About data provision

3 July 2024

ID 171771

The application operates with the use of data whose transmission and processing requires the consent of the Kaspersky Secure Mail Gateway administrator.

You can view the list of data and the terms on which it is used as well as give consent to data processing in the following agreements between your organization and Kaspersky:

  • In the End User License Agreement.

    In accordance with the terms and conditions of the End User License Agreement that you have accepted, you consent to automatic real-time provision of information required for improving the security level of the mail server to Kaspersky. This information is enumerated in the End User License Agreement under "Conditions regarding Data Processing":

    • Type, version, and localization of the application
    • Versions of installed updates
    • Activation code and unique activation ID of the current license activation code
    • Computer ID and application installation ID
    • Type, version, and number of bits of the operating system
    • Name of the virtual environment
    • IDs of application components that were active at the time of data submission

    You can read the End User License Agreement when installing Kaspersky Secure Mail Gateway or in the /opt/kaspersky/ksmg-appliance-addon/share/htdocs/en_US/assets/eula directory in Technical Support Mode.

  • In the Privacy Policy.
  • In the Kaspersky Security Network Statement and the Supplementary Kaspersky Security Network Statement.

    In the course of participation in the Kaspersky Security Network and submission of KSN statistics to Kaspersky, information can be transmitted that was obtained as a result of the application operation. The list of data that is transmitted is provided in the Kaspersky Security Network Statement and the Supplementary Kaspersky Security Network Statement. You can read these Statements in the web interface in the Settings → External services KSN/KPSN KSN/KPSN settings section.

Data protection

Kaspersky protects any information received in this way as prescribed by law and applicable rules of Kaspersky. Data is transmitted over encrypted data links.

RAM of Kaspersky Secure Mail Gateway may contain any data of application users that are being processed. The administrator of Kaspersky Secure Mail Gateway must personally ensure the security of such data.

By default, access to personal information of users can only be gained by the superuser (root) account of operating systems, the administrator account of Kaspersky Secure Mail Gateway Local administrator, as well as system accounts kluser, postfix, opendkim, and nginx, which components of the application use in the course of their operation. The application itself has no capability to restrict the permissions of administrators and other users of operating systems on which the application is installed. Access to the storage location of the data is restricted by the file system. The administrator should take steps to control access to personal information of other users by any system level measures at the administrator's own discretion.

The local administrator can provide SSH access to the administrator account of the operating system (root). SSH access to personal data is not restricted.

The local administrator can provide access to the web interface. Access to personal data is provided in accordance with access rights configured for the role of the account.

Data is sent between cluster nodes through an encrypted channel (over HTTPS with authorization using a security certificate). Data is sent to the web interface through an encrypted channel over HTTPS. The local administrator is authorized with a password; other users of the web interface are authorized over Kerberos or NTLM protocol.

Connection to Active Directory is performed through an encrypted channel (TLS) with Kerberos authorization.

Email delivery supports SMTPS encryption.

Managing the application using the management console of the server on which the application is installed using the superuser account lets you manage dump settings. A dump is generated whenever the application crashes and can be useful for analyzing the causes of the crash. The dump may include any data, including fragments of analyzed files. By default, dump generation in Kaspersky Secure Mail Gateway is disabled.

Access to such data can be gained from the Management Console of the server on which the application is installed, using an account with super-user privileges.

When sending diagnostic information to Kaspersky Technical Support, the Kaspersky Secure Mail Gateway administrator must take steps to ensure the security of dumps and trace files.

The administrator of Kaspersky Secure Mail Gateway is responsible for access to this information.

Scope of data that can be stored by the application

The following table contains the complete list of user data that can be stored by Kaspersky Secure Mail Gateway.

User data that can be stored in Kaspersky Secure Mail Gateway

Data type

Where data is used

Storage location

Storage duration

Access

Basic functionality of the application

  • Account names of application administrator and users.
  • Access permissions of user accounts of the application.
  • Hash of the Local administrator password.
  • User account name and password that the application uses to connect to the proxy server.
  • Keytab files and settings for connecting to the LDAP server.
  • Comments.

