For details on advanced options of Kerio Connect, see the manual.
You can customize Kerio Connect in section :
Convert IP addresses of remote clients and servers connecting to Kerio Connect to DNS names (using reverse DNS requests). This makes logs more comprehensible but it can also decrease the performance of Kerio Connect.
Enable this option if you do not wish to reveal the version and name of the mailserver application for this domain.
Defines whether the X-Envelope-To entry will be inserted into the header of messages delivered locally. X-Envelope-To is the original recipient address based on the SMTP envelope. This option is especially useful if there is a domain mailbox in Kerio Connect.
TNEF (Transport Neutral Encapsulation Format) is a format used to send messages with format extensions from MS Outlook. The winmail.dat file is attached to any message sent in this format. It contains a complete copy of the message in RTF along with all attachments. This implies that if a user does not access their email via MS Outlook and an email message with an attachment in this format is delivered to their mailbox, the attachment cannot be opened.
The TNEF decoder built into Kerio Connect decodes TNEF messages on the server side into the standard MIME format and helps avoid winmail.dat attachment difficulties.
Use this option if users do not access their email exclusively through MS Outlook.
Uuencode (Unix-to-Unix Encoding) is an encoding method used for sending files by email. It encodes binary data to a text format so that the data can be inserted directly into message bodies. Some email clients may lack the special decoder that decodes the encoded files and transforms them to their original format. Kerio Connect includes a built-in Uudecode decoder (Unix-to-Unix decoding). Email messages are decoded to the standard MIME format on the server side so that users do not have to worry about this topic.
It is recommended to enable the option if users use Kerio WebMail and MS Outlook with Kerio Outlook Connector to access their mailboxes.
If any problems with message decoding occur, the Debug log may help; the Message decoding option must be enabled in it.
No restrictions — no security policy is applied.
Require secure authentication — the server requires secure authentication of users by one of these methods: CRAM-MD5, DIGEST-MD5, NTLM. Users may also enable SSL communication in their email clients as an alternative. If users access their mailbox through Kerio WebMail, secure HTTP is used automatically.
Do not apply this method if user passwords are saved on the server in SHA format.
After enabling this option, you can set an IP address group for which this security policy will be applied. If you want to define a new IP address group, do so in the section.
Require encrypted connection — client applications will be able to connect to any service only over an encrypted connection. Therefore SSL traffic must be allowed for all protocols on all client stations. The secured connection is set automatically upon a successful connection to Kerio WebMail.
If you choose this security policy, make sure that all client stations have a valid Kerio Connect authentication certificate installed (see section SSL Certificates).
After enabling this option, you can set an IP address group for which this security policy will be applied. If you want to define a new IP address group, do so in the section.
CRAM-MD5 — password authentication method (using MD5 digests). This method is quite common and many email clients provide support for it.
DIGEST-MD5 — password authentication method (using MD5 digests).
LOGIN — user passwords are completely unprotected during transfer. If this method is used, it is strongly recommended to enable SSL tunnel connection.
NTLM — this method can be used only in case users are authenticated against an Active Directory domain. It is applicable only to the user accounts that were imported from Active Directory.
PLAIN — user passwords are completely unprotected during transfer. If this method is used, it is strongly recommended to enable SSL tunnel connection.
APOP — this authentication method is not displayed in the list; Kerio Connect uses it automatically to download POP3 accounts.
Enable this option to allow Active Directory domain users to authenticate at Kerio Connect upon their logon. For NTLM authentication to work, both the computer and the user account must be members of the domain used for authentication. NTLM (SPA) authentication must also be enabled in users' mail clients.
For the settings required in Kerio Connect to make NTLM authentication work smoothly, refer to the manual.
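What the PLAIN and CRAM-MD5 methods put on the wire, and why secure authentication cannot work when only a SHA hash of the password is stored, shown as an added example that is not part of the Kerio documentation. The account and challenge are the constructed sample values from RFC 2195, and SHA-1 is an assumption standing in for the unspecified "SHA format".

```python
import base64
import hashlib
import hmac

# Constructed sample values (the RFC 2195 example account), not from Kerio.
USER = "tim"
PASSWORD = "tanstaaftanstaaf"
CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"


def plain_token(user, password):
    """AUTH PLAIN response: base64 of NUL + user + NUL + password."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def decode_plain(token):
    """Base64 is an encoding, not encryption: the token decodes directly."""
    _authzid, user, password = base64.b64decode(token).decode().split("\0")
    return user, password


def cram_md5_response(user, secret, challenge):
    """CRAM-MD5: HMAC-MD5 of the server challenge, keyed with the password."""
    digest = hmac.new(secret, challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_verifies(response, stored_secret, challenge):
    """The server must recompute the HMAC from whatever it has stored."""
    _user, digest = base64.b64decode(response).decode().rsplit(" ", 1)
    expected = hmac.new(stored_secret, challenge.encode(), hashlib.md5)
    return hmac.compare_digest(digest, expected.hexdigest())


def demo():
    response = cram_md5_response(USER, PASSWORD.encode(), CHALLENGE)
    # Assumption: SHA-1 stands in for the page's unspecified "SHA format".
    sha_only = hashlib.sha1(PASSWORD.encode()).digest()
    return {
        "plain_on_wire": decode_plain(plain_token(USER, PASSWORD)),
        "cram_on_wire": base64.b64decode(response).decode(),
        "verify_with_password": server_verifies(response, PASSWORD.encode(), CHALLENGE),
        "verify_with_sha_only": server_verifies(response, sha_only, CHALLENGE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With PLAIN the password itself is readable from the token, while the CRAM-MD5 response carries only a digest tied to one challenge; the server can check that digest only if it holds the password, not a one-way SHA hash of it.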
When this option is selected, user accounts will be locked based on the following rules. These settings protect the user accounts from being misused.
Blocking of accounts upon unsuccessful login attempts is not identical with blocking in user account settings.
You can specify a number of failed logins from one IP address that will be allowed.
This information defines when the account will be unlocked automatically.
You can unlock all accounts with this button.
Define the absolute path to the store directory (according to the operating system on which Kerio Connect is running). For technical reasons, the store directory must be located locally (i.e. on the server where Kerio Connect is running).
The Path to the store directory entry cannot be specified as a UNC path.
If the value specified is reached, Kerio Connect will automatically warn users about this fact upon each login to the administration console. After the limit is reached, it will be recorded in the error log (see chapter Logs).
If this limit is reached, Kerio Connect Engine and Kerio Connect Monitor will be stopped. Kerio Administration Console can be run. Immediately after login, the critical limit error message is displayed. The information is also recorded into the error log (see chapter Logs).
Do not set the hard limit to 0, otherwise an error message or warning will be displayed when new mail is delivered.
Changes in the paths take effect only after restarting Kerio Connect. If you don't change these settings immediately after the Kerio Connect installation, you will need to first stop Kerio Connect, then move the files from the old location to the new one, and then start the service again.
Master authentication password is a special password. It can be used by specific applications to access Kerio Connect accounts without knowing individual corresponding passwords.
It is recommended to enable Master authentication only if it will actually be used.
Select an IP address group where master authentication will be exclusively allowed. This group must be predefined in the Configuration → Definitions → Address Groups section. For security reasons, it is not possible to allow Master authentication from any IP address.
Define a password that will be used for access to all accounts. This password should be known by as few persons as possible. If the Master Password reaches an unauthorized person, the privacy of all user accounts on the server can be compromised!
The Master Password cannot be used to access user accounts from email clients or via Kerio WebMail. It is not a general-purpose administrator password (it cannot be used for authentication to the Administration Console).
If Kerio Connect runs on a host behind a firewall, it can be connected to the Internet via a proxy server. This feature can be useful, for example, for downloading upgrades and for checking for new versions of Kerio Connect or the antivirus application.
Enter the HTTP proxy address and the port on which the service is running.
Username and password must be specified if the proxy server requires authentication.
Enter your user name to connect to the particular proxy server.
Time since the last update check for the new version of Kerio Connect. The system checks for new versions of the product every 24 hours.
This option enables the feature of automatic checking whether there is a new version of Kerio Connect available at the Kerio Technologies website.
Click the button to check for the new version. When the new version is found, the user can download it. If no new version is available, the user is notified.
If a new version has been released by Kerio Technologies, the Update tab will contain a link to the download web page.
This option enables informing users that a new beta version of Kerio Connect is available.
If Kerio Connect is used in production, beta versions are not recommended; do not enable this option.
The installation package also includes automatic installations of the Kerio Outlook Connector, the Kerio Outlook Connector (Offline Edition) and the Kerio Sync Connector. The field displays information about the module versions currently used (including build numbers).
Update of plug-ins requires the HTTP or the HTTPS service to be running.
Each new message composed in the Kerio WebMail interface is sent to Kerio Connect via an HTTP POST request. Each request contains not only the message body, but also all headers and attachments. The limit set by this option restricts the size of any HTTP POST request sent from Kerio WebMail. This means that any limit set for requests also limits the size of email messages.
The minimum value for the limit is 2 MB. If a lower limit is set, Kerio Connect sets the value back to 2 MB automatically. The maximum value of the limit is 128 MB. It is not possible to enter a greater value in the Kerio Administration Console.
Session expire timeout — the session expires on this timeout when the user closes the browser without logging out from Kerio WebMail or when the user goes to a different URL. In such cases, all communication with the server is terminated. However, the session is not stopped. Since the session may be hijacked, it is recommended to set a time limit for an automatic logout.
Maximum session duration — limit for a total login time since connecting to Kerio WebMail.
Force WebMail logout if user's IP address changes — protects against an attacker hijacking a user's session to access the server. When an attacker connects to the session, the client's IP address changes. Thus the attacker is recognized and is blocked from the server.
The “anti-hijack” protection must be disabled if Kerio Connect users share their accounts. The option disallows connection to a single account from multiple hosts (IP addresses) at a time.
The “anti-hijack” protection cannot be applied if your ISP changes IP addresses during the connection (e.g. in case of GPRS or WiFi connections).
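A model of how the three WebMail session settings interact, given as an added example and not Kerio Connect's own code. The class and function names, the timings and the documentation-range IP addresses are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    idle_timeout: float   # "Session expire timeout", in seconds
    max_duration: float   # "Maximum session duration", in seconds
    bind_to_ip: bool      # "Force WebMail logout if user's IP address changes"


@dataclass
class Session:
    client_ip: str
    created: float
    last_seen: float


def check_request(session, policy, source_ip, now):
    """Return 'ok', or the reason this request ends the session."""
    if now - session.created > policy.max_duration:
        return "max-duration"
    if now - session.last_seen > policy.idle_timeout:
        return "idle-timeout"
    if policy.bind_to_ip and source_ip != session.client_ip:
        return "ip-changed"
    session.last_seen = now  # only accepted requests keep the session alive
    return "ok"


def replay(policy, login_ip, events):
    """events: (seconds_since_login, source_ip) pairs. Returns one outcome each."""
    session = Session(login_ip, 0.0, 0.0)
    outcomes = []
    for now, source_ip in events:
        if session is None:
            outcomes.append("no-session")
            continue
        result = check_request(session, policy, source_ip, now)
        outcomes.append(result)
        if result != "ok":
            session = None  # terminated sessions are never revived
    return outcomes


# Constructed timeline: the session identifier is presented from a second address.
EVENTS = [(60, "192.0.2.10"), (120, "198.51.100.7"), (180, "192.0.2.10")]

if __name__ == "__main__":
    print(replay(Policy(1800, 28800, True), "192.0.2.10", EVENTS))
    print(replay(Policy(1800, 28800, False), "192.0.2.10", EVENTS))
```

The model cannot tell a hijacker from a roaming user or a shared account: with the IP binding on, any address change ends the session, and the original client loses it as well.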
At the top of each page of the Kerio WebMail interface, the Kerio Technologies logo is displayed. You can replace it with your own logo or any other image.
The recommended parameters of the logo:
Format: GIF
Size: 200x40 pixels
A logo set up for a specific domain (Configuration → Domains → Edit) has priority over the logo set up in this section.