For its traffic, ActiveSync uses either the HTTP or the HTTPS protocol.
For security reasons, it is recommended to synchronize only over HTTPS: ActiveSync authenticates to the server with the user's login data in unencrypted form, so over plain HTTP the credentials travel in clear text.
For a description of the encryption of services running in Kerio MailServer, see chapter 16 Server's Certificates. This method requires a valid SSL certificate that the device is able to verify.
The following conditions must be met for a certificate to be considered valid:
The certificate must be issued by a trustworthy certification authority. Trustworthy means that the mobile device knows the root certificate of the authority that issued the server's certificate. Windows Mobile includes root certificates of several certification authorities; a list of these authorities can be found at the Microsoft Corporation website.
The certificate's validity period must cover the current date, and the correct date and time must be set on the device.
The certificate must include a valid name of the email domain for which Kerio MailServer is used.
Valid certificates for encrypted traffic can be either certificates issued by trustworthy certification authorities (these certificates can be quite expensive, however, they avoid possible installation difficulties) or a certificate issued by an internal certification authority or a so-called self-signed certificate generated in Kerio MailServer (for details, see chapter 16 Server's Certificates).
In case of certificates issued by a trusted certification authority, no settings or installations are required. In cases of internal certificates or self-signed certificates, the root certificate must be installed on the device.
Windows Mobile requires the certificate to be encoded in the DER X.509 format, and the .cer extension is required. The simplest method to get and install a certificate is to download it to the device with a browser.
Kerio MailServer's self-signed certificate in the required format is available at http://server_name/server.cer
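Before pushing a server.cer to a device, the three validity conditions above (trusted issuer, validity period, domain name) can be checked on a workstation with the openssl CLI. This is an added example, not Kerio's own tooling; it assumes openssl is installed, and the demo certificate for mail.company.com is constructed locally:

```shell
#!/bin/sh
# check_server_cer SERVER_CER ROOT_PEM DOMAIN
#   SERVER_CER : the DER-encoded server.cer downloaded from Kerio MailServer
#   ROOT_PEM   : PEM file of the root the device trusts (for a self-signed
#                certificate this is the certificate itself)
#   DOMAIN     : the email domain the certificate must name
# Returns 0 if all three conditions hold; 1 if the file is not DER X.509,
# 2 if it has expired, 3 if it does not chain to ROOT_PEM, 4 on a name mismatch.
check_server_cer() {
  cer="$1"; root="$2"; domain="$3"
  pem=$(mktemp) || return 1
  rc=0
  # Windows Mobile wants DER; a PEM file (or junk) fails this conversion.
  if ! openssl x509 -inform DER -in "$cer" -out "$pem" >/dev/null 2>&1; then
    rc=1
  # Validity period: -checkend 0 fails once notAfter lies in the past.
  elif ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
    rc=2
  # Trust: the chain must end at a root the device knows (or will be given).
  elif ! openssl verify -CAfile "$root" "$pem" >/dev/null 2>&1; then
    rc=3
  # Name: subject CN / SAN must match the domain used in the ActiveSync URL.
  elif ! openssl x509 -in "$pem" -noout -checkhost "$domain" 2>/dev/null \
         | grep -q "does match"; then
    rc=4
  fi
  rm -f "$pem"
  return "$rc"
}

# Constructed demo: a self-signed certificate for mail.company.com (the name
# used in the text), converted to the DER .cer form the device expects.
make_demo_cer() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=mail.company.com" \
    -keyout "$dir/key.pem" -out "$dir/root.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/root.pem" -outform DER -out "$dir/server.cer" >/dev/null 2>&1
}

if [ "${DEMO:-0}" = 1 ]; then
  d=$(mktemp -d)
  make_demo_cer "$d"
  if check_server_cer "$d/server.cer" "$d/root.pem" mail.company.com; then
    echo "server.cer passes all three checks"
  else
    echo "server.cer failed check $?"
  fi
  rm -rf "$d"
fi
```

Run with DEMO=1 to exercise the constructed certificate; in practice point the function at the server.cer downloaded from your own server.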
On devices with Windows Mobile 2002, communication is possible only over HTTPS; the unencrypted version of the protocol is not supported. It is also necessary that Kerio MailServer authenticates with a certificate issued by a trustworthy certification authority. This can be either a certificate issued by a supported commercial certification authority (certificates issued by VeriSign, CyberTrust, Thawte and Entrust are supported), or the root certificate of the authority which issued the certificate for Kerio MailServer can be installed on the device (for details, see section Allowing installation of a root certificate in WM 2002).
It is not possible to install Kerio MailServer's self-signed certificate on Windows Mobile 2002. It is only possible to use root certificates authorized by at least one internal authority.
Since Windows Mobile 2003, ActiveSync configuration includes an option to enable/disable SSL encryption. However, it is strongly recommended to use the SSL encryption since only the basic authentication method is used for user authentication within the synchronization (no encryption is used for the login data transfers so the data can be easily misused).
Since Windows Mobile 2003, installation of the self-signed certificate on mobile devices is very simple. The instructions can be found in section Installation of the Kerio MailServer's self-signed root certificate.
Security rules in Smartphone devices with Windows Mobile 2005 forbid installation of new root certificates. In such cases, it is necessary to enable installation of root certificates in the device registry first (the instructions are provided below).
The Kerio MailServer's self-signed certificate can be installed as described below:
To install the certificate on Windows Mobile 2002 or on Windows Mobile 5.0 Smartphone Edition, follow the instructions provided in sections Allowing installation of a root certificate in WM 2002 and Allowing installation of a root certificate in WM 5.0 Smartphone Edition. In other cases, start the installation at step 2.
On the mobile device, run a web browser.
In the URL text field, enter the server's address following the pattern http://server_name/server.cer (e.g. http://mail.company.com/server.cer) or https://server_name/server.cer (e.g. https://mail.company.com/server.cer).
A dialog is displayed asking whether the certificate should be downloaded to the device. Click to confirm the action. Next, you'll be asked whether the certificate should be installed and used. Again, click to confirm. Now the certificate is installed.
To add a root certificate issued by a certification authority which is not supported by the device, follow these instructions:
Download the application from the AddRootCert link [409KB] and unpack it.
Copy the addrootcert.exe file to the device.
Copy the server's certificate to the device (the certificate must be encoded in DER X.509 format and the .cer extension is required).
On the device, click on the addrootcert.exe file and run it.
Use the application to install the certificate.
Restart the device.
The security policy of Smartphone devices with Windows Mobile 5.0 or Windows Mobile 5.0 AKU2 forbids installation of root certificates issued by anyone other than trusted certification authorities.
To allow installation of root certificates issued by authorities not supported by the particular device (an internal certificate or Kerio MailServer's self-signed certificate), it is necessary to install a registry editor on the mobile device and use it to allow installation of untrusted root certificates. One option is, for example, the application regeditSTG.zip (24.01 KB).
In this editor, follow these instructions:
Find and download regeditSTG.zip (available for free) and unpack it.
Move the editor to the mobile phone (e.g. by using the MS ActiveSync desktop application).
It is necessary that the file is saved in the phone, not on the memory card.
On the telephone, click on the file and run it.
Run regeditSTG.exe and find HKLM\Security\Policies\Policies.
Change the following registry items:
00001001 overwrite the 2 with 1
00001005 overwrite the 16 with 40
00001017 overwrite the 128 with 144
Now, it is possible to download the certificate from the server and install it as described in section 36.4 SSL encryption.
A so-called “hard reset” removes these registry changes (the settings must be repeated if they are needed again).
If the Kerio MailServer's self-signed certificate is installed, the device does not require confirmation for each synchronization with the server:
[Security Information ?] The certificate could not be verified. Select 'Certificate details' to get more information about the certificate. Do you want to accept the certificate and proceed? [ Yes ] [ No ] [ Details ]
Therefore, it is recommended to install a certificate signed by a trustworthy certification authority.