Application configuration

/var/opt/kaspersky

Indefinite.

  • The root user has access to the storage location of the information.
  • The kluser user has access to the storage location of the information as well as the data while it is being processed.
  • The nginx service has access to the data while it is transmitted between nodes or to the web interface.
  • Users of the application web interface that have permissions to view application settings.
  • Names of user accounts and contacts in LDAP and other LDAP attributes.
  • Email addresses of message senders and recipients.
  • IP addresses of users and mail servers.
  • Comments.

Message processing rules

/var/opt/kaspersky

Indefinite.

  • The root user has access to the storage location of the information.
  • The kluser user has access to the storage location of the information as well as the data while it is being processed.
  • The nginx service has access to the data while it is transmitted between nodes or to the web interface.
  • Users of the application web interface that have permissions to view message processing rules.

Information from email messages:

  • IP addresses of users and mail servers.
  • Email addresses of message senders and recipients.

Information about LDAP attributes of users:

  • Names of user accounts in LDAP and other LDAP attributes.

Application statistics

/var/opt/kaspersky

Indefinite.

  • The root user has access to the storage location of the information.
  • The kluser user has access to the storage location of the information as well as the data while it is being processed.
  • The nginx service has access to the data while it is transmitted between nodes or to the web interface.
  • Users of the application web interface that have permissions to view reports and the Monitoring section.

Information from email messages:

  • IP addresses of users and mail servers.
  • Email addresses of message senders and recipients.
  • Names of email attachments.
  • Message subject.

Information about LDAP attributes of users:

  • Names of user accounts and contacts in LDAP and other LDAP attributes.

Message processing event log

/var/opt/kaspersky

In accordance with settings specified by the user of the application.

By default, the storage duration is 3 days and the maximum size of the log is 1 GB.

When this limit is reached, older records are deleted.

  • The root user has access to the storage location of the information.
  • The kluser user has access to the storage location of the information as well as the data while it is being processed.
  • The nginx service has access to the data while it is transmitted between nodes or to the web interface.
  • Users of the application web interface that have the View mail traffic events permission.

/var/log/ksmg-messages

Indefinite.

When the size reaches 23 GB, older records are deleted.

  • The root user has access to the storage location of the information.
  • The kluser user has access to the storage location of the information and can also have access to data when receiving diagnostic information and logging events.
  • The nginx service has access to the data while it is transmitted between nodes or to the web interface.
  • Users of the application web interface that have the View mail traffic events permission.

/var/log/ksmg-important

Indefinite.

When the size reaches 500 MB, older records are deleted.

  • The root user has access to the storage location of the information.
  • The kluser user has access to the storage location of the information and can also have access to data when receiving diagnostic information and logging events.
  • The nginx service has access to the data while it is transmitted between nodes or to the web interface.
  • Users of the application web interface that have the View mail traffic events permission.
  • The name of the user account that initiated the event.
  • IP addresses used for downloading updates.
  • IP addresses of update sources.

Application event log

/var/opt/kaspersky

In accordance with settings specified by the user of the application.

By default, the storage duration is 1100 days, or the maximum size of the log is 1 GB.

When this limit is reached, older records are deleted.

  • The root user has access to the storage location of the information.
  • The kluser user has access to the storage location of the information as well as the data while it is being processed.
  • The nginx service has access to the data while it is transmitted between nodes or to the web interface.
  • Users of the application web interface that have the View program events permission.

/var/log/ksmg-messages

Indefinite.

When the size reaches 23 GB, older records are deleted.

  • The root user has access to the storage location of the information.
  • The kluser user has access to the storage location of the information and can also have access to data when receiving diagnostic information and logging events.
  • The nginx service has access to the data while it is transmitted between nodes or to the web interface.
  • Users of the application web interface that have the View program events permission.

/var/log/ksmg-important

Indefinite.

When the size reaches 500 MB, older records are deleted.

