This article provides information about the different methods of securing Kerio Connect and how to implement them.
You can secure Kerio Connect by applying the following recommendations:
Restricting Communication on the Firewall to Necessary IP Addresses and Ports
By using IP Address Groups, you can define a list of IP addresses that are allowed to access a particular service. For instance, if only selected users in the company use IMAP or POP, you can allow access to those services only from these users' IP addresses. You can also limit the maximum number of concurrent connections.
Enforcing a Strong Password Policy
To secure users and their passwords in Kerio Connect, you can implement these policies:
- Require users to create strong passwords.
- Require complex passwords (for local users).
- Enable password expiry (for local users).
- Enable password protection against login guessing.
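The following is an added example, not code from Kerio Connect, showing how the last two policies in the list work together: a complexity check for local passwords and a per-account lockout that stops login guessing. The thresholds (8 characters, 3 of 4 character classes, 5 failures, 300-second lockout) are assumptions chosen for the example; the page does not state Kerio's actual values, and the account store is constructed.

```python
import hashlib
import hmac
import re
import time
from collections import defaultdict

# Assumed policy values for the example; Kerio Connect's own defaults are not stated on the page.
MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 300


def password_is_complex(password: str) -> bool:
    """Require MIN_LENGTH characters and at least three of four character classes."""
    if len(password) < MIN_LENGTH:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    return sum(1 for pattern in classes if re.search(pattern, password)) >= 3


def make_directory(plaintext_accounts: dict) -> dict:
    """Constructed account store: login -> SHA-256 hex digest of the password."""
    return {login: hashlib.sha256(pw.encode()).hexdigest() for login, pw in plaintext_accounts.items()}


class LoginGuard:
    """Counts failed logins per account and refuses further attempts once the limit is reached."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock so the lockout window can be tested
        self._failures = defaultdict(list)   # login -> timestamps of recent failures

    def is_locked(self, login: str) -> bool:
        window_start = self._now() - LOCKOUT_SECONDS
        recent = [t for t in self._failures[login] if t >= window_start]
        self._failures[login] = recent       # drop failures that have aged out of the window
        return len(recent) >= MAX_FAILED_ATTEMPTS

    def record(self, login: str, success: bool) -> None:
        if success:
            self._failures.pop(login, None)  # a successful login clears the counter
        else:
            self._failures[login].append(self._now())


def attempt_login(guard: LoginGuard, directory: dict, login: str, password: str) -> str:
    """Return "locked", "ok" or "denied" for one authentication attempt."""
    if guard.is_locked(login):
        return "locked"                      # refused before the password is even checked
    stored = directory.get(login)
    presented = hashlib.sha256(password.encode()).hexdigest()
    success = stored is not None and hmac.compare_digest(stored, presented)
    guard.record(login, success)
    return "ok" if success else "denied"
```

Note that a locked account rejects even the correct password until the window expires; that is the point of the guessing protection, and it is why the lockout window should be short enough not to become a denial-of-service lever against legitimate users.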
Securing User Authentication
If you select the Require Secure Authentication option, users must authenticate securely when they access Kerio Connect. You can choose any of the following authentication methods:
- CRAM-MD5 - password authentication using MD5 digests.
- DIGEST-MD5 - password authentication using MD5 digests.
- NTLM - can only be used with Active Directory.
- SSL Tunnel - select if no authentication method is used.
If you select more than one method, Kerio Connect uses the first one that is available. If users' passwords are stored in SHA format, select the PLAIN or LOGIN option.
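The reason behind the last sentence is easiest to see in code. The following added example (not Kerio's code) walks through a CRAM-MD5 exchange on both sides: the client answers a server challenge with an HMAC-MD5 keyed by the password, so the password never crosses the wire, but the server can only verify the answer if it can recover the plaintext password itself. A server that holds only a SHA digest cannot, which is why PLAIN or LOGIN (sent over an encrypted connection) must be used with SHA-stored passwords. The account stores and hostname are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed account stores for the example; Kerio's real storage formats are not described on the page.
USERS_PLAINTEXT = {"alice": "Correct-Horse-9"}
USERS_SHA = {"alice": hashlib.sha256(b"Correct-Horse-9").hexdigest()}


def make_challenge(hostname="mail.example.com"):
    """Server side: a one-time challenge in the <random.timestamp@host> form used by CRAM-MD5 (RFC 2195)."""
    nonce = base64.b16encode(os.urandom(8)).decode()
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode()


def cram_md5_response(username, password, challenge):
    """Client side: HMAC-MD5 over the challenge, keyed with the password. Only the digest is sent."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def verify_cram_md5(response, challenge, store):
    """Server side: recompute the HMAC with the stored secret and compare in constant time.

    This only works when `store` holds the plaintext password. If it holds a SHA digest,
    the recomputed HMAC is keyed with the digest rather than the password and never matches.
    """
    username, _, digest = response.decode().partition(" ")
    secret = store.get(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def plain_response(username, password):
    """Client side of SASL PLAIN: authzid NUL authcid NUL password, base64 encoded. Needs TLS underneath."""
    return base64.b64encode(f"\0{username}\0{password}".encode())


def verify_plain(response, store_sha):
    """Server side of PLAIN against a SHA-only store: hash what the client sent and compare digests."""
    _, username, password = base64.b64decode(response).decode().split("\0")
    expected = store_sha.get(username)
    if expected is None:
        return False
    presented = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(expected, presented)
```

In PLAIN the server receives the password itself, so any one-way stored form can be checked; in CRAM-MD5 it receives only a keyed digest, so the stored form must be the key. Enabling Require Encrypted Connection is what makes the PLAIN trade-off acceptable.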
Encrypting User Communication
If you select the Require Encrypted Connection option, clients must connect to every service over an encrypted connection, so the communication cannot be intercepted. For example, the Kerio Connect Administration interface must then be accessed over HTTPS.
Authenticating Messages with DKIM
DomainKeys Identified Mail (DKIM) signs outgoing messages from Kerio Connect with a unique signature that identifies the sender. The users thus take responsibility for the messages they send, and recipients can be sure the messages came from verified users by retrieving the public key.
For DKIM to work, a TXT record must be created in the DNS containing the Kerio Connect public key. This key is found under Edit Domain > General > Show Public Key.
INFO: A TXT record (short for text record) is a type of resource record in the Domain Name System (DNS) used to provide the ability to associate arbitrary text with a hostname or other names, such as human-readable information about a server, network, data center, or additional accounting information.
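The following added example (not Kerio's code) shows what the DNS side of the DKIM step looks like: it builds the TXT record name from a selector and domain, turns a public key into a `v=DKIM1; k=rsa; p=...` record split into the 255-character strings DNS TXT records require, and parses and validates such a record the way a receiving verifier would. The selector `selector1`, the domain `example.com` and the key bytes are placeholders; the real key is the one shown under Edit Domain > General > Show Public Key.

```python
import base64
import binascii
import os

# Placeholder key material, constructed for the example. A real 2048-bit RSA public key in
# SubjectPublicKeyInfo form is about 294 bytes, so the base64 text is too long for one TXT string.
PUBLIC_KEY_B64 = base64.b64encode(os.urandom(294)).decode()

TXT_STRING_MAX = 255  # each character-string inside a TXT record is limited to 255 bytes


def dkim_record_name(selector: str, domain: str) -> str:
    """DKIM verifiers look up <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def build_txt_record(public_key_b64: str) -> list:
    """Return the record as a list of TXT strings, each within the 255-byte limit."""
    record = f"v=DKIM1; k=rsa; p={public_key_b64}"
    return [record[i:i + TXT_STRING_MAX] for i in range(0, len(record), TXT_STRING_MAX)]


def parse_dkim_record(strings: list) -> dict:
    """Concatenate the TXT strings and split the tag=value list (RFC 6376 tag-list syntax)."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" not in part:
            continue                             # empty trailing element or junk
        name, _, value = part.partition("=")
        tags[name.strip()] = "".join(value.split())  # whitespace inside values is ignored
    return tags


def validate_dkim_record(tags: dict) -> list:
    """Return a list of problems a verifier would report; an empty list means the record is usable."""
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unsupported key type {tags['k']!r}")
    if "p" not in tags:
        problems.append("missing p= (public key) tag")
    elif tags["p"] == "":
        problems.append("empty p= means the key has been revoked")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    return problems
```

When publishing the record, check the DNS provider's editor actually stored the value as several strings rather than truncating it at 255 characters; a truncated `p=` fails the base64 check above and every signature from the domain will then fail verification.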
Anti-Spoofing
Although it is not part of the Kerio Connect Anti-Spam filters, the anti-spoofing feature prevents spammers from "spoofing" your email address and pretending their messages were sent from you. If this feature is not enabled, a typical example in a Kerio environment is that users can send messages as other users, even without delegation, when using mail clients that allow the From address field to be modified, such as Microsoft Outlook.
This feature implements sender identity verification: users must authenticate before they can send email from any of the local domains, and they are only allowed to send email from the following addresses:
- Their email address
- The email address of groups they are a member of
- The aliases to their email addresses
- The aliases to public folders they can access
- The email address of users who granted them a delegation
If the email does not meet the conditions above, Kerio Connect blocks it as a spoofed message. Note that this feature only prevents your own domain from being spoofed; Kerio Connect has other means of detecting whether an incoming email comes from a spoofed sender.
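To make the five conditions concrete, here is an added example (not Kerio's implementation) that evaluates them against a small constructed directory: users with primary addresses, aliases pointing at users or public folders, groups, public folder access lists and delegations. The `Directory` structure, the `sender_verdict` function and the `example.com` data are all assumptions for the example; a From address outside the local domains gets a separate "foreign" verdict because, as the text says, this feature only covers your own domain.

```python
from dataclasses import dataclass
from email.utils import parseaddr


@dataclass
class Directory:
    """Constructed directory data; Kerio keeps the equivalent in its own user, group and folder settings."""
    users: dict           # login -> primary email address
    aliases: dict         # alias address -> a user's primary address or a public folder name
    group_members: dict   # group email address -> set of member logins
    public_folders: dict  # public folder name -> set of logins allowed to access it
    delegations: dict     # grantor login -> set of logins granted delegation

    def local_domains(self) -> set:
        addresses = list(self.users.values()) + list(self.aliases) + list(self.group_members)
        return {a.rsplit("@", 1)[1].lower() for a in addresses}


def allowed_from_addresses(d: Directory, login: str) -> set:
    """The five address classes the page lists, collected for one authenticated user."""
    primary = d.users.get(login)
    if primary is None:
        return set()
    allowed = {primary}                                                     # their own address
    allowed |= {g for g, members in d.group_members.items() if login in members}  # groups they belong to
    for alias, target in d.aliases.items():
        if target == primary:                                               # aliases of their address
            allowed.add(alias)
        elif login in d.public_folders.get(target, set()):                  # aliases of folders they can access
            allowed.add(alias)
    allowed |= {d.users[grantor] for grantor, delegates in d.delegations.items()
                if login in delegates}                                      # users who delegated to them
    return {a.lower() for a in allowed}


def sender_verdict(d: Directory, login: str, from_header: str) -> str:
    """Return "allowed", "spoofed" or "foreign" for a From header sent by an authenticated user."""
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return "spoofed"          # an unparseable From address meets none of the conditions
    if addr.rsplit("@", 1)[1] not in d.local_domains():
        return "foreign"          # not our domain; left to the other filters the page mentions
    return "allowed" if addr in allowed_from_addresses(d, login) else "spoofed"


# Constructed sample directory used by the checks below.
SAMPLE = Directory(
    users={"alice": "alice@example.com", "bob": "bob@example.com"},
    aliases={"a.smith@example.com": "alice@example.com", "helpdesk@example.com": "Public/Support"},
    group_members={"sales@example.com": {"alice"}},
    public_folders={"Public/Support": {"bob"}},
    delegations={"bob": {"alice"}},
)
```

The display name in the From header is ignored on purpose: only the address part decides, which is the field a mail client like the one described above lets the user change.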
Anti-Spoofing can be enabled under Security > Sender Policy, or under Domain > Security.