Email domains and their use are covered in the manual.
Kerio Connect email domains can be handled in :
In the Internet hostname field under Domains, enter the Internet DNS name of the computer where Kerio Connect is installed (typically, this would be the name of the computer with the appended primary domain name, e.g. mail.company.com). Server names are used for server identification while establishing SMTP traffic.
If Kerio Connect is running behind NAT, enter the Internet hostname that resolves to the IP address of the sending server, i.e. the Internet hostname of the firewall.
Kerio Connect allows sharing public folders between domains or keeping them identical for all domains. To perform these settings, go to and click on Global Settings.
For more extensive information on public folders (how they work and what they are used for), refer to the corresponding chapter in the manual.
In addition to its name, each domain is set as either primary or secondary. Only one domain can be set as primary; the others are set as secondary automatically. Clicking on the button sets the domain as primary.
For detailed information on primary domains, refer to the manual.
To create a new domain, click on . Domain name and description are required. For other settings, see below.
To remove the domain, click on . However, bear in mind that the domain must not include any user accounts, groups or aliases; otherwise, it will not be possible to remove it. A domain that is set as primary cannot be removed either. Therefore, set another domain as primary before deleting this domain.
Enter the domain name. The name must not contain national characters or special symbols other than dots and hyphens.
Optional entry. It is recommended to enter a description especially if you plan to have more than one domain (for better reference).
User limit is useful especially if you also use web administration. Users with administration rights cannot break this limit.
The maximum domain limit for size of all sent messages (via SMTP, WebDAV, etc.).
It is recommended to activate this option for each domain that contains user mailboxes. This way, you can prevent users from overloading the Internet connection with messages including large attachments (images, clips, music, etc.). The 20 MB value is recommended for this setting.
Automatic cleanup of items lets you set a rule that automatically deletes all items older than a defined number of days. This rule can be applied to the Junk E-Mail and Deleted Items folders or to the whole message store. The recommended value for the Junk E-Mail and Deleted Items folders is 30 days.
If there are subfolders in Deleted Items and/or Junk E-Mail, the items inside them will be deleted according to the set time limit. If a subfolder is empty, it is deleted automatically (the time limit does not apply here).
For details on automatic clean-up, refer to the manual.
This option helps users restore emails deleted by mistake and put them back into the mailbox. If Restoring deleted items is enabled, deleted mail of all domain users is backed up for a defined time.
This tab is used to manage domain aliases (virtual domains). Virtual domains are alternative names for a particular domain. Email addresses within the virtual domains are identical (delivery is performed to the identical mailboxes). If this option is used, individual user accounts can belong to multiple domains. For details on domain aliases, refer to the manual.
Example: company_name.org and product_name.com can be used as virtual domains for company_name.com, etc.
This tab allows forwarding of messages to another SMTP server. Forwarding can be used especially for:
spreading the domain over multiple servers (for details, see the manual),
creating a backup mailserver (for details, see the manual).
Messages will be forwarded to another SMTP server if a recipient is not found in the domain. Messages are forwarded only if the recipient's address is not an address of any user, group or alias included in this domain.
Enter DNS name or IP address and port of the SMTP server to which all email messages for this domain will be forwarded.
This option is helpful when a domain is to be divided across multiple servers and a persistent Internet connection is available.
Use this option only for dialed Internet connections. Enabling this option will allow email for the Forward domains to be queued and delivered at scheduled times only.
Kerio Connect does not send email for this domain to the specified SMTP server until it receives an ETRN command. This way Kerio MailServer can be used as a secondary server for a domain whose primary SMTP server is not permanently connected to the Internet.
Here you can define whether messages containing one of the domain aliases in the recipient address should be forwarded. The Don't forward such messages option prevents loops in case the particular recipient cannot be found on any server operating with this domain.
If the domain is spread over two domains, set this option only for one of them.
This tab allows definition of footers. The footer defined here will be added at the bottom of all messages sent by any user belonging to the particular domain.
The HTML format cannot be used for the footer text. Only plain text is displayed in the message footer.
Checking this option enables the function that automatically appends the footer to the user's email. Use the window to specify the footer as you wish it to be displayed.
Checking this option restricts the footer to messages that are not delivered locally.
This tab is used to set up mapping of user accounts from the Active Directory and Apple Open Directory directory services. As the settings are quite complex, it is recommended to read the corresponding chapter in the manual.
This option enables/disables cooperation with the LDAP database.
Type of LDAP database that will be used by this domain:
Active Directory,
Apple Open Directory (Kerberos authentication),
Apple Open Directory (PasswordServer authentication).
If your company uses Apple Open Directory and you are not sure which authentication method is suitable for you, refer to the manual.
The dialog's form depends on whether you use Active Directory or Apple Open Directory. The following description focuses on settings for Active Directory:
Enter DNS name or IP address of the server where the LDAP database is running. If it is running on a non-standard port, add it to the address or name in the following form:
mail1.company.com:12345
212.100.12.5:12345
If the secured version of the LDAP service is used for the connection, the DNS name must be entered so that the SSL certificate can be verified.
Name of the user that has read rights for the LDAP database in the following form: xxxxx@company.com.
Password of the user that has read rights for the LDAP database.
Communication between the LDAP database and Kerio Connect may carry sensitive data (such as user passwords). For this reason, it is recommended to secure such traffic by using SSL. To enable LDAPS in Active Directory, it is necessary to run a certification authority on the domain controller that Kerio Connect considers trustworthy.
SSL encryption is demanding in terms of connection speed and processor load. Especially when many connections are established between the LDAP database and Kerio Connect, or when the LDAP database contains a large number of users, the traffic might be slow. If the SSL encryption overloads the server, it is recommended to use the non-secured version of LDAP; in that case the data mentioned above, including user passwords, is transmitted between the servers unencrypted.
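One way to test, before enabling the secured connection, that the hostname entry described above is usable and that the directory server's certificate verifies against the DNS name you entered. This is an added example, not part of the Kerio documentation or product; the function names and the optional `cafile` parameter (a PEM file of your internal CA) are assumptions.

```python
import ipaddress
import socket
import ssl

LDAP_PORT, LDAPS_PORT = 389, 636  # standard LDAP / LDAPS ports

def parse_server(entry, secure):
    """Split 'host[:port]' as typed into the hostname field."""
    entry = entry.strip()
    host, sep, port = entry.rpartition(":")
    if not sep:                      # no port given, use the default
        host, port = entry, ""
    port = int(port) if port else (LDAPS_PORT if secure else LDAP_PORT)
    if not host or not 0 < port < 65536:
        raise ValueError(f"bad server entry: {entry!r}")
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    if secure and is_ip:
        # The certificate is verified against a DNS name, so a bare IP will not do.
        raise ValueError("secured LDAP needs a DNS name for certificate verification")
    return host, port

def strict_context(cafile=None):
    """TLS context that requires a trusted certificate matching the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def check_ldaps(entry, cafile=None, timeout=5):
    """Connect to the server; raises ssl.SSLCertVerificationError on a bad certificate."""
    host, port = parse_server(entry, secure=True)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with strict_context(cafile).wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return cert["subject"], cert["notAfter"]
```

Run `check_ldaps("mail1.company.com:12345", cafile="internal-ca.pem")` from the Kerio Connect host; the hostname, port and CA file name here are placeholders.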
Add DNS name or IP address of the backup server with the same LDAP database.
If the domain name differs from the name defined in Active Directory, check this option and enter the corresponding name in the Active Directory Domain Name text field.
If you have set Apple Open Directory as the Directory Service Type, the dialog will be as follows:
Enter DNS name or IP address of the server where the LDAP database is running. If it is running on a non-standard port, add it to the address or name in the following form:
mail1.company.com:12345
212.100.12.5:12345
If the secured version of the LDAP service is used for the connection, the DNS name must be entered so that the SSL certificate can be verified.
Name of a user that has read rights for the LDAP database: either the root user or the Open Directory administrator (admin for Mac OS X 10.3 or diradmin for Mac OS X 10.4 and higher).
To connect to the Apple OpenDirectory database, insert an appropriate username in the following form:
uid=xxx,cn=xxx,dc=xxx
uid — username that you use to connect to the system.
cn — name of the users container (typically the users file).
dc — names of the domain and of all its subdomains (e.g. mail1.company.com → dc=mail1,dc=company,dc=com)
Password of the user that has read rights for the LDAP database.
Communication between the LDAP database and Kerio Connect may carry sensitive data (such as user passwords). It is possible to secure the communication by using an SSL tunnel.
SSL encryption is demanding in terms of connection speed and processor load. Especially when many connections are established between the LDAP database and Kerio Connect, or when the LDAP database contains a large number of users, the communication might get slow. If the SSL encryption overloads the server, it is recommended to use the non-secured version of LDAP.
Enter DNS name or IP address of the backup server with the same LDAP database.
If the Apple OpenDirectory option is selected in the Directory service type entry, insert a suffix in the following form: dc=subdomain,dc=domain.
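The username and suffix forms described above can be generated rather than typed by hand. This is an added example, not code from Kerio; the function names are hypothetical. It builds the `uid=…,cn=…,dc=…` string from its parts, escapes characters that would otherwise change the meaning of the DN, and rejects domain labels that are not plain letters, digits and hyphens.

```python
import re

# Characters that RFC 4514 requires to be backslash-escaped in an attribute
# value ('=' is optional to escape, but escaping it is allowed).
_SPECIAL = re.compile(r'([,+"\\<>;=])')
# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

def escape_value(value):
    """Escape one attribute value so it cannot add or split DN components."""
    if not value:
        raise ValueError("empty attribute value")
    out = _SPECIAL.sub(r"\\\1", value)
    if out.endswith(" "):            # a trailing space must be escaped
        out = out[:-1] + "\\ "
    if out[0] in "# ":               # so must a leading space or '#'
        out = "\\" + out
    return out

def domain_to_suffix(domain):
    """mail1.company.com -> dc=mail1,dc=company,dc=com"""
    labels = domain.strip().strip(".").split(".")
    for label in labels:
        if not _LABEL.match(label):
            raise ValueError(f"invalid domain label: {label!r}")
    return ",".join(f"dc={label}" for label in labels)

def bind_dn(uid, container, domain):
    """Build the Open Directory username in the uid=,cn=,dc= form."""
    return (f"uid={escape_value(uid)},cn={escape_value(container)},"
            f"{domain_to_suffix(domain)}")
```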
This tab allows setting of user authentication parameters:
To read more on the Kerberos system, refer to the manual.
In the appropriate item of the dialog box, specify the Kerberos domain (realm) where the users will be authenticated. The name of the Kerberos realm is capitalized automatically.
If user accounts are stored in Active Directory or in Open Directory, it is required to specify the name of the Active Directory or Open Directory domain here. If you use the Directory Service tab for Active Directory or Open Directory definition in domain settings, this entry will be specified automatically.
If you use Open Directory or a stand-alone Kerberos server, check thoroughly that the Kerberos realm specified on the Advanced tab matches the name of the Kerberos realm in the /Library/Preferences/edu.mit.Kerberos file. In particular, it must match the default_realm value in this file. For example, the line may read default_realm = COMPANY.COM
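The realm comparison described above can be scripted. This is an added example, not part of the Kerio documentation; it assumes the file uses the usual MIT Kerberos profile layout with a `[libdefaults]` section, and the function names and the sample text are constructed for illustration.

```python
def read_default_realm(config_text):
    """Return default_realm from the [libdefaults] section, or None."""
    section = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "default_realm":
                return value.strip()
    return None

def check_realm(configured, config_text):
    """Compare the realm entered in the server with the file's default_realm."""
    # The page states that the realm name is capitalized automatically.
    configured = configured.strip().upper()
    found = read_default_realm(config_text)
    if found is None:
        return False, "no default_realm in [libdefaults]"
    if found == configured:
        return True, f"realm {found} matches"
    if found.upper() == configured:
        return False, f"case differs: file has {found}, server uses {configured}"
    return False, f"mismatch: file has {found}, server uses {configured}"

# Constructed sample of the file's contents.
SAMPLE = """\
# constructed sample, not a real configuration
[libdefaults]
    default_realm = COMPANY.COM
[realms]
    COMPANY.COM = {
        kdc = od.company.com
    }
"""
```

On the server, pass the contents of /Library/Preferences/edu.mit.Kerberos as `config_text` instead of `SAMPLE`.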
The NT domain in which all users will be authenticated. The computer which Kerio Connect is running on must be a part of this domain.
Example: For the company.com domain, the NT domain is COMPANY.
Each domain can be bound to one IP address. Binding an IP address to a domain saves users connecting from that IP address from having to include the domain in the username (e.g. wsmith@company.com) at each login attempt. Such users can log in with the username alone (e.g. jsmith), as if connecting to the primary domain.
To make user connections work correctly, no more than one domain may be bound to each IP address.
Each domain allows setting of a specific logo that will be displayed in users' Kerio WebMail interface. It is recommended to set your company logo.
The recommended parameters of the logo:
Format: GIF
Size: 200x40 pixels
Click to browse to the logo file.
Distributed domain allows you to connect all your Kerio Connect servers into a cluster. Thus all users on all the servers can be put into one mailing domain (such as company.com). Upon logon, any user can schedule meetings with other users and book resources across all connected servers.
For detailed information on distributed domain, refer to the manual.
Select one server as the master server (the other servers will connect to the master).
On the other servers, under click on to open the welcome window of the wizard for connecting to the master server. Click on .
In the dialog just opened, specify the following entries:
DNS name of the master server
username and password of a user with administration rights for the master server.
Make sure that on each connected server users are mapped from the same directory service (e.g. Active Directory or Apple Open Directory) and that each server includes at least one domain of an identical name (for details on how to rename domains, refer to chapter Domains).
To disconnect a server from a distributed domain, go to and click on .
Servers can be disconnected only via their own administration interface. If you just happen to be in another domain's interface, click on the domain you wish to disconnect under . A Kerio Connect Administration login page for this domain will open in your browser.
It is only possible to disconnect slave servers from the master server.
Kerio Connect allows you to move a mailbox physically from one server in a distributed domain to another one (this option is useful when an employee is moving to a different company branch).
For detailed information on user migration, refer to the manual.
Perform migration on the server to which you want to move the user accounts.
Under , select one or more users to migrate (migratable accounts have the button active).
Clicking on starts migrating mailboxes to the target server. Mailboxes will be moved one by one.
Migration can be cancelled by the button, if necessary. All temporary files will be removed and the mailbox will stay unchanged on the original server.
After the migration of each account, the administrator gets a message with information about: migration result, its duration and size of the migrated mailbox.
For details on domain renaming, refer to the manual.
If need be, Kerio Connect enables you to rename your domain in a simple way.
Ensure that you have purchased a domain from your provider and that its name is registered in DNS records. Test your domain first.
Make a full backup of your message store before and after the renaming process (for how to run a new backup, refer to chapter Archiving and Backup).
Choose the domain you want to rename in the section and click the button to open the corresponding dialog box. On the General tab, click on and confirm the action. In the Domain entry, specify a new domain name and confirm the settings with .
To complete the renaming process, a restart of the server is required. The restart makes the original domain name an alias.
The domain configuration will not change after renaming.
If a user's mail filters include addresses of users from the renamed domain, they need to change the rules.
If you wish to cancel the domain rename action, you can do that under before the next server restart. For this purpose, use the button.
If you wish to rename the distributed domain, follow these instructions:
Disconnect all servers from the distributed domain (for details on how to disconnect them, refer to the manual).
On each server, rename the domain to your desired name (details on how to rename domains can be found in the manual).
Then reconnect all servers to the distributed domain (see the manual).
Do not forget to first restart the server after you rename the domains and then reconnect them to the distributed domain.