Overview

After upgrading Kerio Connect to version 9.2.9 and above, you can experience an issue with email signature and images/pictures not showing. The Developer Tools in the web browser may display the following error:

Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "img-src 'self' data:"

This article describes a workaround for this issue.

Prerequisites

Kerio Connect 9.2.9

Diagnosis

Kerio Connect upgrade to version 9.2.9 and above is causing this issue. Developers implemented a new security feature in Version 9.2.9 (as seen below) to protect email clients from suspicious sources.

Version 9.2.9

Released: April 2, 2019

Release notes

New:

• Faster Contact List (webmail)
• Faster Global Address List (GAL)
• Added HTTP Security Headers

Solution

1. Stop the Kerio Connect service.

2. Navigate to the installation folder. The default paths for various OS are listed below:

   • Windows: C:\Program Files\Kerio\MailServer.

   • Mac: /usr/local/kerio/mailserver.

   • Linux: /opt/kerio/mailserver.

3. Edit the file mailserver.cfg to change the following variable:

   <variable name="AppendHeaderContentSecurityPolicy">default-src 'self' 'unsafe-eval' 'unsafe-inline' *.kerio.com; img-src * http: https: data:;</variable>.

4. Note if entering more than one domain it must be space separated e.g. (

   <variable name="AppendHeaderContentSecurityPolicy">default-src 'self' 'unsafe-eval' 'unsafe-inline' *.kerio.com login.microsoftonline.com graph.microsoft.com; img-src * http: https: data:;</variable>)

   
   

5. Start the Kerio Connect service.

Confirmation

Signature and images are showing in the webmail.