Sie sind auf Seite 1von 130

Kaspersky Secure Mail Gateway

Deployment Guide
Application version: 1.0.0.557
Dear User,

Thank you for choosing our product. We hope that this document will help you in your work and will
provide answers regarding this software product.

Attention! This document is the property of AO Kaspersky Lab (herein also referred to as
Kaspersky Lab): all rights to this document are reserved by the copyright laws of the Russian
Federation and by international treaties. Illegal reproduction and distribution of this document or
parts hereof incur civil, administrative, or criminal liability under applicable law.

Any type of reproduction or distribution of any materials, including translations, is allowed only with
the written permission of Kaspersky Lab.

This document, and graphic images related to it, may only be used for informational, non-
commercial, and personal purposes.

Kaspersky Lab reserves the right to amend this document without additional notification. You can
find the latest version of this document on the Kaspersky Lab website, at
http://www.kaspersky.com/docs.

Kaspersky Lab assumes no liability for the content, quality, relevance, or accuracy of any materials
used in this document to which rights are held by third parties, or for any potential damages
associated with the use of such documents.

Document revision date: 10/19/2015

2015 AO Kaspersky Lab. All Rights Reserved.

http://www.kaspersky.com
http://support.kaspersky.com
Table of Contents
About this Guide ..............................................................................................................7
In this Guide ................................................................................................................7
Document conventions ................................................................................................9

Sources of information about the application ................................................................. 11


Sources of information for independent research ...................................................... 11
Discussing Kaspersky Lab applications on the forum ................................................ 12

Kaspersky Secure Mail Gateway ................................................................................... 13


About Kaspersky Secure Mail Gateway .................................................................... 13
Hardware and software requirements ........................................................................ 15
Distribution kit ............................................................................................................ 16
About data provision .................................................................................................. 17

Deploying the Kaspersky Secure Mail Gateway virtual machine image ........................ 20
Preparing to deploy ................................................................................................... 20
Step 1. Selecting a virtual machine image ................................................................. 21
Step 2. Viewing details of the virtual machine image ................................................. 23
Step 3. Reviewing the License Agreement ................................................................ 24
Step 4. Naming the virtual machine ........................................................................... 25
Step 5. Selecting a destination storage for the virtual machine ................................. 26
Step 6. Selecting a storage option for virtual machine files ....................................... 27
Step 7. Starting and finishing deployment of the virtual machine image .................... 29

Initial configuration of Kaspersky Secure Mail Gateway ................................................ 31


Preparing for initial configuration ............................................................................... 32
Step 1. Selecting the End User License Agreement language .................................. 33
Step 2. Reviewing the License Agreement ................................................................ 34
Step 3. Selecting the mode of operation of Kaspersky Secure Mail Gateway ........... 35
Step 4. Configuring participation in Kaspersky Security Network .............................. 37
Step 5. Selecting the input language for Kaspersky Secure Mail Gateway ............... 39
Step 6. Setting the time zone ..................................................................................... 40
Step 7. Assigning the host name (myhostname) ....................................................... 41
Step 8. Configuring the network interface .................................................................. 42
Enabling and disabling the network interface ........................................................ 43
Assigning the IP address and network mask using the DHCP server ................... 44
Assigning a static IP address and network mask .................................................. 45
Step 9. Configuring network routes ........................................................................... 47
Assigning a gateway address using the DHCP server .......................................... 47
Assigning a static gateway address ...................................................................... 48
Adding an additional static route ........................................................................... 50
Modifying an additional static route ....................................................................... 53
Deleting an additional static route ......................................................................... 56
Step 10. Configuring DNS settings ............................................................................ 58
Assigning DNS addresses using the DHCP server ............................................... 59
Assigning static DNS addresses ........................................................................... 60
Step 11. Setting the web interface administrator password ....................................... 62
Step 12. Setting the administrator password for using the console ........................... 64
Step 13. Specifying email addresses of the mail server administrator ....................... 65
Step 14. Configuring the connection of Kaspersky Secure Mail Gateway to
Kaspersky Security Center ........................................................................................ 66
Enabling Network Agent ........................................................................................ 67
Entering the Administration Server address .......................................................... 67
Specifying the number of the port for connecting to the Administration Server ..... 68
Using the SSL connection for data transfer ........................................................... 69
Using a gateway for connecting to the Administration Server ............................... 70
Step 15. Checking the connection of Kaspersky Secure Mail Gateway to
Kaspersky Security Center ........................................................................................ 71
Step 16. Displaying the settings of the connection to the web interface .................... 73

Starting the Kaspersky Secure Mail Gateway virtual machine ....................................... 74

Connecting to the Kaspersky Secure Mail Gateway web interface ................................ 75

Integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure ....... 76
Direct integration ....................................................................................................... 77
Step 1. Adding local domains (relay_domains) ..................................................... 78
Step 2. Configuring email routing (transport_map) ................................................ 79
Step 3. Adding trusted networks and network hosts (mynetworks) ....................... 80
Step 4. Completing direct integration of Kaspersky Secure Mail Gateway ............ 82

Table of Contents

4
Integration through an edge gateway (SMTP verification of recipient email
addresses is enabled)................................................................................................ 82
Step 1. Adding local domains (relay_domains) ..................................................... 83
Step 2. Configuring email routing (transport_map) ................................................ 84
Step 3. Entering address of your Edge Gateway (relayhost) ................................. 86
Step 4. Adding trusted networks and network hosts (mynetworks) ....................... 87
Step 5. Finishing integration through an edge gateway (SMTP verification is
enabled) ................................................................................................................ 88
Integration through an edge gateway (SMTP verification of recipient email
addresses is disabled) ............................................................................................... 89
Step 1. Configuring email routing (transport_map) ................................................ 90
Step 2. Entering address of your Edge Gateway (relayhost) ................................. 92
Step 3. Adding trusted networks and network hosts (mynetworks) ....................... 93
Step 4. Finishing integration through an edge gateway (SMTP verification is
disabled) ................................................................................................................ 94

Managing settings of Kaspersky Secure Mail Gateway from the administrator's menu . 96
Running Kaspersky Secure Mail Gateway in Technical Support Mode ..................... 97
Checking the connection of Kaspersky Secure Mail Gateway to Kaspersky
Security Center .......................................................................................................... 99

Upgrading Kaspersky Secure Mail Gateway via the web interface .............................. 102

Preparing to perform certain tasks in the web interface of Kaspersky Secure Mail
Gateway....................................................................................................................... 104
Preparing to add the DKIM signature to outgoing messages................................... 104
Preparing to configure SPF and DMARC message authentication for outgoing
messages ................................................................................................................ 107
Preparing to configure TLS encryption of the connection ........................................ 109
Preparing a self-signed TLS certificate for import ................................................ 110
Preparing to import a TLS certificate signed by a certification authority .............. 111
Preparing to upgrade Kaspersky Secure Mail Gateway via the web interface......... 113

Kaspersky Secure Mail Gateway trace log .................................................................. 116

Contacting the Technical Support Service ................................................................... 117


About technical support ........................................................................................... 117
Technical support by phone..................................................................................... 118
Technical Support via Kaspersky CompanyAccount ............................................... 118

Table of Contents

5
Glossary....................................................................................................................... 120

AO Kaspersky Lab ....................................................................................................... 123

Information about third-party code ............................................................................... 125

Trademark notices ....................................................................................................... 126

Index ............................................................................................................................ 127

Table of Contents

6
About this Guide

This document is the administrator's guide to deploying and configuring a Kaspersky Secure Mail
Gateway virtual machine (hereinafter referred to as "the virtual machine").

This Guide is intended to do the following:

Explain how to install and use the virtual machine.

Provide readily available information on issues related to the operation of the virtual
machine.

Describe additional sources of information about the application and ways of receiving
technical support.

In this section
In this Guide ................................................................................................................................ 7

Document conventions ................................................................................................................ 9

In this Guide
This document includes the following sections:

Sources of information about the application (see page 11)

This section describes sources of information about the application and lists websites that you can
use to discuss application use.

Kaspersky Secure Mail Gateway (see page 13)

This section describes the purpose and key features of Kaspersky Secure Mail Gateway. This
section specifies the hardware and software requirements for the hypervisor on which a virtual
machine is to be deployed and for web browsers for accessing the web interface, and also
describes the distribution kit.
Deploying the Kaspersky Secure Mail Gateway virtual machine image (see page 20)

This section covers deployment of the virtual machine image.

Initial configuration of Kaspersky Secure Mail Gateway (see page 31)

This section covers initial configuration of Kaspersky Secure Mail Gateway.

Starting the Kaspersky Secure Mail Gateway virtual machine (see page 74)

This section describes how you can start the Kaspersky Secure Mail Gateway virtual machine.

Connecting to the Kaspersky Secure Mail Gateway web interface (see page 75)

This section describes ways to connect to the web interface of Kaspersky Secure Mail Gateway
(hereinafter referred to as the "web interface").

Integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure (see
page 76)

This section describes the procedure for integrating Kaspersky Secure Mail Gateway into the
corporate mail infrastructure.

Managing settings of Kaspersky Secure Mail Gateway from the administrator's menu (see
page 96)

This section describes how you can manage the settings of Kaspersky Secure Mail Gateway from
the administrator's menu.

Upgrading Kaspersky Secure Mail Gateway via the web interface (see page 102)

This section describes how you can upgrade Kaspersky Secure Mail Gateway via the web interface.

Preparing to perform certain tasks in the web interface of Kaspersky Secure Mail Gateway
(see page 104)

This section describes how you can prepare to perform certain tasks in the web interface of
Kaspersky Secure Mail Gateway.

Kaspersky Secure Mail Gateway trace log (see page 116)

This section contains information about the Kaspersky Secure Mail Gateway trace log.

About this Guide

8
Contacting the Technical Support (see page 117)

This section contains information about technical support and ways to receive it.

Glossary

This section contains a list of terms mentioned in the document and their definitions.

AO Kaspersky Lab (see page 123)

This section provides information about Kaspersky Lab.

Information about third-party code (see page 125)

This section provides information about the third-party code used in the application.

Trademark notices (see page 126)

This section lists trademarks of third-party manufacturers that are used in the document.

Index

This section allows you to quickly find the required information within the document.

Document conventions
This document uses the following conventions (see table below).

Table 1. Document conventions

Sample text Description of document convention

Note that... Warnings are highlighted in red and boxed. Warnings show
information about actions that may have unwanted consequences.

Notes are boxed. Notes provide additional and reference


We recommend that you information.
use...

About this Guide

9
Sample text Description of document convention

Examples are given on a yellow background under the heading


Example:
"Example".
...

Update means... The following elements are italicized in the text:

The Databases are out of New terms.


date event occurs.
Names of application statuses and events.

Press ENTER. Names of keyboard keys appear in bold and are capitalized.

Press ALT+F4. Names of keys that are connected by a + (plus) sign indicate
the use of a key combination. These keys have to be pressed
simultaneously.

Click the Enable button. Names of application interface elements, such as entry fields,
menu items, and buttons, are set off in bold.

Introductory phrases of instructions are italicized and are


To configure a task
schedule: accompanied by the arrow sign.

In the command line, type The following types of text content are set off with a special
help. font:

The following message then Text in the command line.


appears: Text of messages that the application displays on screen.
Specify the date in
Data to be entered using the keyboard.
dd:mm:yy format.

<User name> Variables are enclosed in angle brackets. Instead of a variable,


the corresponding value should be inserted, with angle brackets
omitted.

About this Guide

10
Sources of information about the
application

This section lists the sources of information about the application.

You can select the most suitable information source, depending on the issue's level of importance
and urgency.

In this section
Sources of information for independent research ...................................................................... 11

Discussing Kaspersky Lab applications on the Forum ............................................................... 12

Sources of information for independent


research
You can use the following sources to search for information about Kaspersky Secure Mail Gateway
on your own:

Kaspersky Secure Mail Gateway web interface help.

Documentation.

If you cannot find a solution for your issue, we recommend contacting Kaspersky Lab
Technical Support (see the section "Contacting Technical Support" on page 117).

Web interface help

Help provides information on integrating Kaspersky Secure Mail Gateway into your corporate mail
infrastructure, configuring the settings of Kaspersky Secure Mail Gateway, managing protection,
and performing typical user tasks using the web interface.
Documentation

The distribution kit of Kaspersky Secure Mail Gateway includes this Kaspersky Secure Mail
Gateway Deployment Guide that will help you deploy the image of a Kaspersky Secure Mail
Gateway virtual machine and perform initial configuration of the application.

Discussing Kaspersky Lab applications


on the forum
If your question does not require an immediate answer, you can discuss it with Kaspersky Lab
experts and other users on our forum (http://forum.kaspersky.com).

In this forum you can view existing topics, leave your comments, create new topics.

Sources of information about the application

12
Kaspersky Secure Mail Gateway

This section describes the purpose and key features of Kaspersky Secure Mail Gateway. This
section specifies the hardware and software requirements for the hypervisor on which a virtual
machine is to be deployed and for web browsers for accessing the web interface, and also
describes the distribution kit.

In this section
About Kaspersky Secure Mail Gateway .................................................................................... 13

Hardware and software requirements........................................................................................ 15

Distribution kit ........................................................................................................................... 16

About data provision ................................................................................................................. 17

About Kaspersky Secure Mail Gateway


Kaspersky Secure Mail Gateway lets you deploy a virtual mail gateway and integrate it into the
existing corporate mail infrastructure. An operating system, mail server, and Kaspersky Lab anti-
virus application are preinstalled on the virtual mail gateway.

Kaspersky Secure Mail Gateway protects incoming and outgoing email against malware and spam
and performs content filtering of messages.

Kaspersky Secure Mail Gateway:

Scans incoming and outgoing email for spam, phishing, and malware. To respond to new
threats promptly, Kaspersky Secure Mail Gateway protection components can use
information from Kaspersky Security Network.

Detects infected messages and disinfects attachments.

Filters messages with links to malicious objects.

Detects and blocks mass mailing (including marketing mail-outs).


Saves backup copies of messages in Backup based on the verdicts of Anti-Virus, Anti-
Spam, Anti-Phishing modules and Content filtering.

Saves messages from Backup to file and delivers messages to recipients.

Processes mail in accordance with the rules defined for groups of senders and recipients.

Performs content filtering of messages by the name, type and size of attachment
(Kaspersky Secure Mail Gateway can determine the actual format and type of attachment
regardless of its extension).

Lets you use mail filtering rules to specify users and user groups from Microsoft Active
Directory and generic LDAP to enable message routing for certain email accounts and
user groups.

Notifies the sender, recipients, and administrator about messages containing objects that
are infected, suspicious, password-protected, or cannot be scanned.

Updates Anti-Virus, Anti-Spam, and Anti-Phishing databases from Kaspersky Lab update
servers or custom resources (http and ftp servers) according to schedule or on demand.

