New local user accounts can be defined in the Domain Settings → Users section.
First, choose a local domain in the Domain field, in which the accounts will be defined. Each domain may include local accounts as well as accounts saved in a directory service (e.g. Microsoft Active Directory). The list of users of the particular domain includes both types of accounts. However, only local accounts can be added (accounts for directory services must be created with the respective administration tools, e.g. Active Directory Users and Computers). Some of the features of accounts within a directory service can be edited.
If an account mapped from the directory service is deleted in the administration console, the account is disabled in Kerio MailServer.
The roles of each column of this window will be better understood through the following descriptions. The only exception — the Data source column — displays account types:
Internal — the account is stored in the internal user database.
LDAP — the account is saved in a directory service (Active Directory, Apple Open Directory).
To create a new user account, use the Add button to open the new user account wizard. If the domain is configured to be used with directory services (see chapter 10 Mapping users from directory services), a dialog where you can define whether you would like to activate users from a directory service or create a new local account will be displayed.
If a user is activated, a user account is saved into the directory service. Once activated, it can be used by Kerio MailServer. All events and information will be saved into the directory service.
If activating users from a directory service is selected, a dialog with the user list of the LDAP database used by Kerio MailServer will be opened. Select the appropriate users and confirm the selection. The buttons at the bottom left make user selection more comfortable: one button selects all users and another clears any selection.
The following guide shows how local user accounts can be defined.
The first step is shown only if at least one template for creating new accounts exists. A template is especially useful for creating multiple user accounts at once that have some parameters in common (e.g. authentication type, quotas, etc.). Entering these common parameters in a template can save a lot of time. For information about creating a new template, refer to chapter 8.10 User Account Templates.
User login name (note: the domain must be the local primary domain; otherwise enter the full email address, e.g. user@anothercompany.com, not only user).
The username is not case-sensitive.
In login name, diacritics as well as some special symbols are not supported and are therefore not allowed in this entry.
A full name of the user (usually first name and surname). This option is required, if the user data from this account are to be exported to a public contacts folder.
User description (e.g. a position in a company). The Description entry is for informative purposes only. It can contain any type of information or it can be left blank.
Possible authentication methods:
Internal user database
Users are only authenticated within Kerio MailServer. In this case a password must be entered in the Password and Confirm Password fields (the user can then change his/her password in the Kerio WebMail interface).
Passwords may contain printable symbols only (letters, numbers, punctuation marks). Passwords are case-sensitive.
Windows NT domain
Users are authenticated in a Windows NT domain. The NT domain name must be entered in the email domain properties (Windows NT domain in the Advanced tab). This authentication method can be used only if Kerio MailServer is running on Windows 2000/XP/2003. For details, see chapter 7.7 Authentication of domain users.
Kerberos 5
Users are authenticated in the Kerberos 5 authentication system.
PAM service
Authentication using the PAM service (Pluggable Authentication Module), available only in the Linux operating system.
Apple Open Directory
Authentication against Apple Open Directory database (only for mailservers installed on a Macintosh). The option can be selected only if the user is mapped from Apple Open Directory.
Only the local user password can be entered or changed. We strongly recommend changing the password immediately after the account is created.
If the password contains special (national) characters, users of some mail clients will not be able to log in to Kerio MailServer. It is therefore recommended to use only ASCII characters for passwords.
Temporary blocking of the account so that you do not have to remove it.
This feature is not identical with account blocking set under the Security Policy tab (see section 12.6 Advanced Options). If the user enters an invalid password too many times in a row and the limit set on the Security Policy tab is reached, the account is blocked automatically. To unblock the accounts, use the button on the Security Policy tab.
Upon creating a new user account, check this option to set the antispam rule. All incoming emails marked as spam will be automatically moved to the Junk mail folder. The rule can be set up only during the process of user account creation. Filtering and rules for incoming email are addressed in Kerio MailServer, User's Guide.
It is not recommended to create this rule when the user accesses emails via POP3. In such a case, only the INBOX folder is downloaded to the local client and the user is not able to check if the emails moved to the Spam folder are really spam emails.
The user's full name and address will be published in the default public Contacts folder which is used as an internal source of company contacts (full names and email addresses). The contact is added to the public folder only if Full Name is specified.
If users are mapped from Active Directory or Apple Open Directory, the entire LDAP database is synchronized every hour automatically. If you do not wish to synchronize a user to public contacts, uncheck this option.
By default, user passwords are encrypted by DES. The Store password in highly secure SHA format option allows for a more secure encryption (SHA string). This option has one disadvantage: some methods of Kerio MailServer access authentication (APOP, CRAM-MD5 and Digest-MD5) cannot be applied. The only methods available for this option are LOGIN and PLAIN (it is highly recommended to use only SSL connections for authentication).
If this option is enabled, it is necessary to change the user password. This can be done either by administrator or the user (e.g. by Kerio WebMail).
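Why SHA storage rules out the challenge-response methods, shown for CRAM-MD5 as an added example (not Kerio MailServer code): the server must recompute the client's HMAC from the password itself, which a one-way digest cannot supply, while PLAIN and LOGIN deliver the password so it can be hashed and compared. The salted SHA-256 store, the class and function names, and the sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def cram_md5_response(user, password, challenge):
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 keyed with the password."""
    mac = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {mac}"

def one_way(password, salt):
    # Salted SHA-256 stands in for the "SHA string"; the product's real format is not assumed.
    return hashlib.sha256(salt + password.encode()).digest()

class AccountStore:
    def __init__(self):
        self.recoverable = {}  # user -> password the server can get back (reversible storage)
        self.hashed = {}       # user -> (salt, digest); the password cannot be recovered

    def add(self, user, password, sha_format):
        if sha_format:
            salt = os.urandom(16)
            self.hashed[user] = (salt, one_way(password, salt))
        else:
            self.recoverable[user] = password

    def verify_cram_md5(self, user, challenge, response):
        secret = self.recoverable.get(user)
        if secret is None:
            return False  # only a digest is stored, so the HMAC cannot be recomputed
        expected = cram_md5_response(user, secret, challenge)
        return hmac.compare_digest(expected.encode(), response.encode())

    def verify_plain(self, user, password):
        # PLAIN and LOGIN hand the password to the server, so either store can check it.
        if user in self.hashed:
            salt, digest = self.hashed[user]
            return hmac.compare_digest(one_way(password, salt), digest)
        secret = self.recoverable.get(user)
        return secret is not None and hmac.compare_digest(secret.encode(), password.encode())

def demo():
    store = AccountStore()
    store.add("alice", "s3cret", sha_format=False)  # constructed sample accounts
    store.add("bob", "hunter2", sha_format=True)
    ch = b"<1896.697170952@mail.example.com>"       # constructed server challenge
    return (store.verify_cram_md5("alice", ch, cram_md5_response("alice", "s3cret", ch)),
            store.verify_cram_md5("bob", ch, cram_md5_response("bob", "hunter2", ch)),
            store.verify_plain("bob", "hunter2"))
```

Calling demo() shows that the account stored as a digest fails CRAM-MD5 even with the correct password but still passes PLAIN, which is why the password then travels to the server and the connection should be protected by SSL.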
In this step, all required email addresses of the user can be defined. The other addresses are called aliases. These can be defined either during the user definition or in Domain Settings/Aliases. We recommend using the first alternative: it is easier and the aliases are available through Active Directory.
If user accounts are maintained in Active Directory (see chapter 10.1 Active Directory), their aliases can be defined in Active Directory Users and Computers. Global aliases (in Domain Settings → Aliases) cannot be defined this way.
Messages for a user can be forwarded to other email accounts if defined. If the Deliver messages to... button is activated, messages will be saved in the local account and forwarded to the addresses defined by user (if not, messages will be forwarded only, not saved).
Note: The same functionality can be accomplished through the Domain Settings → Aliases dialog; however, creating aliases within the user definition dialog is smoother and easier to follow.
In this dialog window, you can add or remove groups of which the user is a member. Groups must be created first in the Domain Settings → Groups section. You can add users to groups during definition of groups. Therefore, it is not important which is created first — users or groups.
Each user must be assigned one of the following three levels of access rights.
These users do not have any access to Kerio MailServer administration. Most users will have this setting so they will only be able to access their own mailboxes.
These users can connect to Kerio MailServer administration but they can only view the logs and settings; they cannot make any changes.
These users have full rights to administration and are equal to the Admin account. If there is at least one user with such rights, the Admin account can be removed.
A special access right for KMS Web Administration (for more information, see chapter 32 KMS Web Administration). This setting is independent of the access rights settings for Kerio Administration Console.
By default, only Admin of the primary domain is allowed to administer the public folders. If there are multiple local domains with user accounts in Kerio MailServer, this option must be selected at least for one user in each domain. Each domain in Kerio MailServer has its own public folders and users of a different local domain are not allowed to access it (you can change this setting so that all public folders are accessible from all domains and from all users — for detailed information about this setting, see chapter 7.1 Initial settings).
By default, all users from one domain have read only rights for the public folders. The rights for public folders can be assigned by any user that has the administrator rights. The rights can be also assigned using the Kerio WebMail interface and MS Outlook with Kerio Outlook Connector.
All types of public services (email, calendars, contacts, tasks, notes) in Kerio MailServer can be viewed only in MS Outlook extended by the Kerio Outlook Connector and in Kerio WebMail. Other email clients usually display only email folders (for detailed information about all supported email clients, see Kerio MailServer, User's Guide).
You can set limits for each user's mailbox.
The maximum space for a mailbox. For greater ease in entering values you can choose between kilobytes (KB), megabytes (MB) or gigabytes (GB).
The maximum number of messages in the mailbox.
The value of either of these items can be set to 0 (zero), which means that there is no limit set for the mailbox.
The user quota prevents cluttering of the server disk. If either of the limits is reached, any new messages will be refused by the server.
When the quota is reached, the user will receive a warning message including a recommendation to delete some messages. It does not matter whether the quota was exceeded by number of messages or by the reserved disk space capacity. The quota is reached at the moment when an incoming message (or an event, a contact or a task) exceeds one of these limits.
A threshold of 90 per cent of the quota value is set (90 per cent of the limit set for the number of messages or 90 per cent of the disk space reserved). When this threshold is reached, an informative message is sent to the particular user. This value can be edited manually in the Kerio MailServer's configuration file, as follows:
Stop the Kerio MailServer Engine.
In the directory where Kerio MailServer is installed, find the mailserver.cfg file.
If the file is being edited on Mac OS X or Linux operating systems, log in to the system as the root user (a special user with full access rights to the system).
Open the mailserver.cfg file and look up the QuotaWarningThreshold value. The line is as follows:
<variable name="QuotaWarningThreshold">90</variable>
Change the value as needed and save the file.
Run Kerio MailServer.
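The manual edit described in the steps above, scripted as an added example (not a Kerio tool): it changes only the number on the QuotaWarningThreshold line, refuses to act unless that line occurs exactly once, and keeps a backup copy. The accepted range of 1 to 100, the function names and the sample fragment are assumptions; stopping and starting the engine remain separate steps.

```python
import re
import shutil
from pathlib import Path

# The variable line as shown on this page; only the number between the tags changes.
LINE = re.compile(r'(<variable name="QuotaWarningThreshold">)\s*(\d+)\s*(</variable>)')

def set_threshold(cfg_text, percent):
    """Return (new_text, old_value); refuse ambiguous input or an out-of-range value."""
    # Assumption: a useful threshold is a whole percentage from 1 to 100.
    if type(percent) is not int or not 1 <= percent <= 100:
        raise ValueError("threshold must be a whole percentage from 1 to 100")
    found = LINE.findall(cfg_text)
    if len(found) != 1:
        raise ValueError(f"expected one QuotaWarningThreshold line, found {len(found)}")
    new_text = LINE.sub(lambda m: f"{m.group(1)}{percent}{m.group(3)}", cfg_text)
    return new_text, int(found[0][1])

def update_file(path, percent):
    """Rewrite the file in place and keep a .bak copy; run it with the engine stopped."""
    path = Path(path)
    # latin-1 maps every byte to one character, so untouched bytes round-trip exactly.
    text = path.read_bytes().decode("latin-1")
    new_text, old = set_threshold(text, percent)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_bytes(new_text.encode("latin-1"))
    return old

# Constructed fragment: only the QuotaWarningThreshold line comes from the page,
# the neighbouring variable is a made-up placeholder.
SAMPLE = (
    '<variable name="ExamplePlaceholder">1</variable>\n'
    '<variable name="QuotaWarningThreshold">90</variable>\n'
)

if __name__ == "__main__":
    print(set_threshold(SAMPLE, 80)[0])
```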
These warning messages are sent every 24 hours (not more frequently). Even if a user removes messages to get under the quota threshold and then exceeds it again, the next informative message will be sent 24 hours after the first informative message.
Note: When problems regarding quota settings arise, information obtained in the Debug log might help. The log can be found in the section of the administration console. To log information on the quota's behaviour, enable the Quota and Login Statistics option (see chapter 25.9 Debug log for details).
Using this option, the administrator of Kerio MailServer can limit communication of the user to traffic on the local domain level. This feature may help solve issues of internal traffic in companies. By checking this option, a particular user will not be allowed to send messages to and/or receive messages from external domains.
Use this option to set the size limit for outgoing messages. The size limit can be either set for each user separately, or globally for the whole domain (see chapter 7.1 Initial settings). If no size limit is specified for the whole domain, it is recommended to set this option.
By setting the size limit, you can prevent the internet connection from being overloaded by emails with large attachments.
If both limits are set to 0, Kerio MailServer behaves the same way as if no limit was specified.
A limit set for a specific user has higher priority than limits applied to the entire domain.
Kerio MailServer includes an option of setting a special rule for automatic deletion of all items older than a defined number of days (for a mailbox, or for an entire domain in domain settings). This rule applies to the Junk E-Mail and Deleted Items folders.
For more information on this feature, read section 7.5 Automated items clean-out.