (one or several messages).

To delete one or several messages from Backup:

1. In the main window of the application web interface, open the management console tree and select the Backup section.
2. In the list of message copies in Backup, in the lower part of the workspace select check boxes in the lines with the details of messages that you want to delete.
3. If you want to view information about a message, in the lower part of the workspace in the line containing the details of the message that you want to view, click the View button.

   The message copy opens.

4. Click the Delete button in the upper part of the workspace.
5. The Delete message(s) window opens.
6. Click the Delete button in the Delete message(s) window.

   A copy of the message is deleted from Backup.

7. To return to the list of message copies in Backup, click the To messages list button in the upper part of the workspace.

   The list of message copies in Backup displays the message Marked message has been deleted.

8. To hide the Marked message has been deleted message, click the Hide link in the right part of the line with the message.

[Topic 100447]

Kaspersky Secure Mail Gateway message queue

This section contains information on working with Kaspersky Secure Mail Gateway message queues, as well as information on how to sort and filter messages in queue, KATA Quarantine and Anti-Spam Quarantine, or search events by specific table columns based on the indicators you specify.

[Topic 90596]

Enabling and disabling the transmission and reception of messages

To enable or disable transmission or reception of messages by the mail agent of Kaspersky Secure Mail Gateway:

1. In the main window of the application web interface, open the management console tree and select the Message Queue section.
2. In the upper part of the workspace:
   • Flip on the toggle switch next to the name of the Sending messages setting if you want to allow the forwarding of messages by the Kaspersky Secure Mail Gateway mail transfer agent.
   • Flip off the toggle switch next to the name of the Sending messages setting if you want to block the forwarding of messages by the Kaspersky Secure Mail Gateway mail transfer agent.

     If the Reject messages for unverified recipients (reject_unverified_recipient) parameter is set in advanced MTA settings, receipt of messages will also be disabled.

   • Flip on the toggle switch next to the name of the Receiving messages setting if you want to allow the receipt of messages by the Kaspersky Secure Mail Gateway mail transfer agent.
   • Flip off the toggle switch next to the name of the Receiving messages setting if you want to block the receipt of messages by the Kaspersky Secure Mail Gateway mail transfer agent.

Attention! These settings control transmission and reception of messages by the mail agent of Kaspersky Secure Mail Gateway.

[Topic 144341]

Viewing information about the message queue, KATA Quarantine, and Anti-Spam Quarantine

To view information about the message queue, KATA Quarantine, and Anti-Spam Quarantine:

In the main window of the application web interface, open the management console tree and select the Message Queue section.

The following information is displayed:

• KATA Quarantine, size. The KATA Quarantine size and the KATA Quarantine usage percentage compared to the maximum size defined in the KATA protection settings.
• KATA Quarantine, messages. The current number of messages in KATA Quarantine.
• KATA checked, messages. The number of messages scanned in KATA during the past hour.
• KATA timed out, messages. The number of messages whose KATA scan queue time expired during the past hour. The maximum queue time for a KATA scan is set in the KATA protection settings.
• Anti-Spam Quarantine, size. The Anti-Spam Quarantine size and Anti-Spam Quarantine usage percentage compared to the maximum size is defined in the Anti-Spam Quarantine settings.
• Anti-Spam Quarantine, messages. The current number of messages in Anti-Spam Quarantine.
• MTA queue, messages. The current number of messages in queue.

[Topic 144351]

Sorting messages in queue

To sort messages in queue:

1. In the main window of the application web interface, open the management console tree and select the Message Queue section.

   This opens a table of messages in the message queue, KATA Quarantine, and Anti-Spam Quarantine.

2. Click the button to the left of the name of the table column by which you want to sort messages. You can sort messages by one of the following indicators:
   • ID of the message in queue—Message ID in queue.
   • From—Message sender's address.
   • To—Message recipient's address.
   • Size – message size.
   • Received—Time at which messages arrive in queue.
   • Error—Message scan error.

To modify the sorting order for messages in queue,

click the or button to the left of the name of the table column whose message sorting order you want to modify.

[Topic 144350]

Filtering and searching messages by queue name

To filter or search messages by queue name:

1. In the main window of the application web interface, open the management console tree and select the Message Queue section.
2. Click the Queue link to expand the list of queue names.
3. Select the check boxes next to the names of the queues in which you want to search for messages. You can select one or several of the following queues:
   • Deferred.
   • Active.
   • Inbound (Maildrop and Incoming queues).
   • Hold.
   • Anti-Spam Quarantine.
   • KATA Quarantine.
4. Click the Apply button.

A list of queued messages formed according to the filter criteria appears in the workspace of the Message Queue section in the main window of the Kaspersky Secure Mail Gateway web interface.

If the message search filter is not specified, the list shows all queued messages.

[Topic 144352]

Filtering and searching messages by message ID in queue

To filter or search messages by message ID in queue:

1. In the main window of the application web interface, open the management console tree and select the Message Queue section.
2. Click the ID of the message in queue link to open the message filter configuration window.
3. In the ID field, enter several characters or all characters of the message ID in queue.
4. Click the Apply button.

