Limits tuning for Kerio Connect Mail server


Kerio connect mail server has several tuning features that can help improve mail server performance and may even help eliminate some spam. Unfortunately, setting these features requires careful analysis and thought. You can't just charge into this without knowing what you are doing and why you are doing it.

Please also note that I cannot make specific recommendations for your server because even the data analysis is not sufficient to make these decisions: you also need to know the habits of your users and their email correspondents.

However, there are real gains to be made, so this can be worth your time and trouble. With all that in mind, let's dive in and look at some of your options.

SMTP Server Options

The first place we'll look is in the Security Options tab of Configuration->SMTP Server.

Here we have set a very low number of concurrent SMTP connections from one IP address. That's probably far too low for most businesses, but in this particular case the server only handles two users, so it is unlikely that a sending server should need or want to make a great deal of simultaneus connections.

Note that if a server did try more than five, mail should not be lost, only delayed. The length of the delay depends on their configuration. Under extremely pathological conditions, mail could end up being permanently rejected if the sending server had reason to keep trying more than five connections and the excess connections always were for the same message. At some point (dependent upon them, again), they'd give up.

You'd think we might also set a low number for the maximum number of messages per hour from one address, but that's not necessarily wise: consider an active conversation where two or more people are emailing back and forth for some period of time. If the maximum per hour is set too low, it could interfere with that conversation.

Service Limits

Another place where we can set limits is in each service that we accept:

If set too high, someone could tie up all your resources in a DOS (Denial of Service) attack. Every process and every thread requires RAM and CPU and may need disk access also; an excessive number of SMTP connections could tie up your system enough to make user's HTTP or IMAP access muddy and slow.

However, setting lower limits can cause a service specific denial of service. You are protecting the system resources, but if there are 200 legitimate connnections and you have set the limit at 100, you are creating a denial of service for that specific service. If set too low, you could cause delayed mail, frustrated users and even lost mail due to rejections.

How can you decide how to set these limits? Some clues can come from Status->Charts:

For example, here we see that most of the time, SMTP connections were well under 100, only peaking above that rarely. That chart is in 30 minute intervals, so concurrent connections were likely far less. We could go back to the logs to see what actually happened during those peaks; in this case the spikes were caused by spammers.

What happens when spammers get temporarily rejected? Well, they may do what a legitimate mail server would do: come back and try again at a later time. On the other hand, they may not, but even if they do, temporary rejections may still have value as annoyance and providing a little more time for a new spammer to get added to a real-time blacklist. Limiting also prevents one service from hogging all the servers time (though of course it doesn't prevent your network from being swamped by attempts)

If your limits are exceeded, you will see a message in the "Warning" log:

[30/May/2012 15:09:48] Connection attempt to service HTTPS from IP
address rejected: too many connections. Connection
limit is 10.

Unneeded services

If you don't have any POP3 users, you'd probably shut that off entirely. If you don't expect to have any but think that possibly someone might have to configure one temporarily or on an emergency basis, you might leave it enabled but severely limit the maximum connections (and remember that current versions can also limit specific users from specific services).

Operating System Reports

Your operating system can give you more insight into connections and resource usage. Tools like Linux "sar", Windows Performance Monitor and Mac Activity Monitor can show you snapshots and historical data as can system logs.

Even a simple script like this can be useful (Linux or Mac):

# while true
> do
> lsof -i:25 | wc -l
> sleep 15
> done

That just counts SMTP connections every 15 seconds. It could give you a quick feel for what's normal on your server.

The Status-> Active Connections can also show you what's happening now.

Given all those sources of information, you should be able to apply reasonable limits. You should allow for growth and you need to keep an eye on these over time as your needs may change.

Also see Optimizing spam protection in Kerio MailServer at Kerio's Knowledge Base.

Got something to add? Send me email.

(OLDER) <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> -> Limits tuning for Kerio Connect Mail server

Increase ad revenue 50-250% with Ezoic

More Articles by

Find me on Google+

© Anthony Lawrence

Kerio Connect Mailserver

Kerio Samepage

Kerio Control Firewall

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us

privacy policy