[Topic 201622]

Kaspersky Secure Mail Gateway

Kaspersky Secure Mail Gateway lets you deploy a mail gateway as a cluster system, which can scale with the volume of processed traffic, and integrate it into the existing mail infrastructure of your organization. An operating system, mail server, and Kaspersky anti-virus application are preinstalled on the mail gateway.

Kaspersky Secure Mail Gateway protects incoming and outgoing email against malicious objects, spam and phishing content, and performs content filtering of email messages.

Kaspersky Secure Mail Gateway functionality includes:

• Performs Anti-Virus scanning of messages:
  • Checking messages for viruses and malware, macros (for example, Microsoft Office files containing macros), encrypted objects, archives (including recognizing types of files inside archives and compound objects).
  • Using information from
    Kaspersky Security Network

    An infrastructure of cloud services that provides access to the Kaspersky online Knowledge Base, which contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures that Kaspersky applications respond faster to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.

    to ensure a faster response to new threats.
  • Integrates with
    Kaspersky Private Security Network

    A solution that allows users of Kaspersky anti-virus applications to access Kaspersky Security Network data without sending their own information to Kaspersky Security Network servers.

    (KPSN) so that organizations where Internet access is restricted by internal rules and policies can utilize Kaspersky Security Network (KSN) functionality.
  • Integrating with
    Kaspersky Anti Targeted Attack Platform

    Solution designed for the protection of a corporate IT infrastructure and timely detection of threats such as zero-day attacks, targeted attacks, and complex targeted attacks known as advanced persistent threats (hereinafter also referred to as "APT").

    (KATA) for detection of threats such as zero-day attacks, targeted attacks, and complex targeted attacks known as advanced persistent threats (APT).
• Performs Anti-Spam scanning of messages:
  • Checking messages for spam, probable spam, mass mail (including spoofed domain recognition and IP address reputation checking).
  • Detects messages containing Unicode
    spoofing

    A type of attack based on the falsification (spoofing) of transmitted data. Spoofing may be aimed at obtaining elevated privileges, primarily through bypassing the verification mechanism by generating a request similar to an authentic request. One variant of spoofing is to forge an HTTP header to gain access to hidden content.

    The goal of spoofing may also be to deceive a user. A classic example of such an attack is the falsification of the sender's address in emails.

    A type of attack based on the falsification (spoofing) of transmitted data. Spoofing may be aimed at obtaining elevated privileges, primarily through bypassing the verification mechanism by generating a request similar to an authentic request. One variant of spoofing is to forge an HTTP header to gain access to hidden content.

    The goal of spoofing may also be to deceive a user. A classic example of such an attack is the falsification of the sender's address in emails.

    A type of attack based on the falsification (spoofing) of transmitted data. Spoofing may be aimed at obtaining elevated privileges, primarily through bypassing the verification mechanism by generating a request similar to an authentic request. One variant of spoofing is to forge an HTTP header to gain access to hidden content.

    The goal of spoofing may also be to deceive a user. A classic example of such an attack is the falsification of the sender's address in emails.

    . If Unicode spoofing is detected, the message is considered to be spam. The program adds the unicode_spoof tag to the X-KSMG-AntiSpam-Method message header.
  • Adds the X-MS-Exchange-Organization-SCL X-headers to messages based on the Anti-Spam scan results. This tag contains the
    SCL rating

    Spam Confidence Level is a special tag used by Microsoft Exchange mail servers to measure the probability that a message contains spam. The SCL rating can range from 0 (minimum probability of spam) to 9 (the message is most likely spam). Kaspersky Secure Mail Gateway can change the SCL rating of a message depending on the message scan results.

    Spam Confidence Level is a special tag used by Microsoft Exchange mail servers to measure the probability that a message contains spam. The SCL rating can range from 0 (minimum probability of spam) to 9 (the message is most likely spam). Kaspersky Secure Mail Gateway can change the SCL rating of a message depending on the message scan results.

    .
  • Places messages into Anti-Spam Quarantine and manages the Anti-Spam Quarantine in the web interface.
• Performs Anti-Phishing scanning of messages.
• Scans messages for malicious or advertising links, as well as links related to legitimate software.
• Performs content filtering of messages:
  • By name
  • By size
  • By attachment type (Kaspersky Secure Mail Gateway can determine the actual format and type of attachments regardless of file extension).
• Lets you perform Mail Sender Authentication using
  SPF

  Comparison of IP addresses of mail senders with the list of possible message sources that has been created by the mail server administrator.

  Comparison of IP addresses of mail senders with the list of possible message sources that has been created by the mail server administrator.

  ,
  DKIM

  Verification of the digital signature of messages.

  Verification of the digital signature of messages.

  , and
  DMARC

  Verification that determines the policy and actions taken on messages based on the results of SPF and DKIM Mail Sender Authentication.

  Verification that determines the policy and actions taken on messages based on the results of SPF and DKIM Mail Sender Authentication.

  technologies.
• Configuring integration with Active Directory to obtain information about domain users.
• Obtaining information about program events:
  • Logging mail traffic processing events as well as system events that occur during the operation of the program. The log can be filtered to search for events conveniently.
  • Exporting events in the CSV format.
• Publishing program events to a
  SIEM system

  SIEM system (Security Information and Event Management) is a solution for managing information and events in an organization's security system.

  SIEM system (Security Information and Event Management) is a solution for managing information and events in an organization's security system.

  used in your organization over the Syslog protocol. Information about each program event is relayed as a separate syslog message in CEF format.
• Configuring settings and managing the program via a web interface.
  • Monitoring the status of email traffic and usage of system resources and viewing lists of the latest detected threats in the web interface of the program.
  • Delimiting user access to program functionality using a role system.
  • Configuring single sign-on authentication.
  • Creating a cluster to scale the solution (horizontally or vertically) with centralized management of all servers in the cluster using the program web interface.
  • Managing Backup:
    • Saving backup copies of messages in Backup based on scan results.
    • Saving messages from Backup to a file.
    • Forwarding messages to recipients.
    • Receiving information about users from different domains and granting users access to personal Backup.
  • Creating allowlists and denylists, which let you fine-tune the way the mail system reacts to messages from certain addresses.
  • Updating program databases from Kaspersky update servers and custom sources on schedule and on demand.

    The update functionality (including anti-virus signature updates and code base updates), as well as the KSN functionality may not be available in the application in the territory of the USA.

  • Configuring email notifications:
    • Notifying the sender, recipients, and other addresses about objects detected in a message.
    • Sending notifications to users about system events encountered by the program.
  • Adding email disclaimers to outgoing and incoming messages, and adding warnings about potentially unsafe messages.
  • Generating and viewing reports about the results of message processing and program events.
  • Processing email messages in accordance with rules configured for groups of senders and recipients.
  • Adding, modifying, or deleting information about domains (including local domains of the organization) and email addresses, editing Kaspersky Secure Mail Gateway settings for such domains and email addresses, configuring email routing.
  • Lets you configure
    MTA

    Mail Transfer Agent is an agent that handles message sending between mail servers.

    Mail Transfer Agent is an agent that handles message sending between mail servers.

    .
  • Adding, modifying, and deleting DKIM and TLS encryption keys.
  • Receiving program operation statistics via the SNMP protocol, and enabling or disabling forwarding of
    SNMP traps

    An application event notification sent by the SNMP agent.

    An application event notification sent by the SNMP agent.

    .

Kaspersky Secure Mail Gateway is distributed as an ISO image of a virtual machine for deployment in the VMware ESXi or Microsoft Hyper-V hypervisor.

Deploying of the image creates a virtual machine with a pre-installed CentOS 7.9 operating system, a mail server, and Kaspersky Secure Mail Gateway. After deploying the virtual machine, you can configure it using the Initial Configuration Wizard.

[Topic 207070]

What's new

Kaspersky Secure Mail Gateway 2.0 provides the following improvements:

• New cluster architecture for scaling the solution (horizontally or vertically) with the capability to centrally manage all servers of the cluster through the program web interface.
• New role-based restriction of user access to program functionality (when integrated with Microsoft Active Directory).
• Added centralized management of message Backup (including user-based).
• Integration with KATA 3.7 and KATA 4.0 for detecting and blocking objects.
• Event log with filtering capabilities to conveniently search and export events to a CSV file for further analysis.
• Improved mechanism for detecting sophisticated attacks aimed at compromising corporate correspondence (such as
  BEC attacks

  Business Email Compromise (BEC) refers to fraudulent business correspondence for the purpose of committing financial fraud, acquiring confidential information, or undermining the reputation of a company. A BEC attack normally involves an entire sequence of actions that ultimately provide hackers with the opportunity to begin correspondence with an employee of a company, gain that employee's trust through the use of social engineering techniques, and persuade the employee to perform actions that conflict with the interests of the company and/or its customers.

  Business Email Compromise (BEC) refers to fraudulent business correspondence for the purpose of committing financial fraud, acquiring confidential information, or undermining the reputation of a company. A BEC attack normally involves an entire sequence of actions that ultimately provide hackers with the opportunity to begin correspondence with an employee of a company, gain that employee's trust through the use of social engineering techniques, and persuade the employee to perform actions that conflict with the interests of the company and/or its customers.

  and Active Directory spoofing attacks).
• Added Kaspersky URL Advisor module in message processing rules to detect malicious links, adware links and legitimate software links, and distinguish them from phishing links.
• Added spam detection technology based on recognition of spoofed domains (look-alike).
• Upgraded operating system preinstalled in the ISO image and updated Mail Transfer Agent (MTA).
• Added identification of the reputation of IP addresses during scans by the Anti-Spam module.
• New information displayed in the Dashboard section, and added capability to filter information about cluster nodes and to create your own graph layouts.
• Added capability to import settings from KSMG 1.1 MR3.

[Topic 207071]

Hardware and software requirements

Hardware requirements of the virtual machine configuration for ISO image deployment

• 8 CPU cores
• 16 GB of RAM
• 200 GB of disk space

Software requirements for corporate LAN computers (to use SSO authentication for the application web interface)

• Windows 8.1.
• Windows 10 (1809, 20H2, 21H2).
• Windows 11 (21H2).

Software requirements for the hypervisor for deploying the virtual machine

• VMware ESXi 6.5 Update 3.
• VMware ESXi 6.7 Update 3b.
• VMware ESXi 7.0 Update 2d.
• Microsoft Hyper-V Server 2016 (Generation 1 only).
• Microsoft Hyper-V Server 2019.

Software requirements for configuring integration with an LDAP server

• Windows Server 2012 R2 Standard.
• Windows Server 2016 Standard.
• Windows Server 2019 Standard.
• Windows Server 2022 Standard.

Software requirements for managing Kaspersky Secure Mail Gateway via the web interface

To run the web interface, one of the following browsers must be installed on the computer:

• Mozilla Firefox version 94.
• Google Chrome version 96.
• Microsoft Edge version 96.

These system requirements guarantee that Kaspersky Secure Mail Gateway will have a peak throughput of 10 messages per second with an average message size of 300 KB. The actual performance of the application depends on the processor model and its clock rate. To increase throughput, you are advised to increase virtual machine resources or deploy several virtual machine images and distribute the stream of email messages among them while creating the appropriate record on the DNS server, or use network load balancing services.

[Topic 59365]

Distribution kit

Kaspersky Secure Mail Gateway is included in the following comprehensive solutions for security and system administration from Kaspersky:

• Kaspersky TOTAL Security for Business.
• Kaspersky Security for Mail Servers.

To select a comprehensive solution that is most suitable for your organization, consult with specialists of a Kaspersky partner company. The contact details and addresses of partners are provided on the Kaspersky website at https://locator.kaspersky.com/b2b/.

The content of the distribution kit may differ depending on the region in which the application is distributed.

When you buy Kaspersky Secure Mail Gateway, you copy the application from the website of a partner company or the Kaspersky website. Information that is required for activating the application will be sent to you by email after your payment has been received.

[Topic 205767]

About information X-headers

Based on the results of the scan, the application appends special information X-headers to the header of the message, for example:

• X-KSMG-Rule-ID – list of message processing rule IDs.
• X-KSMG-Message-Action – action taken by the application on the message, and the application module that was triggered.
• X-KSMG-AntiVirus – header for messages processed by the Anti-Virus module (contains the name and version of the application as well as the release date of Anti-Virus databases).
• X-KSMG-AntiVirus-Status – status assigned to the message by Anti-Virus based on the Anti-Virus scan results.
• X-KSMG-AntiSpam-Lua-Profiles – version of Anti-Spam databases and information about the assigned spam rating.
• X-KSMG-AntiSpam-Method – method used to identify spam.
• X-KSMG-AntiSpam-Rate – rating assigned to the message by the Anti-Spam engine.
• X-KSMG-AntiSpam-Status – status assigned to the message by the Anti-Spam engine based on the scan results.
• X-KSMG-AntiSpam-Envelope-From – message sender.
• X-KSMG-AntiSpam-Auth – status assigned to the message as a result of Mail Sender Authentication using SPF, DKIM, DMARC technologies.
• X-KSMG-AntiSpam-Version – version of the Anti-Spam module.
• X-KSMG-AntiSpam-Info – criteria which the Anti-Spam module applied to assign the status to the message.
• X-KSMG-AntiSpam-Moebius-Timestamps – information about signatures of the Moebius service.
• X-KSMG-AntiPhishing – header for messages processed by the Anti-Phishing module (contains the result of the scan).
• X-KSMG-LinksScanning – header for messages processed by the URL Advisor module (contains the scan result and the release date of the Anti-Virus databases).
• X-KSMG-AntiSpam-Interceptor-Info – message scan result.

  The header can contain the following values:

  • not scanned – the Anti-Spam module is disabled.
  • timeout expired – the scan was not completed because timeout was reached.
  • scan successful – the message was scanned successfully.
  • fallback – the scan was not completed because an error was encountered.

[Topic 209630]

Network accesses used

All necessary ports are already configured for the application deployed from the ISO image. Information about network accesses required by application functionality is listed in the following table.

Network accesses required by the application

Page top

[Topic 296365]

Known limitations of Kaspersky Secure Mail Gateway 2.0

Content Filtering does not detect CSV and SLDM attachment types. If you need the Content Filtering module to detect these attachment types, please contact Technical Support.

[Topic 90219]

The Kaspersky Secure Mail Gateway interface

You work with the Kaspersky Secure Mail Gateway through a web interface.

The main window of the web interface contains the following items:

• Management console tree in the left part of the main window of the program web interface.
• Workspace in the right part of the main window of the program web interface.

The Kaspersky Secure Mail Gateway's control panel tree

The Kaspersky Secure Mail Gateway's control panel tree includes the following sections:

• Dashboard. Contains widget and dashboards for monitoring the operation of the program.
• Rules. Lets you create and configure rules for processing messages.
• User lists. Lets you create and configure personal customized lists of allowed and denied addresses.
• Nodes. Lets you manage cluster nodes.
• Events. Contains information about events detected in email traffic as well as system events encountered during the operation of the program.
• Backup. Contains information about messages that had copies placed in Backup based on scanning by program modules, as well as a filter for searching messages in Backup.
• Message queue. Contains information about the message queue of the Mail Transfer Agent (MTA), Anti-Spam Quarantine, KATA Quarantine (if integration with KATA is configured), and the message search filter.
• Reports. Lets you generate reports about the operation of the program and send them by email.
• Accounts. Contains information about program user accounts and access rights.
• Settings. Contains the General, Personal accounts, External services, Logs and events, Monitoring, Application access, and Built-in MTA sections in which you can configure the program settings.

The workspace of Kaspersky Secure Mail Gateway web interface

The workspace contains information about the sections that you select in the management console and control elements for editing the program settings.

Settings in the workspace of the main window are grouped into settings groups for sections that let you manage Kaspersky Secure Mail Gateway settings.

[Topic 69238]

Application licensing

This section provides information about general concepts related to licensing of Kaspersky Secure Mail Gateway.

[Topic 73374]

About the End User License Agreement

The End User License Agreement is a binding agreement between you and AO Kaspersky Lab, stipulating the terms on which you may use the application.

Read through the terms of the End User License Agreement carefully before you start using the application.

You can view the terms and conditions of the End User License Agreement in the following ways:

• During installation of Kaspersky Secure Mail Gateway.
• By reading the license.txt file. This file is included in the distribution kit of the application.

By confirming that you agree with the End User License Agreement when installing the application, you signify your acceptance of the terms of the End User License Agreement. If you do not accept the terms and conditions of the End User License Agreement, you must cancel the installation and may not use the application.

[Topic 73976]

About the license certificate

A License Certificate is a document that you receive together with a key file or activation code.

The License Certificate contains the following license information:

• License key or order number.
• Details of the license holder.
• Information about the application that can be activated using the license.
• Limitation on the number of licensing units (for example, devices on which the application can be used under the license).
• License start date
• License expiration date or license validity period.
• License type.

[Topic 91152]

About the key

A license key is a sequence of bits used to activate and use the application in accordance with the End User License Agreement. A license key is generated by Kaspersky.

You can add a key to the application in one of the following ways: apply a key file or enter an activation code.

The added license key is displayed in the application interface as a unique alphanumeric sequence.

Kaspersky can block a license key over violations of the End User License Agreement. If the license key has been blocked, you must add a different license key to continue using the application.

The following types of keys are used for Kaspersky Secure Mail Gateway:

• Fully-functional key. When this key is added, the application works in full-functionality mode. This means that it scans for spam, phishing, viruses and other types of malware, employs Link scanning, Content Filtering and Mail Sender Authentication, and scans messages using Kaspersky Anti Targeted Attack Platform.
• Key for Anti-Virus protection. When this key is added, the application scans for viruses and other types of malware, employs Link scanning, Mail Sender Authentication and Content Filtering, and scans messages using Kaspersky Anti Targeted Attack Platform. With this key, the application does not scan for spam or phishing content. The status label assigned by the application to a message following scans by these modules contains information regarding limited functionality.
• Key for Anti-Spam and Anti-Phishing protection. When this key is added, the application scans messages for spam and phishing content, employs Content Filtering and Mail Sender Authentication, and scans messages using Kaspersky Anti Targeted Attack Platform. The application does not scan for viruses or other malware, and does not employ URL Advisor. The status label assigned by the application to a message following scans by these modules contains information regarding limited functionality.

Anti-Spam and Anti-Virus databases are updated regardless of key type.

[Topic 69431]

About the key file

A key file is a file with the .key extension that you receive from Kaspersky. The purpose of the key file is to add a license key to activate the application.

You receive a key file at the email address you specified after purchasing Kaspersky Secure Mail Gateway or after requesting the trial version of Kaspersky Secure Mail Gateway.

You do not need to connect to Kaspersky activation servers in order to activate the application with a key file.

You can recover a key file if it is accidentally deleted. You may need a key file to register with Kaspersky CompanyAccount.

To recover a key file, do one of the following:

• Contact the vendor of the license.
• Receive a key file from the Kaspersky website based on your existing activation code.

