Kaspersky Secure Mail Gateway

Manual Integration with Exim mail server

July 3, 2024

ID 56941

If, during initial configuration of the application, you skip the automatic integration of the application with the mail server, you must integrate KSMG with the mail server manually.

You can manually configure before-queue integration of KSMG with the Exim mail server using a dynamically linked library (dlfunc). With before-queue integration, KSMG scans the messages before they end up in the queue of the Exim mail server. After-queue integration is not supported.

Depending on the operating system distribution, you must modify one or more configuration files of the Exim mail server:

  • In Red Hat Enterprise Linux and Rocky Linux, changes are made to the main configuration file, /etc/exim/exim.conf.
  • In Ubuntu:
    • If the configuration file is generated from a monolithic template, changes are made to the /etc/exim4/exim4.conf.template file.
    • If the configuration file is generated from a split template, changes are made to the /etc/exim4/conf.d/acl/40_exim4-config_check_data template file or similar.

To perform the before-queue integration of KSMG with Exim:

  1. Make sure that the Exim mail server supports the functions of the dlfunc dynamically linked library. To do so, run the following command:

    exim -bV

    The Exim mail server supports the dlfunc dynamically linked library if the "Support for" section of the output contains Expand_dlfunc.

  2. Make a backup copy of the Exim configuration files.
  3. Modify the access control list for acl_smtp_data. To do that, find in the Exim configuration file(s) the line that looks like:

    acl_smtp_data = acl_check_data (a different variable or macro can be used in place of acl_check_data)

    and after the line

    acl_check_data: (or a string containing a different variable or macro)

    add the following lines:

    # Manually added block ksmg-exim-filter-dlfunc begin
    warn set acl_m_ksmg_input_directory = ${spool_directory}/input
      set acl_m_ksmg_lookup_result = ${lookup {$message_id-D} dsearch {$acl_m_ksmg_input_directory}}
    warn condition = ${if eq {$acl_m_ksmg_lookup_result}{}{yes}{no}}
      set acl_m_ksmg_input_directory = ${spool_directory}/input/${substr{5}{1}{$message_id}}
    warn set acl_m_ksmg_answer = ${dlfunc{DLFUNC_LIBRARY_FULLPATH}{scan}{$acl_m_ksmg_input_directory}}
    defer condition = ${if match {$acl_m_ksmg_answer}{^[245]}{no}{yes}}
      log_message = KSMG check failed, unexpected answer: $acl_m_ksmg_answer
    defer condition = ${if match {$acl_m_ksmg_answer}{^4}{yes}{no}}
      log_message = KSMG check defer: $acl_m_ksmg_answer
    deny condition = ${if match {$acl_m_ksmg_answer}{^5}{yes}{no}}
      log_message = KSMG check reject: $acl_m_ksmg_answer
      message = This message is blocked due to security reason
    warn condition = ${if match {$acl_m_ksmg_answer}{^2}{yes}{no}}
      logwrite = KSMG check accept: $acl_m_ksmg_answer
    # Manually added block ksmg-exim-filter-dlfunc ends here

    where DLFUNC_LIBRARY_FULLPATH is the path to the dlfunc library. The path to the library depends on the version of Exim and may look like this:

    • For Exim versions from 4.86 up to, but not including, 4.90: /opt/kaspersky/ksmg/lib/libklms-exim-abi20-1.so
    • For Exim versions from 4.90 up to, but not including, 4.93: /opt/kaspersky/ksmg/lib/libklms-exim-abi20-2.so
    • For Exim versions from 4.93 up to, but not including, 4.94: /opt/kaspersky/ksmg/lib/libklms-exim-abi31.so
    • For Exim versions from 4.94 up to, but not including, 4.96: /opt/kaspersky/ksmg/lib/libklms-exim-abi41.so
    • For Exim version 4.96 and later: /opt/kaspersky/ksmg/lib/libklms-exim-abi60.so
  4. If necessary, when you are done editing the configuration file, you can regenerate the main Exim configuration file.
  5. Add the kluser user to the group that includes the user that starts the exim process.

    By default, this group is called 'exim' in Red Hat Enterprise Linux and Rocky Linux, and 'Debian-exim' in Ubuntu.

  6. Add the user that starts the exim process to the klusers and kl_var_users groups.

    By default, the user name is 'exim' in Red Hat Enterprise Linux and Rocky Linux and 'Debian-exim' in Ubuntu.

  7. In the /etc/opt/kaspersky/ksmg/filters.conf filter settings file, in the [global] section, set the following parameter values:

    scanner=unix:/var/run/ksmg/klms_scanner_sock

    header-guard=false

    • If PrivateTmp is set to false or not specified in the Exim Unit file:

      workdir=/tmp

    • If PrivateTmp is set to true in the Exim Unit file:

      workdir=/var/opt/kaspersky/ksmg/tmp

  8. In the /var/opt/kaspersky/ksmg/installer.dat file, set the following parameter values:

    MTA_INTEGRATION_METHOD=dlfunc

    MTA_INTEGRATION_MODE=prequeue

    filters_workdir=<value of the 'workdir' parameter from step 7>

    mta=manual

    START_SMTP_PROXY=0

    START_MILTER=0

  9. Restart the ksmg service.
  10. Restart the Exim mail server.

Integration with Exim is completed.
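
A pre-flight check for steps 1, 3 and 7, given as an added example that is not Kaspersky code: it confirms Expand_dlfunc support, selects the library path from the version list above, and picks the workdir value. The `exim -bV` sample is constructed, the function names are hypothetical, and the systemd unit name `exim` in the comment is an assumption.

```sh
# Added example, not Kaspersky code. Functions take text so they run offline.
# Constructed, abridged sample of `exim -bV` output, for illustration only.
SAMPLE_BV='Exim version 4.94.2 #2 built 13-Jul-2021 16:04:57
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS DKIM DNSSEC
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dbm dsearch'

# Step 1: succeed only if the "Support for:" line lists Expand_dlfunc.
has_dlfunc() {
    printf '%s\n' "$1" | grep '^Support for:' | grep -qw 'Expand_dlfunc'
}

# Print "major.minor" taken from the "Exim version X.Y[.Z]" line.
exim_version() {
    printf '%s\n' "$1" |
        sed -n 's/^Exim version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Step 3: map "major.minor" to the library path listed on this page.
# Fails on malformed input and below 4.86; 5.x counts as "4.96 and later".
dlfunc_library() {
    case "$1" in *[!0-9.]*|*.*.*|.*|*.) return 1 ;; *.*) ;; *) return 1 ;; esac
    dl_major=${1%%.*}; dl_minor=${1#*.}
    if   [ "$dl_major" -gt 4 ]; then dl_abi=abi60
    elif [ "$dl_major" -lt 4 ] || [ "$dl_minor" -lt 86 ]; then return 1
    elif [ "$dl_minor" -lt 90 ]; then dl_abi=abi20-1
    elif [ "$dl_minor" -lt 93 ]; then dl_abi=abi20-2
    elif [ "$dl_minor" -lt 94 ]; then dl_abi=abi31
    elif [ "$dl_minor" -lt 96 ]; then dl_abi=abi41
    else dl_abi=abi60
    fi
    printf '/opt/kaspersky/ksmg/lib/libklms-exim-%s.so\n' "$dl_abi"
}

# Step 7: choose workdir from the unit's PrivateTmp value. On a live host:
#   systemctl show -p PrivateTmp --value exim   (unit name is an assumption)
ksmg_workdir() {
    case "$1" in
        true|yes|on|1) echo /var/opt/kaspersky/ksmg/tmp ;;
        *)             echo /tmp ;;
    esac
}

# Demo on the constructed sample.
has_dlfunc "$SAMPLE_BV" &&
    echo "DLFUNC_LIBRARY_FULLPATH=$(dlfunc_library "$(exim_version "$SAMPLE_BV")")"
echo "workdir=$(ksmg_workdir yes)"
```

On a real host, pass the live output with `has_dlfunc "$(exim -bV)"` and compare the printed path with the one used in the ACL block before restarting Exim.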
