8.2  Creating a user account

New local user accounts can be defined in the Domain Settings → Users section.

Figure 8.1. Users


First, choose a local domain in the Domain field, in which the accounts will be defined. Each domain may include local accounts as well as accounts saved in a directory service (e.g. Microsoft Active Directory). The list of users of the particular domain includes both types of accounts. However, only local accounts can be added (accounts for directory services must be created with the respective administration tools, e.g. Active Directory Users and Computers). Some of the features of accounts within a directory service can be edited.

Warning

If an account mapped from the directory service is deleted in the administration console, the account is disabled in Kerio MailServer.

The roles of each column of this window will be better understood through the following descriptions. The only exception — the Data source column — displays account types:

To create a new user account, use the Add button to open the new user account wizard. If the domain is configured to be used with directory services (see chapter 10  Mapping users from directory services), a dialog where you can define whether you would like to activate users from a directory service or create a new local account will be displayed.

If a user is activated, the user account is saved in the directory service. From the moment of activation, it can be used by Kerio MailServer. All events and information will be saved into the directory service.

Figure 8.2. Activate user in directory service


If the Activate user in directory service option is selected, a dialog with the list of users from the LDAP database used by Kerio MailServer will be opened. Select the appropriate users and confirm the selection. The buttons at the bottom left make user selection easier: Select all selects all users, and Unselect all clears any selection.

The following guide shows how local user accounts can be defined.

Step 1 — Template

The first step is shown only if at least one template for creating new accounts has been defined. To create new user account templates, select Definition → User templates. A template is especially useful for creating multiple user accounts at once that have some parameters in common (e.g. authentication type, quotas, etc.). When all these common parameters are entered in a template, it can save a lot of time.

Figure 8.3. New user addition — a template


For information about creation of a new template, refer to chapter 8.10  User Account Templates.

Step 2 — Basic data

Login name

User login name (note: the domain must be the local primary domain; otherwise enter the full email address, e.g. user@anothercompany.com, not only user).

The username is not case-sensitive.

Figure 8.4. New user addition — basic data


In login name, diacritics as well as some special symbols are not supported and are therefore not allowed in this entry.

Full name

The full name of the user (usually first name and surname). This option is required if the user data from this account are to be exported to a public contacts folder.

Description

User description (e.g. a position in a company). The Description entry is for informative purposes only. It can contain any type of information or it can be left blank.

Authentication

Possible authentication methods:

  • Internal user database

    Users are only authenticated within Kerio MailServer. In this case a password must be entered in the Password and Confirm Password fields (the user can then change his/her password in the Kerio WebMail interface).

    Warning

    Passwords may contain printable symbols only (letters, numbers, punctuation marks). Passwords are case-sensitive.

  • Windows NT domain

    Users are authenticated in a Windows NT domain. The NT domain name must be entered in the email domain properties (Windows NT domain in the Advanced tab). This authentication method can be used only if Kerio MailServer is running on Windows 2000/XP/2003. For details, see chapter 7.7  Authentication of domain users.

  • Kerberos 5

    Users are authenticated in the Kerberos 5 authentication system.

  • PAM service

    Authentication using the PAM service (Pluggable Authentication Module), available only in the Linux operating system.

  • Apple Open Directory

    Authentication against Apple Open Directory database (only for mailservers installed on a Macintosh). The option can be selected only if the user is mapped from Apple Open Directory.

Password / Confirm Password

Only the local user password can be entered or changed. We strongly recommend changing the password immediately after the account is created.

If the password contains special (national) characters, users of some mail clients will not be able to log in to Kerio MailServer. It is therefore recommended to use only ASCII characters for passwords.

Account is disabled

Temporary blocking of the account so that you do not have to remove it.

This feature is not identical with the account blocking set under Configuration → Advanced Options, on the Security Policy tab (see section 12.6  Advanced Options). If the user enters an invalid password too many times in a row and the limit set on the Security Policy tab is reached, the account is blocked automatically. To unblock the accounts, use the Unlock all accounts now button on the Security Policy tab.

Enable a default spam filter ...

Upon creating a new user account, check this option to set the antispam rule. All incoming emails marked as spam will be automatically moved to the Junk mail folder. The rule can be set up only during the process of user account creation. Filtering and rules for incoming email are addressed in Kerio MailServer, User's Guide.

Warning

It is not recommended to create this rule when the user accesses emails via POP3. In such a case, only the INBOX folder is downloaded to the local client and the user is not able to check whether the emails moved to the Spam folder are really spam emails.

Publish in Global Address List

The user's full name and address will be published in the default public Contacts folder which is used as an internal source of company contacts (full names and email addresses). The contact is added to the public folder only if Full Name is specified.

If users are mapped from Active Directory or Apple Open Directory, the entire LDAP database is synchronized every hour automatically. If you do not wish to synchronize a user to public contacts, uncheck this option.

Store password in high secure SHA format (recommended)

By default, user passwords are encrypted by DES. The Store password in highly secure SHA format option allows for a more secure encryption (SHA string). This option has one disadvantage — some methods of Kerio MailServer access authentication (APOP, CRAM-MD5 and Digest-MD5) cannot be applied. The only methods available with this option are LOGIN and PLAIN (it is highly recommended to use only SSL connections for authentication).

If this option is enabled, it is necessary to change the user password. This can be done either by administrator or the user (e.g. by Kerio WebMail).
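
The trade-off described above, shown as a short sketch (an added example, not Kerio MailServer code). It assumes salted SHA-1 as a stand-in for the product's SHA format, which this page does not specify, uses constructed sample values, and takes CRAM-MD5 as the representative challenge-response method.

```python
import hashlib
import hmac

# Constructed sample values for illustration only.
PASSWORD = "correct horse battery"
SALT = b"constructed-salt"
CHALLENGE = b"<1896.697170952@mail.example.com>"


def cram_md5_digest(secret: str, challenge: bytes) -> str:
    """CRAM-MD5 core (RFC 2195): HMAC-MD5 of the challenge, keyed with the password.
    The real protocol also prepends the user name and base64-encodes the reply."""
    return hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()


def hash_password(password: str, salt: bytes) -> bytes:
    """Assumed one-way storage format (salted SHA-1), not the product's actual one."""
    return hashlib.sha1(salt + password.encode()).digest()


def verify_plain(stored_hash: bytes, salt: bytes, presented: str) -> bool:
    """PLAIN/LOGIN: the client sends the password, the server re-hashes and compares."""
    return hmac.compare_digest(hash_password(presented, salt), stored_hash)


def verify_cram_md5(server_secret: str, challenge: bytes, response: str) -> bool:
    """CRAM-MD5: the server must recompute the HMAC with the same key the client used."""
    return hmac.compare_digest(cram_md5_digest(server_secret, challenge), response)


def demo() -> dict:
    stored_hash = hash_password(PASSWORD, SALT)
    client_response = cram_md5_digest(PASSWORD, CHALLENGE)
    return {
        # Hash-only storage is enough for PLAIN/LOGIN.
        "plain_with_hash": verify_plain(stored_hash, SALT, PASSWORD),
        # Challenge-response works when the server can recover the password.
        "cram_with_password": verify_cram_md5(PASSWORD, CHALLENGE, client_response),
        # With only the hash on file, the server has no key that matches the client's.
        "cram_with_hash_only": verify_cram_md5(stored_hash.hex(), CHALLENGE, client_response),
    }


if __name__ == "__main__":
    print(demo())
```

Because PLAIN and LOGIN send the password itself to the server, the SSL recommendation above is what keeps it from crossing the network in the clear.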

Step 3 — Mail addresses

In this step, all required email addresses of the user can be defined. The other addresses are called aliases. These can be defined either during the user definition or in Domain Settings/Aliases. We recommend using the first alternative — it is easier and the aliases are available through Active Directory.

Figure 8.5. New user addition — email addresses


If user accounts are maintained in Active Directory (see chapter 10.1  Active Directory), their aliases can be defined in Active Directory Users and Computers. Global aliases (in Domain Settings → Aliases) cannot be defined this way.

Step 4 — Forwarding messages to other addresses

Messages for a user can be forwarded to other email accounts if defined. If the Deliver messages to... button is activated, messages will be saved in the local account and forwarded to the addresses defined by user (if not, messages will be forwarded only, not saved).

Figure 8.6. New user addition — forwarding messages to other addresses


Note: The same functionality can be accomplished through the Domain Settings → Aliases dialog; however, creating aliases within the user definition dialog is smoother and easier to follow.

Step 5 — Groups

In this dialog window, you can add or remove groups of which the user is a member. Groups must be created first in the Domain Settings → Groups section. You can add users to groups during definition of groups. Therefore, it is not important which is created first — users or groups.

Figure 8.7. New user addition — groups


Step 6 — Access rights

Each user must be assigned one of the following three levels of access rights.

No access to administration

These users do not have any access to Kerio MailServer administration. Most users will have this setting so they will only be able to access their own mailboxes.

Read only access

These users can connect to Kerio MailServer administration but they can only view the logs and settings; they cannot make any changes.

Read/Write access

These users have full rights to administration and are equal to the Admin account. If there is at least one user with such rights, the Admin account can be removed.

User can administer aliases and users/groups ...

A special access right for KMS Web Administration (for more information, see chapter 32  KMS Web Administration). This setting is independent of the access rights settings for Kerio Administration Console.

This user has the administrator rights...

By default, only Admin of the primary domain is allowed to administer the public folders. If there are multiple local domains with user accounts in Kerio MailServer, this option must be selected for at least one user in each domain. Each domain in Kerio MailServer has its own public folders and users of a different local domain are not allowed to access them (you can change this setting so that all public folders are accessible from all domains and from all users — for detailed information about this setting, see chapter 7.1  Initial settings).

By default, all users from one domain have read only rights for the public folders. The rights for public folders can be assigned by any user that has the administrator rights. The rights can also be assigned using the Kerio WebMail interface and MS Outlook with Kerio Outlook Connector.

All types of public services (email, calendars, contacts, tasks, notes) in Kerio MailServer can be viewed only in MS Outlook extended by the Kerio Outlook Connector and in Kerio WebMail. Other email clients usually display only email folders (for detailed information about all supported email clients, see Kerio MailServer, User's Guide).

Step 7 — Quota

You can set limits for each user's mailbox.

Figure 8.8. New user addition — quota


Disk space

The maximum space for a mailbox. For greater ease in entering values you can choose between kilobytes (KB), megabytes (MB) or gigabytes (GB).

Number of messages

The maximum number of messages in the mailbox.

The value of either of these items can be set to 0 (zero), which means that there is no limit set for the mailbox.

The user quota prevents cluttering of the server disk. If either of the limits is reached, any new messages will be refused by the server.

When the quota is reached, the user will receive a warning message including a recommendation to delete some messages. It does not matter whether the quota was exceeded by the number of messages or by the reserved disk space capacity. The quota is reached at the moment when an incoming message (or an event, a contact or a task) exceeds one of these limits.

A threshold of 90 per cent of the quota value is set (90 per cent of the limit set for the number of messages or 90 per cent of the disk space reserved). When this threshold is reached, an informative message is sent to the particular user. This value can be edited manually in the Kerio MailServer's configuration file, as follows:

  1. Stop the Kerio MailServer Engine.

  2. In the directory where Kerio MailServer is installed, locate the mailserver.cfg file.

    If the file is being edited on Mac OS X or Linux operating systems, log in to the system as the root user (a special user with full access rights to the system).

  3. Open the mailserver.cfg file and look up the QuotaWarningThreshold value. The line is as follows:

    <variable name="QuotaWarningThreshold">90</variable>

  4. Change the value as needed and save the file.

  5. Run Kerio MailServer.

These warning messages are sent every 24 hours (not more frequently). Even if a user removes messages to get under the quota threshold and then exceeds it again, the next informative message will be sent 24 hours after the first informative message.

Note: When problems regarding quota settings arise, information obtained in the Debug log might help. The Debug log can be found in the Logs → Debug section of the administration console. To log information on the quota's behaviour, enable the Quota and Login Statistics option (see chapter 25.9  Debug log for details).

Step 8 — Advanced settings

This user can send/receive ...

Using this option, the administrator of Kerio MailServer can limit communication of the user to traffic on the local domain level. This feature may help solve issues of internal traffic in companies. By checking this option, a particular user will not be allowed to send messages to and/or receive messages from external domains.

Figure 8.9. Creating a new user — other user account settings


Maximum message size

Use this option to set the size limit for outgoing messages. The size limit can be either set for each user separately, or globally for the whole domain (see chapter 7.1  Initial settings). If no size limit is specified for the whole domain, it is recommended to set this option.

By setting the size limit, you can prevent the internet connection from being overloaded by emails with large attachments.

If both limits are set to 0, Kerio MailServer behaves the same way as if no limit was specified.

A limit set for a specific user has higher priority than limits applied to the entire domain.

Cleaned items

Kerio MailServer includes an option of setting a special rule for automatic deletion of all items older than a defined number of days (for a mailbox, or for an entire domain in domain settings). This rule applies to the Junk E-Mail and Deleted Items folders.

For more information on this feature, read section 7.5  Automated items clean-out.