A list of queued messages formed according to the filter criteria appears in the workspace of the Message Queue section in the main window of the Kaspersky Secure Mail Gateway web interface.

If the message search filter is not specified, the list shows all queued messages.

[Topic 144353]

Filtering and searching messages by message sender's address

To filter or search messages by sender address:

1. In the main window of the application web interface, open the management console tree and select the Message Queue section.
2. Click the From link to open the message filter configuration window.
3. In the From field, enter several characters or all characters of the message sender's address.
4. Click the Apply button.

A list of queued messages formed according to the filter criteria appears in the workspace of the Message Queue section in the main window of the Kaspersky Secure Mail Gateway web interface.

If the message search filter is not specified, the list shows all queued messages.

[Topic 144354]

Filtering and searching messages by message recipient's address

To filter or search messages by recipient address:

1. In the main window of the application web interface, open the management console tree and select the Message Queue section.
2. Click the To link to open the message filter configuration window.
3. In the To field, enter several characters or all characters of the message recipient's address.
4. Click the Apply button.

A list of queued messages formed according to the filter criteria appears in the workspace of the Message Queue section in the main window of the Kaspersky Secure Mail Gateway web interface.

If the message search filter is not specified, the list shows all queued messages.

[Topic 144355]

Filtering and searching messages by time of message arrival in queue

To filter or search messages by time of message arrival in queue:

1. In the main window of the application web interface, open the management console tree and select the Message Queue section.
2. Click the Received link to expand the list of message search periods.
3. Select one of the following periods:
   • Last hour
   • Last day
   • Last week
   • Custom
4. If you chose a custom period for searching messages:
   1. In the calendar that opens, specify the start and end dates of the period during which messages arrived in queue.
   2. Click the Apply button.

      The calendar closes.

A list of queued messages formed according to the filter criteria appears in the workspace of the Message Queue section in the main window of the Kaspersky Secure Mail Gateway web interface.

If the message search filter is not specified, the list shows all queued messages.

[Topic 90598]

Forced delivery and removal of messages from the queue

To forcedly send or remove messages from the queue of the MTA:

1. In the main window of the application web interface, open the management console tree and select the Message Queue section.
2. View the list of queued messages in the workspace.
3. To the left of the queue type name, select check boxes next to the messages that you want to process.
4. Click one of the following buttons on the toolbar in the upper part of the workspace:
   • Flush, if you want to forcedly send the selected messages.
   • Flush all, if you want to forcedly send all messages.

Frequent attempts to deliver undelivered messages out of turn affect the speed with which the other messages are sent.

• Delete, if you want to delete the selected messages.
• Delete all, if you want to delete all messages.

The operation of removing all messages from the queue permanently removes all data from the queue, including messages that have been received but not processed yet.

In the event of forced delivery of messages from the KATA Quarantine queue, messages will invariably be scanned in Kaspersky Anti Targeted Attack Platform but Kaspersky Secure Mail Gateway will not wait for the result from scanning these messages. These messages will not be displayed in the scan queue.

[Topic 91250]

Kaspersky Secure Mail Gateway operation reports

This section contains information on reports, and on how to create and view reports on mail server operation.

You can configure the following reports on the operation of the mail server:

• Daily.
• Weekly.
• Monthly.
• Custom.

[Topic 89211]

Content of Kaspersky Secure Mail Gateway operation reports

You can receive information about Kaspersky Secure Mail Gateway performance during a certain period from Kaspersky Secure Mail Gateway operation reports.

Reports contain the following information about the operation of Kaspersky Secure Mail Gateway:

1. Consolidated report on detects. Report on the results of operation of Kaspersky Secure Mail Gateway modules, which shows the quantity and volume of messages calculated based on the following indicators:
   • Detected in KATA
   • Detected by the Anti-Virus module
   • Detected by the Anti-Phishing module
   • Detected by the Anti-Spam module
   • Sender authentication violations
   • Processed by the Content Filtering module
   • Clean
   • Non-scanned
   • Total messages
2. Consolidated report on actions taken by Kaspersky Secure Mail Gateway on messages. Shows the quantity and volume of messages calculated based on the following indicators:
   • Messages delivered, including:
     • Clean
     • Disinfected
     • With deleted attachments
     • Skipped
     • Non-scanned
   • Messages not delivered, including:
     • Deleted
     • Rejected
     • Postponed
   • Total messages
3. Report on detections by the Anti-Virus module. Shows the number of messages that were scanned and not scanned by the Anti-Virus module during a certain period and contains statistics on detection of messages of the following types:
   • Clean
   • Infected
   • Encrypted
   • Scan errors
   • Messages that were not scanned due to one or several of the following reasons:
     • They were excluded from scans according to the processing rules of global black lists or white lists.
     • They were excluded from scans according to the processing rules of custom black lists or white lists.
     • Virus scan has been disabled for all messages.
     • Virus scan has been disabled for the rule that was applied when processing the message.
     • Anti-virus databases are missing.
     • License issues.
4. Report on detections by the Anti-Spam module. Shows the number of messages that were scanned and not scanned by the Anti-Spam module during a certain period and contains statistics on detection of messages of the following types:
   • Not spam
   • Spam
   • Probable spam
   • Blacklisted message
   • Mass mail
   • Scan errors

   It also displays the number of messages in Anti-Spam Quarantine and the number of messages that were not scanned.