[Topic 69430]

About the activation code

An activation code is a unique sequence of 20 Latin alphabet characters and digits. You enter the activation code in order to add a license key to activate Kaspersky Secure Mail Gateway. You receive an activation code at the email address you specified after purchasing Kaspersky Secure Mail Gateway or after requesting the trial version of Kaspersky Secure Mail Gateway.

To activate the application with an activation code, Internet access is required for connecting to Kaspersky activation servers.

If you have lost your activation code after activating the application, contact the Kaspersky partner from whom you purchased the license.

[Topic 144076]

About the subscription

A subscription for Kaspersky Secure Mail Gateway is a purchase order for the application with specific parameters (subscription expiration date, number of devices protected).

A subscription can be limited (for example, lasting one year) or unlimited (without an expiration date). To continue using Kaspersky Secure Mail Gateway after a limited subscription expires, you need to renew it. An unlimited subscription is extended automatically if prepayment is made on time.

When a limited subscription expires, you may be provided a grace period for renewal. During this grace period, the application remains fully functional.

To use Kaspersky Secure Mail Gateway based on a subscription, you must apply an activation code. After the activation code is applied, a key is installed. This key defines the license granting use of the application on subscription.

[Topic 171771]

About data provision

The program operates with the use of data whose transmission and processing requires the consent of the Kaspersky Secure Mail Gateway administrator.

You can view the list of data and the terms on which it is used as well as give consent to data processing in the following agreements between your organization and Kaspersky:

• In the End User License Agreement.

  In accordance with the terms and conditions of the End User License Agreement that you have accepted, you consent to automatic real-time provision of information required for improving the security level of the mail server to Kaspersky. This information is enumerated in the End User License Agreement under "Conditions regarding Data Processing":

  • identifier of the program;
  • unique identifier of activation of the current license activation code;
  • identifier of the program installation;
  • name and version of the program.
• In the Privacy Policy.
• In the Kaspersky Security Network Statement and the Supplementary Kaspersky Security Network Statement.

  In the course of participation in the Kaspersky Security Network and submission of KSN statistics to Kaspersky, information can be transmitted that was obtained as a result of the program's operation. The list of data that is transmitted is provided in the Kaspersky Security Network Statement and the Supplementary Kaspersky Security Network Statement.

Data protection

Kaspersky protects any information received in this way as prescribed by law and applicable rules of Kaspersky. Data is transmitted over encrypted data links.

RAM of Kaspersky Secure Mail Gateway may contain any processed data of program users. The administrator of Kaspersky Secure Mail Gateway must personally ensure the security of such data.

By default, access to personal information of users can only be gained by the superuser (root) account of operating systems, the administrator account of Kaspersky Secure Mail Gateway Local administrator, as well as system accounts kluser, postfix, opendkim, and nginx, which components of the program use in the course of their operation. The program itself has no capability to restrict the permissions of administrators and other users of operating systems on which the program is installed. Access to the storage location of the data is restricted by the file system. The administrator should take steps to control access to personal information of other users by any system level measures at the administrator's own discretion.

Data is sent between cluster nodes through an encrypted channel (over HTTPS with user authorization using a security certificate). Data is sent to the web interface through an encrypted channel over HTTPS. Web interface users must complete the authentication procedure, and the Local administrator is authorized with a password.

Email delivery supports SMTPS encryption.

Managing the program using the management console of the server on which the program is installed using the superuser account lets you manage dump settings. A dump is generated whenever the program crashes and can be useful for analyzing the causes of the crash. The dump may include any data, including fragments of analyzed files. By default, dump generation in Kaspersky Secure Mail Gateway is disabled.

Access to such data can be gained from the Management Console of the server on which the program is installed, using an account with super-user privileges.

When sending diagnostic information to Kaspersky Technical Support, the Kaspersky Secure Mail Gateway administrator must take steps to ensure the security of dumps and trace files.

The administrator of Kaspersky Secure Mail Gateway is responsible for access to this information.

Scope of data that can be stored by the program

The following table contains the complete list of user data that can be stored by Kaspersky Secure Mail Gateway.

User data that can be stored in Kaspersky Secure Mail Gateway

Scope of data transmitted to the Kaspersky Security Network service

Data is sent to KSN servers in an encrypted form. By default, data can be accessed by Kaspersky staff, the superuser (root) account of operating systems, and the kluser system account, which components of the program use in the course of their operation.

For a full enumeration of user data transmitted to the KSN service, see the following table.

The enumerated data is transmitted only if consent has been given to participate in Kaspersky Security Network.

Data transmitted to the Kaspersky Security Network service

When the application databases are updated from Kaspersky servers, the following information is transmitted:

• Program version and type
• Unique ID of the current license key
• Unique program installation ID
• Update session ID

[Topic 100499]

Modes of Kaspersky Secure Mail Gateway operation under license

Kaspersky Secure Mail Gateway can operate in various modes depending on the license.

Unlicensed

Kaspersky Secure Mail Gateway runs in this mode from the time when you install the application and start its web interface and until you add an active key.

Kaspersky Secure Mail Gateway does not scan email messages in Unlicensed mode.

Trial license

In this mode, Kaspersky Secure Mail Gateway scans email messages and updates databases.

When the trial license key expires, Kaspersky Secure Mail Gateway stops scanning email messages and updating databases.

In order for Kaspersky Secure Mail Gateway to resume operation, you have to install a commercial license key.

Commercial license

In this mode, Kaspersky Secure Mail Gateway scans email messages and updates databases.

When the commercial license key expires, Kaspersky Secure Mail Gateway continues scanning email messages but stops updating databases.

To resume database updates, add a new commercial license key or renew the existing commercial license key.

Kaspersky Secure Mail Gateway supports the following types of commercial license keys:

• Fully-functional key. When this key is added, the application works in full-functionality mode. This means that it scans for spam, phishing, viruses and other types of malware, employs Link scanning, Content Filtering and Mail Sender Authentication, and scans messages using Kaspersky Anti Targeted Attack Platform.
• Key for Anti-Virus protection. When this key is added, the application scans for viruses and other types of malware, employs Link scanning, Mail Sender Authentication and Content Filtering, and scans messages using Kaspersky Anti Targeted Attack Platform. With this key, the application does not scan for spam or phishing content. The status label assigned by the application to a message following scans by these modules contains information regarding limited functionality.
• Key for Anti-Spam and Anti-Phishing protection. When this key is added, the application scans messages for spam and phishing content, employs Content Filtering and Mail Sender Authentication, and scans messages using Kaspersky Anti Targeted Attack Platform. The application does not scan for viruses or other malware, and does not employ URL Advisor. The status label assigned by the application to a message following scans by these modules contains information regarding limited functionality.

Key denylist

A key can be added to the key denylist in a number of cases. If this has happened, Kaspersky Secure Mail Gateway stops scanning email messages, but continues attempts to update databases in case the key is removed from the list of forbidden keys.

As soon as the key has been removed from the list of forbidden keys, Kaspersky Secure Mail Gateway resumes scanning of email messages in accordance with the valid license.

After message scans are disabled, the following functionality continues to work in the application:

• Mail Transfer Agent (MTA)
• LDAP server connection
• Event log
• Application operation reports
• Use of the web interface to manage all application settings except protection settings, message processing rules and their related settings for notifications and comments.

[Topic 144190]

Adding an activation code

To add an activation code:

1. In the application web interface window, select the Settings → General → Licensing section.
2. Click Add license key.

   This opens the Add license key window.

3. In the Type of license key drop-down list, select Activation code.
4. In the Activation code text box, type the program activation code in the XXXXX-XXXXX-XXXXX-XXXXX format, where X is a letter of the Latin alphabet (A-Z) or a decimal digit (0-9).
5. Click Activate.

The activation code will be sent to Kaspersky activation servers for verification.

If the code was entered incorrectly, a message is displayed in the workspace saying that the program was not activated. You can try to enter the activation code again in the same window.

If the code you typed is valid, a message appears confirming successful activation of the program. You can verify the state of the license key on cluster nodes.

You can also activate the program with a key file.

[Topic 91150]

Adding a key file

It is recommended to activate the program using an activation code.

To add a key file:

1. In the application web interface window, select the Settings → General → Licensing section.
2. Click Add license key.

   This opens the Add license key window.

3. In the Type of license key drop-down list, select Key file.
4. Under License key file, click Browse.

   The file selection window opens.

5. Select a key file to add and click Open.
6. Click Activate.

The key file is added and the program is activated. You can verify the state of the license key on cluster nodes.

[Topic 91151]

Removing a key

If you remove the license key, you cannot use the program functionality available under your license.

To remove a key:

1. In the application web interface window, select the Settings → General → Licensing section.
2. Click Remove license key.
3. In the confirmation window, click OK.

The license key will be deleted from all cluster nodes.

[Topic 215654]

Monitoring license key status

To track down license key problems, you can view summary information about licensing on all cluster nodes in the Licensing dashboard in the Nodes section.

A license key status can be one of the following:

• No errors means a valid license key was added.
• Warnings means the license key will soon expire.

  You can configure the time in days before expiry when this status is displayed in licensing settings.

• Errors means that a license key was not added or licensing errors occurred (for example, the key has expired or the key is on the denylist).

The right part of the dashboard shows the number of cluster nodes for each status.

To view detailed information about the status of the license key on each cluster node,

click View details in the Licensing pane to go to the Settings → Licensing → License key status section.

The upper part of the section displays a group of settings with information about the added license key:

• Status of the license key (for example, Active license key or The key is in denylist).
• License type is the type of license (trial or commercial).
• Functionality level is the application operating mode.
• Serial number is a unique sequence of Latin alphabet characters and digits.
• Program is the name of the application for which the license key was issued.

The lower part of the section displays the table of cluster nodes with information about the status of the license key on each node:

• IP address:port is the IP address and port of the cluster node.
• License key status is a detailed description of the status of the license key on the cluster node.
• Serial number is a unique sequence of Latin alphabet characters and digits.
• Expiration date is the date and time when the current license will expire.

  If you are using a commercial license key, after this expiration date the application will continue scanning messages using the last downloaded databases but will stop receiving database updates. If you are using a trial license key, application functionality will be completely disabled at the specified date and time of expiration.

This table is displayed if the user has View nodes information and/or Create/edit/delete nodes permissions, and View settings and/or Edit settings permissions.

You can also view information about the added license key in the information window of each cluster node.

[Topic 215655]

Configuring warnings about upcoming license key expiration

You can configure warnings about upcoming expiration of the license key in the application web interface. When the set number of days remains until expiration, the administrator is prompted with a warning in the following sections of the web interface:

• In the Nodes section in the Licensing pane
• In the cluster node information window
• In the table of license key status for each cluster node in the Settings → Licensing → License key status section.

To configure warnings about upcoming license key expiration:

1. In the application web interface window, select the Settings → Licensing → Settings section.
2. In the Notify about license key expiration before (days) field, enter the number of days before the expiration of the license key you want to receive warning in the application web interface.

   If you want to disable warnings, enter 0.

   Possible values: integers from 0 to 99. Default value: 30.

3. Click Save.

Warnings about upcoming expiration of the license key are configured.

[Topic 144226]

Purchasing a license

Kaspersky Secure Mail Gateway is included in the following comprehensive solutions for security and system administration from Kaspersky:

• Kaspersky TOTAL Security for Business.
• Kaspersky Security for Mail Servers.

To select a comprehensive solution that is most suitable for your organization, consult with specialists of a Kaspersky partner company. The contact details and addresses of partners are provided on the Kaspersky website at https://locator.kaspersky.com/b2b/.

[Topic 277333]

Renewing a license

Renewing a license involves the following steps:

1. Disabling message reception in the cluster

   After the key is removed, Kaspersky Secure Mail Gateway will skip all messages without scanning by the scan modules. Allowlists and denylists will keep working. We recommend disabling message reception in the Kaspersky Secure Mail Gateway cluster to prevent messages with malicious content from reaching the organization.

2. Removing an existing license key
3. Adding a new license key

   You can add a key to the application in one of the following ways: apply a key file or enter an activation code.

4. Running database updates
5. Checking the state of nodes

   Go to the Nodes section and make sure that there are no database update errors or licensing errors.

   If the Operating system restart is required is displayed for a node, restart that node.

6. Enabling message reception in the cluster

[Topic 206559]

Application installation and setup

Servers on which you are installing the application must have static IP addresses. Otherwise, after the cluster is created, managing node settings as well as synchronizing settings with the Control node will be unavailable.

You can install the application on a virtual server without an operating system. The application is deployed using an ISO file that contains an operating system image with pre-installed Kaspersky Secure Mail Gateway and a built-in mail server.

Installation to virtual machines on the following hypervisors is supported:

• VMware ESXi.

  You can perform all virtual machine deployment activities using the following interfaces:

  • The VMware vSphere web interface
  • The management console of the VMware ESXi hypervisor
• Microsoft Hyper-V.

  You can perform all virtual machine deployment activities using the following interfaces:

  • In the Microsoft System Center Virtual Machine Manager (hereinafter also Microsoft SCVMM) interface
  • In the Microsoft Hyper-V Manager management console

Make sure that the version of the hypervisor and the hardware resources allocated for the virtual machine meet all applicable hardware and software requirements.

Only Generation 1 virtual machines are supported when the program is installed to a Microsoft Hyper-V Server 2016 hypervisor. Use of Generation 2 virtual machines may lead to virtual machine malfunctions or cause disrupted operation of the hypervisor

The port setup in the operating system that is required for correct operation of the application is already complete. You can read the list of network accesses used.

After installation, the application begins recording information relevant to the operation of its component in the Kaspersky Secure Mail Gateway event log, the syslog event log, as well as trace files in accordance with the specified trace level. For more details, see the section About data provision.

[Topic 206561]

Deploying a virtual machine in the management console of the VMware ESXi hypervisor

Deploying a virtual machine image involves the following steps:

1. Uploading an ISO file to data storage

   The ISO file of Kaspersky Secure Mail Gateway contains an operating system image with the application pre-installed and a built-in mail server.

2. Creating a virtual machine

   When creating a virtual machine, you must modify settings in accordance with recommendations for the operation of Kaspersky Secure Mail Gateway.

3. Modifying virtual machine settings

   If you want to connect a virtual machine to multiple network segments, you need to add an additional network adapter for each segment. If this is not necessary, you can skip this step.

4. Connecting to the virtual machine and starting the Setup Wizard

   Before you can use Kaspersky Secure Mail Gateway, you must complete application setup.

[Topic 183991]

Uploading an ISO file

Before running the Virtual Machine Creation Wizard, you must upload an ISO file to the data storage of the host.

To upload an ISO file in the management console of the VMware ESXi hypervisor:

1. Open the management console of the VMware ESXi hypervisor.
2. In the Navigator panel, select the Storage section.
3. Select the Datastores tab.
4. Click Datastore browser.

   This opens the Datastore browser window.

5. Select the data storage and the folder in which you want to upload the ISO file.
6. Click Upload.

   The file selection window opens.

7. Select a file and click Open.

Wait until the file finishes uploading. When the upload is complete, the name of the ISO file is displayed in the file table of the host's data storage. Make sure the size of the uploaded file in the table matches the size of the source file.

[Topic 206593]

Creating a virtual machine in the management console of the VMware ESXi hypervisor

To create a virtual machine in the management console of the VMware ESXi hypervisor:

1. Open the management console of the VMware ESXi hypervisor.
2. In the Navigator panel, select the Virtual Machines section.
3. Click Create/Register VM.

   The Virtual Machine Creation Wizard opens.

4. Follow the steps of the wizard:
   1. Select a method for creating the virtual machine.
      1. Select the Create a new virtual machine option.

         This method allows manually setting up the settings and hardware configuration of the virtual machine.

      2. Click Next.

      The Wizard proceeds to the next step.

   2. Enter the name of the virtual machine and select the guest operating system.
      1. In the Name field, enter the name of the virtual machine.

         The name must be unique among the names of all existing virtual machines.

      2. In the Compatibility drop-down list, select ESXi 6.7 U2 virtual machine.
      3. In the Guest OS Family drop-down list, select Linux.
      4. In the Guest OS Version drop-down list, select CentOS 7 (64-bit).
      5. Click Next.

      The Wizard proceeds to the next step.

   3. Select the virtual data storage.
      1. Select the virtual data storage from the list of available storages.
      2. Click Next.

      The Wizard proceeds to the next step.

   4. Set up the hardware configuration of the virtual machine.
      1. On the Virtual Hardware tab, in the CPU settings group, select the necessary number of virtual processors from the drop-down list.

         The minimum recommended value is 8. You can enter a greater value if you need higher performance from your virtual machine.

         Available values depend on the capabilities of the hypervisor.

      2. Expand the Memory settings group and do the following:
         1. In the RAM field, specify the amount of RAM that will be allocated for the virtual machine.

            The minimum recommended value is 16 GB. You can enter a greater value if you need higher performance from your virtual machine.

         2. Select the Reserve all guest memory (All locked) check box.
      3. Expand the Hard Disk 1 settings group and do the following:
         1. Specify the amount of disk space that will be allocated for the virtual machine.

            The minimum recommended value is 200 GB. You can enter a greater value if you need to store a large database for the event log.

         2. In the Disk Provisioning block, select the type of provisioning for virtual machine files.
      4. In the Network Adapter 1 group of settings, select the virtual network to which the virtual machine must be connected.
      5. In the CD/DVD Drive 1 settings group, do the following:
         1. Select the Datastore ISO File drive type.
         2. Click Browse... to the right of the CD/DVD Media field.

            This opens the file selection window.

         3. Select the ISO file that you uploaded before installing the program and click OK.
         4. Select the Connect at power on check box.
      6. Click Next.

      The Wizard proceeds to the next step.

   5. Confirm the creation of the virtual machine.
      1. Verify that the virtual machine settings configured at previous steps are correct.
      2. If all settings are configured correctly, click the Finish button.

The virtual machine is created with the specified settings.

[Topic 226532]

Modifying virtual machine settings

To add additional network adapters:

1. Open the management console of the VMware ESXi hypervisor.
2. In the Navigator pane, in the Virtual Machines section, select the virtual machine whose settings you want to edit.
3. Click the Edit button on the control panel.

   This opens the virtual machine properties window.

4. On the Virtual Hardware tab, click the Add network adapter button.

   The new network adapter will be displayed in the left pane.

5. Select the added network adapter in the left pane and use the drop-down list on the right to select the network segment that the adapter should connect to.
6. Click Save.

The additional network adapters will be added.

[Topic 184005]

Connecting to the virtual machine and starting the Setup Wizard

To connect to the virtual machine and begin configuring Kaspersky Secure Mail Gateway in the management console of the VMware ESXi hypervisor:

1. Open the management console of the VMware ESXi hypervisor.
2. In the Navigator panel, in the Virtual Machines section, select the virtual machine that you want to start.
3. Click Power on.

   The virtual machine starts.

4. Click Console and in the drop-down list, select the console launch format:
   • Open browser console.
   • Launch remote console.