Receives application runtime statistics via the SNMP protocol and lets you configure the
application to send SNMP traps when certain events occur.

Lets you configure the settings and manage the application via a web interface.

Sends and receives messages via a secure TLS/SSL link.

Lets you verify the authenticity of senders using SPF, DKIM, and DMARC technologies.

Lets you sign outgoing email messages with DKIM signatures.

Lets you add notes to incoming and outgoing messages.

Adds dangerous attachment warnings to incoming messages.

Retrieves user information from various domains and grants users access to a personal
Backup storage.

Lets you add, edit or delete information about domains (including local domains) and email
addresses, configure Kaspersky Secure Mail Gateway settings for these domains and
email addresses and configure email routing.

Kaspersky Secure Mail Gateway

14
Lets you configure TLS security modes for situations when Kaspersky Secure Mail
Gateway receives messages from another server (acts in the Server role) or sends
messages to another server (acts in the Client role), as well as configure TLS settings for
individual domains.

Lets you monitor the status of email traffic and usage of system resources and view lists of
the latest detected threats in the web interface of the application.

Lets you monitor the program operating capacity via Kaspersky Security Center.

Lets you view the application event Log and download it to the hard drive.

Lets you upgrade the system via the web interface of Kaspersky Secure Mail Gateway.

Lets you quickly configure the MTA using the Quick MTA Setup Wizard.

Lets you add, change and delete TLS and DKIM encryption keys.

Lets you generate and view reports on the email message processing rules.

Kaspersky Secure Mail Gateway is distributed in the virtual machine template format OVA (Open
Virtual Appliance).

Deployment of the template creates a virtual machine with a preinstalled CentOS 6.7 operating
system, a mail server, and Kaspersky Security for Linux Mail Server application (hereinafter also
referred to as "Kaspersky Security"). After deploying the virtual machine, you can configure it using
the Initial Configuration Wizard.

Hardware and software requirements


Software requirements for deploying the Kaspersky Secure Mail Gateway virtual machine
image

An image of the Kaspersky Secure Mail Gateway virtual machine can be deployed on the following
hypervisors:

VMware ESXi 5.5 Update 2

VMware ESXi 6.0

Kaspersky Secure Mail Gateway

15
Hardware requirements for deploying the Kaspersky Secure Mail Gateway virtual machine
image

To support deployment of the Kaspersky Secure Mail Gateway image, the resources allocated for
the virtual machine must meet the following requirements:

E1000 network adapter

Available disk space: at least 100 GB

At least 4 GB of RAM

One quad-core processor

Software requirements for managing Kaspersky Secure Mail Gateway via the web interface

To run the web interface, one of the following web browsers must be installed on the computer:

Mozilla Firefox version 38.0.5 (39) or later

Internet Explorer version 11 or later

Google Chrome version 43 or later

See also
About Kaspersky Secure Mail Gateway .................................................................................... 13

Distribution kit ........................................................................................................................... 16

About data provision ................................................................................................................. 17

Distribution kit
The application is available from online stores of Kaspersky Lab (for example,
http://www.kaspersky.com, in the eStore section) and from partner companies.

The content of the distribution kit may differ depending on the region in which the application is
distributed.

Kaspersky Secure Mail Gateway

16
If Kaspersky Secure Mail Gateway is purchased through an online store, the application is copied
from the store's website. Information that is required for activating the application will be sent to
you by email after your payment has been received.

About data provision


Kaspersky Secure Mail Gateway operates with the use of data whose transmission and processing
requires the consent of the Kaspersky Secure Mail Gateway administrator.

You can view the list of data and the terms on which it is used as well as give consent to data
processing in the following agreements between your organization and Kaspersky Lab:

In the End User License Agreement (for example, when installing Kaspersky Secure Mail
Gateway or upgrading the system in the Settings section, System Upgrade subsection of
the main window of the Kaspersky Secure Mail Gateway web interface).

According to the terms of the End User License Agreement that you have accepted, you
consent to the automatic transmission to Kaspersky Lab of the information enumerated in
the License Agreement under "Data Submission". This information is needed to improve the
level of mail server security.

In the KSN Statement.

When you participate in Kaspersky Security Network, information obtained as a result of


Kaspersky Secure Mail Gateway operation is automatically sent from the computer to
Kaspersky Lab. The KSN Statement specifies the list of data that is transmitted.

Kaspersky Lab protects any information received in this way as prescribed by law and applicable
rules of Kaspersky Lab.

Kaspersky Lab uses any received information in anonymized form and as general statistics
only. General statistics are automatically generated using original collected information and do
not contain any private data or other confidential information. The original information received
is destroyed as new information is accumulated (once a year). General statistics are stored
indefinitely.

Kaspersky Secure Mail Gateway

17
User data may be present in the following Kaspersky Secure Mail Gateway components:

Message queue (file names, email addresses of message senders and recipients, message
texts).

Backup (file names, email addresses of message senders and recipients, message texts).

Kaspersky Secure Mail Gateway operation reports (file names, email addresses of
message senders and recipients).

Kaspersky Secure Mail Gateway event log (email addresses of message senders and
recipients, names of attachment files, IP addresses of computers of message senders).

Trace files (files names, paths to files, proxy server names, user account data, IP
addresses of computers that connect to Kaspersky Secure Mail Gateway database update
sources, names and IP addresses of update sources, information about files downloaded
and the download speed).

Files storing settings of the connection to the LDAP server and proxy server (data of LDAP
server and proxy server user accounts).

When Kaspersky Secure Mail Gateway connects to DNS, SURBL, and DNSBL servers, Kaspersky
Secure Mail Gateway uses IP addresses and FQDN names of domains that contact these servers.

Managing Kaspersky Secure Mail Gateway via the administration console of Kaspersky Secure
Mail Gateway in Technical Support Mode with super-user account privileges lets you manage
dump settings. A dump is generated during application crashes and may be needed to analyze the
causes of the crash. The dump may include any data, including fragments of messages and files
analyzed.

The corporate LAN administrator is responsible for access to this information.

By default, dump generation in Kaspersky Secure Mail Gateway is disabled.

Data of the email message queue currently being processed by Kaspersky Secure Mail
Gateway as well as data of LDAP server and proxy server user accounts are stored in
Kaspersky Secure Mail Gateway in unencrypted form.

Kaspersky Secure Mail Gateway

18
Such data can be accessed from the Kaspersky Secure Mail Gateway Administration Console
in Technical Support Mode with super-user account privileges.

The administrator of Kaspersky Secure Mail Gateway must personally ensure the security of
such data.

The administrator of Kaspersky Secure Mail Gateway is responsible for access to this
information.

Data about events and processes of Kaspersky Secure Mail Gateway is logged and stored in the
following Kaspersky Secure Mail Gateway logs:

Event log

Trace log

Kaspersky Secure Mail Gateway

19
Deploying the Kaspersky Secure
Mail Gateway virtual machine image

This section provides step-by-step instructions for deploying the image of the Kaspersky Secure
Mail Gateway virtual machine on a VMware ESXi host.

In this section
Preparing to deploy ................................................................................................................... 20

Step 1. Selecting a virtual machine image ................................................................................. 21

Step 2. Viewing details of the virtual machine image ................................................................. 23

Step 3. Reviewing the License Agreement ................................................................................ 24

Step 4. Naming the virtual machine ........................................................................................... 25

Step 5. Selecting a destination storage for the virtual machine.................................................. 26

Step 6. Selecting a storage option for virtual machine files ........................................................ 27

Step 7. Starting and finishing deployment of the virtual machine image .................................... 29

Preparing to deploy
Before deploying the image of the Kaspersky Secure Mail Gateway virtual machine, verify that the
VMware ESXi version and hardware resources allocated for the virtual machine meet the software
and hardware requirements (see section "Hardware requirements" on page 15).
Step 1. Selecting a virtual machine
image
The Kaspersky Secure Mail Gateway virtual machine image is distributed in an OVF package.

To deploy the virtual machine image from the OVF package:

1. Start VMware vSphere Client.

2. In the File menu, select Deploy OVF Template (see figure below).

Figure 1. Selecting deployment of a virtual machine out of an OVF template

Deploying the Kaspersky Secure Mail Gateway virtual machine image

21
The Deploy OVF Template window opens (see figure below).

Figure 2. Selecting a template to deploy

3. In the Deploy OVF Template window, select a file with the OVA extension, which contains
the image of the Kaspersky Secure Mail Gateway virtual machine.

4. Click Next.

The Wizard proceeds to the next step.

Deploying the Kaspersky Secure Mail Gateway virtual machine image

22
Step 2. Viewing details of the virtual
machine image
To view the details of the Kaspersky Secure Mail Gateway virtual machine image:

1. View the details of the virtual machine image selected at the previous step (see figure below).

Figure 3. Viewing details of the virtual machine image

2. Click Next.

The Wizard proceeds to the next step.

Deploying the Kaspersky Secure Mail Gateway virtual machine image

23
Step 3. Reviewing the License
Agreement
To continue the deployment process, you have to accept the terms of the End User License
Agreement. Deployment will not continue if the terms of the End User License Agreement are not
accepted.

To accept the terms of the End User License Agreement:


1. In the Deploy OVF Template window (see figure below), click Accept.

Figure 4. Reviewing the License Agreement

2. Click Next.

The Wizard proceeds to the next step.

Deploying the Kaspersky Secure Mail Gateway virtual machine image

24
Step 4. Naming the virtual machine
To name the Kaspersky Secure Mail Gateway virtual machine image:
1. Type the name of the virtual machine in the Name field (see figure below).

The name must be unique among the names of all existing virtual machines.

Figure 5. Naming the virtual machine

2. Click Next.

The Wizard proceeds to the next step.

Deploying the Kaspersky Secure Mail Gateway virtual machine image

25
Step 5. Selecting a destination storage
for the virtual machine
To select a destination storage of the VMware ESXi host to store files of the
Kaspersky Secure Mail Gateway virtual machine:
1. Select a destination storage in the list (see figure below).

Figure 6. Selecting a destination storage for the Kaspersky Secure Mail Gateway virtual machine

2. Click Next.

The Wizard proceeds to the next step.

Deploying the Kaspersky Secure Mail Gateway virtual machine image

26
Step 6. Selecting a storage option for
virtual machine files
To select a storage option for files of the Kaspersky Secure Mail Gateway virtual
machine in the destination storage of the VMware ESXi host:

1. Select one of the following list options (see figure below).

Thick Provision Lazy Zeroed. The specified disk space is immediately reserved for
virtual machine files. Data blocks inside the allocated space are overwritten with virtual
machine data as they are accessed.

Thick Provision Eager Zeroed. The specified disk space is immediately reserved for
virtual machine files. Data blocks of the disk space are cleared immediately.

Thin Provision. The minimum required disk space is reserved for virtual machine files.
This disk space can be increased if necessary.

Deploying the Kaspersky Secure Mail Gateway virtual machine image

27
We recommend using one of the Thick Provision options.

Figure 7. Selecting a storage option for virtual machine files

2. Click Next.

The Wizard proceeds to the next step.

Deploying the Kaspersky Secure Mail Gateway virtual machine image

28
Step 7. Starting and finishing
deployment of the virtual machine
image
To start deploying a virtual machine image and verify that deployment has finished
correctly:

1. Verify that the virtual machine settings configured at previous steps are correct (see figure
below).

Figure 8. Viewing the virtual machine deployment settings

Deploying the Kaspersky Secure Mail Gateway virtual machine image

29
2. Select the Power on after deployment check box if you want the virtual machine to start
automatically after deployment.

3. If all settings are configured correctly, click the Finish button.

The virtual machine image deployment process starts (see figure below).

Figure 9. Progress of virtual machine deployment

4. Select the Close this dialog when completed check box if you want the virtual machine
image deployment progress window to close automatically as soon as deployment finishes.

5. Click Close(see figure below) when deployment finishes.

Figure 10. Finishing virtual machine deployment

After deploying the virtual machine image, perform initial configuration of the virtual
machine (see page. 31).

Deploying the Kaspersky Secure Mail Gateway virtual machine image

30
Initial configuration of Kaspersky
Secure Mail Gateway

Perform initial configuration of the Kaspersky Secure Mail Gateway virtual machine image after
deploying it.

Initial configuration of the virtual machine is a sequence of steps. The Initial Configuration Wizard
of Kaspersky Secure Mail Gateway is started automatically when the virtual machine is powered
on for the first time.

In this section
Preparing for initial configuration ............................................................................................... 32
Step 1. Selecting the End User License Agreement language .................................................. 33
Step 2. Reviewing the License Agreement ................................................................................ 34
Step 3. Selecting the mode of operation of Kaspersky Secure Mail Gateway ............................ 35
Step 4. Configuring participation in Kaspersky Security Network ............................................... 37
Step 5. Selecting the input language for Kaspersky Secure Mail Gateway ................................ 39
Step 6. Setting the time zone .................................................................................................... 40
Step 7. Assigning the host name (myhostname) ....................................................................... 41
Step 8. Configuring the network interface .................................................................................. 42
Step 9. Configuring network routes ........................................................................................... 47
Step 10. Configuring DNS settings ............................................................................................ 58
Step 11. Setting the web interface administrator password ....................................................... 62
Step 12. Setting the administrator password for using the console ............................................ 64
Step 13. Specifying email addresses of the mail server administrator ....................................... 65
Step 14. Configuring the connection of Kaspersky Secure Mail Gateway to Kaspersky
Security Center ......................................................................................................................... 66
Step 15. Checking the connection of Kaspersky Secure Mail Gateway to Kaspersky
Security Center ......................................................................................................................... 71
Step 16. Displaying the settings of the connection to the web interface..................................... 73
Preparing for initial configuration
To begin initial configuration of the Kaspersky Secure Mail Gateway virtual machine:
1. Start VMware vSphere Client.

2. Select a Kaspersky Secure Mail Gateway virtual machine in the list of virtual machines in
the left part of the main application window.

3. Power on the virtual machine by clicking the button on the control panel of the main
application window.

4. Open the VMware vSphere Client console by selecting the Console tab in the right part of
the main application window (see figure below) and follow the steps of the wizard.

Figure 11. Opening the VMware vSphere Client console

Initial configuration of Kaspersky Secure Mail Gateway

32
Step 1. Selecting the End User License
Agreement language
To set the language in which the texts of the End User License Agreement for Kaspersky
Secure Mail Gateway and the Kaspersky Security Network Statement will be displayed:
1. Select a language in the list (see figure below).

Figure 12. Selecting the language for viewing the End User License Agreement and the Kaspersky Security
Network Statement

The available languages depend on the localization packages included in your Kaspersky
Secure Mail Gateway distribution kit.