5. Report on detections by the Anti-Phishing module. Shows the number of messages that were scanned and not scanned by the Anti-Phishing module during a certain period and contains statistics on detection of messages of the following types:
   • Not phishing
   • Phishing
   • Malicious URL
   • Scan errors

   In addition, the number of non-scanned messages is displayed.

6. Report on the results of content filtering of messages. Shows the number of messages processed according to content filtering rules during a certain period calculated based on the following indicators:
   • Messages without violations
   • Messages exceeding the allowed size
   • Messages with attachments having a forbidden name
   • Messages with attachments of a forbidden type

   In addition, the number of non-scanned messages is displayed.

7. Report on the message processing rules applied.
8. Report on the top ten sources of spam. Lists the addresses of sources and the number of times they triggered the Anti-Spam module.
9. A report on the top ten email addresses to which the largest number of spam-containing messages were sent. Lists the email addresses of recipients of messages and the number of times they triggered the Anti-Spam module.
10. Report on the top ten sources of malicious objects based on conclusions of the Anti-Virus module. Lists the addresses of sources and the number of times they triggered the Anti-Virus module.
11. A report on the top ten email addresses to which the largest number of malicious objects were sent based on conclusions of the Anti-Virus component. Lists the addresses of recipients and the number of times they triggered the Anti-Virus module.
12. Report on the top ten malicious objects based on conclusions of the Anti-Virus module. Lists the names of objects and the number of times they triggered the Anti-Virus module.

[Topic 89207]

Viewing Kaspersky Secure Mail Gateway operation reports

To view Kaspersky Secure Mail Gateway operation reports:

1. In the main window of the application web interface, go to the management console tree and select the Reports section and the subsection depending on the type of reports you want to view:
   • All reports, if you want to view all reports.
   • Daily, if you want to view daily reports.
   • Weekly, if you want to view weekly reports.
   • Monthly, if you want to view monthly reports.
   • Custom, if you want to view custom reports.

   A page with the list of reports of the type you have selected opens.

2. Click the PDF link in the row with the details of the report that you want to view.

The report is downloaded to the hard drive of your computer in the folder that is specified as the destination folder for downloading files from the Internet in the settings of the browser that you use to manage Kaspersky Secure Mail Gateway.

For example, if you are using the Microsoft Windows operating system and the Downloads folder is specified as the destination folder for downloading files from the Internet, the message is saved in the Downloads folder on the hard drive of your computer.

[Topic 100307]

Deleting Kaspersky Secure Mail Gateway operation reports

To delete one or several Kaspersky Secure Mail Gateway operation reports:

1. In the main window of the application web interface, go to the management console tree and select the Reports section and the subsection depending on the type of reports you want to delete:
   • All reports, if you want to remove all reports from the list.
   • Daily, if you want to remove daily reports from the list.
   • Weekly, if you want to remove weekly reports from the list.
   • Monthly, if you want to remove monthly reports from the list.
   • Custom, if you want to remove custom reports from the list.

   A page with the list of reports of the type you have selected opens.

2. Select check boxes in rows with the details of reports you want to delete.
3. Click the Delete button in the upper part of the workspace.

   The Delete reports action confirmation window opens.

4. Click the Delete button.

   The Delete reports window closes.

The selected reports are deleted.

[Topic 95375]

Enabling and disabling daily reports

To enable or disable Kaspersky Secure Mail Gateway daily reports:

1. In the main window of the application web interface, open the management console tree and select the Reports section and Daily subsection.
2. In the Generating Daily report section, do one of the following:
   • Flip on the toggle switch next to the name of the Generating Daily report section to enable Kaspersky Secure Mail Gateway daily reports.
   • Flip off the toggle switch next to the name of the Generating Daily report section to disable Kaspersky Secure Mail Gateway daily reports.

[Topic 100271]

Configuring the daily report

To configure the Kaspersky Secure Mail Gateway daily report:

1. In the main window of the application web interface, open the management console tree and select the Reports section and Daily subsection.
2. In the Generating Daily report section, click any link to open the Daily report settings window.
3. In the Report generation time field, specify the time at which the daily report will be generated.

   Specify a time in the range of 00:00 to 23:59.