   The management console of the virtual machine opens. After connecting to the virtual machine, the Setup and Initial Configuration Wizard starts. Follow the instructions of the wizard.

[Topic 206562]

Deploying a virtual machine in the web interface of VMware vSphere

Deploying a virtual machine image involves the following steps:

1. Uploading an ISO file to data storage

   The ISO file of Kaspersky Secure Mail Gateway contains an operating system image with the application pre-installed and a built-in mail server.

2. Creating a virtual machine

   When creating a virtual machine, you must modify settings in accordance with recommendations for the operation of Kaspersky Secure Mail Gateway.

3. Modifying virtual machine settings

   If you want to connect a virtual machine to multiple network segments, you need to add an additional network adapter for each segment. If this is not necessary, you can skip this step.

4. Connecting to the virtual machine and starting the Setup Wizard

   Before you can use Kaspersky Secure Mail Gateway, you must complete application setup.

[Topic 184385]

Uploading an ISO file

To upload an ISO file to data storage using the VMware vSphere web interface:

1. In the web interface of VMware vSphere Client, enter administrator credentials.
2. In the left pane, click the icon.

   The Storage page opens.

3. Select a storage from the list and open the Files tab.
4. Select the folder in which you want to upload the ISO file.
5. Click the Upload files button.

   The file selection window opens.

6. Select the ISO file and click Open.

Wait until the file finishes uploading. When the upload is complete, the name of the ISO file is displayed in the file table of the host's data storage. Make sure the size of the uploaded file in the table matches the size of the source file.

[Topic 206596]

Creating a virtual machine in the web interface of VMware vSphere

To create a virtual machine in the VMware vSphere web interface:

1. In the web interface of VMware vSphere Client, enter administrator credentials.
2. In the left pane, click the icon.

   The Hosts and clusters page opens.

3. Select the data center and the storage in which you want to create a virtual machine.

   The workspace displays the properties window for the selected storage.

4. In the control panel, in the Actions drop-down list, select New Virtual Machine...

   The Virtual Machine Creation Wizard opens.

5. Follow the steps of the wizard:
   1. Select a method for creating the virtual machine.
      1. Select the Create a new virtual machine option.

         This method allows manually setting up the settings and hardware configuration of the virtual machine.

      2. Click Next.

      The Wizard proceeds to the next step.

   2. Enter the name and location of the virtual machine.
      1. In the Virtual machine Name field, enter the name of the virtual machine.

         The name must be unique among the names of all existing virtual machines.

      2. In the folder tree under the text box, select a folder in the host's virtual storage where you want the virtual machine to be stored.
      3. Click Next.

      The Wizard proceeds to the next step.

   3. Select computing resources.
      1. In the right part of the window, select a cluster and a resource pool.
      2. Click Next.

      The Wizard proceeds to the next step.

   4. Select the virtual data storage.
      1. Select the virtual data storage from the list of available storages.
      2. Click Next.

      The Wizard proceeds to the next step.

   5. Configure the compatibility with the virtual infrastructure.
      1. In the Compatible with drop-down list, select ESXi 6.7 U2 and later.
      2. Click Next.

      The Wizard proceeds to the next step.

   6. Select the guest operating system.
      1. In the Guest OS Family drop-down list, select Linux.
      2. In the Guest OS Version drop-down list, select CentOS 7 (64-bit).
      3. Click Next.

      The Wizard proceeds to the next step.

   7. Set up the hardware configuration of the virtual machine.
      1. On the Virtual Hardware tab, select the CPU settings group and use the drop-down list to select the number of virtual processors.

         The minimum recommended value is 8. You can enter a greater value if you need higher performance from your virtual machine.

         Available values depend on the capabilities of the hypervisor.

      2. Expand the Memory settings group and do the following:
         1. Specify the amount of RAM that will be allocated for the virtual machine.

            The minimum recommended value is 16 GB. You can enter a greater value if you need higher performance from your virtual machine.

         2. Select the Reserve all guest memory (All locked) check box.
      3. Expand the New Hard Disk settings group and do the following:
         1. Specify the amount of disk space that will be allocated for the virtual machine.

            The minimum recommended value is 200 GB. You can enter a greater value if you need to store a large database for the event log.

         2. In the Disk Provisioning drop-down list, select the option for allocating virtual machine files.
      4. In the New Network group of settings, select the virtual network to which you want to connect the virtual machine.
      5. In the New CD/DVD Drive settings group, do the following:
         1. Select the Datastore ISO File drive type from the drop-down list.

            This opens the file selection window.

         2. Select the ISO file that you uploaded before installing the program and click OK.
         3. In the Status field, select the Connect At Power On check box.
      6. Click Next.

      The Wizard proceeds to the next step.

   8. Confirm the creation of the virtual machine.
      1. Verify that the virtual machine settings configured at previous steps are correct.
      2. If all settings are configured correctly, click the Finish button.

The virtual machine with the defined settings will be created and displayed in the list in the left pane.

[Topic 226584]

Modifying virtual machine settings

To add additional network adapters:

1. In the web interface of VMware vSphere Client, enter administrator credentials.
2. In the left pane, click the icon.

   The Hosts and clusters page opens.

3. Select the virtual machine whose settings you want to edit.
4. In the control panel, in the Actions drop-down list, select Edit Settings...

   This opens the virtual machine properties window.

5. In the upper-right corner, click the Add new device button and use the drop-down list to select Network adapter.

   The new network adapter will be displayed in the partitions tree on the left.

6. Select the added network adapter from the partitions list and use the drop-down list on the right to select the network segment that the adapter should connect to.
7. Click OK.

The additional network adapters will be added.

[Topic 184386]

Connecting to the virtual machine and starting the installation

To connect to the virtual machine and begin installing Kaspersky Secure Mail Gateway in the web interface of VMware vSphere:

1. In the web interface of VMware vSphere Client, enter administrator credentials.
2. In the left pane, click the icon.

   The Hosts and clusters page opens.

3. In the context menu of the virtual machine that you want to start, select Power → Power On.

   The virtual machine starts.

4. In the control panel, in the Actions drop-down list, select Open console.

   The management console of the virtual machine opens. After connecting to the virtual machine, the Setup and Initial Configuration Wizard starts. Follow the instructions of the wizard.

[Topic 206615]

Deploying a virtual machine in the management console of the Microsoft Hyper-V Manager hypervisor

Deploying a virtual machine image involves the following steps:

1. Creating a virtual machine
2. Modifying virtual machine settings

   The virtual machine creation wizard does not let you edit certain settings. Therefore you need to modify the number of virtual processors and secure boot settings in the virtual machine you have created.

3. Connecting to the virtual machine and starting the Setup Wizard

   Before you can use Kaspersky Secure Mail Gateway, you must complete application setup.

[Topic 206599]

Creating a virtual machine in the management console of Microsoft Hyper-V Manager

Before creating a virtual machine, you must put the ISO file into any network folder that is accessible to the server with the hypervisor. If you are opening the Microsoft Hyper-V Manager console on the same server where the hypervisor is installed, you can put the ISO file on the local hard disk.

To create a virtual machine:

1. Open the Microsoft Hyper-V Manager management console.
2. In the left part of the window, select the hypervisor which you want to connect to and deploy the virtual machine image.
3. In the context menu, select New → Virtual Machine.

   The Virtual Machine Creation Wizard opens.

4. Follow the steps of the wizard:
   1. Select the name and location of the virtual machine.
      1. Type the name of the new virtual machine in the Name field.

         The name must be unique among the names of all existing virtual machines.

      2. To select a different folder for saving the virtual machine:
         1. Select the Store the virtual machine in a different location check box.
         2. In the Location field, specify the path to the folder where you want to save the virtual machine.

         The default folder is <disk>:\Virtual Machines.

      3. Click Next.

      The Wizard proceeds to the next step.

   2. Select the generation of the virtual machine.
      1. Select one of the following options:
         • Generation 1 if you are using the Microsoft Hyper-V Server 2016 hypervisor.
         • Generation 2 if you are using the Microsoft Hyper-V Server 2019 or 2022 hypervisor.
      2. Click Next.

      The Wizard proceeds to the next step.

   3. Allocate memory for the virtual machine.
      1. In the Startup memory field, enter the amount of RAM that you want to allocate to the virtual machine.

         The minimum recommended value is 16384 MB. You can enter a greater value if you need higher performance from your virtual machine.

      2. Clear the Use Dynamic Memory for this virtual machine check box.
      3. Click Next.

      The Wizard proceeds to the next step.

   4. Configure the network connection.
      1. In the Connection drop-down list, select the virtual network to which you want to connect the virtual machine.
      2. Click Next.

      The Wizard proceeds to the next step.

   5. Connect a virtual hard disk.
      1. Select Create a virtual hard disk.
      2. In the Name field, specify the name of the virtual drive that you are creating.
      3. In the Location field, select the location for storing data of the virtual drive on the physical server.
      4. In the Size field, enter the amount of disk space that you want to allocate to the virtual machine.

         The minimum recommended value is 200 GB. You can enter a greater value if you need to store a large database for the event log.

      5. Click Next.

      The Wizard proceeds to the next step.

   6. Select the operating system installation method.
      1. In the list of actions, select Install an operating system from a bootable image file.
      2. In the Media settings group, in the Image file (.iso) field, specify the path to the ISO image for installing the virtual machine.
      3. Click Next.

      The Wizard proceeds to the next step.

   7. Confirm the creation of the virtual machine.
      1. Verify that the virtual machine settings configured at previous steps are correct.
      2. If all settings are configured correctly, click the Finish button.

The virtual machine is created with the specified settings. Make sure the virtual machine is displayed in the Virtual Machines list on the selected hypervisor.

The virtual machine is created with the default number of CPUs. You must modify this setting in virtual machine properties after it is created.

[Topic 206612]

Modifying virtual machine settings

Before proceeding with this procedure make sure the virtual machine is powered off.

For the program to work correctly, you must modify the number of processors of the virtual machine and edit secure boot settings.

To modify virtual machine settings:

1. Start Hyper-V Manager.
2. In the main window of the program, in the Virtual Machines table, select the virtual machine that you deployed from the ISO file.
3. Right-click to open the context menu and click Settings.

   This opens the virtual machine properties window.

4. In the Security group of settings, in the Template drop-down list, select Microsoft UEFI Certificate Authority.

   This is applicable only to second-generation virtual machines.

5. In the Hardware group of settings, select the Processor section.
6. In the Number of virtual processors field, enter the number of virtual processors.

   The minimum recommended value is 8. You can enter a greater value if you need higher performance from your virtual machine.

7. If you need to connect the virtual machine to multiple network segments, add additional network adapters. To do so:
   1. In the Hardware settings group, select the Add Hardware section.
   2. In the workspace, select Network Adapter and click the Add button.

      The new network adapter will be displayed at the end of the list in the Hardware block.

   3. Select the new network adapter in the Hardware block and use the Virtual switch drop-down list to select the network segment that you want to connect to.
8. Click OK.

The number of processors for the virtual machine is modified.

[Topic 184006]

Connecting to the virtual machine and starting the Setup Wizard

To connect to the virtual machine and begin configuring Kaspersky Secure Mail Gateway in the management console of Microsoft Hyper-V Manager:

1. Open the Microsoft Hyper-V Manager management console
2. In the left part of the window, select the hypervisor on which the virtual machine is deployed.
3. In the workspace, right-click the virtual machine that you want to start.
4. In the context menu, click Start.

   The virtual machine starts.

5. In the context menu of the virtual machine, click Connect.

The virtual machine management console opens and the Setup and Initial Configuration Wizard starts. Follow the instructions of the wizard.

[Topic 206563]

Deploying a virtual machine using Microsoft SCVMM

Deploying a virtual machine image involves the following steps:

1. Uploading the ISO file to the Microsoft SCVMM server library

   The ISO file of Kaspersky Secure Mail Gateway contains an operating system image with the application pre-installed and a built-in mail server.

2. Creating a virtual machine

   When creating a virtual machine, you must modify settings in accordance with recommendations for the operation of Kaspersky Secure Mail Gateway.

3. Modifying virtual machine settings

   If you want to connect a virtual machine to multiple network segments, you need to add an additional network adapter for each segment. If this is not necessary, you can skip this step.

4. Connecting to the virtual machine and starting the Setup Wizard

   Before you can use Kaspersky Secure Mail Gateway, you must complete application setup.

[Topic 184278]

Uploading an ISO file

To upload an ISO file to the library of the Microsoft SCVMM server, you must place the ISO file on a local hard disk of the computer where the Microsoft SCVMM program runs.

To upload an ISO file to the library of the Microsoft SCVMM server:

1. Start Virtual Machine Manager (VMM).
2. In the lower left part of the window, select the Library section.
3. In the control panel, click Import Physical Resource.

   This opens the Import Library Resources window.

4. Click Browse....

   This opens the Select Destination Folder window.

5. Select the resource library and a folder where you want to upload the ISO file, then click OK.
6. In the Import Library Resources window, click Add resource....

   This opens the Select resource items window.

7. Select the ISO file and click Open.
8. Click Import.

The ISO file is uploaded to the library of the Microsoft SCVMM server and is displayed in the Physical Library Objects table.

[Topic 206602]

Creating a virtual machine using Microsoft SCVMM

If the Microsoft Hyper-V hypervisor is connected to the Microsoft System Center infrastructure, you can create a virtual machine using Microsoft SCVMM.

To create a virtual machine:

1. Start Virtual Machine Manager (VMM).
2. In the lower-left corner of the window, select the VMs and Services section.
3. In the toolbar, click Create Virtual Machine and in the drop-down list, select Create Virtual Machine.

   The Virtual Machine Creation Wizard opens.

4. Follow the steps of the wizard:
   1. Select a method for creating the virtual machine.
      1. Select the Create the new virtual machine with a blank virtual hard disk option.

         This method allows manually setting up the settings and hardware configuration of the virtual machine.

      2. Click Next.

      The Wizard proceeds to the next step.

   2. Enter the name and generation of the virtual machine.
      1. In the Virtual machine Name field, enter the name of the virtual machine.

         The name must be unique among the names of all existing virtual machines.

      2. Select one of the following options in the Generation drop-down list:
         • Generation 1 if you are using the Microsoft Hyper-V Server 2016 hypervisor.
         • Generation 2 if you are using the Microsoft Hyper-V Server 2019 or 2022 hypervisor.
      3. Click Next.

      The Wizard proceeds to the next step.

   3. Set up the hardware configuration of the virtual machine.
      1. In the Compatibility section, select the Hyper-V check box.
      2. In the General group of settings, in the Processor section, select the number of virtual processors in the Number of processors field.

         The minimum recommended value is 8. You can enter a greater value if you need higher performance from your virtual machine.

      3. In the General group of settings, in the Memory section:
         1. Select Static.
         2. In the Virtual machine memory field, enter the amount of RAM that you want to allocate to the virtual machine.

            The minimum recommended value is 16384 MB. You can enter a greater value if you need higher performance from your virtual machine.

      4. In the Bus configuration settings group, under SCSI Adapter → <disk name>, do the following:
         1. Select Create a new virtual hard disk.
         2. In the Type drop-down list, select the Fixed virtual disk type.
         3. In the Size field, enter the amount of disk space that you want to allocate to the virtual machine.

            The minimum recommended value is 200 GB. You can enter a greater value if you need to store a large database for the event log.

      5. In the Bus configuration settings group, under SCSI Adapter → Virtual DVD Drive, select the type of virtual drive media. To do so:
         1. Select Existing ISO image.
         2. Click Browse....

            This opens the Select ISO window.

         3. Select the ISO file that you uploaded before installing the program and click OK.
      6. In the Network Adapters group of settings, in the Network Adapter 1 section:
         1. For the network adapter connection mode, select Connected to a VM network.
         2. To the right of the VM network field, click Browse....

            This opens the Select a VM Network window.

         3. Select the virtual network that you want to connect the virtual machine to and click OK.
      7. In the Advanced settings group, select the Firmware section and clear the Enable secure boot check box.

         This is applicable only to second-generation virtual machines.

      8. Click Next.

      The Wizard proceeds to the next step.

   4. Select the virtual machine placement type.
      1. Select Place the virtual machine on a host.
      2. In the Destination drop-down list, select the host group for creating a virtual machine.
      3. Click Next.

      The Wizard proceeds to the next step

   5. Select the hypervisor on which you want to create the virtual machine.
      1. In the hypervisor table of the group selected at the previous step, select the hypervisor on which you want the virtual machine to be located.
      2. Click Next.

      The Wizard proceeds to the next step.

   6. Verify the settings values.
      1. Verify virtual machine settings entered at the previous steps of the wizard.
      2. Click Next.

      The Wizard proceeds to the next step.

   7. Select the operating system and configure the advanced settings.
      1. In the Action to take when the virtualization server stops drop-down list, select Shut down guest OS.
      2. In the Operating system group of settings, in the drop-down list, select CentOS Linux 7 (64 bit).
      3. Click Next.

      The Wizard proceeds to the next step.

   8. Confirm the creation of the virtual machine.
      1. Verify that the virtual machine settings configured at previous steps are correct.
      2. If all settings are configured correctly, click Create.

This starts the process of creating the virtual machine with specified settings. Make sure the process completes correctly and the virtual machine is displayed in the list of virtual machines of the selected hypervisor.

[Topic 226529]

Modifying virtual machine settings

To edit the settings of a virtual machine:

1. Start Virtual Machine Manager (VMM).
2. In the lower-left part of the window, select the VMs and Services section.
3. In the upper right part of the window, in the tree, select the hypervisor on which the virtual machine was created.
4. In the workspace of the window, select the virtual machine whose settings you want to edit.
5. In the context menu, select Properties.

   This opens the virtual machine properties window.

6. In the left pane, select the Hardware Configuration section.
7. In the upper control panel, click the New button and select Network adapter from the drop-down list.

   The new network adapter will be displayed in the Network Adapters settings group.

8. In the workspace, do the following:
   1. For the network adapter connection mode, select Connected to a VM network.
   2. To the right of the VM network field, click Browse....

      This opens the Select a VM Network window.

   3. Select the network segment that the added network adapter should connect to, and click OK.
9. Click OK.

The new virtual machine settings will be applied.

[Topic 184390]

Connecting to the virtual machine and starting the Setup Wizard

To connect to the virtual machine and begin configuring Kaspersky Secure Mail Gateway using Microsoft SCVMM:

1. Start Virtual Machine Manager (VMM).
2. In the lower-left part of the window, select the VMs and Services section.
3. In the upper right part of the window, in the tree, select the hypervisor on which the virtual machine was created.
4. In the workspace of the window, select the virtual machine that you want to start.
5. In the toolbar, click Power On.

   The virtual machine starts.

6. In the control panel, click Connect or View and in the drop-down list, select Connect via Console.

The virtual machine management console opens and the Setup and Initial Configuration Wizard starts. Follow the instructions of the wizard.

