Of course that's true for any service you need. A running webserver will prevent HTTP or HTTPS from starting and leave you with the same problem: identify the process that is conflicting, stop it, and prevent it from starting up again. How you do that is operating system specific and even then there can be odd circumstances that could make it difficult to track down the offending process or application. If you can't easily identify the problem, give me a call and I will help you track it down.

The mailserver needs to go out on port 25 (unless you use a SMTP relay at some other server). zsome ISP's block 25 and other mail ports; make sure you can use the ports you need.

Scanners and so on

You may have a scanner or some other device that wants to use the mailserver. Usually that's trivial, but it can be more complicated. Most problems I've seen are simple mistyping errors or incorrect DNS.

Operational Problems

Other problems usually involve delivery (or non-delivery) of mail. Why can't I send mail to Mary Jones? Why can't Mary send to me? Usually the logs (mail.log, error.log, security.log and spam.log) will show the reason: you mistyped Mary's address, Mary's domain is on a blacklist..

A couple of things to keep in mind in this area: if there is no record in any log of a connection from samplesite.com, then whatever mail they tried to send to you simply never got to your server. Maybe it's their DNS, maybe there is a bad router between you and them, but whatever it is, it never got to you. There would ALWAYS be a log entry of some sort if the mail got to your server. The same is true for outgoing mail. If a user says they sent mail to maryj@samplesite,com, but you can't find any such thing in the Kerio logs, the problem is back at their machine, not within Kerio.

Of course there usually will be a log entry, and that will show you where the problem is. In the case of sending mail, look in the Message Queue (Under "Status" in your Kerio Administration Console). If the message is stuck in the queue, the other server may just not be up and running right now or there may be routing problems preventing your server from reaching it. That assumes that the original message was correctly addressed: many times I have found log entries showing that the user tried sending to "maryj@samplesite.com" when the real address was "maryj@samplesite.org" or was simply mispelled.

See also Troubleshooting failed email.

Debug Settings

Usually the logs tell the story completely, but sometimes you need more information. You can turn on extended debugging by selecting the Debug log and then Right-Clicking in the log area as shown here:

That will bring up a window that can turn on extra debugging for a number of functional areas. Usually you'd only do this at the request of a support technician, but there's no harm experimenting with this yourself if you are technically minded and curious.

Outlook Connector Problems

Outlook is a complicated product and adding Kerio's Outlook Connector doesn't make it any less so. Recent versions are actually two separate processes: the Connector itself (KoffBackend.exe) and the "Updater" service (ktupdaterservice.exe).

If you are experiencing difficulty, stop Outlook and the Updater service in Services) and try reinstalling. That sometimes fixes strange problems, as does simply creating a new profile. Remember, everything is stored on the server, so the only thing you lose is time.

Outlook synchronizatio stalled or slow is almost certainly a network problem. I've seen some really strange ones:Troubleshooting Outlook KOC problems on new Windows 7 machines, for example.

Domain issues

The usual problem here is that the account you told Kerio to use to get information from the Active Directory Server doesn't have sufficient privilege or (on Linux and Mac) that there is in error in Kerberos configuration. The logs can show you what server it is trying to talk to and what went wrong:

[11/May/2012 14:27:10][21069] {ldapdb} LDAP request: action=modify,
params="CN=Fred Jones,OU=IT,OU=Concord,DC=umal,DC=com???" (ThreadId=21069)
[11/May/2012 14:27:10][21069] {ldapdb} LDAP result: action=modify, errcode=50,
message="Insufficient access" (ThreadId=21069)

Repeated messages

Unless something really is sending the same message more than once, this indicates a network problem - the recieving server accepted the message, but the sender never saw the packet that acknowledged the receipt.

I've seen this caused by an SMTP protocol inspector on a firewall, but also see Android phone crashes email account.

Product Forums and Knowledge Base

Most mail problems are easily identified and quickly solved. Of course there is always the possibility that your problem is an actual Kerio bug. That hasn't happened very often, but you never know when some odd combination of circumstances may bring a bug to the surface. Kerio's Product Forums often contain late breaking news and discussions that may be helpful. For example, Microsoft patches can sometimes have unpleasant results - you'll often find out about this kind of thing in the Forums.

The Knowledge Base is also a good place to look for help. Your issue may be well known and a simple fix may be found here.

Support Options

You can open a Kerio support ticket on-line or just call them directly. If you need help and you are one of my customers, of course you can call me. Actually, I'd like to know about any problems even if you choose to go directly to Kerio support. It may be that I know the answer and can react more quickly, but even if I do not, I want to be involved and on top of the situation.