4. In the Report language list, select the language in which the daily report will be generated.
5. In the Format dates in the report list, select the format of dates as you want them to appear in the daily report.
6. If you want Kaspersky Secure Mail Gateway to send the daily report to email addresses, select the check box next to the name of the Enable report sending setting and do the following:
   1. Select the check box next to the name of the Send report to administrator setting if you want Kaspersky Secure Mail Gateway to send the daily report to the email addresses of the Kaspersky Secure Mail Gateway administrator.
   2. In the Send report to the following email addresses field, enter the email address to which you want the daily report to be delivered.

      The email addresses are entered one at a time. Repeat the process of adding addresses to the list for all email addresses that you are adding.

      You can use the symbols "*" and "?" to create an address mask, and regular expressions beginning with the prefix "reg:".

      Regular expressions are not case-sensitive.

   3. Click the button on the right of the entry field.

      The email address you have added appears in the list under the entry field.

7. Click the OK button.

   The Daily report settings window closes.

The Generating Daily report section displays the Kaspersky Secure Mail Gateway daily report settings you have configured.

The generated Kaspersky Secure Mail Gateway weekly reports will appear in the list under the Generating Daily report section.

[Topic 100267]

Enabling and disabling weekly reports

To enable or disable Kaspersky Secure Mail Gateway weekly reports:

1. In the main window of the application web interface, open the management console tree and select the Reports section and Weekly subsection.
2. In the Generating Weekly report section, do one of the following:
   • Flip on the toggle switch next to the name of the Generating Weekly report section to enable Kaspersky Secure Mail Gateway weekly reports.
   • Flip off the toggle switch next to the name of the Generating Weekly report section to disable Kaspersky Secure Mail Gateway weekly reports.

[Topic 100266]

Configuring the weekly report

To configure the Kaspersky Secure Mail Gateway weekly report:

1. In the main window of the application web interface, open the management console tree and select the Reports section and Weekly subsection.
2. In the Generating Weekly report section, click any link to open the Weekly report settings window.
3. In the Report generation day of the week and time fields, select the day of the week and specify the time when the weekly report will be generated.

   Specify a time in the range of 00:00 to 23:59.

4. In the Report language list, select the language in which the weekly report will be generated.
5. In the Format dates in the report list, select the format of dates as you want them to appear in the weekly report.
6. If you want Kaspersky Secure Mail Gateway to send the weekly report to email addresses, select the check box next to the name of the Enable report sending setting and do the following:
   1. Select the check box next to the name of the Send report to administrator setting if you want Kaspersky Secure Mail Gateway to send the weekly report to the email addresses of the Kaspersky Secure Mail Gateway administrator.
   2. In the Send report to the following email addresses field, enter the email address to which you want the weekly report to be delivered.

      The email addresses are entered one at a time. Repeat the process of adding addresses to the list for all email addresses that you are adding.

      You can use the symbols "*" and "?" to create an address mask, and regular expressions beginning with the prefix "reg:".

      Regular expressions are not case-sensitive.

   3. Click the button on the right of the entry field.

      The email address you have added appears in the list under the entry field.

7. Click the OK button.

   The Weekly report settings window closes.

The Generating Weekly report section displays the Kaspersky Secure Mail Gateway weekly report settings you have configured.

The generated Kaspersky Secure Mail Gateway weekly reports will appear in the list under the Generating Weekly report section.

[Topic 100268]

Enabling and disabling monthly reports

To enable or disable Kaspersky Secure Mail Gateway monthly reports:

1. In the main window of the application web interface, open the management console tree and select the Reports section and Monthly subsection.
2. In the Generating Monthly report section, do one of the following:
   • Flip on the toggle switch next to the name of the Generating Monthly report section to enable Kaspersky Secure Mail Gateway monthly reports.
   • Flip off the toggle switch next to the name of the Generating Monthly report section to disable Kaspersky Secure Mail Gateway monthly reports.

[Topic 100278]

Configuring the monthly report

To configure the Kaspersky Secure Mail Gateway monthly report:

1. In the main window of the application web interface, open the management console tree and select the Reports section and Monthly subsection.
2. In the Generating Monthly report section, click any link to open the Monthly report settings window.
3. In the Report generation day of the month and time fields, select the day of the month and specify the time when the monthly report will be generated.

   Specify a time in the range of 00:00 to 23:59.

4. In the Report language list, select the language in which the monthly report will be generated.
5. In the Format dates in the report list, select the format of dates as you want them to appear in the monthly report.
6. If you want Kaspersky Secure Mail Gateway to send the monthly report to email addresses, select the check box next to the name of the Enable report sending setting and do the following:
   1. Select the check box next to the name of the Send report to administrator setting if you want Kaspersky Secure Mail Gateway to send the monthly report to the email addresses of the Kaspersky Secure Mail Gateway administrator.
   2. In the Send report to the following email addresses field, enter the email address to which you want the monthly report to be delivered.

      The email addresses are entered one at a time. Repeat the process of adding addresses to the list for all email addresses that you are adding.

      You can use the symbols "*" and "?" to create an address mask, and regular expressions beginning with the prefix "reg:".

