Sending and Receiving Mail
12.8 Advanced Options
In the Configuration → Advanced Options section you can set several advanced parameters for the mailserver.
Miscellaneous
Figure 12.18 Miscellaneous
Log hostnames for incoming connections
Convert IP addresses of remote clients and servers connecting to Kerio Connect to DNS names (using reverse DNS requests). This makes logs more comprehensible but it can also decrease the performance of Kerio Connect.
Show program name and version...
Disable this option if you do not wish to reveal the version and name of the mailserver application for this domain.
Warning:
Kerio Connect must be restarted to activate or disable this option.
Insert X-Envelope-To header...
Defines whether the X-Envelope-To header will be inserted into messages delivered locally. X-Envelope-To carries the original recipient address taken from the SMTP envelope.
This option is especially useful if there is a domain mailbox in Kerio Connect.
Enable decoding of TNEF messages
TNEF (Transport Neutral Encapsulation Format) is a proprietary Microsoft format used to send messages with formatting extensions from MS Outlook. A winmail.dat file is attached to every message sent in this format; it contains a complete copy of the message in RTF along with all attachments. This means that if a user does not access their email via MS Outlook and a message with an attachment in this format is delivered to their mailbox, the attachment cannot be opened.
The TNEF decoder built into Kerio Connect decodes TNEF messages on the server side into standard MIME format and avoids the winmail.dat attachment difficulties.
Enable this option if users access their email with clients other than MS Outlook.
Note: If any problems with message decoding occur, the Debug log may help; enable the Message decoding option there. For details, see chapter 24.9.
Enable conversion of uuencoded messages to MIME
Uuencode (Unix-to-Unix Encoding) is an encoding method used for sending files by email. It encodes binary data into a text format so that the data can be inserted directly into message bodies. The main problem is that some email clients lack the decoder that decodes the encoded files and restores them to their original format.
Therefore, Kerio Connect includes a built-in Uudecode decoder (Unix-to-Unix decoding).
Email messages are decoded into standard MIME format on the server side so that users do not have to worry about this.
It is recommended to enable the Enable conversion of uuencoded messages to MIME option, especially if users access their mailboxes with Kerio WebMail or with MS Outlook and the Kerio Outlook Connector.
Note: If any problems with message decoding occur, the Debug log may help; enable the Message decoding option there. For details, see chapter 24.9.
Security Policy tab
Kerio Connect allows you to set a security policy, i.e. the minimum required security level.
These settings are made in the Configuration → Advanced Options section on the Security policy tab (see figure 12.19).
The menu at the top of the page allows you to choose from one of these policies:
No restrictions
Self-explanatory.
Require secure authentication
Figure 12.19 Security Policy tab
DIGEST-MD5, NTLM, or the user must use an SSL tunnel (by enabling SSL traffic in their email clients).
If users access their email through Kerio WebMail, where none of these authentication methods can be applied, the SSL-secured HTTP protocol is used automatically.
Once secure authentication is required, it is still possible to allow non-secured connections from a specified IP address group. This group can be selected from the existing groups, changed by clicking Edit, or created as a new one.
Warning:
Do not apply this method if user passwords are stored on the server in SHA format.
Require encrypted connection
When this option is activated, client applications must connect to every service over an encrypted connection (so the communication cannot be tapped).
SSL traffic must be enabled for all protocols on all client stations. For Kerio WebMail, the secured connection is set automatically upon a successful connection.
The only exception to this restriction is the SMTP protocol. Because many SMTP servers do not support SMTPS or STARTTLS, it is not possible to allow only the secure version of the protocol. To still provide sufficient security, the SMTP server requires secure password authentication for SMTP once the Require encrypted connection option is enabled: the name and password are still sent using one of the supported secure authentication methods.
After the security policy is defined, you can create an exception for a group of IP addresses from which a secured connection will not be required. This group can be selected from the existing groups, changed by clicking Edit, or created as a new one.
If you decide on this communication protection method, make sure that all users have a valid authentication certificate installed on their client stations (for more information, see chapter 16).
Permitted authentication methods
Kerio Connect supports the following methods of user authentication:
• CRAM-MD5 — password authentication method (using MD5 digests). This method is quite common and many email clients provide support for it.
• DIGEST-MD5 — password authentication method (using MD5 digests).
• LOGIN — user passwords are completely unprotected during transfer. If this method is used, it is strongly recommended to enable SSL tunnel connection.
• NTLM — this method can be used only if users are authenticated against an Active Directory domain. It applies only to user accounts that were imported from Active Directory. Configuration of NTLM authentication is addressed in chapter 27.
• PLAIN — user passwords are completely unprotected during transfer. If this method is used, it is strongly recommended to enable SSL tunnel connection.
• APOP — this authentication method is not displayed in the list; Kerio Connect uses it automatically when downloading POP3 accounts.
The server offers all of the authentication methods listed above, in the same order as listed (starting from CRAM-MD5). If the client supports the first offered method, the other methods are not used. However, a problem may occur if passwords are stored in the secure format (SHA1): with this storage format only the LOGIN and PLAIN authentication methods can be used. If you enable the secure CRAM-MD5 and DIGEST-MD5 methods, the client selects one of these secure methods and it will be impossible to log in to Kerio Connect. If passwords are stored in SHA format, disable all methods but LOGIN and PLAIN.
Further recommendations:
• If a client authentication method fails, it is recommended to disable it in Kerio Connect (uncheck it in the Enabled authentication methods list).
• For all authentication methods, it is recommended to enable SSL login in the mail clients.
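To verify what a Kerio Connect server actually advertises after the Security policy and Permitted authentication methods settings above are applied, the following added example (not Kerio code) parses an SMTP EHLO reply captured before STARTTLS and classifies the offered SASL mechanisms; the EHLO replies embedded below are constructed, and live_ehlo is an assumed helper for fetching a real reply with smtplib.

```python
"""Audit the SASL mechanisms an SMTP server advertises before STARTTLS.
Added example, not part of Kerio Connect; EHLO replies below are constructed."""
import smtplib

# Mechanisms that transmit the password unprotected (LOGIN, PLAIN in the manual).
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}
# Challenge-response mechanisms; the password itself never crosses the wire.
CHALLENGE_MECHS = {"CRAM-MD5", "DIGEST-MD5", "NTLM"}

def parse_ehlo(lines):
    """Return (starttls_offered, set_of_auth_mechanisms) from raw EHLO reply lines."""
    starttls, mechs = False, set()
    for line in lines:
        # EHLO reply lines look like "250-KEYWORD params" or "250 KEYWORD" (last line).
        body = line[4:].strip() if line[:3] == "250" else ""
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        key = keyword.upper()
        if key == "STARTTLS":
            starttls = True
        elif key == "AUTH":
            mechs.update(m.upper() for m in params.split())
        elif key.startswith("AUTH="):            # legacy "AUTH=PLAIN LOGIN" form
            mechs.update(m.upper() for m in (keyword[5:] + " " + params).split())
    return starttls, mechs

def assess(lines):
    """Summarise the pre-TLS offer so it can be compared with the intended policy."""
    starttls, mechs = parse_ehlo(lines)
    return {
        "starttls": starttls,
        # Anything here means a client can send its password in clear text.
        "plaintext_before_tls": sorted(mechs & PLAINTEXT_MECHS),
        "challenge_response": sorted(mechs & CHALLENGE_MECHS),
        # Only LOGIN/PLAIN work when the server stores passwords as SHA hashes.
        "usable_with_sha_passwords": sorted(mechs & PLAINTEXT_MECHS),
    }

def live_ehlo(host, port=25):
    """Assumed helper: fetch the pre-TLS EHLO feature list from a live server."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo("audit.example")
        return ["250-%s %s" % (k.upper(), v.strip()) for k, v in s.esmtp_features.items()]

# Constructed replies: "No restrictions" vs. "Require secure authentication".
OPEN_SERVER = ["250-mail.example.test Hello", "250-STARTTLS",
               "250-AUTH CRAM-MD5 DIGEST-MD5 LOGIN PLAIN", "250 OK"]
STRICT_SERVER = ["250-mail.example.test Hello", "250-STARTTLS",
                 "250-AUTH CRAM-MD5 DIGEST-MD5 NTLM", "250 OK"]
```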
For NTLM authentication to work, both the computer and the user account must be members of the domain used for authentication. NTLM (SPA) authentication must also be enabled in the users' mail clients.
To see what must be set in Kerio Connect for NTLM authentication to work smoothly, refer to chapter 27.
In the Account lockout section the following parameters can be defined (see figure 12.20):
Figure 12.20 Account lockout
Enable account lockout
When this option is selected, user accounts are locked according to the following rules.
These settings protect user accounts from being misused.
Count of failed logins...
Specify how many failed logins from one IP address are allowed.
Minutes to unlock locked account
Defines after how many minutes a locked account is unlocked automatically.
Use Unlock all accounts now to unlock all accounts previously locked.
Warning:
Locking of accounts after unsuccessful login attempts is not the same as blocking in the user account settings (see section 8.2).
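The lockout rule described above, replayed over constructed login events as an added example (not Kerio Connect code). It assumes that failures are counted per source IP, that the failure which reaches the configured count locks the targeted account for the configured number of minutes, and that a successful login resets the counter; the actual Kerio semantics may differ in these details.

```python
"""Replay of the account lockout rule over constructed login events.
Added example, not Kerio Connect code; counting semantics are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

class AccountLockout:
    def __init__(self, max_failed_logins, minutes_to_unlock):
        self.max_failed = max_failed_logins           # "Count of failed logins..."
        self.unlock_after = timedelta(minutes=minutes_to_unlock)
        self.failures = defaultdict(int)              # source IP -> consecutive failures
        self.locked_until = {}                        # account -> automatic unlock time

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:                              # "Minutes to unlock" elapsed
            del self.locked_until[account]
            return False
        return True

    def attempt(self, now, ip, account, password_ok):
        """Process one login attempt; return 'locked', 'ok' or 'failed'."""
        if self.is_locked(account, now):
            return "locked"                           # rejected even with a correct password
        if password_ok:
            self.failures[ip] = 0                     # assumption: success resets the counter
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failed:      # assumption: Nth failure locks
            self.locked_until[account] = now + self.unlock_after
            self.failures[ip] = 0
        return "failed"

    def unlock_all(self):
        """Equivalent of the 'Unlock all accounts now' button."""
        self.locked_until.clear()

# Constructed events: (seconds after start, source IP, account, correct password?)
EVENTS = [(0, "203.0.113.5", "alice", False), (5, "203.0.113.5", "alice", False),
          (10, "203.0.113.5", "alice", False), (15, "203.0.113.5", "alice", True),
          (15 + 10 * 60, "203.0.113.5", "alice", True)]

def replay(events, max_failed=3, minutes=10):
    """Return the outcome of each event under the given lockout parameters."""
    policy = AccountLockout(max_failed, minutes)
    t0 = datetime(2024, 1, 1)
    return [policy.attempt(t0 + timedelta(seconds=s), ip, acct, ok)
            for s, ip, acct, ok in events]
```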
Store Directory tab
The Store Directory tab contains the settings for the directory where messages, contacts, events, etc. (user and public folders) are stored. Private and public folders, logs, messages waiting to be sent and files currently being checked by the antivirus are saved in the store directory.
Path to the store directory
Define the absolute path to the store directory (in the form used by the operating system on which Kerio Connect is running). For technical reasons, the store directory must be located locally (i.e. on the server where Kerio Connect is running).
Enter the path in the text field or select it upon clicking on Select Folder.
If the data directory path needs to be changed, follow these instructions:
1. Create a new directory for the store.
2. In Kerio Connect Administration (Configuration → Advanced Options → Data store), specify the new path.
3. Stop Kerio Connect.
4. Move all files included in the data store to the new directory.
5. Run Kerio Connect.
Warning:
The Path to the store directory entry must not be a UNC path.
Watchdog Soft Limit
If the value specified is reached, Kerio Connect will automatically warn users about this fact upon each login to the administration interface. After the limit is reached, it will be
Watchdog Hard Limit
If this limit is reached, Kerio Connect Engine and Kerio Connect Monitor are stopped. However, it is still possible to log in to the Kerio Connect Administration interface.
Immediately after login, the critical limit error message is displayed. This information is also recorded in the Error log (for more information, see chapter 24.7).
Figure 12.21 Store Directory tab
Warning:
Do not set the hard limit to 0, otherwise an error message or warning will be displayed whenever new mail is delivered.
Changes in the paths take effect only after the Kerio Connect Engine is restarted. If you do not change these settings immediately after installing Kerio Connect, you will need to first stop the Engine, move the files from the old location to the new one, and then start the service again.
Master Authentication tab
The master authentication password is a special password that specific applications can use to access Kerio Connect accounts without knowing the individual account passwords.
Warning:
The Master Password cannot be used to access user accounts from email clients or via Kerio WebMail. It is not a universal administrator password (it cannot be used to authenticate to the Kerio Connect administration).
Master authentication settings can be defined on the eponymous tab under Advanced Options:
Figure 12.22 Master Authentication tab
Enable Master authentication
This option enables/disables Kerio Connect master authentication. It is recommended to enable master authentication only if it is actually going to be used.
Allow master authentication only from IP address group
Select or create the IP address group from which master authentication will be exclusively allowed. For security reasons, it is not possible to allow master authentication from any IP address. This group can be selected from the existing groups, changed by clicking Edit, or created as a new one.
Master Password
Define the password that will be used to access all accounts. This password should be known to as few people as possible. If the Master Password falls into the hands of an unauthorized person, the privacy of all user accounts on the server can be compromised!
Confirm password
The password confirmation is required to eliminate typos.
HTTP Proxy
If Kerio Connect runs on a host behind a firewall, it can be connected to the Internet via a proxy
Figure 12.23 HTTP Proxy tab
Use HTTP proxy for...
Enter the HTTP proxy address and the port on which the service is running.
Proxy server requires authentication
Username and password must be specified if the proxy server requires authentication.
Username
Enter the user name used to connect to the proxy server.
Password
Enter the password used to connect to the proxy server.
Update
This tab defines updates of Kerio Connect to new versions and automatic updates of the Kerio Outlook Connector and the Kerio Outlook Connector (Offline Edition):
Last update check performed...
Time since the last update check. The system checks for new versions of the product every 24 hours.
Click the Check now button to check for a new version. If a new version is found, you can download it; if no new version is available, you are notified.
Automatically check for new versions
This option enables automatic checking for a new version of Kerio Connect at the Kerio Technologies website.
If Kerio Technologies has released a new version, the Update tab will contain a link to the download web page.
Check also for beta versions
This option enables notifying users that a new beta version of Kerio Connect is available.
Figure 12.24 Update
Warning:
If you want to participate in beta version testing, enable the Check also for beta versions option. If Kerio Connect is used in production, beta versions are not recommended, so do not enable this option.
The installation package also includes automatic installations of the Kerio Outlook Connector, the Kerio Outlook Connector (Offline Edition) and the Kerio Sync Connector for Mac.
The Current version available for clients field displays information about the module versions currently in use (including build numbers).
• Kerio Outlook Connector — the package is updated for all users immediately upon update of the server.
• Kerio Outlook Connector (Offline Edition) — the package is updated for all users immediately upon update of the server.
• Kerio Sync Connector — users on client stations are informed about available updates for the Kerio Sync Connector. If they confirm the dialog, the program is updated.
Kerio Connect performs automatic update checks for the Kerio Outlook Connector and the
plug-in should be upgraded/downgraded. The correct version is installed upon confirmation.
If a user refuses to install a new version, the behaviour depends on whether the server version differs in the version number or only in the build number:
1. Build numbers differ — the plug-in starts along with MS Outlook, but before each startup of MS Outlook an alert is displayed informing the user that the plug-in should be updated.
2. Version numbers are different — the plug-in refuses to connect to the server until it is updated.
New versions of Kerio Outlook Connector, Kerio Outlook Connector (Offline Edition) and Kerio Sync Connector are stored in the directory
Kerio\MailServer\webmail\download
Warning:
Update of plug-ins requires the HTTP or the HTTPS service to be running.
A server certificate can also be created in the Kerio Connect administration interface. For detailed information, refer to chapter 16.
Note: If any problems with the update occur, enable the Update Checker Activity option in the Debug log settings (detailed information can be found in chapter 24.9). The logged information may help you resolve the problems.