8.2 Creating a user account

New local user accounts can be defined in the Accounts → Users section.

Figure 8.1 Users

First, choose a local domain in the Domain field, in which the accounts will be defined. Each domain may include local accounts as well as accounts saved in a directory service (e.g. Microsoft Active Directory). The list of users of the particular domain includes both types of accounts. However, only local accounts can be added (accounts for directory services must be created with the respective administration tools, e.g. Active Directory Users and Computers).

Some of the features of accounts within a directory service can be edited.

Warning:

If an account mapped from the directory service is deleted in the administration interface, the account is disabled in Kerio Connect.

The roles of each column of this window will be better understood through the following descriptions. The only exception — the Data source column — displays account types:

Internal — the account is stored in the internal user database.

LDAP — the account is saved in a directory service (Active Directory, Apple Open Directory).

To create a new user account, click on Add.

Template

If at least one template has been created for generating new accounts, select whether to add a local user or use a template. To create a new template for user accounts, go to Configuration → Definitions → User Templates. A template is especially useful for creating multiple user accounts at once that have some parameters in common (e.g. authentication type, quotas, etc.). Entering these common parameters once in a template can save a lot of time.

Figure 8.2 New user addition — a template

For information about creation of a new template, refer to chapter 8.11.

Users

Basic information

Login name

User login name (note: the domain must be the local primary domain; otherwise enter the full email address, e.g. [email protected], not only user).

The username is not case-sensitive.

Figure 8.3 New user addition — basic data

In login name, diacritics as well as some special symbols are not supported and are therefore not allowed in this entry.

Full name

The full name of the user (usually first name and surname). This option is required if the user data from this account are to be exported to a public contacts folder.

Description

User description (e.g. a position in a company). The Description entry is for informative purposes only. It can contain any type of information or it can be left blank.

Authentication

Possible authentication methods:

Internal user database

Users are only authenticated within Kerio Connect. In this case a password must be entered in the Password and Confirm Password fields (the user can then change his/her password in the Kerio WebMail interface).

Warning:

Passwords may contain printable symbols only (letters, numbers, punctuation marks). Passwords are case-sensitive.

Windows NT domain

Users are authenticated in a Windows NT domain. The NT domain name must be entered in the email domain properties (Windows NT domain in the Advanced tab). This authentication method can be used only if Kerio Connect is running on Windows 2000/XP/2003. For details, see chapter 7.7.

Kerberos 5

Users are authenticated in the Kerberos 5 authentication system.

PAM service

Authentication using the PAM service (Pluggable Authentication Module), available only in the Linux operating system.

Apple Open Directory

Authentication against the Apple Open Directory database (only for mailservers installed on a Macintosh). The option can be selected only if the user is mapped from Apple Open Directory.

Password / Confirm Password

Only the local user password can be entered or changed. We strongly recommend changing the password immediately after the account is created.

If the password contains special (national) characters, users of some mail clients will not be able to log in to Kerio Connect. It is therefore recommended to use only ASCII characters for passwords.

Account is enabled

Unchecking this option allows you to temporarily disable an account without deleting it.

This feature is not identical with account blocking set under Configuration → Advanced Options, on the Security Policy tab (see section 12.8). If the user enters an invalid password too many times in a row and the limit set on the Security Policy tab is reached, the account is blocked automatically. To unblock the accounts, use the Unlock all accounts now button on the Security Policy tab.

Enable a default spam filter ...

Upon creating a new user account, check this option to set the antispam rule. All incoming emails marked as spam will be automatically moved to the Junk mail folder.

The rule can be set up only during the process of user account creation. Filtering and rules for incoming email are addressed in Kerio Connect, User’s Guide.

Warning:

It is not recommended to create this rule when the user accesses emails via POP3.

Publish in Global Address List

The user’s full name and address will be published in the default public Contacts folder which is used as an internal source of company contacts (full names and email addresses).

The contact is added to the public folder only if Full Name is specified.

If users are mapped from Active Directory or Apple Open Directory, the entire LDAP database is synchronized every hour automatically. If you do not wish to synchronize a user to public contacts, uncheck this option.

Store password in high secure SHA format (recommended)

By default, user passwords are encrypted by DES. The Store password in highly secure SHA format option allows for a more secure encryption (SHA string). This option has one disadvantage — some methods of Kerio Connect access authentication (APOP, CRAM-MD5 and Digest-MD5) cannot be applied. The only methods available with this option are LOGIN and PLAIN (it is highly recommended to use only SSL connections for authentication).

If this option is enabled, it is necessary to change the user password. This can be done either by administrator or the user (e.g. by Kerio WebMail).
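Why the SHA option rules out challenge-response methods, as an added example that is not Kerio Connect code: CRAM-MD5 makes the server recompute a digest keyed with the password itself, which a one-way hash cannot supply, while PLAIN lets the server re-hash what the client sent. The salted SHA-256 record format and all function names are assumptions for illustration; the page does not specify the stored format.

```python
import hashlib
import hmac
import os

def make_sha_record(password: str) -> tuple[bytes, bytes]:
    """One-way record (salt, SHA-256(salt || password)). Assumed format."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()

def verify_plain(record: tuple[bytes, bytes], submitted: str) -> bool:
    """LOGIN/PLAIN: the client sends the password, so the server can re-hash it."""
    salt, digest = record
    candidate = hashlib.sha256(salt + submitted.encode()).digest()
    return hmac.compare_digest(candidate, digest)

def cram_md5_response(password: str, challenge: bytes) -> str:
    """Digest part of a CRAM-MD5 reply: HMAC-MD5 keyed with the password."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()

def verify_cram_md5(recoverable_password, challenge: bytes, response: str) -> bool:
    """The server must recompute the HMAC, which needs the password itself."""
    if recoverable_password is None:
        # Only a one-way hash is stored: there is no key for the HMAC.
        raise ValueError("CRAM-MD5 unavailable: password not recoverable")
    expected = cram_md5_response(recoverable_password, challenge)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = "correct horse"                        # constructed sample value
    challenge = b"<1896.697170952@mail.example.com>"  # constructed challenge
    response = cram_md5_response(password, challenge)
    record = make_sha_record(password)
    results = {
        "plain_ok": verify_plain(record, password),
        "plain_bad": verify_plain(record, "wrong"),
        "cram_with_recoverable": verify_cram_md5(password, challenge, response),
    }
    try:
        verify_cram_md5(None, challenge, response)
        results["cram_with_sha_only"] = "verified"
    except ValueError:
        results["cram_with_sha_only"] = "unavailable"
    return results

if __name__ == "__main__":
    print(demo())
```

Because LOGIN and PLAIN carry the password itself to the server, the connection they run over needs SSL, as this section recommends.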

Mail Addresses

In this step, all required email addresses of the user can be defined. The other addresses are called aliases. These can be defined either during the user definition or in Accounts → Aliases. We recommend using the first alternative — it is easier and the aliases are available through Active Directory.

Figure 8.4 New user addition — email addresses

If user accounts are maintained in Active Directory (see chapter 10.1), their aliases can be defined in Active Directory Users and Computers. Global aliases (in Accounts → Aliases) cannot be defined this way.

Forwarding messages to other addresses

Messages for a user can be forwarded to other email accounts if defined. If the Deliver messages to... button is activated, messages will be saved in the local account and forwarded to the addresses defined by the user (if not, messages will be forwarded only, not saved).

Figure 8.5 New user addition — forwarding messages to other addresses

Note: The same functionality can be achieved by aliases; however, setting this within the user definition dialog is smoother and easier to follow.

Groups

In this dialog window, you can add or remove groups of which the user is a member. Groups must be created first in the Accounts → Groups section. You can add users to groups during definition of groups. Therefore, it is not important which is created first — users or groups.

Figure 8.6 New user addition — groups

Access rights settings

Each user must be assigned one of the following three levels of access rights.

No rights

The user will not be granted any administration rights.

<your.domain> accounts

The user will be granted administration rights for user accounts, groups, aliases, mailing lists and resources in the domain their account belongs to. For more information refer to section 4.1.

Whole server read only

The user will be granted access rights to all accounts on the server without being allowed to edit them.

Whole server read/write

The user will be granted administration access rights to all accounts created in Kerio Connect.

Independently from the server administration rights, it is possible to use corresponding options to set rights for administration of Public Folders and Archive Folders.

User quota settings

You can set limits for each user’s mailbox.

Limit disk space

The maximum space for a mailbox. For greater ease in entering values you can choose between kilobytes (kB), megabytes (MB) or gigabytes (GB).

Limit item count

The maximum number of messages in the mailbox.

Figure 8.7 New user addition — quota

The value of either of these items can be set to 0 (zero), which means that there is no limit set for the mailbox.

The user quota prevents cluttering of the server disk. If either of the limits is reached, any new messages will be refused by the server.

When the quota is reached, the user will receive a warning message including a recommendation to delete some messages. It does not matter whether the quota was exceeded by the number of messages or by the reserved disk space. The quota is reached at the moment when an incoming message (or an event, a contact or a task) exceeds one of these limits.

A threshold of 90 per cent of the quota value is set (90 per cent of the limit set for the number of messages or 90 per cent of the disk space reserved). When this threshold is reached, an informative message is sent to the particular user. This value can be edited manually in the Kerio Connect configuration file, as follows:

1. Stop the Kerio Connect Engine.

2. In the directory where Kerio Connect is installed, locate the mailserver.cfg file.

If the file is being edited on Mac OS X or Linux operating systems, log in to the system as the root user (a special user with full access rights to the system).

3. Open the mailserver.cfg file and look up the QuotaWarningThreshold value. The line is as follows:

<variable name="QuotaWarningThreshold">90</variable>

4. Change the value as needed and save the file.

5. Run Kerio Connect.
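Steps 3 and 4 can be scripted so that the edit is validated and a rollback copy is kept; the following is an added example, not a Kerio tool. The function names, the 1 to 100 range check, the UTF-8 encoding and the extra line in the sample are assumptions; only the QuotaWarningThreshold line comes from this section.

```python
import re
import shutil
from pathlib import Path

# Matches the line shown in step 3; the rest of the file is left untouched.
_PATTERN = re.compile(
    r'(<variable name="QuotaWarningThreshold">)\s*(\d+)\s*(</variable>)'
)

def set_quota_warning_threshold(cfg_text: str, percent: int) -> tuple[str, int]:
    """Return (new_text, old_value); raise ValueError on anything unexpected."""
    if type(percent) is not int or not 1 <= percent <= 100:
        # Assumption: the value is a whole percentage of the quota.
        raise ValueError("threshold must be an integer from 1 to 100")
    matches = _PATTERN.findall(cfg_text)
    if len(matches) != 1:
        # Refuse to guess when the variable is missing or duplicated.
        raise ValueError(f"expected one QuotaWarningThreshold, found {len(matches)}")
    old = int(matches[0][1])
    new_text = _PATTERN.sub(
        lambda m: f"{m.group(1)}{percent}{m.group(3)}", cfg_text
    )
    return new_text, old

def update_file(cfg_path: str, percent: int) -> int:
    """Apply the change on disk; run only while the Kerio Connect Engine is stopped."""
    path = Path(cfg_path)
    text = path.read_text(encoding="utf-8")  # assumed encoding
    new_text, old = set_quota_warning_threshold(text, percent)
    shutil.copy2(path, path.with_name(path.name + ".bak"))  # rollback copy
    path.write_text(new_text, encoding="utf-8")
    return old

# Constructed sample: "SomeOtherSetting" is hypothetical filler.
SAMPLE = (
    '<variable name="SomeOtherSetting">1</variable>\n'
    '<variable name="QuotaWarningThreshold">90</variable>\n'
)

if __name__ == "__main__":
    updated, previous = set_quota_warning_threshold(SAMPLE, 80)
    print(f"previous={previous}")
    print(updated, end="")
```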

These warning messages are sent at most once every 24 hours (not more frequently). Even if

Note: When problems regarding quota settings arise, information obtained in the Debug log might help. The Debug log can be found in the Logs → Debug section of the administration interface. To log information on the quota’s behaviour, enable the Quota and Login Statistics option (see chapter 24.9 for details).

Messages

This user can send/receive...

Using this option, the administrator of Kerio Connect can limit communication of the user to traffic on the local domain level. This feature may help solve issues of internal traffic in companies. By checking this option, a particular user will not be allowed to send and/or receive messages from external domains.

Figure 8.8 Creating a new user — other user account settings

Maximum message size

Use this option to set the size limit for outgoing messages. The size limit can be either set for each user separately, or globally for the whole domain (see chapter 7.1). If no size limit is specified for the whole domain, it is recommended to set this option.

By setting the size limit, you can prevent the internet connection from being overloaded by emails with large attachments.

If both limits are set to 0, Kerio Connect behaves the same way as if no limit was specified.

A limit set for a specific user has higher priority than limits applied to the entire domain.