About data provision

Support

Support for business applications

Kaspersky Secure Mail Gateway

Application licensing

About data provision

16 April 2024

ID 171771

In the course of its operation, the application uses data that requires the consent of the KSMG administrator to be transmitted and processed.

You can view the list of data and the terms on which it is used as well as give consent to data processing in the following agreements between your organization and Kaspersky:

In the End User License Agreement.
In accordance with the terms and conditions of the End User License Agreement that you have accepted, you consent to automatic real-time provision of information required for improving the security level of the mail server to Kaspersky. This information is enumerated in the End User License Agreement under "Conditions regarding Data Processing":
- Type, version, and localization of the application
- Versions of installed updates
- Activation code and unique activation ID of the current license activation code
- Computer ID and application installation ID
- Type, version, and number of bits of the operating system
- Name of the virtual environment
- IDs of application components that were active at the time of data submission
You can view the End User License Agreement when installing KSMG or in the /opt/kaspersky/ksmg/share/doc directory.
In the Privacy Policy.
In the Kaspersky Security Network Statement and the Supplementary Kaspersky Security Network Statement.
In the course of participation in the Kaspersky Security Network and submission of KSN statistics to Kaspersky, information can be transmitted that was obtained as a result of the application operation. The list of data that is transmitted is provided in the Kaspersky Security Network Statement and the Supplementary Kaspersky Security Network Statement. You can read these Statements in the web interface in the Settings → External services → KSN/KPSN → KSN/KPSN settings section.

Memory contents and access of user accounts to personal data of users

Kaspersky protects any information received in this way as prescribed by law and applicable rules of Kaspersky. Data is transmitted over encrypted data links.

KSMG RAM may contain any application user data that is being processed. The KSMG administrator must take steps to ensure the security of such data.

By default, the following user accounts have access to personal data of users:

Operating system user accounts:
- A user with root privileges.
- kluser.
- Users that start application processes:
  - Exim (hereinafter referred to as the Exim user)
  - Postfix (hereinafter referred to as the Postfix user)
  - Nginx (hereinafter referred to as the Nginx user)
- User accounts in one of the following groups:
  - klusers
  - kl_web_users
  - kl_var_users
User accounts of privileged KSMG users.

Restricting user account permissions

User accounts of operating system users are not part of the application. These user accounts are created on the administrator's computer when the administrator independently installs third-party software (for example, Exim, Postfix, Nginx).

The application does not provide any functionality to restrict the rights of administrator and user accounts of the operating system on which the application is installed. Access to the storage location of the data is restricted by the file system. The administrator should take steps to control access to personal information of other users by any system level measures at the administrator's own discretion.

A privileged user of the application that has permission to create and edit user accounts and roles, can grant access to the web interface. Access to personal data is provided in accordance with access rights configured for the role of the account.

Transferring data between cluster nodes, connecting to Active Directory, delivering mail, managing the application

Data is sent between cluster nodes through an encrypted connection (over HTTPS with authorization using a security certificate). Data is sent to the web interface through an encrypted connection over HTTPS. Privileged users with a local user account are authorized with a password; other users of the web interface are authorized over Kerberos or NTLM protocol.

Connection to Active Directory is established through an encrypted channel (SASL) with Kerberos authorization.

Using the superuser account to manage the application on the command line of the server on which the application is installed lets you manage dump settings. A dump is generated whenever the application crashes and can be useful for analyzing the causes of the crash. The dump may include any data, including fragments of analyzed files. By default, dump generation in KSMG is disabled.

Access to such data can be gained from the command line of the server on which the application is installed, using a user account with superuser privileges.

When sending diagnostic information to Kaspersky Technical Support, the KSMG administrator must take steps to ensure the security of dumps and trace files. The KSMG administrator is responsible for managing access to this information.