[Topic 209033]

Application installation and setup

These instructions describe the process of installing and setting up the application on a virtual machine that uses a BIOS boot loader. For virtual machines with UEFI, the pseudographic interface can be different.

To install and configure the application:

1. Start the prepared virtual machine or physical server and choose to load it from the CD.

   It will begin loading from the ISO disk image.

2. In the next window, select Install -- Kaspersky Secure Mail Gateway or wait for the operating system to load and the Setup Wizard to start automatically.

   

3. In the welcome window of the Setup Wizard, click OK.

   

4. Select the language to display the End User License Agreement and the Privacy Policy in.

   

5. Carefully read the End User License Agreement and express your consent or disagreement:
   • If you want to accept the terms of the End User License Agreement, click I accept.
   • If you want to reject the terms of the End User License Agreement, click I decline.

   Use the up/down or Page up/Page down keys to view the text of the End User License Agreement. You can switch between buttons by using the Tab key.

   If you decline the terms of the End User License Agreement, application setup is canceled.

6. Accept or decline the Privacy Policy:
   • If you want to accept the terms of the Privacy Policy, click I accept.
   • If you want to reject the terms of the Privacy Policy, click I decline.

   If you decline the terms of the Privacy Policy, application setup is canceled.

7. Select a disk to install the application to and in the confirmation window, click Yes.

   

   

   Wait until the data is copied from the ISO disk image to the virtual disk. After the copy operation is completed, the virtual machine will be restarted and the Initial Configuration Wizard for the application will start.

8. This opens the Hostname window; in that window, in the Hostname field, enter the fully qualified domain name of the server hosting Kaspersky Secure Mail Gateway as indicated on the DNS server, and click OK.

   This opens a window containing a list of available network adapters.

9. Select the network adapter that you want to configure and press ENTER.

   

   To start using the network adapter, you must initialize it. If the adapter has not been initialized before, an initialization confirmation window will open.

10. In the confirmation window, click Yes. The status of the adapter is changed from new to on. Select the adapter from the list and press ENTER.

    The adapter properties window opens.

11. Configure an IPv4 address for the network adapter. To do so, move the cursor to the Use DHCP line and press ENTER.

    

12. In the opened window, select the appropriate mode:
    • If you want to use a static IP address for the server hosting the application, click Yes.
    • If you want to receive network adapter settings via DHCP, click No.

      DHCP is used by default. This mode will be suitable for installing the application for testing or demonstration purposes. It is recommended to use a static configuration to ensure proper operation of a cluster in a real-world infrastructure.

13. If you selected a static configuration at the previous step, do the following in the opened Interface IP configuration window:
    1. In the Addresses field, enter the IP address of the network adapter.
    2. In the Netmask field, enter the network mask.
    3. Click OK to save changes.

       

    4. Click the Go back button at the bottom of the window after network adapter configuration is complete.

    This opens a window containing a list of all available network adapters. If necessary, you can repeat the configuration steps for another network interface controller.

14. After configuring all network adapters, select Continue at the bottom of the list.

    The Select Action – Routing window opens.

    

15. To configure the default route:
    1. Select Interface and press ENTER.
    2. In the opened Select gateway device window, select the network adapter that should be used for the default route and press ENTER.
    3. If you selected a network adapter using DHCP at the previous step, the dhcp value will be automatically defined in the Gateway field. If you selected a network adapter with a static configuration, the dhcp option will be unavailable for the default gateway.
    4. To assign a static IP address for the default gateway:
       1. Select Gateway and press ENTER.
       2. For adapters that use DHCP, click Yes in the opened Use static configuration window.

          The Interface gateway configuration window opens.

       3. In the Gateway field, enter a static address for the default gateway and click OK.

          

16. If necessary, you can configure a static route. To do so:
    1. In the Select Action – Routing window, select Edit static routes and press ENTER.
    2. In the opened Select Action – Routes window, click New route.

       The New static route window opens.

    3. In the Address field, enter the IP address of the network adapter.
    4. In the Netmask field, enter the network mask.
    5. In the Gateway field, enter the IP address of the gateway.
    6. Click OK.

       

    7. In the opened window, select the network adapter that will be used for the static route, and press ENTER.

       

       The added static route will be displayed in the Select Action – Routes window.

       If necessary, you can repeat steps b – g to add another static route.

    8. After configuration is complete, click Go back in the lower part of the Select Action – Routes window.
    9. Click Continue in the lower part of the Select Action – Routing window.

    The Select Action – Resolver window opens.

    

17. If you want to receive the addresses of DNS servers and a search list of DNS suffixes over the DHCP protocol:
    1. In the Use DHCP field, press ENTER.

       The Obtain DNS addresses over DHCP window opens.

       

    2. Select the network interface of the DHCP service.

       The values of the Search list, Primary DNS and Secondary DNS fields will be filled in automatically.

    3. In the Select Action – Resolver window, click Continue.
18. If you want to manually configure the DNS service settings:
    1. Make sure that the no option is defined for the Use DHCP field.
    2. In the Search list field, press ENTER.

       The Interface DNS configuration window opens.

    3. In the Search list field, enter the domain search DNS suffixes separated by a space.
    4. In the Primary field, enter the address of the primary DNS server.
    5. In the Secondary field, enter the address of the secondary DNS server.
    6. Click OK.

       

    7. In the Select Action – Resolver window, click Continue.

    This opens the next window of the Initial Configuration Wizard.

19. Select the IP address of the network interface to be used for inbound connections while interacting with other cluster nodes. Click OK.

    

20. Enter a port for the interaction with the other cluster nodes and click OK.

    

    We recommend using the default value of 9045.

21. Enter a Local administrator password.

    The password must contain:

    • At least 15 characters
    • Only ASCII characters (A-Z, a-z), numeric characters and special characters
    • Characters of the following types:
      • Uppercase character (A-Z).
      • Lowercase character (a-z)
      • Number.
      • Special character.

    

22. Use any appropriate method to save the certificate fingerprint of the server that is displayed in the final window of the Setup Wizard.

    

    When adding a server to the cluster using the application web interface, you need to match this fingerprint against the fingerprint that is displayed in the web interface.

Application installation and setup is complete. After this you are able to use a browser to connect to the application web interface to configure the application.

After initial configuration is completed, it is recommended to open the virtual machine properties and disable loading from the disk containing the ISO image.

[Topic 206564]

Removing the application

After removing the application all information related to it will be lost.

The application does not have a standard removal procedure.

You can remove the whole virtual machine including virtual disk files and system snapshot files. To do so, follow one of the procedures in this sections depending on the hypervisor used.

If you deployed the application on a physical server, to remove the application you will have to format the hard drive of the server by using a specialized data deletion tool and then make sure that the application can no longer be loaded.

[Topic 212443]

Preparing for removing the application

Before removing the application from a physical server or a virtual machine:

1. Disable load balancing for the cluster node that you are removing
2. Stop traffic processing requests

   To do so, make sure traffic processing is rerouted around the cluster node that you are removing.

3. Remove the node from the cluster

[Topic 189447]

Deleting a virtual machine in the management console of the VMware ESXi hypervisor

Before removing the application, you must make preparations.

To delete a virtual machine in the management console of the VMware ESXi hypervisor:

1. Open the management console of the VMware ESXi hypervisor.
2. In the Navigator panel, select the Virtual Machines section.
3. Select the listed virtual machine that you want to delete.
4. If the virtual machine is running, shut it down. To do so, click the Power off button. Wait until the virtual machine shuts down.
5. In the control panel, in the Actions drop-down list, select Delete.
6. In the confirmation window, click Delete.

The virtual machine with Kaspersky Secure Mail Gateway installed is deleted and is no longer displayed in the list of virtual machines.

[Topic 189448]

Deleting a virtual machine in the web interface of VMware vSphere

Before removing the application, you must make preparations.

To delete a virtual machine in the VMware vSphere web interface:

1. In the web interface of VMware vSphere Client, enter administrator credentials.
2. In the left pane, click the icon.

   The Hosts and clusters page opens.

3. Select the listed virtual machine that you want to delete.
4. If the virtual machine is running, shut it down. To do so, select the virtual machine. Then, in the control panel, in the Actions drop-down list, select Power → Power off.
5. In the confirmation window, click Yes. Wait until the virtual machine shuts down.
6. In the control panel, in the Actions drop-down list, select Delete from Disk.
7. In the confirmation window, click Yes.

The virtual machine with Kaspersky Secure Mail Gateway installed is deleted and is no longer displayed in the list of virtual machines.

[Topic 189449]

Deleting a virtual machine in the management console of the Microsoft Hyper-V hypervisor

Before removing the application, you must make preparations.

To delete a virtual machine in the management console of the Microsoft Hyper-V hypervisor:

1. Start Hyper-V Manager.
2. In the main window of the program, in the list of the virtual machines of the hypervisor in the Virtual Machines table, select the virtual machine that you want to delete.
3. If the virtual machine is running, shut it down. To do so, right-click to open the context menu and select Turn Off. Wait until the virtual machine shuts down.
4. In the context menu of the virtual machine, select Settings.

   This opens the virtual machine properties window.

5. In the Hardware settings group, select SCSI Controller → Hard Drive.
6. Use any convenient method to save the path indicated in the Virtual hard disk field and close the virtual machine properties window.

   By default, after removing a virtual machine in the hypervisor management console, the file of the virtual hard drive is not deleted from the server. You will need to manually delete it.

7. In the context menu of the virtual machine, click Delete.
8. In the confirmation window, click Delete.
9. On the physical server of the hypervisor, manually delete the file of the virtual hard drive from the folder indicated at step 6.

The virtual machine with Kaspersky Secure Mail Gateway installed is deleted and is no longer displayed in the list of virtual machines.

[Topic 189450]

Deleting a virtual machine using Microsoft SCVMM

Before removing the application, you must make preparations.

To delete a virtual machine using Microsoft SCVMM:

1. Start Virtual Machine Manager (VMM).
2. In the lower-left corner of the window, select the VMs and Services section.
3. In the tree in the upper left panel, select the hypervisor on which the virtual machine was created.
4. Select the listed virtual machine that you want to delete.
5. If the virtual machine is running, shut it down. To do so, click Power Off in the toolbar.
6. In the confirmation window, click Yes. Wait until the virtual machine shuts down.
7. In the toolbar, click Delete.
8. In the confirmation window, click Yes.

The virtual machine with Kaspersky Secure Mail Gateway installed is deleted and is no longer displayed in the list of virtual machines.

[Topic 215961]

Getting started with the application

After completing the installation, you can manage the application using the web interface in a browser on any computer.

Kaspersky Secure Mail Gateway administrator must take steps to secure the communication between the browser and the Control node. For security purposes, it is also recommended to configure Kerberos authentication with single sign-on technology.

To manage application settings, you must connect to the Control node. When connecting to Secondary nodes, you can change the role of the node in the cluster and view the status of other connected servers.

[Topic 215959]

View modes of the program web interface

The program has two web interface view modes: administrator mode and user mode.

User mode is available to all users in an Active Directory domain that is configured for Single Sign-On (SSO) authentication. The menu displays sections containing personal Backup and personal lists of allowed and blocked addresses if access to them is allowed by the administrator in the Settings → Personal accounts settings. These sections only display information about the messages and addresses of the current user. To view this information, you need to set up integration with the LDAP server. Otherwise, these sections will be available to the user but an error message will be displayed instead of information about messages and addresses.

Administrator mode is available to a program user who has at least one role assigned. The menu displays the sections that the user is permitted to access. By default, administrator mode opens after successful authorization. If necessary, you can switch to user mode for the current user account.

To switch from administrator mode to user mode:

1. At the bottom of the left menu pane, click on the name of the current user.
2. In the pane that opens on the right, turn on the User mode toggle switch.

The main window of the program web interface will open in user mode for the current user account.

To switch from user mode to administrator mode:

1. At the bottom of the left menu pane, click on the name of the current user.
2. In the pane that opens on the right, turn off the User mode toggle switch.

The main window of the program web interface will open in administrator mode for the current user account.

[Topic 83813]

Connecting to the application web interface

If you connect to the web interface for the first time after installing the application, you will need to create a new cluster before you start.

You will be able to view and change various application settings depending on the account you are using to connect to the web interface.

The Local Administrator account created during installation of the application has the full set of permissions. Other application accounts cannot be created. However, if you have configured Single Sign-On (SSO) authentication, Active Directory domain users can connect to the web interface under their domain accounts in administrator mode or user mode and view available sections in accordance with permissions defined in the application.

To connect to the application web interface under the Local Administrator account:

1. Enter the following address in your browser:

   https://<IP address or fully qualified domain name (FQDN) of the Control node>

   This opens the web interface authorization page prompting you to enter the user name and password.

2. In the User name field, enter the name of the administrator account.

   For the Local Administrator account, enter Administrator.

3. In the Password field, enter the administrator password.

   The Local Administrator password is configured during application setup.

   If you enter the wrong password five times, authorization using the Local Administrator account will be disabled for five minutes before you can try again. The capability for authorization under a domain account via the NTLM protocol will remain available.

4. Click Log in.

This opens the main window of the application web interface.

To connect to the application web interface under a different user account:

Enter the following address in your browser:

https://<IP address or fully qualified domain name (FQDN) of the Control node>

If you configured authentication with Kerberos Single Sign-On, you only need to enter the address in FQDN format.

The rest of the authorization procedure depends on your answers to the following questions:

• Which protocol is being used for authentication?
• Is the computer in an Active Directory domain configured for SSO authentication?

The figure below shoes the authorization procedure depending on the factors listed above.

Authorization procedure when connecting to the web interface in user mode

* If you enter the wrong password five times when prompted by a browser for your user's domain account credentials, NTLM authentication will be disabled for five minutes. The capability for authorization under the Local Administrator account will remain available.

If the application is configured to use Kerberos and NTLM authentication simultaneously, the authorization procedure is as follows:

1. Attempt to complete authorization using the Kerberos protocol.
2. If unsuccessful, attempt to complete authorization using the NTLM protocol.
3. If unsuccessful, you are prompted to enter the application user account credentials.

For automatic authorization to work correctly on computers that are members of an Active Directory domain that is configured to use SSO authentication, additional configuration is required in the operating system and in the browser settings.

If authorization is successful, the main window of the application web interface is opened. If the user has the permissions to access different web interface viewing modes, they will be able to switch between these modes.

[Topic 216538]

Monitoring of program operation

You can monitor the program by using widgets and dashboards. You can filter monitoring data by period and by cluster nodes.

The Dashboard section of the program web interface displays the following information:

1. System Health. A chart of errors encountered by the cluster. You can click Go to Nodes to go to the Nodes section and view details about the health of each cluster node.
2. Processed. This widget displays statistics of program actions applied to all processed email messages:
   • Attachments deleted.
   • Deleted.
   • Disinfected.
   • Quarantined.
   • Rejected.
   • Skipped.

   You can click Size or Count to toggle between total size or count of all processed messages respectively.

3. Detected. This widget displays the number of detected objects grouped by protection module:
   • Anti-Phishing.
   • Anti-Spam.
   • Anti-Virus.
   • Content Filtering.
   • Mail Sender Authentication.
   • Links scanning.
   • KATA.

     This is displayed only when KATA integration is configured.

   If a protection module detects multiple objects in a message, only one object is counted for that module in statistics. If multiple objects are detected in a message by different protection modules, one object is counted in statistics for each protection module.

   You can click the link in the upper-right corner of the information pane to go to the Events section and view related events containing detection information for a selected period.

4. Widgets that display the number of messages scanned by the given module and grouped by scan result:
   • Anti-Virus.
   • Anti-Spam.
   • Anti-Phishing.
   • Content Filtering.
   • Links scanning.
   • Mail Sender Authentication.

   Only the Anti-Virus widget is displayed by default. You can create a new widget layout or modify the current layout to add the widgets you need.

   All widgets with protection module statistics display the following scan statuses:

   • Detected means the message was found to contain an object that satisfies rule application criteria.
   • Not detected means the message was scanned and does not contain threats or other objects.
   • Document with macro means the message has an attachment, which contains a document with macros.

     Only applies to Anti-Virus.

   • Quarantined means the message was moved to
     Anti-Spam Quarantine

     A Backup location where email messages are temporarily kept if the Anti-Spam module is unable to assign a final status after a scan.

     A Backup location where email messages are temporarily kept if the Anti-Spam module is unable to assign a final status after a scan.

     .

     Only applies to Anti-Spam.

   • Not processed is a group of statuses that are assigned to the message if it was not scanned for one of the following reasons:
     • Encrypted means an object could not be scanned because it is encrypted.

       Only applies to Anti-Virus.

     • Error means an error occurred when scanning the message.
     • Bases error means the message could not be scanned because program databases were not loaded.
     • License restrictions means the message could not be scanned because of program licensing limitations (for example, the license key could have expired).
   • Disabled by settings is a group of statuses assigned to the message if it was not scanned in accordance with one of the following program settings configured by the administrator:
     • Allowlist means the message was delivered without scanning because the sender address is on the global allow list.
     • Denylist means the message was rejected without scanning because the sender address is on the global deny list.
     • Nesting level exceeded means the maximum archive nesting level configured in general protection settings was reached.

       Only applies to Anti-Virus.

     • Personal allowlist means the message was not scanned by the Anti-Spam module because the sender address is on the personal allow list of the recipient.

       Only applies to Anti-Spam.

     • Personal denylist means the sender address is on the personal deny list of the recipient. The action configured in personal list settings was applied to the message.

       Messages placed in Backup based on personal list settings are not counted. Such messages are accounted for in statistics for other statuses in accordance with the scan result.

     • Local policy means the message was sent from a relay IP.

       Only applies to Mail Sender Authentication.

     • Disabled in protection settings the module is turned off in general protection settings or in a message processing rule.
     • Already processed by another module means the message was not scanned by this module because the message was already scanned by a different protection module and a Reject or Delete message action was applied to the message (and a copy of the message was not put in Backup).
5. Last threats. Table with information about recent detected threats:
   • Time is the time when the threat was detected.
   • Threat name is the name of the threat detected in the object.
   • Result is the action performed with the object.

   All information currently available to the program is displayed. Time filtering criteria are not applied.

6. Messages. This widget displays the incoming and outgoing email traffic processed by the program.

   When counting outgoing messages, notifications sent by the program are counted, but messages with Deleted, Rejected, and Quarantined scan status are not counted.

   You can click Size or Count to toggle between total size or count of incoming and outgoing messages respectively.

7. Top rules applied. Table with information about rules that were most frequently applied when processing messages:
   • Rule name is the name of the applied rule set by the administrator.
   • Count is the trigger count for the rule.

   If the rule was deleted by the administrator, it is not displayed on this dashboard.

Not all dashboards are displayed by default. You can create a new layout and add the panes you need, and then switch between available layouts.

[Topic 216539]

Creating a new layout

After the application is installed, the Dashboard section displays only the default layout. You can create a new layout and configure the display of dashboards in it.

