Kerio MailServer 6

Step-by-Step

Kerio Technologies

 Kerio Technologies. All Rights Reserved.

This guide provides detailed description on Kerio MailServer, version 6.7. All additional
modifications and updates reserved.
For current versions of the product and related manuals, check
http://www.kerio.com/kmsdwn.

Information regarding registered trademarks and trademarks are provided in appendix A.

Contents

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1
Before you start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.1
Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.2
Mac OS X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.3
Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.4
Configuration Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Server configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.1
Starting Kerio MailServer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2
Starting the Kerio Administration Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.3
Setting domain and user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.4
Setting connection to the Internet and to the SMTP server . . . . . . . . . . . . . . . . . 11
3.5
Antispam control of the SMTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.6
Antivirus control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.7
Email backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Settings of client applications and connection to Kerio WebMail . . . . . . . . . . . . . . .

4.1
Connection to Kerio WebMail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.2
MS Outlook settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.3
MS Entourage settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Legal Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

7
7
7
8
8

14
14
14
16

Chapter 1

Introduction

This document is a simple guide focused on description of Kerio MailServer configuration

applied immediately upon its first installation and startup in the network. To make the guide
as comprehensible as possible, let us see an exemplary implementation of Kerio MailServer
(see figure 1.1):

Figure 1.1 Example of Kerio MailServer implementation

1.

Install Kerio MailServer on a separate server (no other services will be run on it) and run it
in a local firewall-protected network.

2.

Kerio MailServer will be connected to the Internet via a leased line. Email will be received
and sent vie SMTP. For this reason, it is necessary to enable antivirus and antispam control.

3.

Kerio MailServer will be used for a single domain called company.com. The server will be
installed and run in the local network, on a host with IP address 192.168.1.10 and DNS
name mail.company.com.

4.

In the internal user database, there will be created only one local account used for administration of Kerio MailServer. Any other user accounts will be mapped from the Microsoft
Active Directory directory service (the same method can be used for the Apple Open Directory).
4

1.1 Before you start

Name of the Active Directory domain will be the same as the name of the email domain
and the name of the Kerberos realm.
5.

The server will be available both from the local network and from the Internet. For security
reasons, however, only SSL/TLS-secured Internet connections will be allowed.

6.

All undelivered email (messages where the part preceding the @ symbol in the address is
not valid) will be sent to admin@company.com.

7.

Enable the Kerio MailServers dual antivirus control. We will use the integrated McAfee
antivirus (license of Kerio MailServer with McAfee is required) and the external Clam AntiVirus which will be installed on the same computer as Kerio MailServer.

8.

All email will saved and backed-up in a local archiving folder once a week.

9.

Users will access their email via Kerio WebMail, MS Outlook extended with the Kerio Outlook
Connector and with the Kerio Outlook Connector (Offline Edition). MS Entourage will be
used on Mac OS X..

The exemplary configuration can be easily customized. For detailed information on setting of
individual features of Kerio MailServer, refer to Kerio MailServer, Administrators Guide, chapterDeployment Examples. The whole document can be downloaded from the Kerio Technologies website at http://www.kerio.com/kms-manual.

1.1 Before you start

Before you start the installation and configuration, prepare your environment as follows:

Set DNS MX records

Although Kerio MailServer is located in a private network, email will be sent and received to
and from the Internet. Therefore, it is necessary to set the corresponding record in the public
DNS for a public IP address assigned by the provider (in this example, the 215.75.128.33 IP
address will be used). In the local network it is necessary to assign the mail.company.com
name the local IP address 192.168.1.10. The private address will be set in the local DNS.

Chapter 1 Introduction

If no backup server is set, a public server log can be as follows:

company.com
mail.company.com

MX
A

10

mail.company.com
215.75.128.33

Firewall configuration
Kerio MailServer is installed in a local network behind a firewall. In addition to the mailservers
configuration, it is also necessary to perform corresponding additional settings of the firewall.
If the MailServer is to be accessible from the Internet, certain ports have to be opened (mapped)
in the firewall. Each mapped port might introduce security problems. Therefore, map ports
only for those services which you want to make available from the Internet.
In the case of our network environment, it is necessary to map port 25 (a default port for the
SMTP service). This setting is required for cases where an MX record for the particular domain
is addressed to the server. Any SMTP server on the Internet can connect to your SMTP server
to send email to one of its domains. For this reason access to the mapped port 25 must not
be restricted to particular IP addresses.
Now, it is necessary to map ports that will be used for connections out of the local network.
Since the security risk is higher here, only SSL/TLS-secured services will be mapped. Settings
are shown in table 1.1.
Service (default port) Outgoing connection Incoming connection
SMTP (25)