Scanning files with the kavscanner and klms_eml_scanner utilities

KSMG 2.1 includes the following utilities:

The 'kavscanner' utility allows the Anti-Virus module to scan file system objects to which the 'kluser' user has access.
The utility can only be managed on the command line of the server. The utility must be run as root or kluser. After completion, the utility outputs the scan result for each file to stdout. Modifying or deleting files based on the results of the scan by the utility may damage the application and the operating system or make them inoperable.

The utility is located in the /opt/kaspersky/ksmg/bin directory.
The 'klms_eml_scanner' utility allows scanning messages in EML format by the Anti-Phishing, Anti-Virus, Anti-Spam, and Link Scanning modules (if a current license for the corresponding scan technology is available). You can scan only those messages that are available to the 'kluser' user.
The utility can only be managed on the command line of the server. The utility must be run as root or kluser. After completion, the utility outputs the message scan result to stdout. Modifying the message based on the scan results may damage the message.

The utility is located in the /opt/kaspersky/ksmg/libexec directory.

Scope of data that can be stored by the application

The following table contains the complete list of user data that can be stored in KSMG.

User data that can be stored in KSMG

Data type	Where data is used	Storage location	Storage duration	Access

Basic functionality of the application
Account names of application administrator and users. Access permissions of user accounts of the application. User account name and password that the application uses to connect to the proxy server. Keytab files and settings for connecting to the LDAP server. Keytab files for connecting via SSO Kerberos and settings for connecting to the NTLM server. Comments. Activation code or activation key (used to activate the cluster nodes being added; the code or key is sent to the activation server). Public certificates of the web servers of the cluster nodes.	Application configuration	/var/opt/kaspersky/ksmg	Indefinite.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx service has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have rights to view application settings and rights to view user accounts.
Private certificates for establishing TLS connections	Application configuration	/var/opt/kaspersky/ksmg/certs/	Indefinite.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed.
A hash of the password of a local privileged user account. MTA filter settings. Kaspersky Security Center and KATA integration settings.	Application configuration	/var/opt/kaspersky/ksmg/certs/	Indefinite.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx user has access to the data while it is being transmitted between nodes.
Names of user accounts and contacts in LDAP and other LDAP attributes. Email addresses of message senders and recipients. IP addresses of message senders. Comments.	Message processing rules and custom lists.	/var/opt/kaspersky/ksmg	Indefinite.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx service has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permissions to view message processing rules.
Information from email messages: IP addresses of message senders. Email addresses of message senders and recipients.	Application statistics	/var/opt/kaspersky/ksmg	Indefinite.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx service has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permissions to view reports and the Monitoring section. If the SNMP protocol is enabled in the KSMG settings, the snmpd service and the user that starts the snmpd service have access to the application performance statistics.
Information from email messages: IP addresses of message senders. Email addresses of message senders and recipients. Names and size of email attachments. Message subject. Names of user accounts and contacts in LDAP and other LDAP attributes.	Message processing event log	/var/opt/kaspersky/ksmg	In accordance with settings specified by the user of the application. By default, the storage duration is 3 days and the maximum size of the log is 1 GB. When this limit is reached, older records are deleted.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx service has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have the View mail traffic events permission.
	Message processing event log	Depends on the settings of the logging subsystem of the operating system. Example storage location: /var/log/messages	Depends on the settings of the logging subsystem of the operating system	The root user has access to the storage location of the information. The final list of users depends on the issued access rights to files with messages of the logging subsystem. Access rights are issued by the operating system administrator. If read access is granted to the 'kluser' user, the information is available for viewing to the following users: The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have the View mail traffic events permission.
The name of the user account that initiated the event. IP address and port of the node on which the event occurred. Event parameters.	Application event log	/var/opt/kaspersky/ksmg	In accordance with settings specified by the user of the application. By default, the storage duration is 1100 days, or the maximum size of the log is 1 GB. When this limit is reached, older records are deleted.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx service has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have the View application events permission.
	Application event log	Depends on the settings of the logging subsystem of the operating system. Example storage location: /var/log/messages	Depends on the settings of the logging subsystem of the operating system.	The root user has access to the storage location of the information. The final list of users depends on the issued access rights to files with messages of the logging subsystem. Access rights are issued by the operating system administrator. If access is granted to the 'kluser' user, the information is available for viewing to the following users: The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have the View mail traffic events permission.