To create a new layout:

1. In the application web interface window, select the Dashboard section.
2. In the upper part of the window, click .
3. In the drop-down list, select New layout.

   The default set of widgets is displayed.

4. If you want to edit the default name of the layout:
   1. In the upper part of the workspace next to the New layout # name, click .
   2. This opens a window; type the new name in the Layout name text box.
   3. Click Save.
5. If you want to add widgets to the layout:
   1. Click Add widget.

      This opens the Add widget window.

   2. Select check boxes next to the names of widgets that you want to add to the layout.
   3. Click Add.
6. If you want to reposition the widget in the layout, drag the widget to a new location in the layout by clicking and holding the upper part of the widget with the left mouse button.
7. If you want to remove a widget from the layout, click in the upper right corner of the panel.
8. If you want to zoom a widget, click the icon in the upper right corner of the panel and select a value in the drop-down list.
9. If you want to hide a category of data on the widget, click the color indicator to the left of the category (for example, for objects with the Not detected status).
10. If necessary, toggle the presentation of the data (histogram or line diagram) using the view switch in the upper right corner of the panel.
11. Click Save.

The new layout is added to the list of layouts in the Dashboard section. You can now select it from the list of available layouts.

[Topic 216540]

Modifying a layout

To modify a layout:

1. In the application web interface window, select the Dashboard section.
2. In the upper right corner of the workspace, in the drop-down list to the right, select the layout that you want to modify.
3. Click and in the drop-down list, select Customize layout.
4. Make the changes you want.
5. Click Save.

The layout is modified.

[Topic 216541]

Removing a layout

To delete a layout:

1. In the application web interface window, select the Dashboard section.
2. In the upper right corner of the workspace, in the drop-down list to the right, select the layout that you want to delete.
3. Click and in the drop-down list, select Delete layout.

The layout will be removed.

[Topic 216542]

Selecting a layout from the list

To select a layout from the list of available layouts:

1. In the application web interface window, select the Dashboard section.
2. In the upper right corner of the workspace, in the drop-down list to the right, select the layout that you want to open.

The selected layout is displayed in the workspace.

[Topic 216543]

Filtering monitoring data

To filter the data displayed in widgets:

1. In the application web interface window, select the Dashboard section.
2. If you want to filter the data by period, in the upper right corner of the workspace, in the left drop-down list, select one of the following:
   • Last hour.
   • Last day.
   • Last week.
   • Last month.
   • Last year.

   Data for the last hour is displayed by default.

3. If you want to filter the data by cluster node, in the middle drop-down list, select the IP address of the node.

   By default, data is displayed for all nodes.

Data displayed in widgets is filtered in accordance with the specified criteria.

[Topic 88778]

Using message processing rules

A message processing rule (hereinafter also referred to as a "rule") is a set of parameters and actions applied by the program to messages that meet specific criteria. For a rule to be applied to a message, the addresses of the sender and recipient must be specified in the rule settings.

By default, the program contains the following preset message processing rules:

• AllowList processes messages from the global allowlist.
• DenyList processes messages from the global denylist.
• Default processes messages according to the settings predefined by Kaspersky.

  The AllowList and DenyList rules are disabled by default.

When Kaspersky Secure Mail Gateway processes an email message, it applies rules in accordance with their priority, that is, in the order of occurrence in the rule table, top to bottom. If the combination of sender-recipient addresses does not match, the program moves on to the next rule. As soon as it finds the sender-recipient pair of addresses in any rule, the program applies the processing settings configured in that rule to the message, and the search for a match is finished.

If none of the rules contains the "sender - recipient" pair of addresses, the message is processed in accordance with the preset settings of the Default rule.

If the message has a DKIM signature, it can be damaged by processing rules that modify the subject or body of the message, delete attachments, treat detected malicious objects, or add email disclaimers to the body of the message.

For each rule, you can configure your own email message processing criteria and select an action that is applied to the messages. If multiple program modules are triggered and they have different response actions configured, the most strict action will be performed ( Delete message → Reject → Delete attachment → Skip ).

The Reject action is recommended only if Kaspersky Secure Mail Gateway is directly integrated into the mail infrastructure, that is, if it functions as an edge gateway. If the program is integrated behind a third-party edge gateway, that is, it functions as an interior gateway, applying the Reject action will result in the edge gateway generating non-delivery notifications (DSN, Delivery status notification). Sending such notifications to non-existent email addresses may degrade the reputation of the edge gateway on the Internet.

[Topic 202953]

Viewing the rule table

To view the rule table,

In the application web interface window, select the Rules section.

The table displays the following information about rules:

• Priority.

  A number corresponding to priority determines the sequence in which rules are applied. Rules applied in the order of appearance in the table, top to bottom, that is, from highest priority to the lowest.

• Rule name.

  Name of the rule defined by the user.

• Status.

  Toggle switch for enabling or disabling the rule.

• Mode.

  The rule can operate in one of the following modes:

  • – Use the settings of scan modules.
  • – Reject without scanning.
  • – Delete without notifying the sender.
  • – Skip without scanning.
• Description.

  Any additional information about the rule specified by the user.

You can click the Detects notifications link to configure the general settings for email notifications regarding detections applicable to all rules. Then you need to enable notifications for each rule that you want to receive a message for whenever that rule is triggered.

[Topic 202954]

Configuring rule table display

To configure the display of the rule table:

1. In the application web interface window, select the Rules section.
2. Click .

   This opens the Customize table window.

3. Select check boxes next to settings that you want to display in the table.

   At least one check box must be selected.

The display of the rule table is configured.

[Topic 203001]

Message processing rule configuration scenario

You can modify general protection settings that are applied to all message processing rules in the Settings → General section.

1. Creating a rule

   When you create a rule, you must specify sender and recipient addresses, whose messages are to be processed in accordance with the settings of the rule, as well as the message processing mode. Other general settings are optional.

2. Anti-Virus protection of messages

   Kaspersky Secure Mail Gateway scans email messages for viruses and other threats using the Anti-Virus module.

   You can enable or disable Anti-Virus scanning of messages for the rule. If Anti-Virus scan is enabled in the rule, you can configure the scan depending on object type:

   • Infected and probably infected objects, as well as legitimate programs that can be exploited by hackers
   • Objects with errors encountered during scanning
   • Encrypted objects
   • Attachments with macros
3. Link scanning

   Kaspersky Secure Mail Gateway checks if the links in the body of the message are malicious, that is, if they lead to web sites that distribute malware. You can also enable the detection of advertising links and links relevant to legitimate programs.

4. Anti-Spam protection

   Kaspersky Secure Mail Gateway filters messages passing through the mail server to remove unsolicited mail (spam) using the Anti-Spam module.

   You can enable or disable Anti-Spam protection for the rule. If Anti-Spam protection is enabled for a rule, you can configure the scan depending on object type:

   • Spam
   • Probable spam
   • Mass mail.
5. Anti-Phishing protection

   Kaspersky Secure Mail Gateway filters messages passing through the mail server to remove

   phishing

   A type of Internet fraud aimed at obtaining unauthorized access to users' confidential data.

   A type of Internet fraud aimed at obtaining unauthorized access to users' confidential data.

   using the Anti-Phishing module.

   You can enable or disable Anti-Phishing protection for the rule.

6. Content filtering of messages

   Kaspersky Secure Mail Gateway can perform content filtering of messages that pass through the mail server.

   You can enable or disable Content Filtering for the rule. If Content Filtering is enabled for a rule, you can restrict the relaying of messages by the mail server in accordance with the following criteria:

   • Message size
   • Mask of attachment name
   • Format of attachments
7. Mail Sender Authentication

   Mail Sender Authentication is designed to provide additional protection for your corporate mail infrastructure against spam and phishing.

   Kaspersky Secure Mail Gateway uses the following Mail Sender Authentication technologies:

   • SPF authentication (Sender Policy Framework).
   • DKIM authentication (DomainKeys Identified Mail).
   • DMARC authentication (Domain-based Message Authentication, Reporting and Conformance).
8. Notifications of message scan results

   You can set up notifications about message scan events to be emailed to addresses from the configured general list, the sender, recipients, or other addresses.

9. Warnings about insecure messages

   You can configure a Warning template text to be added to the body of the message that has one of the following scan statuses:

   • Encrypted;
   • Infected;
   • Error;
   • Phishing;
   • Links scanning.
10. Email disclaimers

    An email disclaimer (hereinafter also "disclaimer") is a text that the program can add at the end of an email message.

    You can enable or disable disclaimers for one or more message processing rules and configure disclaimer templates.

11. KATA protection

    Kaspersky Secure Mail Gateway can be integrated with Kaspersky Anti Targeted Attack Platform and forward messages to the KATA server for scans.

    You can enable or disable KATA protection for a rule. If KATA protection is enabled in a rule, you can select a specific action for messages in which objects were detected, indicate whether or not the program should place a copy of messages in Backup, and configure a tag to be added to the subject of messages.

[Topic 88114]

Creating message processing rules

To create a message processing rule:

1. In the main window of the program web interface, open the management console tree and select the Rules section.
2. In the upper part of the workspace, click Create.

   A new message processing rule opens.

3. In the left pane, select the General section.
4. In the Rule name field, type the name of the new rule.

   The rule must have a unique name in the list of Kaspersky Secure Mail Gateway rules.

5. In the Description field, type the rule description.
6. In the Mode settings group, select one of the following message processing options corresponding to criteria of the rule:
   • Use the settings of scan modules to use the settings of Anti-Virus, Anti-Spam, and Anti-Phishing modules as well as Content Filtering settings.

     The left pane displays sections where you can configure modules used by the rule.

   • Reject without scanning to reject messages without scanning them with Anti-Virus, Anti-Spam, or Anti-Phishing modules, or applying Content Filtering settings.
   • Delete without notifying the sender to delete messages without scanning them with Anti-Virus, Anti-Spam, or Anti-Phishing modules, or applying Content Filtering settings; do not notify the sender about non-delivery.
   • Skip without scanning to deliver messages without scanning them.
7. If you want to modify the priority of the rule, in the Rule priority settings group, set the position of the rule in the rule table.

   By default, the rule is assigned the highest priority of all previously created rules.

8. In the Sender email settings group, specify senders to whom the rule must apply. To do this, select one of the following tabs:
   • Email
     1. In the text box, type an email address and press Enter.

        The email addresses are entered one at a time. Repeat the steps for all email addresses that you want to add.

        You can use the symbols "*" and "?" to create an address mask, and regular expressions beginning with the prefix "re:".

        Regular expressions are not case-sensitive.

   • IP
     1. In the text box, type the IP address of a message sender and press Enter.

        IP addresses should be entered one at a time. Repeat the steps for all IP addresses that you want to add.

        You can enter an IPv4 address (for example: 192.0.0.1), an IPv4 subnet address with a mask (for example: 192.0.0.0/16), an IPv6 address (for example: 2607:f0d0:1002:51::4), or IPv6 subnet address with a mask (for example: fc00::/7).

   • LDAP: DN
     1. In the text box, specify an LDAP account and press Enter.

        Type accounts one at a time. Repeat the steps for all accounts that you want to add.

   To apply the rule, you must specify at least one sender.

9. In the Recipient email settings group, specify recipients to whom the rule must apply. To do this, select one of the following tabs:
   • Email
     1. In the text box, type an email address and press Enter.

        The email addresses are entered one at a time. Repeat the steps for all email addresses that you want to add.

        You can use the symbols "*" and "?" to create an address mask, and regular expressions beginning with the prefix "re:".

        Regular expressions are not case-sensitive.

   • LDAP: DN
     1. In the text box, specify an LDAP account and press Enter.

        Type accounts one at a time. Repeat the steps for all accounts that you want to add.

   To apply the rule, you must specify at least one recipient.

10. In the lower right corner, click Save.

The rule is created and added to the rule table in the Rules section.

For modified settings to be applied by Kaspersky Secure Mail Gateway, the rule must be enabled. By default, the new rule is disabled and not used during operation of the program.

[Topic 202929]

Configuring Anti-Virus protection

Before configuring Anti-Virus protection in the message processing rule, make sure that the Anti-Virus module is enabled in general protection settings.

To configure Anti-Virus protection in the message processing rule:

1. In the application web interface window, select the Rules section.
2. In the rule table, select the rule for which you want to configure Anti-Virus protection.

   This opens the View rule window.

3. Click Edit.

   Rule settings become editable.

4. In the left pane, select the Anti-Virus section.
5. Use the toggle switch to the right of the section title to enable or disable Anti-Virus scanning of messages that match rule criteria.

   Anti-Virus protection of messages is enabled by default.

6. If you have disabled Anti-Virus scanning at the previous step, configure Anti-Virus module settings applied to the following objects based on the results of the scan:
   • Infected and probably infected objects, as well as legitimate programs that can be exploited by hackers.
     1. In the If an infected file is detected settings group, in the Action drop-down list, select the action that will be applied to messages:
        • Skip.
        • Disinfect.
        • Delete attachment.
        • Delete message.
        • Reject.

        The Disinfect action is selected by default.

     2. If on the previous step you have selected the Disinfect action, in the If disinfection fails drop-down list, select one of the following actions to take on infected messages that cannot be disinfected:
        • Delete attachment.
        • Delete message.
        • Reject.

        The Delete attachment action is selected by default.

     3. If you want to automatically place messages with detected objects in Backup based on the results of the anti-virus scan, select the Move copy to Backup check box.

        This check box is selected by default.

     4. If you want tags to be added after the scan to the beginning of the subject of infected or disinfected messages, type the text of the tags in text boxes under the Move copy to Backup check box.

        By default, [Infected] and [Cured] tags are added.

   • Objects with errors encountered during scanning.
     1. In the If Anti-Virus scan errors are detected drop-down list, select the action to take on messages that cause errors during scanning:
        • Skip.
        • Delete attachment.
        • Delete message.
        • Reject.

        The Skip action is selected by default.

     2. If you want to automatically place in Backup those messages that triggered errors when scanned, select the Move copy to Backup check box.

        This check box is cleared by default.

     3. If you want a tag to be added after the scan to the beginning of the subject of messages that cause errors during scanning, type the text of the tag in the text box under the Move copy to Backup check box.
   • Encrypted objects.
     1. In the If an encrypted object is detected drop-down list, select the action to apply to messages that contain encrypted objects:
        • Skip.
        • Delete attachment.
        • Delete message.
        • Reject.

        The Skip action is selected by default.

     2. If you want to automatically place messages with encrypted objects in Backup based on the results of the scan, select the Move copy to Backup check box.

        This check box is cleared by default.

     3. If you want a tag to be automatically added after the scan to the beginning of the subject of messages that contain encrypted objects, type the text of the tag in the text box under the Move copy to Backup check box.
   • Attachments with macros.
     1. In the If a macro is detected group of settings, select the Process attachments with macros check box if you want the application to process attachments with macros.
     2. In the Action drop-down list, select the action that will be applied to messages:
        • Skip.
        • Delete attachment.
        • Delete message.
        • Reject.

        The Delete attachment action is selected by default.

     3. If you want to automatically place messages containing attachments with macros in Backup based on the scan results, select the Move copy to Backup check box.

        This check box is cleared by default.

     4. If you want a tag to be automatically added after the scan to the beginning of the subject of messages that contain attachments with macros, type the text of the tag in the text box under the Move copy to Backup check box.

        By default, the [Attachments with Macros] tag is added.

7. If necessary, configure the list of exclusions from scanning. To do so, in the Exclusions from scanning settings group:
   1. If you want to exclude archives from Anti-Virus scans, select the Do not scan archives check box.
   2. If you want to exclude attached objects with certain names from Anti-Virus scans, in the Do not scan attachments by name masks field, type a name mask and press Enter.

      Enter masks one by one. Repeat the steps for each mask you want to add.

      Masks are case-insensitive and may contain any characters.

8. Click Save.

Anti-Virus protection is configured. The specified settings are applied to messages that match the rule criteria.

To ensure that the configured settings are applied during the operation of Kaspersky Secure Mail Gateway, make sure that email virus scans are enabled for the rule and that the rule that you have configured is enabled.

[Topic 215785]

Configuring URL Advisor

Before configuring link scanning in the message processing rule, make sure that link scanning is enabled in general protection settings.

To configure URL Advisor settings in the message processing rule:

1. In the application web interface window, select the Rules section.
2. In the rule table, select the rule for which you want to configure Anti-Virus protection.

   This opens the View rule window.

3. Click Edit.

   Rule settings become editable.

4. In the left pane, select the Links scanning section.
5. Use the toggle switch to the right of the section title to enable or disable link scanning for messages that match rule criteria.

   By default, link scanning is enabled.

6. If at the previous step, you enabled link scanning, configure how malicious or advertising links as well as links relevant to legitimate programs are treated after the scan:
   1. In the Action drop-down list, select the action that will be applied to messages:
      • Delete message.
      • Reject.
      • Skip.

      The Reject action is selected by default.

   2. If you want messages with detected objects to be automatically placed in Backup based on the results of a scan, select the Move copy to Backup check box.

      This check box is selected by default.

   3. If you want a tag to be added after the scan to the beginning of the subject of messages, type the text of the tag in the text box under the Move copy to Backup check box.

      The [Malicious|Adware|Legitimate links] tag is added by default.

7. Click Save.

[Topic 203007]

Configuring Anti-Spam protection

Before configuring Anti-Spam protection in the message processing rule, make sure that the Anti-Spam module is enabled in general protection settings.

To configure Anti-Spam protection in the message processing rule:

1. In the application web interface window, select the Rules section.
2. In the rule table, select the rule for which you want to configure Anti-Spam protection.

   This opens the View rule window.

3. Click Edit.

   Rule settings become editable.

4. In the left pane, select the Anti-Spam section.
5. Use the toggle switch to the right of the section title to enable or disable Anti-Spam scanning of messages that match rule criteria.

   By default, Anti-Spam protection of messages is enabled.

6. If you have disabled Anti-Spam protection at the previous step, configure Anti-Spam module settings applied to the following objects based on the results of the scan:
   • Spam.
     1. In the If spam is detected group of settings, select one of the following actions to take on messages containing spam:
        • Delete message.
        • Reject.
        • Skip.

        The Skip action is selected by default.

     2. If you want to automatically place messages recognized as spam in Backup, select the Move copy to Backup check box.

        This check box is cleared by default.

     3. If you want a tag to be automatically added after the scan to the beginning of the subject of messages that contain spam, type the text of the tag in the text box under the Move copy to Backup check box.

        By default, the [Spam] tag is added.

   • Probable spam.
     1. In the If probable spam is detected group of settings, select one of the following actions to take on messages containing probable spam:
        • Delete message.
        • Reject.
        • Skip.

        The Skip action is selected by default.

     2. If you want to automatically place messages containing suspected spam in Backup based on the scan results, select the Move copy to Backup check box.

        This check box is cleared by default.

     3. If you want a tag to be automatically added after the scan to the beginning of the subject of messages that contain probable spam, type the text of the tag in the text box under the Move copy to Backup check box.

        By default, the [Probable spam] tag is added.

