Sending and Receiving Mail
16.6 Advanced Options
Domain(s)
A list of domains for which the server stores email. Separate individual domains using a semi-colon (;).
Figure 16.15 Setting parameters for accessing the server
Description
A commentary on the ETRN server definition. May be left blank.
Authentication is required
Enable this option if the server requires username/password authentication.
User, Password
The user name and password to authenticate with.
Use the Edit button to change the settings for server access and the Remove button to delete a server. To disable a server temporarily without deleting it, use the checkbox next to its definition.
The Options tab allows you to set the maximum time to wait for the dial-up line to respond.
16.6 Advanced Options
In the Configuration → Advanced Options section you can set several advanced parameters for the mailserver.
Miscellaneous tab
Figure 16.16 Miscellaneous tab
Log reverse DNS records...
Convert IP addresses of remote clients and servers connecting to Kerio MailServer to DNS names (using reverse DNS queries). This makes logs easier to read, but the extra lookups can reduce the performance of Kerio MailServer.
Don’t show program name and version...
Enable this option if you do not want the mailserver to reveal the name and version of the application.
Hide local IP in Received headers
Kerio MailServer will hide the local IP address (one included in the IP address group defined in the Relay Control tab of Configuration → SMTP server) in the Received part of the message header.
Each SMTP server that a message passes through inserts a Received entry into the header, specifying where the message came from, where it is going and which server received it. The earliest entry (the one nearest the bottom, added by the first server) therefore records the submitting client's IP address, together with its host name and, on some servers, the envelope sender. If the SMTP server is placed on a private network behind a firewall, the client's private IP address is inserted. Outgoing email messages can thus carry information about a private network that would normally be hidden from the Internet, and this information could make it easier for an attacker to map such networks. Only switch this option on if Kerio MailServer is installed on a private network behind a firewall (even if it runs on the same machine as the firewall).
This option is tied to relay control, which is how the mailserver recognizes local IP addresses. In relay control, a group of local IP addresses is usually used to define addresses from which mail can be sent to any domain (see chapter 16.2).
Note: If relay control is disabled or no local IP address group is defined, this option will have no effect.
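The following Python script is an added illustration of what the option does to a message; it is not Kerio's code. It takes a message whose bottom-most Received entry was written by an internal server and rewrites only the local addresses in Received headers, using a constructed "local IP address group" (192.168.1.0/24 and 10.0.0.0/8 are assumed values standing in for the Relay Control group) and an arbitrary placeholder, since the page does not say what text Kerio substitutes. The sample message is constructed for the example.

```python
import ipaddress
import re

# Constructed stand-in for the Relay Control "local IP address group".
# These networks are assumptions for the example, not values from the page.
LOCAL_IP_GROUP = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Dotted-quad IPv4 literal not glued to neighbouring digits or dots.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def is_local(ip_text):
    """True if the address belongs to one of the local networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_IP_GROUP)


def hide_local_ips(header_text, placeholder="hidden"):
    """Replace every local IPv4 address in one header value; keep public ones."""
    return IPV4_RE.sub(
        lambda m: placeholder if is_local(m.group(1)) else m.group(0),
        header_text,
    )


def scrub_received(raw_message):
    """Rewrite only the Received: headers (folded continuation lines included).

    The body and all other headers are left untouched: the option, as
    described, covers the Received field only.
    """
    head, sep, body = raw_message.partition("\n\n")
    out = []
    in_received = False
    for line in head.split("\n"):
        if not line[:1].isspace():            # start of a new header field
            in_received = line.lower().startswith("received:")
        out.append(hide_local_ips(line) if in_received else line)
    return "\n".join(out) + sep + body


# Constructed message: the bottom Received line was added by the internal
# server and records the submitting workstation's private address.
SAMPLE = (
    "Received: from mail.example.com (mail.example.com [203.0.113.5])\n"
    "\tby mx.example.net with ESMTP id k7Hx2\n"
    "Received: from pc42.corp.example.com (pc42.corp.example.com [192.168.1.42])\n"
    "\tby mail.example.com with ESMTPA id 3xQ9\n"
    "From: alice@example.com\n"
    "To: bob@example.net\n"
    "Subject: test\n"
    "\n"
    "hello\n"
)

if __name__ == "__main__":
    print(scrub_received(SAMPLE))
```

Note that the public address of the relay is kept, so the chain stays useful for tracing, while the private host name in the same line is not touched: the option hides the address only, which is worth knowing when internal host names are themselves sensitive.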
Insert X-Envelope-To header...
Defines whether the X-Envelope-To entry is inserted into the header of messages delivered locally. X-Envelope-To carries the original recipient address from the SMTP envelope, which is otherwise not preserved in the message. This option is useful especially if there is a domain mailbox in Kerio MailServer.
Enable decoding of TNEF messages
TNEF (Transport Neutral Encapsulation Format) is a proprietary Microsoft format used by MS Outlook to send messages with rich formatting. A message sent in this format carries a winmail.dat attachment containing a complete copy of the message in RTF along with all attachments. If a user who does not read email with MS Outlook receives a message with an attachment packed this way, the attachment cannot be opened.
The TNEF decoder built into Kerio MailServer converts TNEF messages on the server side into standard MIME format and so avoids the winmail.dat attachment difficulties.
Enable this option if any users read their email with a client other than MS Outlook.
Security Policy tab
Kerio MailServer allows setting of security policies, i.e. the minimum required security level. These settings can be established in the Configuration → Advanced Options section in the Security policy tab (see figure 16.17).
Figure 16.17 Security Policy tab
The menu at the top of the page allows you to choose from one of these policies:
No restrictions
No minimum security level is enforced.
Require secure authentication
Kerio MailServer will always require secure user authentication. This means that the authentication must be performed using one of these methods: CRAM-MD5, DIGEST-MD5 or NTLM, or else the user must connect through an SSL tunnel (by enabling SSL traffic in their email client).
If users access their email via Kerio WebMail, where none of these authentication methods can be used, SSL-secured HTTP is used automatically.
Once secure authentication is required, it is still possible to allow non-secured connections from a specified IP group. This group can be selected from the existing groups or a new one can be created. For details on IP group definition, refer to chapter 13.1.
Warning: Do not apply this policy if user passwords are stored on the server in SHA format. The challenge-response methods (CRAM-MD5, DIGEST-MD5) can only be verified against the cleartext password, so such users would no longer be able to log in (see Supported authentication methods below).
Require encrypted connection
When this option is activated, client applications can connect to any service only over an encrypted connection (so the communication cannot be tapped).
SSL traffic must be enabled for all protocols on all client stations. Kerio WebMail switches to the secured connection automatically once a client connects.
The only exception to this restriction is the SMTP protocol. Because many SMTP servers do not support SMTPS or STARTTLS, it is not possible to allow only the secure version of the protocol. To still provide sufficient security, the SMTP server requires secure password authentication when the Require encrypted connection option is enabled: the name and password are accepted only through one of the supported secure authentication methods.
After the security policy is defined, you can create an exception for a group of IP addresses for which the secured connection will not be required. For this purpose, either a new IP group can be created or an existing one selected. For information on IP address group settings, see chapter 13.1.
If you choose this protection method, make sure that a valid certificate for Kerio MailServer is installed and trusted on all client stations (for more information, see chapter 11).
Supported authentication methods
Kerio MailServer supports the following methods of user authentication:
• CRAM-MD5 — challenge-response password authentication (using HMAC-MD5 digests); the password itself is never sent. This method is quite common and many email clients support it.
• DIGEST-MD5 — challenge-response password authentication (using MD5 digests).
Figure 16.18 Authentication methods
• LOGIN — user passwords are completely unprotected during transfer. If this method is used, it is strongly recommended to use an SSL tunnel connection.
• NTLM — this method can be used only where users are authenticated against an Active Directory domain. It applies only to user accounts that were imported from Active Directory.
• PLAIN — user passwords are completely unprotected during transfer. If this method is used, it is strongly recommended to use an SSL tunnel connection.
• APOP — this method is not displayed in the list; Kerio MailServer uses it automatically when downloading POP3 accounts.
The server offers all of the enabled methods, in the order listed above (starting with CRAM-MD5), and a client picks the first one it supports; the remaining methods are then not tried. A problem arises if passwords are stored in the secure (SHA1) format: the server then no longer holds the cleartext password needed to verify a CRAM-MD5 or DIGEST-MD5 response, so only LOGIN and PLAIN can succeed. If CRAM-MD5 or DIGEST-MD5 remain enabled, a client supporting them will select one and the login to Kerio MailServer will fail. If passwords are stored in the SHA format, disable all methods except LOGIN and PLAIN (and protect them with SSL).
Further recommendations:
• If clients repeatedly fail to authenticate with a particular method, disable it in Kerio MailServer (uncheck it in the Enabled authentication methods list).
• Whichever authentication methods are used, it is recommended to enable SSL in the mail clients.
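The script below is an added example, not Kerio's implementation, covering both the security policies above and the authentication-method discussion. `offered_mechanisms` encodes the rules as the text states them (secure methods only on plain-text ports, everything inside SSL, plain-text POP3/IMAP refused under Require encrypted connection but SMTP kept open with secure authentication, and nothing but LOGIN/PLAIN possible with SHA1-stored passwords). The CRAM-MD5 functions implement the RFC 2195 exchange with Python's `hmac` module and show why the SHA1 case fails: the server has to recompute the digest from the cleartext password. NTLM is left out because it is verified against Active Directory rather than a stored password. The host name and user records are constructed.

```python
import base64
import hashlib
import hmac
import os
import time

SECURE_MECHS = ("CRAM-MD5", "DIGEST-MD5")  # challenge-response; password never crosses the wire
CLEARTEXT_MECHS = ("LOGIN", "PLAIN")       # password crosses the wire as sent


def offered_mechanisms(policy, protocol, tls, sha1_passwords):
    """Mechanisms a server applying the policies described above may offer.

    policy: "none", "secure_auth" or "encrypted"
    protocol: "smtp", "pop3" or "imap"
    tls: True when the session runs inside SSL/TLS
    sha1_passwords: True when the server stores only SHA1 hashes
    Returns a tuple of mechanism names, or None when the plain-text
    connection must be refused outright.
    """
    # A digest response can only be verified from the cleartext password,
    # so SHA1 storage removes the secure methods entirely.
    secure = () if sha1_passwords else SECURE_MECHS
    if policy == "none":
        return secure + CLEARTEXT_MECHS
    if tls:
        return secure + CLEARTEXT_MECHS       # the tunnel protects LOGIN/PLAIN
    if policy == "encrypted" and protocol != "smtp":
        return None                           # plain-text POP3/IMAP refused
    # "secure_auth" on a plain-text port, or the SMTP exception of "encrypted".
    # May be empty: that is the SHA1 lock-out the text warns about.
    return secure


def cram_md5_challenge(hostname="mail.example.com"):
    """Server side: a fresh, unpredictable challenge in the RFC 2195 form."""
    return "<%s.%d@%s>" % (os.urandom(8).hex(), int(time.time()), hostname)


def cram_md5_response(username, password, challenge):
    """Client side: base64("user" SP hex(HMAC-MD5(password, challenge)))."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(("%s %s" % (username, digest)).encode()).decode()


def cram_md5_verify(cleartext_passwords, challenge, response_b64):
    """Server side: recompute the digest, which needs the cleartext password.

    cleartext_passwords maps user name -> password as the server stores it.
    If the stored value is a SHA1 hash instead, the recomputed digest can
    never match and every CRAM-MD5 login fails.
    """
    try:
        username, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    except (ValueError, UnicodeDecodeError):
        return False
    password = cleartext_passwords.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    # Constructed user record and a full client/server round trip.
    users = {"alice": "s3cret"}
    challenge = cram_md5_challenge()
    print("S: 334", base64.b64encode(challenge.encode()).decode())
    response = cram_md5_response("alice", "s3cret", challenge)
    print("C:", response)
    print("S: 235 OK" if cram_md5_verify(users, challenge, response) else "S: 535 failed")
```

The replay check in the test (an old response against a new challenge) is the property that makes CRAM-MD5 "secure" in the sense the policy uses: a captured exchange cannot be reused, even though the underlying hash is MD5.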
Check Allow NTLM authentication for users with Kerberos authentication to allow users from Active Directory to authenticate when attempting to log in to Kerio MailServer. In order for the NTLM authentication to be functional, both the computer as well as the user account have to be parts of the domain used for authentication. The NTLM (SPA) authentication must be also enabled in users’ mail clients.
Warning:
• NTLM (SPA) can be used only on Windows operating systems. Linux and Mac OS operating systems do not support this type of authentication (see table 16.2).
• NTLM (SPA) authentication is not available if MS Outlook extended by the Kerio Synchronization Plug-in is used.
In the Account lockout section the following parameters can be defined (see figure 16.19):
Enable account lockout
When this option is selected, user accounts will be locked based on the following rules. These settings protect the user accounts from being misused.
Figure 16.19 Account lockout
Lockout user account...
The number of failed login attempts from one IP address that is tolerated before the account is locked.
Locked account becomes unlocked...
The time after which a locked account is unlocked automatically.
Use Unlock all accounts now to unlock all accounts previously locked.
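As an added example (not Kerio's code), the class below models the three settings above: failures are counted per account and source IP, the account is locked once the count reaches the limit, it unlocks by itself after the configured time, and Unlock all accounts now clears everything. Two details are assumptions the page does not state: a successful login resets the counter, and a correct password is refused while the lock is in force. The clock is passed in explicitly so the behaviour can be checked without waiting.

```python
from collections import defaultdict


class AccountLockout:
    """Account lockout after repeated failed logins from one source IP."""

    def __init__(self, max_failures=5, lockout_seconds=30 * 60):
        self.max_failures = max_failures          # "Lockout user account after ..."
        self.lockout_seconds = lockout_seconds    # "Locked account becomes unlocked after ..."
        self._failures = defaultdict(int)         # (account, ip) -> consecutive failures
        self._locked_until = {}                   # account -> unix time of automatic unlock

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:                          # lock expired: unlock automatically
            del self._locked_until[account]
            return False
        return True

    def attempt(self, account, ip, password_ok, now):
        """Process one login attempt; returns True only if it is accepted."""
        if self.is_locked(account, now):
            return False                          # refused regardless of the password
        if password_ok:
            self._failures.pop((account, ip), None)   # assumption: success resets the count
            return True
        self._failures[(account, ip)] += 1
        if self._failures[(account, ip)] >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures.pop((account, ip), None)
        return False

    def unlock_all(self):
        """Equivalent of the "Unlock all accounts now" button."""
        self._locked_until.clear()
        self._failures.clear()


if __name__ == "__main__":
    # Constructed scenario: three bad passwords from one address lock "alice".
    lock = AccountLockout(max_failures=3, lockout_seconds=600)
    t = 1_700_000_000
    for i in range(3):
        lock.attempt("alice", "203.0.113.7", False, t + i)
    print("locked:", lock.is_locked("alice", t + 3))
    print("after 10 min:", lock.is_locked("alice", t + 603))
```

Because the lock applies to the account and not to the offending address, anyone who knows a user name can lock that user out by sending a few bad passwords; the automatic unlock time bounds how long that denial of service lasts, which is the trade-off to weigh when choosing the two values.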
Store Directory tab
The Store Directory tab contains the settings of the directories used for message storage (user and public folders) and backup. Private and public folders, logs, messages queued for sending and files currently being checked by the antivirus are all saved in the store directory.
Path to the store directory
Define the absolute path to the store directory (according to the operating system on which Kerio MailServer is running).
Watchdog Soft Limit
If the value specified is reached, Kerio MailServer will warn the administrator about it upon each login to the administration console. Reaching the limit is also recorded in the Error log (for more information, see chapter 23.6).
Watchdog Hard Limit
If this limit is reached, Kerio MailServer Engine and Kerio MailServer Monitor are stopped. Kerio Administration Console can still be run; immediately after login, the critical limit error message is displayed. This is also recorded in the Error log (for more information, see chapter 23.6).
Figure 16.20 Store Directory tab
Warning: Do not set the hard limit to 0, otherwise an error message or warning will be displayed whenever new mail is delivered.
Changes to the paths take effect only after the MailServer Engine is restarted. If you do not change these settings immediately after installing Kerio MailServer, you will need to stop the Engine first, move the files from the old location to the new one, and then start the service again.
Master Authentication tab
The master authentication password is a special password. It can be used by specific applications to access Kerio MailServer accounts without knowing the individual account passwords.
A typical application using master authentication is the Kerio Exchange Migration Tool.
This tool needs to access individual accounts to perform the migration. Correct master authentication settings enable the migration tool to access any account without having to specify passwords for individual accounts (more details in chapter 37).
Warning:
1. The Master Password cannot be used to access user accounts from email clients or via Kerio WebMail, and it is not a universal administrator password (it cannot be used to authenticate to the Administration Console).
2. Since Kerio MailServer 6.0.5, the Master Password is stored in the new SHA format. For this reason, the original password will not work after the server configuration is transferred to an older version and must then be changed.
Master authentication settings can be defined in Configurations → Advanced Options.
Figure 16.21 Master Authentication tab
Enable master authentication...
This option enables/disables Kerio MailServer master authentication. We recommend keeping this option disabled unless it is needed (e.g. by the Kerio Exchange Migration Tool).
Allow master authentication only from IP address group
Select an IP address group where master authentication will be exclusively allowed.
The group must be first defined in Configurations → Definitions → IP address groups (see chapter 13.1). For security reasons it is not possible to allow master authentication from any IP address. You can simply add a new IP group using the Add button.
Master Password
Define the password that will be used to access all accounts. It should be known to as few people as possible: if the Master Password falls into the hands of an unauthorized person, the privacy of every user account on the server is compromised.
Confirm password
The password confirmation is required to eliminate typos.
HTTP Proxy
If Kerio MailServer runs on a host behind a firewall, it can connect to the Internet via a proxy server. This can be useful, for example, for downloading upgrades and for checking for new versions of Kerio MailServer or the antivirus application.
Use HTTP proxy for ...
Insert HTTP proxy address and port on which the service is running.
Figure 16.22 HTTP Proxy tab
Proxy server requires authentication
Username and password must be specified if the proxy server requires authentication.
Username
Insert your user name to connect to the particular proxy server.
Password
Correct password must be specified for a successful connection.
Update Checker tab
This tab lets administrators manage Kerio MailServer version updates.
Figure 16.23 Update Checker tab
Check for new versions of...
Check this option to enable the automatic updates of Kerio MailServer. New versions of Kerio MailServer are stored in the /store/temp directory, where Kerio MailServer is installed.
Check also for beta versions
This option checks for new beta versions of Kerio MailServer.
Note: If you want to participate in beta version testing, enable the Check also for beta versions option. If Kerio MailServer is used in production, beta versions are not recommended; do not enable this option.
Last update check performed ...
Time since the last update check. The system checks for new versions of the product every 24 hours.
Click the Check now button to check for the new version. When the new version is found, the user can download it. If no new version is available, the user is notified.
If a new version has been released by Kerio Technologies, the Update tab will contain a link to the download web page. The installation package also contains automatic installations of Kerio Outlook Connector and Kerio Synchronization Plug-in:
Kerio Outlook Connector is updated automatically. The Current version available for clients field displays the information about the version currently used.
New Kerio Outlook Connector versions are stored in the Kerio\MailServer\webmail\download
Kerio Synchronization Plug-in is updated the same way as Kerio Outlook Connector. The Current version available for clients field displays the information about the version currently used.
New Kerio Synchronization Plug-in versions are stored in the directory Kerio\MailServer\webmail\download
Warning:
• In order to perform an automatic upgrade of Kerio Outlook Connector and Kerio Synchronization Plug-in, the HTTP or HTTPS service must be running.
• If only HTTPS traffic is allowed in Kerio MailServer (e.g. for security reasons), a trusted Kerio MailServer certificate must be installed in Internet Explorer on all clients (a self-signed certificate can be used). Otherwise the clients will not update automatically.
WebMail
In Kerio Administration Console, several parameters for Kerio WebMail can be set (see figure 16.24):
Figure 16.24 WebMail
Message size limit
Setting of maximal message size can be used for the following purposes:
• to limit the size of attachments sent to Kerio WebMail by an HTTP POST request,
• to set maximal size of memory allocated in Kerio MailServer to each HTTP POST request.
For better understanding of the limit, here is an explanation of how a message written in Kerio WebMail is sent to Kerio MailServer. Each new message composed in the web interface is sent by a browser via HTTP protocol using an HTTP POST request to Kerio WebMail. The interface receives the message and processes it so that Kerio MailServer can send it to the addressee by SMTP protocol.
Each HTTP POST request contains one message including the message body, all headers and attachments. The limit set by this option caps the size of any HTTP POST request directed to Kerio WebMail, so the limit on requests also limits the size of email messages.
The size limit for HTTP POST requests is applied to any files sent from Kerio WebMail to Kerio MailServer and to all Kerio MailServer users. The default value for the maximal size of messages sent from Kerio WebMail is 20 MB. This limit should generally be sufficient.
The minimal value for the limit is 2 MB. If any lower limit is entered in the Maximum size of messages that can be sent entry, the 2 MB value is set automatically.
If a message includes attachments, they are encoded with Base64.
This encoding can increase the size of the transmitted data by up to one third (in the case of binary data). This means that, for example, the minimal 2 MB limit may allow attachments of only about 1 to 1.5 MB.
Kerio MailServer must reserve memory for each HTTP POST request, and the larger the request, the more memory must be allocated. The allocated memory therefore changes along with the size limit.
Warning: Whenever the limit is changed, Kerio MailServer must be restarted, since the memory allocation changes as well.
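To make the Base64 overhead concrete, here is an added Python example (not Kerio's code) that builds a MIME message with Python's standard `email` library and measures its size on the wire, applying the 2 MB floor described above. `largest_attachment` inverts the encoding arithmetic (4 bytes per 3, plus a CRLF after every 76 characters) to estimate the biggest raw file that fits under a given limit; the 4 KB header allowance and the addresses are assumptions for the example.

```python
import math
from email.message import EmailMessage
from email.policy import SMTP

MIB = 1024 * 1024
MIN_LIMIT = 2 * MIB          # anything lower is raised to 2 MB by the server
DEFAULT_LIMIT = 20 * MIB


def effective_limit(configured_bytes):
    """Apply the 2 MB floor the text describes."""
    return max(configured_bytes, MIN_LIMIT)


def base64_body_size(raw_len, line_len=76):
    """Bytes on the wire for raw_len bytes of Base64 with CRLF-terminated lines."""
    chars = 4 * math.ceil(raw_len / 3)
    return chars + 2 * math.ceil(chars / line_len)


def largest_attachment(limit_bytes, header_allowance=4096):
    """Largest raw attachment that still fits under the POST limit (estimate).

    Inverts base64_body_size: 3/4 for the encoding, 76/78 for the line breaks.
    header_allowance is an assumed reserve for headers and MIME boundaries.
    """
    usable = limit_bytes - header_allowance
    return int(usable * 3 / 4 * 76 / 78)


def build_message(attachment_bytes):
    """One message with a short text part and one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"           # constructed addresses
    msg["To"] = "bob@example.net"
    msg["Subject"] = "Report"
    msg.set_content("See attachment.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename="report.bin")
    return msg


def wire_size(msg):
    """Size of the message as it would travel, with CRLF line endings."""
    return len(msg.as_bytes(policy=SMTP))


def fits(attachment_bytes, limit_bytes):
    """Would a message carrying this attachment pass the configured limit?"""
    return wire_size(build_message(attachment_bytes)) <= effective_limit(limit_bytes)


if __name__ == "__main__":
    for raw in (1_000_000, 1_400_000, 1_600_000):
        print(raw, "raw bytes ->", wire_size(build_message(b"\xff" * raw)),
              "on the wire; fits under 2 MB:", fits(b"\xff" * raw, MIN_LIMIT))
    print("largest attachment under 2 MB, about", largest_attachment(MIN_LIMIT), "bytes")
```

Running it shows that a 1.5 MB (1 572 864 byte) binary already exceeds 2 MB once encoded, which is why the text's "1 to 1.5 MB" figure is the upper end; the same arithmetic scales to any limit an administrator enters.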
Session security
Session security depends on how users end their connection to Kerio WebMail. Users often simply close their browsers without logging out of Kerio WebMail. The session then stays open and can be misused more easily (the longer it lives, the greater the risk). For this reason a session timeout can be set: if the session stays idle for longer than the timeout, the connection to the server is closed automatically. By default, the timeout is set to one hour.
The Force WebMail logout if user’s IP address changes option protects the session in another way. A user's session may be hijacked by an attacker (especially if SSL-secured HTTP is not used) to access the server. An attacker joining the session changes the client's IP address. If the Force WebMail logout if user’s IP address changes option is enabled, Kerio MailServer detects the change of IP address and terminates the session.
Warning:
• The “anti-hijack” protection must be disabled if Kerio MailServer users share their accounts. The option disallows connection to a single account from multiple hosts (IP addresses) at a time.
• The “anti-hijack” protection also cannot be applied if your ISP changes IP addresses during the connection (e.g. in case of GPRS or WiFi connections).
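The session store below is an added example, not Kerio's code, showing the two protections together: an idle timeout measured from the last request (one hour by default, as in the text) and optional binding of the session to the IP address it was created from. When the binding is on, a request from a different address does not merely fail; it terminates the session, so the hijacker and the legitimate user are both logged out, which is the behaviour the warnings above describe for shared accounts and roaming connections. Tokens, addresses and timestamps are constructed; the clock is passed in so the timeout can be tested without waiting.

```python
import secrets


class WebMailSessions:
    """Idle timeout plus optional IP binding for a web session store."""

    def __init__(self, idle_timeout=3600, bind_to_ip=True):
        self.idle_timeout = idle_timeout    # seconds of inactivity before logout
        self.bind_to_ip = bind_to_ip        # "Force WebMail logout if user's IP address changes"
        self._sessions = {}                 # token -> {"user", "ip", "last_seen"}

    def login(self, user, ip, now):
        """Create a session and return the unguessable token for the cookie."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "ip": ip, "last_seen": now}
        return token

    def logout(self, token):
        self._sessions.pop(token, None)

    def request(self, token, ip, now):
        """Validate one request. Returns (user, None) or (None, reason)."""
        s = self._sessions.get(token)
        if s is None:
            return None, "no such session"
        if now - s["last_seen"] > self.idle_timeout:
            self.logout(token)              # browser closed without logout: expires anyway
            return None, "idle timeout"
        if self.bind_to_ip and ip != s["ip"]:
            self.logout(token)              # anti-hijack: terminate, do not just refuse
            return None, "ip changed"
        s["last_seen"] = now                # activity extends the session
        return s["user"], None

    def active(self):
        return len(self._sessions)


if __name__ == "__main__":
    # Constructed scenario: a captured token is replayed from another address.
    store = WebMailSessions()
    t = 1_700_000_000
    token = store.login("alice", "198.51.100.10", t)
    print(store.request(token, "203.0.113.77", t + 10))     # attacker: (None, 'ip changed')
    print(store.request(token, "198.51.100.10", t + 20))    # victim: (None, 'no such session')
```

With `bind_to_ip=False` the same store reproduces the behaviour needed for connections whose address changes mid-session (GPRS, roaming WiFi), at the cost of the hijack check; the idle timeout is then the only protection left for a browser that was closed without logging out.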
Select a logo for Webmail
At the top of each page of Kerio WebMail, Kerio Technologies logo is displayed.