<?xml version="1.0" encoding="iso-8859-1"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:admin="http://webns.net/mvcb/"
xmlns="http://purl.org/rss/1.0/">
<channel rdf:about="http://aplawrence.com/fullrss.rdf">
<title>Main Site News at A.P.Lawrence.com</title>
<link>http://aplawrence.com/</link>
<description>
Main feed at aplawrence.com: Thousands of articles, reviews, consultants listings, skills tests, opinion, how-to's for Unix, Linux and Mac OS X, networking, web site maintenance and more.
</description>
<sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>6</sy:updateFrequency>
<sy:updateBase>2008-01-01T00:00+00:00</sy:updateBase>
<dc:language>en</dc:language>
<dc:publisher>A.P. Lawrence</dc:publisher>
<dc:rights>Copyright  A.P. Lawrence</dc:rights>
<dc:creator>A.P. Lawrence (mailto:rssfeeds@aplawrence.com)</dc:creator>
<dc:date>2012-05-21T15:43:12+00:00</dc:date>
<image rdf:resource="http://aplawrence.com/image21.gif">
</image>
<items>
<rdf:Seq>
<rdf:li rdf:resource="http://aplawrence.com/Kerio/troubleshooting.html" />
<rdf:li rdf:resource="http://aplawrence.com/Kerio/why_buy_kerio_control.html" />
<rdf:li rdf:resource="http://aplawrence.com/Kerio/kerio_mailserver_spam_filtering.html" />
<rdf:li rdf:resource="http://aplawrence.com/Kerio/kerio_android_message_delivery.html" />
<rdf:li rdf:resource="http://aplawrence.com/Kerio/kerio_workspace_crm.html" />
<rdf:li rdf:resource="http://aplawrence.com/Kerio/kerio_rip.html" />
<rdf:li rdf:resource="http://aplawrence.com/Kerio/support_policies.html" />
<rdf:li rdf:resource="http://aplawrence.com/Kerio/koc_domain.html" />
</rdf:Seq>
</items>
</channel>
<image rdf:about="http://aplawrence.com/image21.gif">
<title>A.P.Lawrence Logo</title>
<url>http://aplawrence.com/image21.gif</url>
<link>http://aplawrence.com</link>
</image>


<item rdf:about="http://aplawrence.com/Kerio/troubleshooting.html">
<title>Kerio Troubleshooting  </title>
<description>
<![CDATA[
Kerio,Linux,MacOSX,Mail,Microsoft,Troubleshooting

<p>Updated 5/21/2012</p>
<p>A few tips to help diagnose Kerio Mailserver problems:</p>
<h2>Startup Problems</h2>
<p>There are only a very few things that will completely prevent 
Kerio Mailserver from starting.  Usually this would come from 
a confused or mangled configuration file, but there are other conditions 
that can cause Kerio to refuse to start.</p>
<p>By the way, the easiest way to find out what is stopping the startup 
is to look in Kerio's error log.  On a Mac, you'll find <b>mailserver/store/logs</b>
under /usr/local/kerio, on Linux it will be under /opt/kerio, and on 
Windows it's Program Files/Kerio.  The error log is "error.log" and it 
is plain text.</p>
<p>However, there's one condition where that won't help you.  If Kerio's 
"store" directory isn't where the config file says it is, Kerio 
won't be able to start and also won't be able to find its log directory 
to write the error.  However, if you try starting Kerio from the 
command line, you will see the error.</p>
<pre>
bash-3.2# cd /usr/local/kerio/mailserver
bash-3.2# ./mailserver
 Kerio MailServer failed to start: Store directory 
/usr/local/kerio/mailserver/store does not exist. Please create 
it before you start the server.
</pre>
<p><i>mailserver.exe on Windows</i></p>
<p>I had this happen with a customer just this week.  He was doing some 
maintenance unrelated to Kerio but when he rebooted, Kerio failed to 
start.  The reason was that Windows changed drive letter assignments: 
the Kerio store had been configured on the F: drive, but got moved 
to H: as a result of the maintenance.</p>
<p>The fix for that was to edit the mailserver/mailserver.cfg file 
manually and change the drive letter.  The config file is 
just an XML text file; the "StoreDir" variable is what you'd need to 
fix.</p>
<pre>
# this is from a Mac;
<table name="Directories">
<variable name="StoreDir">/usr/local/kerio/mailserver/store
</variable> 
<variable name="ArchiveDir">/usr/local/kerio/mailserver/store/archive
</variable>   
<variable name="BackupDir">/usr/local/kerio/mailserver/store/backup
</variable>
..
</pre>
<h2>Services Problems</h2>
<p>Every public mailserver needs to accept connections on port 25 (SMTP).
If another mailserver (Sendmail, Exchange) is already running when 
Kerio starts, obviously Kerio won't be able to start its SMTP service.
You'll find this in the error log:</p>
<pre>
[13/May/2008 06:34:36] socklib.cpp: Bind to port 25 failed: (48) 
Address already in use
[13/May/2008 06:34:36] services.cpp: Cannot start service SMTP on port 25, 
unable to bind service to all IP addresses
</pre>
<p>Of course that's true for any service you need.  A running webserver 
will prevent HTTP or HTTPS from starting and leave you with the 
same problem: identify the process that is conflicting, stop it, and 
prevent it from starting up again.   How you do that is operating 
system specific and even then there can be odd circumstances that 
could make it difficult to track down the offending process or application.
If you can't easily identify the problem, give me a call and I will 
help you track it down.</p>
<p>The mailserver needs to go out on port 25 (unless you use an SMTP relay at some other server).  Some ISPs block 25 and other mail ports; make sure you can 
<a href="http://scofaq.aplawrence.com/FAQ_scotec4testsmtp.html">use the ports you need</a>.</p>
<h2>Scanners and so on</h2>
<p>You may have a scanner or some other device that wants to use the mailserver. Usually that's trivial, but <a href="http://aplawrence.com/Kerio/scanner_to_email.html">it can be more complicated</a>.  Most problems I've seen are simple mistyping errors or incorrect DNS.</p>
<h2>Operational Problems</h2>
<p>Other problems usually involve delivery (or non-delivery) of mail.
Why can't I send mail to Mary Jones?  Why can't Mary send to me?
Usually the logs (mail.log, error.log, security.log and spam.log) 
will show the reason:  you mistyped Mary's address, Mary's domain 
is on a blacklist...</p>
<p>A couple of things to keep in mind in this area:  if there is 
no record in any log of a connection from samplesite.com, then whatever 
mail they tried to send to you simply never got to your server.  Maybe it's 
their DNS, maybe there is a bad router between you and them, but whatever 
it is, it never got to you.  There would ALWAYS be a log entry 
of some sort if the mail got to your server.  The same is true for outgoing 
mail.  If a user says they sent mail to maryj@samplesite.com, but you 
can't find any such thing in the Kerio logs, the problem is back 
at their machine, not within Kerio.</p>
<p>Of course there usually will be a log entry, and that will show you 
where the problem is.  In the case of sending mail, look 
in the Message Queue (Under "Status" in your Kerio Administration Console).
If the message is stuck in the queue, the other server may just not 
be up and running right now or there may be routing problems preventing 
your server from reaching it.  That assumes that the original message 
was correctly addressed:  many times I have found log entries showing 
that the user tried sending to "maryj@samplesite.com" when the real 
address was "maryj@samplesite.org" or was simply misspelled.</p>
<p>See also <a href="http://aplawrence.com/Kerio/failed-mail.html">Troubleshooting failed email</a>.</p>
<h2>Debug Settings</h2>
<p>Usually the logs tell the story completely, but sometimes you 
need more information.  You can turn on extended debugging by 
selecting the Debug log and then Right-Clicking in the log 
area as shown here:</p>
<img src="http://aplawrence.com/images/kerio-debug-log.jpg" alt="setting debug options in Kerio Mailserver" width="600px" height="452px" />
<p>That will bring up a window that can turn on extra debugging for 
a number of functional areas.  Usually you'd only do this at the 
request of a support technician, but there's no harm experimenting 
with this yourself if you are technically minded and curious.</p>
<h2>Outlook Connector Problems</h2>
<p>Outlook is a complicated product and adding Kerio's Outlook Connector 
doesn't make it any less so.  Recent versions are actually two separate 
processes: the Connector itself (KoffBackend.exe) and the "Updater" service (ktupdaterservice.exe).</p>
<p>If you are experiencing difficulty, stop Outlook and the Updater service (in Services) and try reinstalling.  That sometimes fixes strange problems, as does simply creating a new profile.  Remember, everything is stored on the server, so the only thing you lose is time.</p>
<p>Outlook synchronization that is stalled or slow is almost certainly a network 
problem. I've seen some really strange ones: <a href="http://aplawrence.com/Kerio/koc_domain.html">Troubleshooting Outlook KOC problems on new Windows 7 machines</a>, for example.</p>