allow

allow

SMTPS (465)

allow

allow

POP3 (110)

allow

deny

POP3S (995)

allow

allow

IMAP (143)

allow

deny

IMAPS (993)

allow

allow

NNTP (119)

allow

deny

NNTPS (563)

allow

allow

LDAP (389)

allow

deny

LDAPS (636)

allow

allow

HTTP (80)

allow

deny

HTTPS (443)

allow

allow

Table 1.1

Services to be allowed on the firewall

Chapter 2

Installation

Kerio MailServer supports three types of operating systems. You can choose from Windows,
Mac OS X and Linux.
List of versions (or distribution packs) of the operating systems supported by Kerio MailServer
can be found at Kerio Technologies website (http://www.kerio.com/kms).
It is necessary to install a special additional installation package on any operating system (as
for Linux, two packages are in question). All installation packages can be downloaded from
the Kerio Technologies website at http://www.kerio.com/kmsdwn/.
Once a corresponding installation package is downloaded, the installation can be started. Installations differ by operating system:

2.1 Windows
Once the installation package is downloaded, run the installation under a user with administration rights for the operating system.
Standard wizard is used for the installation. Kerio MailServer is installed under the following
directory:
C:\Program Files\Kerio\MailServer
When the installation is completed, the configuration wizard is started (see section 2.4).

2.2 Mac OS X
Once the installation package is downloaded, run the installation under a user with administration rights for the operating system (the installation program requires authentication). The
installation package is opened as a disk in the Finder application and an executable installation
file is offered.
In the standard installation wizard select the Easy Install option to start complete installation
of the product to the /usr/local/kerio/mailserver directory.
When the installation is completed, the configuration wizard is started (see section 2.4).

Chapter 2 Installation

2.3 Linux
Kerio MailServer is distributed in two RPM or DEB packages which include the server and the
administration console.
The installation must be performed by a user with root rights. Kerio MailServer Engine is installed to /opt/kerio/mailserver and the Kerio Administration Console to
/opt/kerio/admin.
To install RPM packages, use this command:
# rpm -i <installation_file_name>
In case of the recent versions of the distributions, problems with package dependencies might
occur. In this case, install package compat-libstdc++
To install DEB packages, use this command:
# dpkg -i <installation_file_name.deb>
It is recommended to read carefully the LINUX-README file immediately upon the installation.
The file can be found in
/opt/kerio/mailserver/doc

2.4 Configuration Wizard

Since the identical configuration wizard is used for all operating systems, the following instructions also apply to all of them:
On Windows and Mac OS X, the configuration wizard is opened automatically upon a successful
installation of Kerio MailServer. On Linux, it is necessary to run the wizard by using the
following command:
cd /opt/kerio/mailserver/cfgwizard
Warning
The Kerio MailServer Engine must be stopped while the configuration wizard is running.
The following parameters are to be set in the configuration wizard:
1.

On the first page, create an email domain and specify Internet name of the server.

2.

In the next step of the wizard, create an administration account. Keep the Admin as name
and enter password. Memorize the name and password defined in this dialog well since
they will be later used for authentication to theKerio MailServers administration console.

3.

The next dialog of the wizard allows setting of location of the data store. In this directory,
all user accounts and server logs will be stored.

4.

In the last dialog, a summary of the parameters just set is provided. When this dialog is
closed, a notice of the successful completion of the installation is displayed.

Chapter 3

Server configuration

3.1 Starting Kerio MailServer

On Windows and Mac OS X, Kerio MailServer is automatically started upon a successful installation, while on Linux, the server must be run by hand.
Starting and stopping of the server depends on the operating system where Kerio MailServer
is installed, as follows:
Windows
To run Kerio MailServer, use the icon which appeared in the notification area of the system toolbar.
To open a pop-up context menu, right-click on the icon. The Start/Stop Kerio MailServer
options can be used to either run or stop the server.
Linux
The following commands can be used to stop, run or restart Kerio MailServer:
/etc/init.d/keriomailserver start
/etc/init.d/keriomailserver stop
/etc/init.d/keriomailserver restart
Mac OS X
On Mac OS X, Kerio MailServer can be started or stopped by using the Kerio MailServer
Monitor (its startup icon is available in the Other section of System Preferences). Username
which must belong to the Admins group and password is required for stopping or running
of the service. Once authenticated, clicking Stop or Start is sufficient.

