Kaspersky Anti-Virus for Linux Mail Server 5.6.15.1 - BETA RELEASE NOTES 
================================================================================
Released on (2007-11-08)

Contents:
  * What's new?
  * Changed Features
  * Product Overview
  * System Requirements
  * Product Installation/Removal & Upgrade
  * Known Issues & Workarounds
  * Troubleshooting & Support
  * Trial Licensing
  * SNMP Additional Notes



What's new?
--------------------------------------------------------------------------------
 * Groups Configuration - now you can setup custom policies by defining Senders/
   Recipients rules. The following sections are now configured by group: 
     actions - what to do if criteria match;
     content-filtering - rules for message content by checking headers and size;
     notifications - custom e-mail notifications for each type of verdict;
     backup - save original messages and optional additional information.

   A group has also a 'definition' section, where you have to specify a unique
   priority and matching Senders/Recipients rules. Once a message matches both
   senders and recipients specified, the group is selected. If several groups can
   be selected only the one with the highest priority is finally chosen.

   Additionally, in group 'settings' section you can configure ScanPolicy, 
   placeholder notice policy, AddXHeader and AddDisclaimer options, and reject 
   message.

  IMPORTANT: The group priority is just a unique identified for this policy. The 
  file name on which this policy is defined is not meaningful (like in KAV for 
  Sendmail with Milter API). One needs to make sure that all subsequent sections 
  have the same group name.  When creating new groups by copying the default group,
  all occurrences of "default" in section names must be replaced with a unique
  group name.

 * SNMP Services - by enabling this feature, you can query KAV4LMS for config
   keywords, for statistics counters and administrative information (updates and
   application status). Any of the enabled SNMP functionality will make kav4lms
   act like a sub-agent, talking to a master agent via AgentX. 

   The possibility of querying statistics counter can be combined with RRDTool or
   MRTG to fetch and store the data, and then create some expressive graphs on
   KAV4LMS activity. 

 * SNMP Traps - this release includes support for SNMP traps, namely notifications
   triggered by some events.
   You can get notified when the application started or was stopped, a new update 
   was done and bases were reloaded, or the configuration was reloaded.
   In order to use AlertThreshold trap you must enable message statistics.

 * Per Message Statistics - for detailed information on content analysis performed
   for every message, you can turn this on and get a record for each scanned message.
   This entry per message contains: 
     - time of scanning
     - message sender
     - message recipients
     - all security verdicts taken per message or per part
     - a list of found malware, if any
     - IP address of the originating host
     - message ID assigned by MTA


 
Changed Features
--------------------------------------------------------------------------------
  IMPORTANT - All paths now are changed to conform with FHS requirements.

 * aveserver protocol - Because there was a major change in the services logic
   and implementation, it now uses a new protocol. If you have applications that
   talk directly to the scanning service, please write to support and ask for
   documentation of the new protocol. The main service binary now is named kavmd
   to make clean the generation difference.



Product Overview
--------------------------------------------------------------------------------
Kaspersky Anti-Virus for Linux Mail Server  (KAV4LMS) is a anti-virus and
content filtering service, able to intercept the incoming and outgoing mail
traffic, scanning all messages as they pass.

This is done by using MTA specific plug-ins, that send the messages to a central
scanning service, which performs the analysis - eventually applying security
policies, and gives back the changes.

Currently the following MTAs are supported: Sendmail (only with Milter API),
Postfix, Exim and qmail. See also the software requirements below.



System Requirements
--------------------------------------------------------------------------------
For smooth operation of Kaspersky Anti-Virus for Linux Mail Server, your
mail server must meet the following hardware and software requirements:

Minimum hardware requirements for program operation:
  * Intel Pentium 133 MHz processor or higher
  * 32 MB RAM
  * 100 MB available space on your hard drive (this amount does not include
    space necessary for storing backup message copies).

Minimum hardware requirements for a mail server with about 800 MB of traffic
per day (250-300 mail accounts (addresses)):
  * Celeron (Mendocino) 400 MHz processor
  * 512 MB RAM
  * 8 GB available space on your hard drive (this amount does not include
    space necessary for storing backup message copies).

Optimal hardware requirements:
  * For a mail server with about 800 MB of traffic per day (250-300 mail accounts
    (addresses)):
      + 2xPentium Xeon 1,8 GHz processor
      + 1 GB RAM
      + 100 MB available space on your hard drive (for Kaspersky Anti-
        Virus operation).

  * For a mail server with about 400 MB of traffic per day (100-150 mail accounts
    (addresses)):
      + Pentium III 900 MHz processor
      + 512 MB RAM.

Software requirements:
  1. One of the following operating systems:
    32-bit OS
      * Red Hat Enterprise Linux 5 Server
      * Fedora Core 6
      * SUSE Linux Enterprise Server 10
      * openSUSE Linux 10.2
      * Debian GNU/Linux 3.1 updated (r4)
      * Mandriva 2007
      * FreeBSD 5.5, 6.2
    64-bit OS
      * Red Hat Enterprise Linux 5 Server
      * Fedora Core 6
      * SUSE Linux Enterprise Server 10 
      * openSUSE Linux 10.2
  2. One of the following MTAs with minimum required versions:
    * Sendmail 8.12+
    * Postfix snapshot_20000529+
    * Exim 4.0
    * qmail 1.03
  3. [optional] Webmin program (www.webmin.com) (installed) to manage Kaspersky
     Anti-Virus from a remote location.
  4. [optional] If you want to use SNMP functionality with NET-SNMP then you should
     install net-snmp 5.2.1.2 or later.