Information from email messages: IP addresses of message senders. Email addresses of message senders and recipients. Message subject. Message body and size. Message control headers. Names, size, and bodies of email attachments. Data on application updates: IP addresses used for downloading updates. IP addresses of update sources. Information about downloaded files and download speed. Information about user accounts: Names of administrator accounts and application web interface user accounts. Names of user accounts in LDAP and other LDAP attributes.	Trace files	/var/log/kaspersky/ksmg	Indefinite. When the size reaches 150 MB per trace stream, older records are deleted.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data when receiving diagnostic information. The Nginx service has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permissions to receive diagnostic information.
		Depends on the settings of the logging subsystem of the operating system. Example storage location: /var/log/messages	Depends on the settings of the logging subsystem of the operating system.	The root user has access to the storage location of the information. The final list of users depends on the issued access rights to files with messages of the logging subsystem. Access rights are issued by the operating system administrator. If access is granted to the 'kluser' user, the information is available for viewing to the following users: The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have the View mail traffic events permission.
		/var/log/kaspersky/extra	Indefinite. When the size reaches 400 MB per trace file, older records are deleted.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information and can also have access to data when receiving diagnostic information and logging events. The Nginx service has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have the View mail traffic events permission.
Information from email messages: IP addresses of message senders. Email addresses of message senders and recipients. Message subject. Message body and size. Message control headers. Names, size, and bodies of email attachments.	Backup	/var/opt/kaspersky/ksmg	Until the message storage duration in Backup expires. The storage duration is configured through the web interface of the application. When the size reaches 7 GB, older records are deleted. The administrator can change this value.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx service has access to the data while it is transmitted between nodes or to the web interface. The Exim or Postfix user has access to messages while they are being delivered from Backup. Users of the application web interface that have permissions to view Backup.
Information from email messages: IP addresses of message senders. Email addresses of message senders and recipients. Message subject. Message body and size. Message control headers. Names, size, and bodies of email attachments.	Anti-Spam Quarantine	/var/opt/kaspersky/ksmg	Until the message is released from quarantine. When a message is released from quarantine, some data is used for routing the message. When the size reaches 1 GB, older records are deleted. The administrator can change this value.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx service has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permissions to view the message queue.
Information from email messages: IP addresses of message senders. Email addresses of message senders and recipients. Message subject. Message body and size. Message control headers. Names, size, and bodies of email attachments. URLs contained in the message. LDAP user DN records of users looked up by message recipient email addresses.	KATA Quarantine.	/var/opt/kaspersky/ksmg	Until the message is released from quarantine. When a message is released from quarantine, some data is used for routing the message. When the 1 GB or 5000 message limit is reached (the values can be configured by the administrator), new messages are not placed in KATA Quarantine.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx service has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permissions to view the message queue.
Information from email messages: IP addresses of message senders. Email addresses of message senders and recipients. Message subject. Message body. Message control headers. Names and bodies of email attachments.	Temporary files	/tmp/ksmgtmp /tmp/ksmg_filter (if in the Exim configuration file, the PrivateTmp setting is set to 'no') /var/opt/kaspersky/ksmg/ /tmp/ksmg_filter (if in the Exim configuration file, the PrivateTmp setting is set to 'yes')	Depends on the operating system and its settings.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Exim or Postfix user has access to processed messages while they are being delivered.
Connecting over the web interface: IP address of the user. Name of the user account.	Authorization event log	Depends on the settings of the logging subsystem of the operating system. Example storage location: /var/log/secure	Depends on the settings of the logging subsystem of the operating system	The final list of users depends on the issued access rights to files with messages of the logging subsystem. Access rights are issued by the operating system administrator.
Integration with Active Directory
User Object attributes: distinguishedName sAMAccountName msDS-PrincipalName userPrincipalName canonicalName displayName cn primaryGroupID proxyAddresses mail memberOf Contacts Object attributes: distinguishedName displayName cn proxyAddresses mail memberOf Group Object attributes: distinguishedName canonicalName objectSid proxyAddresses mail memberOf	Message processing rules. Authentication using the single sign-on technology. Autocompletion of user accounts when managing user roles and permissions, or when configuring message and custom list processing rules.	/var/opt/kaspersky/ ksmg/ldap/cache.dbm /var/opt/kaspersky/ ksmg/ldap/storage	Indefinite. The data is regularly updated. When integration with Active Directory is disabled, the data is deleted.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx service has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permissions to view sections of the application that include an account autocompletion field.
Integration with Kaspersky Anti Targeted Attack Platform (KATA)
Information from email messages: IP addresses of message senders. Email addresses of message senders and recipients. Message subject. Message body. Message control headers. Names and bodies of email attachments. URLs contained in the message.	Forwarding of objects to be scanned on the KATA server	Data is not saved.	Data is not saved.	No access.

