Contents
- Domains and configuration of email routing
- Adding a record to the transport map and configuring email routing (transport_map)
- Adding a local domain (relay_domain)
- Deleting a record from the transport map
- Modifying email routing for a domain (transport_map)
- About using the TLS protocol in the operation of Kaspersky Secure Mail Gateway
- Configuring TLS security for incoming email messages
- Configuring TLS security for outgoing email messages
- About the DKIM signature for outgoing messages
- Enabling and disabling the DKIM signature for outgoing messages
- Preparing to add the DKIM signature to outgoing messages
- Adding the DKIM signature to messages from addresses from a specific domain
Domains and configuration of email routing
This section contains information on how to add domains and email addresses to a transport map, configure email routing for those domains, remove domains from the list, configure TLS security modes for incoming and outgoing email messages, and add a DKIM signature to messages.
By default, Kaspersky Secure Mail Gateway uses the settings of your DNS server for email routing. You can manually configure email routing. To do so, you must create a transport map. In the transport map, enter the names of the domains for which the email messages are intended and then enter the IP addresses or fully qualified domain names (FQDN) to which Kaspersky Secure Mail Gateway will be redirecting messages intended for these domains.
Example: If you want messages that are intended for the domain example.com to be redirected to the address 1.1.1.0:25, you must perform the following actions:
This section also describes configuration of email routing for local domains (relay_domains).
Local domains (relay_domains) are domains of your organization for which Kaspersky Secure Mail Gateway will be receiving email messages from the outside. Kaspersky Secure Mail Gateway will receive messages only for the domains you specified. Messages intended for other domains are rejected.
If local domains are not specified, Kaspersky Secure Mail Gateway will not be receiving messages for your internal mail servers.
Adding a record to the transport map and configuring email routing (transport_map)
To add a record to the transport map and configure email routing:
- In the main window of the application web interface, open the management console tree and select the Domains section.
- Click the Add button.
The record creation window opens.
- In the Record type settings group, select one of the following record types:
- Domain, if you want to add a domain to the transport map.
- Subdomains of, if you want to add subdomains of a domain to the transport map.
- Email address, if you want to add an email address to the transport map.
- In the Domain/Email address field, enter the domain name, the name of the domain whose subdomains you are adding (in FQDN format), or the email address.
- Select the check box next to the name of the Local domain setting if you want to add a local domain.
- In the Email routing settings group, select the switch next to the name of the Configure email routing setting.
- In the Protocol settings group, select one of the email transmission protocols:
- SMTP, if you want to configure email transmission via the SMTP protocol.
- LMTP, if you want to configure email transmission via the LMTP protocol.
- In the Destination address and port number field, enter the IP address or the domain name of the server to which you want to configure routing of email.
You can enter an IPv4 address (for example, 192.0.0.1 or 192.0.0.0/16), a subnet mask in CIDR notation (for example: fc00::/7), a domain name or FQDN.
- In the MX lookup section, enable or disable MX record lookup. Select one of the following options:
- Disabled, if you want to disable MX record lookup.
- Enabled, if you want to enable MX record lookup.
- If you are adding a domain or subdomains, in the TLS Encryption mode for all outgoing mail of the mail server settings group select one of the following options:
- Use TLS Encryption mode, set for all outgoing mail from the server, if you want to use the TLS encryption mode set for all outgoing messages from the mail server for this domain.
- Override TLS Encryption mode for this domain, if you want to configure a different TLS encryption mode for this domain.
- If you have chosen to modify the TLS encryption mode for this domain, in the Override TLS Encryption mode for this domain list select the mode of TLS encryption of the connection that you want to set.
- If you want to configure the DKIM signature for messages from addresses of this domain, in the DKIM signature for messages from domain addresses settings group, do the following:
- Click the Add button.
The Creating DKIM signature for the domain window opens.
- In the Selector field, type the name that will help you find the DKIM signature.
- In the Key name list, select the DKIM key based on which the DKIM signature will be added to messages.
- Click the OK button.
The Creating DKIM signature for the domain window closes.
- Click the Add button.
- Click Add in the lower part of the window.
The added record is displayed in the transport map.
Adding a local domain (relay_domain)
To add a local domain of your organization:
- In the main window of the application web interface, open the management console tree and select the Domains section.
- Click the Add button.
The record creation window opens.
- In the Record type settings group, select Domain as the record type.
- In the Domain/Email address field, type the name of the domain for which Kaspersky Secure Mail Gateway will be receiving email messages from the outside.
Type the fully qualified domain name (FQDN).
- Select the check box next to the name of the Local domain setting.
Kaspersky Secure Mail Gateway will receive messages only for the domains you specified. Messages intended for other domains are rejected.
- In the Email routing settings group, select the switch next to the name of the Configure email routing setting.
- In the Protocol settings group, select one of the email transmission protocols:
- SMTP, if you want to configure email transmission via the SMTP protocol.
- LMTP, if you want to configure email transmission via the LMTP protocol.
- In the Destination address and port number field, enter the IP address or the domain name of the server to which you want to configure routing of email.
You can enter an IPv4 address (for example, 192.0.0.1 or 192.0.0.0/16), a subnet mask in CIDR notation (for example: fc00::/7), a domain name or FQDN.
- In the MX lookup section, enable or disable MX record lookup. Select one of the following options:
- Disabled, if you want to disable MX record lookup.
- Enabled, if you want to enable MX record lookup.
- In the TLS Encryption mode for all outgoing mail of the mail server settings group, select one of the following options:
- Use TLS Encryption mode, set for all outgoing mail from the server, if you want to use the TLS encryption mode set for all outgoing messages from the mail server for this domain.
- Override TLS Encryption mode for this domain, if you want to configure a different TLS encryption mode for this domain.
- If you have chosen to configure a different TLS encryption mode for this domain, in the Override TLS Encryption mode for this domain list select the mode of TLS encryption of the connection that you want to set.
- If you want to configure the DKIM signature for messages from addresses of this domain, in the DKIM signature for messages from domain addresses settings group, do the following:
- Click the Add button.
The Creating DKIM signature for the domain window opens.
- In the Selector field, type the name that will help you find the DKIM signature.
- In the Key name list, select the DKIM key based on which the DKIM signature will be added to messages.
- Click the OK button.
The Creating DKIM signature for the domain window closes.
- Click the Add button.
- Click Add in the lower part of the window.
The domain for which Kaspersky Secure Mail Gateway will be receiving messages appears in the list of domains.
Deleting a record from the transport map
To delete a record from the transport map:
- In the main window of the application web interface, open the management console tree and select the Domains section.
- In the list of domains, select the check box next to each record that you want to delete from the transport map.
- Click the Delete button.
The Delete action confirmation window opens.
- Click the Yes button.
The record will be removed from the transport map.
Modifying email routing for a domain (transport_map)
To modify email routing for a domain:
- In the main window of the application web interface, open the management console tree and select the Domains section.
- Within the transport map, click the link with the domain name to expand the email routing settings for this domain.
- In the Protocol settings group, select one of the email transmission protocols:
- SMTP, if you want to configure email transmission via the SMTP protocol.
- LMTP, if you want to configure email transmission via the LMTP protocol.
- In the Destination address and port number field, enter the IP address or the domain name of the server to which you want to configure routing of email.
You can enter an IPv4 address (for example, 192.0.0.1 or 192.0.0.0/16), a subnet mask in CIDR notation (for example: fc00::/7), a domain name or FQDN.
- In the MX lookup section, enable or disable MX record lookup. Select one of the following options:
- Disabled, if you want to disable MX record lookup.
- Enabled, if you want to enable MX record lookup.
- In the Destination address and port number field, type the IP address of the server to which you want to configure routing of email.
You can enter an IPv4 address (for example, 192.0.0.1 or 192.0.0.0/16), domain name or FQDN.
- Click OK in the lower part of the window.
Email routing will be modified for the domain.
About using the TLS protocol in the operation of Kaspersky Secure Mail Gateway
TLS (Transport Layer Security) is a protocol for encrypting the connection between two servers, which ensures secure transmission of data between network hosts on the Internet.
A TLS session is a sequence of the following events:
- The server from which email messages are sent (Client) establishes a connection to the server to which email messages are sent (Server).
- Servers start interacting via the SMTP protocol.
- The Client uses the STARTTLS command to propose to the Server that TLS be used during the SMTP session.
- If the Server is able to use TLS, it responds with the Ready to start TLS message and sends the Server certificate to the Client.
- The Client receives the certificate and, if the necessary parameter values are specified within it, verifies the authenticity of the Server certificate.
- The Client and the Server enable the data encryption mode.
- The servers exchange data.
- The session ends.
You can configure TLS security mode for situations when Kaspersky Secure Mail Gateway receives messages from another server (acts in the Server role) and sends messages to another server (acts in the Client role), as well as configure TLS settings for individual domains and domain groups that use the same IP address.
Configuring TLS security for incoming email messages
To configure TLS security mode for situations when Kaspersky Secure Mail Gateway receives messages from another server (acts in the Server role):
- In the main window of the application web interface, open the management console tree and select the Domains section.
- Click any link to open the TLS settings window.
- In the Server TLS security level settings group, select one of the following modes of TLS encryption of the connection between Kaspersky Secure Mail Gateway and the server that sends email messages:
- No TLS Encryption if you do not want to use TLS encryption of the connection to the server that sends email messages.
In this case, Kaspersky Secure Mail Gateway receives all messages in unencrypted form.
- Accept TLS Encryption, if you want Kaspersky Secure Mail Gateway to prompt the server sending email messages to use TLS encryption of the connection.
In this case, Kaspersky Secure Mail Gateway uses the STARTTLS command to offer TLS encryption to the server that sends email messages, but accepts messages regardless of the server's response.
- Require TLS Encryption, if you want Kaspersky Secure Mail Gateway to require that the server sending email messages use TLS encryption of the connection.
In this case, the server that is sending email messages (Client) uses the STARTTLS command to ask Kaspersky Secure Mail Gateway to use TLS encryption. Kaspersky Secure Mail Gateway responds with the Ready to start TLS message, sends the Server certificate to the Client, and requires the Client to verify the authenticity of the Server certificate. The encrypted TLS connection is established after the Client has verified the authenticity of the Server certificate.
- In the Providing Server TLS certificate settings group, select the TLS certificate of the server to be sent by Kaspersky Secure Mail Gateway to the Client for authentication at the beginning of each TLS session.
You can create or import a TLS certificate in the Encryption Keys section, TLS subsection of the main window of the Kaspersky Secure Mail Gateway web interface.
- In the Requesting Client TLS certificate settings group, select one of the following options:
- Do not request if you want Kaspersky Secure Mail Gateway not to request the client's TLS certificate.
- Request if you want Kaspersky Secure Mail Gateway to request the client's TLS certificate but to still be able to redirect messages regardless of the certificate verification result.
- Require if you want Kaspersky Secure Mail Gateway to require the client's TLS certificate and not forward messages on detecting an invalid name or invalid TLS certificate of the client.
Set the Request or Require mode only if you are certain that the clients supported by your mail server can provide a verifiable TLS certificate.
- Click the OK button.
Configuring TLS security for outgoing email messages
To configure TLS security mode for situations when Kaspersky Secure Mail Gateway redirects messages to another server (acts in the Client role):
- In the main window of the application web interface, open the management console tree and select the Domains section.
- Click any link to open the TLS settings window.
- In the Client TLS security level settings group, select one of the following modes of TLS encryption of the connection between Kaspersky Secure Mail Gateway and the server that receives email messages:
- No TLS Encryption, if you do not want to use TLS encryption of the connection with the server that receives email messages.
In this case, Kaspersky Secure Mail Gateway redirects all messages in unencrypted form.
- Attempt TLS Encryption, if you want Kaspersky Secure Mail Gateway to attempt to establish a TLS session with the receiving mail server and, if the receiving server does not support TLS, redirect messages in unencrypted form.
- Require TLS Encryption and don't verify certificate, if you want Kaspersky Secure Mail Gateway to redirect messages only if the receiving mail server supports TLS, but regardless of the authenticity of its TLS certificate.
- Require TLS Encryption and verify certificate, if you want Kaspersky Secure Mail Gateway to redirect messages only if the receiving mail server supports TLS, its TLS certificate has been verified, and the certificate name matches the domain name of the server.
Kaspersky Secure Mail Gateway does not redirect messages when these conditions are not satisfied.
- Click the OK button.
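The four outgoing (Client role) modes above, together with the STARTTLS session described earlier, amount to a small decision table over three facts: whether the receiving server offered STARTTLS, whether its certificate chain is trusted, and whether the certificate name matches the server name. The following Python is an added example (not code from the Kaspersky Secure Mail Gateway product or documentation) that encodes that table and, optionally, gathers the three facts from a real receiving server so you can see which mode a destination can safely be held to before you select it for a domain; the host name passed to the probe is assumed to be the server you route to.

```python
"""Added example, not part of the KSMG documentation: what each outgoing
TLS mode does, given the facts learned during the STARTTLS exchange."""
import smtplib
import ssl

# Mode names as shown in the Client TLS security level settings group.
NO_TLS = "No TLS Encryption"
ATTEMPT = "Attempt TLS Encryption"
REQUIRE_NO_VERIFY = "Require TLS Encryption and don't verify certificate"
REQUIRE_VERIFY = "Require TLS Encryption and verify certificate"
ALL_MODES = (NO_TLS, ATTEMPT, REQUIRE_NO_VERIFY, REQUIRE_VERIFY)


def decide_delivery(mode, starttls_offered, chain_trusted, name_matches):
    """Map a mode plus the observed facts to ("deliver", "tls" | "plain")
    or ("hold", reason). The certificate flags only matter once the
    receiving server has offered STARTTLS."""
    if mode == NO_TLS:
        return ("deliver", "plain")
    if mode == ATTEMPT:
        # Falls back to cleartext when the receiver does not support TLS.
        return ("deliver", "tls" if starttls_offered else "plain")
    if mode not in (REQUIRE_NO_VERIFY, REQUIRE_VERIFY):
        raise ValueError(f"unknown TLS mode: {mode!r}")
    if not starttls_offered:
        return ("hold", "receiving server did not offer STARTTLS")
    if mode == REQUIRE_NO_VERIFY:
        return ("deliver", "tls")
    if not chain_trusted:
        return ("hold", "certificate chain is not trusted")
    if not name_matches:
        return ("hold", "certificate name does not match the server name")
    return ("deliver", "tls")


def probe_receiving_server(host, port=25, timeout=10):
    """Run the EHLO / STARTTLS steps of the session description against a
    real server (network access required; host is assumed to be the MX you
    route to) and return (starttls_offered, chain_trusted, name_matches)."""
    starttls_offered = chain_trusted = name_matches = False
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        starttls_offered = smtp.has_extn("starttls")
        if starttls_offered:
            ctx = ssl.create_default_context()  # verifies chain and hostname
            try:
                smtp.starttls(context=ctx)  # expects "220 Ready to start TLS"
                chain_trusted = name_matches = True
            except ssl.SSLCertVerificationError as err:
                # Heuristic: a hostname-mismatch error means the chain itself
                # was trusted; any other verification error means it was not.
                if "hostname" in str(err).lower():
                    chain_trusted = True
    finally:
        smtp.close()
    return (starttls_offered, chain_trusted, name_matches)


def mode_report(host):
    """What each of the four modes would do for the probed server."""
    facts = probe_receiving_server(host)
    return {mode: decide_delivery(mode, *facts) for mode in ALL_MODES}
```

Any mode whose entry in the report is "hold" would leave mail for that domain queued, so it is the "Require" modes that warrant a probe before being set as an override for a domain.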
About the DKIM signature for outgoing messages
A DKIM signature for outgoing messages is a digital signature added to messages sent from email addresses of a certain domain so that the sender can be identified by the name of the corporate domain.
DomainKeys Identified Mail (DKIM) combines several existing anti-phishing and anti-spam methods to improve the classification and identification of legitimate email. Instead of relying on the sender's IP address, DKIM adds to the message a digital signature associated with the name of the corporate domain, which identifies its sender.
Enabling and disabling the DKIM signature for outgoing messages
To enable or disable the DKIM signature for outgoing messages:
- In the main window of the application web interface, open the management console tree and select the Domains section.
- In the upper part of the workspace, click the DKIM signature link to open the DKIM settings window.
- Select one of the following options in the DKIM signature drop-down list:
- Enabled, if you want to add the DKIM signature to outgoing messages.
- Disabled, if you do not want to add the DKIM signature to outgoing messages.
- Click the OK button.
The DKIM settings window closes.
Preparing to add the DKIM signature to outgoing messages
You can configure the DKIM signature for messages in the web interface of Kaspersky Secure Mail Gateway.
The process of configuring the DKIM signature for messages consists of the following steps:
- Enabling the DKIM signature for outgoing messages.
- Creating or importing a DKIM key.
- Adding the DKIM signature to messages sent from email addresses in a specific domain.
In order for the remote mail server to be able to verify the DKIM signature added to outgoing messages, you need to obtain the DNS record of the public DKIM key via the web interface of Kaspersky Secure Mail Gateway and add it to the settings of your DNS server.
To obtain the DNS record of the public DKIM key, do the following in the web interface of Kaspersky Secure Mail Gateway:
- In the main window of the application web interface, open the management console tree and select the Domains section.
- If the workspace shows the value of the setting as Disabled, do the following:
- Click the DKIM signature link to open the DKIM settings window.
- In the DKIM signature drop-down list, select Enabled.
- Click the OK button.
The DKIM settings window closes.
- In the list of domains, open the record editing window by clicking the link containing the name of the domain for whose addresses you want to configure the DKIM signature to be added to outgoing messages.
- In the DKIM signature for messages from domain addresses settings group, click the Add button.
The Creating DKIM signature for the domain window opens.
- In the Selector field, type the name that will help you find the DKIM signature.
- In the Key name list, select the DKIM key based on which the DKIM signature will be added to messages.
- Click the OK button.
The Creating DKIM signature for the domain window closes.
In the DKIM signature for messages from domain addresses settings group, the DNS record field displays the DNS record of the public DKIM key for the specific domain.
To add a public DKIM key to the settings of your DNS server:
- Sign in to your DNS server under the administrator account.
- Locate the page with information on updating DNS records of the domain for whose addresses you want to configure the DKIM signature to be added to outgoing messages.
For example, this page can be named "DNS Management", "Name Server Management", or "Advanced Settings".
- Find records in TXT format for the domain for whose addresses you want to configure the DKIM signature to be added to outgoing messages.
- In the list of records in TXT format, add the DNS record of the public DKIM key for a certain domain with the following contents:
<selector>._domainkey.<name of the domain for which you want to add the public DKIM key>. IN TXT ( "v=<DKIM version>; k=rsa; s=email" "p=<DNS record of the public DKIM key>" )
Example of a DNS record for a public DKIM key:
mail._domainkey.example.com IN TXT ( "v=DKIM1; k=rsa; s=email; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtyb09IeTJtIxTEohP/wa8eZOuiFJxL3pjk+1R81ajQyTb4J8Dj23RbjOKCZGFdyJfj7MUUL9MpvAo6OL9KrfaF8ehR7MbHhaix1qPDfSP5a97vl9/6KR2TKJfi+0dQ/pMLJMbnXfdWeoDoDBUK0++B8HHCnSpLTxsH/YDOtjKaHFxbU6DMEICTiVBWR+yeWopdWi9kPNT5SJ5H" )
See Document RFC 5617 for details on configuring settings of the DNS record of a public DKIM key.
- Save changes.
The syntax of the sample DNS record is provided for purposes of adding it to the settings of a BIND DNS server. The syntax of the DNS record to be added to other DNS servers may differ slightly from the example provided.
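The sample record is written as several quoted strings because a single TXT character-string is limited to 255 bytes and a base64-encoded RSA public key is longer than that; the resolver concatenates the strings with no separator, so a stray space inside the p= value breaks verification. The following Python is an added example (not from the Kaspersky Secure Mail Gateway product or documentation) that builds the BIND-style line from the selector, domain and the key shown in the DNS record field, and checks a record read back from DNS the way a verifying mail server will. The key material it uses is a constructed placeholder, not a real key.

```python
"""Added example, not part of the KSMG documentation: build and check the
<selector>._domainkey TXT record for a public DKIM key."""
import base64
import binascii
import re

MAX_TXT_STRING = 255  # limit of one quoted <character-string> in a TXT RR

# Constructed placeholder: DER-looking bytes (SEQUENCE header) padded with
# zeros so it is long enough to need splitting; not a real RSA key.
CONSTRUCTED_KEY_B64 = base64.b64encode(
    b"\x30\x82\x01\x22" + b"\x00" * 290).decode()


def build_dkim_txt_record(domain, selector, public_key_b64, version="DKIM1"):
    """Return the zone-file line for <selector>._domainkey.<domain>.
    The p= value is split into strings of at most 255 characters, which is
    why the documentation's example shows the record as two strings."""
    strings = [f"v={version}; k=rsa; s=email; "]
    payload = "p=" + public_key_b64
    for i in range(0, len(payload), MAX_TXT_STRING):
        strings.append(payload[i:i + MAX_TXT_STRING])
    quoted = " ".join(f'"{s}"' for s in strings)
    return f"{selector}._domainkey.{domain}. IN TXT ( {quoted} )"


def txt_strings(record_line):
    """Extract the quoted character-strings from a zone-file TXT line."""
    return re.findall(r'"([^"]*)"', record_line)


def parse_dkim_txt_record(strings):
    """Join the character-strings (no separator, as a resolver does), parse
    the tag=value list and report the problems a verifier would hit."""
    joined = "".join(strings)
    tags = {}
    for field in joined.split(";"):
        if not field.strip():
            continue
        name, _, value = field.partition("=")
        # Whitespace inside a tag value is ignored, so strip it here too.
        tags[name.strip()] = re.sub(r"\s+", "", value)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k must be rsa for an RSA key")
    p = tags.get("p")
    if not p:
        problems.append("p is missing or empty (an empty p revokes the key)")
    else:
        try:
            der = base64.b64decode(p, validate=True)
        except (ValueError, binascii.Error):
            problems.append("p is not valid base64")
        else:
            # A SubjectPublicKeyInfo is a DER SEQUENCE, tag byte 0x30.
            if not der.startswith(b"\x30"):
                problems.append("p does not decode to a DER public key")
    return tags, problems
```

To check a published record, run `dig +short TXT mail._domainkey.example.com` (with your selector and domain) and pass the quoted strings it prints to parse_dkim_txt_record.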
Adding the DKIM signature to messages from addresses from a specific domain
Before adding the DKIM signature to messages from addresses belonging to a certain domain, you have to create or import a DKIM key.
To add the DKIM key to messages sent from email addresses belonging to a certain domain:
- In the main window of the application web interface, open the management console tree and select the Domains section.
- If the workspace shows the value of the setting as Disabled, do the following:
- Click the DKIM signature link to open the DKIM settings window.
- In the DKIM signature drop-down list, select Enabled.
- Click the OK button.
The DKIM settings window closes.
- In the list of domains, select the domain for which you want to add the DKIM signature to outgoing messages.
- In the DKIM signature for messages from domain addresses settings group, click the Add button.
The Creating DKIM signature for the domain window opens.
- In the Selector field, type the name that will help you find the DKIM signature.
- In the Key name list, select the DKIM key based on which the DKIM signature will be added to messages.
- Click the OK button.
The Creating DKIM signature for the domain window closes.
After you have configured the DKIM signature for messages in the web interface of Kaspersky Secure Mail Gateway, to enable the remote mail server to be able to verify this DKIM signature you must add the public DKIM key to the settings of your DNS server.