   • Mass mail.
     1. In the If mass mailing is detected group of settings, select one of the following actions to take on messages that constitute a mass mail campaign:
        • Delete message.
        • Reject.
        • Skip.

        The Skip action is selected by default.

     2. If you want to automatically place messages recognized as mass mail in Backup, select the Move copy to Backup check box.

        This check box is cleared by default.

     3. If you want a tag to be automatically added after the scan to the beginning of the subject of messages that constitute a mass mail campaign, type the text of the tag in the text box under the Move copy to Backup check box.

        By default, the [MASSMAIL] tag is added.

7. In the settings group Additional settings, select check boxes next to the names of settings that you want to enable:
   1. Use graphical image processing technologies if you want to use the GSG technology that identifies images containing text to analyze such text for being spam. The text is recognized regardless of whether it has been modified, rotated in the image, hidden in "noise" or otherwise modified to conceal the purpose of the image.
   2. Unicode spoofing protection if you want to enable Unicode spoofing protection. If Unicode spoofing is detected, the message is considered to be spam. The application adds the unicode_spoof tag to the X-KSMG-AntiSpam-Method message header.

      The application scans for Unicode spoofing only in the values of the MAIL FROM command from the SMTP session, as well as in the From, Sender, Reply-To message headers.

8. Click Save.

Anti-Spam protection is configured. The specified settings are applied to messages that match the rule criteria.

To ensure the configured settings are applied during the operation of Kaspersky Secure Mail Gateway, make sure to enable Anti-Spam protection for the rule and to enable the configured rule.

[Topic 203008]

Configuring Anti-Phishing protection

Before configuring Anti-Phishing protection in the message processing rule, make sure that the Anti-Phishing module is enabled in general protection settings.

To configure Anti-Phishing protection in the message processing rule:

1. In the application web interface window, select the Rules section.
2. In the rule table, select the rule for which you want to configure Anti-Phishing protection.

   This opens the View rule window.

3. Click Edit.

   Rule settings become editable.

4. In the left pane, select the Anti-Phishing section.
5. Use the toggle switch to the right of the section title to enable or disable Anti-Phishing scanning of messages that match rule criteria.

   By default, Anti-Phishing protection of messages is enabled.

6. If you enabled Anti-Phishing protection at the previous step, use the drop-down list to select an action to perform on phishing messages:
   • Delete message.
   • Reject.
   • Skip.

   The Reject action is selected by default.

7. If you want phishing messages to be automatically placed in Backup based on the results of a scan, select the Move copy to Backup check box.

   This check box is cleared by default.

8. If you want a tag to be added to the beginning of the subject of phishing messages based on the results of a scan, type the text of the tag in the text box under the Move copy to Backup check box.

   By default, the [Phishing] tag is added.

9. Click Save.

Anti-Phishing protection is configured. The specified settings are applied to messages that match the rule criteria.

To ensure the configured settings are applied during the operation of Kaspersky Secure Mail Gateway, make sure to enable Anti-Phishing protection for the rule and to enable the configured rule.

[Topic 203009]

Configuring Content Filtering

Before configuring Content Filtering in the message processing rule, make sure that Content Filtering is enabled in general protection settings.

To configure Content Filtering in the message processing rule:

1. In the application web interface window, select the Rules section.
2. In the rule table, select the rule for which you want to configure Content Filtering.

   This opens the View rule window.

3. Click Edit.

   Rule settings become editable.

4. In the left pane, select the Content Filtering section.
5. Use the toggle switch to the right of the section title to enable or disable content filtering of messages that match rule criteria.

   By default, Content Filtering of messages is disabled.

6. If at the previous step, you have enabled Content Filtering, configure the following filtering criteria:
   • By message size
     1. If you want to restrict the sending of messages that contain attachments of a certain size, in the If the allowed message size is exceeded group of settings, in the drop-down list, select an action to apply to messages:
        • Skip.
        • Delete message.
        • Reject.

        The Reject action is selected by default.

     2. If you want to automatically place messages containing attached objects of a certain size in Backup based on the scan results, select the Move copy to Backup check box.

        This check box is selected by default.

     3. If you want a tag to be automatically added after the scan to the beginning of the subject of messages that contain attachment objects of a certain size, type the text of the tags in text boxes under the Move copy to Backup check box.

        By default, no tag is assigned.

     4. In the Message size (KB) field, type the maximum size of objects in the range from 0 KB to 1,048,576 KB (1 GB).

        If the value is set to 0 KB, no restrictions apply to the size of objects.

   • By attachment format
     1. If you want to restrict the sending of messages that contain attachments of a particular format, in the If attachment type is detected group of settings, create a list of attachment formats to which the rule must apply. To do so:
        1. Select a list creation method:
           • Attachments that have type from the list below if you want to specify attachment formats that you want to add to the list.

             Content Filtering settings will be applied to messages containing attachments that have specified formats.

           • Attachments that have type NOT from the list below if you want to specify attachment formats that you want to exclude from the list.

             Content Filtering settings will not be applied to messages containing attachments that have specified formats.

        2. Click Edit to open the File formats window.
        3. Select check boxes next to attachment formats that you want to add to the list or exclude from the list:
           • Archives (e.g., ZIP; RAR; TGZ)
           • Databases (e.g., ACCDB; ACCDC; MDB)
           • Executable files (e.g., EXE; DLL; OCX)
           • Graphic files (e.g., JPG; BMP; WMF)
           • Multimedia files (e.g., AVI; WMV; MP3)
           • Document files (e.g., DOC; XLS; PDF; PPT)
           • Other files (e.g., TXT; CHM; HTM)
        4. In the lower right corner, click OK.
     2. In the In case of detection drop-down list, select the action that will be applied to messages:
        • Skip.
        • Delete message.
        • Delete attachment.
        • Reject.

        The Reject action is selected by default.

     3. If you want to automatically place messages containing attachments of the specified formats in Backup based on the scan results, select the Move copy to Backup check box.

        This check box is selected by default.

     4. If you want a tag to be added after the scan to the beginning of the subject of messages that contain attachment objects of a certain format, type the text of the tags in text boxes under the Move copy to Backup check box.

        By default, no tag is assigned.

   • By attachment name.
     1. If you want to restrict the sending of messages that contain attachments with certain names, under Attachment name, in the Names of attachments field, enter the names of such attachments.

        You can use masks and regular expressions in an attachment name. Names can contain any characters. Use semicolons ";" to separate the names.

        Masks and regular expressions are not case-insensitive.

        For example, you can enter the *.exe name mask to restrict transmission of messages that include attachments with the EXE extension.

        To restrict the sending of messages that contain executable files of widespread formats, you can use the following regular expression:

        re:.*\.(scr|cpl|com|bat|cmd|vbs|pif|lnk|url|exe|bvs|spl|dll)

     2. In the In case of detection drop-down list, select the action that you want to apply to messages:
        • Skip.
        • Delete message.
        • Delete attachment.
        • Reject.

        The Reject action is selected by default.

     3. If you want to automatically place messages containing attachments with the specified names in Backup based on the scan results, select the Move copy to Backup check box.

        This check box is selected by default.

     4. If you want a tag to be automatically added after the scan to the beginning of the subject of messages that contain attachment objects of a certain format, type the text of the tags in text boxes under the Move copy to Backup check box.

        By default, no tag is assigned.

7. If you want to scan for forbidden formats or names of files within compound objects (including archives), select the Scan compound objects check box.

   If you enable scanning compound objects, the Scan file formats and names in archive check box is selected automatically because archives are a subset of compound objects.

8. If at the previous step, you did not enable scanning compound objects and want to scan for forbidden formats or filenames only in archives, select the Scan file formats and names in archive check box.
9. Click Save.

Content Filtering is configured. The specified settings are applied to messages that match the rule criteria.

To ensure the configured settings are applied during the operation of Kaspersky Secure Mail Gateway, make sure to enable Content Filtering for the rule and to enable the configured rule.

[Topic 203013]

Mail Sender Authentication

Before configuring Mail Sender Authentication in the message processing rule, make sure that the relevant authentication technologies are enabled in general protection settings.

To configure Mail Sender Authentication in the message processing rule:

1. In the application web interface window, select the Rules section.
2. In the rule table, select the rule for which you want to configure Mail Sender Authentication.

   This opens the View rule window.

3. Click Edit.

   Rule settings become editable.

4. In the left pane, select the Mail Sender Authentication section.
5. Use the toggle switch to the right of the section title to enable or disable mail sender authentication for messages that match rule criteria.

   By default, Mail Sender Authentication is disabled.

6. If at the previous step you have enabled Mail Sender Authentication, configure general settings for all authentication types:
   • Select the Consider temporary errors (TempError) as an authentication violation check box if you want Kaspersky Secure Mail Gateway to consider temporary errors (TempError) a violation of Mail Sender Authentication.
   • Select the Consider permanent errors (PermError) as an authentication violation check box if you want Kaspersky Secure Mail Gateway to consider permanent errors (PermError) a violation of Mail Sender Authentication.
7. Configure the following scan types:
   • DMARC authentication.

     Before configuring additional settings of DMARC message authentication for a rule, make sure that DMARC, DKIM, and SPF mail sender authentication and the DNS server connection are enabled in the general protection settings.

     1. In the DMARC Mail Sender Authentication group of settings, select the Consider DMARC authentication result as primary check box if you want to determine an Mail Sender Authentication violation based only on DMARC authentication while disregarding the results of SPF and DKIM authentication.

        If the check box is selected, an authentication violation is determined based on the results of DMARC authentication. If the check box is cleared, the results of SPF, DKIM and DMARC authentication are considered to be equivalent. A violation under any of these authentication methods is considered to be a Mail Sender Authentication violation. If violations are found by several authentication methods simultaneously, the strictest of the actions defined for SPF, DKIM, or DMARC Mail Sender Authentication violations is applied to the message.

     2. In the If a DMARC violation is detected drop-down list, select one of the following actions to take on messages found to cause an authentication violation during DMARC message authentication:
        • Apply DMARC policy.

          The DMARC policy is configured by the administrator on the DNS server. If the administrator has set a None or Quarantine policy, the application performs the Skip action. The Reject action of the application corresponds to the Reject policy.

        • Reject.
        • Delete message.
        • Skip.

        The Apply DMARC policy action is selected by default.

     3. If you want to automatically place in Backup those messages which the DMARC authentication finds to be inauthentic, select the Move copy to Backup check box.

        This check box is cleared by default.

     4. If you want tags to be automatically added after the scan to the beginning of the subject of messages that DMARC authentication finds to violate mail sender authenticity, type the text of the tag in the text box under the Move copy to Backup check box.

        By default, no tag is assigned.

   • SPF authentication.

     Before configuring additional settings of SPF message authentication for a rule, make sure that SPF Mail Sender Authentication is enabled in the settings of Kaspersky Secure Mail Gateway.

     1. In the SPF Mail Sender Authentication group of settings, select the Consider SPF softfail as a violation check box if you want to consider an SPF softfail error detected during SPF authentication as a violation of Mail Sender Authentication.
     2. In the If a SPF violation is detected drop-down list, select one of the following actions to take on messages found to cause an authentication violation during SPF message authentication:
        • Reject.
        • Delete message.
        • Skip.

        The Skip action is selected by default.

     3. If you want to automatically place in Backup those messages which the SPF authentication finds to be inauthentic, select the Move copy to Backup check box.

        This check box is cleared by default.

     4. If you want tags to be automatically added after the scan to the beginning of the subject of messages that SPF authentication finds to violate mail sender authenticity, type the text of the tag in the text box under the Move copy to Backup check box.

        By default, no tag is assigned.

   • DKIM authentication.

     Before configuring additional settings of DKIM message authentication for a rule, make sure that DKIM Mail Sender Authentication is enabled in the settings of Kaspersky Secure Mail Gateway.

     1. In the DKIM Mail Sender Authentication group of settings, select the Consider absence of DKIM signature as an authentication violation check box if you want to consider the absence of a DKIM signature in the message detected by DKIM authentication as a violation of Mail Sender Authentication.
     2. In the Alignment mode drop-down list, select an authentication mode:
        • Relaxed.
        • Strict.
     3. In the If a DKIM violation is detected drop-down list, select one of the following actions to take on messages found to cause an authentication violation during DKIM Mail Sender Authentication:
        • Reject.
        • Delete message.
        • Skip.

        The Skip action is selected by default.

     4. If you want to automatically place in Backup those messages which the DKIM authentication finds to be inauthentic, select the Move copy to Backup check box.

        This check box is cleared by default.

     5. If you want tags to be added after the scan to the beginning of the subject of messages that DKIM authentication finds to violate mail sender authenticity, type the text of the tag in the text box under the Move copy to Backup check box.

        By default, no tag is assigned.

8. Click Save.

Mail Sender Authentication is configured. The specified settings are applied to messages that match the rule criteria.

To ensure the configured settings are applied during the operation of Kaspersky Secure Mail Gateway, make sure to enable Mail Sender Authentication for the rule and to enable the configured rule.

[Topic 91242]

Notification settings for message scan events

You can configure delivery of email notifications about message scanning events for one or several rules.

This option is available if forwarding of notifications is enabled in the general settings for email notifications.

You can configure delivery of email notifications to recipients from the general list, sender, recipient of messages or to other recipients about the following message scan events:

• Malicious objects detected.
• Encrypted objects detected.
• Anti-Virus scan errors detected.
• Content Filtering issues detected.
• Phishing messages detected.
• A macro detected in the attachment.
• Malicious links detected.
• If an object detected by KATA.

  You can configure notifications about KATA alerts only if integration with Kaspersky Anti Targeted Attack Platform is enabled.

To configure notifications about message scanning events:

1. In the application web interface window, select the Rules section.
2. In the rule table, select the rule for which you want to configure notifications about scanning events.

   This opens the View rule window.

3. Click Edit.

   Rule settings become editable.

4. In the left pane, select the Notifications section.
5. In the group of settings with the name of the selected event (for example, Malicious objects detected), select the check boxes next to the names of settings:
   • Notify recipients from the general list if you want notifications about the selected event to be sent to addresses from the general list.

     If the check box is selected, you need to define the list of addresses in the general email notification settings after clicking the Specify link.

   • Notify sender if you want notifications about the selected event to be sent to message sender addresses.
   • Notify recipient if you want notifications about the selected event to be sent to message recipient addresses.
   • Additional addresses if you want notifications about the selected event to be sent to additional email addresses.
6. If you have configured notifications to be sent to message recipient addresses, select one of the following options:
   • Notify only if you want the notification to be sent without the original message.
   • Notify with source message in attachment if you want the notification to be sent with the original message in an attachment.
7. If you have configured notifications to be sent to additional email addresses, type an address in the text box and press Enter.

   The email addresses are entered one at a time. Repeat the process of adding addresses to the list for all email addresses that you are adding.

8. If necessary, click the Customize notification templates link in the upper-right corner of the window and edit the notification templates.
9. Click Save.

Notifications about message scanning events are configured.

To ensure the configured settings are applied during the operation of Kaspersky Secure Mail Gateway, make sure to enable the configured rule.

[Topic 88996]

Adding a Warning about insecure message

To add a warning about insecure message:

1. In the application web interface window, select the Rules section.
2. In the rule table, select the rule for which you want to configure a warning about insecure message.

   This opens the View rule window.

3. Click Edit.

   Rule settings become editable.

4. In the left pane, select the Insecure message warning section.
5. In the Warning template drop-down list, select the Warning template about insecure message that you want to add.
6. Select check boxes next to one or several types of messages to which you want to add a warning:
   • For encrypted messages.
   • For phishing messages.
   • For infected messages.
   • For messages with Anti-Virus scan errors.
   • For messages containing links.
7. Click Save.

Warnings are added to the text of the messages in accordance with settings.

Whether the warning is displayed correctly depends on the software that the recipient uses to view email as well as on the content of the messages. For this reason, we do not recommend relying entirely on warnings to inform users about potential threats and other objects detected in messages. For example, you can also add a text tag to the beginning of the message subject.

To ensure the configured settings are applied during the operation of Kaspersky Secure Mail Gateway, make sure to enable the configured rule.

[Topic 88989]

Adding email disclaimers

To add an email disclaimer to scanned messages:

1. In the application web interface window, select the Rules section.
2. In the rule table, select the rule for which you want to configure an email disclaimer.

   This opens the View rule window.

3. Click Edit.

   Rule settings become editable.

4. In the left pane, select the Email disclaimer section.
5. Enable or disable the email disclaimer using the toggle switch to the right of the section title.

   Disclaimers are not added by default.

6. In the Add disclaimer drop-down list, select the disclaimer template that you want to add to messages.
7. Click Save.

Adding an email disclaimer is configured.

To ensure the configured settings are applied during the operation of Kaspersky Secure Mail Gateway, make sure to enable adding email disclaimers for the rule and to enable the configured rule.

[Topic 224426]

Configuring KATA protection

Before configuring KATA protection settings in a message processing rule, make sure that KATA integration has been configured in the general protection settings.

To configure KATA protection in a message processing rule:

1. In the application web interface window, select the Rules section.
2. In the rules table, select the rule for which you want to configure KATA protection.

   This opens the View rule window.

3. Click Edit.

   Rule settings become editable.

4. In the left pane, select the KATA Protection section.
5. Use the toggle switch on the right of the section title to enable or disable KATA protection for messages that match the rule criteria.

   KATA protection is disabled by default.

6. If you enabled KATA protection at the previous step, use the In case of detection drop-down list to select the action to take on messages:
   • Delete message.
   • Reject.
   • Skip.

   The Delete message action is selected by default.

7. If you want messages with detected objects to be automatically placed in Backup based on the results of a scan on the KATA server, select the Move copy to Backup check box.

   This check box is selected by default.

8. If you want the application to add a tag to the beginning of the subject of messages in which objects are detected by KATA scans, type the text of the tag in the text box under the Move copy to Backup check box.

   The [KATA detect] tag is added by default.

9. Click Save.

KATA protection is now configured. The specified settings are applied to messages that match the rule criteria.

To ensure that the settings you have configured are actually used during operation of Kaspersky Secure Mail Gateway, make sure that KATA protection is enabled for the rule and that the rule you have configured is enabled.

[Topic 202955]

Viewing rule information

To view information about a rule:

1. In the application web interface window, select the Rules section.
2. Select the rule for which you want to view information.

   This opens the View rule window.

It contains the following sections:

• General.
• Anti-Virus.
• Links scanning.
• Anti-Spam.
• Anti-Phishing.
• Content Filtering.
• Mail Sender Authentication.
• Notifications.
• Insecure message warning.
• Email disclaimer.
• KATA Protection.

  This is displayed only when KATA integration is configured.

[Topic 88115]

Enabling and disabling a message processing rule

To enable or disable a message processing rule:

1. In the application web interface window, select the Rules section.
2. Do one of the following:
   • Flip on the toggle switch in the line with the name of the rule that you want to enable.
   • Flip off the toggle switch in the line with the name of the rule that you want to disable.

