
SSL certificate

In document Administrator's Guide (Page 77-82)

The principle behind secure services in Kerio MailServer (services encrypted by SSL — e.g. HTTPS, IMAPS, POP3S, etc.) is that all communication between the client and the server is encrypted to protect it from tapping and to prevent misuse of the transmitted information. The SSL encryption protocol used for this purpose first uses an asymmetric cipher to exchange a symmetric key.

The asymmetric cipher uses two keys: a public one for encrypting and a private one for decrypting. As their names suggest, the public (encrypting) key is available to anyone wishing to establish a connection with the server, whereas the private (decrypting) key is available only to the server and must remain secret. The client, however, also needs to be able to identify the server (to find out if it is truly the server and not an impostor).

For this purpose there is a certificate, which contains the public server key, the server name, expiration date and other details. To ensure the authenticity of the certificate it must be certified and signed by a third party, the certification authority.

Communication between the client and server then follows this scheme: the client generates a symmetric key and encrypts it with the public server key (obtained from the server certificate). The server decrypts it with its private key (kept solely by the server).

Thus the symmetric key is known only to the server and client.
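The exchange described above, replayed step by step with the openssl command-line tool, as an added example that is not part of the manual (the manual does not mention openssl; it is assumed to be installed). The server owns an RSA key pair, the client wraps a fresh symmetric key with the public half, and only the holder of the private key unwraps it. All file names are constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the Kerio manual: the key exchange described above,
# replayed with the openssl command-line tool (assumed to be installed).
# The server owns an RSA key pair; the client generates a random symmetric key,
# encrypts it with the server's public key, and only the holder of the private
# key can recover it. All file names below are constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Server side: create the asymmetric key pair and publish the public half.
# (In Kerio, server.key holds the private key and server.crt carries the
# public key inside the certificate.)
server_generate_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/server.key" 2>/dev/null
    openssl pkey -in "$WORK/server.key" -pubout -out "$WORK/server.pub"
}

# Client side: generate a 256-bit symmetric key and encrypt it with the
# server's public key (RSA-OAEP). The ciphertext is what crosses the network.
client_wrap_session_key() {
    openssl rand -out "$WORK/session.key" 32
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/server.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/session.key" -out "$WORK/session.enc"
}

# Server side: recover the symmetric key with the private key.
server_unwrap_session_key() {
    openssl pkeyutl -decrypt -inkey "$WORK/server.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/session.enc" -out "$WORK/session.dec"
}

# Returns 0 when the server recovered exactly the key the client generated.
session_keys_match() {
    cmp -s "$WORK/session.key" "$WORK/session.dec"
}

# Returns 0 when the bytes on the wire differ from the symmetric key itself,
# i.e. an eavesdropper sees only the RSA ciphertext.
wire_bytes_are_not_the_key() {
    ! cmp -s "$WORK/session.key" "$WORK/session.enc"
}

# The whole exchange, in order; returns 0 when both sides hold the same key.
run_exchange() {
    server_generate_keys
    client_wrap_session_key
    server_unwrap_session_key
    session_keys_match
}

run_exchange && echo "symmetric key exchanged: server recovered the client's key"
```

The script only shows the key-transport idea; a real SSL handshake additionally binds the public key to the server's identity through the certificate, which is what the rest of this chapter is about.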

Note: To secure Kerio MailServer as much as possible, allow only SSL-secured traffic.

This can be set either by stopping all unencrypted services (see chapter 7) or by setting an appropriate security policy (refer to chapter 16.6). Once the server is configured, it is necessary to install the certificate (even a self-signed one) on the clients of all users using Kerio MailServer's services.

11.1 Kerio MailServer Certificate

To find out how these principles work in practice, look at Secure HTTP. Web browsers can display certificate information, as opposed to Secure POP3 or Secure IMAP, where such information will not be revealed.

When Kerio MailServer (version 6.0 and above) is run for the first time, it generates the self-signed certificate automatically. It is saved in the server.crt file in the sslcert folder where Kerio MailServer is installed. The second file in this directory, server.key,


If you attempt to access the Secure HTTP service immediately after installing Kerio MailServer, a security warning will be displayed with the following information (depending on your browser, the name of the computer, etc.):

Figure 11.1 Security Alert

• The certificate was not issued by a company defined as trustworthy in your configuration. This is caused by the fact that the certificate is self-signed. This warning will not be displayed if you install the certificate (you can do this because you know the certificate's origin).

• The certificate date is valid (the certificate is valid for a certain limited period, usually 1-2 years).

• The name of the certificate does not correspond with the name of the server. The certificate is issued for a certain server name (e.g. mail.ourcompany.com), which you must also use in the client (this certificate has been issued for a fictitious name keriomail).

This implies that you need your own certificate!
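The three checks behind that warning, reproduced with the openssl command-line tool as an added example that is not part of the manual (openssl is assumed to be installed). A self-signed certificate is generated for the fictitious host name keriomail, as in the default certificate, and then checked the way a client does: trusted issuer, validity period, and host name. The unrelated CA, the organization name and the paths are constructed.

```shell
#!/bin/sh
# Added example, not from the Kerio manual: the three checks behind the browser
# warning above, reproduced with the openssl command-line tool (assumed to be
# installed). A self-signed certificate is generated for the fictitious host
# name "keriomail", as in the default certificate, and then checked the way a
# client does: trusted issuer, validity period, host name. Paths are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The server's self-signed certificate, issued for CN=keriomail, valid 365 days.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=keriomail/O=Example Company" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# An unrelated CA certificate, standing in for the trust store of a client that
# has not installed server.crt.
make_other_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Unrelated CA" \
        -keyout "$WORK/other_ca.key" -out "$WORK/other_ca.crt" 2>/dev/null
}

# Check 1: was the certificate issued by someone in the client's trust store?
# $1 = file holding the certificates the client trusts
issuer_trusted() {
    openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# Check 2: is the certificate inside its validity period right now?
# -checkend 0 succeeds when the certificate has not expired yet.
dates_valid() {
    openssl x509 -in "$WORK/server.crt" -noout -checkend 0 >/dev/null
}

# Check 3: does the name the client connected to equal the certificate's CN?
# $1 = host name the user typed into the browser or mail client
name_matches() {
    cn=$(openssl x509 -in "$WORK/server.crt" -noout -subject -nameopt RFC2253 |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$1" ]
}

# All three checks with a report; returns 0 only if no warning would be shown.
# $1 = host name used by the client, $2 = the client's trust store
client_checks() {
    ok=0
    issuer_trusted "$2" && echo "issuer trusted: yes" || { echo "issuer trusted: no"; ok=1; }
    dates_valid         && echo "dates valid:    yes" || { echo "dates valid:    no"; ok=1; }
    name_matches "$1"   && echo "name matches:   yes" || { echo "name matches:   no"; ok=1; }
    return $ok
}

make_self_signed
make_other_ca
echo "-- client trusting only an unrelated CA, connecting to mail.ourcompany.com"
client_checks mail.ourcompany.com "$WORK/other_ca.crt" || true
echo "-- client that installed server.crt and uses the certificate's own name"
client_checks keriomail "$WORK/server.crt" || true
```

The first run fails the issuer and name checks, which is exactly the warning shown in Figure 11.1; the second passes all three because the client has installed the certificate and connects under the name it was issued for. Note that installing the self-signed certificate fixes only the first check: the host name still has to match, which is why a certificate issued for your real server name is needed.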

You can obtain your own certificate, which verifies your server’s identity, by two means.

You can create your own self-signed certificate (i.e. you will sign it yourself). This can be done in the Configuration/SSL Certificates section, where the current server certificate is displayed.


Figure 11.2 SSL Certificates

New...

Click on New to specify information about your server and your company. When confirmed, the server.crt and server.key files are created under sslcert.

The certificate you create will be original and will be issued to your company by your company (self-signed certificate). This certificate ensures security for your clients as it explicitly shows the identity of your server. The clients will be notified by their web browsers that the certification authority is not trustworthy. However, since they know who created the certificate and for what purpose, they can install it.

Secure communication is then ensured for them and no warning will be displayed again because your certificate has all it needs.

If you wish to obtain a “full” certificate you must contact a public certification authority (e.g. Verisign, Thawte, SecureSign, SecureNet, Microsoft Authenticode, etc.). The process of certification is quite complex and requires a certain expertise.

Kerio MailServer can generate a certificate request that can be exported, and the resulting file can be delivered to a certification authority.

Attention: A new certificate will be used the next time Kerio MailServer Engine is started. If you wish to use it immediately, stop the Engine and then start it again.

The New button can be used to create a new certificate (the New certificate option) or to request a new certificate (New certificate request). You will be asked to specify entries in the Generate Certificate dialog. The Hostname and Country entries are required fields.

Hostname — name of the host on which Kerio MailServer is running.

Organization Name — name of your organization.


Figure 11.3 Certificate Creation

Organization Unit — will be used only if the organization consists of more than one unit.

City — city where the organization’s office is located.

State or Province — state or province where your organization has its office(s).

Country — this entry is required.
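The same dialog fields mapped onto the X.509 subject components used by the openssl command-line tool, as an added example that is not part of the manual (openssl is assumed to be installed; the manual describes only the GUI). It produces the two artefacts the New button offers, a self-signed certificate and a certificate request, enforces the same two required fields, and adds the check an administrator wants before importing or activating a certificate: that the private key actually belongs to it. All values and paths are constructed.

```shell
#!/bin/sh
# Added example, not from the Kerio manual: the fields of the Generate
# Certificate dialog mapped onto the X.509 subject components used by the
# openssl command-line tool (assumed to be installed), so that an administrator
# can produce the same two artefacts outside the GUI: a self-signed certificate
# ("New certificate") or a certificate request to send to a certification
# authority ("New certificate request"). Only Hostname and Country are required,
# as in the dialog. All values and paths below are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the subject from the dialog fields; empty optional fields are omitted.
#   $1 Hostname (CN)   $2 Organization Name (O)   $3 Organization Unit (OU)
#   $4 City (L)        $5 State or Province (ST)  $6 Country (C)
build_subject() {
    if [ -z "$1" ] || [ -z "$6" ]; then
        echo "Hostname and Country are required" >&2
        return 1
    fi
    subj="/CN=$1"
    [ -n "$2" ] && subj="$subj/O=$2"
    [ -n "$3" ] && subj="$subj/OU=$3"
    [ -n "$4" ] && subj="$subj/L=$4"
    [ -n "$5" ] && subj="$subj/ST=$5"
    printf '%s\n' "$subj/C=$6"
}

# "New certificate": a self-signed certificate plus its private key, the
# equivalent of the server.crt and server.key files written under sslcert.
new_certificate() {
    subj=$(build_subject "$@")
    openssl req -x509 -newkey rsa:2048 -nodes -days 730 -subj "$subj" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# "New certificate request": a CSR to export and send to the certification
# authority. The private key is generated alongside it and never leaves the
# server; the CA returns a signed certificate to import and set as active.
new_certificate_request() {
    subj=$(build_subject "$@")
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$WORK/request.key" -out "$WORK/server.csr" 2>/dev/null
}

# Read back the subject of the certificate or the request (RFC 2253 form).
certificate_subject() {
    openssl x509 -in "$WORK/server.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}
request_subject() {
    openssl req -in "$WORK/server.csr" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Sanity check before importing or activating a certificate: the private key
# must belong to it (the public key derived from each must be identical).
# $1 = certificate file, $2 = private key file
key_matches_certificate() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Demo with constructed values: required fields only, then all fields filled.
new_certificate mail.example.com "Example Company" "" "" "" US
echo "self-signed subject: $(certificate_subject)"
key_matches_certificate "$WORK/server.crt" "$WORK/server.key" && echo "server.key matches server.crt"
new_certificate_request mail.example.com "Example Company" "IT" "Springfield" "Anystate" US
echo "request subject:     $(request_subject)"
```

Keep the key file generated together with a request: the certificate the authority returns is only usable with that key, and the key-match check above is the quickest way to confirm an imported certificate before setting it as active.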

View Certificate

Select a certificate and click on the View Certificate button to get details about the selection.

Figure 11.4 Certificate Details


Import...

Use this button to import a new certificate, regardless of whether it was certified by a certification authority or not.

Export...

Use this button to export an active certificate, a certification request or a private key. Using this option you can send an exported certificate request to a certification authority.

Remove

Using this button you can remove a selection (a certificate or a certification request).

Set as active

Use this button to set the selected certificate as active.
