Overview
Kerio Connect is a messaging and collaboration server that can be used in multi-tenant or larger deployments; however, careful consideration must be given to these types of environments. This brief document addresses many of these considerations and explains some of the essential architecture and behavior of Kerio Connect, while offering several suggestions for optimizing its performance.
Hardware
Kerio Connect has minimal system requirements. Keep the system simple, without overly complicated and expensive components. With more parts involved, there is an increased potential for bottlenecks, hardware misconfigurations, or points of failure.
CPU
4 cores are recommended; more may provide minor benefits during large operations. CPU utilization is typically low most of the time, but some operations involving searching, indexing, and compression can be taxing on the processor. The mail server runs as a single process, but several other processes are spawned for certain operations, including content filtering, message store indexing, and user authentication. Specific details regarding software configuration to minimize CPU utilization are covered later in this document.
RAM
8 GB or above is recommended; additional RAM may provide minor benefits depending on the Operating System.
Storage
This is the most important consideration, as the mail server is responsible for a significant amount of data. The message store location is essential to the mail server's performance. This directory contains all user data, logs, queues, indexes, and the Bayes database. It is therefore important to ensure that this storage hardware is both fast and reliable. This will typically require some form of RAID configuration, usually 5 or 10. The storage device must be presented as a local file system. Low latency and seek time are essential; consider either SSD or 15k RPM drives. SAN-based storage is supported, but depending on the architecture the controller or transport layer can add latency, so it is not ideal outside of virtualized environments.
Operating System
The preferred operating system for optimal performance of Kerio Connect is Linux. This is due to its lightweight kernel and ability to function in a purely headless environment. Kerio Connect is a self-sufficient package, with minimal requirements for other operating system services. Most Linux distributions take a minimalist approach, and provide optional installation for non-essential system functions, which makes it a prime candidate for Kerio Connect.
File System
The mail store for Kerio Connect is organized in a single directory, with many subdirectories for each domain, user, and email folder. Each email message, contact, note, task, or calendar event is stored as an individual file, which means that the mail store directory contains a very large number of small files and folders. It is essential for the file system to manage this type of file structure efficiently. The ext3 file system offers the best efficiency and performance with Kerio Connect.
Partitioning
Kerio Connect functions in two locations, the install root (e.g. /opt/kerio) and the mail store location. To leverage the performance of multiple disks, you may assign a fast, small drive (e.g. 60 GB SSD) for the Operating System and installation path of Kerio Connect. The mail store would then be pointed to the local RAID volume. There are customizable locations for other optional features, which will be discussed further in this document.
Virtualization
Deploying virtualization involves multiple Operating Systems sharing resources on the same physical server, and layering multiple file systems. This architecture will introduce a small amount of performance degradation (approximately 5-10%). The primary value of Virtualization with Kerio Connect is the underlying capabilities of the hypervisor to maximize uptime, which is outside the scope of this document.
Kerio Connect Configuration
In a default setup, Kerio Connect maintains a laissez-faire approach to user management. It assumes users respect the implied proper conduct of owning an account on the mail system. However, in most cases it is difficult to dictate proper behavior through corporate policy, and therefore quotas and restrictions need to be proactively defined. These types of restrictions will guarantee that no person can compromise the health of the mail system, and will help ensure higher performance and availability over time.
Restricting Attachment Size
One of the most significant burdens on a mail system is processing large email files. Limiting the Size of Outgoing Messages in Kerio Connect will preserve bandwidth and storage space. Users have become accustomed to the convenience of sending files through email, but this convenience is commonly abused. With the broad availability of web-based file sharing services, users should become familiar with these options for sharing large files. A reasonable attachment size maximum is 20 MB; a more aggressive value should be considered in larger environments.
User Quotas
Without Limiting the Size of User Mailboxes, users have no motivation to remove or archive old emails. Setting quotas on mailbox size will force users to archive old emails, reducing the amount of data stored on the server. This will result in faster backups, and will allow the potential for purchasing faster, lower capacity drives.
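An added example, not Kerio's own tooling: a read-only audit that walks a mail store and reports mailboxes over a quota, items above the 20 MB size limit, and folders holding an unusually large number of files. The <domain>/<user>/<folder> layout, the thresholds, and the demo tree are assumptions made for illustration, and on-disk size only approximates what the server counts toward a quota.

```python
import os
import tempfile
from collections import defaultdict

MB = 1024 * 1024

def audit_store(store_root, quota_bytes, max_item_bytes=20 * MB, max_folder_items=10_000):
    """Report mailboxes over quota, items over the size limit, and crowded folders.

    Assumes the layout <store_root>/<domain>/<user>/<folder...>/<one file per item>.
    """
    usage = defaultdict(int)          # (domain, user) -> bytes on disk
    oversized, crowded = [], []
    for dirpath, _dirs, files in os.walk(store_root):   # does not follow symlinked dirs
        parts = os.path.relpath(dirpath, store_root).split(os.sep)
        if len(parts) < 2:
            continue                  # store root or a domain directory, not a mailbox
        if len(files) > max_folder_items:
            crowded.append((dirpath, len(files)))
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.lstat(path).st_size
            except OSError:
                continue              # item deleted while the server is running
            usage[(parts[0], parts[1])] += size
            if size > max_item_bytes:
                oversized.append((path, size))
    over_quota = {box: used for box, used in usage.items() if used > quota_bytes}
    return {"over_quota": over_quota, "oversized": oversized, "crowded": crowded}

def build_demo_store(root):
    """Constructed sample tree: two users in one domain, sparse files as stand-ins."""
    items = {("example.test", "alice", "INBOX", "1.eml"): 21 * MB,
             ("example.test", "alice", "Sent", "2.eml"): 5 * MB,
             ("example.test", "bob", "INBOX", "3.eml"): 1 * MB}
    for parts, size in items.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.truncate(size)         # sparse file: reports size without writing data
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = audit_store(build_demo_store(tmp), quota_bytes=25 * MB, max_folder_items=1)
        for key, value in report.items():
            print(key, value)
```

Run it against a copy or snapshot of the store where possible, since a full walk of a large store adds disk load of its own.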
Items clean-out (retention policy)
The Items Clean-Out feature (see Deleting Old Mails using Items Clean-Out Feature) is disabled by default because it proactively deletes email. Enabling it is highly recommended for the Deleted Items and the Junk Email folders. A reasonable value is one month for both folders.
Archiving
In most cases, Archiving in Kerio Connect should be enabled to ensure accountability for every message that passes through the mail server. If enabled, this feature can significantly strain the server, especially when processing a high volume of mail. You may consider running a separate mail server, and configure Kerio Connect to forward all archived messages to an email address that resides on the archive server.
If you want to keep the archive local to Kerio Connect, consider designating a separate drive for the archive, and defining this location in the options of the archive configuration within the Kerio Connect administration. This drive can be an inexpensive, high capacity drive. The objective in defining the location of the archive is to diversify the workload of the local disks. Please do not use compression of the archive, as this will create unnecessary strain on the CPU. Do not choose to archive mail to a mailbox, as this will cause a significant volume of mail in a single folder, creating massive workload if that account is ever accessed. For optimal performance of the archive feature, choose to archive to a local subfolder, specifying a daily rotation schedule.
Backup
The Backups and Data Recovery feature is optional. If enabled, it should point to a separate physical drive. Just like the archive, the backup folder should be located on its own dedicated hard drive in order to further diversify the workload of the local disks. If the mail store becomes so large that the full backup process becomes a burden to the operations of the server, consider using an alternate backup strategy. One option is to configure a separate server to receive rsync or rdiff backups over a separate, dedicated network connection.
Search Indexing
The search index enables full text search through webmail and IMAP (see Configuring Full Text Search in Kerio Connect). Most mail clients, including those using IMAP, do not perform body searches on the server. If full text searching in webmail can be avoided, the absence of this feature will conserve valuable resources both in storage space and processing. If enabled, make sure to define an alternate location for the index. This can be placed on the same physical drive as the archive or backup, or on its own dedicated drive. The ability to define a storage location for a disk intensive process will again allow for diversification of disk workload.
Log Rotation
To reduce the amount of file I/O and to save space in the mail store, consider setting limits on each log with the rotation feature. Configuring Log Settings in Kerio Connect describes the individual settings for rotation. A reasonable value for each log is 5 MB, with up to 10 rotated files. Always ensure that debug logging is not enabled unless you are troubleshooting a specific issue.
Content Filtering
For spam and virus processing, Kerio Connect includes SpamAssassin and Sophos. These components run as a separate process to distribute processing workload. However, this functionality can consume significant resources, and may be offloaded to an external MTA. Many gateway content filtering devices or hosted services can be used in combination with Kerio Connect. Utilizing an external SMTP filter can significantly reduce the processing and network load of the mail server.
Public Folders
In some installations of Kerio Connect, the public folders become an extensive repository of information. With many client applications synchronizing this information, it can become a strain on the server. If possible, limit public folders to read only access. Give write permissions only to people instructed to manage public folders responsibly. Please do not store emails with large attachments in public folders. Try to limit public folders to absolutely necessary information, and assign less critical information to a designated user account. Evaluate the type of data in the public folders, and consider incorporating other workflows or applications to manage that information.
Client Access
The type of applications and protocols accessing the server can impact performance. Specifically, WebDAV and EWS based synchronization protocols will strain the server most. Applications using these protocols include Entourage, Outlook 2011, and the Kerio Outlook Connector. Operations within these applications can also have a notable effect on performance, for example large folder operations such as a mass move/delete. Encourage users to perform large folder operations only through the Kerio Connect Client if possible. The Entourage/Outlook 2011 delegation feature also requires significant resources. Encourage users to access shared folders using the option File -> Open -> Other user's folder. IMAP, POP3, and Webmail are less demanding of the server and will allow the server to accommodate a significantly larger number of users.
Contingency planning
As data accumulates over time, performance may be impacted to the extent that operations become unacceptably slow to end users of the system. Although the information in this document will reduce the likelihood of such a scenario, it is difficult to estimate the maximum capacity of a Kerio Connect Server. It is therefore recommended to plan for this circumstance. If everything in this document has been implemented and the performance is still not acceptable, be prepared to divide the information across multiple servers. If the server manages only a single domain, consider creating sub domains and dividing them across multiple servers. Refer to Creating and Migrating users in Kerio Connect Multi-Server for related instructions.
Otherwise, consider the distributed domains feature (see Configuring Distributed domains in Kerio Connect). If the domains are separate, you can migrate user mailboxes quite easily by moving folders in the mail store directory.
Summary
As a solution designed for small to medium sized companies, Kerio Connect removes the complexity of managing and configuring a mail system by setting non-restrictive policies. It is therefore the responsibility of the Administrator to proactively apply restrictive policies within the product, and to define a proper conduct of behavior among all users of the mail system to ensure its longevity, stability, and optimal performance.