      Regular expressions are not case-sensitive.

   3. Click the button on the right of the entry field.

      The email address you have added appears in the list under the entry field.

7. Click the OK button.

   The Monthly report settings window closes.

The Generating Monthly report section displays the Kaspersky Secure Mail Gateway monthly report settings you have configured.

The generated Kaspersky Secure Mail Gateway weekly reports will appear in the list under the Generating Monthly report section.

[Topic 100269]

Generating a custom report

To generate a custom report:

1. In the main window of the application web interface, open the management console tree and select the Reports section and Custom subsection.
2. Click the Create button in the upper part of the workspace.

   The Custom report settings window opens.

3. In the Reporting period list, select the period for which you want to generate a custom report, and do the following depending on the option you have selected:
   • If you want to generate a report for a specific day, in the Day field enter the date for which you want to generate the report.
   • If you want to generate a report for a specific month, in the Month field select the month for which you want to generate the report.
   • If you want to generate a report for a specific year, in the Year field select the year for which you want to generate the report.
   • If you want to generate a report for a specific date range, in the Date range field specify the start and end dates of the period for which you want to generate the report.
4. In the Report language list, select the language in which the custom report will be generated.
5. In the Format dates in the report list, select the format of dates as you want them to appear in the custom report.
6. If you want Kaspersky Secure Mail Gateway to send the custom report to email addresses:
   1. Select the check box next to the name of the Send report to administrator setting if you want Kaspersky Secure Mail Gateway to send the custom report to the email addresses of the Kaspersky Secure Mail Gateway administrator.
   2. In the Send report to the following email addresses field, enter the email address to which you want the custom report to be delivered.

      The email addresses are entered one at a time. Repeat the process of adding addresses to the list for all email addresses that you are adding.

      You can use the symbols "*" and "?" to create an address mask, and regular expressions beginning with the prefix "reg:".

      Regular expressions are not case-sensitive.

   3. Click the button on the right of the entry field.

      The email address you have added appears in the list under the entry field.

7. Click the OK button.

   The Custom report settings window closes.

The generated Kaspersky Secure Mail Gateway operation reports appear in the list in the workspace of the main window of the application web interface.

[Topic 144236]

General settings of Kaspersky Secure Mail Gateway

This section contains information on configuring the general settings of Kaspersky Secure Mail Gateway.

[Topic 144237]

Configuring the proxy server connection settings

To configure the proxy server connection settings:

1. In the main window of the application web interface, open the management console tree and select the Settings section and General Settings subsection.
2. In the Use Proxy Server section, click any link to open the Connection settings window.
3. In the Proxy server settings settings group, select one of the following options in the Use proxy server drop-down list:
   • Yes, if you want to use a proxy server with Kaspersky Secure Mail Gateway.
   • No, If you do not want to use a proxy server with Kaspersky Secure Mail Gateway.
4. In the Address field, enter the proxy server address.
5. In the Port field, enter the proxy server port.
6. In the Authentication settings settings group, select one of the following options in the Authentication drop-down list:
   • Not required, if you do not want to use authentication when connecting to the proxy server.
   • Plain, if you want to use authentication when connecting to the proxy server.
7. If the Authentication setting is set to Plain, enter the user name and password for connecting to the proxy server in the User name and Password fields.
8. In the Proxy server connection settings settings group, in the Bypass proxy for local addresses drop-down list, select one of the following values:
   • Yes , if you do not want to use a proxy server for internal email addresses of your organization.
   • No — if you want to use a proxy server irrespective of whether or not email addresses belong to your organization.
9. Click the OK button.

To enable or disable usage of a proxy server:

1. In the main window of the application web interface, open the management console tree and select the Settings section and Database Update subsection.
2. In the workspace, do one of the following:
   • Flip on the toggle switch next to the name of the Use Proxy Server settings group if you want to use a proxy server with Kaspersky Secure Mail Gateway.
   • Flip off the toggle switch next to the name of the Use Proxy Server settings group if you do not want to use a proxy server with Kaspersky Secure Mail Gateway.

You can enable use of a proxy server only after you configure the proxy server connection settings.

[Topic 60929]

Configuring email addresses of the administrator

To configure email addresses of the administrator for sending notifications, reports, and other messages of Kaspersky Secure Mail Gateway:

1. In the main window of the application web interface, open the management console tree and select the Settings section and General Settings subsection.
2. In the Email Addresses section, click the Administrator's email addresses link to open the Administrator's email addresses window.
3. In the Email addresses to which Kaspersky Secure Mail Gateway sends notifications, reports, and messages from the program email address field, enter the email address of the administrator.

   The email addresses are entered one at a time. Repeat the process of adding addresses to the list for all email addresses that you are adding.

   You can use the symbols "*" and "?" to create an address mask, and regular expressions beginning with the prefix "reg:".

   Regular expressions are not case-sensitive.

4. Click the Add button on the right of the entry field.

   The list of administrator's email addresses is compiled in the field under the button for adding entries.