Product Installation/Removal & Upgrade
--------------------------------------------------------------------------------
To install the product use the system specific command:

  on Linux/RPM:    rpm  -i <package>.rpm
  on Linux/Debian: dpkg -i <package>.deb
  on FreeBSD:      pkg_add <package>.tgz

The product should do some automated steps upon installation, namely:
  * create "kluser" user and "klusers" group if they do not exist;
  * add product update information;
  * add trial/beta keys (if any);
  * register "kav4lms" as a service (to be launched upon start-up);
  * install kav4lms webmin module (if webmin is present).

To check that setup modifications were made, you can use the setup script:
  kav4lms-setup.sh --check-<option>

If you decide to remove the package, you should use system specific commands:
  on Linux/RPM:    rpm  -e <package-name>
  on Linux/Debian: dpkg -r <package-name> (keeps config) 
                   or dpkg -P <package-name> (removes completely)
  on FreeBSD:      pkg_delete <package-name>



Known Issues & Workarounds
--------------------------------------------------------------------------------
(18397) The product setup does not have support for SELinux or AppArmor policies.
  For the product to be functional, the administrator must either disable these
  systems or write policies to allow the product to function when they are active.

(16587) The MTA integration with Exim and Postfix is post-queue model, therefore
  any 'reject' action in content-filtering/av-scanning will result in a bounce.
  This model (post-queue) was chosen for efficiency and future version of setup
  may also add pre-queue integration.

(30100) Content filtering actions can only be taken on "leaf" parts, that means it
  cannot delete complex message parts but only the part with the matching content-type.
  That is why if content-filtering rules match any of the header types 'message/*'
  or 'multipart/*' the action shall NOT be taken but a warning shall be logged instead. 

(30645,30628) When running keepup2date from command line, it will always use first
  $TEMP/$TMP environment setting, and not TempDir from [path] section. This might be
  a problem on some OSes where TMP is not world writable and [options] section also sets
  a particular user. Such a case is on Mandriva where it is set to /root/tmp.
  This should not be a problem when running under 'kluser' from a registered cron job.
  The workaround is to manually set a usable directory, e.g. 
  # TMP=/var/tmp /opt/kaspersky/kav4lms/bin/keepup2date

(29234) The kavscanner command line scanner binary may abort execution if it runs
  out of memory when scanning large files. The workaround is to allow the process
  to use more memory (with ulimit) and also to ensure the system has enough memory.

(29109) There is no migration tool or tutorial for upgrading from Kaspersky Anti-Virus 
  5.5 for Linux, FreeBSD and OpenBSD Mail Servers (kav4mailservers-5.5) or from 
  Kaspersky Anti-Virus for Sendmail with Milter API (kav4milter-5.6). This will be added 
  in Technical Release.

(30272) The product does not integrate correctly with Exim MTA if Kaspersky Anti-Spam 
  is also installed.
      
(30033) For some licensing keys combination the expiration date is wrongly computed.
  The workaround is to use only one license key at a time. The issue will be fixed by
  Technical Release.

(26807,26808) Man pages for kavmd binary and kav4lms.conf configuration files are not 
  complete. They shall be added by Technical Release. For now you should read the verbose
  comments in the configuration file and the Administrator's Guide included in the package.



Troubleshooting & Support
--------------------------------------------------------------------------------
To get help on product related issues, please send an e-mail to Kaspersky Lab:
  LinuxMail@kaspersky.com

To investigate a problem you can also visit:
  http://support.kaspersky.com - to find out other means of getting help,
                                 to check knowledge base for similar issues.

To obtain latest Admin Guide manuals visit:
  ftp://ftp.kaspersky.com/docs/<language>
  where depending on preferred language you shall find an up to date manual
  for this product named kav5.6_linuxms_<language-code>.pdf



Trial Licensing
--------------------------------------------------------------------------------
Some packages may include trial keys. They should be registered automatically
upon installation. These keys are under /var/opt/kaspersky/kav4lms/licenses/

You can switch between any of the licensing models by setting the active trial key
using licensemanager or kav4lms-setup.sh (preferred), e.g.:
  kav4lms-setup.sh --set-key=000DB76F
  kav4lms-setup.sh --set-key=000DB795.key
  kav4lms-setup.sh --set-key=/var/opt/kaspersky/kav4lms/licenses/000DB76F.key

(Note that on FreeBSD the path is /var/db/kaspersky/kav4lms/licenses)



SNMP Additional Notes
--------------------------------------------------------------------------------
Since 5.6 versions, KAV4LMS comes with SNMP support. That is, read only requests
for product configuration, statistics counters and update status, and SNMP traps on
specific events.

When activated, the product becomes a sub-agent for an agent you need to configure.
It will talk to its master agent using AgentX protocol. The master agent can be
any SNMP product supporting sub-agents; we suggest NET-SNMP 5.2.1.2 or newer.

To enable sub-agent support in NET-SNMP you need to add in snmpd.conf:
  "master agentx"

And configure properly the listening socket, e.g.:
  "AgentXSocket 127.0.0.1:705"

Set a convenient timeout (default is 1s):
  "AgentXTimeout 5"

Note that by default NET-SNMP listens on a UNIX domain socket with restrictive 
permissions, and you might need to allow access by kluser user, e.g.:
  "AgentXPerms 770 770 root klusers"

If you want to receive product traps, you need to configure a trap sink, e.g.:
  "trap2sink localhost"

Remember you must start snmpd and snmptrapd services *before* kav4lms,
otherwise the failure to register with an agent will cause the product to stop
as on critical error. If you do not have an agent configured to allow sub-agents 
registration via AgentX, you should turn SNMP off in the product settings.