2. Press Enter.

The Initial Configuration Wizard of the Kaspersky Secure Mail Gateway virtual machine
proceeds to the next step.

Initial configuration of Kaspersky Secure Mail Gateway

33
Step 2. Reviewing the License
Agreement
At this step, you have to accept or reject the terms of the Kaspersky Secure Mail Gateway End
User License Agreement (see figure below). Use the arrow buttons to navigate the text.

Figure 13. Reviewing the License Agreement

To accept or reject the terms of the End User License Agreement:

1. Select one of the following options:

I do not accept the agreement if you want to reject the terms of the End User License
Agreement.

I accept the agreement if you want to accept the terms of the End User License
Agreement.

2. Press Enter.

Initial configuration of Kaspersky Secure Mail Gateway

34
If you rejected the terms of the End User License Agreement, initial configuration of
Kaspersky Secure Mail Gateway is aborted. The Initial Configuration Wizard prompts you to
power down the virtual machine (see figure below).

Figure 14. Powering down the virtual machine if the End User License Agreement has been rejected

The Initial Configuration Wizard of the Kaspersky Secure Mail Gateway virtual machine
proceeds to the next step if you accept the terms of the End User License Agreement.

Step 3. Selecting the mode of operation


of Kaspersky Secure Mail Gateway
At this step you have to select the mode of operation of Kaspersky Secure Mail Gateway within the
IT infrastructure of your organization.

Kaspersky Secure Mail Gateway can run in normal mode or in certified mode.

In normal mode, Kaspersky Secure Mail Gateway is allowed to access the Internet and connect to
the following servers outside the IT infrastructure of your organization:

KSN database update servers

DNS servers

Kaspersky Secure Mail Gateway database update servers

In certified mode, Kaspersky Secure Mail Gateway is not allowed to access the Internet and
connect to servers outside the IT infrastructure of your organization. Besides, when Kaspersky
Secure Mail Gateway operates in certified mode, the administrator is not allowed to view the event
Log from the Kaspersky Secure Mail Gateway administrator's menu.

Initial configuration of Kaspersky Secure Mail Gateway

35
In certified mode, the settings of Kaspersky Secure Mail Gateway components that require Internet
access take the following values by default:

KSN usage is disabled.

SPF, DKIM, and DMARC message authentication is disabled. Connection to DNS servers
is prohibited.

The Enforced Anti-Spam Updates service is disabled in the settings of the Anti-Spam
component.

Kaspersky Secure Mail Gateway receives database updates from Kaspersky Security
Center or a local source of Kaspersky Secure Mail Gateway database updates.

To select the operation mode of Kaspersky Secure Mail Gateway:

1. Select one of the following options for switching Kaspersky Secure Mail Gateway to
certified mode of operation (see figure below).

No, if you do not want to switch Kaspersky Secure Mail Gateway to certified mode of
operation and want Kaspersky Secure Mail Gateway to run in normal mode.

Yes, if you want to switch Kaspersky Secure Mail Gateway to certified mode of
operation.

Figure 15. Kaspersky Secure Mail Gateway in certified mode of operation

2. Press Enter.

The Initial Configuration Wizard of the Kaspersky Secure Mail Gateway virtual machine
proceeds to the next step.

Initial configuration of Kaspersky Secure Mail Gateway

36
You can change the mode of operation of Kaspersky Secure Mail Gateway in the web
interface of Kaspersky Secure Mail Gateway.

Step 4. Configuring participation in


Kaspersky Security Network
If you have selected the normal mode of operation of Kaspersky Secure Mail Gateway (see
page 35), the initial configuration wizard of Kaspersky Secure Mail Gateway prompts you to accept
or reject the terms of participation in Kaspersky Security Network (KSN).

Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to


Kaspersky Lab's online knowledge base with information about the reputation of files, web
resources, and software. Data from Kaspersky Security Network ensures faster response by
Kaspersky Secure Mail Gateway to new threats that have not been added to the antivirus
databases yet, improves the performance of some protection components, and reduces the risk of
false alarms.

Thanks to users who participate in Kaspersky Security Network, Kaspersky Lab is able to promptly
gather information about types and sources of threats, develop solutions for neutralizing them, and
minimize the number of false positives. In addition, participation in Kaspersky Security Network
provides you with access to information about the reputation of various applications and websites.

If you participate in Kaspersky Security Network, Kaspersky Secure Mail Gateway performance
statistics are submitted to Kaspersky Lab. These statistics are sent automatically.

No personal data is collected, processed, or stored.

Participation in Kaspersky Security Network is voluntary. The decision on whether or not to


participate in Kaspersky Security Network is made during initial configuration of Kaspersky Secure
Mail Gateway. However, you can change your decision later at any time.

Initial configuration of Kaspersky Secure Mail Gateway

37
The text of the Kaspersky Security Network Statement is displayed on the screen of the virtual
machine console (see figure below). Use the arrow buttons to navigate the text. The text of the
Kaspersky Security Network Statement is displayed in the language selected at Step 1 (see
section "Step 1. Selecting the End User License Agreement language" on page 33).

Figure 16. Viewing the Kaspersky Security Network Statement

To accept or decline participation in Kaspersky Security Network:

1. Select one of the following options:

I do not agree to participate in Kaspersky Security Network if you want to decline


participation in Kaspersky Security Network.

I agree to participate in Kaspersky Security Network if you want to accept


participation in Kaspersky Security Network.

2. Press Enter.

The Initial Configuration Wizard of the Kaspersky Secure Mail Gateway virtual machine
proceeds to the next step.

Initial configuration of Kaspersky Secure Mail Gateway

38
Step 5. Selecting the input language for
Kaspersky Secure Mail Gateway
To configure the input language to be used when managing Kaspersky Secure Mail
Gateway:

1. Select the input language in the list (see figure below).

Figure 17. Selecting the input language

2. Click OK.

The virtual machine Initial Configuration Wizard proceeds to the next step.

Initial configuration of Kaspersky Secure Mail Gateway

39
Step 6. Setting the time zone
To set a time zone for Kaspersky Secure Mail Gateway:

1. Select a country from the list displayed on the screen of the VMware vSphere Client
console (see figure below).

Figure 18. Selecting a country when setting the time zone

2. Press Enter.

A list of time zones available for the selected country is displayed (see figure below).

Figure 19. Selecting the time zone

3. Select a time zone.

4. Press Enter.

Initial configuration of Kaspersky Secure Mail Gateway

40
A time zone selection confirmation window opens (see figure below).

Figure 20. Confirming time zone selection

5. If the time zone has been selected correctly, click Yes.

The Initial Configuration Wizard of Kaspersky Secure Mail Gateway proceeds to the next step.

Step 7. Assigning the host name


(myhostname)
To specify the name of the Kaspersky Secure Mail Gateway host to be used by DNS
servers (myhostname):

1. In the hostname field, enter the full domain name of the Kaspersky Secure Mail Gateway
server (see figure below).

Initial configuration of Kaspersky Secure Mail Gateway

41
Specify the server name in FQDN format (for example: host.domain.com or
host.domain.subdomain.com).

Figure 21. Assigning the host name

2. Click OK.

After you have assigned the Kaspersky Secure Mail Gateway host name, the virtual
machine attempts to acquire the network settings automatically using the DHCP server and
download Kaspersky Secure Mail Gateway databases.

The Initial Configuration Wizard of Kaspersky Secure Mail Gateway proceeds to the next step.

Step 8. Configuring the network


interface
At this step, configure the settings of the Kaspersky Secure Mail Gateway network interface:
enable or disable the network interface, assign the IP address and network mask.

In this section
Enabling and disabling the network interface ............................................................................ 43

Assigning the IP address and network mask using the DHCP server ........................................ 44

Assigning a static IP address and network mask ....................................................................... 45

Initial configuration of Kaspersky Secure Mail Gateway

42
Enabling and disabling the network
interface
At least one network interface has to be enabled to make configuration of Kaspersky Secure Mail
Gateway possible. You may have to disable a network interface if you are using several network
interfaces and want to disable one of them temporarily.

To disable a network interface:

1. Select the Enabled setting (see figure below).

Figure 22. Enabling and disabling the network interface

2. Press Enter.

The value of the Enabled setting changes to no.

3. Proceed to assign the IP address and network mask (see section "Assigning the IP address
and network mask using the DHCP server" on page 44, "Assigning a static IP address and
network mask" on page 45) to finish configuring the network interface.

To enable a network interface:

1. Make sure that value of the Enabled setting is set to yes.

The network interface is enabled by default.

2. Proceed to assign the IP address and network mask (see section "Assigning the IP address
and network mask using the DHCP server" on page 44, "Assigning a static IP address and
network mask" on page 45) to finish configuring the network interface.

Initial configuration of Kaspersky Secure Mail Gateway

43
Assigning the IP address and network mask
using the DHCP server
To assign the IP address and network mask using the DHCP server:

1. Make sure that the value of the Use DHCP setting is set to yes (see figure below).

You may need to use the DHCP server for assigning the IP address and network mask
if you are configuring Kaspersky Secure Mail Gateway in test mode.

The use of the DHCP server for assigning the IP address and network mask is enabled by
default.

Figure 23. Assigning the IP address and network mask using the DHCP server

2. Select Continue.

3. Press Enter.

The Initial Configuration Wizard of the Kaspersky Secure Mail Gateway virtual machine
proceeds to the next step.

Initial configuration of Kaspersky Secure Mail Gateway

44
Assigning a static IP address and network
mask
To assign a static IP address and network mask:
1. Select the Use DHCP setting (see figure below).

Assigning a static IP address and network mask is recommended if you are configuring
Kaspersky Secure Mail Gateway in production mode.

Figure 24. Assigning a static IP address and network mask

2. Press Enter.

A window opens prompting you to confirm assignment of static settings for the network
interface (see figure below).

Figure 25. Confirming assignment of static settings for the network interface

Initial configuration of Kaspersky Secure Mail Gateway

45
3. Click Yes.

A window for entering the static IP address and network mask opens (see figure below).

Figure 26. Specifying a static IP address and network mask

4. In the Address field, type the IP address that you want to assign for Kaspersky Secure Mail
Gateway.

5. In the Netmask field, type the mask of the network on which you are using Kaspersky
Secure Mail Gateway.

6. Click OK.

The Initial Configuration Wizard of Kaspersky Secure Mail Gateway returns to the network
interface configuration window (see figure below).

Figure 27. Finishing configuration of the network interface

Initial configuration of Kaspersky Secure Mail Gateway

46
7. Verify that the network settings are correct.

8. Select Continue.

9. Press Enter.

The Initial Configuration Wizard of the Kaspersky Secure Mail Gateway virtual machine
proceeds to the next step.

Step 9. Configuring network routes


At this step, assign the gateway address for configuring the network route. You can also add,
delete, or modify additional static network routes at this step.

In this section
Assigning a gateway address using the DHCP server ............................................................... 47

Assigning a static gateway address........................................................................................... 48

Adding an additional static route ............................................................................................... 50

Modifying an additional static route ........................................................................................... 53

Deleting an additional static route ............................................................................................. 56

Assigning a gateway address using the


DHCP server
To assign the gateway address using the DHCP server:

1. Make sure that the value of the Gateway setting is set to dhcp (see figure below).

You may need to use the DHCP server for assigning the gateway address if you are
configuring Kaspersky Secure Mail Gateway in test mode.

Initial configuration of Kaspersky Secure Mail Gateway

47
The use of the DHCP server for assigning the gateway address is enabled by default.

Figure 28. Assigning a gateway address using the DHCP server

2. Select Continue.

3. Press Enter.

The Initial Configuration Wizard of the Kaspersky Secure Mail Gateway virtual machine
proceeds to the next step.

Assigning a static gateway address


To assign a static gateway address:

1. Select the Gateway setting (see figure below).

Figure 29. Assigning a static gateway address

2. Press Enter.

3. If at the previous step of the Initial Configuration Wizard of Kaspersky Secure Mail Gateway
(see section "Step 8. Configuring the network interface" on page 42) you chose to use the

Initial configuration of Kaspersky Secure Mail Gateway

48
DHCP server for configuring the network interface, click Yes in the window prompting you
to confirm assignment of the static gateway address (see figure below).

Figure 30. Confirming assignment of a static gateway address

A window for entering the static gateway address opens (see figure below).

Figure 31. Specifying a static gateway address

4. Type the gateway address in the Gateway field.

5. Click OK.

Initial configuration of Kaspersky Secure Mail Gateway

49
The Initial Configuration Wizard of the Kaspersky Secure Mail Gateway virtual machine
returns to the network routes configuration window (see figure below).

Figure 32. Finishing the configuration of network routes

6. Make sure that the network route settings have been configured correctly.

To modify, delete, or add additional static routes, proceed to configuring additional


static network routes.

7. Select Continue.

8. Press Enter.

The Initial Configuration Wizard of the Kaspersky Secure Mail Gateway virtual machine
proceeds to the next step.

Adding an additional static route


To add an additional static network route:
1. Select the Edit static routes setting (see figure below).

Figure 33. Configuring additional static network routes

Initial configuration of Kaspersky Secure Mail Gateway

50
2. Press Enter.

A window for select additional static route configuration options opens (see figure below).

Figure 34. Adding a new static route

3. Select New route.

4. Press Enter.

A window for entering the static route settings opens (see figure below).

Figure 35. Specifying static route settings

5. In the Address field, enter the IP address of the static route.

6. In the Netmask field, enter the mask of the static route network.

7. Type the gateway address in the Gateway field.

8. Click OK.

Initial configuration of Kaspersky Secure Mail Gateway

51
A window opens, letting you select the network interface for which you want to configure
the static route (see figure below).

Figure 36. Selecting the network interface of the static route

9. Select a network interface.

10. Press Enter.

A window with a list of additional static routes opens (see figure below).

Figure 37. List of additional static network routes

11. Select Go back.

12. Press Enter.

The Initial Configuration Wizard of the Kaspersky Secure Mail Gateway virtual machine
returns to the network routes configuration window (see figure below).

Figure 38. Finishing the configuration of network routes

Initial configuration of Kaspersky Secure Mail Gateway

52
13. Make sure that the network route settings have been configured correctly.

14. Select Continue.

15. Press Enter.

The Initial Configuration Wizard of the Kaspersky Secure Mail Gateway virtual machine
proceeds to the next step.

Modifying an additional static route


To modify an additional static route:

1. Select the Edit static routes setting (see figure below).

Figure 39. Configuring additional static network routes

2. Press Enter.

A window with a list of additional static routes opens (see figure below).

Figure 40. List of additional static network routes to modify

3. Select an additional static network route that you want to modify.

Initial configuration of Kaspersky Secure Mail Gateway

53
4. Press Enter.