You may not ever have any real problems with Kerio Mailserver, but if you do, I hope this article helped.

Why you should let me sell you a new firewall

I see a lot of small businesses in the course of my work. Today, almost all have some form of Internet access and a firewall providing at least basic protection from the big bad world.

There is a wide range of deployed product. At the low end, someone ran down to Staples and picked up an inexpensive firewall that a home user might buy. At the other end, I'll see expensive Cisco units with high priced service contracts attached. I feel better about their security when I see the Cisco units, though I sometimes wince when I hear what they are paying for maintenance and support.

I sell Kerio Control firewall. I'm not a particularly aggressive sales type, so I might not even mention that fact unless something else triggers the subject, but lately I've been thinking that I really ought to be a bit more vocal and yes, a bit more "pushy".

It's not because I want to sell another firewall. Sure, I'm always happy to get an order for anything that I sell, but for me it's not about selling so much as it is about providing something that someone needs.

Yeah, I know: everybody says that. Most of them don't really mean it though. What they mean is that they need to hit this month's sales quota and they want you to contribute toward that goal. It's all about the money, honey, and the product itself is secondary. Oh, whatever they want to sell may be a great product, and they may really believe that they are helping you, but the really important thing is the sales quota.

Quota? What quota?

I don't have a sales quota with Kerio. Well, technically I do, but I pass my yearly quota sometime in February or March of each year, so I don't have them hovering over my shoulder demanding sales projections. I don't have a personal sales goal either - I make money and I spend money and it all works out. My attitude toward all of this is that if I do a good job, I'll make enough money. Therefore, my only plan is to do a good job for my customers. The rest works out.

So, with that in mind, let's chat about Kerio firewall. I like the product and I know that you will too, whether it's just you in your home office or you are buliding a mini empire and already have two branch offices running.

I could talk about technical features and I have at other articles you'll find here. Kerio also provides full tech specs for your perusal if you like that sort of thing.

Those really aren't that important to me.

Oh, they are important, of course. But what's really important to me is that Kerio Control helps me do a good job for my customer. Sure, the technical stuff is all part of that, but for me it's the end result that counts: my customers get protection and I can provide them with great support at a very reasonable price.

What you can expect from me

First, I want you to understand what you are buying. You can see the basic interface at demo.kerio.com. I want you to schedule a phone call with me so that I can walk you through the features and benefits shown there.

Depending upon your circumstances, I might also suggest that you download a 30 day demo. I'd want to help you select which version to download (it's available as a vertual machine, for example) and I will help you configure it appropriately for a test drive.

After that, if you decide to buy, I'll help you decide on how many licenses you will want and whether you'd prefer one of the software versions or the hardware box. I'll give you a competitive quote for the initial purchase and tell you what your expected yearly maintenance will be.

If you are buying one of the hardware boxes, I'm happy to have it shipped to my office where I will configure it so that it is ready to plug into your network when you receive it. I can do the same thing with software versions by emailing a configuration file.

When you are ready to go live, we'll schedule another telephone conference. By the way, there is no additional charge for any of this. It's to my advantage to be certain that everything is working as it should be; proper configuration can eliminate future un-scheduled support and that will make both you and me happier.

Going forward, you have my commitment to support you. All business apps are at least somewhat critical, of course, but firewall support is at or near the top of the list. Many businesses today utterly depend upon Internet access and a breach of firewall security could be extremely disruptive. Therefore, if you should ever call or email me with a problem, you aren't going to be waiting very long before you hear back from me: I take support very seriously and especially so when it involves your firewall. You won't be charged for my assistance; that's included in the price you paid.

You can even set your firewall to alert me of certain conditions if you prefer:

If you are going to do that, let me know so that I will know to watch for those specifically.

That's the whole of it. You'll be paying a reasonable price (usually far, far less than what you'd pay for Cisco support) and you aren't going to be waiting for someone to get back to you days later. You'll be dealing with me and I care about your needs. I appreciate that serious problems require rapid response - I also know that if I do my job correctly ahead of time, your chances of ever needing that response are greatly diminished.

All that tends to make both of us happy, doesn't it?

Kerio Mail Server Spam Filtering

Kerio Mail Server has several configuration options to protect against spam email. For maximum protection, you should investigate and set all appropriate items.

Under the Security Options tab for the SMTP server are several limits and controls you can set. These are:

• Maximum number of messages per hour from one IP address.
  
