Before-queue integration
July 4, 2024
ID 43928
When "before-queue" integration is used and messages are forwarded to Kaspersky Security 8 for Linux Mail Server for scanning and then returned to the Postfix mail server, the following conditions must be satisfied:
- The filter must be configured to intercept messages from the Postfix mail server via
socket-in. This socket is specified in the configuration file of the program at step 8 of the instructions below. - The filter must forward messages to Scan Logic for scanning via the
scannersocket. This socket is specified while running the initial configuration script. - The filter must return messages to the Postfix mail server via
socket-out.This socket is specified in the configuration file of the program at step 8 of the instructions below.
When Kaspersky Security 8 for Linux Mail Server is integrated with the Postfix mail server, socket-in, scanner, and socket-out can point to a network socket or to a local one.
To perform before-queue integration of Kaspersky Security 8 for Linux Mail Server with Postfix:
- Open the configuration file master.cf.
- In the master.cf file, after the line
smtp inet n - n - - smtpdadd the following lines:
#klms-postfix-prequeue-start-o smtpd_proxy_filter=$sock_postfix_format-o smtpd_proxy_options=speed_adjust(for integration with Postfix 2.7 or higher)#klms-postfix-prequeue-endwhere
$sock_postfix_formatis the IP address and port number on which the filter listens for incoming connections, in the<IP address>:<port>format (for a network socket). - Add the following strings at the end of the master.cf configuration file:
- For an inet socket:
#klms-begin127.0.0.1:$forward_port inet n - n - 10 smtpd-o receive_override_options=no_unknown_recipient_checks, no_header_body_checks,no_address_mappings-o smtpd_helo_restrictions=-o smtpd_client_restrictions=-o smtpd_sender_restrictions=-o smtpd_recipient_restrictions=permit_mynetworks,reject-o mynetworks=127.0.0.0/8,[::1]/128-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128#klms-endwhere the
127.0.0.1:$forward_port inet n - n - 10 smtpdstring is required to enable Postfix to accept processed messages from the filter and listen for data on$forward_port. - For a unix socket:
#klms-beginklms_postfix-prequeue unix - - n - 10 smtp-o smtp_send_xforward_command=yes$unix_socket_name unix n - n - 100 smtpd-o receive_override_options=no_unknown_recipient_checks, no_header_body_checks,no_address_mappings-o smtpd_helo_restrictions=-o smtpd_client_restrictions=-o smtpd_sender_restrictions=-o smtpd_recipient_restrictions=permit_mynetworks,reject-o mynetworks=127.0.0.0/8,[::1]/128-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128#klms-endwhere the
$unix_socket_name unix n - n - 100 smtpdstring is required to enable Postfix to accept processed messages from the filter and listen for data on the $unix_socket_name unix socket.
- For an inet socket:
- Open the file /var/opt/kaspersky/klms/installer.dat (under Linux) or /var/db/kaspersky/klms/installer.dat (under FreeBSD).
- Add the following lines to the file:
POSTFIX_INTEGRATION_TYPE=prequeueSTART_SMTP_PROXY=1 - Open the file /etc/opt/kaspersky/klms/klms_filters.conf (under Linux) or /usr/local/etc/kaspersky/klms/klms_filters.conf (under FreeBSD).
- In the
[global]section, set thefalsevalue for theheader-guardsetting. - In the
[smtp_proxy]section, specify the following settings:socket-in=<IP address and port number>or<UNIX socket>specified at Step 2 of the wizard for$sock_postfix_formatsocket-out=<IP address and port number>or<UNIX socket>specified at step 3 of the instructions for$forward_port or $unix_socket_namein theinet:<port>@<IP address>format (for a network socket) orunix:<path to the UNIX socket>(for a UNIX socket).Example 1:
socket-in=inet:10025@127.0.0.1socket-out=inet:10026@127.0.0.1Example 2:
socket-in=unix:/var/run/ksmg/ksmg_smtp_socksocket-out=unix:/var/spool/postfix/public/ksmg_forward_sock - Restart the klms service.
- Restart the Postfix mail server.