5. A window for entering the static route settings opens (see figure below).

Figure 41. Specifying static route settings

6. Make changes in the Address field to modify the IP address of the static route.

7. Make changes in the Netmask field to modify the mask of the static route network.

8. Make changes in the Gateway field to modify the gateway address.

9. Click OK.

A window opens, letting you select the network interface for which you want to configure
the static route (see figure below).

Figure 42. Selecting the network interface of the static route

10. Select a network interface.

11. Press Enter.

Initial configuration of Kaspersky Secure Mail Gateway

54
A window with a list of additional static routes opens (see figure below).

Figure 43. List of additional static network routes

12. Select Go back.

13. Press Enter.

The Initial Configuration Wizard of the Kaspersky Secure Mail Gateway virtual machine
returns to the network routes configuration window (see figure below).

Figure 44. Finishing the configuration of network routes

14. Make sure that the network route settings have been configured correctly.

15. Select Continue.

16. Press Enter.

The Initial Configuration Wizard of the Kaspersky Secure Mail Gateway virtual machine
proceeds to the next step.

Initial configuration of Kaspersky Secure Mail Gateway

55
Deleting an additional static route
To delete an additional static route:

1. Select the Edit static routes setting (see figure below).

Figure 45. Configuring additional static network routes

2. Press Enter.

A window with a list of additional static routes opens (see figure below).

Figure 46. Removing additional static network routes

3. Select Delete routes.

4. Press Enter.

Initial configuration of Kaspersky Secure Mail Gateway

56
5. A window for selecting the static route to delete opens (see figure below).

Figure 47. Selecting a static route to delete

6. Select the route that you want to delete.

7. Click the Delete button.

The Initial Configuration Wizard of the Kaspersky Secure Mail Gateway virtual machine
returns to the window with a list of additional static routes that remain after deletion or, if
you have deleted all additional routes, displays a window where you can select the action to
take on the routes (see figure below).

Figure 48. Selecting the action to perform after all static routes have been removed

8. Select Go back.

9. Press Enter.

Initial configuration of Kaspersky Secure Mail Gateway

57
The Initial Configuration Wizard of the Kaspersky Secure Mail Gateway virtual machine
returns to the network routes configuration window (see figure below).

Figure 49. Finishing the configuration of network routes

10. Make sure that the network route settings have been configured correctly.

11. Select Continue.

12. Press Enter.

The Initial Configuration Wizard of the Kaspersky Secure Mail Gateway virtual machine
proceeds to the next step.

Step 10. Configuring DNS settings


At this step, configure the DNS settings of the Kaspersky Secure Mail Gateway virtual machine.

In this section
Assigning DNS addresses using the DHCP server.................................................................... 59

Assigning static DNS addresses ............................................................................................... 60

Initial configuration of Kaspersky Secure Mail Gateway

58
Assigning DNS addresses using the DHCP
server
To assign the DNS address using the DHCP server:

1. Select the name of your network interface (for example: eth0) in the list of settings for using
the DHCP server for assigning DNS addresses (see figure below) .

You may need to use the DHCP server for assigning DNS addressed if you are
configuring Kaspersky Secure Mail Gateway in test mode.

Figure 50. Enabling the use of the DHCP server for assigning DNS addresses

2. Press Enter.

A window for configuring DNS settings with the use of the DHCP server opens (see figure
below).

Figure 51. Finishing configuration of DNS settings with the use of the DHCP server

3. Make sure that the values of the Search list, Primary DNS, Secondary DNS settings are
set to dhcp.

4. Select Continue.

Initial configuration of Kaspersky Secure Mail Gateway

59
5. Press Enter.

A window with the settings of the Kaspersky Secure Mail Gateway network opens (see
figure below).

Figure 52. Kaspersky Secure Mail Gateway network settings

6. Select Continue.

7. Press Enter.

The Initial Configuration Wizard of the Kaspersky Secure Mail Gateway virtual machine restarts
the virtual machine with the new values of settings and proceeds to the next step.

Assigning static DNS addresses


To assign static DNS addresses:
1. Select no in the list of settings for using the DHCP server for assigning DNS addresses
(see figure below).

Assigning static DNS addresses is recommended if you are configuring Kaspersky


Secure Mail Gateway in production mode.

Figure 53. Disabling the use of the DHCP server for assigning DNS addresses

Initial configuration of Kaspersky Secure Mail Gateway

60
2. Press Enter.

A window for entering static DNS addresses opens (see figure below).

Figure 54. Specifying static DNS addresses

3. In the Search list field, type the DNS suffix that you want to use with Kaspersky Secure
Mail Gateway.

4. In the Primary field, type the IP address of the primary DNS server in IPv4 format.

5. In the Secondary field, type the IP address of the secondary DNS server in IPv4 format.

6. Click OK.

A window for configuring static DNS settings opens (see figure below).

Figure 55. Finishing configuration of static DNS settings

7. Verify that the DNS settings are correct.

Initial configuration of Kaspersky Secure Mail Gateway

61
8. Select Continue.

9. Press Enter.

A window with the settings of the Kaspersky Secure Mail Gateway network opens (see
figure below).

Figure 56. Kaspersky Secure Mail Gateway network settings

10. Select Continue.

11. Press Enter.

The Initial Configuration Wizard of the Kaspersky Secure Mail Gateway virtual machine restarts
the virtual machine with the new values of settings and proceeds to the next step.

Step 11. Setting the web interface


administrator password
To set an administrator's password for accessing the web interface (Administrator
account):

1. Type any characters in the Test input field to check the keyboard layout.

Initial configuration of Kaspersky Secure Mail Gateway

62
2. In the Password field, enter the administrator's password for accessing the web interface
of Kaspersky Secure Mail Gateway (see section "Connecting to the Kaspersky Secure Mail
Gateway web interface" on page 75) (see figure below).

Figure 57. Setting the administrator's password for the web interface of Kaspersky Secure Mail Gateway

The password must contain:

At least eight characters

Only characters in ASCII encoding

At least one upper-case character

At least one lower-case character

At least one numeral

3. Type the password again in the Confirm password field.

4. Click OK.

The Initial Configuration Wizard of Kaspersky Secure Mail Gateway proceeds to the next step.

Initial configuration of Kaspersky Secure Mail Gateway

63
Step 12. Setting the administrator
password for using the console
The administrator of Kaspersky Secure Mail Gateway has the rights to manage the virtual
machine. The administrator can power down or restart the virtual machine or edit its network
settings in the WMware console. The admin account with a separate administrator password is
used for administering Kaspersky Secure Mail Gateway.

To set the administrator's password for managing Kaspersky Secure Mail Gateway in
the VMware console (under the admin account):

1. Type any characters in the Test input field to check the keyboard layout.

2. In the Password field, enter the administrator's password for managing the settings of
Kaspersky Secure Mail Gateway (see section "Managing settings of Kaspersky Secure Mail
Gateway from the administrator's menu" on page 96) (see figure below).

Figure 58. Setting the administrator password for using the VMware console

The password must contain:

At least eight characters

Only characters in ASCII encoding

Initial configuration of Kaspersky Secure Mail Gateway

64
At least one upper-case character

At least one lower-case character

At least one numeral

3. Type the password again in the Confirm password field.

4. Click OK.

The Initial Configuration Wizard of the Kaspersky Secure Mail Gateway virtual machine
proceeds to the next step.

Step 13. Specifying email addresses of


the mail server administrator
To specify email addresses of the Kaspersky Secure Mail Gateway mail server
administrator:

1. In the admins' emails field, enter the email addresses of the Kaspersky Secure Mail
Gateway administrator (see figure below). You can specify several addresses, separating
them with commas.

Figure 59. Specifying email addresses of the administrator

2. Click OK.

The Initial Configuration Wizard of the Kaspersky Secure Mail Gateway virtual machine
proceeds to the next step.

Initial configuration of Kaspersky Secure Mail Gateway

65
Step 14. Configuring the connection of
Kaspersky Secure Mail Gateway to
Kaspersky Security Center
At this step, configure the connection of Kaspersky Secure Mail Gateway to Kaspersky Security
Center using the wizard for configuring the connection of Kaspersky Secure Mail Gateway to
Kaspersky Security Center (see figure below).

Figure 60. Wizard for configuring the connection of Kaspersky Secure Mail Gateway to
Kaspersky Security Center

Kaspersky Security Center is designed for centrally managing and monitoring Kaspersky Secure
Mail Gateway by performing the primary administrative tasks.

Kaspersky Security Center acts as the Administration Server.

Kaspersky Secure Mail Gateway includes Network Agent (nagent).

Kaspersky Security Center lets the administrator perform the following Kaspersky Secure Mail
Gateway management tasks:

Add the active and additional keys

Start the Kaspersky Secure Mail Gateway database update task

Display information about the status of protection of Kaspersky Secure Mail Gateway

Start and stop Kaspersky Secure Mail Gateway

Initial configuration of Kaspersky Secure Mail Gateway

66
In this section
Enabling Network Agent ............................................................................................................ 67

Entering the Administration Server address .............................................................................. 67

Specifying the number of the port for connecting to the Administration Server .......................... 68

Using the SSL connection for data transfer ............................................................................... 69

Using a gateway for connecting to the Administration Server .................................................... 70

Enabling Network Agent


Configuring the connection of Kaspersky Secure Mail Gateway to Kaspersky Security Center
requires enabling Network Agent.

Network Agent is disabled by default.

To enable Network Agent, do the following in the window of the wizard for configuring
the connection of Kaspersky Secure Mail Gateway to Kaspersky Security Center:

1. Select the Enabled setting.

2. Make sure that value of the Enabled setting is set to yes.

3. If the value of the Enabled setting is set to no, press Enter.

Continue performing steps in the window of the wizard for configuring the connection of
Kaspersky Secure Mail Gateway to Kaspersky Security Center.

Entering the Administration Server address


To enter the address of the Kaspersky Security Center Administration Server, do the
following in the window of the wizard for configuring the connection of Kaspersky
Secure Mail Gateway to Kaspersky Security Center:

1. Select the Address setting.

2. Press Enter.

Initial configuration of Kaspersky Secure Mail Gateway

67
A window for entering the Administration Server address opens (see figure below).

Figure 61. Entering the Administration Server address

3. Specify the DNS name or IP address of the Administration Server of Kaspersky Security
Center.

4. Click OK.

Continue performing the steps of configuring the connection of Kaspersky Secure Mail
Gateway to Kaspersky Security Center.

Specifying the number of the port for


connecting to the Administration Server
To specify the number of the port for connecting to the Kaspersky Security Center
Administration Server, do the following in the window of the wizard for configuring the
connection of Kaspersky Secure Mail Gateway to Kaspersky Security Center:

1. Select the Port setting.

2. Press Enter.

Initial configuration of Kaspersky Secure Mail Gateway

68
A window opens where you can enter the number of the port for connecting to the
Administration Server (see figure below).

Figure 62. Specifying the port for connecting to the Administration Server

3. Specify the number of the port for connecting to the Administration Server or use the
default port number (13000).

4. Click OK.

Continue performing steps in the window of the wizard for configuring the connection of
Kaspersky Secure Mail Gateway to Kaspersky Security Center.

Using the SSL connection for data transfer


You can enable the SSL connection for transferring data to the Administration Server of Kaspersky
Security Center.

By default, the SSL connection for transferring data to the Administration Server of Kaspersky
Security Center is enabled.

To enable SSL connection, do the following in the window of the wizard for configuring
the connection of Kaspersky Secure Mail Gateway to Kaspersky Security Center:
1. Select the Use SSL setting.

2. Make sure that value of the Use SSL setting is set to yes.

3. If the value of the Use SSL setting is set to no, press Enter.

Continue performing steps in the window of the wizard for configuring the connection of
Kaspersky Secure Mail Gateway to Kaspersky Security Center.

Initial configuration of Kaspersky Secure Mail Gateway

69
Using a gateway for connecting to the
Administration Server
You can choose one of the options for using the gateway when connecting Kaspersky Secure Mail
Gateway to the Administration Server of Kaspersky Security Center:

Disable the use of the gateway

Enable the use of the gateway

Enable the use of Network Agent as a gateway

By default, the use of a gateway is disabled when connecting to the Administration Server, and the
connection to Kaspersky Security Center is established directly.

To disable the use of the gateway for connecting Kaspersky Secure Mail Gateway to
the Administration Server, do the following in the window of the wizard for configuring
the connection of Kaspersky Secure Mail Gateway to Kaspersky Security Center:

1. Select the Gw mode setting.

2. Make sure that the value of the Gw mode setting is set to don't use.

3. If the Gw mode setting has any other value, keep pressing the Enter key until the value of
the Gw mode setting changes to don't use.

To enable the use of the gateway for connecting Kaspersky Secure Mail Gateway to
the Administration Server, do the following in the window of the wizard for configuring
the connection of Kaspersky Secure Mail Gateway to Kaspersky Security Center:

1. Select the Gw mode setting.

2. Keep pressing the Enter key until the value of the Gw mode setting changes to use
gateway.

3. Select the Gateway setting.

4. Press Enter.

Initial configuration of Kaspersky Secure Mail Gateway

70
A window for entering the gateway address opens (see figure below).

Figure 63. Entering the address of a gateway for connecting to the Administration Server

5. Enter the DNS name or IP address of the gateway that you want to use for connecting to
the Administration Server of Kaspersky Security Center.

6. Click OK.

To enable the use of Network Agent as a gateway for connecting Kaspersky Secure
Mail Gateway to the Administration Server, do the following in the window of the wizard
for configuring the connection of Kaspersky Secure Mail Gateway to Kaspersky
Security Center:
1. Select the Gw mode setting.

2. Keep pressing the Enter key until the value of the Gw mode setting changes to act as
gateway.

Proceed to check the connection of Kaspersky Secure Mail Gateway to Kaspersky Security
Center in the window of the wizard for configuring the connection of Kaspersky Secure Mail
Gateway to Kaspersky Security Center.

Step 15. Checking the connection of


Kaspersky Secure Mail Gateway to
Kaspersky Security Center
To check the connection of Kaspersky Secure Mail Gateway to Kaspersky Security
Center, do the following in the window of the wizard for configuring the connection of
Kaspersky Secure Mail Gateway to Kaspersky Security Center:
1. Select the Check Status setting.

2. Press Enter.

Initial configuration of Kaspersky Secure Mail Gateway

71
3. If you have changed the values of the settings of Kaspersky Secure Mail Gateway
connection to Kaspersky Security Center when configuring the connection of Kaspersky
Secure Mail Gateway to Kaspersky Security Center (see section "Step 14. Configuring the
connection of Kaspersky Secure Mail Gateway to Kaspersky Security Center" on page 66),
click Yes in the window prompting you to confirm changes (see figure below).

Figure 64. Confirming changes to Kaspersky Security Center connection settings


The window prompting you to confirm saving changes to Kaspersky Security Center
connection settings closes.