<h2>Domain issues</h2>
<p>The usual problem here is that the account you told Kerio to use to get information from the Active Directory Server doesn't have sufficient privilege or (on Linux and Mac) that there is an error in the Kerberos configuration. The logs can show you what server it is trying to talk to and what went wrong:</p>
<pre>
[11/May/2012 14:27:10][21069] {ldapdb} LDAP request: action=modify,
params="CN=Fred Jones,OU=IT,OU=Concord,DC=umal,DC=com???" (ThreadId=21069)
[11/May/2012 14:27:10][21069] {ldapdb} LDAP result: action=modify, errcode=50,
message="Insufficient access" (ThreadId=21069)
</pre>
<h2>Repeated messages</h2>
<p>Unless something really is sending the same message more than once, this indicates a network problem - the receiving server accepted the message, but the sender never saw the packet that acknowledged the receipt.</p>
<p>I've seen this caused by an SMTP protocol inspector on a firewall, but also see <a href="http://aplawrence.com/Kerio/kerio_android_message_delivery.html">Android phone crashes email account</a>.</p>

<h2>Product Forums and Knowledge Base</h2>
<p>Most mail problems are easily identified and quickly solved.  Of 
course there is always the possibility that your problem is 
an actual Kerio bug.  That hasn't happened very often, but you 
never know when some odd combination of circumstances may bring 
a bug to the surface.  Kerio's <a href="http://forums.kerio.com/index.php?t=thread&frm_id=6&S=c3fff7546d7f24d8291fabd8ac4d620b">Product Forums</a> often 
contain late breaking news and discussions that may be helpful.  For 
example, Microsoft patches can sometimes have unpleasant results - 
you'll often find out about this kind of thing in the Forums.</p>
<p>The <a href="http://support.kerio.com/index.php?_m=knowledgebase&_a=view">Knowledge Base</a> is also a good place to look for help.  Your issue 
may be well known and a simple fix may be found here.</p>
<h2>Support Options</h2>
<p>You can open a Kerio support ticket <a href="http://kerio.com/support">on-line</a> or just call them directly.  
If you need help and you are one of my customers, of course you can 
call me.  Actually, I'd like to know about any problems even if you 
choose to go directly to Kerio support.  It may be that I 
know the answer and can react more quickly, but even if I do not, 
I want to be involved and on top of the situation.</p>
<p>You may not ever have any real problems with Kerio Mailserver, but 
if you do, I hope this article helped.</p>


<p><br /><br /><i><b>Many of the products and books I review are things I purchased for my own use.  Some were given to me specifically for the purpose of   reviewing them.</b></i></p>
<p><i><b>I resell or can earn commissions from the sale of some of these items.  Links within these pages may be affiliate links that pay me for referring you 
to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain.  If you have any question, please do feel free to contact me.</b></i></p>
]]>
</description>
<link>http://aplawrence.com/Kerio/troubleshooting.html</link>
</item>
<item rdf:about="http://aplawrence.com/Kerio/why_buy_kerio_control.html">
<title>Why you should let me sell you a new firewall  </title>
<description>
<![CDATA[
Kerio,Security 

2012/05/19<p><br /></p>


<p>I see a lot of small businesses in the course of my work. Today, almost all have some form of Internet access and a firewall providing at least basic protection from the big bad world.</p>
<p>There is a wide range of deployed product.  At the low end, someone ran down to Staples and picked up an inexpensive firewall that a home user might buy. At the other end, I'll see expensive Cisco units with high priced service contracts attached.  I feel better about their security when I see the Cisco units, though I sometimes wince when I hear what they are paying for maintenance and support.</p>
<p>I sell Kerio Control firewall.  I'm not a particularly aggressive sales type, so I might not even mention that fact unless something else triggers the subject, but lately I've been thinking that I really ought to be a bit more vocal and yes, a bit more "pushy".</p>
<p>It's not because I want to sell another firewall.  Sure, I'm always happy to  get an order for anything that I sell, but for me it's not about selling so much as it is about providing something that someone needs.</p>
<p>Yeah, I know: everybody says that.  Most of them don't really mean it though. What they mean is that they need to hit this month's sales quota and they want you to contribute toward that goal.  It's all about the money, honey, and the product itself is secondary.  Oh, whatever they want to sell may be a great product, and they may really believe that they are helping you, but the really important thing is the sales quota.</p>
<h2>Quota?  What quota?</h2>
<p>I don't have a sales quota with Kerio.  Well, technically I do, but I pass my yearly quota sometime in February or March of each year, so I don't have them hovering over my shoulder demanding sales projections.  I don't have a personal sales goal either - I make money and I spend money and it all works out.  My attitude toward all of this is that if I do a good job, I'll make enough money.  Therefore, my only plan is to do a good job for my customers.  The rest works out.</p>
<p>So, with that in mind, let's chat about Kerio firewall.  I like the product and I know that you will too, whether it's just you in your home office or you are building a mini empire and already have two branch offices running.</p>
<p>I could talk about technical features and I have in other articles you'll find here.  Kerio also provides full <a href="http://www.kerio.com/control/technical-specifications">tech specs</a> for your perusal if you like that sort of thing.</p>
<p>Those really aren't that important to me.</p>
<p>Oh, they are important, of course.  But what's really important to me is that Kerio Control helps me do a good job for my customer.  Sure, the technical stuff is all part of that, but for me it's the end result that counts: my customers get protection and I can provide them with great support at a very reasonable price.</p>
<h2>What you can expect from me</h2>
<p>First, I want you to understand what you are buying.  You can see the basic interface at <a href="https://control.demo.kerio.com:4081/admin/index.php">demo.kerio.com</a>.  I want you to schedule a phone call with me so that I can walk you through the features and benefits shown there. </p>
<p>Depending upon your circumstances, I might also suggest that you download a 30 day demo.  I'd want to help you select which version to download (it's available as a virtual machine, for example) and I will help you configure it appropriately for a test drive.</p>
<p>After that, if you decide to buy, I'll help you decide on how many licenses you will want and whether you'd prefer one of the software versions or the hardware box. I'll give you a competitive quote for the initial purchase and tell you what your expected yearly maintenance will be.</p>
<p>If you are buying one of the hardware boxes, I'm happy to have it shipped to my office where I will configure it so that it is ready to plug into your network when you receive it.  I can do the same thing with software versions by emailing a configuration file.</p>
<p>When you are ready to go live, we'll schedule another telephone conference.  By the way, there is no additional charge for any of this.  It's to my advantage to be certain that everything is working as it should be; proper configuration can eliminate future un-scheduled support and that will make both you and me happier.</p>
<p>Going forward, you have my commitment to support you.  All business apps are at least somewhat critical, of course, but firewall support is at or near the top of the list.  Many businesses today utterly depend upon Internet access and a breach of firewall security could be extremely disruptive.  Therefore, if you should ever call or email me with a problem, you aren't going to be waiting very long before you hear back from me:  I take support very seriously and especially so when it involves your firewall.  You won't be charged for my assistance; that's included in the price you paid.</p>
<p>You can even set your firewall to alert me of certain conditions if you prefer:</p>
<div style="text-align:center">
<p><img src="http://aplawrence.com/images/kerio_control_alerts.jpg" alt="Setting Control alert messages" title="Setting Control alert messages" /></p>
</div>
<p>If you are going to do that, let me know so that I will know to watch for those specifically.</p>
<p>That's the whole of it.  You'll be paying a reasonable price (usually far, far less than what you'd pay for Cisco support) and you aren't going to be waiting for someone to get back to you days later.  You'll be dealing with me and I care about your needs.  I appreciate that serious problems require rapid response - I also know that if I do my job correctly ahead of time, your chances of ever needing that response are greatly diminished.</p>
<p>All that tends to make both of us happy, doesn't it?</p>