  • The root user has access to the storage location of the information.
  • The kluser user has access to the storage location of the information and can also have access to data when receiving diagnostic information and logging events.
  • The nginx service has access to the data while it is transmitted between nodes or to the web interface.
  • Users of the application web interface that have the View program events permission.

Information from email messages:

  • IP addresses of users and mail servers.
  • Email addresses of message senders and recipients.
  • Message subject.
  • Message body.
  • Message control headers.
  • Names and bodies of email attachments.

Data on application updates:

  • IP addresses used for downloading updates.
  • IP addresses of update sources.
  • Information about downloaded files and download speed.

Information about user accounts:

  • Names of administrator accounts and application web interface user accounts.
  • Names of user accounts in LDAP and other LDAP attributes.

Trace files

/var/log/kaspersky

Indefinite.

When the size reaches 150 MB per trace stream, older records are deleted.

  • The root user has access to the storage location of the information.
  • The kluser user has access to the storage location of the information and can also have access to data when receiving diagnostic information and logging events.
  • The nginx service has access to the data while it is transmitted between nodes or to the web interface.
  • Users of the application web interface that have permissions to receive diagnostic information.

/var/log/kaspersky/extra

Indefinite.

When the size reaches 400 MB per trace stream, older records are deleted.

/var/log/ksmg-traces

Indefinite.

When the size reaches 23 GB per trace stream, older records are deleted.

Information from email messages:

  • IP addresses of users and mail servers.
  • Email addresses of message senders and recipients.
  • Message subject.
  • Message body.
  • Message control headers.
  • Names and bodies of email attachments.

Backup

/var/opt/kaspersky

Indefinite.

When the size reaches 7 GB, older records are deleted.

  • The root user has access to the storage location of the information.
  • The kluser user has access to the storage location of the information as well as the data while it is being processed.
  • The nginx service has access to the data while it is transmitted between nodes or to the web interface.
  • The postfix and opendkim services have access to messages while they are being fetched from Backup.
  • Users of the application web interface that have permissions to view Backup.

Information from email messages:

  • IP addresses of users and mail servers.
  • Email addresses of message senders and recipients.
  • Message subject.
  • Message body.
  • Message control headers.
  • Names and bodies of email attachments.

Anti-Spam Quarantine

/var/opt/kaspersky

Indefinite.

When the size reaches 1 GB, older records are deleted.

  • The root user has access to the storage location of the information.
  • The kluser user has access to the storage location of the information as well as the data while it is being processed.
  • The nginx service has access to the data while it is transmitted between nodes or to the web interface.
  • Users of the application web interface that have permissions to view the message queue.

Information from email messages:

  • IP addresses of users and mail servers.
  • Email addresses of message senders and recipients.
  • Message subject.
  • Message body.
  • Message control headers.
  • Names and bodies of email attachments.
  • URLs contained in the message.

KATA Quarantine.

/var/opt/kaspersky

Indefinite.

When the 1 GB or 5000 message limit is reached (the values can be configured by the administrator), new messages are not placed in KATA Quarantine.

  • The root user has access to the storage location of the information.
  • The kluser user has access to the storage location of the information as well as the data while it is being processed.
  • The nginx service has access to the data while it is transmitted between nodes or to the web interface.
  • Users of the application web interface that have permissions to view the message queue.

Information from email messages:

  • IP addresses of users and mail servers.
  • Email addresses of message senders and recipients.
  • Message subject.
  • Message body.
  • Message control headers.
  • Names and bodies of email attachments.

Temporary files

  • /tmp/ksmgtmp
  • /tmp/klms_filter

Until application restart.

  • The root user has access to the storage location of the information.
  • The kluser user has access to the storage location of the information as well as the data while it is being processed.
  • The postfix and opendkim services have access to processed messages while they are being delivered.