The Check Status setting takes the value corresponding to the status of Kaspersky Secure
Mail Gateway connection to Kaspersky Security Center.

For example, if the connection of Kaspersky Secure Mail Gateway to Kaspersky Security
Center has been established successfully, the value of the Check Status setting changes
to OK.

4. Select Continue.

5. Press Enter.

The Initial Configuration Wizard of the Kaspersky Secure Mail Gateway virtual machine
proceeds to the next step.

Initial configuration of Kaspersky Secure Mail Gateway

72
Step 16. Displaying the settings of the
connection to the web interface
If the network connection has been configured successfully, initial configuration of Kaspersky
Secure Mail Gateway finishes at this step, and a window with the web interface connection settings
opens (see figure below).

Figure 65. Finishing initial configuration of Kaspersky Secure Mail Gateway

Remember or write down the IP address specified in the IP address information window and
click OK.

Initial configuration of Kaspersky Secure Mail Gateway has finished.

If your network does not use a DHCP server, Kaspersky Secure Mail Gateway is unable to
retrieve the Kaspersky Secure Mail Gateway web interface connection settings automatically,
and the IP address of the connection to the web interface is not displayed in the IP address
information window. In this case, you can configure the Kaspersky Secure Mail Gateway web
interface connection settings manually via the Kaspersky Secure Mail Gateway administrator's
menu (see section "Managing settings of Kaspersky Secure Mail Gateway from the
administrator's menu" on page 96).

Initial configuration of Kaspersky Secure Mail Gateway

73
Starting the Kaspersky Secure Mail
Gateway virtual machine

After performing initial configuration (see section "Initial configuration of Kaspersky Secure Mail
Gateway" on page 31), the Kaspersky Secure Mail Gateway virtual machine is started
automatically. To ensure interaction with the existing mail infrastructure, the mail server
preinstalled on the virtual machine needs to be configured additionally.

You can view information about the operation of Kaspersky Secure Mail Gateway and configure
message processing rules and protection settings via the web interface (see page 75).

You can also configure settings and manage the operation (see section "Managing settings of
Kaspersky Secure Mail Gateway from the administrator's menu" on page 96) of the virtual machine
via the administrator's menu in the WMware console.
Connecting to the Kaspersky
Secure Mail Gateway web interface

After performing initial configuration (see section "Initial configuration of Kaspersky Secure Mail
Gateway" on page 31), you can connect to the web interface of Kaspersky Secure Mail Gateway.

To connect to the web interface of Kaspersky Secure Mail Gateway:

1. Type the following address in the address line of the web browser:

https://<IP-address-of-deployed-appliance>/ksmg, using the IP address


received at Step 16 of the Initial Configuration Wizard of Kaspersky Secure Mail Gateway
(see section "Step 16. Displaying the settings of the connection to the web interface" on
page 73).

A web interface login page opens, prompting you to enter the user name and password of
the web address administrator.

2. In the User name field, type Administrator.

3. In the Password field, type the password specified at Step 11 of the Initial Configuration
Wizard of Kaspersky Secure Mail Gateway (see section "Step 11. Setting the web interface
administrator password" on page 62).

4. Click the Log in button.

The main page of the Kaspersky Secure Mail Gateway web interface opens.
Integrating Kaspersky Secure Mail
Gateway into the corporate mail
infrastructure

Kaspersky Secure Mail Gateway is integrated into the existing corporate mail infrastructure
and is not a standalone mail system. For example, Kaspersky Secure Mail Gateway does not
deliver email messages to recipients and does not manage user accounts.

You can integrate Kaspersky Secure Mail Gateway into the corporate mail infrastructure in one of
the following ways:

Directly (see figure below).

Figure 66. Direct integration

Through an edge gateway (see figure below) on which SMTP verification of recipient email
addresses is enabled.

Figure 67. Integration through an edge gateway

Before configuring integration of Kaspersky Secure Mail Gateway via an edge gateway,
specify whether or not SMTP verification of recipient email addresses is enabled on the
edge gateway to which Kaspersky Secure Mail Gateway will be relaying messages
from internal domains.

Through an edge gateway (see figure above) on which SMTP verification of recipient email
addresses is disabled.
You can configure the basic settings of Kaspersky Secure Mail Gateway integration into the
corporate mail infrastructure using the Quick MTA Setup Wizard as well as integrate Kaspersky
Secure Mail Gateway into the corporate mail infrastructure through the web interface of the
application.

After you complete all steps of the quick MTA setup, Kaspersky Secure Mail Gateway resets
all values of MTA setting and replaces them with values that you specified in the Quick MTA
Setup Wizard.

In this section
Direct integration ....................................................................................................................... 77

Integration through an edge gateway (SMTP verification of recipient email addresses is


enabled) .................................................................................................................................... 82

Integration through an edge gateway (SMTP verification of recipient email addresses is


disabled) ................................................................................................................................... 89

Direct integration
Direct integration is the type of integration where Kaspersky Secure Mail Gateway receives email
messages directly from the Internet and redirects them to internal mail servers, and also receives
messages from internal mail servers and redirects them to the Internet.

To configure direct integration of Kaspersky Secure Mail Gateway into the corporate
mail infrastructure:

1. In the main window of the application web interface, open the administration console tree
and select the Quick MTA Setup section.

2. In the Integrating Kaspersky Secure Mail Gateway into mail infrastructure section,
select Integrate directly.

3. Click the Start integration link to begin performing the steps of the wizard.

Integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure

77
In this section
Step 1. Adding local domains (relay_domains) .......................................................................... 78

Step 2. Configuring email routing (transport_map) .................................................................... 79

Step 3. Adding trusted networks and network hosts (mynetworks) ............................................ 80

Step 4. Completing direct integration of Kaspersky Secure Mail Gateway ................................. 82

Step 1. Adding local domains


(relay_domains)
At this step, add local domains of your organization for which Kaspersky Secure Mail Gateway will
be receiving email messages from the outside. Kaspersky Secure Mail Gateway will receive
messages only for the domains you specified. Messages intended for other domains are rejected.

If local domains are not specified, Kaspersky Secure Mail Gateway will not be receiving
messages for your internal mail servers.

To add local domains of your organization:

1. Click the Add a domain link to open the Adding a domain window.

2. In the Enter domain name field, type the name of the domain for which Kaspersky Secure
Mail Gateway will be receiving messages.

Type the domain names in FQDN format.

3. Click the Add button.

4. The Adding a domain window closes.

The domain names have to be entered one at a time. Repeat the process of adding
domain names to the list for all domain names that you are adding.

Proceed to the next step of the wizard.

Integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure

78
See also
Step 2. Configuring email routing (transport_map) .................................................................... 79

Step 3. Adding trusted networks and network hosts (mynetworks) ............................................ 80

Step 4. Completing direct integration of Kaspersky Secure Mail Gateway ................................. 82

Step 2. Configuring email routing


(transport_map)
Configure email routing at this step.

By default, Kaspersky Secure Mail Gateway uses the settings of your DNS server for email routing.
To configure email routing manually, create a transport map: enter the names of the domains for
which email messages are intended and then type the IP addresses or FQDN names of the
domains to which Kaspersky Secure Mail Gateway will be redirecting messages intended for the
domains.

For example, if you want messages intended for the example.com domain to be redirected to the
address 1.1.1.0:25, add the example.com domain to the transport map and then specify the IP
address 1.1.1.0 and port number 25 for routing messages intended for the example.com domain.

To configure email routing:

1. Click the Add a record to the transport map link to open the Email routing window.

2. In the Enter domain name field, type the name of the domain for which email messages
are intended.

Type the domain names in FQDN format.

3. In the Enter email destination address (IPv4, domain name or FQDN) field, type the IP
address or domain name of the server the routing of email to which you want to configure.

You can enter an IPv4 address (for example: 192.0.0.1 or 192.0.0.0/16), an IPv6 address
(for example: 2607:f0d0:1002:51::4), subnet mask in CIDR format (for example: fc00::/7),
domain name or FQDN.

Integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure

79
4. In the Enter the port number to connect with the email destination address, select the
port number.

The default value is 25.

5. Select one of the following options:

Do not enable MX lookup.

Enable MX lookup (for domain names or FQDNs).

6. Click OK.

7. The Email routing window closes.

Transport map records are added one at a time. Repeat the process of adding records to
the transport map for all records that you are adding.

Proceed to the next step of the wizard.

See also
Step 1. Adding local domains (relay_domains).......................................................................... 78

Step 3. Adding trusted networks and network hosts (mynetworks) ............................................ 80

Step 4. Completing direct integration of Kaspersky Secure Mail Gateway ................................. 82

Step 3. Adding trusted networks and


network hosts (mynetworks)
At this step, create a list of trusted networks and network hosts that are allowed to send email
messages via Kaspersky Secure Mail Gateway.

As a rule, these are internal networks and network nodes of your organization.

For example, you can specify the IP addresses of Microsoft Exchange servers used at your
organization.

Integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure

80
If trusted networks are not specified, Kaspersky Secure Mail Gateway will not be receiving
messages from internal mail servers and redirect them outside the network of your
organization.

To add a list of trusted networks and network hosts:

1. Click the Add a trusted network or network host link to open the Adding a trusted
network window.

2. In the Enter network address or network host address field, type the name of the
domain for which email messages are intended.

Type the domain names in FQDN format.

3. In the Enter email destination address (IPv4, domain name or FQDN) field, type the IP
address of the network or a subnet address.

Type IP addresses in IPv4 format or subnet addresses in CIDR format.

4. Click OK.

5. The Adding a trusted network window closes.

Addresses are added one at a time. Repeat the process of adding addresses to the list for
all addresses that you are adding.

Proceed to the next step of the wizard.

See also
Step 1. Adding local domains (relay_domains) .......................................................................... 78

Step 2. Configuring email routing (transport_map) .................................................................... 79

Step 4. Completing direct integration of Kaspersky Secure Mail Gateway ................................. 82

Integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure

81
Step 4. Completing direct integration of
Kaspersky Secure Mail Gateway
At this step, check the settings you have specified for integrating Kaspersky Secure Mail Gateway
into the corporate mail infrastructure and confirm your choice.

When integration into the corporate mail infrastructure is completed, the following settings of
Kaspersky Secure Mail Gateway are configured automatically.

SPF authentication of message senders is enabled.

SMTP verification of recipient email addresses is enabled.

After you complete all steps of the Quick MTA Setup, Kaspersky Secure Mail Gateway resets
all values of MTA setting and replaces them with values that you specified in the Quick MTA
Setup Wizard.

See also
Step 1. Adding local domains (relay_domains) .......................................................................... 78

Step 2. Configuring email routing (transport_map) .................................................................... 79

Step 3. Adding trusted networks and network hosts (mynetworks) ............................................ 80

Integration through an edge gateway


(SMTP verification of recipient email
addresses is enabled)
Integration through an edge gateway on which SMTP verification of recipient email addresses is
enabled is a type of integration where Kaspersky Secure Mail Gateway receives messages from
an intermediate gateway and relays them to internal mail servers, and also receives messages
from internal mail servers and relays them to the edge gateway. In this case, SMTP verification of
recipient email addresses is enabled on the edge gateway.

Integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure

82
SMTP verification of recipient email addresses is used by mail systems to prevent reception of
messages for nonexistent addresses.

To configure integration of Kaspersky Secure Mail Gateway into the corporate mail
infrastructure through an edge gateway on which SMTP verification of recipient email
addresses is enabled:

1. In the main window of the application web interface, open the administration console tree
and select the Quick MTA Setup section.

2. In the Integrating Kaspersky Secure Mail Gateway into mail infrastructure section,
select Integrate through Edge Gateway.

3. Click the Start integration link to go to the SMTP verification of recipient email
addresses on the Edge Gateway section.

4. Select SMTP verification of recipient email addresses is enabled on the Edge


Gateway.

5. Click the Go to adding local domains link to start performing the steps of the wizard.

In this section
Step 1. Adding local domains (relay_domains) .......................................................................... 83

Step 2. Configuring email routing (transport_map) .................................................................... 84

Step 3. Entering address of your Edge Gateway (relayhost) ..................................................... 86

Step 4. Adding trusted networks and network hosts (mynetworks) ............................................ 87

Step 5. Finishing integration through an edge gateway (SMTP verification is enabled) ............. 88

Step 1. Adding local domains


(relay_domains)
At this step, add local domains of your organization for which Kaspersky Secure Mail Gateway will
be receiving email messages from the outside. Kaspersky Secure Mail Gateway will receive
messages only for the domains you specified. Messages intended for other domains are rejected.

Integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure

83
If local domains are not specified, Kaspersky Secure Mail Gateway will not be receiving
messages for your internal mail servers.

To add local domains of your organization:


1. Click the Add a domain link to open the Adding a domain window.

2. In the Enter domain name field, type the name of the domain for which Kaspersky Secure
Mail Gateway will be receiving messages.

Type the domain names in FQDN format.

3. Click the Add button.

4. The Adding a domain window closes.

The domain names have to be entered one at a time. Repeat the process of adding
domain names to the list for all domain names that you are adding.

Proceed to the next step of the wizard.

See also
Step 2. Configuring email routing (transport_map) .................................................................... 84

Step 3. Entering address of your Edge Gateway (relayhost) ..................................................... 86

Step 4. Adding trusted networks and network hosts (mynetworks) ............................................ 87

Step 5. Finishing integration through an edge gateway (SMTP verification is enabled) ............. 88

Step 2. Configuring email routing


(transport_map)
Configure email routing at this step.

By default, Kaspersky Secure Mail Gateway uses the settings of your DNS server for email routing.
To configure email routing manually, create a transport map: enter the names of the domains for
which email messages are intended and then type the IP addresses or FQDN names of the domains
to which Kaspersky Secure Mail Gateway will be redirecting messages intended for the domains.

Integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure

84
For example, if you want messages intended for the example.com domain to be redirected to the
address 1.1.1.0:25, add the example.com domain to the transport map and then specify the IP
address 1.1.1.0 and port number 25 for routing messages intended for the example.com domain.

To configure email routing:

1. Click the Add a record to the transport map link to open the Email routing window.

2. In the Enter domain name field, type the name of the domain for which email messages
are intended.

Type the domain names in FQDN format.

3. In the Enter email destination address (IPv4, domain name or FQDN) field, type the IP
address or domain name of the server the routing of email to which you want to configure.

You can enter an IPv4 address (for example: 192.0.0.1 or 192.0.0.0/16), an IPv6 address
(for example: 2607:f0d0:1002:51::4), subnet mask in CIDR format (for example: fc00::/7),
domain name or FQDN.

4. In the Enter the port number to connect with the email destination address, select the
port number.

The default value is 25.

5. Select one of the following options:

Do not enable MX lookup.

Enable MX lookup (for domain names or FQDNs).