5. Click the OK button.
6. The Administrator's email addresses window closes.

Email addresses are displayed on the right of the Administrator's email addresses link in the workspace of the main window of the application web interface.

[Topic 143858]

Configuring HelpDesk account settings

This section contains information about the HelpDesk account and how to configure it.

[Topic 143859]

About the HelpDesk account

The HelpDesk account is designed for obtaining restricted access to application settings. Using the HelpDesk account, the Kaspersky Secure Mail Gateway administrator can grant another user the rights to perform certain operations, for example, to investigate incidents with messages in Backup.

To obtain access to Kaspersky Secure Mail Gateway under the HelpDesk account, you must perform the following actions:

• Activate HelpDesk Account.
• Specify the user name and password.
• Enter the assigned account credentials on the web interface authorization page.

After completion of the authentication procedure, if the appropriate rights are present, the HelpDesk user can access the following operations in Kaspersky Secure Mail Gateway:

• Viewing information about a message in Backup.
• Delivering messages from Backup to the recipient.

  The value of this setting is assigned in Backup settings.

• Modifying custom black lists and white lists.
• Operations with reports:
  • Viewing ready reports.
  • Saving a ready report to the hard drive.
  • Creating a one-time report with custom settings.
  • Regularly creating daily, weekly, and monthly reports.
  • Removing selected reports from the list of ready reports.
  • Modifying the settings for generating reports for past periods according to schedule.

[Topic 143860]

Activating and deactivating the HelpDesk account

To activate or deactivate the HelpDesk account:

1. In the main window of the application web interface, open the management console tree and select the Settings section and General Settings subsection.
2. In the Activate HelpDesk Account section, do one of the following:
   • Flip on the toggle switch next to the name of the Activate HelpDesk Account settings group if you want to activate the HelpDesk account.
   • Flip off the toggle switch next to the name of the Activate HelpDesk Account settings group if you want to deactivate the HelpDesk account.

[Topic 143861]

Modifying the name and password of the HelpDesk account

To modify the HelpDesk account name or password:

1. In the main window of the application web interface, open the management console tree and select the Settings section and General Settings subsection.
2. In the Activate HelpDesk Account section, click any link to open the HelpDesk account settings window.
3. In the HelpDesk account user name and password section:
   • If you want to change the HelpDesk account name, enter a new name in the User name field.
   • If you want to change the HelpDesk account password, specify a new password in the Password field and enter it again in the Confirm password field.
4. Click the OK button.

   The HelpDesk account settings window closes.

[Topic 143862]

Granting the HelpDesk account access to custom black lists and white lists

To grant the HelpDesk account access to custom black lists and white lists:

1. In the main window of the application web interface, open the management console tree and select the Settings section and General Settings subsection.
2. In the Activate HelpDesk Account section, click any link to open the HelpDesk account settings window.
3. In the HelpDesk account privileges section in the Allow access to custom lists drop-down list, select the Yes option.
4. Click the OK button.

   The HelpDesk account settings window closes.

[Topic 143863]

Granting the HelpDesk account access to reports

To grant the HelpDesk account access to reports:

1. In the main window of the application web interface, open the management console tree and select the Settings section and General Settings subsection.
2. In the Activate HelpDesk Account section, click any link to open the HelpDesk account settings window.
3. In the HelpDesk account privileges section in the Allow access to reports drop-down list, select the Yes option.
4. Click the OK button.

   The HelpDesk account settings window closes.

[Topic 144395]

Changing the Administrator account password

To change the password of the Administrator account:

1. In the lower left corner of the main window of the application web interface, click the Administrator link to open the Change password window.
2. In the Old password field, enter the current password of the Administrator account.
3. In the New password field, enter the new password for the Administrator account.
4. In the Re-enter new password field, enter the new password for the Administrator account again.
5. Click the Change Password button.

The Change password window closes.

[Topic 91253]

Configuring the settings for the event log and audit log

You can select the category of the event log and specify the event log level.

By default, events are recorded in the log of the Mail category and have the Info event level.

To configure the settings of the event log and audit log:

1. In the main window of the application web interface, open the management console tree and select the Settings section and General Settings subsection.
2. In the Log Settings section, click any link to open the Log Settings window.
3. In the Syslog facility list, select the event log category.
4. Select the event log level in the Event level list.
5. In the Maximum number of records in Audit Log list, select the maximum number of log records in the audit log.

   The number of log records in the audit log has a default limit of 100000 records. When this limit is reached, log record rotation is applied to the audit log: Kaspersky Secure Mail Gateway overwrites the oldest log records with new data.

6. Click the OK button.

[Topic 144238]

Configuring application performance settings

To configure application performance settings:

1. In the main window of the application web interface, open the management console tree and select the Settings section and General Settings subsection.
2. In the Performance Settings settings group, click the Number of scanning threads link to open the Performance Settings window.
3. In the Number of scanning threads list, select the number of message streams that Kaspersky Secure Mail Gateway can scan simultaneously.
4. Click the OK button.

