12.6  Advanced Options

In the Configuration → Advanced Options section you can set several advanced parameters for the mailserver.

Miscellaneous tab

Figure 12.15. Miscellaneous tab


Log hostnames for incoming connections

Converts the IP addresses of remote clients and servers connecting to Kerio MailServer to DNS names (using reverse DNS requests). This makes logs more readable, but it can also decrease the performance of Kerio MailServer.

Don't show program name and version...

Enable this option if you do not wish to reveal the name and version of the mailserver application for this domain.

Warning

Kerio MailServer must be restarted for a change to this option to take effect.

Hide local IP in Received headers

Kerio MailServer will hide the local IP address (an address included in the IP address group defined on the Relay Control tab of Configuration → SMTP server) in the Received part of the message header.

Each SMTP server that the message passes through inserts an entry into this field, specifying where the message came from, where it is going and who received it. This implies that the first Received record contains the sender's email and IP addresses. If the SMTP server is placed on a private network behind a firewall, the client's private IP address is inserted. Outgoing email messages can therefore carry information about a private network that would normally be hidden from the Internet, and this information could make it easier for an attacker to target such networks. Only switch this option on if Kerio MailServer is installed on a private network behind a firewall (even if it runs on the same machine as the firewall).

This option is linked to relay control, which is how the mailserver recognizes local IP addresses: in relay control, a group of local IP addresses is usually defined as the addresses from which mail can be sent to any domain (see chapter 12.2  SMTP server).

Note: If relay control is disabled or no local IP address group is defined, this option will have no effect.
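The leak described above can be checked on outgoing mail and the masking behaviour illustrated as follows. This is an added example, not Kerio's code: the message is constructed, 198.51.100.10 is a documentation address standing in for a public relay, and the local IP group is passed in as a list of networks.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (not a real message): the sender's workstation sat on a
# private LAN (10.0.5.23) and the mail left through a relay at 198.51.100.10,
# a documentation address standing in for the public mail exchanger.
SAMPLE_MESSAGE = (
    "Received: from mx.example.net (mx.example.net [198.51.100.10])\n"
    "\tby inbound.example.org with ESMTP; Mon, 1 Jan 2007 10:00:00 +0000\n"
    "Received: from alice-pc (alice-pc.corp.example.net [10.0.5.23])\n"
    "\tby mx.example.net with ESMTP; Mon, 1 Jan 2007 09:59:58 +0000\n"
    "From: alice@example.net\nTo: bob@example.org\nSubject: test\n\nhello\n"
)

# MTAs record the connecting address as a bracketed dotted quad.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def received_hops(raw):
    """IP addresses recorded in each Received header, newest hop first (each
    relay prepends its header, so the last list is the hop nearest the sender)."""
    msg = message_from_string(raw)
    return [[ipaddress.ip_address(ip) for ip in IP_RE.findall(value)]
            for value in msg.get_all("Received", [])]


def private_ips_in_received(raw):
    """Private-network addresses the message would reveal to its recipient."""
    return sorted({str(ip) for hop in received_hops(raw) for ip in hop
                   if any(ip in net for net in RFC1918)})


def mask_local_ips(received_value, local_group):
    """Rewrite one Received header value, replacing addresses inside the local
    IP group (the idea behind 'Hide local IP in Received headers') with a marker."""
    nets = [ipaddress.ip_network(n) for n in local_group]

    def mask(match):
        ip = ipaddress.ip_address(match.group(1))
        return "[hidden]" if any(ip in net for net in nets) else match.group(0)

    return IP_RE.sub(mask, received_value)


if __name__ == "__main__":
    print("private addresses leaked:", private_ips_in_received(SAMPLE_MESSAGE))
    for value in message_from_string(SAMPLE_MESSAGE).get_all("Received"):
        print(mask_local_ips(value, ["10.0.0.0/8"]))
```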

Insert X-Envelope-To header...

Defines whether the X-Envelope-To entry is inserted into the header of messages delivered locally. X-Envelope-To holds the original recipient address taken from the SMTP envelope. This option is useful especially if a domain mailbox is configured in Kerio MailServer.

Enable decoding of TNEF messages

TNEF (Transport Neutral Encapsulation Format) is a proprietary Microsoft format used to send messages with formatting extensions from MS Outlook. A winmail.dat file is attached to every message sent in this format; it contains a complete copy of the message in RTF along with all attachments. This implies that if a user does not access their email via MS Outlook and a message with an attachment in this format is delivered to their mailbox, the attachment cannot be opened.

The TNEF decoder built into Kerio MailServer decodes TNEF messages on the server side into standard MIME format and thus avoids winmail.dat attachment difficulties.

Use this option if not all users access their email via MS Outlook.

Note: If any problems with message decoding occur, the Debug log may help; enable the Message decoding option there. See chapter 25.9  Debug log for more information.

Enable conversion of uuencoded messages to MIME

Uuencode (Unix-to-Unix Encoding) is an encoding method used for sending files by email. It encodes binary data into a text format so that the data can be inserted directly into message bodies. The main problem is that some email clients lack a decoder that would decode the encoded files and restore them to their original format. Therefore, Kerio MailServer includes a built-in Uudecode decoder (Unix-to-Unix decoding): email messages are decoded into standard MIME format on the server side, so users do not have to deal with this themselves.

It is recommended to enable the Enable conversion of uuencoded messages to MIME option, especially if users access their mailboxes through Kerio WebMail or through MS Outlook with Kerio Outlook Connector.

Note: If any problems with message decoding occur, the Debug log may help; enable the Message decoding option there. See chapter 25.9  Debug log for more information.
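The server-side conversion described above, shown as an added example (not Kerio's own decoder): a uuencoded block embedded in a plain-text body is detected, decoded with Python's binascii uuencode routines and re-attached as a MIME part. The sample body is constructed in the block itself.

```python
import binascii
import re
from email.message import EmailMessage

BEGIN_RE = re.compile(r"^begin [0-7]{3,4} (.+)$")   # 'begin <mode> <filename>'


def uuencode(name, data, mode="644"):
    """Produce a classic uuencoded block (used here only to build the sample body)."""
    lines = [f"begin {mode} {name}"]
    for i in range(0, len(data), 45):          # uuencode carries 45 bytes per line
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]                      # zero-length line, then terminator
    return "\n".join(lines)


def extract_uuencoded(body):
    """Split a text body into (remaining text, [(filename, bytes), ...])."""
    lines = body.split("\n")
    remaining, files, i = [], [], 0
    while i < len(lines):
        match = BEGIN_RE.match(lines[i])
        if not match:
            remaining.append(lines[i])
            i += 1
            continue
        name, data, i = match.group(1), bytearray(), i + 1
        while i < len(lines) and lines[i].rstrip() != "end":
            if lines[i]:                                # blank lines carry nothing
                data += binascii.a2b_uu(lines[i])       # one chunk per line
            i += 1
        i += 1                                          # skip the 'end' line
        files.append((name, bytes(data)))
    return "\n".join(remaining), files


def uu_to_mime(body):
    """Turn a uuencoded plain-text body into a MIME message with real attachments."""
    text, files = extract_uuencoded(body)
    msg = EmailMessage()
    msg.set_content(text)
    for name, data in files:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=name)
    return msg


# Constructed sample: 100 bytes of binary data, which spans three uuencode lines.
SAMPLE_DATA = bytes(range(100))
SAMPLE_BODY = "Hello Bob,\nthe file is below.\n\n" + uuencode("report.bin", SAMPLE_DATA) + "\n"

if __name__ == "__main__":
    print(uu_to_mime(SAMPLE_BODY))
```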

Security Policy tab

Kerio MailServer allows you to set a security policy, i.e. the minimum required security level. These settings are made in the Configuration → Advanced Options section on the Security Policy tab (see figure 12.16  Security Policy tab).

Figure 12.16. Security Policy tab


The menu at the top of the page allows you to choose from one of these policies:

No restrictions

Self-explanatory.

Require secure authentication

Kerio MailServer will always require secure user authentication. This means that authentication must be performed using one of the methods CRAM-MD5, DIGEST-MD5 or NTLM, or the user must use an SSL tunnel (by enabling SSL traffic in their email client).

If users access their email through Kerio WebMail, where none of these authentication methods can be applied, the SSL-secured HTTP protocol is used automatically.

Once secure authentication is required, it is possible to allow non-secured connections from a specified IP group. This group can either be selected from the existing groups or a new one can be created. For details on defining IP groups, refer to chapter 19.1  IP Address Groups.

Warning

Do not apply this policy if user passwords are stored on the server in SHA format.

Require encrypted connection

When this option is activated, client applications can connect to any service only over an encrypted connection (so the communication cannot be tapped).

SSL traffic must be enabled for all protocols on all client stations. The secured connection is set up automatically upon a successful connection to Kerio WebMail.

The only exception to this restriction is the SMTP protocol. Because many SMTP servers do not support SMTPS or STARTTLS, it is not possible to allow only the secure version of the protocol. To still provide sufficient security, the SMTP server requires secure password authentication for SMTP once the Require encrypted connection option is enabled: the name and password are then sent by one of the supported secure authentication methods.

After the security policy is defined, you can create an exception for a group of IP addresses for which a secured connection is not required. For this purpose, either a new IP group can be created or an existing one can be selected. For information on IP address group settings, see chapter 19.1  IP Address Groups.

If you choose this protection method, make sure that all users have a valid authentication certificate installed on their client stations (for more information, see chapter 16  Server's Certificates).

Supported authentication methods

Kerio MailServer supports the following methods of user authentication:

  • CRAM-MD5 — password authentication method (using MD5 digests). This method is quite common and many email clients provide support for it.

  • DIGEST-MD5 — password authentication method (using MD5 digests).

  • LOGIN — user passwords are completely unprotected during transfer. If this method is used, it is strongly recommended to enable SSL tunnel connection.

  • NTLM — this method can be used only if users are authenticated against an Active Directory domain. It is applicable only to user accounts that were imported from Active Directory. Configuration of NTLM authentication is addressed in chapter 28  NTLM authentication settings.

  • PLAIN — user passwords are completely unprotected during transfer. If this method is used, it is strongly recommended to enable SSL tunnel connection.

  • APOP — this method is not displayed in the list; Kerio MailServer uses it automatically when downloading POP3 accounts.

The server offers all the authentication methods listed above, in the order shown in the table below (starting from CRAM-MD5). If the first offered method is supported by the client, the other methods are not used. However, a problem may occur if passwords are stored in the secure (SHA1) format: with this storage format only the LOGIN and PLAIN methods can work. If the secure CRAM-MD5 and DIGEST-MD5 methods are enabled, the system selects one of them and it becomes impossible to log in to Kerio MailServer. If passwords are stored in SHA format, therefore, disable all methods except LOGIN and PLAIN.

Operating system | Authentication against Active Directory | Mailboxes stored locally, passwords secured by DES encryption | Mailboxes stored locally, passwords secured by SHA encryption
MS Windows       | NTLM, LOGIN, PLAIN                      | CRAM-MD5, DIGEST-MD5, LOGIN, PLAIN                            | LOGIN, PLAIN
LINUX            | LOGIN, PLAIN                            | CRAM-MD5, DIGEST-MD5, LOGIN, PLAIN                            | LOGIN, PLAIN
Mac OS X         | LOGIN, PLAIN                            | CRAM-MD5, DIGEST-MD5, LOGIN, PLAIN                            | LOGIN, PLAIN

Table 12.3. Authentication methods
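Why a one-way (SHA) password store rules out CRAM-MD5 while a reversible (DES-encrypted) store allows it, as an added example that is not Kerio's code: the server must feed the user's actual password into the HMAC to verify a CRAM-MD5 response, which it cannot recover from a hash. The record formats here are stand-ins (Kerio's real storage formats are not described on this page).

```python
import base64
import hashlib
import hmac
import os
import time

# Stand-ins for what the server keeps per user: a "reversible" record (the
# page's DES-encrypted store, which the server can decrypt back to the password;
# shown unencrypted here for simplicity) and a one-way SHA1 hash.
def reversible_record(password):
    return ("reversible", password)

def sha1_record(password):
    return ("sha1", hashlib.sha1(password.encode()).hexdigest())


def make_challenge(hostname="mail.example.net"):
    """Server's first step: a unique challenge, sent base64-encoded to the client."""
    return f"<{os.getpid()}.{int(time.time())}@{hostname}>"


def cram_md5_response(username, password, challenge):
    """Client's answer: base64('user ' + hex(HMAC-MD5(password, challenge)))."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def verify_cram_md5(record, challenge, response):
    """Server's check. Returns True/False, or None when the method cannot be used
    because the server has no password to put into the HMAC (one-way store)."""
    kind, secret = record
    if kind != "reversible":
        return None
    _user, digest = base64.b64decode(response).decode().split(" ", 1)
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


def verify_plain(record, password):
    """LOGIN/PLAIN: the client sends the password itself, so any store can check it."""
    kind, secret = record
    if kind == "sha1":
        return hmac.compare_digest(secret, hashlib.sha1(password.encode()).hexdigest())
    return hmac.compare_digest(secret, password)


def usable_methods(record):
    """Methods worth enabling for this storage format (what Table 12.3 encodes)."""
    if record[0] == "reversible":
        return ["CRAM-MD5", "DIGEST-MD5", "LOGIN", "PLAIN"]
    return ["LOGIN", "PLAIN"]
```

Because LOGIN and PLAIN carry the password itself, they are only acceptable inside an SSL tunnel, which is the combination the page recommends for SHA-stored passwords.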


Further recommendations:

  • If a client authentication method fails, it is recommended to disable it in Kerio MailServer (uncheck it in the Enabled authentication methods list).

  • For all authentication methods, it is recommended to enable SSL login to the mail clients.

Check Allow NTLM authentication for users with Kerberos authentication to allow users from Active Directory to authenticate when logging in to Kerio MailServer. For NTLM authentication to work, both the computer and the user account must be members of the domain used for authentication. NTLM (SPA) authentication must also be enabled in the users' mail clients.

To see what is necessary to be set in Kerio MailServer to make NTLM authentication work smoothly, refer to chapter 28  NTLM authentication settings.

In the Account lockout section the following parameters can be defined (see figure 12.17  Account lockout):

Figure 12.17. Account lockout


Enable account lockout

When this option is selected, user accounts will be locked based on the following rules. These settings protect the user accounts from being misused.

Lockout user account...

Specify how many failed login attempts from a single IP address are allowed before the account is locked.

Locked account becomes unlocked...

Defines when a locked account will be unlocked automatically.

Use Unlock all accounts now to unlock all accounts previously locked.

Warning

Locking of accounts after unsuccessful login attempts is not the same as blocking an account in the user account settings (see section 8.2  Creating a user account).
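The two lockout parameters above (allowed failures from one IP address, automatic unlock time) and the Unlock all accounts now action, modelled as an added example that is not Kerio's implementation; the clock is injectable so the unlock interval can be exercised without waiting.

```python
import time
from collections import defaultdict


class AccountLockout:
    """Lock an account after too many failed logins from one IP address and
    unlock it automatically after a configured interval."""

    def __init__(self, max_failures, unlock_after_seconds, clock=time.time):
        self.max_failures = max_failures
        self.unlock_after = unlock_after_seconds
        self.clock = clock
        self.failures = defaultdict(int)     # (account, client_ip) -> failed attempts
        self.locked_until = {}               # account -> time of automatic unlock

    def is_locked(self, account):
        """Check before verifying a password; an expired lock is cleared here."""
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:            # "Locked account becomes unlocked..."
            self._unlock(account)
            return False
        return True

    def record_failure(self, account, client_ip):
        """Call after a wrong password. Returns True if the account is now locked."""
        if self.is_locked(account):
            return True
        self.failures[(account, client_ip)] += 1
        if self.failures[(account, client_ip)] >= self.max_failures:
            self.locked_until[account] = self.clock() + self.unlock_after
            return True
        return False

    def record_success(self, account, client_ip):
        """A correct password resets the counter for that address."""
        self.failures.pop((account, client_ip), None)

    def unlock_all(self):
        """The 'Unlock all accounts now' button."""
        for account in list(self.locked_until):
            self._unlock(account)

    def _unlock(self, account):
        self.locked_until.pop(account, None)
        for key in [k for k in self.failures if k[0] == account]:
            del self.failures[key]
```

Note that a lock applies to the account as a whole, so a correct password from another address is also refused until the unlock time passes or an administrator unlocks the accounts.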

Store Directory tab

The Store Directory tab contains the settings for the directory in which messages, contacts, events, etc. (user and public folders) are stored. Private and public folders, logs, messages waiting to be sent and files currently being checked by the antivirus are all saved in the store directory.

Path to the store directory

Define the absolute path to the store directory (in the form appropriate to the operating system on which Kerio MailServer is running). For technical reasons, the store directory must be located locally (i.e. on the server where Kerio MailServer is running).

If the data directory path needs to be changed, follow these instructions:

  1. Create a new directory for the store.

  2. In Kerio Administration Console (Configuration → Advanced Options → Data store), specify the new path.

  3. Stop Kerio MailServer.

  4. Move all files included in the data store to the new directory.

  5. Run Kerio MailServer.

Warning

The Path to the store directory entry must not be a UNC path.

Watchdog Soft Limit

If the specified value is reached, Kerio MailServer warns about it upon each login to the administration console. Reaching the limit is also recorded in the Error log (for more information, see chapter 25.7  Error).

Watchdog Hard Limit

If this limit is reached, Kerio MailServer Engine and Kerio MailServer Monitor are stopped. Kerio Administration Console can still be run; immediately after login, the critical limit error message is displayed. This information is also recorded in the Error log (for more information, see chapter 25.7  Error).

Figure 12.18. Store Directory tab


Warning

Do not set the hard limit to 0; otherwise an error message or warning will be displayed whenever new mail is delivered.

Changes in the paths take effect only after the MailServer Engine is restarted. If you do not change these settings immediately after installing Kerio MailServer, you will need to first stop the Engine, move the files from the old location to the new one and then start the service again.

Master Authentication tab

The master authentication password is a special password. It can be used by specific applications to access Kerio MailServer accounts without knowing the passwords of the individual accounts.

Warning

The Master Password cannot be used to access user accounts from email clients or via Kerio WebMail. It is not a universal administrator password (it cannot be used for authentication to the Administration Console).

Master authentication settings can be defined on the eponymous tab under Advanced Options:

Figure 12.19. Master Authentication tab


Enable Master authentication...

This option enables/disables Kerio MailServer master authentication. It is recommended to enable master authentication only if it will actually be used.

Allow master authentication only from IP address group

Select or create an IP address group from which master authentication will be exclusively allowed. For security reasons, it is not possible to allow master authentication from any IP address. IP address groups can be created either in Configuration → Definitions → IP Groups or by clicking Edit.

Master Password

Define the password that will be used for access to all accounts. This password should be known to as few people as possible. If the Master Password falls into the hands of an unauthorized person, the privacy of all user accounts on the server is compromised!

Confirm password

Confirming the password is required to eliminate typos.

HTTP Proxy

If Kerio MailServer runs on a host behind a firewall, it can connect to the Internet via a proxy server. This is useful, for example, for downloading upgrades and/or for checking for new versions of Kerio MailServer or the antivirus application.

Figure 12.20. HTTP Proxy tab


Use HTTP proxy for ...

Enter the HTTP proxy address and the port on which the service runs.

Proxy server requires authentication

A username and password must be specified if the proxy server requires authentication.

Username

Enter the user name used to connect to the proxy server.

Password

Enter the password used to connect to the proxy server.

Update Checker tab

This tab controls update checks for new versions of Kerio MailServer and automatic updates of the Kerio Outlook Connector and the Kerio Outlook Connector (Offline Edition):

Figure 12.21. Update Checker tab


Last update check performed ...

Time since the last update check. The system checks for new versions of the product every 24 hours.

Click the Check now button to check for a new version immediately. If a new version is found, the user can download it; if no new version is available, the user is notified.

Check for new versions of Kerio MailServer

This option enables automatic checking for a new version of Kerio MailServer at the Kerio Technologies website.

If a new version has been released by Kerio Technologies, the Update tab will contain a link to the download web page.

Check also for beta versions

This option enables notification that a new beta version of Kerio MailServer is available.

Warning

If you want to participate in beta testing, enable the Check also for beta versions option. If Kerio MailServer is used in production, beta versions are not recommended; do not enable this option.

The installation package also includes automatic installation of the Kerio Outlook Connector, the Kerio Outlook Connector (Offline Edition) and the Kerio Sync Connector for Mac.

The Current version available for clients field displays the versions of the modules currently in use (including build numbers).

  • Kerio Outlook Connector — the package is updated for all users immediately upon update of the server.

  • Kerio Outlook Connector (Offline Edition) — the package is updated for all users immediately upon update of the server.

  • Kerio Sync Connector for Mac — users on client stations are informed about available updates for the Kerio Sync Connector. If they confirm the dialog, the program is updated.

Kerio MailServer performs automatic update checks for the Kerio Outlook Connector and the Kerio Outlook Connector (Offline Edition). These checks help avoid problems caused by incompatibility between an older server and newer plug-in versions or, vice versa, a newer server and older plug-in versions. If a conflict is detected, users are informed that the plug-in should be upgraded/downgraded, and the correct version is installed upon confirmation. If a user refuses to install the new version, the consequence depends on whether the server version differs in the version number or only in the build number:

  1. Build numbers differ — the plug-in is started along with MS Outlook. Before each startup of MS Outlook, an alert is displayed informing the user that the plug-in should be updated.

  2. Version numbers differ — the plug-in refuses to connect to the server until it is updated.

New versions of Kerio Outlook Connector, Kerio Outlook Connector (Offline Edition) and Kerio Sync Connector are stored in the directory

Kerio\MailServer\webmail\download

Warning

Updating plug-ins requires the HTTP or the HTTPS service to be running.

A server certificate can also be created in the Kerio MailServer's administration console. For detailed instructions, see chapter 16  Server's Certificates.

Note: If any problems with updates occur, enable the Update Checker Activity option in the Debug log settings (detailed information can be found in chapter 25.9  Debug log). The logged information may help you troubleshoot the problem.