]]>
</description>
<link>http://aplawrence.com/Kerio/why_buy_kerio_control.html</link>
</item>
<item rdf:about="http://aplawrence.com/Kerio/kerio_mailserver_spam_filtering.html">
<title>Kerio Mail Server Spam Filtering  </title>
<description>
<![CDATA[
Kerio,Mail,Malware 

Updated 5/19/2012
<p><br /></p>
<p>Kerio Mail Server has several configuration options to protect 
against spam email.  For maximum protection, you should 
investigate and set all appropriate items.</p>
<p>Under the Security Options tab for the SMTP server are 
several limits and controls you can set.  These are:</p>
<ul>
<li>Maximum number of messages per hour from one IP address.
<br /><br />While this certainly can cut down on spam, 
be careful here.  An on-going conversation about a support 
issue or any other complex subject might bounce back and forth 
quite quickly and could easily exceed 60 messages per hour.  Setting 
this is not going to prevent legitimate email; it just temporarily 
delays it.  A legitimate server will try again later; a spammer 
probably won't.<br /><br /></li>
<li>Maximum number of concurrent SMTP connections from 
one IP address.<br /><br />Again, this can block some 
spam, but keep in mind that legitimate email can and will 
make multiple connections for efficiency.  Don't set this 
too low if, for example, your users have a lot of correspondence 
with AOL users or similar big servers.<br /><br /></li>
<li>Block if sender's mail domain was not found in DNS.
  <br /><br />That's checked by default and ordinarily 
would be left that way.  Why would you want to accept mail from 
someone without a DNS name?  The only possible justification 
would be if you had other mailservers within your network, but even 
then you'd be smarter to put them in DNS and block anyone 
else without a DNS lookup.<br /><br /></li>
<li>Maximum number of recipients in a message.
<br /><br />This can be an effective block against spam, 
but it can also be a problem if you belong to mailing 
lists that (stupidly) list all recipients in the "To:" line.
If that's not an issue, leave it checked and set the limit 
to the number of users in your mail domain.<br /><br /></li>
<li>Maximum number of failed commands in SMTP 
session.<br /><br />By default, this is checked and set to three.
The most likely source of failed commands is someone exploring your server for weaknesses - an ordinary SMTP conversation shouldn't have 
many failed commands.  It might check for ability to do encrypted 
sessions, but it shouldn't do much more.  Leave this checked.<br /><br /></li>
<li>Limit incoming SMTP message size.<br /><br />This is a good one 
to set, but you do have to think about your legitimate needs for larger messages.<br /><br /></li>
</ul>

<h2>Blacklists</h2>
<p>Real time blacklist filtering is not enabled by default, but 
you should turn this on.  The reason people hesitate to do this 
is because of false positives, but you can easily white-list 
those addresses; see <a href="http://aplawrence.com/Kerio/blacklists.html">
Kerio Mailserver Blacklists</a>.  A number of free blacklists are 
pre-configured for you, but you can add others, including of course
paid lists. Using these blacklists can immediately cut out 
a lot of unwanted mail.</p>
<p>Be sure to set blacklists to "Add Spam Score", not block.  If you block, you cannot whitelist.</p>
<h2>Use multiple blacklists</h2>
<p>There's another advantage to adding spam score rather than blocking. There are <a href="http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists">many available blacklisting services</a>.  Some are free, some are paid, some are good and some are sloppy, but consider this:</p>
<p>If you found an IP address on four different blacklists, the chances of that NOT being a spammer are very, very low.  One blacklist might be a "false positive".  Two starts to get suspicious, but four is almost certain.  So if you increased the spam score by just one point for a match from any of them, you hit four instantly for the spammer who has attracted everyone's attention.  Of course you could increase it even more for super-conservative lists like <a href="http://www.gbudb.com/">GBUdb</a>, but intelligent use of blacklists can really help block spam.</p>
<h2>Consider netblocks</h2>
<p>Some countries generate more spam than others.  If you have no reason to expect any legitimate mail from IP addresses that originate in those countries, why not block those outright or add spam score? You can do that with Custom Blacklists.  For example, I have an IP address group called "Out of Country".  I put in networks like 60.0.0.0 (mask 255.0.0.0) which matches an Asian block.  I add two spam points if the sender matches.  By itself, that isn't enough to be classified as spam, but it gives the message a good head start if it has other spammy characteristics.</p>
<p>This is my list of IP blocks.  </p>
<pre>
network APNIC 
description Asia-Pacific 
61.0.0.0 255.0.0.0 
165.133.0.0 255.255.0.0 
202.0.0.0 255.0.0.0 
203.0.0.0 255.0.0.0 
210.0.0.0 255.0.0.0 
211.0.0.0 255.0.0.0 
218.0.0.0 255.0.0.0 
219.0.0.0 255.0.0.0 
220.0.0.0 255.0.0.0 
221.0.0.0 255.0.0.0 
222.0.0.0 255.0.0.0 
223.0.0.0 255.0.0.0 
58.0.0.0 255.0.0.0 
59.0.0.0 255.0.0.0 
60.0.0.0 255.0.0.0 

network RIPE 
description Europe
212.0.0.0 255.0.0.0 
213.0.0.0 255.0.0.0 
217.0.0.0 255.0.0.0 
62.0.0.0 255.0.0.0 
81.0.0.0 255.0.0.0 

network LACNIC 
description Latin America and Caribbean
200.0.0.0 255.0.0.0 


network SANSBLOCK 
description SANS Recommended block list
69.50.160.0 255.255.224.0 
85.255.112.0 255.255.240.0 

