Manual Integration with Exim mail server

If, during initial configuration of the application, you skip the automatic integration of the application with the mail server, you must integrate KSMG with the mail server manually.

You can manually configure before-queue integration of KSMG with the Exim mail server using a dynamically linked library (dlfunc). With before-queue integration, KSMG scans the messages before they end up in the queue of the Exim mail server. After-queue integration is not supported.

Depending upon the specific distribution of the operating system, you have to modify one or several configuration files of the Exim mail server:

• In Red Hat Enterprise Linux and Rocky Linux, changes are made to the main configuration file, /etc/exim/exim.conf.
• In Ubuntu:
  • If the configuration file is generated from a monolithic template, changes are made to the /etc/exim4/exim4.conf.template file.
  • If the configuration file is generated from a split template, changes are made to the /etc/exim4/conf.d/acl/40_exim4-config_check_data template file or similar.

To perform the before-queue integration of KSMG with Exim:

1. Make sure that the Exim mail server supports the functions of the dlfunc dynamically linked library. To do so, run the following command:

   exim -bV

   The Exim mail server supports the dlfunc dynamically loaded library if the Support for section contains the Expand_dlfunc line.

2. Make a backup copy of the Exim configuration files.
3. Modify the access control list for acl_smtp_data. To do that, find in the Exim configuration file(s) the line that looks like:

   acl_smtp_data = acl_check_data (a different variable or macro can be used in place of acl_check_data)

   and after the line

   acl_check_data: (or a string containing a different variable or macro)

   add the following lines:

   # Manually added block ksmg-exim-filter-dflunc begin

   warn set acl_m_ksmg_input_directory = ${spool_directory}/input

     set acl_m_ksmg_lookup_result = ${lookup {$message_id-D} dsearch {$acl_m_ksmg_input_directory}}

   warn condition = ${if eq {$acl_m_ksmg_lookup_result}{}{yes}{no}}

     set acl_m_ksmg_input_directory = ${spool_directory}/input/${substr{5}{1}{$message_id}}

   warn set acl_m_ksmg_answer = ${dlfunc{DLFUNC_LIBRARY_FULLPATH}{scan}{$acl_m_ksmg_input_directory}}

   defer condition = ${if match {$acl_m_ksmg_answer}{^[245]}{no}{yes}}

     log_message = KSMG check failed, unexpected answer: $acl_m_ksmg_answer

   defer condition = ${if match {$acl_m_ksmg_answer}{^4}{yes}{no}}

     log_message = KSMG check defer: $acl_m_ksmg_answer

   deny condition = ${if match {$acl_m_ksmg_answer}{^5}{yes}{no}}

     log_message = KSMG check reject: $acl_m_ksmg_answer

     message = This message is blocked due to security reason

   warn condition = ${if match {$acl_m_ksmg_answer}{^2}{yes}{no}}

     logwrite = KSMG check accept: $acl_m_ksmg_answer

   # Manually added block ksmg-exim-filter-dlfunc ends here

   where DLFUNC_LIBRARY_FULLPATH is the path to the dlfunc library. The path to the library depends on the version of Exim and may look like this:

   • For Exim version from 4.86 to 4.90 not inclusive — /opt/kaspersky/ksmg/lib/libklms-exim-abi20-1.so
   • For Exim version from 4.90 to 4.93 not inclusive — /opt/kaspersky/ksmg/lib/libklms-exim-abi20-2.so
   • For Exim version from 4.93 to 4.94 not inclusive — /opt/kaspersky/ksmg/lib/libklms-exim-abi31.so
   • For Exim version from 4.94 to 4.96 not inclusive — /opt/kaspersky/ksmg/lib/libklms-exim-abi41.so
   • for Exim from 4.96 and later — /opt/kaspersky/ksmg/lib/libklms-exim-abi60.so
4. If necessary, when you are done editing the configuration file, you can regenerate the main Exim configuration file.
5. Add the kluser user to the group that includes the user that starts the exim process.

   By default, this group is called 'exim' in Red Hat Enterprise Linux and Rocky Linux, and 'Debian-exim' in Ubuntu.

6. Add the user that starts the exim process to the klusers and kl_var_users groups.

   By default, the user name is 'exim' in Red Hat Enterprise Linux and Rocky Linux and 'Debian-exim' in Ubuntu.

7. In /etc/opt/kaspersky/ksmg/filters.conf filter settings file, in the [global] section, set the following parameter values:

   scanner=unix:/var/run/ksmg/klms_scanner_sock

   header-guard=false

   • If PrivateTmp is set to false or not specified in the Exim Unit file:

     workdir=/tmp

   • If PrivateTmp is set to true in the Exim Unit file:

     workdir=/var/opt/kaspersky/ksmg/tmp

8. In the /var/opt/kaspersky/ksmg/installer.dat file, set the following parameter values:

   MTA_INTEGRATION_METHOD=dlfunc

   MTA_INTEGRATION_MODE=prequeue

   filters_workdir=<value of the 'workdir' parameter from step 7>

   mta=manual

   START_SMTP_PROXY=0

   START_MILTER=0

9. Restart the ksmg service.
10. Restart Exim mail server.

Integration with Exim is completed.

Page top