  While this certainly can cut down on spam, be careful here. A on-going conversation about a support issue or any other complex subject might bounce back and forth quite quickly and could easily exceed 60 messages per hour. Setting this is not going to prevent legitimate email; it just temporarily delays it. A legitimate server will try again later; a spammer probably won't.
  
  
• Maximum number of concurrent SMTP connections from one IP address.
  
  Again, this can block some spam, but keep in mind that legitimate email can and will make multiple connections for efficiency. Don't set this too low if, for example, your users have a lot of correspondence with AOL users or similar big servers.
  
  
• Block if sender's mail domain was not found in DNS.
  
  That's checked by default and ordinarily would be left that way. Why would you want to accept mail from someone without a DNS name? The only possible justification would be if you had other mailservers within your network, but even then you'd be smarter to put them in DNS and block anyone else without a DNS lookup.
  
  
• Maximum number of recipients in a message.
  
  This can be an effective block against spam, but it can also be a problem if you belong to mailing lists that (stupidly) list all recipients in the "To:" line. If that's not an issue, leave it checked and set the limit to the number of users in your mail domain.
  
  
• Maximum number of failed commands in SMTP session.
  
  By default, this is checked and set to three. The most likely source of failed commands is someone exploring your server for weaknesses - an ordinary SMTP conversation shouldn't have many failed commands. It might check for ability to do encrypted sessions, but it shouldn't do much more. Leave this checked.
  
  
• Limit incoming SMTP message size.
  
  This is a good one to set, but you do have to think about your legitimate needs for larger messages.
  
  

Blacklists

Real time blacklist filtering is not enabled by default, but you should turn this on. The reason people hesitate to do this is because of false positives, but you can easily white-list those addresses; see Kerio Mailserver Blacklists. A number of free blacklists are pre-configured for you, but you can add others, including of course paid lists. Using these blacklists can immediately cut out a lot of unwanted mail.

Be sure to set blacklists to "Add Spam Score", not block. If you block, you cannot whitelist.

Use multiple blacklists

There's another advantage to adding spam score rather than blocking. There are many available blacklisting services. Some are free, some are paid, some are good and some are sloppy, but consider this:

If you found an IP address on four different blacklists, the chances of that NOT being a spammer are very, very low. One blackist might be a "false positive". Two starts to get suspicious, but four is almost certain. So if you increased the spam score by just one point for a match from any of them, you hit four instantly for the spammer who has attracted everyone's attention. Of course you could increase it even more for super-consefvative lists like GBUdb, but intelligent use of blaclists can really help block spam.

Consider netblocks

Some countries generate more spam than others. If you have no reason to expect any legitimate mail from IP addresses that originate in those countries, why not block those outright or add spam score? You can do that with Custom Blacklists. For example, I have an IP address group called "Out of Country". I put in networks like 60.0.0.0 (mask 255.0.0.0) which matches an Asian block. I add two spam points if the sender matches. By itself, that isn't enough to be classified as spam, but it gives the message a good head start if it has other spammy characteristics.

This is my list of IP blocks.

network APNIC 
description Asia-Pacific 
61.0.0.0 255.0.0.0 
165.133.0.0 255.255.0.0 
202.0.0.0 255.0.0.0 
203.0.0.0 255.0.0.0 
210.0.0.0 255.0.0.0 
211.0.0.0 255.0.0.0 
218.0.0.0 255.0.0.0 
219.0.0.0 255.0.0.0 
220.0.0.0 255.0.0.0 
221.0.0.0 255.0.0.0 
222.0.0.0 255.0.0.0 
223.0.0.0 255.0.0.0 
58.0.0.0 255.0.0.0 
59.0.0.0 255.0.0.0 
60.0.0.0 255.0.0.0 

network RIPE 
description Europe
212.0.0.0 255.0.0.0 
213.0.0.0 255.0.0.0 
217.0.0.0 255.0.0.0 
62.0.0.0 255.0.0.0 
81.0.0.0 255.0.0.0 

network LACNIC 
description Latin America and Carribean
200.0.0.0 255.0.0.0 


network SANSBLOCK 
description SANS Recommended block list
69.50.160.0 255.255.224.0 
85.255.112.0 255.255.240.0 

Attachment Filters

Attachment filtering is also disabled by default because every company has different needs. If you are a programming house, you may need to accept .exe files, but other businesses usually wouldn't. If enabled, messages are still delivered (assuming the message gets by other content rules), but inappropriate attachments are stripped. You can optionally warn the sender that the attachment was stripped, and you can also forward the original, with attachment, to an administrative address.

