Mail servers are a common target for malicious activity because attackers can abuse SMTP functionality in later stages of an attack. While the network’s overall security should not rely entirely on built-in utilities, Kerio Connect offers several security options that admins can use to mitigate unauthorized access, spamming, and other malicious activity. Properly configured, these close off many potential attack vectors before attackers can leverage a vulnerability.
- Main Security Settings
- Additional Security Features
- User Authentication Methods
Main Security Settings
Two main sections within WebAdmin provide several security-related settings: the Security menu and the SMTP Server menu. You can configure Kerio Connect’s fundamental security features from these two menus.
The Security Menu
This menu provides the bulk of the non-SMTP-related standard security components (except for the special features such as AntiSpam, AntiVirus, etc., detailed later on). Note that many of these may play into your SMTP workflow - namely, the authentication methods selected. You can review more about using these within Securing Kerio Connect.
The Security Policy tab provides the bulk of the authentication-related settings available. You can define the user authentication requirements for connecting to the server, the authentication mechanisms to be used when secured connections are used, and refine the Login Guessing Protection settings.
The Sender Policy tab provides anti-spoofing protection options. Anti-Spoofing implements a sender identity check (via your SPF DNS record) and requires users to authenticate before sending email from any of the local domains. This can act as the first line of defense against spammers that might spoof your email domain. See Configuring Anti-Spoofing in Kerio Connect for more information on setting up the feature.
Starting in version 9.4 of Kerio Connect, you can also define your default TLS version via the TLS Options tab. This lets you set the minimum TLS version for both inbound and outbound connections from the supported versions.
The SMTP Server Menu
This menu of WebAdmin is primarily used for the configuration of the SMTP server itself. The security of the SMTP Server is tightly tied into the selections made, so being familiar with their functions can help ensure you are not inadvertently opening your server to unexpected threats. See Securing the Kerio Connect SMTP Server for more information on using these features.
The Relay control menu handles the configuration of who can send email using the Kerio Connect server. This is a common area where security is inadvertently weakened, either by unexpected IPs within the IP Address Group or by accidentally using the “Open Relay” option.
The Security Options tab provides many options for fine-tuning limits (such as maximum messages per IP or maximum email size) and DNS-related SMTP checks. While unassuming, this section provides an enormous return on investment when properly configured.
The SMTP Delivery tab is the final security-centric feature within this menu of WebAdmin. This allows you to define the use of SSL/TLS for SMTP conversations when available and determine specific SMTP Relay Delivery rules. While not commonly a source of security issues, it can be crucial to fully understand how you have configured any listed Relays, especially if you have disabled authentication requirements.
Additional Security Features
Beyond the main security settings mentioned above, Kerio Connect has additional features that can be added on or enabled to further enhance the server’s security. You can access these directly within the Content Filtering section of WebAdmin.
Among the most extensive options available to administrators are the spam filtration settings within the Spam Filter menu. While all of the features within this section help prevent spam, there are two primary spam filter providers available within Kerio Connect: SpamAssassin and Kerio Anti-Spam.
- SpamAssassin is included with all Kerio Connect licenses. It uses a Bayesian self-learning mechanism to catch emails that share ‘features’ with emails previously flagged as spam.
- Kerio Anti-Spam is licensed separately and uses Bitdefender’s online scanning services to catch suspicious emails proactively. In recent releases of Kerio Connect, it works in tandem with the SpamAssassin filter to provide a more robust overall spam prevention service.
In addition to the primary spam filters, this section provides access to configuring Blacklists and Whitelists to block known malicious IPs or allow known good IPs. You can also leverage CallerID and SPF, which act as a sort of “ID badge” for incoming emails. Combined with Greylisting, these give additional assurance about inbound messages.
DNSBLs are shared security methods for tracking domains that have been suspected or confirmed as sources of spam traffic. Through their use, server administrators gain an additional defense against spammers and malicious email traffic. Kerio Connect provides access to a handful of the most commonly used blacklists (SpamCop, Spamhaus, SORBS, and WPBL); however, other third-party blacklists may be available. For example, larger email providers such as Outlook may maintain their own internal blacklist for their users.
Like any other security measure, blacklists can produce “false positives” when traffic is incorrectly classified as spam. This can occur when a shared IP subnet is flagged en masse at the ISP level. When a domain appears on a blacklist in this way, mail flow can be interrupted if the receiving email server uses the offending blacklist.
If your mail server appears on a blacklist, you can use services like MxToolbox’s Blacklist Check to identify the specific blacklist and receive guidance on getting removed. Often the blacklist will have a method for requesting removal.
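The DNSBL lookup a receiving server performs is a plain DNS query, so you can check your own server’s address the same way before a customer tells you mail is bouncing. The following is an added example, not Kerio Connect code: it builds the reversed-address query name (IPv4 octets or IPv6 nibbles under the list’s zone) and reports which zones answer. The zone names are an assumption to be confirmed against each provider’s documentation, and the offline resolver in the usage section is a constructed stand-in for real DNS.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

# Assumption: zone names for two of the lists the article names. Confirm each
# provider's current zone and usage terms before relying on it.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name a DNSBL lookup queries: the address reversed, under the zone.

    IPv4 reverses the dotted octets (192.0.2.1 -> 1.2.0.192.zone); IPv6 lists
    reverse every hex nibble of the fully expanded address.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.strip(".")


def resolve_a(name: str) -> Optional[str]:
    """Default resolver: the A record for the name, or None when it does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbl(ip: str, zones: Iterable[str] = DNSBL_ZONES,
                resolve: Callable[[str], Optional[str]] = resolve_a) -> Dict[str, Optional[str]]:
    """Return {zone: answer}. A non-None answer means the address is listed; the
    127.0.0.x value encodes the listing reason and its meaning is zone-specific."""
    return {zone: resolve(dnsbl_query_name(ip, zone)) for zone in zones}


def is_listed(results: Dict[str, Optional[str]]) -> bool:
    """True if any queried zone returned an answer."""
    return any(answer is not None for answer in results.values())


if __name__ == "__main__":
    # Constructed offline resolver standing in for real DNS. 127.0.0.2 is the
    # address DNSBLs conventionally keep listed for testing, so report it as listed.
    fake_dns = {"2.0.0.127.zen.spamhaus.org": "127.0.0.2"}
    print(check_dnsbl("127.0.0.2", resolve=fake_dns.get))
```

Run it against your server’s public address with the default resolver from a host that has outbound DNS; a non-None answer for a zone means that list is currently blocking you, and the answer value is what the provider’s removal page will ask for.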
Security-focused DNS Records
Often the best way to prevent your domain from appearing on a blacklist, and the resulting potential for damage to your domain’s reputation, is to set up certain key DNS records. These are the SPF records previously mentioned, as well as DKIM and DMARC records, which together help prevent your domain from being spoofed by malicious users.
Once set up, they provide a form of authorization and identification for your internal users. These records give receiving servers a way to immediately verify the validity of emails received from your server and block those that impersonate your business.
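To make concrete what a receiving server does with these records, here is an added example (not Kerio Connect code) that evaluates a sending IP against an SPF record and then applies a DMARC policy to the combined SPF/DKIM outcome. The records and domain are constructed for the example; the SPF evaluator covers only the ip4, ip6 and all mechanisms (the RFC 7208 subset that needs no DNS lookups), and DMARC identifier alignment is assumed to have been checked by the caller.

```python
import ipaddress

# Constructed records for a made-up domain, not the page's. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges (RFC 5737).
EXAMPLE_SPF = "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 -all"
EXAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate a sending IP against an SPF record (RFC 7208 subset).

    Handles the ip4, ip6 and all mechanisms with their qualifiers, which is enough
    for a record that lists your own mail servers. Mechanisms that need DNS
    (include, a, mx, exists, redirect=) are out of scope here and yield
    'permerror' rather than being silently skipped.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"
    return "neutral"  # nothing matched and no 'all' term: RFC 7208 default


def dmarc_disposition(spf_result: str, dkim_result: str, dmarc_record: str) -> str:
    """Decide what a receiver does with a message under the domain's DMARC policy.

    DMARC passes when aligned SPF or aligned DKIM passes (alignment of the From:
    domain with the authenticated domain is assumed checked by the caller).
    Otherwise the p= tag decides: none -> accept, quarantine, or reject.
    """
    tags = {}
    for part in dmarc_record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return "accept"  # no usable policy published
    if spf_result == "pass" or dkim_result == "pass":
        return "accept"
    policy = tags.get("p", "none")
    return {"none": "accept", "quarantine": "quarantine", "reject": "reject"}.get(policy, "accept")


if __name__ == "__main__":
    for sender in ("203.0.113.10", "198.51.100.77", "192.0.2.5"):
        spf = evaluate_spf(EXAMPLE_SPF, sender)
        print(sender, spf, dmarc_disposition(spf, "fail", EXAMPLE_DMARC))
```

The last sender in the usage block is the spoofing case the text describes: an address outside the published list fails SPF, and with no DKIM signature the p=reject policy tells the receiver to refuse the message.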
Kerio Connect employs Bitdefender as an integrated AntiVirus solution. While most of the control over the particular virus definitions is handled directly by the Bitdefender team and their periodic automatic updates, you are provided some control over how to handle the items identified as potentially malicious.
While not a substitute for a local antivirus on end-user machines, this can help catch malicious software passing through your mail server before it reaches them. You can learn to configure this feature within Configuring Antivirus Protection in Kerio Connect.
IP Address Group Exceptions
Within many of the security-related menus mentioned above, you may notice several IP Address Group drop-downs that can be utilized to provide exceptions to the defined rules. These exception fields are often intended to provide local users (on the LAN) with a way around the gauntlet of security features. While this is most often the case, they can also present a significant security concern when the default IP Groups have been modified, or User Access policies provide access to an unexpected group of IPs.
When considering the security of Kerio Connect, these minor configurations are often overlooked but, when misconfigured, can open your server to threats. This usually occurs when edits are made within the Local Clients default IP Address Group. Care should be taken when allowing these exceptions by first verifying the content of the IP Address Group.
Consider the following example of a perceived “mostly safe configuration” allowing LAN connections to send email without authentication:
Closer investigation shows that the Local Clients list had an accidental addition of an extensive IP range that was not intended when the above rule was defined:
User Authentication Methods
Within Kerio Connect, there are several ways for users to authenticate against the server to access their mailboxes. Following a new installation of Kerio Connect, all users will use the standard Internal User Database authentication method; however, additional authentication methods can be set up and configured to provide extra security.
Local Authentication (Local User Database)
Standard Passwords are the most common authentication method used for many applications and should be familiar to most users. Upon creation, a password is configured for new local user accounts, then used to authenticate with WebAdmin, WebMail, and Email Clients.
Note that the security of Local Authentication is determined by the complexity of the password defined for the user. For this reason, there is a benefit to enforcing the use of complex passwords and the use of automatic Password Expiry.
Directory Service Authentication
As an alternative to the local user database, you can map your Kerio Connect server to an external directory server via Active Directory or Open Directory. This lets you leverage the authentication of the directory controller via Kerberos or PAM, while administration of the server is handled via the LDAP database. It enables users to use the same credentials across the entire organization if they are similarly mapped to the directory service.
This authentication method is not inherently more secure, as responsibility for security is passed to the IT and infrastructure teams managing the directory service.
Starting in Kerio Connect version 9.4, you can also leverage Two-Factor Authentication (2FA) for additional access security. It uses the Google and Microsoft mobile authenticator apps to supply a real-time token, so administrators control the needed level of protection. It provides an additional layer of security if usernames or passwords are compromised by phishing or other malicious attacks.
This 2-step verification adds an extra layer of security to your account by using an application on the user’s smartphone to confirm their identity. By using 2-step verification, even if standard credentials are compromised, access is not granted unless the second step is verified.
For access, users must first authenticate with their credentials. Additionally, they must type in a unique time-limited code generated by an authentication application on their phone or computer. The application must support the Internet Engineering Task Force (IETF) standard RFC 6238. Example applications include Google Authenticator (available for iOS, Android, and Windows Phone) and FreeOTP Authenticator (available for iOS and Android). Other authentication applications may be used as alternatives.
The 2FA process allows authentication with the following components:
- Admin web interface
- Kerio Connect webmail
- Kerio Connect client
Enabling 2-Step verification
The administrator can configure 2-step verification per domain. The setting can be found on the Security tab when editing a specific domain. You can choose to set up 2-step verification as optional for all users in the domain or enforce this security setting.
Since the 2-step verification code is time-based, it is vital to check the OS time on the server where Kerio Connect is deployed. The OS time should be in sync with internet time; otherwise, verification failures may result.
Once the feature has been enabled for a domain, users will need to configure 2FA within WebMail or the Kerio Connect Desktop Client. If you have decided to enforce the use of the new feature, users will be prompted to configure Two-Factor on their next login (and on every login until it is configured). See Enabling Two-Factor Authentication in Kerio Connect for more information.
Unlike the standard local authentication method, Two-Factor Authentication allows users to automatically regain access to their account if they lose access to the authentication app used to set up the feature. As with local authentication, however, if the user forgets their password, an administrator’s assistance is still required to reset it.
Once 2FA is turned on, standard account passwords will no longer work for KOFF, IMAP, or similar clients. These passwords are replaced by application passwords that a user creates within Kerio Connect WebMail or the Kerio Connect Client after submitting a 2FA code or successfully setting up 2FA.
Application-specific passwords provide the following benefits when combined with 2FA:
- Compromised app passwords only impact a single assigned application and cannot be used for Webmail or Webadmin access.
- They can be quickly deleted and recreated by the end-users.
Once an application password is created, it cannot be changed or reviewed. Users are therefore strongly encouraged to save it in their password vault; if an application password is lost, users can quickly delete the old one and create a new one.
App passwords can only be created or deleted via WebMail or Kerio Connect Desktop, from the Settings > App Passwords section. Within the UI, users can assign a description to each password to help identify it quickly if multiple applications are used:
These are plaintext, like a standard user password; however, the system automatically generates complex passwords similar to those created via the Generate Password function. Once an app password is defined, users are only given the option to remove it via the Delete icon:
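The properties described for app passwords (generated rather than chosen, shown once, never reviewable afterwards, individually revocable, and useless for the web interfaces) follow from a simple design: keep only a salted hash per application and hand the plaintext to the user exactly once. The following is an added example of that design and not Kerio Connect’s implementation; the store, record ids and PBKDF2 parameters are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits
PBKDF2_ROUNDS = 100_000  # assumption: illustrative work factor


@dataclass
class AppPasswordRecord:
    description: str  # the user's label, e.g. "IMAP on laptop"
    salt: bytes
    digest: bytes     # only the hash is stored, so the password cannot be reviewed later


def generate_app_password(length: int = 16) -> str:
    """Random, high-entropy password from the CSPRNG, like the built-in generator."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_app_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AppPasswordStore:
    """One user's app passwords: create (plaintext shown once), verify, revoke, list.

    Verification is only ever called by the IMAP/KOFF-style login path, never by
    the WebMail or WebAdmin login, which is what keeps a leaked app password from
    granting access to those interfaces.
    """

    def __init__(self) -> None:
        self._records: Dict[str, AppPasswordRecord] = {}

    def create(self, description: str) -> Tuple[str, str]:
        """Return (record id, plaintext). The plaintext is returned exactly once."""
        record_id = secrets.token_hex(8)
        plaintext = generate_app_password()
        salt = secrets.token_bytes(16)
        self._records[record_id] = AppPasswordRecord(
            description, salt, hash_app_password(plaintext, salt))
        return record_id, plaintext

    def verify(self, candidate: str) -> Optional[str]:
        """Return the id of the matching app password, or None.

        Every record is checked because the client supplies only the password,
        not which application it belongs to; the compare is constant-time.
        """
        for record_id, rec in self._records.items():
            if hmac.compare_digest(hash_app_password(candidate, rec.salt), rec.digest):
                return record_id
        return None

    def revoke(self, record_id: str) -> bool:
        """Delete one app password; other applications keep working."""
        return self._records.pop(record_id, None) is not None

    def descriptions(self) -> List[Tuple[str, str]]:
        """What the Settings > App Passwords UI can list: ids and labels, never secrets."""
        return [(rid, rec.description) for rid, rec in self._records.items()]


if __name__ == "__main__":
    store = AppPasswordStore()
    rid, shown_once = store.create("IMAP on laptop")
    print("give this to the user now, it is not stored:", shown_once)
    print("matches record:", store.verify(shown_once) == rid)
    store.revoke(rid)
    print("after revoke:", store.verify(shown_once))
```

Because only the digest is stored, a “show me my app password” feature is impossible by construction, which is why the only action offered after creation is deletion and re-creation.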