The application operates with the use of data whose transmission and processing requires the consent of the Kaspersky Secure Mail Gateway administrator.
You can view the list of data and the terms on which it is used as well as give consent to data processing in the following agreements between your organization and Kaspersky:
In accordance with the terms and conditions of the End User License Agreement that you have accepted, you consent to automatic real-time provision of information required for improving the security level of the mail server to Kaspersky. This information is enumerated in the End User License Agreement under "Conditions regarding Data Processing":
You can read the End User License Agreement when installing Kaspersky Secure Mail Gateway or in the /opt/kaspersky/ksmg-appliance-addon/share/htdocs/en_US/assets/eula directory in Technical Support Mode.
In the course of participation in the Kaspersky Security Network and submission of KSN statistics to Kaspersky, information can be transmitted that was obtained as a result of the application operation. The list of data that is transmitted is provided in the Kaspersky Security Network Statement and the Supplementary Kaspersky Security Network Statement. You can read these Statements in the web interface in the Settings → External services → KSN/KPSN → KSN/KPSN settings section.
Data protection
Kaspersky protects any information received in this way as prescribed by law and applicable rules of Kaspersky. Data is transmitted over encrypted data links.
RAM of Kaspersky Secure Mail Gateway may contain any data of application users that are being processed. The administrator of Kaspersky Secure Mail Gateway must personally ensure the security of such data.
By default, access to personal information of users can only be gained by the superuser (root) account of operating systems, the administrator account of Kaspersky Secure Mail Gateway Local administrator, as well as system accounts kluser, postfix, opendkim, and nginx, which components of the application use in the course of their operation. The application itself has no capability to restrict the permissions of administrators and other users of operating systems on which the application is installed. Access to the storage location of the data is restricted by the file system. The administrator should take steps to control access to personal information of other users by any system level measures at the administrator's own discretion.
The local administrator can provide SSH access to the administrator account of the operating system (root). SSH access to personal data is not restricted.
The local administrator can provide access to the web interface. Access to personal data is provided in accordance with access rights configured for the role of the account.
Data is sent between cluster nodes through an encrypted channel (over HTTPS with authorization using a security certificate). Data is sent to the web interface through an encrypted channel over HTTPS. The local administrator is authorized with a password; other users of the web interface are authorized over Kerberos or NTLM protocol.
Connection to Active Directory is performed through an encrypted channel (TLS) with Kerberos authorization.
Email delivery supports SMTPS encryption.
Managing the application using the management console of the server on which the application is installed using the superuser account lets you manage dump settings. A dump is generated whenever the application crashes and can be useful for analyzing the causes of the crash. The dump may include any data, including fragments of analyzed files. By default, dump generation in Kaspersky Secure Mail Gateway is disabled.
Access to such data can be gained from the Management Console of the server on which the application is installed, using an account with super-user privileges.
When sending diagnostic information to Kaspersky Technical Support, the Kaspersky Secure Mail Gateway administrator must take steps to ensure the security of dumps and trace files.
The administrator of Kaspersky Secure Mail Gateway is responsible for access to this information.
Scope of data that can be stored by the application
The following table contains the complete list of user data that can be stored by Kaspersky Secure Mail Gateway.