</pre>
<h2>Attachment Filters</h2>
<p>Attachment filtering is also disabled by default because every 
company has different needs.  If you are a programming house, you may need 
to accept .exe files, but other businesses usually wouldn't.  If 
enabled, messages are still delivered (assuming the message gets by 
other content rules), but inappropriate attachments are stripped.
You can optionally warn the sender that the attachment was stripped, and 
you can also forward the original, with attachment, to an 
administrative address.</p>
<h2>Spam filter</h2>
<p>"SpamEliminator" is what Kerio calls their combination of Spamassassin and 
Bayesian filtering.  As explained at <a href="http://support.kerio.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=405&nav=0,1">How does Bayesian Self Learning Work in Kerio MailServer?</a>, Kerio "self trains".  Mail 
users can also help Kerio learn about spam by either using the "Spam/Not Spam"
buttons in their mail client or simply by dragging spam messages to the 
Junkmail folder in IMAP clients that don't support those buttons.</p>
<p>You can also define your own custom rules at the server, and some clients 
(Webmail, for example) can define their own server side rules.  Remember 
that rules defined in Webmail are processed regardless of whether you 
are using Webmail to read your mail.  There is, for example, 
a default rule that moves messages marked "** SPAM **" to Junkmail.  No 
wildcards in custom rules, unfortunately.</p>
<p>Kerio Connect 7.4 adds the ability for administrator-created rules to search inside 
the message body.  This lets you add spam points for "viagra" or "mortgage" even if it isn't in the subject line.</p>
<p>Note that you need to look at how such messages are scored (use "View source" or "Show original" in your client).  Many of these get a negative starting score, so you'd need to be more aggressive to block them.  As an example, I often get email similar to this:</p>
<pre>
Dear webmaster

Are you the person responsible for aplawrence.com?
I'd like to discuss a possibility of my placing a text
link on your page.  This would be beneficial to both of us.
</pre>
<p>I added some body rules to catch things like this, but the message above isn't enough to be treated as spam - it would need more indicators, as we can see in the headers after receiving it:</p>
<pre>
X-Spam-Status: No, hits=0.8 required=3.0
	tests=AWL: -2.467,BAYES_00: -1.665,CUSTOM_PERSON_RESPONSIBLE: 2,
	CUSTOM_TEXT_LINK: 1.5,CUSTOM_WEBMASTER: 1.5,HTML_MESSAGE: 0.001,
	TOTAL_SCORE: 0.869,autolearn=no
</pre>
<h2>Caller ID and SPF</h2>
<p>Kerio supports both of these, though at this time they aren't 
used enough by other servers to be of much value.  There's no reason 
not to turn them on; they could catch something.  Don't block 
though - increase the spam score.</p>
<p>See also <a href="http://aplawrence.com/Kerio/spf-callerid.html">Kerio Spam Control: Caller-ID and SPF</a></p>
<p>Note: You might want to add SPF and Caller ID records for your domain - this can help your email get through to other places.  See <a href="http://support.kerio.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=497">How do I create an SPF or Caller ID record?</a>.</p>
<h2>Spam Repellent</h2>
<p>This is a simple method to really annoy spammers.  When a server 
connects to your server, it is supposed to politely wait for 
the SMTP greeting - your server saying it is ready to talk.  This 
setting deliberately delays that greeting for up to 30 seconds.  If 
the other server attempts to start talking before then, it is just disconnected.
Spammers' software usually doesn't want to waste that much time 
waiting around, but even if it does, you at least have cut down 
on how much work they can get done in a day.  If every server 
did this, spammers would be significantly hampered (assuming they 
were willing to wait).</p>
<p>Spam is an on-going problem.  Spammers can and do buy servers like Kerio 
and use them to test their messages against.  Kerio does constantly 
improve their spam filtering methods to help counter that.</p>



]]>
</description>
<link>http://aplawrence.com/Kerio/kerio_mailserver_spam_filtering.html</link>
</item>
<item rdf:about="http://aplawrence.com/Kerio/kerio_android_message_delivery.html">
<title>Android phone crashes email account  </title>
<description>
<![CDATA[
Kerio,Mail,Troubleshooting 

2012/05/15<p><br /></p>


<p>One of my long term customers called me with a complaint about his daughter.  No, I don't do family counseling; this was about a company wide email message that was being duplicated over and over again.  When he called me, he already had several hundred copies of the email she had sent and so did every other person in the company.</p>
<p>Duplicate email usually has a simple cause:  the sending end never got an 
acknowledgement from the server that the message was received intact, so, assuming the worst, it sends it again.  If, however, the receiving server thinks that it got 
everything and that it did send an acknowledgement, it will get busy passing that message on to the recipients. When the next message comes, it happily passes that on too.</p>
<p>You wouldn't expect this to keep happening.  Sure, something might go awry once or twice every now and then, but not hundreds of times.</p>
<p><i>We do often put some limits on this dance.  For example, we'd usually set a hard limit on the number of messages per hour from one IP address.  This will at least slow down errors like this.</i></p>
<p>The cause of this could be faulty software or a bad network connection. I'd look to the sending machine's network card or cable as the cause, but even that would be very strange: it's hard to be defective so that the acknowledgement is missed without being so defective that nothing works at all. </p>
<p><i>If this were happening to multiple people, I'd look to an SMTP protocol inspector at the firewall messing this up.  In my experience, that particular interference would be with large attachments, not small text messages like this one.  Also, that usually wouldn't repeat more than a few times.</i></p>
<p>In this case, her father knew that she was out of the office and therefore had to be using her cell phone.  I therefore suggested the quick solution: nuke the email account on her phone.</p>
<p>That's not as draconian as it sounds.  All data is stored on the server; the <a href="https://kb.kerio.com/article/how-to-configure-exchange-active-sync-account-on-android-device-883.html">phone account can be set up again in less than a minute</a>.  Killing the account will quickly stop any sending and if it didn't, killing the account and shutting the phone off surely would.  So that's what we did and of course the duplicate emails stopped.</p>
<p>It's not hard to find <a href="http://www.droidforums.net/forum/droid-2-tech-issues/158258-droid-2-sending-multiple-emails.html">accounts of others having similar problems</a>.  Those referenced Exchange servers, but ActiveSync is the common factor. It could be the phone software, but it could also be the network connection - perhaps she was in a bad reception area when she sent the message - though, again, it's hard to imagine why the message would get sent and only the final part of the communication get screwed up.</p>
<p>Anyway, problem fixed with nothing more than a quick phone call. I thought we had put that behind us, although she would have to test her phone and be sure it was not faulty software.</p>
<p>Two weeks later, Dad called again.  This time he told me that his daughter couldn't access her email.  I asked if he meant from her phone; no, she had not even restored her account yet.  She was unable to see mail on her desktop not twenty feet from the server room.</p>
<p>We felt that warranted a hands-on visit.  I could have VPN'd in, but they are not that far  away and I had some shopping to do along the route anyway, so I headed on over.</p>
<p>When I arrived, I was momentarily puzzled.  Looking at her mail directory in the Kerio Connect store directory, I could see that it contained well over 200,000 files.  However, her Inbox, Sent Items and Deleted Items were all small - less than 200 messages in any of them.  The largest email folder in her directory had 7,500 messages and the total of everything was less than 10,000.  So where were all these files?</p>
<h2>Calendar</h2>
<p>I found them in Calendar - over 200,000 entries.</p>
<p>Of course calendaring is a separate part of Active Sync - nuking the email account wouldn't affect that, and apparently this phone was having the same trouble with Calendar events as it had with email - it had been sending them repeatedly for two weeks and that finally broke her mail client.</p>
<p>I deleted these from the command line, and then told the system to reindex her mailboxes.  The deletion and the reindexing took about 30 minutes but she was able to get in after that.</p>
<p>Although Kerio recommends shutting down the server in these cases, I didn't.  I had her close her email client and shut off her phone; there was no danger of calendar events arriving from anywhere else so I saw no need to inconvenience the rest of the company.  Still, recommended practice is to bring the server down.</p>
<p>I told her she could try reactivating her account if it was OK with her father and told him that if he did that, he should watch her mailbox closely for a few days just in case. We need to find out if her phone is broken or this was just a transient glitch. My suspicion is the phone because of the calendar entries building up over time.  It doesn't seem to be transient, and the similar circumstances I can find in Google indicate that something is broken in the phone software. If she reactivates her email and that starts acting up immediately, that would seem to nail it, although I'm not sure what she'd do at that point: I didn't find any definite solution in my Google searches.</p>