Spam filter

"SpamEliminator" is what Kerio calls their combination of Spamassassin and Bayesian filtering. As explained at How does Bayesian Self Learning Work in Kerio MailServer?, Kerio "self trains". Mail users can also help Kerio learn about spam by either using the "Spam/Not Spam" buttons in their mail client or simply by dragging spam messages to the Junkmail folder in Imap clients that don't support those buttons.

You can also define your own custom rules at the server, and some clients (Webmail, for example) can define their own server side rules. Remember that rules defined in Webmail are processed regardless of whether you are using Webmail to read your mail. There is, for example, a default rule that moves messages marked "** SPAM **" to Junkmail. No wildcards in custom rules, unfortunately.

Kerio Connect 7.4 adds the ability to search inside the message body for administrator created rules. This lets you add spam points for "viagra" or "mortgage" even if it isn't in the subject line.

Note that you need to look at how such messages are scored (use "View source" or "Show original" in your client). Many of these get a negative starting score, so you'd need to be more aggressive to block them. As an example, I often get email similar to this:

Dear webmaster

Are you the person responsible for aplawrence.com?
I'd like to discuss a possibility of my placing a text
link on your page.  This would be beneficial to both of us.

I added some body rules to catch things like this, but the message above isn't enough to be treated as spam - it would need more indicators as we can see in the headers after receiving it.:

X-Spam-Status: No, hits=0.8 required=3.0
	tests=AWL: -2.467,BAYES_00: -1.665,CUSTOM_PERSON_RESPONSIBLE: 2,
	CUSTOM_TEXT_LINK: 1.5,CUSTOM_WEBMASTER: 1.5,HTML_MESSAGE: 0.001,
	TOTAL_SCORE: 0.869,autolearn=no

Caller ID and SPF

Kerio supports both of these, though at this time they aren't used enough by other servers to be of much value. There's no reason not to turn them on; they could catch something. Don't block though - increase the spam store.

See also Kerio Spam Control: Caller-ID and SPF

Note: You might want to add SPF and Caller ID records for your domain - this can help your email get through to other places. See How do I create an SPF or Caller ID record?.

Spam Repellent

This is a simple method to really annoy spammers. When a server connects to your server, it is supposed to politely wait for the SMTP greeting - your server saying it is ready to talk. This setting deliberately delays that greeting for up to 30 seconds. If the other server attempts to start talking before then, it is just disconnected. Spammer's software usually doesn't want to waste that much time waiting around, but even if it does, you at least have cut down on how much work they can get done in a day. If every server did this, spammers would be significantly hampered (assuming they were willing to wait).

Spam is an on-going problem. Spammers can and do buy servers like Kerio and use them to test their messages against. Kerio does constantly improve their spam filtering methods to help counter that.

More Kerio Articles.

Android phone crashes email account

One of my long term customers called me with a complaint about his daughter. No, I don't do family counseling; this was about a company wide email message that was being duplicated over and over again. When he called me, he already had several hundred copies of the email she had sent and so did every other person in the company.

Duplicate email usually has a simple cause: the sending end never got an acknowledgement from the server that the message was received intact, so, assuming the worse, it sends it again. If, however, the receiving server thinks that it got everything and that it did send an acknowledgement, it will get busy passing that message on to the recipients. When the next message comes, it happily passes that on too.

You wouldn't expect this to keep happening. Sure, something might go awry once or twice every now and then, but not hundreds of times.

We do often put some limits on this dance. For example, we'd usually set a hard limit on the number of messages per hour from one IP address. This will at least slow down errors like this.

The cause of this could be faulty software or a bad network connection. I'd look to the sending machine's network card or cable as the cause, but even that would be very strange: it's hard to be defective so that the acknowledgement is missed without being so defective that nothing works at all.

If this were happening to multiple people, I'd look to an SMTP protocol inspector at the firewall messing this up. In my experience, that particular interference would be with large attachments, not small text message as this one was. Also, that usually wouldn't repeat more than a few times.

In this case, her father knew that she was out of the office and therefore had to be using her cell phone. I therefore suggested the quick solution: nuke the email account on her phone.

That's not as draconian as it sounds. All data is stored on the server; the phone account can be set up again in less than a minute. Killing the account will quickly stop any sending and if it didn't, killing the account and shutting the phone off surely would. So that's what we did and of course the duplicate emails stopped.