Scope of data transmitted to the Kaspersky Security Network (KSN) service

Data is sent to KSN servers in an encrypted form. By default, data can be accessed by Kaspersky staff, the root user account, and the 'kluser' user account used by application components.

For a full enumeration of user data transmitted to the KSN service, see the following table.

The enumerated data is transmitted only if consent has been given to participate in Kaspersky Security Network.

Data transmitted to the Kaspersky Security Network service

Data type	Where data is used	Storage location	Storage duration
Checksums (MD5, SHA2-256) of the object being scanned URL address for which reputation is being queried Connection protocol ID and port number Anti-Virus database ID and entry ID of the Anti-Virus databases that were used to scan the object Information about the certificate of the signed file (certificate fingerprint and SHA256 checksum of the public key of the certificate) ID and full version of the installed software ID of the KSN service accessed by the software Date and time when the object was submitted for scanning ID of software component ID of the scenario in which the object was submitted for scanning	Sending KSN requests	/var/opt/kaspersky/ksmg/	Indefinite. The maximum number of stored entries is 360,000. When this limit is reached, those entries are deleted that have not been accessed for the longest time.
Information about the operating system installed on the computer (type, version, bitness). Information about the installed application and computer (unique ID of the computer where the application is installed; unique ID of the application installation on the computer; name, localization, ID and full version of the installed application; date and time of software installation). Information about scanned objects (application database ID and application database entry ID; name of the detected threat in accordance with the Kaspersky classification system; checksum (MD5, SHA256); size, name, and type of the scanned object; full path to the scanned object; date and time when the object was scanned; IP address of the user; results of file and URL scanning; metadata of scanned objects; scanned URL; Referrer header; checksum of the scanned URL; checksum and size of the packer and container of the scanned object; date and time of the last database update installation; flag indicating whether the detection is from debugging). Information about scanned email messages (message ID; time when the message was received; target of the attack (name of the organization, website); weight level of the attack; value of the trust level; IP address of the sender from the SMTP session; information from message headers; IP addresses of intermediate mail transfer agents; data from the SMTP session; employed detection methods; fragment of the DKIM signature of the message; information about Mail Sender Authentication results; information about connections to the DNS server; information from the message for spam detection; size of the message in bytes; size of the attachment in bytes; checksum and type of attachment; size of the subject in bytes; name of the message encoding; information about whether the message has been in Anti-Spam Quarantine; information about HTML markup of the message; checksum and size of MIME parts; list of names of rules that caused the message to end up in Anti-Spam quarantine). Information about the operation of the Updater component (version of the Updater component; completion status of the Updater component update task; type and ID of Updater component update error if there is an error; exit code of the Update component update task; the number of times the Updater component has crashed while executing update tasks over the operation period of this component). Information about errors occurring during the operation of application components (information about application components that encountered an error; error type ID; fragments of component operation reports). Information about the version of the statistics packet, date and time when statistics gathering began, date and time when statistics gathering ended. Information about the application usage license (license ID, ID of the partner from which the license was acquired, serial number of the license key, date and time when the license key was added, indicator that the KSN Statement was accepted).	Sending KSN statistics	KSN servers	Before sending statistics to KSN. After disabling the sending of KSN statistics in application settings, the data is deleted when the next attempt to send them occurs.