[Topic 202927]

Changing rule settings

To modify rule settings:

1. In the application web interface window, select the Rules section.
2. Select the rule for which you want to modify settings.

   This opens the View rule window.

3. In the lower part of the window, click Edit.

   This opens the Edit rule window.

4. Make the changes you want.
5. Click Save.

Rule settings are modified.

[Topic 88123]

Deleting message processing rules

To delete a message processing rule:

1. In the application web interface window, select the Rules section.
2. Select the rule that you want to delete.

   This opens the View rule window.

3. In the lower part of the window, click Delete.
4. In the confirmation window, click OK.

The message processing rule is deleted.

[Topic 90648]

Allowlists and denylists

You can use allowlists and denylists for more granular control of the way the mail system reacts to messages from certain addresses. For example, sources that are officially not spam but are identified by the program as mass mail (for example, messages from news portals) can be added to the allowlist.

You can use the following to configure allowlists and denylists:

• Preset AllowList and DenyList message processing rules. You can also create your own rules with sender and recipient addresses to whose messages the specified action must be applied, and change the priorities of the rules.

  By default, AllowList and DenyList rules are turned off, and no sender and recipient addresses are specified therein. You will have to generate address lists in these rules and turn on the rules.

• Personal allowlists and denylists that contain sender addresses for a single recipient. A personal allowlist allows messages to pass through without Anti-Spam scans. The messages are still scanned for phishing, viruses, and other threats, and content filtering is also performed.

A flowchart of the default algorithm for processing messages in accordance with allowlists and denylists is shown in the figure below. You can change the action for the DenyList rule (Reject or Delete message) as well as change the rules priority by moving the AllowList and DenyList rules around the rule table. In this case, the algorithm for applying program actions will differ from the one described below.

Algorithm for processing messages in accordance with allowlists and denylists

Messages whose sender and recipients have their addresses on an allowlist or denylist in message processing rules are processed as follows:

• If the addresses of the sender and recipients of a message are on the allowlist in the AllowList rule, the program skips the message without scanning it by default.
• If the addresses are not specified in the AllowList rule, the address is checked against the denylist in the DenyList rule. If sender and recipient addresses are found in the list, by default the program rejects the message without performing a scan. You can change the action for the DenyList rule.

If the message is not subject to global allowlists and denylists in message processing rules, the program checks if the sender address is found in personal lists of the recipient.

• If the sender address is on the personal allowlist, an Anti-Spam scan is not performed. The message is processed in accordance with the results of scanning with the other program modules.
• If the sender address is not present in the personal allowlist of the recipient, the address is checked against the personal denylist. If there's a match, the message is not delivered to the recipient who owns the personal denylist. Depending on the specified action, the program deletes or rejects the message. The program can also place the message in Backup.

  * Before placing a copy of the message in Backup, the program scans it with all protection modules. Based on the results of the scan, the program applies the strictest possible action to the message. For example, if the scan results trigger a rule that applies the Delete message action but personal denylists stipulate the Reject action, the Delete message action is performed because it is the more strict response. In other words, the message is deleted in accordance with the rule settings instead of being rejected in accordance with personal denylist settings.

  Messages placed in Backup are not taken into account when counting messages with the Personal denylist status in widgets in the Dashboard section.

If the addresses are not present in any of the lists either in message processing rules or in personal lists of the recipient, the message is processed in accordance with the selected rule. The rule selection algorithm is described in more detail in the chapter about the application of message processing rules.

[Topic 88759]

Configuring personal lists

Settings in this section apply to all personal accounts.

To configure personal allowlists and denylists:

1. In the application web interface window, select the Settings → Personal accounts → Allowlists and denylists section.
2. Enable or disable the display and use of allow and/or deny lists using Allowlist and Denylist toggle switches.

   When you enable a personal allowlist or denylist, it becomes available for viewing and is used for email traffic processing.

3. In the If the sender's address is in denylist drop-down list, select one of the following actions on messages:
   • Delete message if you want to delete messages from a sender whose address is in the personal deny list.
   • Reject if you want to reject messages from a sender whose address is in the personal deny list.
4. If you want to move messages from a sender whose address is in the personal deny list to Backup, select the Move copy to Backup check box.

   This check box is selected by default.

5. Click Save.

Personal allowlists and denylists are configured.

[Topic 94247]

Viewing personal allowlists and denylists

To manage personal allowlists and denylists in the program web interface, you must add a LDAP server connection.

In administrator mode, you can view personal allowlists and denylists for all users whose account information is saved in the LDAP cache.

In user mode, only lists for the current user are displayed if the administrator has turned on the display and use of personal lists in program settings.

To view personal allowlists and denylists in administrator mode:

1. Connect to the program web interface using program administrator credentials.
2. Select User lists in the program web interface window.
3. In the text box, enter the user name in the LDAP directory service in the distinguishedName format.

   A list of LDAP accounts matching the search string you specified appears under the entry field.

4. Click the LDAP record of the user whose lists you want to view.
5. Click Search to the right of the text box.

The workspace displays the allowlists and denylists of the selected user.

To view personal allowlists and denylists in user mode:

1. Connect to the program web interface using domain user credentials.
2. Select the User lists section.

The workspace displays allowlists and denylists of the current user.

[Topic 103944]

Creating personal lists

To gain access to personal allowlists and denylists in the program web interface, you must add a LDAP server connection.

In administrator mode, you can add, edit, and delete addresses in personal lists of all users whose account data are stored in the LDAP cache.

In user mode, you can view and edit personal lists only for the current user.

To create personal allowlists and denylists:

1. If you are in administrator mode:
   1. Select User lists in the program web interface window.
   2. In the text box, enter the user name in the LDAP directory service in the distinguishedName format.

      A list of LDAP accounts matching the search string you specified appears under the entry field.

   3. Click the LDAP record of the user whose lists you want to edit.
   4. Click Search to the right of the text box.
2. If in user mode, select the User lists section.

   The workspace displays personal lists: the allowlist in the left part, and the denylist in the right part.

   Complete steps 3–5 for each personal list.

3. If you want to add a new address to the personal list, enter it in the text box and press Enter.

   You can add addresses one by one or enter multiple semicolon-separated addresses.

   You can use the symbols "*" and "?" to create an address mask, and regular expressions beginning with the prefix "re:".

   Regular expressions are not case-sensitive.

   Adding internationalized addresses is supported.

4. If you want to edit a previously added address, click the address in the text box, make the necessary changes in edit mode and press Enter.
5. If you want to delete an address from the personal list, click to the right of the address.
6. Click Save.

   If at least one address has an incorrect format, the lists cannot be saved. Fix all addresses highlighted with a red background and repeat the save operation.

Personal allowlists and denylists are created.

[Topic 201623]

Managing the cluster

After installation and setup, you can configure the application in the web interface. To do so, you must combine all nodes hosting the Kaspersky Secure Mail Gateway application into a

All nodes must be added to the cluster by their IP addresses of the same format (only IPv4 or only IPv6).

The table of cluster nodes is displayed in the application web interface in the Nodes section.

[Topic 201626]

Creating a new cluster

After the application is installed, you must create a cluster for managing nodes through the application web interface. In addition, you can create multiple clusters to manage different groups of servers separately from each other.

To create a new cluster:

1. In the web interface of the node to which you want to assign the Control node role, click Create new cluster.
2. Refresh the browser page after a few minutes.

   The web interface of the Control node.

The cluster is created. After this, you can add Secondary nodes to the cluster.

[Topic 202380]

Viewing the cluster node table

To view the cluster node table:

in the program web interface window, select the Nodes section.

The table displays the following information about cluster nodes:

• IP address:port is the IP address and the port for connecting cluster node to the server.
• Role is the role of the node in the cluster.
• Status is information about whether the node is experiencing any problems.

  The status display includes the following information about the node:

  • Status of connection to KSN/KPSN servers
  • License key status
  • Application database update status
  • Date and time and result of the last update task
  • Status of time synchronization with the Control node (for Secondary nodes).

  The following statuses are available:

  • Synchronized means the node has no problems with any of the listed parameters.
  • Node is not available means there is no connection with the node (the time when the node became unreachable is also specified).
  • Unable to guarantee fault tolerance of the application: no servers with Secondary node role.
  • No SPN for Kerberos Single Sign-On.
  • Operating system restart is required.
  • Domain controller data is either out of date or missing.

  If there are errors or warnings for a specific parameter in a widget, all statuses are listed (for example, Databases are out of date, Protection level decreased, The license is suspended).

• Comment is any additional information about the node.

If necessary, you can view detailed information about each cluster node.

[Topic 201627]

Configuring the display of the cluster node table

To configure the display of the cluster node table:

1. In the application web interface window, select the Nodes section.

   The cluster node table opens.

2. In the table on the right, click .

   This opens the cluster node table settings menu.

3. Select check boxes next to settings that you want to display in the table.

   At least one check box must be selected.

The display of the cluster node table is now configured.

[Topic 201759]

Viewing information about a cluster node

To view information about a cluster node:

1. In the application web interface window, select the Nodes section.
2. Select the node whose information you want to view.

   A window containing information about the node opens.

The window contains the following information depending on server type:

1. Node information settings group:
   • Certificate fingerprint: is the
     certificate fingerprint

     Information that can be used to confirm the authenticity of a server certificate. The fingerprint is created by applying a cryptographic hash function to the content of the server certificate.

     of the server.
   • Virtualization technology is the name of the virtualization platform.

     The following values are possible:

     • ACRN
     • bhyve (FreeBSD hypervisor)
     • Bochs Emulator
     • Linux KVM
     • Microsoft Hyper-V
     • Not used means that the program is installed on a physical server
     • Oracle VM VirtualBox
     • Parallels Desktop or Server
     • QEMU
     • QNX
     • UML (user-mode Linux)
     • VMware Workstation or Server
     • Xen
     • z/VM

     Kaspersky Secure Mail Gateway supports Microsoft Hyper-V and VMware ESXi. Program performance cannot be guaranteed when using other hypervisors.

   • Comment is additional information about the node. Optional setting.
   • Current server role is the role of the current node in the cluster.
   • Scan threads is the number of message streams that Kaspersky Secure Mail Gateway can scan simultaneously.
2. Settings settings group:
   • For the Control node:
     • Applied refers to the last time when settings were successfully applied to program modules.
     • Time is the state of time synchronization with the hypervisor and the NTP server.
   • For a Secondary node:
     • Synchronized refers to the last time when settings were successfully received from the Control node. If settings were received, you can assign the Control role to this Secondary node without losing the defined settings.
     • Applied refers to the last time when settings were successfully applied to program modules.
3. Database information settings group:
   • Database update is the state of the program databases and the result and time of their last successful update.
   • Anti-Virus is the state of the Anti-Virus module databases.
   • Anti-Phishing is the state of the Anti-Phishing module databases.
   • Anti-Spam is the state of the Anti-Spam module databases.

   The following values are possible:

   • Databases are up to date.
   • Databases are out of date.
   • Databases are obsolete.
   • Bases error.
4. External services settings group:
   • KSN/KPSN status is the status of the connection to KSN/KPSN services.
   • KATA status is the state of the connection to the KATA server (displayed only when KATA integration is configured).
   • Kerberos keytab file status is the existence of SPN entries about all Secondary nodes in the keytab file (displayed only if Kerberos authentication is enabled).
   • LDAP status settings group (displayed only if integration with an Active Directory domain is configured):
     • Connection is the date and time of the last successful connection to the Active Directory domain controller.
     • Data for rules match is the date and time of the last successful update of user account data used for selecting traffic processing rules.
     • User accounts autofill is the date and time of the last successful update of data used for autocompletion of user names in the program web interface.

     If at least one of these steps results in an error, the cluster nodes table shows an error message.

5. Server time settings group (displayed only for Secondary nodes):
   • Time is the status of time synchronization with the following:
     • Server hosting the Control node
     • Hypervisor
     • NTP server

   If the status is Failure, you can copy error information to the clipboard by clicking the button to the right of the status.

6. License information settings group:
   • License expiration date.
   • License is the information about the status of the license key (for an active license key, expiration date and the number of days to expiration is also displayed).
   • Program is the name of the program for which the added license key was issued.
   • Functionality level is the program operation mode depending on the added license key.
   • License type is the type of license (trial, commercial, or subscription).
   • Serial number is the serial number of the license key.

[Topic 201629]

Adding a node to the cluster

To add a node to the cluster:

1. In the application web interface window, select the Nodes section.
2. Click Add node.

   This opens the Add node window.

3. In the IP address and Port fields, type the IP address and port of the server hosting the application that you want to add as a cluster node.
4. If necessary, type additional information about the node you are adding in the Comment field.
5. In the Scan threads field, enter the number of traffic streams that the mail server can process simultaneously.

   Default value: 16.

6. Click Next.
7. Compare the certificate fingerprint in the Check node window with the certificate fingerprint of the server. If the certificate fingerprints match, click Confirm.

   The certificate fingerprint is displayed in the local console of the server after the Initial Configuration Wizard completes.

The node is added to the cluster and is displayed in the node table on the Nodes page.

To use the time zone configured for the other nodes, restart the new cluster node.

Before you direct email traffic to the added node, you must update application databases and perform LDAP synchronization. Otherwise, the application cannot provide an adequate level of protection or place email messages in Personal Backup, and rules that mention attributes of Active Directory accounts cannot be applied.

[Topic 201630]

Modifying node settings

You cannot change the IP address and port of the server on which the program is installed. If necessary, remove the node from the cluster and add a new node with the required address.

To modify node settings:

1. In the application web interface window, select the Nodes section.
2. In the cluster nodes table, select the node whose settings you want to modify.

   The node settings window opens.

3. In the lower right corner of the window, click Edit.

   This opens the Edit node window.

4. If necessary, change the following settings:
   • Type any additional information about the node in the Comment field.
   • The number of simultaneous mail traffic processing threads in the Scan threads field.

     The recommended value is the number of CPU cores times two.

5. Click Save.

Node settings will be modified.

[Topic 201631]

Removing a node from a cluster

The Control node cannot be removed.

When a node is removed from a cluster, the program is not removed from the server. You can add the node back to the cluster at any time and continue to manage the program settings for this node.

To remove a node from a cluster:

1. In the application web interface window, select the Nodes section.
2. In the cluster nodes table, select the Secondary node that you want to remove from the cluster.

   The node settings window opens.

3. In the lower left corner of the window, click Delete.

   This will open a window for confirming deletion of the node from the cluster.

4. Click OK.

The node will be removed from the cluster. Information about the node will no longer be displayed in the cluster nodes table. Quarantined objects, backup copies of objects, database updates, event logs, reports, and received diagnostics is stored on the server where the program is installed.

[Topic 201632]

Changing the role of a node in a cluster

You can assign the Control node role to any cluster node. The other nodes will have the Secondary node role. For example, you may need to change the roles due to a failure of the Control node, or if you have to remove the application from this server.

To assign the Secondary node role to the Control node:

1. In the application web interface window, select the Nodes section.
2. In the cluster nodes table, select the Control node.

   The node settings window opens.

3. Click Change role to Secondary node.

The Control node will become a Secondary node. The web interface of the Secondary node opens.

To assign the Control node role to a Secondary node:

1. In the application web interface window, select the Nodes section.
2. In the cluster nodes table, select a Secondary node.

   The node settings window opens.

3. Click Go to manage node.

   Authorization page opens in a new browser window.

4. Enter the name and password of the application administrator.

   The web interface of the Secondary node opens.

5. Click Change role to Control node.
6. In the confirmation window, click OK.

The Secondary node will become the Control node.

[Topic 201633]

Deleting the cluster

A cluster can be removed only if there are no Secondary nodes.

To delete the cluster:

1. In the application web interface window, select the Nodes section.
2. In the cluster nodes table, select the Control node.

   The node settings window opens.

3. In the lower part of the window, click Delete cluster.

   This will open a window for confirming deletion of the node from the cluster.

4. Click OK.

The cluster is deleted. You will see the web interface of the server hosting the application that is not part of a cluster.

[Topic 201634]

Restarting a cluster node

Restarting through the web interface is available only for the application ISO image. If the application is installed from an RPM or DEB package, the restart is handled by the operating system.

A restart of the operating system of a node may be required for applying certain updates, such as OpenSSL library updates. If this is the case, the cluster nodes table displays the Operating system restart is required notification.

To restart the Control node using the application web interface:

1. In the application web interface window, select the Nodes section.
2. In the cluster nodes table, select the Control node.

   A window containing information about the node opens.

3. Click Restart.
4. In the confirmation window, click OK.

The operating system will be restarted. This may take some time. Reload the browser page after several minutes. After the restart completes, you will see the page for connecting to the web interface of the application.

Traffic processing will be stopped before the restart completes.

To restart the Secondary node using the application web interface:

1. In the application web interface window, select the Nodes section.
2. In the cluster nodes table, select the Secondary node that you want to restart.

   A window containing information about the node opens.

3. Click the Go to manage node link to go to the web interface of the Secondary node.

   The page for connecting to the web interface opens in a new tab of the browser.

4. Enter the account credentials and connect to the Secondary node.
5. Click Restart.
6. In the confirmation window, click OK.

The operating system will be restarted. This may take some time. Reload the browser page after several minutes. After the restart completes, you will see the page for connecting to the web interface of the Secondary node.

Traffic processing will be stopped before the restart completes.

[Topic 234112]

Managing the SSL certificate of the cluster node

By default, Kaspersky Secure Mail Gateway 2.0 uses a self-signed certificate automatically generated during cluster node deployment as the SSL certificate of the cluster node. When logging in to the program web interface with this certificate, the browser displays an insecure connection warning. For better convenience and security when using the web interface, you can replace the default certificate of the node with a certificate issued by a trusted certification authority.

To replace the SSL certificate of a cluster node, you will need the following files:

• A certificate file in the X.509 format with the PEM extension or a container file with a certificate chain in the X.509 format with the PEM extension
• An RSA private key file with the PEM extension (without a passphrase)

You can prepare the private key file and the certificate on your own, or alternatively you can obtain ready-to-use files from a certification authority.

Steps involved in replacing the SSL certificate of the cluster node and creating the private key and certificate files on your own

1. Creating a private key file and a Certificate Signing Request

   You will receive one of the following files from the certification authority:

   • Signed X.509 certificate file with the CER or CRT extension
   • PKCS#7 certificate chain file with the P7B extension The file includes the website certificate signed at your request as well as certificates of intermediate certificate authorities.
2. Converting obtained files into the PEM encoding

   Depending on the type of the file obtained at the previous step, do one of the following:

   • Convert a certificate from the DER encoding to the PEM encoding.
   • Extract the certificate chain from a PKCS#7 container.
3. Replacing the SSL certificate of a cluster node

Steps involved in replacing the SSL certificate of the cluster node using private key and certificate files provided by a certification authority

1. Obtaining private key and certificate files from the certification authority

   The private key and certificates are provided as a PFX container (PKCS#12 format, PFX or P12 extension).