3.2 Starting the Kerio Administration Console

Kerio Mailserver is configured through the Kerio Administration Console application. The
method of starting of the administration console depends on the operating system where
the application is installed:
Windows
On Windows, the administration console can be run by clicking on the Kerio MailServer
Monitors icon displayed in the notification area of the system toolbar. To run the administration console, double-click on this icon.

Chapter 3 Server configuration

Linux
The Kerio MailServers administration program can be started by the kerioadmin script
stored under the /usr/bin directory (the path to this directory is set by default in the
system).
Mac OS X
To start the administration console, click on the Administration Console icon in Applications Kerio MailServer.
Once the program is started, the administration window of the Kerio Administration Console
and the New connection dialog box appear. Use the dialog box to enter the login data defined
in the configuration wizard (see chapter 2).
On any operating system, click on Connect to open the Kerio MailServers administration window. Upon the first authentication, a product registration dialog is displayed. It is possible to
register either the full product version or the trial version charge-free technical supported
is available for any registered version. This support is available during the whole period of the
products validity, either of the full or of the trial version.
Note
The Save as option can also be used to save the connection.
Besides the connection administration, the Kerio Administration Console window allows also perform language localization settings for the administration program. Localization settings can be changed under Tools Options.

3.3 Setting domain and user accounts

Email domains are configured in the Configuration Domains section. This section already
includes the domain created in the configuration wizard.

Mapping of user accounts and groups from a directory service

1.

On the domain server, install the Kerio Active Directory Extension which is available for
free at the Kerio Technologies website. This application extends the directory service by
certain Kerio MailServers features.

2.

In the Kerio MailServers administration console, open the Configuration Domains section.
Open the domain created within the installation by clicking on the Edit.

3.

Go to the Directory Service tab and enter domain servers information. Enable mapping by
checking the Map user accounts and groups from a directory service to this domain option.
Select Active Directory as the directory service type. In the Hostname entry, specify DNS
name or IP address of the domain server. Use the Username entry to specify a username
with read and write rights for the Active Directorys LDAP database.
10

3.4 Setting connection to the Internet and to the SMTP server

Use the Test connection button to test whether all parameters have been set correctly to
allow Kerio MailServer connect to the Active Directorys domain controller.
4.

Switch to the Advanced tab. It is necessary that Kerberos realm is defined in the Kerberos
5 entry on this tab. The upper-case is set automatically for the name.

Once mapping is set, open the Domain Settings User Accounts section. User list will include
all mapped users and one local account for Kerio MailServer administration.
The user groups can be mapped in a similar way as users. Groups are administered in Domain
Settings Groups.

Setting an alias for undeliverable email

Aliases ca be defined in the Domain Settings Aliases section.
1.

Click on Add.

2.

This opens a dialog where a new alias can be added. In the Alias entry, enter the * symbol.
In the E-mail address textfield specify the address of the mailbox where any undeliverable
email will be sent.

3.

Once the alias is saved, you can test it by the Check address button available in the Aliases
section.

3.4 Setting connection to the Internet and to the SMTP server

Anyone can connect to the SMTP server to send messages to local domains. Sending of messages to other domains will be restricted to local users only. Users connected from the Internet
will be prompted to authenticate on the SMTP server by username and password. This setting
can be done on the Relay Control under Configuration SMTP server:
1.

On the tab, enable the Allow relay only for option.

2.

Check option Users from IP address groups and select the Local Clients group which includes all private ranges of IP addresses.

3.

Enable option Users authenticated through SMTP for outgoing mail to allow users connected from the Internet send email.
Note
Authentication against the SMTP server must be set in the email client. Settings of some
popular clients are focused in chapter 4.2).

11

Chapter 3 Server configuration

Details on security of the SMTP server can be found in chapter SMTP server of the Kerio
MailServer, Administrators Guide.

3.5 Antispam control of the SMTP server

The SMTP server is accessible from the Internet and, therefore, it is necessary to configure
an antispam control of the SMTP server. Antispam filters can be set under Configuration
Content Filtering Spam Filter:
1.

