Kerio offers a 30 day full featured demo you can download from
their site. You can install that on Windows, Linux or Mac OS X.
Once you have done the initial setup (domain name and Admin password),
you'll do the rest of the configuration using the Web based GUI administration console.
I'm not going to go through the entire configuration here (though
I'm happy to do that by phone or even on-site if you are near me), but
there are a few areas I want to make sure you are aware of.
Note the "More Actions" link at the bottom of the screen when you have one or more users highlighted. Here you can reindex users mailboxes and recover deleted items (assuming you have enabled that; see below).
If you edit a user, note that additional email addresses are like aliases in that they do not consume user licenses, but there are differences. For one, an alias created in the alias section can deliver to a folder rather than a user - see below.
Additional email addresses can also be selected as the "From" address in Webmail and will appear in the searchable Global Address list (if that option is enabled for this user).
Users can be assigned to Access Policy groups. This allows you to prevent certain users from using Webmail or other specific services.
Quotas and limits can also be set per user, which allows you to override domain limits set elsewhere.
As mentioned above, these consume no licenses and can deliver to a user or a folder. They can also use wildcards: * and ?.
There is a small security advantage to aliases and additional email addresses: these cannot be used to authenticate. For example, if your real user name is "johnxyz1234" and you have "john" as an alias or additional email address, people can send email to "john", but they cannot use "john" to access your account - only "johnxyz1234" can be used. This provides some extra protection against password gussing attacks.
These can help give you an idea of mailserver load and can sometimes assist in tracking compromised accounts.
In Services, you define the services and port numbers for Kerio. Shut
off services you aren't using and set their Startup Type to Manual.
Here you can also limit services to the local lan if appropriate and
set the maximum number of concurrent connections allowed. Choosing
a suitable number can keep your server from being loaded down in
the event of DOS (Denial of Service) attacks. For example, if you
only have forty people in your entire organization, there's no reason
to allow 1,000 concurrent HTTPS connections to the server.
In the picture below, I changed the default port for HTTP to 8080
because this server runs a webserver on port 80. Kerio uses HTTP for
a limited Web based administration tool (users who have access to that
can add and maintain users and change passwords but can't access other
You probably want to enable this option. It makes your life easier
when users accidentally delete things they should not have. If this is active, you can just visit the Domain Settings -> Users section and click
one button to recover Deleted Items.
There are several limit settings in the SMTP Server section that can
help prevent DOS attacks and cut back on spam.
The spam and anti-virus sections are easy enough, but you'll need to
spend some time in the Attachment Filter section. You need to decide
exactly what your policies will be for attachments; which to allow, which
Turning on Blacklists can really help with spam, but you do probably
not want to "Block" domains that are on blacklists. Rather, have
it increase the spam score. If you do it that way, you can still
add Custom Rules that will allow mail from a specific person even
if they are on a blacklist. I ask my customers to make a
"whitelist" rule for my email address so that important messages
are sure to get through.
Be sure you understand that Archiving is done before the mail is delivered
to the user or sent out, so all messages will be captured (you have options
for only capturing inbound, etc.). Backup is a snapshot in time and also
includes the very important configuration files.
Backup is designed for complete restores, but if necessary, you can
extract specific messages using the command line kmsrecover tool. Contact me directly
if you ever need to do that.
Do peek in here. There are more security options that you probably want
to set. For example, there's no reason to tell connecting clients your
software version, and there is no reason to let anyone know your lan
ip scheme. Check those to hide those things.
IP Address Groups
You want to go here first when setting up a new server. As you can see, Kerio has defaulted to
using the common private IP address groups for your local lan. You'll
need to edit these to reflect your lan setup and remove any subnets
that don't apply. If you have VPN's, you probably want to add
those subnets here too.
User Access Policies
These allow you to restrict users to certain services. For example, if you wished to deny the use of Active Sync smartphones, you could assign a policy that denied that.
It's very important to set your log rotation and retention policies.
If you don't. your logs will just grow and grow. By right-clicking in
the log area, you can get a menu that includes "Log Settings". Choose
this to set how many logs to keep and how often you will rotate them.
The Debug log contains a "Messages" option. Selecting this gives you access to a menu where you can enable more extensive debugging. Don't forget to turn off those settings when done!
Of course there is much more to look at and possibly configure. Much
of it will be very obvious if you have worked with other mailservers. Kerio
does have extensive manuals on-line at Kerio Knowledgebase and of course you can
also call me.