]]>
</description>
<link>http://aplawrence.com/Kerio/kerio_android_message_delivery.html</link>
</item>
<item rdf:about="http://aplawrence.com/Kerio/kerio_workspace_crm.html">
<title>Kerio Workspace as a CRM  </title>
<description>
<![CDATA[
Kerio 

2012/05/14<p><br /></p>

<p>I'm a small business.  Basically, the business is me and at one time I did it all: prospecting, sales, tech support, billing and accounts receivable.  Of course I also did the filing, though I confess that with the crush of everything else, that often consisted of just laying the latest piece of paper on the top of a pile of older things.</p>
<p>When my wife stopped working, she took pity and began handling the paperwork side: billing, making up deposits, chasing slow payers and of course the neglected filing.  That took quite a burden off my shoulders, but it also partially disconnected me from my customers.  I no longer had involvement in the accounting side, so I lost part of my knowledge base.</p>
<p>Of course I could get at that information: I've used Quickbooks to handle all that for years and my wife just continued that.  I could call up any report or customer detail at any time, but that's not quite the same as actually doing the work.</p>
<h2>Quickbooks limitations</h2>
<p>Although I do a fair amount of simple selling, both product and support, most of my business is built around recurring subscriptions - support and licenses. Tracking those subscriptions can be difficult, especially when it involves other companies as it does with software licenses.  Quickbooks doesn't help me with that, so long ago I wrote scripts that alert us to expiring subscriptions.  Those are useful, but I needed more.  What I really wanted was an electronic filing cabinet where I could put everything I need or want to know about customers.</p>
<p>That part by itself wouldn't have been too hard to do, but I also needed something multiuser that would be easy for my wife to use and understand.</p>

<h2>Kerio Workspace</h2>
<div style="text-align:center">

<p><a href="http://aplawrence.com/cgi-bin/showpic.pl?image=kerio_workspace_crm_lg.jpg
&mytitle=My Workspace Customer records
&returnpage=Kerio/kerio_workspace_crm.html

&returntitle=Kerio Workspace as a CRM">
<img src="http://aplawrence.com/images/kerio_workspace_crm.jpg" alt="My Workspace Customer records" title="My Workspace Customer records (click for larger view)" /></a><br /></p>

</div>
<p>Kerio Workspace gave me exactly what I need.  Its ability to merge in text notes, pictures and any type of file gives me a full record of all customer interaction.  Of course I can keep track of upcoming renewals, keep notes on contact name and email changes, but I can also attach copies of invoices, scripts I wrote and records of support incidents and resolutions.  The automatic tracking of file versions makes that ability particularly powerful for scripts and invoice history.</p>
<p>Now EVERYTHING I know about my customers can be in one place. 
The search capability lets me quickly find whatever I need and the ease of use lets my wife update those parts that are related to invoicing and collections. The granular sharing controls let me show her only those parts of the records that she cares about, so her view can be much more compact than mine.</p>
<h2>API?</h2>
<p>This layout can give me everything I want, but if I could interface it with my scripts using an API such as Kerio has provided for Connect, I could automate even more of it and actually make it rival commercial CRM software.  The ability to automatically copy renewal information to the main customer space would make this much more like a real database and eliminate manual work.  I hope that is something Kerio will consider in the future.</p>





]]>
</description>
<link>http://aplawrence.com/Kerio/kerio_workspace_crm.html</link>
</item>
<item rdf:about="http://aplawrence.com/Kerio/kerio_rip.html">
<title>Kerio Control Rip and Replace   </title>
<description>
<![CDATA[
Kerio,Security,Troubleshooting 

2012/05/10<p><br /></p>


<p>I'm very happy today.  Yesterday I installed a brand new Kerio Control box at a customer I've known for almost 20 years now.  We replaced an Astaro firewall that had been put in just two years ago and you probably think I'm happy because I made a sale, but no, that's not it at all.</p>
<p>I'm happy because my customer is now going to get decent support.</p>
<p>With the Astaro, he was getting awful support and at a damn high price, too.  His phone calls and emails would often go ignored for days and sometimes weeks.  There was nothing wrong with the Astaro itself and I suppose he could have gone searching for some better Astaro reseller to take over the support, but instead he and I decided to rip and replace - he'll be paying far less in the long run and I do NOT ignore my customers!  That's why I'm happy.</p>
<h2>Best laid plans</h2>
<p>My plan was to replace the Astaro with Kerio Control on Wednesday.  We knew the Astaro license would expire a few days before that, but I only got the unit the previous Wednesday, and of course I had other things on my schedule already.  I expected that Astaro would have some reasonable policy on expired licenses.  For example, Kerio Control has this policy:</p>
<blockquote>
If the License (or the trial period) expires, the functionality of the product will be limited. In particular, the following features will be turned off:
<br /><br />* IPS, integrated and external anti-virus engines
<br />* VPN Server, all tunnels, SSL-VPN Server
<br />* Accounting - gathering statistics,
<br />* HTTP Policy, FTP Policy, HTTP Proxy Server, Forbidden words
<br />* Bandwidth Limiter, is turned off
<br />* 'Require user authentication', NTLM authentication
<br />* UPnP server, P2P Eliminator, Anti-spoofing, MAC Filter
<br />* Kerio Web Filter will stop working
</blockquote>
<p>I expected Astaro to have something similar.</p>
<p>On Saturday afternoon, however, someone from the customer called saying that the Internet was down.  I wasn't where I could test anything at that particular moment, so I asked them to call their ISP (Verizon) to see what they said.  An hour later the customer called back, telling me that Verizon said a line was "down" somewhere.</p>
<p>I shrugged my shoulders - there's not much I can do about that, although I knew that  they also have a slower line and I thought that would have been configured for failover.  The person I was talking to on Saturday would know nothing about that, though, so perhaps they had simply discontinued it.</p>
<p>On Monday morning, I had a call from my usual contact.  Apparently Verizon had not yet fixed the problem.  They were 'on their way', he said and had narrowed it down to something very close to the building.  I commiserated, but then he said something odd.</p>
<p>"Email is still coming in.  I can't send email, but I get it."</p>
<p>Excuse me?  If the Verizon line is down, how could anything be coming in?  Unless maybe it was coming through the failover line?  But why wouldn't he be able to get out?  I was at a computer now, so I ssh'ed to his Linux server and, sure enough, it let me in.  But once in, I couldn't even ping outside sites.  That made no sense to me and I suspected the Astaro licensing.  I asked him to check what the Astaro said about its interfaces, but he couldn't see much:  almost everything he looked at just said his license was expired.</p>
<p>I offered to reschedule and come in early Tuesday, but if Verizon was still looking for a broken line, that didn't seem to make sense.  We decided to leave it for Wednesday.</p>
<h2>Installation</h2>
<p>Of course I preconfigured most of this before going on site, but I didn't add users or fully configure the secondary Internet line - it might not exist.  When I arrived, Verizon had just completed the repairs and had asked him to reboot his routers.  Good timing!</p>
<p>We headed down to the network closet and I found pretty much what I expected to find.  The Astaro had three CAT5 cables plugged in.  That would be one for the main ISP, one for the failover and one for the network switch.  I pulled them out and started hooking up the new Kerio Control.</p>
<p>All hell broke loose a few minutes later.  Cries of pain echoed down the halls.  I had somehow disconnected them from their server!</p>
<p>That made no sense, but then we looked more closely at the line coming from the "failover" connection.  It was disconnected and had been before we walked in.  Huh?</p>
<p>"Oh yeah - I remember he [the Astaro guy] had me disconnect this. It was slowing us down.", my contact guy explained.</p>
<p>Slowing you down?  "Wasn't it a failover?", I asked.  No, he explained: it had been configured to use both, but it is a much slower link, so people were complaining.</p>
<p>I muttered something unfriendly about the Astaro guy.  That link shouldn't have been configured for load balancing.  If you have a fast link and a slow link, you either configure the slow one for failover only or you use it only for some specific purpose like incoming mail - you don't plague users with it!  I pulled out the "wrong" wire and plugged this one in to the port I had planned for failover.</p>
<p>But what about the wire I just pulled out of that port?  What the heck was that?  How could we have two connections to the network?  It took me a few minutes to understand: there were not two connections to a switch; there was a connection to one switch and a connection to another and the firewall was sitting in the middle!  So of course I killed the network when I switched it - I plugged half of their network into a port I had configured for the failover link!  The really hilarious part of it was that a little 8 port switch was sitting right there - that extra line could have been plugged into that instead!  Sheesh!</p>
<p>But at least we were working.  Within a few tens of seconds, people had Internet access again and the network was reunited.  I began introducing my contact to his new firewall.</p>
<h2>Users and VPN access</h2>
<p>I like to set up the VPN users and administrators first.  Those are the users we absolutely need to define; the rest can wait.   We already had six or seven people who ssh in and I had defined a DNAT rule to bring them in, but I explained that it really would be better for them to use the free Kerio VPN client instead.  That would give them access to all network resources instead of just logging in by ssh.  We set them up and gave them VPN rights.</p>
<p>I held off on adding any more users because I wanted to show him a neat way to do it in Kerio Control.  This way is easier for everyone.</p>
<h2>Lease reservations</h2>
<p>In the DHCP section of the firewall, you can see leases.  If you double click on one, you can give it a name (helpful when the machine names were carelessly assigned) and reserve the lease so that the device will always get that same IP.  Why do we care?  Because in the user config, there is the ability to assign an IP to a user - when the system sees traffic from that IP, it logs it as belonging to that user.</p>
<div style="text-align:center">