Antispam rating can be started and set on the Spam Rating tab. Default settings of this
tab can be kept.

2.

On the Blacklists tab, it is recommended to enable control involving Internet spammer

databases and to set 2 points as a score for each database.

3.

Switch to the SpamAssassin tab and enable option Check every incoming message in Spam
URI Realtime Blocklist (SURBL) database.

4.

On tabs Caller ID and SPF, set control of e-mail policy records of the sender SMTP server
and set the spam score to 2 points. This control allows to filter out messages with fake
sender addresses.

5.

On the Spammer Repellent tab, enable SMTP connection delay. This filter efficiently stops
spam messages at the SMTP level which relieves the server from a remarkable volume of
spam testing.

Antispam filters of the SMTP server are focused in the Kerio MailServer, Administrators Guide,
chapter Antispam control of the SMTP server.

3.6 Antivirus control

Another necessary settings of Kerio MailServer to be done are enabling of the antivirus control
and attachment filter that can be performed in the following sections:

Antivirus
Antivirus check can be enabled under Configuration Content Filter Antivirus:
1.

Check that the Use the integrated McAfee antivirus engine option is running.

2.

On the Kerio MailServers host, install the external Clam AntiVirus.

3.

Under Configuration Content Filter Antivirus, enable option Use external antivirus
and select Clam AntiVirus in the menu.

12

3.7 Email backup

Attachment Filter tab

To set attachment filter, go to the Configuration Content Filter Attachment Filter section
and check the Enable attachment filter option.
In the list, it is also possible to add/remove other attachments to be filtered and use the Add
button to add attachment types which are not included in the list yet.

3.7 Email backup

Email backup and archiving can be set under Configuration Archiving and Backup.

Backup of the data store and configuration files

Backup can be set on the Backup tab:
1.

The backup can be enabled by checking the Enable message store and configuration recovery backup option.

2.

In the Backup scheduling table, set one full backup for Sunday midnight so that the backup
does not burden the server within working hours.

3.

In the Backup directory entry, specify the path to the directory where backups will be
stored. The path must be entered in a way in accordance with convenience of the operating
system where Kerio MailServer is running.

4.

Enter your email address in the Email address field. Kerio MailServer will automatically
generate results of each backup and send it to the address defined.

Email archiving
Email archiving can be set on the Archiving tab:
1.

To enable archiving, check the Enable mail archiving option.

2.

The default path to the directory can be kept.

3.

Enable the Archive to local folder option.

4.

Set the interval used for creating of new archive folders to one week.

Archiving folders will be displayed in the Kerio MailServers administrator mailbox. They can
be viewed, for example, in the Kerio WebMail interface.

13

Chapter 4

Settings of client applications and connection to

Kerio WebMail

Users will connect to the server via the Kerio WebMail interface or use a supported MS Outlook (on Windows) or MS Entourage (on Mac OS X) clients. The following sections include
instructions on how to connect to Kerio WebMail and how to set email clients optimally.

4.1 Connection to Kerio WebMail

To access the HTTP service using a web browser, insert the IP address (or the name if it is
contained in DNS) of the computer where Kerio MailServer is running. A protocol has to be
specified in the URL either HTTP for non-secured access or HTTPS for SSL-encrypted access.
The URL will be as follows: http://mail.company.com or https://mail.company.com.
It is recommend to use the HTTPS protocol for remote access to the service (simple HTTP can
be tapped and the user login data can be misused). By default, the HTTP and HTTPS services
use the standard ports (80 and 443). If the standard ports are changed, specify the port number in the URL address: http://mail.company:8000 or https://mail.company.com:8080.
Note
The description above focuses accessing email via PDA devices. If connection of the PDA
device to Kerio MailServer fails, it is possible that it chooses a wrong connection (it tries to
connect to the full version instead of Kerio WebMail Mini). In this case, simply enter the
following URL: https://mail.company.com/pda.
If the a correct URL is entered, authentication page is opened requiring username and password. Click on Connect to connect to the account.

4.2 MS Outlook settings

Kerio (MAPI) account Kerio Outlook Connector (Offline Edition)
Install and configure the account as follows:
1.

On client station, install MS Outlook.

2.

Install Kerio Outlook Connector (Offline Edition) on the same station.

3.

Login to Kerio WebMail (see section 4.1) and select Integration with Windows in the Settings
menu.
14

4.2 MS Outlook settings

4.