[Topic 144239]

Configuring the appearance of scanned messages

To configure the appearance of scanned messages:

1. In the main window of the application web interface, open the management console tree and select the Settings section and General Settings subsection.
2. In the Message Settings settings group, click the Add message X-headers link to open the Message Settings window.
3. In the Add message X-headers list, select one of the following options:
   • Yes, if you want to add headers to scanned messages.
   • No, if you do not want to add headers to scanned messages.
4. Click the OK button.

[Topic 144240]

Configuring the template for messages when removing an attachment

To configure the template for messages when removing an attachment:

1. In the main window of the application web interface, open the management console tree and select the Settings section and General Settings subsection.
2. In the Templates settings group, click the When removing an attachment link to open the Templates window.
3. In the When removing an attachment, insert the following text in the message body field, enter the text that you want to add to messages from which Kaspersky Secure Mail Gateway deletes attachments.
4. Click the OK button.

[Topic 144241]

Exporting application settings

To export the application settings:

1. In the main window of the application web interface, open the management console tree and select the Settings section and General Settings subsection.
2. In the Export and Import of Program Settings settings group, click the Export settings link to open the Export program settings window.
3. Click the OK button.

A file in KZ format is downloaded to the hard drive of your computer in the folder specified as the destination folder for downloading files from the Internet in the settings of the browser that you use to manage Kaspersky Secure Mail Gateway. The file contains all current application settings, including message processing rules with all recipients and senders.

[Topic 144242]

Importing application settings

To import application settings:

1. In the main window of the application web interface, open the management console tree and select the Settings section and General Settings subsection.
2. In the Export and Import of Program Settings settings group, click the Import settings link to open the Import program settings window.
3. Click the Browse button.

   The file selection window opens.

4. Select the KZ file containing the application settings that you want to load.
5. Select one of the following options for importing application settings:
   • All settings, if you want to import all application settings.
   • Selected settings, if you want to select which application settings to import.
6. If you are importing Selected settings, select the check boxes next to the application settings that you want to import.
7. Click the Next button.
8. If the application settings were imported successfully, click the Restart the program button.

The application will be restarted. After a few minutes, you must refresh the browser window and sign in again.

[Topic 144243]

Restarting the application

To restart the application:

1. In the main window of the application web interface, open the management console tree and select the Settings section and General Settings subsection.
2. In the Export and Import of Program Settings settings group, click the Restart the program link to open the Program restart confirmation window.
3. Click the OK button.

The application will be restarted. After a few minutes, you must refresh the browser window and sign in again.

[Topic 144244]

Configuring integration with Kaspersky Security Center

After installation, Kaspersky Secure Mail Gateway sends information about itself to Kaspersky Security Center. Based on this information, Kaspersky Security Center combines all virtual machines of Kaspersky Secure Mail Gateway into a cluster. A name is assigned to the cluster. You can configure this setting for integration with Kaspersky Security Center.

To configure the setting for integration with Kaspersky Security Center:

1. In the main window of the application web interface, open the management console tree and select the Settings section and General Settings subsection.
2. In the Integration with Kaspersky Security Center settings group, click the Cluster ID link to open the Integration with Kaspersky Security Center window.
3. In the Specify Kaspersky Security Center cluster ID field, enter the Kaspersky Security Center cluster ID. For example, enter Kaspersky Secure Mail Gateway.

Click the OK button.

[Topic 100476]

Configuring MTA settings

Kaspersky Secure Mail Gateway is integrated into the existing corporate mail infrastructure and is not a standalone mail system. For example, Kaspersky Secure Mail Gateway does not deliver email messages to recipients and does not manage user accounts.

You can configure the basic MTA settings using the Quick MTA Setup Wizard or manually in the application web interface.

This section describes how you can configure the MTA settings manually.

[Topic 100477]

Configuring basic MTA settings

To configure basic MTA settings:

1. In the main window of the application web interface, open the management console tree and select the Settings section and MTA subsection.
2. Open the Basic Settings section if it is not already open.
3. Click any link in the Basic Settings section to open the Basic MTA settings window.
4. If you want to change the domain name of Kaspersky Secure Mail Gateway (mydomain), enter the new domain name of the application server in the Domain name field.
5. If you want to change the fully qualified domain name of Kaspersky Secure Mail Gateway (myhostname), enter the new fully qualified domain name of the application server in the Hostname field.
6. In the Message size limit field, specify the maximum size of the email message received or forwarded through Kaspersky Secure Mail Gateway, including SMTP headers. Specify the maximum size in bytes.

   Type 0 if restrictions are not required.

   The default value is 20971520 bytes.

7. Create a list of trusted networks and network hosts that are allowed to send email messages via Kaspersky Secure Mail Gateway (mynetworks). As a rule, these are internal networks and network hosts of your organization. For example, you can specify the IP addresses of Microsoft Exchange servers used at your organization.

