Kerio Connect Hosting Guide

This page will help email hosting providers who are planning deployment of Kerio Connect. It should be used as a general guideline to assist with the design and implementation of Kerio Connect in a hosted environment.

ABOUT KERIO CONNECT

Kerio Connect is an all-in-one messaging and collaboration server for small to medium organizations. Kerio Connect combines advanced email, calendaring and collaboration features with integrated anti-virus, powerful anti-spam, built-in archiving, automated backup, and an easy admin interface.

TECHNICAL SUPPORT AND OTHER HELP RESOURCES

Kerio Technologies provides extended-hours telephone support 24 hours a day, Monday through Friday (GMT). Contact information, as well as support availability outside of the United States, is available from http://www.kerio.com/support

On this page, you will also find a helpful search function for locating information from the Knowledge base and online manuals.

A forum is available at http://forums.kerio.com in case you would like feedback from the community.

SALES AND LICENSING

Kerio Connect requires a server license, which starts with 5 mailboxes. A mailbox (user) is the only item that counts toward the license. If you need to add users, you may do this at any time, in increments of 5. After purchasing additional users, you may add the extra license from the information page in the Administration console, which is displayed upon login. As a hosting provider, you are eligible for a discounted rate based upon your sales volume. Licenses are purchased through the Kerio Partner Portal. For further assistance, contact your corresponding Kerio Channel Manager. If you do not yet have an assigned channel manager, use the 'Contact us' link from the website menu; after submitting your information you will be contacted by the appropriate Kerio representative.

SaaS Licensing model. In an attempt to match the type of sales model offered by most email hosting providers, Kerio has made available a licensing program where the hosting provider is billed by Kerio on a monthly basis. The amount charged is based on the maximum number of users accounted for during that time period. For more information regarding this type of licensing you will need to contact your appropriate channel manager.

MARKETING AND PROMOTIONAL RESOURCES

Promotional resources such as box shots, logos, web banners, datasheets, comparisons and product descriptions for Kerio Connect can be downloaded from the Kerio Partner Portal.

CONSIDERATIONS AND BEST PRACTICES

Firewall setup

All services and their port numbers are listed in the Administration console under Configuration -> Services. One service is not listed there: TCP port 4040, used by the web administration interface. If you want to provide remote administration, this port must be opened. The connection uses HTTPS and is therefore encrypted, but encryption does not limit who may attempt to log in; where possible, restrict port 4040 at the firewall to the addresses your administrators use, or reach it over a VPN.

Kerio Connect itself will run with no ports reachable from the Internet, but for a hosted service the following should be made available: SMTP (port 25, required to receive mail from other servers), SMTP submission, secure POP3, secure IMAP, secure HTTP and secure LDAP. If any of these services must be offered without SSL, use a non-standard port for it. Kerio Connect operates normally on a private (RFC 1918) address behind a NAT device, provided the required ports are forwarded to it.

Hardware and Operating System configuration

Kerio does not officially recommend any particular operating system over another. As a general rule, select the operating system you are most comfortable managing; Kerio Connect behaves the same on all supported platforms. Kerio Connect is also available in OVF format for ESX server, or it can be installed into a custom virtual machine. Although virtualization can provide hardware consolidation, system diagnostics and redundancy at the operating-system level, it adds an extra layer of complexity and costly hardware, and should be chosen only by an administrator with prior experience of VMware's virtualization technology.

As a 32-bit application, Kerio Connect will not consume more than 2 GB of memory. It is therefore unnecessary to install more than 4 GB unless the server is combined with other services such as Active Directory on a 64-bit platform. Kerio Connect does not require a specific CPU architecture; Intel Xeon or Core i5/i7 is recommended.
The storage device is important for optimal performance. Any storage technology may be used, on the condition that the volume is presented to the operating system as a directly attached device. Drives with faster spindle speeds in some form of RAID are recommended. A separate drive should be used for backup and archiving; eSATA or FireWire is ideal for this purpose, but network-based storage may also be used as the backup location.

SMTP security and the submission service

In a hosted environment all user access is remote, so in most cases relay permission cannot be granted by IP address. Kerio Connect instead provides the SMTP submission service as the relay path for privileged senders. It runs on TCP port 587 and can be used by any standard SMTP client; the one requirement is that the client authenticates. Once authenticated, the sender bypasses most of the content filtering components, which spares the server unnecessary processing and gives the sender's messages a higher probability of delivery. All clients that use IMAP together with SMTP should be configured to submit through port 587 (over SSL, see below) rather than port 25.

Providing mail relay is a significant privilege which, in the wrong hands, can cause drastic problems for every other user of the same mail system: a single compromised account used to send spam can get the server's IP address blacklisted for all customers. It is therefore extremely important to restrict relayed mail. In the Administration console under Configuration -> SMTP Server -> Security Options you can set limits such as the maximum number of messages per hour and the maximum message size. Enable these options and set reasonable values; on a default installation of Kerio Connect none of these restrictions are enabled.
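A check a hosting provider should run after setting up port 25 and the submission service is an unauthenticated relay probe: open a session, attempt MAIL FROM / RCPT TO for a domain the server does not host, and confirm the server refuses it. The script below is an added example, not a Kerio tool; it abandons the envelope with RSET before DATA so nothing is ever sent, and it includes a constructed stand-in session so the classification logic can be exercised without a live server. The sender and recipient domains (example.net, example.org) are placeholders: use domains the target does not host, or it will legitimately accept local delivery.

```python
"""Unauthenticated relay probe for an SMTP (25) or submission (587) listener.

Added example, not part of Kerio Connect. A server that answers 250 to
RCPT TO for an external recipient without authentication is an open relay.
"""
import smtplib
import ssl
import sys


def relay_attempt(session, from_addr, external_rcpt):
    """Run EHLO / STARTTLS / MAIL FROM / RCPT TO on an smtplib.SMTP-like session.

    Returns (mail_code, rcpt_code). RCPT TO is only tried when MAIL FROM was
    accepted, because a submission port that demands AUTH may already refuse
    the transaction at MAIL FROM; rcpt_code is then None.
    """
    session.ehlo()
    if session.has_extn("starttls"):
        session.starttls(context=ssl.create_default_context())
        session.ehlo()  # capabilities must be re-read after STARTTLS
    mail_code, _ = session.mail(from_addr)
    rcpt_code = None
    if mail_code == 250:
        rcpt_code, _ = session.rcpt(external_rcpt)
    session.rset()  # abandon the envelope; DATA is never sent
    return mail_code, rcpt_code


def verdict(mail_code, rcpt_code):
    """Classify a (mail_code, rcpt_code) pair from relay_attempt()."""
    if rcpt_code == 250:
        return "OPEN RELAY: unauthenticated client may relay to external domains"
    if rcpt_code is None:
        return "relay denied at MAIL FROM (%d)" % mail_code
    return "relay denied at RCPT TO (%d)" % rcpt_code


def probe(host, port=25, from_addr="probe@example.net",
          external_rcpt="probe@example.org", timeout=15):
    """Live probe against host:port (placeholder domains, see lead-in)."""
    with smtplib.SMTP(host, port, timeout=timeout) as session:
        return verdict(*relay_attempt(session, from_addr, external_rcpt))


class ScriptedSession:
    """Constructed stand-in for smtplib.SMTP: answers MAIL FROM and RCPT TO
    with the reply codes given, so the logic above runs without a server."""

    def __init__(self, mail_code=250, rcpt_code=550, offers_starttls=False):
        self.codes = (mail_code, rcpt_code)
        self.offers_starttls = offers_starttls
        self.tls_started = False

    def ehlo(self):
        return 250, b"ok"

    def has_extn(self, name):
        return self.offers_starttls and name == "starttls"

    def starttls(self, context=None):
        self.tls_started = True
        return 220, b"ready"

    def mail(self, sender):
        return self.codes[0], b""

    def rcpt(self, recipient):
        return self.codes[1], b""

    def rset(self):
        return 250, b"ok"


if __name__ == "__main__":
    # usage: python relay_probe.py mail.example.com [25|587]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    print(probe(sys.argv[1], target_port))
```

Run it once against port 25 (expect "relay denied") and once against port 587 (expect a denial at MAIL FROM or RCPT TO, since no AUTH was performed); an "OPEN RELAY" verdict on either port means the relay restrictions described above are not in effect.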

SSL and email encryption

Access to a hosted Kerio Connect server normally crosses public networks, so every connection should be encrypted whenever possible. All services hosted by Kerio Connect share the same SSL certificate, so each of them can be offered over SSL with a single certificate. Every email client configured for a Kerio Connect server should be set to use SSL for all protocols.

A self-signed SSL certificate encrypts the connection just as well as a signed one, but clients have no way to verify it, so most email and web applications warn the user that the certificate is not trusted. Those warnings are both frightening and annoying, and they train users to accept any certificate, which is exactly what a man-in-the-middle attack relies on; for this reason it is recommended to invest in a certificate signed by a public authority. Kerio Connect uses OpenSSL, the same library used by Apache web servers, so when a certificate authority asks for a server type or format, choose 'Apache' (PEM-encoded key and certificate). A single hostname per certificate is the simplest choice, but multiple hostnames can be combined into one certificate as a Unified Communications Certificate (a certificate carrying several Subject Alternative Names). Several authorities, including GoDaddy.com, offer this type. You submit the request file with only a single hostname, and the authority later asks for the additional hostnames, which are combined into the certificate it issues.
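Because one certificate serves every protocol, the question before ordering is whether a single-name certificate covers all the hostnames your customers' clients will be configured with, or whether you need the multi-name (UCC) form. The added example below, not Kerio code, fetches the server certificate once over an implicit-TLS port and checks which of a list of client hostnames its CN/SAN entries cover. The wildcard handling (a leftmost '*' matching exactly one label) goes beyond what the guide describes and is standard certificate-matching behaviour, not something Kerio Connect configures; the sample certificates and hostnames are constructed.

```python
"""Check which client hostnames a server certificate covers.

Added example, not part of Kerio Connect. Certificates are handled in the
dict layout that ssl.SSLSocket.getpeercert() returns, so constructed
samples and a live fetch go through the same code.
"""
import socket
import ssl


def cert_names(cert):
    """Names the certificate is valid for. SAN dNSName entries take
    precedence; the subject CN is only used when no SAN is present."""
    sans = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value.lower()]
    return []


def name_matches(pattern, hostname):
    """Exact match, or a single leftmost '*' label matching exactly one
    label: *.example.com covers mail.example.com but neither example.com
    nor a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def coverage(cert, hostnames):
    """Map each hostname to whether the certificate covers it."""
    names = cert_names(cert)
    return {h: any(name_matches(n, h) for n in names) for h in hostnames}


def fetch_cert(host, port=993, timeout=10):
    """Live fetch over an implicit-TLS port (993, 995, 443). getpeercert()
    returns the parsed dict only after successful chain verification, so an
    untrusted or expired certificate raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: a single-name certificate.
SINGLE_NAME_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"),),
}

# Constructed sample: a UCC/SAN certificate covering several names.
UCC_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (
        ("DNS", "mail.example.com"),
        ("DNS", "imap.example.com"),
        ("DNS", "*.customer-example.net"),
    ),
}

# Constructed list of names customers' clients are configured with.
CLIENT_NAMES = [
    "mail.example.com",
    "imap.example.com",
    "smtp.customer-example.net",
    "customer-example.net",
]


def report(cert, hostnames=CLIENT_NAMES):
    """Hostnames that would trigger a client warning with this certificate."""
    return sorted(h for h, ok in coverage(cert, hostnames).items() if not ok)


if __name__ == "__main__":
    import sys
    # usage: python cert_coverage.py mail.example.com [993]
    live_port = int(sys.argv[2]) if len(sys.argv) > 2 else 993
    print("not covered:", report(fetch_cert(sys.argv[1], live_port)))
```

Any name reported as not covered is one for which clients will show the untrusted-certificate warning, so it either needs to be added to a UCC or dropped from the configuration you hand to customers.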

DNS configuration and pointer records

Kerio Connect does not include any configuration for domain name services. It is only required that the underlying operating system is properly configured to resolve internet hostnames. There is a setting defined during the initial installation of Kerio Connect called the "Internet Hostname". This is the name used by the mail server to identify itself when communicating with other Internet based servers. It is important to assign a name which resolves to the internet IP address used by your Kerio Connect server.

When you relay mail to other servers, they may perform a reverse lookup on your IP address to check that a pointer (PTR) record exists. If none does, the message may be bounced or treated as spam. To improve the reliability of message delivery it is necessary to configure a pointer record. This requires contacting the owner of the IP address used by your mail server (usually your connectivity provider) and having them publish a fully qualified DNS name for it. That name should match the Internet Hostname assigned to Kerio Connect and the name on the SSL certificate, and should itself resolve back to the same IP address.
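The three conditions above (hostname resolves to the server's public address, the address has a PTR record, and the PTR name resolves back to that address) are what receiving servers call forward-confirmed reverse DNS. The added example below, not part of Kerio Connect, checks them with the standard library resolver; the resolver functions are parameters so the logic runs offline against a constructed zone, and the addresses and names used are documentation placeholders.

```python
"""Forward-confirmed reverse DNS check for a mail server's Internet Hostname.

Added example, not part of Kerio Connect.
"""
import socket


def check_fcrdns(hostname, expected_ip=None,
                 resolve=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Return {'hostname', 'ip', 'ptr', 'problems'}. `reverse` must behave
    like socket.gethostbyaddr: (primary_name, aliases, ip_list), raising
    socket.herror when no PTR record exists."""
    findings = {"hostname": hostname, "problems": []}
    try:
        ip = resolve(hostname)
    except socket.gaierror:
        findings["problems"].append(f"{hostname} does not resolve")
        return findings
    findings["ip"] = ip
    if expected_ip and ip != expected_ip:
        findings["problems"].append(f"{hostname} resolves to {ip}, expected {expected_ip}")
    try:
        ptr_name = reverse(ip)[0]
    except socket.herror:
        findings["problems"].append(f"no PTR record for {ip}")
        return findings
    findings["ptr"] = ptr_name
    if ptr_name.lower().rstrip(".") != hostname.lower().rstrip("."):
        findings["problems"].append(
            f"PTR for {ip} is {ptr_name}, not {hostname} "
            "(a generic provider name invites spam scoring)")
    try:
        if resolve(ptr_name) != ip:
            findings["problems"].append(
                f"PTR name {ptr_name} does not resolve back to {ip} (not forward-confirmed)")
    except socket.gaierror:
        findings["problems"].append(f"PTR name {ptr_name} does not resolve")
    return findings


# Constructed zone data for offline use (documentation addresses).
FORWARD = {
    "mail.example.com": "203.0.113.10",           # correct setup
    "mail.example.net": "203.0.113.20",           # PTR still carries the provider's generic name
    "isp-generic.example.org": "203.0.113.20",
    "orphan.example.com": "203.0.113.30",         # no PTR at all
}
REVERSE = {
    "203.0.113.10": "mail.example.com",
    "203.0.113.20": "isp-generic.example.org",
}


def fake_resolve(name):
    try:
        return FORWARD[name]
    except KeyError:
        raise socket.gaierror(name)


def fake_reverse(ip):
    try:
        return (REVERSE[ip], [], [ip])
    except KeyError:
        raise socket.herror(ip)


if __name__ == "__main__":
    import sys
    # usage: python fcrdns_check.py mail.example.com [expected public IP]
    result = check_fcrdns(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    print("\n".join(result["problems"]) or "forward and reverse DNS are consistent")
```

Run it with the Internet Hostname from the Kerio Connect installation and the public address the NAT device presents; an empty problem list is the state to reach before pointing customer domains' MX records at the server.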

User management and password policies

Kerio Connect does not enforce password complexity, so users can set simple passwords that an attacker could guess. There are a few ways to reduce this risk. In the security policy under the advanced options you can enable the account lockout feature to limit the number of failed login attempts; a reasonable value is 3. Note that the lockout applies to the offending IP address rather than to the account, so other users behind the same shared address (for example a NAT gateway) are locked out together with the offender, while an attacker who moves between addresses is not stopped. Another approach is to import users from Active Directory; with a directory server, the domain's password complexity requirements apply. Since version 7.2 there is an option to prevent users from changing their passwords: you may assign a strong password to each account and enable this option so that users cannot reset it to something guessable.
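The two controls above, assigned passwords and per-IP lockout, are modelled in the added example below so the shared-address side effect can be seen on a constructed login log. This is illustrative code, not Kerio's implementation: the threshold of 3 follows the recommendation above, but the window and lock durations are assumptions, as is the character set used for generated passwords.

```python
"""Assigned strong passwords and a per-IP lockout model.

Added example, not Kerio code. generate_password() supports the
'assign strong passwords and disable user changes' approach;
LockoutTracker models 'lock the offending IP after N failures' so
the effect on users behind the same NAT address is visible.
"""
import secrets
import string
from collections import defaultdict, deque

SYMBOLS = "!#%&*+-=?@_"                       # assumption: symbols safe in most mail clients
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length=16):
    """Uniformly random password with at least one of each character class.
    Rejection sampling keeps the distribution uniform over passwords that
    satisfy the policy instead of forcing mandatory characters into fixed
    positions."""
    if length < 4:
        raise ValueError("length must allow one character of each class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


class LockoutTracker:
    """Failed-login counter per source IP with a sliding window; window and
    lock durations are illustrative assumptions."""

    def __init__(self, max_failures=3, window_seconds=600, lock_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lock_for = lock_seconds
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the lock expires

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record(self, ip, success, now):
        """Feed one login outcome; returns True if ip is locked afterwards."""
        if self.is_locked(ip, now):
            return True
        recent = self.failures[ip]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if success:
            recent.clear()
            return False
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lock_for
            recent.clear()
            return True
        return False


def simulate(tracker, events):
    """events: (time, ip, user, success). Returns the (time, ip, user)
    attempts refused because the IP was locked, whoever made them."""
    refused = []
    for when, ip, user, success in events:
        if tracker.is_locked(ip, when):
            refused.append((when, ip, user))
            continue
        tracker.record(ip, success, when)
    return refused


# Constructed log: a guessing client and an office user share NAT address 198.51.100.7.
EVENTS = [
    (0, "198.51.100.7", "alice", False),   # guesses against alice
    (5, "198.51.100.7", "alice", False),
    (9, "198.51.100.7", "alice", False),   # third failure: the NAT address is locked
    (20, "198.51.100.7", "bob", True),     # bob's correct password from the same NAT is refused
    (25, "203.0.113.9", "bob", True),      # bob from another address succeeds
    (30, "203.0.113.9", "alice", False),   # the guesser moves to a fresh address and continues
]

if __name__ == "__main__":
    print("refused:", simulate(LockoutTracker(), EVENTS))
    print("example assigned password:", generate_password())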

Scalability

Kerio Connect does not use a database for the mail store. All data in the mail store is organized into separate files and folders, accompanied by many index and metadata files that are usually cached in memory and flushed to disk at intervals. Although this architecture is easy to manage, because the data is directly accessible, it prevents the resources of multiple servers from being leveraged for one mail store (i.e. load balancing). As a result there are general upper limits to the scalability of a single Kerio Connect server. Depending on the hardware, Kerio Connect can comfortably accommodate up to 1000 mailboxes averaging 1 GB of mail each. Use this value only as a general measure when planning how many servers to deploy for the anticipated number of mailboxes. Kerio Connect has very few hard limits; the maximum number of mailboxes is bounded only by the license key.

Archiving

The archiving feature of Kerio Connect allows an administrator to search for and locate any email processed by the mail server. It is not enabled by default; it is recommended to enable it and define a location for the archive. The archive contains a copy of every message processed by the server, so the assigned location must have sufficient capacity, and because it holds the mail of every customer domain it should be readable only by the administrators who need it. The archive does not distinguish between domains, so any settings defined for the archive apply globally. To separate domains, you can archive to an email address and then use mail filter rules on that mailbox to sort messages into folders by sender or recipient domain. Note that archiving to a local email address stores the copies in the mail store rather than the archive directory, and those copies are not compressed.

Backup and recovery

The automated backup feature in Kerio Connect is a disaster recovery option for user data, mailing lists and configuration. It is not enabled by default, but rules are preconfigured for a full backup once per week and a differential backup each day. Note that the advanced options default to keeping 7 complete backups, which consumes a significant amount of storage space. The backup location can be a network mount, but a locally attached device such as eSATA or FireWire is recommended. While the server is backing up data the mail system remains accessible, but access will be slow because the backup process is very hardware intensive, so backups should be scheduled during light usage. In a typical environment the backup takes approximately one hour for every 20 GB. If it exceeds 6 hours, consider faster drives for the backup location or a third-party backup option such as rsync.

Anti-Spam configuration (integrated vs. gateway)

The core of the spam filter in Kerio Connect is based on SpamAssassin. Each user has a spam folder called "Junk Email", and spam messages are automatically sorted into it. It is important to let end users know that they train the filter by moving messages from the Junk Email folder to the Inbox and vice versa. You may also inform end users that webmail has an anti-spam setting, not enabled by default, that exempts senders in their contacts from the spam filter; bear in mind that this exemption keys on the sender address, which spam can forge, so it trades some filtering for convenience.

In some circumstances you may choose to offload the spam processing to another device or service. This will free up resources on the mail server, and improve performance to a small degree. There is no recommendation however in regards to the integrated spam filter vs. an external Anti-Spam solution.

In addition to SpamAssassin, there are a number of other features to prevent spam. A description of each is available at http://manuals.kerio.com/connect/adminguide/en/chap-antispam.html. Note that most anti-spam features are disabled by default, favouring reliable delivery of messages over more aggressive filtering. Also note that the Bayesian component of SpamAssassin does not become active until a sufficient volume of messages has been processed, so the spam filter will be less effective during the initial deployment.

Client access and configuration

End users get the most value from their hosted email service by using the right desktop application. Four email and collaboration applications offer unique options when connected to Kerio Connect: Microsoft Outlook, Microsoft Entourage, Apple iCal and Apple Address Book. Each client has a simplified configuration tool, available from the Webmail interface under Settings -> Integration with … For details on using each client, such as calendar delegation, resource scheduling, mail filters and out of office …, a separate 'User's Guide' is available at http://manuals.kerio.com/connect/userguide/en/

Mobile device access

Kerio Connect supports the latest protocol version of ActiveSync. This allows devices such as iPhone, Droid, Palm Pre/Pixi, Nexus, Nokia E/N, and Windows Mobile to synchronize email, contacts, calendars and tasks wirelessly. BlackBerry devices do not natively support ActiveSync, however there are currently two 3rd party applications available to add ActiveSync support for BlackBerry: http://www.notifysync.com and http://www.astrasync.com. More details regarding supported mobile devices and a matrix of supported features for each device is available from our website at http://www.kerio.com/connect/wireless.

The configuration of mobile devices involves an "Exchange" connection. In other words, the device assumes it is connecting to a Microsoft Exchange server for wireless synchronization. Steps regarding this configuration are available for most popular smart phones from the Kerio User's Guide at http://manuals.kerio.com/connect/userguide/en/chap-activesync. For instructions on management of mobile devices, such as the remote wipe function, you may refer to the following section of the Administrator's guide http://manuals.kerio.com/connect/adminguide/en/chap-activesync.html

Public folders management

In a hosted environment you will want to assign public folders as 'Unique for each domain'. Instructions regarding this setting and assignment of public folder administrators is located at http://manuals.kerio.com/connect/adminguide/en/sect-publfol.html. Maintenance of public folders (e.g. updating a contact, creating a Calendar folder…) is done through any one of the supported collaboration applications previously mentioned in this document.

Mailbox restrictions (quotas and retention)

Assigning mailbox quotas is typically necessary in a hosted environment. Quotas can be set on the number of messages or on total size. At 90 percent usage the user is notified by an automated message. An additional setting in the user's properties, "Items clean-out", automatically removes messages from the "Junk Email" and "Deleted Items" folders that are older than the specified number of days.

Mail distribution

It is common to configure an email address, which is distributed to multiple recipients. There are many approaches in Kerio Connect to achieve this type of configuration. The most common method involves the use of a mailing list.
The following points explain the basic constraints and capabilities of a mailing list:

• Offers security: Emails addressed to the list can be restricted to members of the list, or individually approved by designated email addresses.

• Automatic enrollment/un-enrollment: A person may be added to or removed from the list by sending a message to list_name-subscribe@domain.com or list_name-unsubscribe@domain.com

• Members are hidden: The sender does not know the recipients of the list

• Addresses are processed one at a time: A mailing list is expanded and delivered in a single processing thread, so a large list does not hold up other email activity (i.e. clog the mail queue)

• Managed by the administrator: The members of the list and its settings must be defined in the full or domain-based administration interface

• Other settings: You may include a footer, prepend to the subject, specify the reply address or define other posting policies.

Another method of mail distribution involves a 'Distribution list'. This option cannot be defined within the administration interface. Distribution lists are configured in Webmail or Outlook. They may be created in a user's personal contact folders, or within public contact folders by a user with appropriate rights. This type of list is only recognized by Webmail or Outlook as a means of easily addressing, or modifying the recipients within the list.

You may also create a Group of users, which is assigned an email address. Groups are generally used to assign privileges to multiple users (e.g. setting a public calendar folder to be read only by a specific department) and should not be used for mail distribution in most cases. Groups may contain only local mailboxes and offer no security in regards to posting policies.

The last method of mail distribution involves 'Aliases'. The same alias address can be created more than once, each copy redirecting to a different recipient. In other words, when an alias rule matches, the mail server continues to check the remaining aliases and processes every further match, so the message is delivered to each configured forwarding address.

Migrating to a Kerio mailbox

There are a number of options for transferring data from an existing mailbox or local data file to the hosted Kerio Connect mailbox. If the data is located on a remote server, you can use the Kerio IMAP migration tool, available on the download page of the Kerio website. Otherwise, use one of the previously mentioned collaboration clients to import email and PIM data into the Kerio Connect server.

Maintenance and updates

Updating Kerio Connect server is a simple process. The administration console will notify you when a new version is available. The new version is downloaded and applied by running the installation package. The update process does not require a restart of the operating system, and typically takes between 2 to 5 minutes. The installer will automatically stop and restart the server engine. There is no schedule regarding new releases, but you may view the release history to get an idea of the frequency of updates and types of changes applied to each update: http://www.kerio.com/connect/history.

RELEVANT FEATURES:

Max users per domain
Ensure that the number of users for a specific domain does not exceed a defined number (e.g. for licensing reasons)

User message quota
A user may only store up to a defined amount of data (e.g. usually based on the cost of their hosted mailbox)

Public Folders per domain
Each customer domain has its own set of shared folders (e.g. global address list, resources…)

Custom webmail logo per domain
So that the end users will feel more ownership of their customized domain

Multiple domain support
Each domain contains its own users, groups, mailing lists, resources and aliases, and can be managed using a special web based management interface for domain administrators

Message size limits per domain
To prevent users from relaying emails with large attachments

Footers per domain
Each domain can have a custom message or disclaimer appended to emails from a user of that domain

Add licenses as you need them
It is quick and easy to add users when needed (minimum of 5)

Outlook access through WebDAV for simple remote access
The Kerio Outlook Connector (Offline Edition) connects remotely using a secure HTTP connection

Domain based web administration
Allows designated users of each domain to manage domain settings from a web browser

Integrations page for simplified client configuration
Automatic configuration for one of the 4 supported collaboration clients by clicking a link in webmail

Activesync support for mobile devices
Exchange configuration to synchronize Email, Contacts, Calendars and Tasks.

SSL support for secure remote access
All services are available over SSL

Complete Webmail interface with features like shared folders and Out of office
Can be used as a desktop replacement to simplify deployment and centralize data

HELPFUL KNOWLEDGE BASE ARTICLES:

How do I move Kerio Connect from one machine to another (or change Operating Systems)?
How do I get a valid, signed SSL certificate for Kerio Connect?
What are the recommended settings for logging in Kerio Connect?
How do I share folders in Kerio webmail and Outlook Connector?
How do I create a custom or external login interface for WebMail?
Allow Unsupported Devices with Kerio Connect

Have you had a chance to ask about our Kerio Connect SaaS model?

Latest Release

Kerio Connect 7.4
  • User Access Policies
  • Improved Anti-Spam
  • Full Web Admin on iPad
  • KOFF Auto-Update Service & Improved Performance
  • And more...

Learn more about Kerio Connect 7.4 new features
"For a lot of our smaller clients, running their own on-premise messaging solution was not a viable option. A lot of these customers also required enterprise level functionality. This is where Kerio Connect's SaaS offering made perfect sense. We were able to deliver a cost-effective, reliable, and feature rich solution to our customers."

Richard Norris
CEO
SiteZero Ltd.