Before-queue integration
July 4, 2024
ID 43928
When "before-queue" integration is used and messages are forwarded to Kaspersky Security 8 for Linux Mail Server for scanning and then returned to the Postfix mail server, the following conditions must be satisfied:
- The filter must be configured to intercept messages from the Postfix mail server via
socket-in
. This socket is specified in the configuration file of the program at step 8 of the instructions below. - The filter must forward messages to Scan Logic for scanning via the
scanner
socket. This socket is specified while running the initial configuration script. - The filter must return messages to the Postfix mail server via
socket-out.
This socket is specified in the configuration file of the program at step 8 of the instructions below.
When Kaspersky Security 8 for Linux Mail Server is integrated with the Postfix mail server, socket-in
, scanner
, and socket-out
can point to a network socket or to a local one.
To perform before-queue integration of Kaspersky Security 8 for Linux Mail Server with Postfix:
- Open the configuration file master.cf.
- In the master.cf file, after the line
smtp inet n - n - - smtpd
add the following lines:
#klms-postfix-prequeue-start
-o smtpd_proxy_filter=$sock_postfix_format
-o smtpd_proxy_options=speed_adjust
(for integration with Postfix 2.7 or higher)#klms-postfix-prequeue-end
where
$sock_postfix_format
is the IP address and port number on which the filter listens for incoming connections, in the<IP address>:<port>
format (for a network socket). - Add the following strings at the end of the master.cf configuration file:
- For an inet socket:
#klms-begin
127.0.0.1:$forward_port inet n - n - 10 smtpd
-o receive_override_options=no_unknown_recipient_checks, no_header_body_checks,no_address_mappings
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8,[::1]/128
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
#klms-end
where the
127.0.0.1:$forward_port inet n - n - 10 smtpd
string is required to enable Postfix to accept processed messages from the filter and listen for data on$forward_port
. - For a unix socket:
#klms-begin
klms_postfix-prequeue unix - - n - 10 smtp
-o smtp_send_xforward_command=yes
$unix_socket_name unix n - n - 100 smtpd
-o receive_override_options=no_unknown_recipient_checks, no_header_body_checks,no_address_mappings
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8,[::1]/128
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
#klms-end
where the
$unix_socket_name unix n - n - 100 smtpd
string is required to enable Postfix to accept processed messages from the filter and listen for data on the $unix_socket_name unix socket.
- For an inet socket:
- Open the file /var/opt/kaspersky/klms/installer.dat (under Linux) or /var/db/kaspersky/klms/installer.dat (under FreeBSD).
- Add the following lines to the file:
POSTFIX_INTEGRATION_TYPE=prequeue
START_SMTP_PROXY=1
- Open the file /etc/opt/kaspersky/klms/klms_filters.conf (under Linux) or /usr/local/etc/kaspersky/klms/klms_filters.conf (under FreeBSD).
- In the
[global]
section, set thefalse
value for theheader-guard
setting. - In the
[smtp_proxy]
section, specify the following settings:socket-in=<IP address and port number>
or<UNIX socket>
specified at Step 2 of the wizard for$sock_postfix_format
socket-out=<IP address and port number>
or<UNIX socket>
specified at step 3 of the instructions for$forward_port or $unix_socket_name
in theinet:<port>@<IP address>
format (for a network socket) orunix:<path to the UNIX socket>
(for a UNIX socket).Example 1:
socket-in=inet:10025@127.0.0.1
socket-out=inet:10026@127.0.0.1
Example 2:
socket-in=unix:/var/run/ksmg/ksmg_smtp_sock
socket-out=unix:/var/spool/postfix/public/ksmg_forward_sock
- Restart the klms service.
- Restart the Postfix mail server.