6. Click OK.

The Email routing window closes.

Transport map records are added one at a time. Repeat the process of adding records to
the transport map for all records that you are adding.

Proceed to the next step of the wizard.

Integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure

85
See also
Step 1. Adding local domains (relay_domains) .......................................................................... 83

Step 3. Entering address of your Edge Gateway (relayhost) ..................................................... 86

Step 4. Adding trusted networks and network hosts (mynetworks) ............................................ 87

Step 5. Finishing integration through an edge gateway (SMTP verification is enabled) ............. 88

Step 3. Entering address of your Edge


Gateway (relayhost)
At this step, enter the address of your edge gateway. Kaspersky Secure Mail Gateway will be
redirecting all messages to this address.

For example: 192.0.2.1 or domain.com.

If you have configured email routing for individual domains, Kaspersky Secure Mail Gateway will
be redirecting email messages to the addresses specified for each domain.

To enter the address of an edge gateway:

1. In the Entering address of your Edge Gateway field, type the IP address of the edge
gateway.

Type the address in IPv4 format, domain name or FQDN format.

2. Select one of the following options:

Do not enable MX lookup.

Enable MX lookup (for domain names or FQDNs).

Proceed to the next step of the wizard.

Integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure

86
See also
Step 1. Adding local domains (relay_domains) .......................................................................... 83

Step 2. Configuring email routing (transport_map) .................................................................... 84

Step 4. Adding trusted networks and network hosts (mynetworks) ............................................ 87

Step 5. Finishing integration through an edge gateway (SMTP verification is enabled) ............. 88

Step 4. Adding trusted networks and


network hosts (mynetworks)
At this step, create a list of trusted networks and network hosts that are allowed to send email
messages via Kaspersky Secure Mail Gateway.

As a rule, these are internal networks and network nodes of your organization.

For example, you can specify the IP addresses of Microsoft Exchange servers used at your
organization.

If trusted networks are not specified, Kaspersky Secure Mail Gateway will not be receiving
messages from internal mail servers and redirect them outside the network of your organization.

To add a list of trusted networks and network hosts:

1. Click the Add a trusted network or network host link to open the Adding a trusted
network window.

2. In the Enter network address or network host address field, type the name of the
domain for which email messages are intended.

Type the domain names in FQDN format.

3. In the Enter email destination address (IPv4, domain name or FQDN) field, type the IP
address of the network or a subnet address.

Type IP addresses in IPv4 format or subnet addresses in CIDR format.

Integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure

87
4. Click OK.

5. The Adding a trusted network window closes.

Addresses are added one at a time. Repeat the process of adding addresses to the list for
all addresses that you are adding.

Proceed to the next step of the wizard.

See also
Step 1. Adding local domains (relay_domains).......................................................................... 83

Step 2. Configuring email routing (transport_map) .................................................................... 84

Step 3. Entering address of your Edge Gateway (relayhost) ..................................................... 86

Step 5. Finishing integration through an edge gateway (SMTP verification is enabled) ............. 88

Step 5. Finishing integration through an


edge gateway (SMTP verification is
enabled)
At this step, check the settings you have specified for integrating Kaspersky Secure Mail Gateway
into the corporate mail infrastructure and confirm your choice.

When integration into the corporate mail infrastructure is completed, the following settings of
Kaspersky Secure Mail Gateway are configured automatically.

SPF authentication of message senders is disabled.

Do not enable SPF authentication of message recipients because the message sender
is the edge gateway from which Kaspersky Secure Mail Gateway receives messages.

DMARC authentication of domains from which Kaspersky Secure Mail Gateway receives
messages is disabled.

Integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure

88
Do not enable DMARC authentication of domains because Kaspersky Secure Mail
Gateway receives messages from an intermediate gateway.

SMTP verification of recipient email addresses is enabled.

Do not disable SMTP verification of recipient email addresses because SMTP


verification of recipient email addresses is enabled on the edge gateway.

After you complete all steps of the Quick MTA Setup, Kaspersky Secure Mail Gateway resets
all values of MTA setting and replaces them with values that you specified in the Quick MTA
Setup Wizard.

See also
Step 1. Adding local domains (relay_domains) .......................................................................... 83

Step 2. Configuring email routing (transport_map) .................................................................... 84

Step 3. Entering address of your Edge Gateway (relayhost) ..................................................... 86

Step 4. Adding trusted networks and network hosts (mynetworks) ............................................ 87

Integration through an edge gateway


(SMTP verification of recipient email
addresses is disabled)
Integration through an edge gateway on which SMTP verification of recipient email addresses is
disabled is a type of integration where Kaspersky Secure Mail Gateway receives messages from
an edge gateway and relays them to internal mail servers, and also receives messages from
internal mail servers and relays them to the edge gateway. In this case, SMTP verification of
recipient email addresses is disabled on the edge gateway.

SMTP verification of recipient email addresses is used by mail systems to prevent reception of
messages for nonexistent addresses.

Integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure

89
To configure integration of Kaspersky Secure Mail Gateway into the corporate mail
infrastructure through an edge gateway on which SMTP verification of recipient email
addresses is disabled:

1. In the main window of the application web interface, open the administration console tree
and select the Quick MTA Setup section.

2. In the Integrating Kaspersky Secure Mail Gateway into mail infrastructure section,
select Integrate through Edge Gateway.

3. Click the Start integration link to go to the SMTP verification of recipient email
addresses on the Edge Gateway section.

4. Select SMTP verification of recipient email addresses is disabled on the Edge


Gateway.

5. Click the Go to configuring email routing link to start performing the steps of the wizard.

In this section
Step 1. Configuring email routing (transport_map) .................................................................... 90

Step 2. Entering address of your Edge Gateway (relayhost) ..................................................... 92

Step 3. Adding trusted networks and network hosts (mynetworks) ............................................ 93

Step 4. Finishing integration through an edge gateway (SMTP verification is disabled)............. 94

Step 1. Configuring email routing


(transport_map)
Configure email routing at this step.

By default, Kaspersky Secure Mail Gateway uses the settings of your DNS server for email routing.
To configure email routing manually, create a transport map: enter the names of the domains for
which email messages are intended and then type the IP addresses or FQDN names of the
domains to which Kaspersky Secure Mail Gateway will be redirecting messages intended for the
domains.

Integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure

90
For example, if you want messages intended for the example.com domain to be redirected to the
address 1.1.1.0:25, add the example.com domain to the transport map and then specify the IP
address 1.1.1.0 and port number 25 for routing messages intended for the example.com domain.

To configure email routing:

1. Click the Add a record to the transport map link to open the Email routing window.

2. In the Enter domain name field, type the name of the domain for which email messages
are intended.

Type the domain names in FQDN format.

3. In the Enter email destination address (IPv4, domain name or FQDN) field, type the IP
address or domain name of the server the routing of email to which you want to configure.

You can enter an IPv4 address (for example: 192.0.0.1 or 192.0.0.0/16), an IPv6 address
(for example: 2607:f0d0:1002:51::4), subnet mask in CIDR format (for example: fc00::/7),
domain name or FQDN.

4. In the Enter the port number to connect with the email destination address, select the
port number.

The default value is 25.

5. Select one of the following options:

Do not enable MX lookup.

Enable MX lookup (for domain names or FQDNs).

6. Click OK.

The Email routing window closes.

Transport map records are added one at a time. Repeat the process of adding records to
the transport map for all records that you are adding.

Proceed to the next step of the wizard.

Integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure

91
See also
Step 2. Entering address of your Edge Gateway (relayhost) ..................................................... 92

Step 3. Adding trusted networks and network hosts (mynetworks) ............................................ 93

Step 4. Finishing integration through an edge gateway (SMTP verification is disabled)............. 94

Step 2. Entering address of your Edge


Gateway (relayhost)
At this step, enter the address of your edge gateway. Kaspersky Secure Mail Gateway will be
redirecting all messages to this address.

For example: 192.0.2.1 or domain.com.

If you have configured email routing for individual domains, Kaspersky Secure Mail Gateway will
be redirecting email messages to the addresses specified for each domain.

To enter the address of an edge gateway:


1. In the Entering address of your Edge Gateway field, type the IP address of the edge
gateway.

Type the address in IPv4 format, domain name or FQDN format.

2. Select one of the following options:

Do not enable MX lookup.

Enable MX lookup (for domain names or FQDNs).

Proceed to the next step of the wizard.

See also
Step 1. Configuring email routing (transport_map) .................................................................... 90

Step 3. Adding trusted networks and network hosts (mynetworks) ............................................ 93

Step 4. Finishing integration through an edge gateway (SMTP verification is disabled)............. 94

Integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure

92
Step 3. Adding trusted networks and
network hosts (mynetworks)
At this step, create a list of trusted networks and network hosts that are allowed to send email
messages via Kaspersky Secure Mail Gateway.

As a rule, these are internal networks and network nodes of your organization.

For example, you can specify the IP addresses of Microsoft Exchange servers used at your
organization.

If trusted networks are not specified, Kaspersky Secure Mail Gateway will not be receiving
messages from internal mail servers and redirect them outside the network of your organization.

To add a list of trusted networks and network hosts:

1. Click the Add a trusted network or network host link to open the Adding a trusted
network window.

2. In the Enter network address or network host address field, type the name of the
domain for which email messages are intended.

Type the domain names in FQDN format.

3. In the Enter email destination address (IPv4, domain name or FQDN) field, type the IP
address of the network or a subnet address.

Type IP addresses in IPv4 format or subnet addresses in CIDR format.

4. Click OK.

The Adding a trusted network window closes.

Addresses are added one at a time. Repeat the process of adding addresses to the list for
all addresses that you are adding.

Proceed to the next step of the wizard.

Integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure

93
See also
Step 1. Configuring email routing (transport_map) .................................................................... 90

Step 2. Entering address of your Edge Gateway (relayhost) ..................................................... 92

Step 4. Finishing integration through an edge gateway (SMTP verification is disabled)............. 94

Step 4. Finishing integration through an


edge gateway (SMTP verification is
disabled)
At this step, check the settings you have specified for integrating Kaspersky Secure Mail Gateway
into the corporate mail infrastructure and confirm your choice.

When integration into the corporate mail infrastructure is completed, the following settings of
Kaspersky Secure Mail Gateway are configured automatically.

SPF authentication of message senders is disabled.

Do not enable SPF authentication of message recipients because the message sender
is the edge gateway from which Kaspersky Secure Mail Gateway receives messages.

DMARC authentication of domains from which Kaspersky Secure Mail Gateway receives
messages is disabled.

Do not enable DMARC authentication of domains because Kaspersky Secure Mail


Gateway receives messages from an intermediate gateway.

SMTP verification of recipient email addresses is disabled.

Do not enable SMTP verification of recipient email addresses because SMTP


verification of recipient email addresses is disabled on the edge gateway.

Integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure

94
After you complete all steps of the Quick MTA Setup, Kaspersky Secure Mail Gateway resets
all values of MTA setting and replaces them with values that you specified in the Quick MTA
Setup Wizard.

See also
Step 1. Configuring email routing (transport_map) .................................................................... 90

Step 2. Entering address of your Edge Gateway (relayhost) ..................................................... 92

Step 3. Adding trusted networks and network hosts (mynetworks) ............................................ 93

Integrating Kaspersky Secure Mail Gateway into the corporate mail infrastructure

95
Managing settings of Kaspersky
Secure Mail Gateway from the
administrator's menu

You can manage the settings of the Kaspersky Secure Mail Gateway virtual machine via the
administrator's menu (admin account) in the VMware console.

To start managing the settings of the Kaspersky Secure Mail Gateway virtual machine:

1. Start VMware vSphere Client.

2. Select a Kaspersky Secure Mail Gateway virtual machine in the list of virtual machines in
the left part of the main application window.

3. Make sure that the virtual machine is powered on or power on the virtual machine by

clicking the button on the control panel of the main application window.

4. Open the VMware vSphere Client console by selecting the Console tab in the right part of
the main application window (see figure below).

Figure 68. Opening the console for managing Kaspersky Secure Mail Gateway settings

5. In response to the system invitation, enter the user name admin and the password
specified at Step 12 of the Initial Configuration Wizard of Kaspersky Secure Mail Gateway
(see section "Step 12. Setting the administrator password for using the console" on
page 64).
The virtual machine administrator's menu opens (see figure below) from which you can
manage the Kaspersky Secure Mail Gateway virtual machine.

Figure 69. Virtual machine administrator's menu

In this section
Running Kaspersky Secure Mail Gateway in Technical Support Mode ...................................... 97

Checking the connection of Kaspersky Secure Mail Gateway to Kaspersky Security Center .... 99

Running Kaspersky Secure Mail


Gateway in Technical Support Mode
Technical Support Mode gives the Kaspersky Secure Mail Gateway administrator unlimited
(root) privileges for the application and all data (including personal data) stored in it.

It is not recommended to run Kaspersky Secure Mail Gateway in Technical Support Mode
without consulting Technical Support representatives or being instructed to do so by them.

Managing settings of Kaspersky Secure Mail Gateway from the administrator's menu

97
To run Kaspersky Secure Mail Gateway in Technical Support Mode:

1. Start VMware vSphere Client.

2. Select a Kaspersky Secure Mail Gateway virtual machine in the list of virtual machines in
the left part of the main application window.

3. Make sure that the virtual machine is powered on or power on the virtual machine by

clicking the button on the control panel of the main application window.

4. Open the VMware vSphere Client console by selecting the Console tab in the right part of
the main application window.

5. In response to the system invitation, enter the user name admin and the password
specified at Step 12 of the Initial Configuration Wizard of Kaspersky Secure Mail Gateway
(see section "Step 12. Setting the administrator password for using the console" on
page 64).

The virtual machine administrator's menu opens from which you can manage the
Kaspersky Secure Mail Gateway virtual machine.

6. Select Technical Support Mode in the virtual machine administrator's menu (see figure
below).

Figure 70. Selecting Technical Support Mode

7. Press ENTER.

Managing settings of Kaspersky Secure Mail Gateway from the administrator's menu

98
A window for entering the password of the web interface administrator account opens (see
page 62) (see figure below).

Figure 71. Administrator account password input window

8. In the Password field, enter the account password that you specified at Step 11 of the
Kaspersky Secure Mail Gateway initial configuration process (see section Step 11 ). Setting
the web interface administrator password" on page 62).

A window prompting you to confirm activation of Technical Support Mode opens.

