Overview

When the password change policy is in place, it is possible to monitor password changes. It's not visible automatically in the Kerio Connect Administration, but it's achievable with tracking and reviewing the internal file's changes or enabling specific Debug logs. It is helpful while instituting new passwords for compromised user accounts.

Preconditions

Administrator (root) access to Kerio Connect server

Diagnosis

The user passwords are stored in the user configuration file called users.cfg. The file contains Password history changes from the user creation time.

The default user password change policy is set as 180 days but can be configured to the customs value.

For more information, please refer to Password Policy in Kerio Connect.

When the user password is about to expire, the Kerio Connect sends an automatic email as a reminder to change the existing password.

Solution

1. Login to Kerio Connect Administration and navigate to Logs -> Debug -> right-click on logs area -> enable Kerio Connect Client
   
2. When the user changes the password, the log generates the message:
   "User <username>@<domain>; Function Session.setPassword was finished in 0.xx seconds."
3. The change is also reflected in users.cfg, list UserAdditionalData. It generates a new PasswordHistory variable and alters the LastPasswordChange timestamp.
   
   Note: to convert timestamp to a human-readable format, please use the EpochConvertor website.
4. The change of the file can be automatically tracked by external tools.
   1. For Linux/macOS, you can use the Fswatch tool. For more information, please refer to the Fswatch 3rd-party discussion.
   2. For Windows, it can be achieved using Event Viewer logs. For more information, please refer to how to track files' changes 3rd-party guide.

Confirmation

The monitoring of the User password is configured successfully.