Click on the Click here to auto-configure Kerio Outlook Connector link.

5.

Depending on your browser and its settings, the tool gets downloaded and launched automatically or it only gets downloaded and you can run it by double-clicking on the tools
icon.

6.

The script now runs MS Outlook, creates a new profile and preconfigures your Kerio account.

7.

For security reasons, enter only your user mailbox password. Once the password is set,
configuration of MS Outlook is completed.

Kerio (MAPI) account Kerio Outlook Connector

Install and configure the Kerio account as follows:
1.

Install MS Outlook on the client station, run it and close it again.

2.

Install the Kerio Outlook Connector.

3.

Create a new email profile in the Start Settings Control Panel Mail menu.

4.

Enter a name for the new profile and in the new account wizard select Add a new email
account.

5.

On page two of the wizard, select Other server types and click on Next.

6.

The next step allows selection of a server type. Select Kerio MailServer.

7.

Now, set the Kerio Outlook Connector on the Kerio MailServer dialogs tabs:
Account on this tab, enter Internet name of the server where Kerio MailServer is
installed and username and password for the mailbox. If the user does not have
an account in the primary domain, it is necessary to use full username including
the domain name: username@domain. Click on Check connection to check whether
it is possible to establish connection to the server under the parameters having
been defined.
Advanced on this tab, it is possible to change ports for SMTP, IMAP and HTTP
services. Ports of non-secured versions of these services are set by default. This
implies that it is not necessary to change these ports in case that an account is
being set within the local network. If setting an account of the local network,
enable the Secured Connection (SSL) option.

15

Chapter 4 Settings of client applications and connection to Kerio WebMail

POP3 and IMAP account

To set an IMAP/POP3 account in MS Outlook, follow these guidelines:
1.

A particular POP3 or IMAP account is set withing creation of the profile in MS Outlook:

2.

In the new account wizard, opened automatically upon setting a name of the new profile,
select POP3 or IMAP.

3.

Set the E-mail and Internet Settings section carefully. In the Name entry, specify first
and second name of the user, and enter the users address in the E-mail Address field.
Specify username in the Username entry. If the user does not have an account in
the primary domain, it is necessary to use full username including the domain name:
username@company.com. Specify Password that will be used for connection to Kerio
MailServer. Finally, enter the DNS name or IP address of the server where Kerio MailServer
is running in the Incoming mail server and Outgoing mail server (SMTP) entries.

4.

If the user connects from the Internet, it is necessary to set authentication in accordance
with the configuration of the SMTP server (see section 3.4). Click on Advanced settings.
This opens a dialog including several tabs where other parameters of the account can be
set. Switch to the Outgoing mail server tab, enable the My outgoing server (SMTP) requires
authentication option and select Use the same settings as my incoming mail server.

5.

Run MS Outlook in the new profile.

4.3 MS Entourage settings

Kerio MailServer uses an interface for MS Exchange in MS Entourage and thus it allows work
with groupware data (email, calendar, contacts and public email folders), use the Free/Busy
server, connect to various LDAP databases for contact searching, etc. The account can be set
as follows:
1.

Install a supported version of MS Entourage and run it.

Note
For updated list of supported versions of MS Entourage, refer to Kerio Technologies website (http://www.kerio.com/kms/).

2.

Login to Kerio WebMail (see section 4.1) and select Integration with MAC OS X in the Settings menu.

3.

Click on Auto-configure Entourage.

4.

The tool gets downloaded and starts automatically.

5.

The installation requires username and password for an account with administration
rights for the computer.
16

4.3 MS Entourage settings

6.

Once installation is completed, an MS Entourage dialog is opened where you are supposed
to authenticate with your mailbox password. Enter the password and confirm the dialog.

7.

Finish the wizard to complete MS Entourage configuration.

17

Appendix A

Legal Notices

R
R
R
R
R
Microsoft
, Windows
, Windows NT
, Windows Vista
, Internet Explorer
, Active DiR
R
R
R




rectory , Outlook , ActiveSync
and Windows Mobile
are registered trademarks of Microsoft Corporation.
R
R
R
R
Apple
, Mac OS
, Tiger TM, Panther
and Leopard
are registered trademarks or trademarks of Apple Computer, Inc.
R
Linux
is registered trademark of Linus Torvalds.

Kerberos TM is trademark of Massachusetts Institute of Technology (MIT).

18

19