9. If you really want to run Kaspersky Secure Mail Gateway in Technical Support Mode, select
Yes and press ENTER.

Checking the connection of Kaspersky


Secure Mail Gateway to Kaspersky
Security Center
To check the connection of Kaspersky Secure Mail Gateway to Kaspersky Security
Center from the administrator's menu, execute the following command in the command
line of the Kaspersky Secure Mail Gateway management console:

# /opt/kaspersky/klnagent/bin/klnagchk

Managing settings of Kaspersky Secure Mail Gateway from the administrator's menu

99
The klnagchk utility checks the connection of Kaspersky Secure Mail Gateway to Kaspersky
Security Center and displays the following connection settings:

Server address address of the Kaspersky Security Center server.

Use SSL whether or not a secure connection to Kaspersky Security Center is used
(value: 1 or 0).

Compress traffic whether or not traffic compression is used (value: 1 or 0).

Server SSL ports numbers of available ports for connecting to Kaspersky Security
Center via SSL.

Server ports numbers of available ports for connecting to Kaspersky Security Center
without using SSL.

Use proxy whether or not a proxy server is used (value: 1 or 0).

Certificate whether a Kaspersky Security Center certificate is present in Kaspersky


Secure Mail Gateway (value: present or absent).

The certificate may be absent if Kaspersky Secure Mail Gateway has not yet established a
single successful connection to Kaspersky Security Center.

Open UDP port whether or not Network Agent of Kaspersky Secure Mail Gateway uses a
UDP port to receive synchronization requests from Kaspersky Security Center (value: 1 or 0).

UDP ports the numbers of UDP that can be used by Kaspersky Secure Mail Gateway.

Ping period, minutes a standard synchronization interval in minutes.

Conn timeout, s a connection timeout in seconds.

RW timeout, s read-write timeout in seconds.

HostId a unique ID of the Kaspersky Secure Mail Gateway server on the network.

Regardless of whether or not the connection to Kaspersky Security Center is successful, the utility
attempts to determine whether Network Agent is running.

If the service of Network Agent is not running, the utility is terminated.

Managing settings of Kaspersky Secure Mail Gateway from the administrator's menu

100
If Network Agent is running, the utility displays the following data on the statistics of Kaspersky
Secure Mail Gateway Network Agent connection to the Kaspersky Security Center Administration
Server:

Ping count number of connection attempts.

Succ. pings number of successful connection attempts

Sync count number of synchronization attempts.

Succ. syncs number of successful synchronization attempts.

Last ping date and time of the last connection.

If problems occurred during the connection check, look for a solution in the Administrator's Guide
for Kaspersky Security Center.

Managing settings of Kaspersky Secure Mail Gateway from the administrator's menu

101
Upgrading Kaspersky Secure Mail
Gateway via the web interface

Kaspersky Lab may release upgrade packages for Kaspersky Secure Mail Gateway. For example,
Kaspersky Lab can release critical fixes for vulnerabilities or bugs, scheduled upgrades that add
new or improve existing features of Kaspersky Secure Mail Gateway, and packages with additional
localizations for Kaspersky Secure Mail Gateway.

Following the release of Kaspersky Secure Mail Gateway upgrades, you can install them via the
web interface of Kaspersky Secure Mail Gateway.

Prior to installing upgrades via the web interface of Kaspersky Secure Mail Gateway, you have
to download the upgrade package or the localization package in TGZ format along with
instructions on how to install this upgrade from the eStore website to your computer.

Kaspersky Secure Mail Gateway services may be suspended for the duration of upgrade
installation.

The upgrade process may take several minutes.

After starting an upgrade of Kaspersky Secure Mail Gateway, do not interrupt the upgrade
process or turn off the virtual machine.

You may need to restart Kaspersky Secure Mail Gateway after upgrading.

To upgrade Kaspersky Secure Mail Gateway via the web interface:

1. In the main window of the application web interface, open the management console tree
and select the Settings section and System Upgrade subsection.

2. Click the Start upgrade link to open the System Upgrade window.

3. Click the Browse button to the right of the Uploading Upgrade Package field.

The file selection window opens in the web browser that you use.
4. Choose the upgrade file that you want to upload and click the Open button in your web
browser.

The file selection window closes.

5. Click the Next button.

6. Follow the steps of the Upgrade Wizard.

The steps of the Upgrade Wizard may vary depending on the type of upgrade.

More detailed instructions on installing each upgrade are provided in the instruction
manual that comes with this upgrade.

Upgrading Kaspersky Secure Mail Gateway via the web interface

103
Preparing to perform certain tasks
in the web interface of Kaspersky
Secure Mail Gateway

Before performing certain tasks in the web interface of Kaspersky Secure Mail Gateway, you need
to make preparations outside the web interface of Kaspersky Secure Mail Gateway.

Preparations are needed to perform the following tasks:

Adding the DKIM signature to outgoing messages.

Configuring SPF and DMARC message authentication for outgoing messages.

Configuring TLS encryption between Kaspersky Secure Mail Gateway and other servers in
situations when Kaspersky Secure Mail Gateway receives messages from another server
(acts in the Server role) or sends messages to another server (acts in the Client role).

Upgrading Kaspersky Secure Mail Gateway via the web interface.

In this section
Preparing to add the DKIM signature to outgoing messages ................................................... 104

Preparing to configure SPF and DMARC message authentication for outgoing messages ..... 107

Preparing to configure TLS encryption of the connection ........................................................ 109

Preparing to upgrade Kaspersky Secure Mail Gateway via the web interface ......................... 113

Preparing to add the DKIM signature to


outgoing messages
A DKIM signature for outgoing messages is a digital signature added to messages sent from email
addresses of a certain domain for purposes of identifying users by the name of the corporate domain.
DomainKeys Identified Mail (DKIM) technology combines several existing anti-phishing and anti-
spam methods to improve the quality of classification and identification of legitimate email. Instead
of a traditional IP address, DKIM technology adds a digital signature associated with the name of
the corporate domain to the message for the purpose of identifying its sender. The signature is
automatically verified on the recipient's side, after which white and black lists are used to
determine the sender's reputation.

You can configure the DKIM signature for messages in the web interface of Kaspersky Secure Mail
Gateway.

The process of configuring the DKIM signature for messages consists of the following steps:

1. Enabling the DKIM signature for outgoing messages.

2. Creating or importing a DKIM key.

3. Adding the DKIM signature to messages sent from email addresses in a specific domain.

For instructions on configuring the DKIM signature for messages via the web interface of
Kaspersky Secure Mail Gateway, see the Kaspersky Secure Mail Gateway web interface help.

In order for the remote mail server to be able to verify the DKIM signature added to outgoing
messages, you need to obtain the DNS record of the public DKIM key via the web interface of
Kaspersky Secure Mail Gateway and add it to the settings of your DNS server.

To obtain the DNS record of the public DKIM key, do the following in the web interface
of Kaspersky Secure Mail Gateway:

1. In the main window of the application web interface, open the management console tree
and select the Domains section.

2. If the workspace shows the value of the DKIM signature setting as Disabled, do the
following:

a. Click the DKIM signature link to open the DKIM settings window.

b. In the DKIM signature drop-down list, select Enabled.

c. Click OK.

The DKIM settings window closes.

Preparing to perform certain tasks in the web interface of Kaspersky Secure Mail Gateway

105
3. In the list of domains, select the domain for whose addresses you want to configure the
DKIM signature to be added to outgoing messages.

4. In the DKIM signature for messages from domain addresses section, click Add.

The Creating DKIM signature for the domain window opens.

5. In the Selector field, type the name that will help you find the DKIM signature.

6. In the Key name list, select the DKIM key based on which the DKIM signature will be
added to messages.

7. Click OK.

The Creating DKIM signature for the domain window closes.

In the DKIM signature for messages from domain addresses section, the DNS record field
shows the DNS record of the public DKIM key for a specific domain.

To add a public DKIM key to the settings of your DNS server:

1. Sign in to your DNS server under the administrator account.

2. Locate the page with information on updating DNS records of the domain for whose
addresses you want to configure the DKIM signature to be added to outgoing messages.

For example, this page can be named "DNS Management", "Name Server Management",
or "Advanced Settings".

3. Find records in TXT format for the domain for whose addresses you want to configure the
DKIM signature to be added to outgoing messages.

4. In the list of records in TXT format, add the DNS record of the public DKIM key for a certain
domain with the following contents:

<selector>._domainkey.<name of the domain for which you want to add


the public DKIM key>. IN TXT ( "v=<DKIM version>; k=rsa; s=email"
"p=<DNS record of the public DKIM key>" )

Preparing to perform certain tasks in the web interface of Kaspersky Secure Mail Gateway

106
For example, you can add the following string:

mail._domainkey.example.com IN TXT ( "v=DKIM1; k=rsa; s=email; "


"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtyb09IeTJtIxTEohP/wa
8eZOuiFJxL3pjk+1R81ajQyTb4J8Dj23RbjOKCZGFdyJfj7MUUL9MpvAo6OL9KrfaF8
ehR7MbHhaix1qPDfSP5a97vl9/6KR2TKJfi+0dQ/pMLJMbnXfdWeoDoDBUK0++B8HHC
nSpLTxsH/YDOtjKaHFxbU6DMEICTiVBWR+yeWopdWi9kPNT5SJ5H" )

See Document RFC 5617 for details on configuring settings of the DNS record of a
public DKIM key.

5. Save changes.

The syntax of the sample DNS record is provided for purposes of adding it to the settings of a
BIND DNS server. The syntax of the DNS record to be added to other DNS servers may differ
slightly from the example provided.

Preparing to configure SPF and DMARC


message authentication for outgoing
messages
SPF message authentication comparing IP addresses of message senders with the list of
possible message sources, which has been created by the mail server administrator.

DMARC message authentication authentication performed to verify that the message was
actually sent from the specified domain.

For instructions on configuring message authentication for outgoing messages via the web
interface of Kaspersky Secure Mail Gateway, see the Kaspersky Secure Mail Gateway web
interface help.

In order for the remote mail server to be able to perform message authentication when the
message sender is Kaspersky Secure Mail Gateway (authentication of the sender of outgoing
messages), you have to add the SPF and DMARC records to the settings of your DNS server.

Preparing to perform certain tasks in the web interface of Kaspersky Secure Mail Gateway

107
To add SPF and DMARC records to the settings of your DNS server:

1. Sign in to your DNS server under the administrator account.

2. Locate the page with information on updating DNS records of the domain for whose
addresses you want to configure authentication of senders of outgoing messages.

For example, this page can be named "DNS Management", "Name Server Management",
or "Advanced Settings".

3. Find records in TXT format for the domain for whose addresses you want to configure
authentication of senders of outgoing messages.

4. In the list of records in TXT format, add the SPF record for a certain domain with the
following contents:

<name of the domain for whose addresses you want to configure SPF
authentication of the sender of outgoing messages> IN TXT "v=<SPF
version> +all>"

For example, you can add the following string:

example.com IN TXT "v=spf1 +all"

See Document RFC 4408 for details on configuring settings of the SPF record.

5. In the list of records in TXT format, add the DMARC record for a certain domain with the
following contents:

_dmarc.<name of the domain for whose addresses you want to


configure DMARC authentication of the sender of outgoing messages>.
IN TXT "v=<DMARC version>; p=<action that the remote mail server
will perform on all email messages that do not satisfy the DMARC
requirements>;"

For example, you can add the following string:

_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine;"

See DMARC documentation for details on configuring settings of the DMARC record.

6. Save changes.

Preparing to perform certain tasks in the web interface of Kaspersky Secure Mail Gateway

108
The syntax of the sample SPF and DMARC records is provided for purposes of adding it to the
settings of a BIND DNS server. The syntax of the SPF and DMARC records to be added to other
DNS servers may differ slightly from the examples provided.

Preparing to configure TLS encryption


of the connection
TLS (Transport Layer Security) protocol is a protocol for encrypting the connection between two
servers, which ensures secure transmission of data between network nodes on the Internet.

TLS session is a sequence of the following events:

1. The server from which email messages are sent (Client) establishes a connection to the
server to which email messages are sent (Server).

2. Servers start interacting via the SMTP protocol.

3. The Client uses the STARTTLS command to offer the Server to use TLS during SMTP
interaction.

4. If the Server is able to use TLS, it responds with the STARTTLS command and sends the
certificate of the Server to the Client.

5. The Client receives the certificate and, if the relevant parameter values are specified in it,
verifies the authenticity of the Server certificate.

6. The Client and the Server enable the data encryption mode.

7. The servers exchange data.

8. The session ends.

You can configure TLS security mode for situations when Kaspersky Secure Mail Gateway
receives messages from another server (acts in the Server role) and sends messages to another
server (acts in the Client role), as well as configure TLS settings for individual domains and domain
groups that use the same IP address.

Preparing to perform certain tasks in the web interface of Kaspersky Secure Mail Gateway

109
You can create a TLS certificate or import it via the web interface of Kaspersky Secure Mail
Gateway.

For instructions on configuring TLS encryption between Kaspersky Secure Mail Gateway and
other servers and on creating and importing the TLS certificate via the web interface of
Kaspersky Secure Mail Gateway, see the Kaspersky Secure Mail Gateway web interface help.

Before importing TLS certificates via the web interface of Kaspersky Secure Mail Gateway, you
have to prepare them for import.

You can prepare certificates of the following types for import:

Self-signed TLS certificate

TLS certificate signed by a certification authority (hereinafter also CA certificate)

Self-signed certificates are normally used to test and debug SSL and TLS encryption of
connections. You are advised to use certificates signed by a certification authority (CA certificates)
on public servers.

Preparing a self-signed TLS certificate for


import
A self-signed TLS certificate intended to be imported into Kaspersky Secure Mail Gateway must
meet the following requirements:

The certificate file must have a unique name in the list of certificates used in Kaspersky
Secure Mail Gateway.

The certificate file and the private key file must be in PEM format.

The key length must be 1024 bits or longer.

By way of an example, below are instructions on how to prepare for import the self-signed TLS
server certificate server_cert.pem, whose private key is contained in the key.pem file.

Preparing to perform certain tasks in the web interface of Kaspersky Secure Mail Gateway

110
To prepare a self-signed TLS certificate for import into Kaspersky Secure Mail
Gateway:
1. In the private key file, remove the password (if any) for accessing the certificate. To do so,
execute the command:

# openssl rsa -in <name of the private key file>.pem -out <name of
the private key file with the password removed>.pem

For example, you can execute the following command:

# openssl rsa -in key.pem -out key-nopass.pem

2. Combine the private key and the server certificate in a single file. To do so, execute the
command:

% cat <name of the private key file with the password removed>.pem
<name of the server certificate>.pem <name of the server
certificate after the files were combined>.pem

For example, you can execute the following command:

% cat key-nopass.pem server_cert.pem > cert.pem

The self-signed TLS certificate (for example, cert.pem) is ready for import into Kaspersky
Secure Mail Gateway.