User data that can be stored in Kaspersky Secure Mail Gateway
Data type |
Where data is used |
Storage location |
Storage duration |
Access |
---|---|---|---|---|
Basic functionality of the application |
||||
|
Application configuration |
/var/opt/kaspersky |
Indefinite. |
|
|
Message processing rules |
/var/opt/kaspersky |
Indefinite. |
|
Information from email messages:
Information about LDAP attributes of users:
|
Application statistics |
/var/opt/kaspersky |
Indefinite. |
|
Information from email messages:
Information about LDAP attributes of users:
|
Message processing event log |
/var/opt/kaspersky |
In accordance with settings specified by the user of the application. By default, the storage duration is 3 days and the maximum size of the log is 1 GB. When this limit is reached, older records are deleted. |
|
/var/log/ksmg-messages |
Indefinite. When the size reaches 23 GB, older records are deleted. |
|
||
/var/log/ksmg-important |
Indefinite. When the size reaches 500 MB, older records are deleted. |
|
||
|
Application event log |
/var/opt/kaspersky |
In accordance with settings specified by the user of the application. By default, the storage duration is 1100 days, or the maximum size of the log is 1 GB. When this limit is reached, older records are deleted. |
|
/var/log/ksmg-messages |
Indefinite. When the size reaches 23 GB, older records are deleted. |
|
||
/var/log/ksmg-important |
Indefinite. When the size reaches 500 MB, older records are deleted. |
|
||
Information from email messages:
Data on application updates:
Information about user accounts:
|
Trace files |
/var/log/kaspersky |
Indefinite. When the size reaches 150 MB per trace stream, older records are deleted. |
|
/var/log/kaspersky/extra |
Indefinite. When the size reaches 400 MB per trace stream, older records are deleted. |
|||
/var/log/ksmg-traces |
Indefinite. When the size reaches 23 GB per trace stream, older records are deleted. |
|||
Information from email messages:
|
Backup |
/var/opt/kaspersky |
Indefinite. When the size reaches 7 GB, older records are deleted. |
|
Information from email messages:
|
Anti-Spam Quarantine |
/var/opt/kaspersky |
Indefinite. When the size reaches 1 GB, older records are deleted. |
|
Information from email messages:
|
KATA Quarantine. |
/var/opt/kaspersky |
Indefinite. When the 1 GB or 5000 message limit is reached (the values can be configured by the administrator), new messages are not placed in KATA Quarantine. |
|
Information from email messages:
|
Temporary files |
|
Until application restart. |
|
Integration with Active Directory |
||||
|
|
/var/opt/kaspersky/ksmg/ldap/cache.dbm |
Indefinite. The data is regularly updated. When integration with Active Directory is disabled, the data is deleted. |
|
Integration with Kaspersky Anti Targeted Attack Platform (KATA) |
||||
Information from email messages:
|
Forwarding of objects to be scanned on the KATA server |
Data is not saved. |
Data is not saved. |
No access. |
Built-in mail server functionality |
||||
|
Built-in mail server settings |
/etc/postfix/ /var/opt/kaspersky/ |
Indefinite. Data is deleted when the corresponding settings are removed in the application web interface. Certificate files can be overwritten when a certificate is replaced. |
|
Information from email messages:
|
Event log of the built-in mail server |
/var/log/maillog |
Indefinite. When the size reaches 23 GB, older records are deleted. |
|
Information from email messages:
|
Message queues of the built-in mail server |
/var/spool/postfix |
Indefinite. Messages are deleted when they are delivered to recipients. |
|
Connecting over SSH:
Connecting over the web interface:
|
Authorization event log |
/var/log/secure |
Not longer than 5 weeks. A weekly file rotation is maintained. |
|
Public SSH keys of application administrators. |
Built-in SSH server settings |
/etc/ssh/authorized_keys |
Indefinite. Data is deleted when the corresponding settings are removed in the application web interface. |
|
Scope of data transmitted to the Kaspersky Security Network service
Data is sent to KSN servers in an encrypted form. By default, data can be accessed by Kaspersky staff, the superuser (root) account of operating systems, and the kluser system account used by application components.
For a full enumeration of user data transmitted to the KSN service, see the following table.
The enumerated data is transmitted only if consent has been given to participate in Kaspersky Security Network.
Data transmitted to the Kaspersky Security Network service
Data type |
Where data is used |
Storage location |
Storage duration |
---|---|---|---|
|
Sending KSN requests |
KSN servers |
Indefinite. The maximum number of stored entries is 360,000. When this limit is reached, those entries are deleted that have not been accessed for the longest time. |
|
Sending KSN statistics |
KSN servers |
Before sending statistics to KSN. After disabling the sending of KSN statistics in application settings, the data is deleted when the next attempt to send them occurs. |
When the application databases are updated from Kaspersky servers, the following information is transmitted: