Configuring MTA settings
Kaspersky Secure Mail Gateway is integrated into the existing corporate mail infrastructure and is not a standalone mail system. For example, Kaspersky Secure Mail Gateway does not deliver email messages to recipients and does not manage user accounts.
You can configure the basic MTA settings using the Quick MTA Setup Wizard or manually in the application web interface.
This section describes how you can configure the MTA settings manually.
Configuring basic MTA settings
To configure basic MTA settings:
- In the main window of the application web interface, open the management console tree and select the Settings section and MTA subsection.
- Open the Basic Settings section if it is not already open.
- Click any link in the Basic Settings section to open the Basic MTA settings window.
- If you want to change the domain name of Kaspersky Secure Mail Gateway (mydomain), enter the new domain name of the application server in the Domain name field.
- If you want to change the fully qualified domain name of Kaspersky Secure Mail Gateway (myhostname), enter the new fully qualified domain name of the application server in the Hostname field.
- In the Message size limit field, specify the maximum size of the email message received or forwarded through Kaspersky Secure Mail Gateway, including SMTP headers. Specify the maximum size in bytes.
Type 0 if restrictions are not required.
The default value is 20971520 bytes.
- Create a list of trusted networks and network hosts that are allowed to send email messages via Kaspersky Secure Mail Gateway (mynetworks). As a rule, these are internal networks and network hosts of your organization. For example, you can specify the IP addresses of Microsoft Exchange servers used at your organization.
If trusted networks are not specified, Kaspersky Secure Mail Gateway will not receive messages from internal mail servers or redirect them outside the network of your organization.
Perform the following actions for each address that you want to add:
- In the Trusted networks field, enter the network IP address or the subnet address.
Type IP addresses in IPv4 format or subnet addresses in CIDR format.
- Click the Add button.
The network IP address or subnet address that you added will be displayed in the list of trusted networks and network hosts.
Addresses should be entered one at a time. Repeat the actions for adding IP addresses or subnet addresses to the list for all trusted networks and network hosts that you are adding.
- In the Email destination address field, enter the address of your edge gateway (relayhost). Kaspersky Secure Mail Gateway will be redirecting all messages to this address.
You can enter an IPv4 address (for example, 192.0.0.1 or 192.0.0.0/16), domain name or FQDN.
If you have configured email routing for individual domains, Kaspersky Secure Mail Gateway will be redirecting email messages to the addresses specified for each domain.
- In the MX record lookup list, select one of the following values:
- Enabled, if you want to enable the search for MX records for domain names or FQDNs.
- Disabled, if you want to disable MX record lookup.
- Click the OK button.
The Basic MTA settings window closes.
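A pre-entry audit for the Trusted networks list described above, as an added example (not Kaspersky code): it checks that each entry is an IPv4 address or CIDR subnet and flags entries that fall outside internal ranges, since every listed host is allowed to send mail through the gateway. The INTERNAL ranges, the MIN_PREFIX threshold and the sample entries are assumptions of this example.

```python
import ipaddress

# Ranges treated as "internal" (RFC 1918 plus loopback); an assumption of this example.
INTERNAL = [ipaddress.IPv4Network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
MIN_PREFIX = 16  # assumed threshold: anything broader gets flagged for review

def audit_trusted_networks(entries):
    """Return (accepted, findings) for a proposed Trusted networks list."""
    accepted, findings = [], []
    for raw in entries:
        entry = raw.strip()
        try:
            # strict=True rejects CIDR values with host bits set, e.g. 10.1.2.3/8
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError:
            findings.append((entry, "not an IPv4 address or valid CIDR subnet"))
            continue
        if not any(net.subnet_of(r) for r in INTERNAL):
            findings.append((entry, "outside internal ranges: these hosts could relay mail"))
            continue
        covering = next((a for a in accepted if net.subnet_of(a)), None)
        if covering is not None:
            findings.append((entry, f"redundant: already covered by {covering}"))
            continue
        if net.prefixlen < MIN_PREFIX:
            findings.append((entry, f"broad range /{net.prefixlen}: review before adding"))
        accepted.append(net)
    return accepted, findings

# Constructed sample list, not taken from any real deployment.
SAMPLE = ["192.168.10.25", "10.20.0.0/16", "10.1.2.3/8", "0.0.0.0/0",
          "203.0.113.0/24", "10.20.5.0/24", "fe80::1"]

if __name__ == "__main__":
    ok, problems = audit_trusted_networks(SAMPLE)
    print("enter one at a time:", [str(n) for n in ok])
    for entry, reason in problems:
        print(f"review {entry}: {reason}")
```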
Configuring advanced MTA settings
To configure advanced MTA settings:
- In the main window of the application web interface, open the management console tree and select the Settings section and MTA subsection.
- Open the Advanced Settings section.
- Click any link in the upper part of the list of settings to open the Advanced MTA settings window.
- In the SMTP greeting text field, type the text that will accompany code 220 in the SMTP greeting.
- In the Maximum connection attempts field, specify the maximum number of connection attempts by one remote SMTP client to the service of the SMTP server per minute.
Type 0 if restrictions are not required.
The default value is 0 (unlimited).
- In the Maximum simultaneous connection attempts field, specify the maximum number of simultaneous connection attempts by one remote SMTP client to the SMTP server.
Type 0 if restrictions are not required.
The default value is 50.
- In the Maximum mail delivery requests field, specify the maximum number of message delivery requests from one remote SMTP client to the SMTP server per minute, regardless of whether this mail server accepts these messages or not.
Type 0 if restrictions are not required.
The default value is 0 (unlimited).
- In the SMTP session timeout field, specify the maximum period of time during which a request has to be received from the remote SMTP client and a response sent by the SMTP server.
The default value is 30 seconds.
- In the Interval between destination address connection attempts field, specify the interval between attempts by the MTA queue manager to connect to the message destination address if the destination address is unavailable.
The default value is 60 seconds.
- In the Minimum delivery interval for Deferred queue field, specify the minimum interval between attempts to deliver a message that has been deferred into the Deferred queue.
The default value is 300 seconds.
- In the [[LabelTitleSettingsMTAAdvancedDialog_maximalBackoffTime] field, specify the maximum interval between attempts to send a message that has been deferred into the Deferred queue.
The default value is 4000 seconds.
- In the Maximum queue lifetime for a message field, set a limit on the time during which a message with a permanent error status will be stored in the queue. When this time elapses, the message is considered undelivered.
The default value is 3 days.
- In the Deferred queue processing interval field, specify the frequency at which the Deferred queue is scanned by the queue manager.
The default value is 1000 seconds.
- In the Maximum queue lifetime for a bounce message field, set a limit on the time during which a bounce message with a permanent error status will be stored in the queue. When this time elapses, the message is considered undelivered.
The default value is 3 days.
- In the BCC address for all messages field, specify an optional email address for receiving blind carbon copies of all messages received by the MTA.
- In the Check addresses format for RFC 821 compliance list, configure (enable or disable) checking of email addresses in the SMTP MAIL FROM and RCPT TO commands to verify that such addresses are in angle brackets and do not contain RFC 822 comments and phrases. This check prevents reception of messages from malicious applications.
To configure the scanning of addresses, in the Check addresses format for RFC 821 compliance list, select one of the following values:
- Yes, if you want to enable checking.
- No, if you want to disable checking.
The default value is Yes.
- Configure the Disable recipient verification SMTP VRFY setting, which enables or disables the SMTP VRFY command. The SMTP VRFY command prevents specific services from collecting email addresses.
To enable or disable the SMTP VRFY command, select one of the following values in the Disable recipient verification SMTP VRFY list:
- Yes, if you want to enable the command.
- No, if you want to disable the command.
The default value is Yes.
- In the EHLO keywords not sent by SMTP server in response field, select check boxes next to those non-case-sensitive EHLO commands (for example: pipelining, starttls, auth), which your SMTP server will not announce in the response to the EHLO request from an external SMTP client.
Default values are: silent-discard, dsn, etrn.
- Click the OK button.
The Advanced MTA settings window closes.
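What the Check addresses format for RFC 821 compliance setting looks for, shown as an added example (not the product's own parser): a checker that applies the three conditions named above to MAIL FROM and RCPT TO lines. The function name, the result strings and the sample lines are assumptions of this example, and quoted local parts are not handled.

```python
import re

# Matches the two envelope commands; whitespace after the colon is tolerated
# here because the setting description above says nothing about it.
ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*(.*)$", re.IGNORECASE)

def check_envelope(line):
    """Classify one SMTP envelope command against the strict address form."""
    m = ENVELOPE.match(line.strip())
    if m is None:
        return "not an envelope command"
    arg = m.group(2)
    # RFC 822 comments are parenthesised text, e.g. <bob@example.org> (sales desk)
    if "(" in arg or ")" in arg:
        return "rejected: RFC 822 comment"
    if not arg.startswith("<"):
        # Text before "<" is a display phrase; no "<" at all is a bare address
        if "<" in arg:
            return "rejected: phrase before address"
        return "rejected: no angle brackets"
    close = arg.find(">")
    if close == -1:
        return "rejected: no angle brackets"
    # Anything after ">" must be space-separated ESMTP parameters (e.g. SIZE=1024)
    tail = arg[close + 1:]
    if tail and not tail.startswith(" "):
        return "rejected: text after address"
    return "ok"

# Constructed sample commands, not captured from a real session.
SAMPLE_LINES = [
    "MAIL FROM:<alice@example.com>",
    "MAIL FROM:<alice@example.com> SIZE=1024",
    "MAIL FROM:<>",  # null sender used by bounce messages
    "MAIL FROM:alice@example.com",
    "RCPT TO:Bob Example <bob@example.org>",
    "RCPT TO:<bob@example.org> (sales desk)",
]

def audit_lines(lines):
    """Return a list of (line, verdict) pairs in input order."""
    return [(line, check_envelope(line)) for line in lines]

if __name__ == "__main__":
    for line, verdict in audit_lines(SAMPLE_LINES):
        print(f"{verdict:35} {line}")
```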
SMTP verification of recipient email addresses
This section contains information about SMTP verification of recipient email addresses and how to configure it.
About SMTP verification of recipient email addresses
SMTP verification of recipient email addresses – verification performed to check if email addresses of message recipients actually exist.
When Kaspersky Secure Mail Gateway receives messages for secure domains and redirects them to a back-end mail server, Kaspersky Secure Mail Gateway must be prevented from receiving messages for non-existent email addresses. This is required for two reasons:
- Receiving messages to be sent to nonexistent email addresses loads the processor because mail is processed unnecessarily.
- Attempts to deliver messages to non-existent email addresses can cause Kaspersky Secure Mail Gateway or the back-end server to create delivery failure notifications; because of such notifications, Kaspersky Secure Mail Gateway or your back-end mail server will be added to the black list.
Verification of message recipients is not performed when Kaspersky Secure Mail Gateway receives messages from trusted network nodes.
Enabling and disabling SMTP verification of recipient email addresses
To enable or disable SMTP verification of recipient email addresses:
- In the main window of the application web interface, open the management console tree and select the Settings section and MTA subsection.
- Open the Advanced Settings section.
- Click the Reject messages for unknown recipient domains or Reject messages for unverified recipients link to open the Advanced MTA settings window.
- In the Reject messages for unknown recipient domains list, select one of the following values:
- Yes, if you want Kaspersky Secure Mail Gateway to reject the message delivery request if the RCPT TO domain name does not contain MX records of the DNS server and the DNS address or MX record is distorted (for example, a zero-length address of the MX host is specified).
- No, if you do not want Kaspersky Secure Mail Gateway to reject the message delivery request if the RCPT TO domain name does not contain MX records of the DNS server and the DNS address or MX record is distorted (for example, a zero-length address of the MX host is specified).
The default value is Yes.
- To the right of the Reject messages for unverified recipients setting name, select one of the following options:
- None, if you do not want to reject messages to unverified addresses.
- Reject for unverified recipients, if you want to reject the message delivery request if the RCPT TO is not available.
- Reject for recipients not in valid list, if you want to reject the message delivery request if the RCPT TO address is not in the list of valid domains for its domain class.
- Click the OK button.
The Advanced MTA settings window closes.
SMTP verification of recipient email addresses is not performed when Kaspersky Secure Mail Gateway receives messages from trusted network hosts.
Intense mail traffic can increase the load on the mail server due to transmission of failed message delivery notifications.