<p><a href="http://aplawrence.com/cgi-bin/showpic.pl?image=kerio_rip_iplock_lg.jpg
&mytitle=Lock Ip to user
&returnpage=Kerio/kerio_rip.html

&returntitle=Kerio Control Rip and Replace ">
<img src="http://aplawrence.com/images/kerio_rip_iplock.jpg" alt="Lock Ip to user" title="Lock Ip to user (click for larger view)" /></a><br /></p>

</div>
<p>In this case, that "user" is called "Front Desk Downstairs".  Note that spaces in the name are fine and that we really aren't defining a user - we're defining a machine.  The Kerio reporting will treat it as a user and a user with more rights could specifically log in at that machine, but otherwise we don't care who uses it - we're tracking what happens at that machine.  The real user doesn't have to log in, doesn't have to know the assigned password, really doesn't have to care at all.  But the administrator can now easily see that "Front Desk Machine" spent a lot of time on Facebook just before lunch.</p>
<p>That's a simple and transparent way to handle users.  The only people who even need to know passwords are the VPN users or anyone who has rights to unlock otherwise protected content.  The administrator gets the oversight and the users don't have to log in.</p>
<h2>Blocking Sites</h2>
<p>Kerio Control has a built in rule for its Kerio Web Filter, but don't forget that you have to double-click on it and select the specific categories you want to block.</p>
<div style="text-align:center">

<p><a href="http://aplawrence.com/cgi-bin/showpic.pl?image=kerio_rip_web_filter_lg.jpg
&mytitle=Kerio Web Filter
&returnpage=Kerio/kerio_rip.html

&returntitle=Kerio Control Rip and Replace ">
<img src="http://aplawrence.com/images/kerio_rip_web_filter.jpg" alt="Kerio Web Filter" title="Kerio Web Filter (click for larger view)" /></a><br /></p>

</div>
<p>Of course there may also be things you want to block specifically.  The easiest way to do that is to create a new URL group:</p>
<div style="text-align:center">

<p><a href="http://aplawrence.com/cgi-bin/showpic.pl?image=kerio_rip_blocked_sites_lg.jpg
&mytitle=Blocked Sites URL Group
&returnpage=Kerio/kerio_rip.html

&returntitle=Kerio Control Rip and Replace ">
<img src="http://aplawrence.com/images/kerio_rip_blocked_sites.jpg" alt="Blocked Sites URL Group" title="Blocked Sites URL Group (click for larger view)" /></a><br /></p>

</div>
<p>And then add an http policy that blocks them:</p>
<div style="text-align:center">

<p><a href="http://aplawrence.com/cgi-bin/showpic.pl?image=kerio_rip_http_policy_lg.jpg
&mytitle=Blocked Sites Policy Rule
&returnpage=Kerio/kerio_rip.html

&returntitle=Kerio Control Rip and Replace ">
<img src="http://aplawrence.com/images/kerio_rip_http_policy.jpg" alt="Blocked Sites Policy Rule" title="Blocked Sites Policy Rule (click for larger view)" /></a><br /></p>

</div>

<p>This doesn't clutter your policy with dozens of rules and makes it easy for the administrator to add and remove sites.</p>
<h2>StaR Reports</h2>
<p>Kerio's StaR reports seemed to really fascinate my contact.  "Didn't the Astaro do something like this?", I asked. He replied that it did, but only by IP address, so he never knew who was doing what.  He said that the Astaro guy was "supposed to fix that", but never did.</p>
<p>Yeah.  I think you can see why I was happy about this sale.</p>



]]>
</description>
<link>http://aplawrence.com/Kerio/kerio_rip.html</link>
</item>
<item rdf:about="http://aplawrence.com/Kerio/support_policies.html">
<title>Support is not an annoyance  </title>
<description>
<![CDATA[
Employment,Kerio,Troubleshooting 