See also
Preparing to import a TLS certificate signed by a certification authority ................................... 111

Preparing to import a TLS certificate signed


by a certification authority
A TLS certificate signed by a certification authority (CA certificate) intended for import into
Kaspersky Secure Mail Gateway must meet the following requirements:

The certificate file must have a unique name in the list of certificates used in Kaspersky
Secure Mail Gateway.

The files of the server certificate, intermediate and root CA certificates, and the private key
file must be in PEM format.

Preparing to perform certain tasks in the web interface of Kaspersky Secure Mail Gateway

111
The key length must be 1024 bits or longer.

You must have the complete certificate chain the path from the server certificate to the
roof CA certificate.

On receiving the CA certificate, you may need to use the intermediate certificate in addition
to the server certificate.

Certificates must be specified in the certificate chain in the following order: first the server
certificate followed by intermediate CA certificates.

Intermediate certificates must not be skipped in the certificate chain.

The certificate chain must not include any certificates unrelated to current certification.

By way of an example, below are instructions on how to prepare for import a TLS server
certificate signed by a certification authority, server_cert.pem, whose private key is contained
in the key.pem file. The name of the intermediate server certificate is intermediate CA. The
name of the root certificate is root CA.

To prepare a TLS certificate signed by a certification authority for import into Kaspersky
Secure Mail Gateway:

1. In the file of the TLS certificate, remove the password (if any) for accessing the certificate.
To do so, execute the command:

# openssl rsa -in <name of the private key file>.pem -out <name of
the private key file with the password removed>.pem

For example, you can execute the following command:

# openssl rsa -in key.pem -out key-nopass.pem

2. Do one of the following:

If you are certain that the clients to which the server will provide this certificate have
their own copies of the root and intermediate CA certificates, combine the private key,
server certificate, intermediate and root CA certificates into a single file. To do so,
execute the command:

% cat <name of the private key file with the password


removed>.pem <name of the server certificate>.pem <name of the

Preparing to perform certain tasks in the web interface of Kaspersky Secure Mail Gateway

112
intermediate CA certificate>.pem <name of the root CA
certificate>.pem <name of the TLS certificate after the files
were combined>.pem

For example, you can execute the following command:

% cat key-nopass.pem server_cert.pem intermediate_CA.pem


root_CA.pem > cert.pem

If you are not sure that the clients to which the server will provide this certificate have
their own copies of the root and intermediate CA certificates, combine the private key
and server certificate into a single file. To do so, execute the command:

% cat <name of the private key file with the password


removed>.pem <name of the server certificate>.pem <name of the
server certificate after the files were combined>.pem

For example, you can execute the following command:

% cat key-nopass.pem server_cert.pem > cert.pem

The TLS certificate signed by the certification authority (for example, cert.pem) is ready for
import into Kaspersky Secure Mail Gateway.

See also
Preparing a self-signed TLS certificate for import .................................................................... 110

Preparing to upgrade Kaspersky Secure


Mail Gateway via the web interface
Before upgrading Kaspersky Secure Mail Gateway, you are strongly advised to make a copy of
your Kaspersky Secure Mail Gateway virtual machine (a snapshot of the virtual machine in the
hypervisor) to be able to return to the previous version of Kaspersky Secure Mail Gateway if
installation of the new version of Kaspersky Secure Mail Gateway fails.

To take a snapshot of a Kaspersky Secure Mail Gateway virtual machine:


1. Start VMware vSphere Client.

2. Select the virtual machine that you want to take a snapshot of.

Preparing to perform certain tasks in the web interface of Kaspersky Secure Mail Gateway

113
3. Open the menu by right-clicking.

4. In the menu, select the Snapshot item and Take Snapshot sub-item (see figure below).

Figure 72. Snapshot of the virtual machine

The Take Virtual Machine Snapshot window opens (see figure below).

Figure 73. Input of virtual machine snapshot data

Preparing to perform certain tasks in the web interface of Kaspersky Secure Mail Gateway

114
5. In the Name field, enter the name of the virtual machine snapshot.

6. In the Description field, enter a description of the virtual machine snapshot.

7. Select the Snapshot the virtual machine's memory check box.

A snapshot of your virtual machine appears in the list of virtual machines in the left part of the
main application window.

See VMware vSphere Client manuals for details on managing virtual machines in VMware
vSphere Client.

Preparing to perform certain tasks in the web interface of Kaspersky Secure Mail Gateway

115
Kaspersky Secure Mail Gateway
trace log

The trace log of Kaspersky Secure Mail Gateway system services is created automatically and
stored on the virtual machine in unencrypted form in the /var/log/ folder and its subfolders.

Since the trace log may contain personal data of users, the Kaspersky Secure Mail Gateway
administrator has to ensure protection of such data manually.

To view the contents of the trace log:

1. Open the Kaspersky Secure Mail Gateway administrator's menu (see section "Managing
settings of Kaspersky Secure Mail Gateway from the administrator's menu" on page 96).

2. Select View logs in the menu.

A list of folders with trace files is displayed (see figure below).

Figure 74. Viewing trace files

3. Select the file or folder that you need.

The contents of the selected file or folder are displayed.


Contacting the Technical Support
Service

This section describes the ways to get technical support and the terms on which it is available.

In this section
About technical support ........................................................................................................... 117

Technical support by phone .................................................................................................... 118

Technical Support via Kaspersky CompanyAccount ............................................................... 118

About technical support


If you could not find a solution to your problem in the documentation or in one of the sources of
information about the application (see the section "Sources of information about the application" on
page 11), we recommend that you contact Kaspersky Lab Technical Support. Technical Support
specialists will answer your questions about installing and using the application.

Technical support is only available to users who purchased the commercial license. Users who
have received a trial license are not entitled to technical support.

Before contacting Technical Support, please read the technical support rules
(http://support.kaspersky.com/support/rules).

You can contact Technical Support in one of the following ways:

By calling Kaspersky Lab Technical Support.

By sending a request to Technical Support through the Kaspersky CompanyAccount portal.


Technical support by phone
In most regions, you can call Kaspersky Lab Technical Support representatives. You can find
information about how to obtain technical support in your region and contact information for
Technical Support on the Kaspersky Lab Technical Support website
(http://support.kaspersky.com/support/international).

Before contacting Technical Support, please read the support rules


(http://support.kaspersky.com/support/rules). These rules contain information about the working
hours of Kaspersky Lab Technical Support and about the information that you must provide so that
Kaspersky Lab Technical Support specialists can help you.

Technical Support via Kaspersky


CompanyAccount
Kaspersky CompanyAccount (https://companyaccount.kaspersky.com) is a portal for companies
that use Kaspersky Lab applications. The portal Kaspersky CompanyAccount is designed to
facilitate interaction between users and Kaspersky Lab specialists via online requests. The portal
Kaspersky CompanyAccount lets you monitor the progress of electronic request processing by
Kaspersky Lab specialists and store a history of electronic requests.

You can register all of your organization's employees under a single account on Kaspersky
CompanyAccount. A single account lets you centrally manage electronic requests from registered
employees to Kaspersky Lab and also manage the privileges of these employees via Kaspersky
CompanyAccount.

The portal Kaspersky CompanyAccount is available in the following languages:

English

Spanish

Italian

German

Polish

Contacting the Technical Support Service

118
Portuguese

Russian

French

Japanese

To learn more about Kaspersky CompanyAccount, visit the Technical Support website
(http://support.kaspersky.com/faq/companyaccount_help).

Contacting the Technical Support Service

119
Glossary

Backup

A special storage for backup copies of files that are created before disinfection or deletion is
attempted.

Directory service

A software system that can store information about network resources (such as users) in one place
and provides centralized management capabilities.

DKIM message authentication

Verification of the digital signature added to messages.

DMARC message authentication

Authentication performed to verify that the message was actually sent from the specified domain.

Email notification

An email message describing an application event or a message scan event, which Kaspersky
Secure Mail Gateway sends to the specified email addresses.
K

Kaspersky Security Network (KSN)

An infrastructure of cloud services that provides access to the online Knowledge Base of
Kaspersky Lab which contains information about the reputation of files, web resources, and
software. Use of data from Kaspersky Security Network ensures faster responses by Kaspersky
Lab applications to threats, improves the performance of some protection components, and
reduces the likelihood of false positives.

LDAP

Lightweight Directory Access Protocol for accessing directory services.

SNMP agent

A network management software module of Kaspersky Secure Mail Gateway, which monitors the
operation of Kaspersky Secure Mail Gateway.

SNMP trap

An application event notification sent by the SNMP agent.

Glossary

121
SPF message authentication

Comparison of IP addresses of message senders with the list of possible message sources, which
has been created by the mail server administrator.

Virtual machine

A fully isolated software system that executes machine-independent or machine code of the
processor and can imitate the operating system of an application or device (such as a computer).

Glossary

122
AO Kaspersky Lab

Kaspersky Lab is a world-renowned vendor of systems protecting computers against various


threats, including viruses and other malware, unsolicited email (spam), network and hacking
attacks.

In 2008, Kaspersky Lab was rated among the worlds top four leading vendors of information
security software solutions for end users (IDC Worldwide Endpoint Security Revenue by Vendor).
Kaspersky Lab is the preferred vendor of computer protection systems for home users in Russia
(IDC Endpoint Tracker 2014).

Kaspersky Lab was founded in Russia in 1997. It has since grown into an international group of
companies with 34 offices in 31 countries. The company employs more than 3000 qualified
specialists.

PRODUCTS. Kaspersky Labs products provide protection for all systemsfrom home computers
to large corporate networks.

The personal product range includes security applications for desktop, laptop, and tablet
computers, smartphones and other mobile devices.

The company offers protection and control solutions and technologies for workstations and mobile
devices, virtual machines, file and web servers, mail gateways, and firewalls. The company's
portfolio also features specialized products providing protection against DDoS attacks, protection
for industrial control systems, and prevention of financial fraud. Used in conjunction with Kaspersky
Labs centralized management system, these solutions ensure effective automated protection for
companies and organizations of any size against computer threats. Kaspersky Lab's products are
certified by the major test laboratories, are compatible with the software of many suppliers of
computer applications, and are optimized to run on many hardware platforms.

Kaspersky Labs virus analysts work around the clock. Every day they uncover hundreds of
thousands of new computer threats, create tools to detect and disinfect them, and include them in
databases used by Kaspersky Lab applications.
TECHNOLOGIES. Many technologies that are now part and parcel of modern anti-virus tools were
originally developed by Kaspersky Lab. It is no coincidence that many other developers use the
Kaspersky Anti-Virus kernel in their products, including: Alcatel-Lucent, Alt-N, Asus, BAE Systems,
Blue Coat, Check Point, Cisco Meraki, Clearswift, D-Link, General Dynamics, Facebook, Juniper
Networks, Lenovo, H3C, Microsoft, NETGEAR, Openwave Messaging, Parallels, Qualcomm,
Samsung, Stormshield, Toshiba, Trustwave, Vertu, ZyXEL. Many of the companys innovative
technologies are patented.

ACHIEVEMENTS. Over the years, Kaspersky Lab has won hundreds of awards for its services in
combating computer threats. Following tests and research conducted by the reputed Austrian test
laboratory AV-Comparatives in 2014, Kaspersky Lab ranked among the top two vendors by the
number of Advanced+ certificates earned and was eventually awarded the Top Rated certificate.
But Kaspersky Lab's main achievement is the loyalty of its users worldwide. The companys
products and technologies protect more than 400 million users, and its corporate clients number
more than 270,000.

Kaspersky Labs website: http://www.kaspersky.com

Virus encyclopedia: http://www.securelist.com

Virus Lab: http://newvirus.kaspersky.com (for analyzing


suspicious files and websites)

Kaspersky Labs web forum: http://forum.kaspersky.com

AO Kaspersky Lab

124
Information about third-party code

Information about third-party code is contained in the file legal_notices.txt, in the application
installation folder.
Trademark notices

Registered trademarks and service marks are the property of their respective owners.

Microsoft, Active Directory, and Internet Explorer are trademarks of Microsoft Corporation
registered in the United States of America and elsewhere.

Linux is a trademark of Linus Torvalds registered in the USA and elsewhere.

Mozilla and Firefox are Trademarks of the Mozilla Foundation.

Google Chrome is a trademark of Google, Inc.

VMware, ESXi and VMware vSphere are trademarks of VMware, Inc or trademarks of VMware,
Inc. registered in the United States or other jurisdictions.
Index

A
About Kaspersky Secure Mail Gateway .................................................................................... 13

Administrator

administrator password for using the console ....................................................................... 64

email addresses of the administrator .................................................................................... 65

Managing settings of Kaspersky Secure Mail Gateway from the administrator's menu ......... 96

web interface administrator password .................................................................................. 62

AO Kaspersky Lab .................................................................................................................. 123

C
Console

Managing Kaspersky Secure Mail Gateway settings from the console ................................. 96

D
DNS

assigning addresses using the DHCP server ........................................................................ 59

assigning static DNS addresses ........................................................................................... 60

Domains ............................................................................................................................. 78, 83

E
Email routing ................................................................................................................. 79, 84, 90
End User License Agreement

selecting the language.......................................................................................................... 33

viewing during initial configuration of Kaspersky Secure Mail Gateway ................................ 34

viewing during virtual machine image deployment ................................................................ 24

I
Integration into the corporate mail infrastructure ........................................................... 77, 82, 89

K
KSN

configuring participation in Kaspersky Security Network ....................................................... 37

M
myhostname

assigning the Kaspersky Secure Mail Gateway host name ................................................... 41

N
Network interface

Assigning a static IP address and network mask .................................................................. 45

assigning the IP address and network mask using the DHCP server.................................... 44

enabling and disabling .......................................................................................................... 43

Network routes

adding a network route ......................................................................................................... 50

assigning a gateway address using the DHCP server .......................................................... 47

assigning a static gateway address ...................................................................................... 48

Index

128
deleting a network route ....................................................................................................... 56

modifying a network route .................................................................................................... 53

O
Operation mode

switching to certified mode of operation ................................................................................ 35

switching to Technical Support Mode ................................................................................... 96

S
SMTP verification of recipient email addresses ................................................................... 82, 89

T
Technical Support Mode

Managing Kaspersky Secure Mail Gateway settings ............................................................ 96

Time zone

setting the time zone ............................................................................................................ 40

Trusted networks .......................................................................................................... 80, 87, 93

V
Virtual machine

naming the virtual machine ................................................................................................... 25

selecting a destination storage for the virtual machine.......................................................... 26

selecting a virtual machine image ......................................................................................... 21

starting the virtual machine ................................................................................................... 29

viewing details of the virtual machine image ......................................................................... 23

Index

129
W
Web interface

assigning a static IP address and network mask .................................................................. 45

assigning the IP address using the DHCP server ................................................................. 44

connecting to the web interface ............................................................................................ 75

displaying the connection settings ........................................................................................ 73

setting the administrator password ....................................................................................... 62

Index

130