After-queue integration

July 4, 2024

ID 43923

When "after-queue" integration is used and messages are forwarded to Kaspersky Security 8 for Linux Mail Server for scanning and then returned to the Postfix mail server, the following conditions must be satisfied:

  • The filter must be configured to intercept messages from the Postfix mail server via socket-in. This socket is specified in the configuration file of the program at step 9 of the instructions below.
  • The filter must forward messages to Scan Logic for scanning via the scanner socket. This socket is specified while running the initial configuration script.
  • The filter must return messages to the Postfix mail server via socket-out. This socket is specified in the configuration file of the program at step 9 of the instructions below.

When Kaspersky Security 8 for Linux Mail Server is integrated with the Postfix mail server, socket-in may point only to a network socket; scanner and socket-out can point to a network socket or to a local socket.

To perform after-queue integration of Kaspersky Security 8 for Linux Mail Server with Postfix:

  1. Open the configuration file main.cf.
  2. Add the following strings to the end of the main.cf file:

    #klms-begin-afterqueue-filter

    content_filter = klms_postfix-afterqueue:$sock_postfix_format

    #klms-end-afterqueue-filter

    where $sock_postfix_format is the IP address and port number on which the filter listens for incoming connections, in the <IP address>:<port> format (for a network socket).

  3. Open the configuration file master.cf.
  4. Add the following strings to the end of the master.cf file:
    • For an inet socket:

      #klms-begin-afterqueue-filter

      klms_postfix-afterqueue unix - - n - 20 smtp

      -o smtp_send_xforward_command=yes

      127.0.0.1:$forward_port inet n - n - 10 smtpd

      -o content_filter=

      -o receive_override_options=no_unknown_recipient_checks, no_header_body_checks,no_address_mappings

      -o smtpd_helo_restrictions=

      -o smtpd_client_restrictions=

      -o smtpd_sender_restrictions=

      -o smtpd_recipient_restrictions=permit_mynetworks,reject

      -o mynetworks=127.0.0.0/8,[::1]/128

      -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128

      -o smtpd_tls_security_level=none

      -o message_size_limit=0

      #klms-end-afterqueue-filter

      where the 127.0.0.1:$forward_port inet n - n - 10 smtpd string is required to enable Postfix to accept processed messages from the filter and listen for data on $forward_port.

    • For a Unix socket:

      #klms-begin-afterqueue-filter

      klms_postfix-afterqueue unix - - n - 20 smtp

      -o smtp_send_xforward_command=yes

      $unix_socket_name unix n - n - 100 smtpd

      -o receive_override_options=no_unknown_recipient_checks, no_header_body_checks,no_address_mappings

      -o smtpd_helo_restrictions=

      -o smtpd_client_restrictions=

      -o smtpd_sender_restrictions=

      -o smtpd_recipient_restrictions=permit_mynetworks,reject

      -o mynetworks=127.0.0.0/8,[::1]/128

      -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128

      -o smtpd_tls_security_level=none

      -o message_size_limit=0

      #klms-end

      where the $unix_socket_name unix n - n - 100 smtpd string is required to enable Postfix to accept processed messages from the filter and listen for data on the $unix_socket_name unix socket.

  5. Open the file /var/opt/kaspersky/klms/installer.dat (under Linux) or /var/db/kaspersky/klms/installer.dat (under FreeBSD).
  6. Add the following lines to the file:

    POSTFIX_INTEGRATION_TYPE=afterqueue

    START_SMTP_PROXY=1

  7. Open the file /etc/opt/kaspersky/klms/klms_filters.conf (under Linux) or /usr/local/etc/kaspersky/klms/klms_filters.conf (under FreeBSD).
  8. Set the true value in the [global] section for theheader-guard setting.
  9. In the [smtp_proxy] section, specify the following settings:

    socket-in=<IP address and port number> specified at Step 2 of the wizard for $sock_postfix_format

    socket-out=<IP address and port number> or <UNIX socket> specified at step 4 of the instructions for $forward_port or $unix_socket_name in the inet:<port>@<IP address> format (for a network socket) or unix:<path to the UNIX socket> (for a UNIX socket)

    Example 1:

    socket-in=inet:10025@127.0.0.1

    socket-out=inet:10026@127.0.0.1

    Example 2:

    socket-in=inet:10025@127.0.0.1

    socket-out=unix:/var/spool/postfix/public/ksmg_forward_sock

  10. Restart the klms service.
  11. Restart the Postfix mail server.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.