2012/05/07<p><br /></p>

<p>There's a bit of a storm brewing at the Kerio user community forums over Kerio's recent announcement that they intend to <a href="http://www.kerio.com/support/faq">charge for support in some circumstances</a>.  Some of this is just simple misunderstanding, but other users feel angry and perhaps betrayed by this sudden change in policy.</p>
<p>Because it's important, I'm going to restate two things that some people have ignored:</p>
<blockquote>
Pre-sales and registered Trial support will be free. Complimentary Installation Period Support will also be available for 90 days after the registration of a purchased licence.
<br /><br />
Any support incident that results in a bug report or an RMA, or is a known Kerio product bug, will of course not be charged for.
</blockquote>
<p>I'm also going to be very honest here:  I think Kerio handled this badly and that there were other options that might have eliminated the need for this upsetting change.  On the other hand, I support the change if it will encourage customers to contact their resellers for support rather than Kerio.</p>
<p>I have more than one reason for my support. One of my reasons is actually greedy and selfish: Kerio has more than a few "bad" resellers who do NOT support their customers well and I'd like to take over those accounts who become disenchanted with their poor support.  That's the self-centered reason that I support this change, but there are more reasons.</p>
<h2>It's good for the customers</h2>
<p>Good resellers can often do a better job at support than Kerio can.  There are obvious exceptions, of course: if we are talking about a bug, the reseller does not have access to the resources Kerio support has access to.  We don't get to see source code and few of us can maintain every possible supported equipment configuration to test scenarios.</p>
<p>On the other hand, those are not what most support calls are about.  If you read through all the <a href="http://aplawrence.com/cgi-bin/indexget.pl?arg=Troubleshooting">troubleshooting articles</a> I have written here over the years (all of which were taken from actual support requests), very few involve product bugs per se.  More usually, these are "fog of war" problems, confusing problems brought on by unusual conditions that aren't always easy to see.  As a support person, the more knowledge you have of the customer's environment <b>and of the customer personnel</b>, the more likely you are to solve the problem quickly.</p>
<p>This requires a relationship with the customer.  It requires knowing what they do, what hardware and software they use, what their technical expertise is and what their past history has been.   A reseller may have that relationship and that knowledge; Kerio support personnel may not.</p>
<p><i>Don't forget that the reseller always has the option to bring Kerio support into the conversation.  Kerio resellers are NOT charged for support, so the reseller can augment their own knowledge with Kerio's.</i></p>
<p>The reseller may also be capable of doing things that Kerio support cannot.  For example, I've helped many customers with network problems, virus problems and hardware issues.  Kerio support can't reasonably offer much help once the problem is plainly not their software, but the reseller may very well be able to chase the problem much farther.</p>
<h2>Doesn't this take more time?</h2>
<p>The scenario many envision is this:  The customer sends a problem to the reseller.  The reseller passes it to Kerio.  Kerio answers the reseller requesting more information, the reseller in turn asks the customer and on we go.</p>
<p>That may very well be what the "bad" resellers do, but it's not what I do.  If we're exploring a problem by email, I cc the customer when I initiate the support ticket with Kerio and ask them to cc the customer in turn when they answer.  If we are doing this by phone, I'll call Kerio and then conference in the customer.  This avoids all the delays - everyone is on the same page at the same time.  </p>
<p>That's assuming I even need to contact Kerio.  In the almost eight years I have been selling Kerio products, I have had very few conversations with support.  I handle most calls myself, because most calls are not bugs and are not difficult.</p>
<h2>It's good for Kerio</h2>
<p>Well, that's obvious:  having resellers handle tier one support reduces their costs.  But there is more to it.  Kerio has reasons for having a reseller network and a very important  part of that is the relationships resellers have with their mutual customers.  Those relationships usually mean longer term opportunities for Kerio. </p>
<h2>It's good for the reseller</h2>
<p>I may be odd, but I don't look at the support I provide as an expense.  I see it as opportunity.  My motto for many years has been that there are no problems, because every problem is always an income opportunity for someone.  The opportunity may be obvious or it may be subtle, but solving problems often leads to more sales, now or in the future.  Even when it does not directly lead to new business, good support helps ensure business retention, something that every good reseller knows is vitally important.  Therefore, those "bad" resellers who look at support as an annoyance and are anxious to pass it on to someone else are really missing out.  Sooner or later they will lose their customers to someone like me who is willing to give good service and support.</p>
<h2>My gripes?</h2>
<p>There are things I don't like about this.  For example, I don't want my customers going to Kerio for that 90 day "free support" period.  For all the reasons detailed above, I want them running those questions through me.</p>
<p>I'd also prefer that Kerio support be able to conference call me and my customer when we've opened a ticket that requires that.  That's a minor issue, of course. I'd love it if we could do Google Hangouts with Kerio support and my customer when needed.  That could be a very good way to handle conferences and even written communications.</p>
<p>I also feel that Kerio has not yet done enough for the reseller's needs.  We need access to bug reports and we should get immediate notification if one of our customers has contacted Kerio directly - we should get copies of all conversations and solutions, both so that we can follow up if more help is needed and so that we can  be aware of issues that may affect other customers.</p>
<p>We should get better technical training.  Kerio does provide some training, but it hasn't been in depth.  I'm sure they must provide better to their in-house people; resellers need access to similar resources. That may not be easy to do - there can be confidentiality issues, of course, but we should at least get 
masked reports (expunged of customer information) of current support requests and their resolutions. That would help us support other customers better.</p>
<p>Kerio also needs to manage their reseller channel better and make partners more aware of their obligation to provide customer support.  I suspect most have been accustomed to just telling customers to "call Kerio" - that needs to stop.</p>
<p>If a customer does call Kerio direct, I'd like to see support strongly encourage them to call their reseller instead - perhaps even offering to try to patch the reseller in right then and there, or in the case of a written ticket, cc'ing the reseller with the initial response.</p>
<p>Support is important.  As I said above, it is important for all three parties involved.  I see posts at the forum that strongly imply that some see the reseller as a rather useless cog in this particular wheel, but that's not my view at all.</p>



]]>
</description>
<link>http://aplawrence.com/Kerio/support_policies.html</link>
</item>
<item rdf:about="http://aplawrence.com/Kerio/koc_domain.html">
<title>Troubleshooting Outlook KOC problems on new Windows 7 machines  </title>
<description>
<![CDATA[
Kerio,Mail,Microsoft,Troubleshooting 

2012/05/04<p><br /></p>

<p>A New York customer had recently purchased another company, so they added that company's email domain to their Kerio Connect mail server.  A few users were moved in one direction or another and everything seemed to be going well.</p>
<p>As the newly purchased company needed some hardware upgrades, new Windows 7 machines were purchased for several of their users.  That's where the trouble started...</p>
<h2>It has to be the domain</h2>
<p>The new machines could not seem to synchronize with Kerio.</p>
<p>For those who aren't familiar with Kerio, let me explain that in addition to Webmail, POP3 and IMAP, Kerio supports a <a href="http://manuals.kerio.com/kms/en/sect-koc.html">MAPI</a> configuration which gives Outlook most of the important features it would have using Microsoft Exchange.  This requires the installation of a Kerio Outlook Connector (KOC) on client machines.  After installation, the KOC attempts to bring down message headers from the server - synchronizing its view of email with the server's.  It was this process that was failing.</p>
<p>IMAP has a similar synchronization and both it and Webmail performed badly on these new machines also, although not quite so poorly as the KOC did.</p>
<p>The situation was described by Rick, their IT guy, to me over the phone and then he followed up with this email (I added comments and explanations in [brackets]):
</p>
<pre>
Given:  Both users are at [the new company], and work fine on Windows
XP with Office 2003 SP3 with the Outlook connector

     Both users have Windows 7 Pro, and Office 2010. 

     I have Windows 7 Pro with Office 2010 with -0- problems

     The ONLY thing I can think of is the Domain.  I have no domain.

So, I asked [tech person at the new company] to set up a new machine,
but don't join the domain..  Then try the KOC setup.  NO PROBLEMS!

Then she joined the machine to the domain, (and had to setup
KOC again, because it's a new profile on the computer.) and
BAM! PROBLEM setting up KOC!
</pre>
<p>Let's pause for a moment, shall we?</p>
<p>This HAS to be a domain policy.  Rick said so himself here and I said the same thing.</p>
<p>One small wrinkle, though:  the old XP machines are in the domain and they worked fine. Moreover, everyone at the new company swore up and down that there were no policies applied - the domain really was only to help protect a few shared resources from unauthorized users.</p>
<p>So, we bumped it up to Kerio Support.  They looked at logs and didn't have much to add:</p>
<pre>
Thank you for the log information.