   If your organization uses the Active Directory Certification Services service as the certification authority, use the Web Server template to create the certificate. Save the result as a certificate chain in the DER encoding.

2. Extracting certificate and private key files from a PFX container
3. Replacing the SSL certificate of a cluster node

[Topic 234130]

Creating an SSL certificate signature request file

You can create a Certificate Signing Request file using the openssl utility or online services.

To create a Certificate Signing Request file using the openssl utility:

1. Prepare a request.config text file with the following contents (for examples of settings, see the table below):

   [req]

   default_bits=2048

   prompt=no

   default_md=sha256

   req_extensions=req_ext

   distinguished_name=dn

   [dn]

   C=<two-letter country code>

   ST=<region>

   L=<city>

   O=<organization name>

   OU=<organizational unit name>

   emailAddress=<email address of the web server administrator>

   CN=<domain name of the Control Node of the cluster>

   [req_ext]

   subjectAltName=@alt_names

   [alt_names]

   DNS.1=<domain name of the Control Node of the cluster>

   DNS.2=<domain name of the Secondary Node of the cluster>

   DNS.3=<domain name of the Secondary Node of the cluster>

2. Create a private RSA key with the PEM extension (without a passphrase):

   openssl genrsa -out key.pem 2048

3. Create a Certificate Signing Request using the following command:

   openssl req -new -sha256 -key key.pem -out request.csr -config request.config

This creates the following files:

• key.pem is the RSA private key file with the PEM extension. Save this file to use it for replacing the certificate on the cluster node.
• request.csr is the Certificate Signing Request in the PKCS#10 format. Submit this file to the certification authority.

Examples of settings in the request.config file

Page top

[Topic 239055]

Converting a certificate from the DER encoding to the PEM encoding

After processing the Certificate Signing Request, the certification authority may issue a signed certificate in the X.509 format (file with the CER or CRT extension).

The X.509 certificate file can be provided in two encodings:

• DER encoded
• Base64 encoded (PEM encoding)

If the certificate is provided in the DER encoding, you must convert it to the PEM encoding. You can use the openssl utility to convert the certificate.

To convert a certificate from the DER encoding to the PEM encoding, use the following command:

openssl x509 -in source.cer -inform DER -out cert.pem

You can use the obtained cert.pem file to replace the web interface certificate.

[Topic 239056]

Extracting the certificate chain from a PKCS#7 container

After processing the Certificate Signing Request, the certification authority may provide a certificate chain in the PKCS#7 format (file with the P7B extension). The chain includes the website certificate signed at your request as well as certificates of intermediate certificate authorities.

The PKCS#7 certificate file can be provided in two encodings:

• DER encoded
• Base64 encoded (PEM encoding)

To use the certificates, you must extract them from the container to get a PEM-encoded file. You can use the openssl utility to convert the certificate.

To convert the DER encoded PKCS#7 file, use the following command:

openssl pkcs7 -in source.p7b -inform DER -print_certs -out cert.pem

To convert a PEM encoded PKCS#7 file, use the following command:

openssl pkcs7 -in source.p7b -inform PEM -print_certs -out cert.pem

You can use the obtained cert.pem file to replace the web interface certificate.

[Topic 239064]

Extracting certificate and private key files from a PFX container

If the certification authority provided the certificate as a PFX container (PKCS#12 format, file with the PFX or P12 extension), you must extract PEM-encoded certificate and private key files from the container.

You can extract the certificate and private key files using openssl. To extract the files, you will need to enter the passphrase of the PFX container.

To extract the private key file, use the following command:

openssl pkcs12 -in source.pfx -nocerts -nodes -out key.pem

To extract the certificate key file, use the following command:

openssl pkcs12 -in source.pfx -clcerts -nokeys -out cert.pem

You will get the following files:

• key.pem is the PEM-encoded RSA private key file (without a passphrase).
• cert.pem is the PEM-encoded X.509 certificate file.

You can use the private key and certificate files thus obtained to replace the web interface certificate.

[Topic 234129]

Replacing the SSL certificate of a cluster node

To replace the SSL certificate of a cluster node:

1. Log in over SSH to the management console of the node for which you want to replace the certificate.
2. Place the certificate file (cert.pem) and the private key file (key.pem) in the /root directory.
3. Change to the web server config files directory:

   cd /etc/nginx/ksmg

4. Create backup copies of the current certificate and private key:

   cp -p webapi.crt webapi.crt.backup

   cp -p webapi.key webapi.key.backup

5. Replace the contents of the certificate and private key files:

   cat /root/cert.pem > webapi.crt

   cat /root/key.pem > webapi.key

6. Set the owner of the certificate and access permissions of the private key:

   chown root:root webapi.crt

   chmod 644 webapi.crt

   chown kluser:root webapi.key

   chmod 600 webapi.key

7. Restart the nginx service:

   systemctl restart nginx

8. Check the status of the nginx service:

   systemctl status nginx

   The service must have the running status.

9. Open the web interface of the cluster node in the browser. If the certificate was successfully replaced, the insecure connection warning is not displayed.
10. If the replacement was successful, delete the original certificate and private key files from the /root directory:

    rm -f /root/cert.pem /root/key.pem

The SSL certificate of the cluster node is replaced. If you want to replace certificates on multiple cluster nodes, you must follow the step-by-step instruction on each of the nodes.

[Topic 216884]

Checking data integrity

An application module integrity check is run automatically after the application is started on a cluster node. This allows to check if application components are correctly installed and not tampered with or corrupted.

You can run a data integrity check manually at any time. The integrity check is run for each cluster node separately. This involves checking the hashes of application executable files using the GOST R 34.11-2012 algorithm.

You can see the results of manually started scans in the summary table for cluster nodes.

If the integrity check does not find any integrity violations, the results window displays a corresponding message. If there are integrity violations, you can download an archive with the list of encountered problems.

Information about the integrity check is recorded in the event log and in Syslog.

[Topic 216885]

Viewing information about data integrity check tasks

To view information about the latest integrity check tasks performed on all cluster nodes:

1. In the application web interface window, select the Nodes section.
2. Click Integrity check in the upper part of the workspace to open the Integrity check window.

You will see a table containing information about the latest completed integrity check tasks on cluster nodes:

• IP address:port is the IP address and port for connection to the node for which the integrity check was run.
• Role is the role of the node in the cluster.
• Last task status:

  Dash if the integrity check has never been run.

  • In progress (with task progress percentage).
  • Cancelling.
  • Deleting.
  • Completed (with task completion time).
  • Completed with error (with task completion time and error description).
  • Pending.
• Integrity check result:
  • Failed means that the task was completed and data integrity breaches were detected.
  • Succeeded means that the task was completed and no data integrity breaches were detected.

To view information about all integrity check tasks performed on a single cluster node:

1. In the application web interface window, select the Nodes section.
2. Click Integrity check in the upper part of the workspace to open the Integrity check window.
3. Select the cluster node whose task information you want to view.

This opens the View archives window. This window displays a table containing information about the start date and the results of all scan tasks successfully completed on the selected node.

[Topic 216886]

Running an integrity check manually

To run an integrity check manually:

1. In the application web interface window, select the Nodes section.
2. Click Integrity check in the upper part of the workspace to open the Integrity check window.
3. In the table in the workspace, select the cluster node for which you want to run an integrity check.

   This opens the View archives window.

4. In the lower part of the window, click Start.

The integrity check is run.

The task result is displayed in the View archives window and in the cluster node table on the Integrity check page. If there are application module integrity violations, you can download an archive with the list of encountered problems.

[Topic 216887]

Downloading an archive with integrity check results

An archive with integrity check results is available for download only if module integrity violations were found. If there are no violations, only a success message is displayed.

To download an integrity check result archive:

1. In the application web interface window, select the Nodes section.
2. Click Integrity check in the upper part of the workspace to open the Integrity check window.
3. In the table in the workspace, select the cluster node for which you want to download an integrity check results archive.

   This opens the View archives window.

4. In the row containing the relevant archive, click to the right of the archive name.

The archive is saved on your computer in the browser's downloads folder.

[Topic 216888]

Removing an archive with integrity check results

To delete the archive with integrity check results:

1. In the application web interface window, select the Nodes section.
2. Click Integrity check in the upper part of the workspace to open the Integrity check window.
3. In the table in the workspace, select the cluster node for which you want to delete an integrity check results archive.

   This opens the View archives window.

4. In the row containing the relevant archive, click to the right of the archive name.

The archive is deleted from the list.

[Topic 239606]

Modifying the network settings of a cluster node

This section contains instructions for modifying network settings of a Kaspersky Secure Mail Gateway cluster node and lists the actions that must be taken before and after the procedure to ensure the correctness of settings.

[Topic 239591]

Modifying the network settings of a cluster node

You can change the IP address and port of the server where Kaspersky Secure Mail Gateway is installed. Modifying network settings and configuring a new address is performed on each individual node using a special script. You can download the script for Kaspersky Secure Mail Gateway version 2.0 here. Before using the script, it must be copied to the cluster node whose address is planned to be changed.

To maintain the integrity and the ability to manage the Kaspersky Secure Mail Gateway cluster, node addresses must be changed in a certain order. The procedure depends on the number of nodes in the cluster and the number of nodes for which you want to change addresses. The following cases are possible:

• Some nodes in the cluster must have their addresses changed.
• All nodes in the cluster must have their addresses changed. This scenario is also used when the cluster consists of a single node.

[Topic 242101]

Network settings modification scenario for a subset of the nodes

The administrator must ensure network connectivity between nodes with new and old addresses.

Scenario for modifying the network settings of a subset of cluster nodes involves the following steps:

1. Changing the role of a node from Control to Secondary

   You must carry out this step if the Control node is in the subset of nodes for which you want to change addresses. Temporarily assign the Control node role to a node for which you are not planning to change the address.

2. Disabling mail traffic processing on selected nodes

   If you are using a load balancer, in balancer settings, turn off the load for nodes whose addresses you are planning to change. If you are not using a load balancer, in the web interface of Kaspersky Secure Mail Gateway, disable the reception of messages for the selected nodes.

   After turning off the load, wait until messages from all queues are completely sent on the selected nodes.

3. Changing the addresses of Secondary nodes

   Change the addresses of selected Secondary nodes, one by one. To do so, on each node:

   1. Modify the network settings of the Secondary node in Technical Support Mode.

      You can modify the network settings of the operating system, IP addresses of network adapters, the default gateway address, DNS server addresses.

   2. Test the network settings of the operating system on the node.

      This step lets you make sure that the new network settings are in fact applied.

   3. Modify the A and PTR records on the DNS server for the Secondary node to match the new IP address and domain name of the node.

      This is necessary for correct functioning of Kerberos authentication with the Single Sign-On technology and for interaction with other mail systems.

   4. Change the address of the node in the program in Technical Support Mode

      This step is necessary if the IP address or port of the node was modified.

4. Replacing Secondary nodes with the old addresses with Secondary nodes with the new addresses in the cluster using the program web interface

   Nodes that had their address changed must be removed from the cluster; these nodes must then be added to the cluster with the new addresses.

5. Changing the role of a node from Secondary to Control

   This step is necessary is the Control node role was temporarily assigned to a different node.

6. Checking the availability and health of all cluster nodes

   You can view the statuses of cluster nodes in the web interface of the Control node.

7. Enabling mail traffic processing on nodes

   Enable mail traffic processing on cluster nodes with new addresses, one after another. Make sure that traffic is being processed without errors.

[Topic 242105]

Network settings modification scenario for all nodes

Scenario for modifying the network settings of all cluster nodes involves the following steps:

1. Disabling mail traffic processing on all cluster nodes

   If you are using a load balancer, turn off the load on the nodes in load balancer settings. If you are not using a load balancer, in the web interface of Kaspersky Secure Mail Gateway, disable the reception of messages for all nodes.

   After turning off the load, wait until messages from all queues are completely sent on the nodes.

2. Changing the address of the Control node

   To do so, on the Control node:

   1. Modify the network settings of the node in Technical Support Mode.

      You can modify the network settings of the operating system, IP addresses of network adapters, the default gateway address, DNS server addresses.

   2. Test the network settings of the operating system on the node.

      This step lets you make sure that the new network settings are in fact applied.

   3. Modify the A and PTR records on the DNS server for the Control node to match the new IP address and domain name of the node.

      This is necessary for correct functioning of Kerberos authentication with the Single Sign-On technology and for interaction with other mail systems.

   4. Change the address of the node in the program in Technical Support Mode

      This step is necessary if the IP address or port of the node was modified.

3. Removing Secondary nodes from the cluster

   Log in to the web interface of the Control node using the new address and remove all Secondary nodes from the cluster.

   If the cluster contains a single node, skip this step and go to step 6.

4. Changing the addresses of Secondary nodes

   Change the addresses of all Secondary nodes, one by one. To do so, on each node:

   1. Modify the network settings of the Secondary node in Technical Support Mode.

      You can modify the network settings of the operating system, IP addresses of network adapters, the default gateway address, DNS server addresses.

   2. Test the network settings of the operating system on the node.

      This step lets you make sure that the new network settings are in fact applied.

   3. Modify the A and PTR records on the DNS server for the Secondary node to match the new IP address and domain name of the node.

      This is necessary for correct functioning of Kerberos authentication with the Single Sign-On technology and for interaction with other mail systems.

   4. Change the address of the node in the program in Technical Support Mode

   This step is necessary if the IP address or port of the node was modified.

5. Adding Secondary nodes to the cluster

   Use the new address of the Control node to log in to the web interface and add Secondary nodes with the new addresses to the cluster.

6. Checking the availability and health of all cluster nodes

   You can view the statuses of cluster nodes in the web interface of the Control node.

7. Enabling mail traffic processing on nodes

   Enable the reception of messages on cluster nodes under their new addresses, one by one. Make sure that traffic is being processed without errors.

[Topic 239613]

Modifying the network settings of a node in Technical Support Mode

This section provides step-by-step instructions for modifying the network settings of a cluster node using a script in Technical Support Mode.

To begin modifying the network settings of a cluster node:

1. Connect to the Kaspersky Secure Mail Gateway virtual machine management console under the root account using a private SSH key.

   You will enter Technical Support Mode.

2. Run the cluster node network settings modification script:

   sh ksmg20_change_network_settings.sh -e

The cluster node network settings modification script starts.

[Topic 239631]

Step 1. Modifying the network settings of the operating system of a node

At this step, you can modify the settings of network adapters.

To edit the network settings of the operating system on the node:

1. In the Select Action – Interfaces window, select the network adapter for which you want to modify settings.

   

2. In the Select Action – <Adapter name> window, in the IP addr line, press ENTER.

   

3. In the Interface IP configuration window, use the TAB key to select the setting that you want to modify and enter the new value:
   • If you want to modify the IP address of the adapter, enter the new value in the Address field.
   • If you want to change the subnet mask, enter the new value in the Netmask field.

   

4. To save changes, click Оk.
5. In the Select Action – <Adapter name> window, select Go back in the bottom of the list.
6. This opens a window containing a list of all available network adapters. If necessary, you can repeat the configuration steps for another network interface controller.
7. After configuring all network adapters, select Continue in the bottom of the list.

[Topic 239664]

Step 2. Modifying routing settings

At this step, you can modify the default route settings and static routes.

To modify routing settings:

1. In the Select Action – Routing window, select routing settings that you want to modify.

   

   • The network adapter of the default route
     1. Select Interface and press ENTER.

        This opens the Select gateway device window.

        

     2. Select the network adapter that must be used for the default route and press ENTER.
   • Default gateway address
     1. Select Gateway and press ENTER.

        The Interface gateway configuration window opens.

        

     2. Change the default gateway address and click Оk.
   • Static route
     1. Select Edit static routes and press ENTER.
     2. This opens the Select Action – Routes window.

        

2. If you want to modify a static route, you can take the following actions:
   • Modifying the settings of an existing static route
     1. In the Select Action – Routes window, select a route from the list.

        This opens the Select Action – Edit static routewindow.

        

     2. Select the row of the setting, press ENTER, then in the Edit static route window, use the TAB key to select the relevant setting, edit its value and click Ok.

        

     3. To change the network adapter of the selected route, in the Select Action – Edit static route window, select Route via, then in the Select interface to set route via window, select the network adapter for the static route and press ENTER.

        

   • Adding a new static route
     1. In the Select Action – Routes window, click New route and press ENTER.

        The New static route window opens.

        

     2. Specify the settings of the new static route:
        • In the Address field, enter the IP address of the network adapter.
        • In the Netmask field, enter the network mask.
        • In the Gateway field, enter the address of the gateway.
     3. Save the settings by clicking Оk.
     4. If you want to change the network adapter of the selected route, select Route via, then in the Select interface to set route via window, select the network adapter for the static route and press ENTER.

        

   • Deleting a static route
     1. In the Select Action – Routes window, select a route from the list.

        This opens the Select Action – Edit static routewindow.

        

     2. Select Delete static route, then in the Delete static route window, click Yes.

        

3. Configure the static route in the Select Action – Edit static route window, then select Go back.

   This opens the Select Action – Routes window with a modified list of static routes.

4. In the Select Action – Routes window, click Go back.

   This opens the Select Action – Routing window.

5. In the Select Action – Routing window, click Continue.

[Topic 239697]

Step 3. Modifying DNS server settings

At this step, you can modify the DNS server settings.

To modify DNS server settings:

1. In the Select Action – Resolver window:
   1. Make sure that the no option is defined for the Use DHCP field.

      

   2. In the Search list field, press ENTER.

      The Interface DNS configuration window opens.

      

      • In the Search list field, enter the domain search DNS suffixes separated by a space.
      • In the Primary field, enter the address of the primary DNS server.
      • In the Secondary field, enter the address of the secondary DNS server.
   3. Click OK.
2. In the Select Action – Resolver window, click Continue.

As a result, the wizard applies the new network settings of the node. Connect to the node over SSH using the new IP address and proceed to test the applied settings.

[Topic 239713]

Testing the network settings of the operating system of a node

Before you change the address of the node in Kaspersky Secure Mail Gateway, it is recommended to make sure the new network settings of the operating system have been applied.

To test the network settings of the operating system of a cluster node:

1. In Technical Support Mode, connect to the node using the new IP address.
2. Check if the current network settings of the operating system match the settings that you have specified in the steps of the wizard. To view and check the settings of the operating system, use the following commands:
   • To test the network adapter settings:

     ip address

   • To test the default route and static route:

     ip route

   • To test the DNS server settings:

     cat /etc/resolv.conf

3. Make sure the DNS server has a record for the new domain name of the node:

   host <domain name of the node>

   If the record for the domain name of the node is not found on the DNS server, check if the network settings are specified correctly. If necessary, modify the network settings of the operating system.

4. If necessary, change the domain name of the host:

   hostnamectl set-hostname <new domain name of the host>

5. Check if the new domain name is in fact assigned to the host:

   hostnamectl status

   The output includes the line static hostname with the assigned domain name of the cluster node.