Integration with Active Directory

  • Email address of the user.
  • Email address of the contact.
  • DN record of the user.
  • DN record of the contact.
  • CN of the user.
  • CN of the contact.
  • sAMAccountName.
  • UPN suffix.
  • objectSID.
  • Message processing rules.
  • Authentication using the single sign-on technology.
  • Autocompletion of user accounts when managing user roles and permissions, or when configuring message processing rules.

/var/opt/kaspersky/ksmg/ldap/cache.dbm

Indefinite.

The data is regularly updated.

When integration with Active Directory is disabled, the data is deleted.

  • The root user has access to the storage location of the information.
  • The kluser user has access to the storage location of the information as well as the data while it is being processed.
  • The nginx service has access to the data while it is transmitted between nodes or to the web interface.
  • Users of the application web interface that have permissions to view sections of the application that include an account autocompletion field.

Integration with Kaspersky Anti Targeted Attack Platform (KATA)

Information from email messages:

  • IP addresses of users and mail servers.
  • Email addresses of message senders and recipients.
  • Message subject.
  • Message body.
  • Message control headers.
  • Names and bodies of email attachments.
  • URLs contained in the message.

Forwarding of objects to be scanned on the KATA server

Data is not saved.

Data is not saved.

No access.

Built-in mail server functionality

  • Certificates for establishing TLS connections.
  • Certificate private key files.
  • Private keys for DKIM signatures.
  • Email addresses of users.
  • IP addresses and domain names of mail servers.

Built-in mail server settings

/etc/postfix/

/var/opt/kaspersky/

Indefinite.

Data is deleted when the corresponding settings are removed in the application web interface.

Certificate files can be overwritten when a certificate is replaced.

  • The root user has access to the storage location of the information.
  • The kluser user has access to the storage location of the information as well as the data while it is being processed.
  • The nginx service has access to the data while it is transmitted between nodes or to the web interface.
  • The postfix and opendkim services have access to the storage location of the information and the data when it is being processed.
  • Users of the application web interface that have permissions to view settings of the built-in mail server have access to data except private keys.

Information from email messages:

  • IP addresses of users and mail servers.
  • Email addresses of message senders and recipients.
  • Domain names of mail servers.
  • TLS encryption information.

Event log of the built-in mail server

/var/log/maillog

Indefinite.

When the size reaches 23 GB, older records are deleted.

  • The root user has access to the storage location of the information.
  • The kluser user has access to the storage location of the information as well as the data when receiving diagnostic information.
  • The nginx service has access to the data while it is transmitted between nodes or to the web interface.
  • The postfix and opendkim services have access to the data when logging events.
  • Users of the application web interface that have permissions to receive diagnostic information.

Information from email messages:

  • Email addresses of message senders and recipients.
  • Message subject.
  • Message body.
  • Message control headers.

Message queues of the built-in mail server

/var/spool/postfix

Indefinite.

Messages are deleted when they are delivered to recipients.

  • The root user has access to the storage location of the information.
  • The kluser user has access to the storage location of the information as well as the data while managing message queues of the built-in mail server.
  • The nginx service has access to the data while it is transmitted between nodes or to the web interface.
  • The postfix service has access data when data is being processed.
  • Users of the application web interface that have permissions to view message queues.

Connecting over SSH:

  • IP address of the user.
  • Name of the user account.
  • SSH key fingerprint.

Connecting over the web interface:

  • IP address of the user.
  • Name of the user account.

Authorization event log

/var/log/secure

Not longer than 5 weeks.

A weekly file rotation is maintained.

  • The root user has access to the storage location of the information.
  • The kluser user has access to the storage location of the information as well as the data while it is being processed.
  • The nginx service has access to the data while it is transmitted between nodes or to the web interface.
  • Users of the application web interface that have permissions to receive diagnostic information.

Public SSH keys of application administrators.

Built-in SSH server settings

/etc/ssh/authorized_keys

Indefinite.

Data is deleted when the corresponding settings are removed in the application web interface.

