Before-queue integration

When "before-queue" integration is used and messages are forwarded to Kaspersky Security 8 for Linux Mail Server for scanning and then returned to the Postfix mail server, the following conditions must be satisfied:

• The filter must be configured to intercept messages from the Postfix mail server via socket-in. This socket is specified in the configuration file of the program at step 8 of the instructions below.
• The filter must forward messages to Scan Logic for scanning via the scanner socket. This socket is specified while running the initial configuration script.
• The filter must return messages to the Postfix mail server via socket-out. This socket is specified in the configuration file of the program at step 8 of the instructions below.

When Kaspersky Security 8 for Linux Mail Server is integrated with the Postfix mail server, socket-in, scanner, and socket-out can point to a network socket or to a local one.

To perform before-queue integration of Kaspersky Security 8 for Linux Mail Server with Postfix:

1. Open the configuration file master.cf.
2. In the master.cf file, after the line

   smtp inet n - n - - smtpd

   add the following lines:

   #klms-postfix-prequeue-start

   -o smtpd_proxy_filter=$sock_postfix_format

   -o smtpd_proxy_options=speed_adjust (for integration with Postfix 2.7 or higher)

   #klms-postfix-prequeue-end

   where $sock_postfix_format stands for the IP address and port on which the filter listens for incoming connections in the <IP address>:<port> format (for a network socket) or the path to a local socket on which the filter is listening for incoming connections in the unix:<full path to the socket file> format.

   Example: -o smtpd_proxy_filter=127.0.0.1:10025 or -o smtpd_proxy_filter=unix:/var/run/ksmg/ksmg_smtp_sock

3. Add the following strings at the end of the master.cf configuration file:
   • For an inet socket:

     #klms-begin

     127.0.0.1:$forward_port inet n - n - - smtpd

     -o receive_override_options=no_unknown_recipient_checks, no_header_body_checks,no_address_mappings

     -o smtpd_helo_restrictions=

     -o smtpd_client_restrictions=

     -o smtpd_sender_restrictions=

     -o smtpd_recipient_restrictions=permit_mynetworks,reject

     -o mynetworks=127.0.0.0/8,[::1]/128

     -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128

     #klms-end

     where the 127.0.0.1:$forward_port inet n - n - - smtpd string is required to enable Postfix to accept processed messages from the filter and listen for data on $forward_port.

     Example: 127.0.0.1:10026 inet n - n - - smtpd

   • For a unix socket:

     #klms-begin

     $unix_socket_name unix n - n - - smtpd

     -o receive_override_options=no_unknown_recipient_checks, no_header_body_checks,no_address_mappings

     -o smtpd_helo_restrictions=

     -o smtpd_client_restrictions=

     -o smtpd_sender_restrictions=

     -o smtpd_recipient_restrictions=permit_mynetworks,reject

     -o mynetworks=127.0.0.0/8,[::1]/128

     -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128

     #klms-end

     where the $unix_socket_name unix n - n - - smtpd string is required to enable Postfix to accept processed messages from the filter and listen for data on the $unix_socket_name unix socket.

     Example: ksmg_forward_sock unix n - n - - smtpd

4. Open the file /var/opt/kaspersky/klms/installer.dat (under Linux) or /var/db/kaspersky/klms/installer.dat (under FreeBSD).
5. Add the following lines to the file:

   POSTFIX_INTEGRATION_TYPE=prequeue

   START_SMTP_PROXY=1

6. Open the file /etc/opt/kaspersky/klms/klms_filters.conf (under Linux) or /usr/local/etc/kaspersky/klms/klms_filters.conf (under FreeBSD).
7. In the [global] section, set the false value for the header-guard setting.
8. In the [smtp_proxy] section, specify the following settings:

   socket-in=<IP address and port number> or <local socket> specified at Step 2 of the wizard for $sock_postfix_format

   socket-out=<IP address and port number> or <local socket> specified at step 3 of the instructions for $forward_port or $unix_socket_name in the inet:<port>@<IP address> format (for a network socket) or unix:<path to the local socket>.

   integration=prequeue

   Example 1: socket-in=inet:[email protected] socket-out=inet:[email protected] integration=prequeue Example 2: socket-in=unix:/var/run/ksmg/ksmg_smtp_sock socket-out=unix:/var/spool/postfix/public/ksmg_forward_sock integration=prequeue

9. Restart the klms service.
10. Restart the Postfix mail server.