In the
section you can set several advanced parameters for the mailserver.
Convert IP addresses of remote clients and servers connecting to Kerio MailServer to DNS names (using reverse DNS requests). This makes logs more comprehensible, but it can also decrease the performance of Kerio MailServer.
Enable this option if you do not wish to reveal the version and name of the mailserver application for this domain.
Activating or disabling this option requires a restart of Kerio MailServer.
Kerio MailServer will hide the local IP address (included in the IP address group defined in the Relay Control tab of ) in the Received header of the message.
Each SMTP server that the message passes through inserts an entry into this header, specifying where the message came from, where it is going and who received it. This implies that the first Received record contains the sender's email and IP addresses. If the SMTP server is placed on a private network behind a firewall, the client's private IP address is inserted. This means that outgoing email messages can carry information about a private network that would normally be hidden from the Internet, and this information could make it easier for a potential attacker to target such networks. Only switch this option on if Kerio MailServer is installed on a private network behind a firewall (even if it runs on the same machine as the firewall).
This option relies on relay control so that the mailserver can recognize local IP addresses. In relay control, a group of local IP addresses is usually used to define addresses from which mail can be sent to any domain (see chapter 12.2 SMTP server).
Note: If relay control is disabled or no local IP address group is defined, this option will have no effect.
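As an added illustration of the leak described above (this is example code, not part of Kerio MailServer), the following Python checks the Received headers of an outgoing message for RFC 1918, loopback and link-local addresses and shows the masking effect the option has; the sample message and the hidden placeholder text are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Private ranges the option above is meant to keep out of outgoing headers.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
IPV4_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

# Constructed sample (not from the manual): the older Received line was
# added on the private LAN and exposes the client's internal address.
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [203.0.113.10])
\tby mx.example.org with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
Received: from workstation.corp.local (workstation.corp.local [192.168.1.25])
\tby mail.example.net with ESMTP; Mon, 1 Jan 2024 09:59:58 +0000
From: alice@example.net
To: bob@example.org
Subject: test

body
"""

def is_private(token):
    """True if the dotted-quad token falls into one of PRIVATE_NETS."""
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)

def private_ips_in_received(raw_message):
    """Return private IPv4 addresses found in Received headers, in order and
    without duplicates; a non-empty list means internal topology leaks."""
    msg = message_from_string(raw_message)
    leaked = []
    for hdr in msg.get_all("Received", []):
        for token in IPV4_RE.findall(hdr):
            if is_private(token) and token not in leaked:
                leaked.append(token)
    return leaked

def mask_private_ips(received_value):
    """Replace private addresses in one Received header value with a
    placeholder, which is the effect the hiding option has on the server."""
    return IPV4_RE.sub(
        lambda m: "[hidden]" if is_private(m.group(1)) else m.group(0),
        received_value)
```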
Defines whether the X-Envelope-To header is inserted into messages delivered locally. X-Envelope-To carries the original recipient address taken from the SMTP envelope. This option is useful especially if there is a domain mailbox in Kerio MailServer.
TNEF (Transport Neutral Encapsulation Format) is a proprietary Microsoft format used to send messages with formatting extensions from MS Outlook. A winmail.dat file is attached to any message sent in this format; it contains a complete copy of the message in RTF along with all attachments. This implies that if a user does not access their email via MS Outlook and a message with an attachment in this format is delivered to their mailbox, the attachment cannot be opened.
The TNEF decoder built into Kerio MailServer decodes TNEF messages on the server side into standard MIME format and thus avoids winmail.dat attachment difficulties.
Use this option if not all users access their email exclusively through MS Outlook.
Note: If any problems with message decoding occur, enable the Message decoding option in the Debug log settings; the logged information may help. See chapter 25.9 Debug log for more information.
Uuencode (Unix-to-Unix Encoding) is an encoding method used for sending files by email. It encodes binary data into a text format so that the data can be inserted directly into message bodies. The main problem is that some email clients lack the decoder needed to transform the encoded files back into their original format. Therefore, Kerio MailServer includes a built-in Uudecode decoder (Unix-to-Unix decoding). Email messages are decoded into the standard MIME format on the server side, so users do not have to deal with this issue.
It is recommended to enable the Enable conversion of uuencoded messages to MIME option especially if users use Kerio WebMail and MS Outlook with Kerio Outlook Connector to access their mailboxes.
Note: If any problems with message decoding occur, enable the Message decoding option in the Debug log settings; the logged information may help. See chapter 25.9 Debug log for more information.
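To make the uuencode-to-MIME conversion concrete, here is an added example (not Kerio's decoder) that extracts uuencoded files from a message body with the standard library and rebuilds the message as a MIME text part plus attachments; the helper uuencode() only exists to construct the sample input, and the attachment content type is an assumption.

```python
import binascii
from email.message import EmailMessage

def decode_uuencoded_body(body):
    """Split a message body into its plain text and the files uuencoded
    inside it. Returns (text, [(filename, bytes), ...])."""
    text_lines, files = [], []
    lines = iter(body.splitlines())
    for line in lines:
        parts = line.split(" ", 2)
        if parts[0] == "begin" and len(parts) == 3:   # "begin <mode> <name>"
            name, data = parts[2], bytearray()
            for data_line in lines:
                if data_line.strip() == "end":
                    break
                if data_line.strip() in ("", "`"):    # zero-length last line
                    continue
                data += binascii.a2b_uu(data_line)
            files.append((name, bytes(data)))
        else:
            text_lines.append(line)
    return "\n".join(text_lines).strip(), files

def to_mime(sender, recipient, subject, body):
    """Build a standard MIME message (text part plus one attachment per
    uuencoded file) so clients without a uudecoder can open the files."""
    text, files = decode_uuencoded_body(body)
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(text)
    for name, data in files:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

def uuencode(name, data):
    """Constructed sample input: produce a classic uuencoded block."""
    lines = [f"begin 644 {name}"]
    for i in range(0, len(data), 45):                 # 45 raw bytes per line
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode().rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines)

# Constructed sample body, not from the manual.
SAMPLE_BODY = ("Hello Bob,\nthe report is attached.\n\n"
               + uuencode("report.txt", b"Quarterly numbers: 1, 2, 3\n") + "\n")
```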
Kerio MailServer allows you to set a security policy, i.e. the minimum required security level. These settings are configured in the Configuration → Advanced Options section on the Security policy tab (see figure 12.16 Security Policy tab).
The menu at the top of the page allows you to choose from one of these policies:
Self explanatory.
Kerio MailServer will always require secure user authentication. This implies that the authentication must be performed by using one of these methods — CRAM-MD5, DIGEST-MD5, NTLM, or the user must use an SSL tunnel (by enabling SSL traffic in their email clients).
If users access their email through Kerio WebMail, where none of these authentication methods can be applied, the SSL-secured HTTP protocol is used automatically.
Once secure authentication is required, it is possible to allow non-secured connections from a specified IP group. This group can be either selected from existing groups or created anew. For details on IP group definition, refer to chapter 19.1 IP Address Groups.
Do not apply this method if user passwords are stored on the server in SHA format.
When this option is activated, client applications can connect to any service only over an encrypted connection (the communication cannot be eavesdropped).
SSL must be enabled for all protocols on all client stations. For Kerio WebMail, the secured connection is set automatically upon a successful connection.
The only exception to this restriction is the SMTP protocol. Because many SMTP servers do not support SMTPS or STARTTLS, it is not possible to allow only the secure version of this protocol. To still provide sufficient security, the SMTP server requires secure password authentication for the SMTP protocol once the Require encrypted connection option is enabled, so the name and password are still sent using one of the supported secure authentication methods.
After the security policy is defined, you can create an exception for a group of IP addresses for which the secured connection will not be required. For this purpose, either a new IP group can be created or an existing one can be selected. For information on IP address settings, see chapter 19.1 IP Address Groups.
If you choose this method of protecting communication, make sure that all users have a valid authentication certificate installed on their client stations (for more information, see chapter 16 Server's Certificates).
Supported authentication methods
Kerio MailServer supports the following methods of user authentication:
CRAM-MD5 — password authentication method (using MD5 digests). This method is quite common and many email clients provide support for it.
DIGEST-MD5 — password authentication method (using MD5 digests).
LOGIN — user passwords are completely unprotected during transfer. If this method is used, it is strongly recommended to enable SSL tunnel connection.
NTLM — this method can be used only if users are authenticated against an Active Directory domain. It is applicable only to user accounts that were imported from Active Directory. Configuration of NTLM authentication is addressed in chapter 28 NTLM authentication settings.
PLAIN — user passwords are completely unprotected during transfer. If this method is used, it is strongly recommended to enable SSL tunnel connection.
APOP — this method is not displayed in the list; Kerio MailServer uses it automatically when downloading POP3 accounts.
The server offers all the above mentioned authentication methods. They are ordered the same way as in the table below (starting from CRAM-MD5), and once the client accepts an offered method, the remaining methods are not used. However, a problem occurs if passwords are stored in the secure one-way format (SHA1): the challenge-response methods CRAM-MD5 and DIGEST-MD5 require the server to compute a digest from the password itself, which is impossible from a one-way hash, so only the LOGIN and PLAIN methods can work. If CRAM-MD5 and DIGEST-MD5 are left enabled in that case, the server offers one of them and it becomes impossible to log in to Kerio MailServer. If passwords are stored in SHA format, disable all methods but LOGIN and PLAIN.
Operating system | Authentication against Active Directory | User mailboxes are stored locally and passwords are secured by DES encryption | User mailboxes are stored locally and passwords are secured by SHA encryption |
---|---|---|---|
MS Windows | NTLM, LOGIN, PLAIN | CRAM-MD5, DIGEST-MD5, LOGIN, PLAIN | LOGIN, PLAIN |
Linux | LOGIN, PLAIN | CRAM-MD5, DIGEST-MD5, LOGIN, PLAIN | LOGIN, PLAIN |
Mac OS X | LOGIN, PLAIN | CRAM-MD5, DIGEST-MD5, LOGIN, PLAIN | LOGIN, PLAIN |
Table 12.3. Authentication methods
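To show why the table above lists only LOGIN and PLAIN for SHA-secured passwords, here is an added example (not Kerio's code) of the CRAM-MD5 exchange defined in RFC 2195: the server can verify the client's HMAC-MD5 response only if it holds the password itself, so a store that keeps just a one-way SHA1 hash cannot complete the method. The USERS store, its (kind, value) layout and the lookup() helper are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os
import time

def make_challenge(hostname):
    """Server side: a fresh, unpredictable-enough challenge per login attempt."""
    return f"<{os.getpid()}.{int(time.time())}@{hostname}>"

def client_response(username, password, challenge):
    """Client side: base64('user ' + hex(HMAC-MD5(key=password, msg=challenge)))."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()

def server_verify(response_b64, challenge, lookup_secret):
    """Server side: recompute the digest from the stored password and compare.
    lookup_secret(username) returns (kind, value); kind is 'plain' when the
    password itself is recoverable and 'sha1' when only a one-way hash is kept.
    Returns True/False for a verifiable login and None when the stored form
    cannot support CRAM-MD5 at all (the situation the table above describes)."""
    try:
        username, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    except ValueError:
        return False                      # malformed response
    kind, secret = lookup_secret(username)
    if kind == "missing":
        return False                      # unknown user
    if kind != "plain":
        return None                       # HMAC key unavailable from a hash
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

# Constructed user store (assumption, not Kerio's storage format).
USERS = {
    "alice": ("plain", "correct horse battery"),
    "bob": ("sha1", hashlib.sha1(b"staple").hexdigest()),
}

def lookup(username):
    return USERS.get(username, ("missing", ""))
```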
Further recommendations:
If a client authentication method fails, it is recommended to disable it in Kerio MailServer (uncheck it in the Enabled authentication methods list).
For all authentication methods, it is recommended to enable SSL login to the mail clients.
Check Allow NTLM authentication for users with Kerberos authentication to allow users from Active Directory to authenticate when logging in to Kerio MailServer. For NTLM authentication to work, both the computer and the user account must be members of the domain used for authentication. NTLM (SPA) authentication must also be enabled in the users' mail clients.
To see what is necessary to be set in Kerio MailServer to make NTLM authentication work smoothly, refer to chapter 28 NTLM authentication settings.
In the Account lockout section the following parameters can be defined (see figure 12.17 Account lockout):
When this option is selected, user accounts are locked according to the following rules. These settings protect user accounts from being misused.
Specify the number of failed login attempts from one IP address that are allowed.
Defines the time after which a locked account is unlocked automatically.
Use
to unlock all accounts previously locked.
Blocking of accounts upon unsuccessful login attempts is not the same as blocking in the user account settings (see section 8.2 Creating a user account).
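The lockout rules above, as an added example (not Kerio MailServer's implementation): failures are counted per account and client IP address, the account is locked once the allowed number is reached, the lock expires automatically after the configured time, and an unlock-all operation clears every lock. The threshold and duration defaults and the injectable clock are assumptions.

```python
import time
from collections import defaultdict

class AccountLockout:
    """Lock an account after max_failures failed logins from one IP address
    and unlock it automatically after lock_seconds. clock is injectable
    (defaults to time.time) so the expiry can be exercised deterministically."""

    def __init__(self, max_failures=5, lock_seconds=600, clock=time.time):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock
        self.failures = defaultdict(int)   # (account, ip) -> consecutive failures
        self.locked_until = {}             # account -> unlock timestamp

    def is_locked(self, account):
        """True while a lock is active; an expired lock is removed on the way."""
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:          # automatic unlock
            del self.locked_until[account]
            return False
        return True

    def record_login(self, account, ip, success):
        """Returns 'locked', 'ok' or 'failed'. A locked account rejects even a
        correct password until the lock expires or is cleared."""
        if self.is_locked(account):
            return "locked"
        key = (account, ip)
        if success:
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= self.max_failures:
            self.locked_until[account] = self.clock() + self.lock_seconds
            self.failures.pop(key, None)
            return "locked"
        return "failed"

    def unlock_all(self):
        """Counterpart of the manual's unlock-all button."""
        self.locked_until.clear()
        self.failures.clear()
```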
The Store Directory tab contains the settings of the directory used for storing messages, contacts, events, etc. (user and public folders). Private and public folders, logs, messages waiting to be sent and files currently being checked by the antivirus are saved in the Store Directory.
Define the absolute path to the store directory (in the form used by the operating system on which Kerio MailServer is running). For technical reasons, the store directory must be located locally (i.e. on the server where Kerio MailServer is running).
If the data directory path needs to be changed, follow these instructions:
Create a new directory for the store.
In Kerio Administration Console ( ), specify the new path.
Stop Kerio MailServer.
Move all files included in the data store to the new directory.
Run Kerio MailServer.
The Path to the store directory entry must not be specified as a UNC path.
If the specified value is reached, Kerio MailServer will warn users about this fact upon each login to the administration console. Reaching the limit is also recorded in the Error log (for more information, see chapter 25.7 Error).
If this limit is reached, Kerio MailServer Engine and Kerio MailServer Monitor are stopped. Kerio Administration Console can still be run; immediately after login, the critical limit error message is displayed. This information is also recorded in the Error log (for more information, see chapter 25.7 Error).
Do not set the hard limit to 0, otherwise an error message or warning will be displayed whenever new mail is delivered.
Changes in the paths take effect only after the MailServer Engine is restarted. If you do not change these settings immediately after installing Kerio MailServer, you will need to stop the Engine first, move the files from the old location to the new one, and then start the service again.
Master authentication password is a special password. It can be used by specific applications to access Kerio MailServer accounts without knowing individual corresponding passwords.
The Master Password cannot be used to access user accounts from email clients or via Kerio WebMail. It is not a versatile administrator password (it is not possible to use it for authentication to Administration Console).
Master authentication settings can be defined on the eponymous tab under Advanced Options:
This option enables/disables Kerio MailServer master authentication. It is recommended to enable Master authentication only if it will actually be used.
Select or create an IP address group from which master authentication will be exclusively allowed. For security reasons, it is not possible to allow Master authentication from any IP address. IP address groups can be created either in
or upon clicking on .
Define a password that will be used for access to all accounts. This password should be known to as few persons as possible. If the Master Password falls into the hands of an unauthorized person, the privacy of all user accounts on the server can be compromised!
The password confirmation is required to eliminate typos.
If Kerio MailServer runs on a host behind a firewall, it can be connected to the Internet via a proxy server. This is useful, for example, for downloading upgrades and/or checking for new versions of Kerio MailServer or the antivirus application.
Insert HTTP proxy address and port on which the service is running.
Username and password must be specified if the proxy server requires authentication.
Insert your user name to connect to the particular proxy server.
Insert your password to connect to the proxy server.
This tab controls update checks for new versions of Kerio MailServer and automatic updates of the Kerio Outlook Connector and the Kerio Outlook Connector (Offline Edition):
Time since the last update check. The system checks for new versions of the product every 24 hours.
Click the
button to check for a new version. If a new version is found, the user can download it; if no new version is available, the user is notified.
This option enables automatic checking for a new version of Kerio MailServer at the Kerio Technologies website.
If a new version was released by Kerio Technologies, the Update tab will contain link to the download web page.
This option enables informing users that a new beta version of Kerio MailServer is available.
If you want to participate in beta version testing, enable the Check also beta versions option. If the Kerio MailServer is used in production, the beta versions are not recommended — do not enable this option.
The installation package also includes automatic installation of the Kerio Outlook Connector, the Kerio Outlook Connector (Offline Edition) and the Kerio Sync Connector for Mac.
The Current version available for clients field displays the information about the module versions currently used (including build numbers).
Kerio Outlook Connector — the package is updated for all users immediately upon update of the server.
Kerio Outlook Connector (Offline Edition) — the package is updated for all users immediately upon update of the server.
Kerio Sync Connector for Mac — users on client stations are informed about available updates for the Kerio Sync Connector. If they confirm the dialog, the program is updated.
Kerio MailServer performs automatic update checks for the Kerio Outlook Connector and the Kerio Outlook Connector (Offline Edition). These checks help avoid problems caused by an older server with a newer plug-in or, vice versa, a newer server with an older plug-in. If such a mismatch is detected, users are informed that the plug-in should be upgraded or downgraded, and the correct version is installed upon confirmation. If a user refuses to install the new version, what happens depends on whether the server differs in the version number or only in the build number:
Build numbers differ — the plug-in starts along with MS Outlook. Before each startup of MS Outlook, an alert is displayed informing the user that the plug-in should be updated.
Version numbers differ — the plug-in refuses to connect to the server until it is updated.
New versions of Kerio Outlook Connector, Kerio Outlook Connector (Offline Edition) and Kerio Sync Connector are stored in the directory Kerio\MailServer\webmail\download
Update of plug-ins requires the HTTP or the HTTPS service to be running.
A server certificate can also be created in the Kerio MailServer's administration console. For detailed instructions, see chapter 16 Server's Certificates.
Note: If any problems with updates occur, enable the Update Checker Activity option in the Debug log settings (for details, see chapter 25.9 Debug log). The logged information may help you resolve the problem.