Data type

Where data is used

Storage location

Storage duration

Checksums (MD5, SHA2-256) of the object being scanned
URL address for which reputation is being queried
Connection protocol ID and port number
Anti-Virus database ID and entry ID of the Anti-Virus databases that were used to scan the object
Information about the certificate of the signed file (certificate fingerprint and SHA256 checksum of the public key of the certificate)
ID and full version of the installed software
ID of the KSN service accessed by the software
Date and time when the object was submitted for scanning
ID of software component
ID of the scenario in which the object was submitted for scanning

Sending KSN requests

/var/opt/kaspersky/ksmg/

Indefinite.

The maximum number of stored entries is 360,000. When this limit is reached, those entries are deleted that have not been accessed for the longest time.

Information about the operating system installed on the computer (type, version, bitness).
Information about the installed application and computer (unique ID of the computer where the application is installed; unique ID of the application installation on the computer; name, localization, ID and full version of the installed application; date and time of software installation).
Information about scanned objects (application database ID and application database entry ID; name of the detected threat in accordance with the Kaspersky classification system; checksum (MD5, SHA256); size, name, and type of the scanned object; full path to the scanned object; date and time when the object was scanned; IP address of the user; results of file and URL scanning; metadata of scanned objects; scanned URL; Referrer header; checksum of the scanned URL; checksum and size of the packer and container of the scanned object; date and time of the last database update installation; flag indicating whether the detection is from debugging).
Information about scanned email messages (message ID; time when the message was received; target of the attack (name of the organization, website); weight level of the attack; value of the trust level; IP address of the sender from the SMTP session; information from message headers; IP addresses of intermediate mail transfer agents; data from the SMTP session; employed detection methods; fragment of the DKIM signature of the message; information about Mail Sender Authentication results; information about connections to the DNS server; information from the message for spam detection; size of the message in bytes; size of the attachment in bytes; checksum and type of attachment; size of the subject in bytes; name of the message encoding; information about whether the message has been in Anti-Spam Quarantine; information about HTML markup of the message; checksum and size of MIME parts; list of names of rules that caused the message to end up in Anti-Spam quarantine).
Information about the operation of the Updater component (version of the Updater component; completion status of the Updater component update task; type and ID of Updater component update error if there is an error; exit code of the Update component update task; the number of times the Updater component has crashed while executing update tasks over the operation period of this component).
Information about errors occurring during the operation of application components (information about application components that encountered an error; error type ID; fragments of component operation reports).
Information about the version of the statistics packet, date and time when statistics gathering began, date and time when statistics gathering ended.
Information about the application usage license (license ID, ID of the partner from which the license was acquired, serial number of the license key, date and time when the license key was added, indicator that the KSN Statement was accepted).

Sending KSN statistics

KSN servers

Before sending statistics to KSN.

After disabling the sending of KSN statistics in application settings, the data is deleted when the next attempt to send them occurs.

Updating application databases from Kaspersky servers

When the application databases are updated from Kaspersky servers, the following information is transmitted:

Application version and type
Unique ID of the current license key
Unique application installation ID
Update session ID

Kaspersky Endpoint Security for Business Advanced: Adaptive security of your company

Web and device controls. Data encryption. Centralized and convenient management from a single console.

Kaspersky Premium Support (MSA): High‑priority incident processing

Telephone and web ticket support. Fast response, monitoring and health check. Submit a request and activate the contract (MSA).

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.