Before-queue integration

July 4, 2024

ID 43928

When "before-queue" integration is used and messages are forwarded to Kaspersky Security 8 for Linux Mail Server for scanning and then returned to the Postfix mail server, the following conditions must be satisfied:

  • The filter must be configured to intercept messages from the Postfix mail server via socket-in. This socket is specified in the configuration file of the program at step 8 of the instructions below.
  • The filter must forward messages to Scan Logic for scanning via the scanner socket. This socket is specified while running the initial configuration script.
  • The filter must return messages to the Postfix mail server via socket-out. This socket is specified in the configuration file of the program at step 8 of the instructions below.

When Kaspersky Security 8 for Linux Mail Server is integrated with the Postfix mail server, socket-in, scanner, and socket-out can point to a network socket or to a local one.

To perform before-queue integration of Kaspersky Security 8 for Linux Mail Server with Postfix:

  1. Open the configuration file master.cf.
  2. In the master.cf file, after the line

    smtp inet n - n - - smtpd

    add the following lines:

    #klms-postfix-prequeue-start

    -o smtpd_proxy_filter=$sock_postfix_format

    -o smtpd_proxy_options=speed_adjust (for integration with Postfix 2.7 or higher)

    #klms-postfix-prequeue-end

    where $sock_postfix_format is the IP address and port number on which the filter listens for incoming connections, in the <IP address>:<port> format (for a network socket).

  3. Add the following strings at the end of the master.cf configuration file:
    • For an inet socket:

      #klms-begin

      127.0.0.1:$forward_port inet n - n - 10 smtpd

      -o receive_override_options=no_unknown_recipient_checks, no_header_body_checks,no_address_mappings

      -o smtpd_helo_restrictions=

      -o smtpd_client_restrictions=

      -o smtpd_sender_restrictions=

      -o smtpd_recipient_restrictions=permit_mynetworks,reject

      -o mynetworks=127.0.0.0/8,[::1]/128

      -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128

      #klms-end

      where the 127.0.0.1:$forward_port inet n - n - 10 smtpd string is required to enable Postfix to accept processed messages from the filter and listen for data on $forward_port.

    • For a unix socket:

      #klms-begin

      klms_postfix-prequeue unix - - n - 10 smtp

      -o smtp_send_xforward_command=yes

      $unix_socket_name unix n - n - 100 smtpd

      -o receive_override_options=no_unknown_recipient_checks, no_header_body_checks,no_address_mappings

      -o smtpd_helo_restrictions=

      -o smtpd_client_restrictions=

      -o smtpd_sender_restrictions=

      -o smtpd_recipient_restrictions=permit_mynetworks,reject

      -o mynetworks=127.0.0.0/8,[::1]/128

      -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128

      #klms-end

      where the $unix_socket_name unix n - n - 100 smtpd string is required to enable Postfix to accept processed messages from the filter and listen for data on the $unix_socket_name unix socket.

  4. Open the file /var/opt/kaspersky/klms/installer.dat (under Linux) or /var/db/kaspersky/klms/installer.dat (under FreeBSD).
  5. Add the following lines to the file:

    POSTFIX_INTEGRATION_TYPE=prequeue

    START_SMTP_PROXY=1

  6. Open the file /etc/opt/kaspersky/klms/klms_filters.conf (under Linux) or /usr/local/etc/kaspersky/klms/klms_filters.conf (under FreeBSD).
  7. In the [global] section, set the false value for the header-guard setting.
  8. In the [smtp_proxy] section, specify the following settings:

    socket-in=<IP address and port number> or <UNIX socket> specified at Step 2 of the wizard for $sock_postfix_format

    socket-out=<IP address and port number> or <UNIX socket> specified at step 3 of the instructions for $forward_port or $unix_socket_name in the inet:<port>@<IP address> format (for a network socket) or unix:<path to the UNIX socket> (for a UNIX socket).

    Example 1:

    socket-in=inet:10025@127.0.0.1

    socket-out=inet:10026@127.0.0.1

    Example 2:

    socket-in=unix:/var/run/ksmg/ksmg_smtp_sock

    socket-out=unix:/var/spool/postfix/public/ksmg_forward_sock

  9. Restart the klms service.
  10. Restart the Postfix mail server.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.