   If trusted networks are not specified, Kaspersky Secure Mail Gateway will not be receiving messages from internal mail servers and redirect them outside the network of your organization.

   Perform the following actions for each address that you want to add:

   1. In the Trusted networks field, enter the network IP address or the subnet address.

      Type IP addresses in IPv4 format or subnet addresses in CIDR format.

   2. Click the Add button.

      The network IP address or subnet address that you added will be displayed in the list of trusted networks and network hosts.

   Addresses should be entered one at a time. Repeat the actions for adding IP addresses or subnet addresses to the list for all trusted networks and network hosts that you are adding.

8. In the Email destination address field, enter the address of your edge gateway (relayhost). Kaspersky Secure Mail Gateway will be redirecting all messages to this address.

   You can enter an IPv4 address (for example, 192.0.0.1 or 192.0.0.0/16), domain name or FQDN.

   If you have configured email routing for individual domains, Kaspersky Secure Mail Gateway will be redirecting email messages to the addresses specified for each domain.

9. In the MX record lookup list, select one of the following values:
   • Enabled, if you want to enable the search for MX records for domain names or FQDNs.
   • Disabled, if you want to disable MX record lookup.
10. Click the OK button.

The Basic MTA settings window closes.

[Topic 90599]

Configuring advanced MTA settings

To configure advanced MTA settings:

1. In the main window of the application web interface, open the management console tree and select the Settings section and MTA subsection.
2. Open the Advanced Settings section.
3. Click any link in the upper part of the list of settings to open the Advanced MTA settings window.
4. In the SMTP greeting text field, type the text that will accompany code 220 in the SMTP greeting.
5. In the Maximum connection attempts field, specify the maximum number of connection attempts by one remote SMTP client to the service of the SMTP server per minute.

   Type 0 if restrictions are not required.

   The default value is 0 (unlimited).

6. In the Maximum simultaneous connection attempts field, specify the maximum number of simultaneous connection attempts by one remote SMTP client to the SMTP server.

   Type 0 if restrictions are not required.

   The default value is 50.

7. In the Maximum mail delivery requests field, specify the maximum number of message delivery requests from one remote SMTP client to the SMTP server per minute, regardless of whether this mail server accepts these messages or not.

   Type 0 if restrictions are not required.

   The default value is 0 (unlimited).

8. In the SMTP session timeout field, specify the maximum period of time during which a request has to be received from the remote SMTP client and a response sent by the SMTP server.

   The default value is 30 seconds.

9. In the Interval between destination address connection attempts, specify the interval between attempts by the MTA queue manager to connect to the message destination address if the destination address is unavailable.

   The default value is 60 seconds.

10. In the Minimum delivery interval for Deferred queue field, specify the minimum interval between attempts to deliver a message that has been deferred into the Deferred queue.

    The default value is 300 seconds.

11. In the [[LabelTitleSettingsMTAAdvancedDialog_maximalBackoffTime] field, specify the maximum interval between attempts to send a message that has been deferred into the Deferred queue.

    The default value is 4000 seconds.

12. In the Maximum queue lifetime for a message, set a limit on the time during which a message with a permanent error status will be stored in the queue. When this time elapses, the message is considered undelivered.

    The default value is 3 days.

13. In the Deferred queue processing interval field, specify the frequency at which the Deferred queue is scanned by the queue manager.

    The default value is 1000 seconds.

14. In the Maximum queue lifetime for a bounce message, set a limit on the time during which a bounce message with a permanent error status will be stored in the queue. When this time elapses, the message is considered undelivered.

    The default value is 3 days.

15. In the BCC address for all messages field, specify an optional email address for receiving blind carbon copies of all messages received by the MTA.
16. In the Check addresses format for RFC 821 compliance list, configure (enable or disable) checking of email addresses in the SMTP MAIL FROM and RCPT TO to verify that such addresses are in angle brackets and do not contain RFC 822 comments and phrases. This check prevents reception of messages from malicious applications.

    To configure the scanning of addresses, in the Check addresses format for RFC 821 compliance list, select one of the following values:

    • Yes, if you want to enable checking.
    • No if you want to disable checking.

    The default value is Yes.

17. Configure the Disable recipient verification SMTP VRFY setting, which enables or disables the SMTP VRFY command. The SMTP VRFY command prevents specific services from collecting email addresses.

    To enable or disable the SMTP VRFY command, select one of the following values in the Disable recipient verification SMTP VRFY list:

    • Yes, if you want to enable the command.
    • No, if you want to disable the command.

    The default value is Yes.

18. In the EHLO keywords not sent by SMTP server in response field, select check boxes next to those non-case-sensitive EHLO commands (for example: pipelining, starttls, auth), which your SMTP server will not announce in the response to the EHLO request from an external SMTP client.

    Default values are: silent-discard, dsn, etrn.

19. Click the OK button.

    The Advanced MTA settings window closes.

[Topic 95399]