It appears as if there are network connectivity issues as soon as
you join the domain. The debug log shows it unable to locate items
(404 not found errors) and RPC server unavailable. Something is
blocking these machines as soon as they join the domain.

Can you check the Windows event viewer for any sign here of
issues? Other warning messages?

What antivirus is used on these machines? Are these the only win7
platforms on the domain that are having this issue? Are there win7's
that are working?

I have to be honest, that I have not seen this type of issue with
domain based win7 boxes, since we use them ourselves and many other
clients/customers are running win7 without this type of issue. It
has to be something about this domain that is causing the issue.
</pre>
<p>So, really, it HAS to be the domain, right?</p>
<p>Microsoft was summoned.  At first, they thought it was Outlook.  Then of course, they suspected Kerio, but had to agree that Kerio worked correctly before the machines joined the domain.  Rick also showed them that Zimbra IMAP had the same problems Kerio exhibited.</p>
<p>Meanwhile, Kerio second tier support confirmed what we thought we were seeing:</p>
<pre>
The development team writes that requests from KOFF to Connect are
timing out when downloading partially synchronized message.
</pre>
<p>I wondered about the Internet link at the new company. It's only a T1; were we overloading it?  But that made no sense because, again, the trouble only showed up when the machines joined the domain and that sent me back to domain policy and there was none.</p>
<p>Meanwhile, Microsoft had decided that this was indeed a domain related network issue and bumped the case upward in their support chain.  A week later, they fixed it.</p>
<h2>Presented as it is, without understanding</h2>
<p>As we all said, this had to be a domain policy, and Microsoft pointed at "Remote Installation Services".  There are four options in that policy:</p>
<ul>

<li>Automatic Setup</li>
<li>Custom Setup</li>
<li>Restart Setup</li>
<li>Tools</li>
</ul>
<p>Each option can be set to Enabled, Disabled and Not Configured.  In the murky past, someone had set Custom, Restart, and Tools to "Disabled".  Microsoft had Rick set them back to "Not Configured".</p>
<p>I have to bring this train to a screeching halt for just a minute.  This Remote Installation Services is for <a href="http://en.wikipedia.org/wiki/Remote_Installation_Services">installing OS images on PXE capable systems</a>.  Therefore, unless you actually are installing operating systems, it would seem reasonable to assume that the most this service would be doing is listening for BOOTP requests - and it would only do that if it were enabled.  Moreover, given Microsoft's explanation of "Not Configured" (see image below), that is no different from "Disabled" in this case.</p>
<div style="text-align:center">

<p><a href="http://aplawrence.com/cgi-bin/showpic.pl?image=koc_domain_trouble_lg.jpg
&mytitle=Microsoft Remote Installation Services
&returnpage=Kerio/koc_domain.html

&returntitle=Troubleshooting Outlook KOC problems on new Windows 7 machines">
<img src="http://aplawrence.com/images/koc_domain_trouble.jpg" alt="Microsoft Remote Installation Services" title="Microsoft Remote Installation Services (click for larger view)" /></a><br /></p>

</div>
<p>However, Microsoft code is full of strange things.  While being prevented from listening for BOOTP packets, perhaps the PDC gets bored and decides to echo random thoughts back out on the wire, interfering with our synchronization?</p>
<p>Perhaps Windows 7, feeling humiliated by the looming shadow of Win 8, desires an OS transplant, and, noticing that this option is specifically disabled, cries out in pain, throws itself on the floor and thrashes around in a tantrum?  Whatever: if Microsoft tells you to change a setting, you change the setting - even if they admit they have no idea why it matters.</p>
<h2>But wait - there's more!</h2>
<p>Microsoft also had Rick do this:</p>
<pre>
We had to issue the following commands at the command prompt (AS ADMINISTRATOR!)
[on the Win 7 machines]
 
netsh interface tcp set global rss=disabled
netsh interface tcp set global autotuninglevel=disabled
netsh int ip set global taskoffload=disabled
netsh interface tcp set global chimney=disabled
 
When complete,  the command : 
netsh int tcp show global  
 
should show everything disabled except for NetDMA State
</pre>
<div style="text-align:center">

<p><a href="http://aplawrence.com/cgi-bin/showpic.pl?image=koc_domain_nics_lg.jpg
&mytitle=Resetting NiCS
&returnpage=Kerio/koc_domain.html

&returntitle=Troubleshooting Outlook KOC problems on new Windows 7 machines">
<img src="http://aplawrence.com/images/koc_domain_nics.jpg" alt="Resetting NiCS" title="Resetting NiCS (click for larger view)" /></a><br /></p>

</div>
<p>That makes more sense.  This has to do with smarty-pants NIC cards that can take on TCP/IP processing that the OS would normally handle.  If you google for "Win 7 SNP", you'll find <a href="http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/14fc08fb-f62b-4f86-b59f-d7a4d685b3fe">articles that recommend similar actions for similar problems</a>.  Interestingly, this stuff goes back to Server 2003 - I found this <a href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;948496">"update to turn off default SNP features"</a>, which leads off with an explanation of all the bad networking trouble this can cause:</p>
<div style="text-align:center">

<p><a href="http://aplawrence.com/cgi-bin/showpic.pl?image=koc_domain_snp_lg.jpg
&mytitle=Effects of SNP
&returnpage=Kerio/koc_domain.html

&returntitle=Troubleshooting Outlook KOC problems on new Windows 7 machines">
<img src="http://aplawrence.com/images/koc_domain_snp.jpg" alt="Effects of SNP" title="Effects of SNP (click for larger view)" /></a><br /></p>

</div>
<p>This makes sense - apparently Microsoft coders and the NIC card coders aren't communicating well and the result can be a mess like this.  I can't imagine how this has anything to do with Remote Installation Services, but so what?</p>
<p>But why does it turn up only after joining the domain?  Does the domain change the Win 7 TCP/IP stack?  Darned if I know. I did some Googling but couldn't zero in on anything helpful.  Apparently something happens - because Rick reports success:</p>
<pre>
And this my friends provides us with a Windows 7 computer on a Server
2003 Domain that operates quickly, smoothly and most enjoyably.
</pre>
<p>Rick explained in a phone conversation that they tried doing just the SNP, but without changing the domain policy, it did not help.  We all agree (even Microsoft, apparently) that it makes no sense - when KOC is talking to the mail server, the DC isn't even involved, but there it is just the same: both these actions were needed to fix the problem.</p>
<p>So, two weeks after the initial problem, and with much wailing and gnashing of teeth, the problem is solved.  Happy workers are now reading email on their brand spanking new Windows 7 machines.  I'm sure Rick is sleeping better and those of us who work in the field should remember this SNP stuff for future reference.</p>
<p>If this had been happening BEFORE joining the domain, the first thing I would have tried is adding a different NIC.  That's a simple and quick test for driver weirdness, but because the silly things worked outside of the domain, that thought never entered my head.  It's good to keep in mind that for this kind of troubleshooting, you actually want a no frills, basic, simple NIC that Windows has known how to handle for years - no smarty pants hardware need apply.  Had I been wise enough to do that, the finger would likely have pointed at the NICs instantly and we either would have got to this point faster or would have just bought a box of new NICs and gone around the problem.  But I did not.</p>
<p>But that's life, isn't it?  We get led astray at times and it can be hard to resist that.  Had I suggested trying different NICs, I probably would have met resistance because it worked until they joined the domain. So, maybe it doesn't matter, but I wish I had tried just the same.</p>



]]>
</description>
<link>http://aplawrence.com/Kerio/koc_domain.html</link>
</item>
</rdf:RDF>