Overview
To increase the security level of your Kerio Connect installation, you need to configure certain security controls. To prevent repeated dictionary attacks from multiple sender hosts, you can restrict communication on the firewall side, enforce a strong password and security policy, enable DKIM and anti-spoofing protection, and configure data encryption.
Configuring Your Firewall
If you install Kerio Connect in a local network behind a firewall, map these ports as follows:
Service (default port) | Incoming connection
---|---
SMTP (25) | allow
SMTPS (465) | allow
SMTP Submission (587) | allow
POP3 (110) | deny
POP3S (995) | allow
IMAP (143) | deny
IMAPS (993) | allow
NNTP (119) | deny
NNTPS (563) | allow
LDAP (389) | deny
LDAPS (636) | allow
HTTP (80, 4040, 8800) | deny
HTTPS (443, 4040, 8843) | allow
By using IP Address Groups, you can define a list of IP addresses that can access a particular service. For instance, if only selected users in the company use IMAP (Internet Message Access Protocol) or POP (Post Office Protocol), you can allow access only from these users' IP addresses. You can also limit the maximum number of concurrent connections.
Note that Kerio Connect does NOT have a built-in firewall and therefore cannot block specific IP addresses that attempt to spam the Kerio mail server. This task falls within the scope of the firewall sitting in front of Kerio Connect. The lack of a built-in firewall is complemented by the additional security features described in the next sections.
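The port table above as a machine-checkable policy, as an added example that is not Kerio's own tooling: it renders an nftables ruleset for an assumed Linux firewall in front of the server (allowed ports open to all, IMAP/POP3-style ports restricted to an IP group, and port 4040, which appears in both the HTTP and HTTPS rows, opened only to an assumed admin network), and audits a list of externally reachable ports against the policy.

```python
from collections import defaultdict

# Policy rows (service, default ports, allow inbound) copied from the table.
POLICY = [
    ("SMTP", (25,), True), ("SMTPS", (465,), True),
    ("SMTP Submission", (587,), True),
    ("POP3", (110,), False), ("POP3S", (995,), True),
    ("IMAP", (143,), False), ("IMAPS", (993,), True),
    ("NNTP", (119,), False), ("NNTPS", (563,), True),
    ("LDAP", (389,), False), ("LDAPS", (636,), True),
    ("HTTP", (80, 4040, 8800), False),
    ("HTTPS", (443, 4040, 8843), True),
]

def classify(policy=POLICY):
    """Split ports into allowed, denied and conflicting sets. Port 4040 sits
    in both the HTTP and HTTPS rows, so it is reported as a conflict to be
    decided explicitly rather than opened to everyone."""
    verdicts = defaultdict(set)
    for _, ports, allow in policy:
        for port in ports:
            verdicts[port].add(allow)
    allowed = {p for p, v in verdicts.items() if v == {True}}
    denied = {p for p, v in verdicts.items() if v == {False}}
    conflict = {p for p, v in verdicts.items() if len(v) == 2}
    return allowed, denied, conflict

def nft_rules(admin_net, restricted=None, policy=POLICY):
    """Render an nftables ruleset: allowed ports open to all, ports in
    `restricted` only from their IP group (the IP Address Groups idea for
    IMAP/POP3 users), conflicting ports only from admin_net, rest dropped."""
    allowed, _, conflict = classify(policy)
    restricted = restricted or {}
    public = ", ".join(map(str, sorted(allowed - set(restricted))))
    lines = ["table inet filter {",
             "  chain input { type filter hook input priority 0; policy drop;",
             "    ct state established,related accept", "    iif lo accept",
             f"    tcp dport {{ {public} }} accept"]
    for port, net in sorted(restricted.items()):
        lines.append(f"    ip saddr {net} tcp dport {port} accept")
    for port in sorted(conflict):
        lines.append(f"    ip saddr {admin_net} tcp dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)

def audit(reachable_ports, policy=POLICY):
    """Ports an external scan reached although the policy denies them."""
    _, denied, conflict = classify(policy)
    return sorted(p for p in set(reachable_ports) if p in denied | conflict)
```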
Password Policy
- Read the Password policy in the Kerio Connect article for detailed information on user passwords.
Note: do NOT store passwords as plain text in the Description field or any other publicly accessible field.
Configure a Secure Connection to Kerio Connect
Kerio Connect can do either of the following:
- Secure user authentication.
- Encrypt the whole communication.
Go to Configuration > Security > Security Policy to select your preferred security policy.
You can define a group of IP addresses that can authenticate insecurely (e.g., from local networks).
Securing User Authentication
If you select the Require secure authentication option, users must securely authenticate when they access Kerio Connect.
You can select any of the following authentication methods:
If you select more than one method, Kerio Connect performs the first available method.
If the users' passwords are saved in the SHA (Secure Hash Algorithm) format:
- Select PLAIN or LOGIN.
- Do not map users from a directory service.
Check out Enforcing SSL and Encrypted Communication in Kerio Connect for more information.
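Why SHA-stored passwords leave only PLAIN or LOGIN, as an added example that is not Kerio code: a minimal server-side verifier for SASL PLAIN (RFC 4616) and, as an assumed example of a challenge-response method, CRAM-MD5 (RFC 2195). A store that keeps only a hash can check a password sent in the clear (which is why the connection must be encrypted), but cannot recompute the HMAC a challenge-response method expects. All credentials are constructed.

```python
import base64, hashlib, hmac, os

def sha_record(password):
    """Constructed hash-only credential record (salted SHA-256)."""
    salt = os.urandom(16)
    return {"salt": salt, "sha": hashlib.sha256(salt + password.encode()).digest()}

def check_sha(record, password):
    digest = hashlib.sha256(record["salt"] + password.encode()).digest()
    return hmac.compare_digest(record["sha"], digest)

def encode_plain(user, password):
    """Client side of AUTH PLAIN: base64('authzid\\0authcid\\0password'), RFC 4616."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def decode_plain(initial_response):
    _authzid, authcid, password = base64.b64decode(initial_response).split(b"\0", 2)
    return authcid.decode(), password.decode()

def cram_md5_response(challenge, user, password):
    """Client side of CRAM-MD5 (RFC 2195): 'user hex(HMAC-MD5(password, challenge))'."""
    return f"{user} {hmac.new(password.encode(), challenge, 'md5').hexdigest()}"

def authenticate(store, mechanism, *args):
    """Server-side verdict: 'ok', 'fail' or 'unsupported'. `store` maps a user
    to {'plain': cleartext} or to a hash-only record from sha_record()."""
    if mechanism == "PLAIN":            # LOGIN verifies the same way, in two steps
        user, password = decode_plain(args[0])
        rec = store.get(user)
        if rec is None:
            return "fail"
        if "plain" in rec:
            ok = hmac.compare_digest(rec["plain"].encode(), password.encode())
        else:
            ok = check_sha(rec, password)
        return "ok" if ok else "fail"
    if mechanism == "CRAM-MD5":
        challenge, response = args
        user, digest = response.split(" ", 1)
        rec = store.get(user)
        if rec is None:
            return "fail"
        if "plain" not in rec:
            # A hash-only store cannot recompute HMAC-MD5(password, challenge);
            # this is why SHA-stored passwords leave only PLAIN or LOGIN (over TLS).
            return "unsupported"
        expected = hmac.new(rec["plain"].encode(), challenge, "md5").hexdigest()
        return "ok" if hmac.compare_digest(expected, digest) else "fail"
    raise ValueError(f"unknown mechanism {mechanism}")
```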
Authenticating Messages with DKIM
DomainKeys Identified Mail (DKIM) signs outgoing messages from Kerio Connect with a unique signature to identify the sender. The users take responsibility for the messages they send, and the recipients are sure the messages came from verified users (by retrieving their public key).
For more information please refer to Configuring DNS for DKIM in Kerio Connect.
Enabling Anti-Spoofing
Although it is not part of the Kerio Connect anti-spam filters, the anti-spoofing feature prevents spammers from "spoofing" your email address and pretending their messages were sent by you. A typical example in a Kerio environment (if this feature is not enabled) is that users can send messages as other users, even without delegation, when using mail clients that can modify the From address field, such as Microsoft Outlook.
This feature implements Sender Identity: users must authenticate to send email from any of the local domains, and they are only allowed to send email from the following addresses:
- The user's email address.
- The email address of groups they are a member of.
- The aliases to their email addresses.
- The aliases to public folders they can access.
- The email address of users who granted them a delegation.
If the email does not meet the conditions above, Kerio Connect blocks it as a spoofed message. Note that this feature only prevents your own domain from being spoofed; Kerio Connect has other means of detecting whether an incoming email comes from a spoofed sender.
Anti-Spoofing can be enabled from either of the following settings:
- Security > Sender Policy
- Domain > Security
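The five Sender Identity rules above as a decision function, as an added example that is not Kerio code: given an authenticated user, a From address and a constructed stand-in for the directory (aliases, group memberships, public folder aliases, delegations), it returns whether the submission is accepted or blocked as spoofed. The `Directory` class and the sample data are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Directory:
    """Constructed stand-in for the directory data the server would consult."""
    aliases: dict          # user address -> set of that user's alias addresses
    groups: dict           # group address -> set of member user addresses
    public_folders: dict   # public folder alias -> set of users with access
    delegations: dict      # delegating user -> set of users granted delegation

def permitted_from(user, d):
    """Every From address the authenticated user may use, one set per rule."""
    user = user.lower()
    ok = {user} | set(d.aliases.get(user, ()))
    ok |= {g for g, members in d.groups.items() if user in members}
    ok |= {pf for pf, readers in d.public_folders.items() if user in readers}
    ok |= {owner for owner, dl in d.delegations.items() if user in dl}
    return {a.lower() for a in ok}

def sender_policy(authenticated_user, from_addr, d, local_domains):
    """Verdict for one submission: 'accept', 'spoofed', or 'not-local' when the
    From domain is not ours (other anti-spam checks cover that case)."""
    from_addr = from_addr.lower()
    if from_addr.rsplit("@", 1)[-1] not in local_domains:
        return "not-local"
    if authenticated_user is None:
        return "spoofed"       # a local-domain From requires authentication
    return "accept" if from_addr in permitted_from(authenticated_user, d) else "spoofed"

# Constructed sample directory for the local domain example.com.
SAMPLE = Directory(
    aliases={"alice@example.com": {"a.smith@example.com"}},
    groups={"sales@example.com": {"alice@example.com"}},
    public_folders={"support@example.com": {"bob@example.com"}},
    delegations={"ceo@example.com": {"alice@example.com"}},
)
LOCAL_DOMAINS = {"example.com"}
```

The check is applied to the header From address that a client such as Outlook can edit; a production check would look at the envelope sender as well.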
Data Encryption
This feature is only available for users running Kerio Connect v9.2.7 and above on Linux.
- Data Encryption is not supported on external or removable disks or multi-volume data storage.
- The initial encryption or decryption process takes a considerable amount of time to complete, depending on the size of the email data.
Do not interrupt the process, as this will result in a corrupted email store. Email delivery is also unavailable during this time.
Enabling Encryption
You can configure Kerio Connect to encrypt user settings, logs, system configurations, and messages saved to the disk.
IMPORTANT: Encryption is bound to a specific storage device, so if you plan to change the hardware, you must disable encryption first. Encryption also consumes more resources, so performance may be affected.
- In the Kerio Connect administration interface, go to Configuration > Advanced Options > Store Directory.
- Go to the Data Encryption section.
- Enter the password and re-enter it to confirm.
IMPORTANT: Once encryption is enabled, the password cannot be changed. Remember this password, as you will need it to decrypt the data.
- Click Encrypt and confirm the action.
Note: during Encryption initialization, the Kerio Connect service is restarted.
Disabling Encryption
To decrypt data and disable encryption:
- In the Kerio Connect administration interface, go to Configuration > Advanced Options > Store Directory.
- Go to the Data Encryption section.
- Click Disable.
- Enter the password that was set when encryption was enabled and confirm the action.
Troubleshooting
For any encryption-related issues, it is recommended to enable the Data Encryption option in the Debug log.
Encrypting User Communication
If you select the Require encrypted connection option, clients connect to every service over an encrypted connection, so the communication cannot be intercepted.
- Check out Enforcing SSL and Encrypted Communication in Kerio Connect for more information.
NOTE: Many SMTP (Simple Mail Transfer Protocol) servers do not support SMTPS (SMTP Secure) or STARTTLS. The SMTP server requires secure user authentication to provide advanced security.
Related Articles
- Antivirus and Content Filters
- Blacklists and Caller ID
- Sender Policy Framework and Greylisting
- Securing the SMTP Server
- Kerio Connect: Anti-Spam Advanced Filter