  • The root user has access to the storage location of the information.
  • The kluser user has access to the storage location of the information as well as the data when managing the built-in SSH server settings.
  • The nginx service has access to the data while it is transmitted between nodes or to the web interface.
  • Users of the application web interface that have permissions to view the settings of the built-in SSH server.

Scope of data transmitted to the Kaspersky Security Network service

Data is sent to KSN servers in an encrypted form. By default, data can be accessed by Kaspersky staff, the superuser (root) account of operating systems, and the kluser system account used by application components.

For a full enumeration of user data transmitted to the KSN service, see the following table.

The enumerated data is transmitted only if consent has been given to participate in Kaspersky Security Network.

Data transmitted to the Kaspersky Security Network service

Data type

Where data is used

Storage location

Storage duration

  • Checksums (MD5, SHA2-256) of the object being scanned
  • URL address for which reputation is being queried
  • Connection protocol ID and port number
  • Anti-Virus database ID and entry ID of the Anti-Virus databases that were used to scan the object
  • Information about the certificate of the signed file (certificate fingerprint and SHA256 checksum of the public key of the certificate)
  • ID and full version of the installed software
  • ID of the KSN service accessed by the software
  • Date and time when the object was submitted for scanning
  • ID of software component
  • ID of the scenario in which the object was submitted for scanning

Sending KSN requests

KSN servers

Indefinite.

The maximum number of stored entries is 360,000. When this limit is reached, those entries are deleted that have not been accessed for the longest time.

  • Information about the operating system installed on the computer (type, version, bitness).
  • Information about the installed application and computer (unique ID of the computer where the application is installed; unique ID of the application installation on the computer; name, localization, ID and full version of the installed application; date and time of software installation).
  • Information about scanned objects (application database ID and application database entry ID; name of the detected threat in accordance with the Kaspersky classification system; checksum (MD5, SHA256); size, name, and type of the scanned object; full path to the scanned object; date and time when the object was scanned; IP address of the user; results of file and URL scanning; metadata of scanned objects; scanned URL; Referrer header; checksum of the scanned URL; checksum and size of the packer and container of the scanned object; date and time of the last database update installation; flag indicating whether the detection is from debugging).
  • Information about scanned email messages (message ID; time when the message was received; target of the attack (name of the organization, website); weight level of the attack; value of the trust level; IP address of the sender from the SMTP session; information from message headers; IP addresses of intermediate mail transfer agents; data from the SMTP session; employed detection methods; fragment of the DKIM signature of the message; information about Mail Sender Authentication results; information about connections to the DNS server; information from the message for spam detection; size of the message in bytes; size of the attachment in bytes; checksum and type of attachment; size of the subject in bytes; name of the message encoding; information about whether the message has been in Anti-Spam Quarantine; information about HTML markup of the message; checksum and size of MIME parts).
  • Information about the operation of the Updater component (version of the Updater component; completion status of the Updater component update task; type and ID of Updater component update error if there is an error; exit code of the Update component update task; the number of times the Updater component has crashed while executing update tasks over the operation period of this component).
  • Information about errors occurring during the operation of software components (information about software components that encountered an error; error type ID; fragments of component operation reports).
  • Information about the version of the statistics packet, date and time when statistics gathering began, date and time when statistics gathering ended.
  • Information about the software usage license (license ID, ID of the partner from which the license was acquired, license serial number, date and time when the license key was added, indicator that the KSN Statement was accepted).

Sending KSN statistics

KSN servers

Before sending statistics to KSN.

After disabling the sending of KSN statistics in application settings, the data is deleted when the next attempt to send them occurs.

When the application databases are updated from Kaspersky servers, the following information is transmitted:

  • Application version and type
  • Unique ID of the current license key
  • Unique application installation ID
  • Update session ID

See also

Application licensing

About the End User License Agreement

About the license certificate

About the key

About the key file

About the activation code

About the subscription

Modes of Kaspersky Secure Mail Gateway operation under license

Adding an activation code

Adding a key file

Removing a key

Monitoring license key status

Configuring warnings about upcoming license key expiration

Purchasing a license

Renewing a license

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.