It's not hard to find accounts of others having similar problems. Those referenced Exchange servers, but ActiveSync is the common factor. It could be the phone software, but it could also be the network connection - perhaps she was in a bad reception area when she sent the message - though, again, it's hard to imagine why the message would get sent and only the final part of the communication get screwed up.

Anyway, problem fixed with nothing more than a quick phone call. I thought we had put that behind us, although she would have to test her phone and be sure it was not faulty software.

Two weeks later, Dad called again. This time he told me that his daughter couldn't access her email. I asked if he meant from her phone; no, she had not even restored her account yet. She was unable to see mail on her desktop not twenty feet from the server room.

We felt that warranted a hands-on visit. I could have VPN'd in, but they are not that far away and I had some shopping to do along the route anyway, so I headed on over.

When I arrived, I was momentarily puzzled. Looking at her mail directory in the Kerio Connect store directory, I could see that it contained well over 200,000 files. However, her Inbox, Sent Items and Deleted Items were all small - less than 200 messages in any of them. The largest email folder in her directory had 7,500 messages and the total of everything was less than 10,000. So where were all these files?

Calendar

I found them in Calendar - over 200,000 entries.

Of course calendaring is a separate part of Active Sync - nuking the email account wouldn't affect that, and apparently this phone was having the same trouble with Calendar events as it had with email - it had been sending them repeatedly for two weeks and that finally broke her mail client.

I deleted these from the command line, and then told the system to reindex her mailboxes. The deletion and the reindexing took about 30 minutes but she was able to get in after that.

Although Kerio recommends shutting down the server in these cases, I didn't. I had her close her email client and shut off her phone; there was no danger of calendar events arriving from anywhere else so I saw no need to inconvenience the rest of the company. Still, recommended practice is to bring the server down.

I told her she could try reactivating her account if it was OK with her father and told him that if he did that, he should watch her mailbox closely for a few days just in case. We need to find out if her phone is broken or this was just a transient glitch. My suspicion is the phone because of the calendar entries building up over time. It doesn't seem to be transient, and the similar circumstances I can find in Google indicate that something is broken in the phone software. If she reactivates her email and that starts acting up immediately, that would seem to nail it, although I'm not sure what she'd do at that point: I didn't find any definite solution in my Google searches.

Kerio Workspace as a CRM

I'm a small business, Basically, the business is me and at one time I did it all: prospecting, sales, tech support, billing and accounts receivable. Of course I also did the filing, though I confess that with the crush of everything else, that often consisted of just laying the latest piece of paper on the top of a pile of older things.

When my wife stopped working, she took pity and began handling the paperwork side: billing, making up deposits, chasing slow payers and of course the neglected filing. That took quite a burden off my shoulders, but it also partially disconnected me from my customers. I no longer had involvement in the accounting side, so I lost part of my knowledge base.

Of course I could get at that information: I've used Quickbooks to handle all that for years and my wife just continued that. I could call up any report or customer detail at any time, but that's not quite the same as actually doing the work.

Quickbooks limitations

Although I do a fair amount of simple selling, both product and support, most of my business is built around recurring subscriptions - support and licenses. Tracking those subscriptions can be difficult, especially when it involves other companies as it does with software licenses. Quickbooks doesn't help me with that, so long ago I wrote scripts that alert us to expiring subscriptions. Those are useful, but I needed more. What I really wanted was an electronic filing cabinet where I could put everything I need or want to know about customers.

That part by itself wouldn't have been too hard to do, but I also needed something multiuser that would be easy for my wide to use and understand.

Kerio Workspace

Kerio Workspace gave me exactly what I need. Its ability to merge in text notes, pictures and any type of file gives me a full record of all customer interaction. Of course I can keep track of upcoming renewals, keep notes on contact name and email changes, but I can also attach copies of invoices, scripts I wrote and records of support incidents and resolutions. The automatic tracking of file versions makes that ability particularly powerful for scripts and invoice history.

Now EVERYTHING I know about my customers can be in one place. The search capability lets me quickly find whatever I need and the ease of use lets my wife update those parts that are related to invoicing and collections.The granular sharing controls lets me only show her those parts of the records that she cares about, so her view can be much more compact than mine.

API?

This layout can give me everything I want, but if I could interface it with my scripts using an API such as Kerio has provided for Connect, I could automate even more of it and actually make it rival commercial CRM software. The ability to automatically copy renewal information to the man customer space would make this much more like a real database and eliminate manual work. I hope that is something Kerio will consider in the future.