17.4  Keeping sessions between Kerio MailServer and Kerio WebMail secure

17.4.1  Setting session protection

Users often simply close their browsers without logging out of Kerio WebMail. In such cases, the session is not terminated and can be misused more easily (the longer the session stays open, the greater the risk). For this reason, a session timeout can be set. If the user does not use the session for this time (the session is idle),[6] the connection with the server is dropped when the idle timeout expires. By default, the timeout is set to two hours.

In addition to the idle timeout, a maximum session time can also be set. The maximum session time is measured from the moment the user connects. If users use the Kerio WebMail interface as the main connection to their mailboxes, set the time to at least a value between 8 and 10 hours. Too short an interval might cause inappropriate closure of a session (while a user is editing a message, for example), which is not desirable.

Note: If the user has started composing a message and the session expires before it is finished, the user must authenticate again to reconnect. After successful re-authentication, the message can be finished and sent.

Another protection option is automatic logout from Kerio WebMail when the client's IP address changes. A user's session might be hijacked by an attacker (especially if HTTP is not secured by SSL) and used to access the server. An attacker connecting to the session changes the client's IP address.

Warning

  • The “anti-hijack” protection must be disabled if Kerio MailServer users share their accounts, because the option disallows connections to a single account from multiple hosts (IP addresses) at a time.

  • The “anti-hijack” protection also cannot be applied if your ISP changes IP addresses during the connection (e.g. GPRS or WiFi connections).
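To make the three protections concrete, the following is an added example (not Kerio's code, and not how Kerio MailServer implements them internally) of a minimal session table in Python that enforces an idle timeout, a maximum session time and the IP-change logout, with the same semantics the text describes: any request, auto-refresh included, counts as activity; the maximum time is counted from login; a request from a different IP address ends the session when the option is on. The 2-hour idle default comes from the text; the 9-hour maximum, the session IDs, user names, IP addresses and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy values: the 2 h idle timeout is the page's default; the 9 h maximum
# is an assumed value inside the 8-10 h range the text recommends.
IDLE_TIMEOUT = timedelta(hours=2)
MAX_SESSION_TIME = timedelta(hours=9)
FORCE_LOGOUT_ON_IP_CHANGE = True   # the "anti-hijack" option, assumed enabled


@dataclass
class Session:
    user: str
    client_ip: str      # IP address seen at login
    created: datetime   # start of the session (maximum time is counted from here)
    last_activity: datetime


class SessionStore:
    """Toy session table enforcing idle timeout, maximum time and IP binding."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, max_session_time=MAX_SESSION_TIME,
                 force_logout_on_ip_change=FORCE_LOGOUT_ON_IP_CHANGE):
        self.idle_timeout = idle_timeout
        self.max_session_time = max_session_time
        self.force_logout_on_ip_change = force_logout_on_ip_change
        self._sessions = {}

    def login(self, session_id, user, client_ip, now):
        self._sessions[session_id] = Session(user, client_ip, now, now)

    def validate(self, session_id, client_ip, now):
        """Check one request; returns (ok, reason). Any request counts as activity."""
        s = self._sessions.get(session_id)
        if s is None:
            return False, "no such session"
        # Idle timeout: the browser was closed (or the URL rewritten) without logout.
        if now - s.last_activity > self.idle_timeout:
            self._sessions.pop(session_id)
            return False, "idle timeout expired"
        # Maximum session time: measured from login, regardless of activity.
        if now - s.created > self.max_session_time:
            self._sessions.pop(session_id)
            return False, "maximum session time exceeded"
        # Anti-hijack: a request from another IP address ends the session.
        if self.force_logout_on_ip_change and client_ip != s.client_ip:
            self._sessions.pop(session_id)
            return False, "client IP address changed"
        s.last_activity = now   # auto-refresh requests keep the session alive
        return True, "ok"


def simulate(force_logout_on_ip_change=True):
    """Walk constructed sessions through each outcome; returns the (ok, reason) pairs."""
    t0 = datetime(2024, 1, 1, 8, 0)   # constructed login time
    store = SessionStore(force_logout_on_ip_change=force_logout_on_ip_change)
    results = []

    # Session 1: an auto-refresh 30 min later is fine, a request from another
    # IP address one minute after that is treated as a hijacked session.
    store.login("sid-1", "alice", "192.0.2.10", t0)
    results.append(store.validate("sid-1", "192.0.2.10", t0 + timedelta(minutes=30)))
    results.append(store.validate("sid-1", "192.0.2.99", t0 + timedelta(minutes=31)))

    # Session 2: browser closed without logout; next request arrives after the
    # 2 h idle timeout has passed.
    store.login("sid-2", "bob", "198.51.100.7", t0)
    results.append(store.validate("sid-2", "198.51.100.7", t0 + timedelta(hours=2, minutes=1)))

    # Session 3: kept alive by a refresh every 30 min, but still ends once the
    # 9 h maximum session time is exceeded.
    store.login("sid-3", "carol", "203.0.113.5", t0)
    t, ok, reason = t0, True, "ok"
    while ok and t < t0 + timedelta(hours=10):
        t += timedelta(minutes=30)
        ok, reason = store.validate("sid-3", "203.0.113.5", t)
    results.append((ok, reason))
    return results


if __name__ == "__main__":
    for ok, reason in simulate():
        print(ok, reason)
```

Running `simulate(force_logout_on_ip_change=False)` shows the trade-off from the warning above: the request from the second IP address is then accepted, which is what shared accounts and ISPs that reassign addresses mid-connection need, at the cost of not detecting the address change.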

To set session protection, follow these guidelines:

Figure 17.4. Securing of the connection between the server and the Kerio WebMail interface

  1. In the administration interface, go to Configuration → Advanced Options.

  2. Open the WebMail tab (see figure 17.4  Securing of the connection between the server and the Kerio WebMail interface).

  3. Set the session expiration (idle) timeout.

  4. Set the maximum session time length. This depends on how often the WebMail interface is used; the default value is appropriate if WebMail is used as the main tool for accessing mailboxes.

  5. If you do not connect via an ISP that changes IP addresses within sessions, it is also recommended to enable the Force WebMail logout if user's IP address changes option.

[6] A session is idle when no request at all, auto-refresh requests included, is sent to the server. This means the timeout applies only if the user closes the Kerio WebMail interface without having logged out, or simply navigates to another page by rewriting the URL in the corresponding browser tab.