Phone Lines icon GFI Support Home

Articles in this section

See more

Unlocking Accounts for Locked-Out Users in Kerio Connect

Author: Central KB Updated

Overview

If a user has entered the incorrect combination of username and password a few times in a row, it is likely that their account has been locked out. As a result, the user is not being able to access mailbox items and directories.

This article is intended for administrators as a self-service guide on how to unlock users in Kerio Connect.

 

Process

  1. Log in to the Kerio Web Administration.

  2. Navigate to Configuration > Security.

  3. Under Login guessing protection, click Unlock All Accounts Now.

    075.png

    Note: This action will unlock all accounts that have been locked. You have to make sure that the users are entering the password correctly and that they are using the correct settings if they configured a new connection to their Kerio email accounts.

 

Additional Information

The account is locked when there are three consecutive incorrect login attempts to prevent a brute-force password break-in. As a workaround, you could disable the Account lockout option. However, this will leave the accounts vulnerable to said brute-force attacks, so it is not recommended to do so.

Lockout settings can be controlled via mailserver.cfg file. The proper procedure will be:

  1. Stop Kerio Connect.

  2. Open the Kerio Connect installation folder. Defaults are:

    - Windows: C:\Program Files\Kerio\MailServer

    - macOS: /usr/local/kerio/mailserver

    - Linux: /opt/kerio/mailserver

  3. Locate the following variables in the Security table of mailserver.cfg:

    076.png
    - LockoutEnabled is a boolean value for either Enabling (1) or Disabling (0) lockout feature

    - LockoutCount is a value of failed Login Attempts from one IP address

    - LockoutResetInterval is equal to Blocking ends after 5 minutes in Administration UI

  4. Change the variables to the necessary values. 

  5. Start Kerio Connect.

Kerio Connect does not have a built-in function to block the IP addresses attempting to login. Kerio Connect has no mechanism to prevent clients from attempting authentication. All clients, by default, can attempt authentication to the server, there is no way to prevent a client from attempting an authentication. You can deny the actual authentication from taking place in the SMTP server settings, Security settings, and using the Access Policies, but not the authentication attempt.

To stop illegitimate authentication attempts causing the accounts to get locked out, there needs to be a mechanism that prevents the connection from actually hitting the mail server. That type of blocking can be achieved at the Firewall level. 

 

Confirmation

All user accounts will be unlocked, and users will be able to log in successfully.

 

Back to Top

Related articles