Kerio Mail Server with SpamAssassin
Copyright July 2006 Anthony Lawrence
Full disclosure: I am also a reseller of this product.
Note: this review is several years old now. It still has value, but more recent information may be found at the links to the left.
The Kerio Mail
Server is a cross-platform (Windows, Linux, and Mac OS X) mail
server. I tested it on RedHat Linux 8.
Before we get into the details, let me say that I was very
impressed. This is well done, and they have paid attention to
important details. I have a few minor nit-picks here and there, but
over all I can highly recommend it.
Since some of the people reading this will be aware that I also
sell the SME Mail Server, I'll also offer
some comparisons between these very different approaches at the end
of my review.
(By the way, I no longer sell the SME product)
What impresses me most about this is the level of control over
spam. Skip right to that section of this review
if that's your hot button too.
This was actually the most annoying part of the entire process.
I say that not because it was horribly difficult, but only because
it could have been much easier. Neither the enclosed manual nor the
CD were particularly helpful. The manual tells you that you install
Linux RPMS, but doesn't tell you where they are on the CD. Of
course, they aren't very hard to find, but the CD directories are
Windows/Mac GUI style: embedded spaces in directory names, making
it annoying to navigate from the command line. I've said this more
than once: just because you CAN use spaces in a directory or file
name doesn't mean that you SHOULD. But as all the regular readers
know, I'm a grumpy old curmudgeon and you should ignore me when I
start muttering about these things.
(Kerio tech support read this and noted that most people just
download the software rather than getting the CD, but did agree
that the spaces should be changed to underscores and promised to do
I found the kerio-mailserver-5.62-rh7.rpm and the
kerio-mailserver-admin-5.62-rh7.rpm and installed both.
The manual tells you to run /opt/kerio/mailserver/wizard for
initial configuration, but it is actually "cfgwizard", not "wizard"
(Kerio says they'll fix that next release of the manual). There is
very small notice of things you will have to do to an existing
Linux server, such as disabling sendmail and other mail related
things you may have running (POP3), changing firewall rules, etc.
You probably shouldn't be installing this if you aren't comfortable
with Linux. Yes, they do have a Windows version, but you can
probably well imagine my horror at running a mail server on Windows
- at least without a powerful firewall (which Kerio does sell also,
and the new Windows XP SP2 firewall isn't all that bad
Kerio tech support noted that I missed this:
When you install the RPM, it gives you a note to read
/opt/kerio/mailserver/doc/REDHAT-README, which actually contains
instructions on how to stop and disable both sendmail and, and how to
tell (netstat -tlp) what network servers are running.
I recently installed the 6.0.2 version. The only problem I
had was that I needed to use --nodeps because it was looking for an
earlier library. I also tried out the Windows version and their
WinRoute Firewall, which made a pretty good combination if you
prefer a Windows environment.
The Admin package can administer servers on any platform, so I
installed the Mac OS X version of that. That had a few resolution
or screen placement problems; some controls were slightly distorted
or out of place, but it worked fine. Here's a screenshot:
Kerio Admin Mac OS X
administering Linux Server
Notice the "Edit" button is slightly skewed. No big deal, of
course. The Linux admin console had no such glitches administering
its own server. This screen also shows the definition of IP Address
Groups, which will be mentioned later.
The 6.0.2 version worked perfectly with Mac, Windows or Linux
The main Administration Console offers four major groups:
Configuration, Domain Settings, Status, and Logs. There is some
overlap here and there; for example you can configure basic SMTP
access under Configuration->Services, but relaying is configured
under Configuration->SMTP Server. That actually makes sense: if,
for example, you configure SMTP Services to accept connections only
from the local lan, any attempt to access port 25 from outside the
lan will be rejected. Within SMTP Server, you can control relaying
(even down to individual hosts). This is very welcome.
Every service (SMTP, POP3, Secure POP3, IMAP, Secure IMAP, Webmail,
Secure Webmail, LDAP, Secure LDAP) can be turned on and off, set to
start automatically or manually, can be set to run on a
non-standard port, and access can be set down to the host level.
Access to services means that your connection attempt will be
refused if you aren't allowed access. By default, all services are
running, started automatically, and not blocked at all. To add
access control, simply edit the service you wish to control, and
check "Allow access only from selected ip address group". You'll
see this same control in other places, and it is quite well done.
Basically you create "groups". A group can contain specific hosts,
ip ranges (by beginning to end or by netmask) and other groups.
This lets you be very specific about access control, although
there's no exclusion here, only inclusion (you can blacklist
specific hosts/groups at the SMTP server level though). I'd like to
see exclusionary capability here, too (of course you could always
do this at the Linux firewall level).
If I see someone as a threat (for example, they tried to ssh to
my server using multiple account names), I block them here, at the
Linux level, and again at my firewall. That takes a bit of effort
but I don't think you can be too careful.
Domains can be independent or aliased. For example, I can have
"apl.org", add users to it, and if I add an alias "aplawrence.org",
mail to a user in either domain will go to the same account.
However, if I create a separate domain, "foo.org", a user added
there is entirely different from those in "apl.org" and
Within Domains, you can specify a footer to be added to each
email sent from that domain, forwarding to another SMTP server/port
for unknown users, and even specify active directory or kerberos
servers. A domain can be bound to a specific IP address. Forwarding
can be immediate, scheduled or triggered by ETRN from the other
Here you have the choice of using direct MX record message
delivery, or a relay server. This section also lets you specify how
often to retry delivery, when to warn the sender of delivery
problems, and how many days to wait before giving up entirely. It
is very nice to have such full control.
By default, the server won't relay (deliver messages to users
outside of its own domains) for anyone, not even a user logged on
to this machine. You do have the option of setting it to be an open
relay, but it's not likely you'd want to do that. You have the
ability to use the access groups as mentioned under Services above,
or you can require SMTP authentication, or allow relay if the user
has authenticated by POP3 within some period of time you
You can also specify Blacklists. There are built in selections
(www.mail-abuse.org and www.ordb.org), and you can specify your
own, again using the Access List method. The combination of IP
address groups and blacklists gives you very precise control over
who can use your server and who can send you mail.
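The IP address groups and the default-deny relay policy described above can be modelled in a few lines. This is an added example, not Kerio's code or configuration format: the group names, addresses, the `@group` nesting syntax, the 30-minute POP3 window and the choice to check the blacklist first are all assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample data: a group may hold hosts, begin-end ranges,
# network/netmask entries and references to other groups ("@name").
GROUPS = {
    "office-lan": ["192.168.1.0/255.255.255.0"],
    "vpn-pool": ["10.8.0.10-10.8.0.50"],
    "trusted": ["203.0.113.7", "@office-lan", "@vpn-pool"],
}
BLACKLIST = {"blocked": ["198.51.100.0/24"]}

def in_group(ip, name, groups, seen=None):
    """True if ip is covered by the named group, following nested groups."""
    seen = seen if seen is not None else set()
    if name in seen:                 # groups that include each other: stop here
        return False
    seen.add(name)
    addr = ipaddress.ip_address(ip)
    for entry in groups.get(name, []):
        if entry.startswith("@"):
            if in_group(ip, entry[1:], groups, seen):
                return True
        elif "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-"))
            if lo <= addr <= hi:
                return True
        elif addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False                     # inclusion only: no match means no access

def may_relay(ip, now, smtp_authenticated=False, last_pop3_login=None,
              relay_group="trusted", pop_window=timedelta(minutes=30)):
    """Default-deny relay decision; returns (allowed, reason)."""
    if in_group(ip, "blocked", BLACKLIST):      # assumption: blacklist wins
        return (False, "blacklisted")
    if in_group(ip, relay_group, GROUPS):
        return (True, "address group")
    if smtp_authenticated:
        return (True, "SMTP AUTH")
    if last_pop3_login is not None:
        age = now - last_pop3_login
        if timedelta(0) <= age <= pop_window:   # recent POP3 login from this user
            return (True, "POP3 before SMTP")
    return (False, "relay denied")

if __name__ == "__main__":
    now = datetime(2006, 7, 15, 12, 0)
    for ip in ("192.168.1.44", "10.8.0.51", "198.51.100.20"):
        print(ip, may_relay(ip, now))
```

Because groups are inclusion-only, a single host inside an allowed range can only be kept out by a separate blacklist entry, which is why the sketch consults the blacklist before any allow path.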
There are more Security options here: you can specify a maximum
number of messages per hour from one ip address, a maximum number
of concurrent SMTP connections from one address, and also a maximum
number of unknown recipients (that could be an indication of
spamming). You can specify an access group that these limits do not
apply to, which might allow more freedom to local users etc. These
types of controls have become much more important in recent
You can block if the sender's address doesn't resolve with DNS
(another anti-spam control) and specify the maximum number of
recipients you will accept in one message. Other useful anti-abuse
controls include limiting the number of failed SMTP commands (for
example attempts to relay or send to unknown users) and can reject
messages that have gone through too many relays prior to getting
here. Finally, you can specify a maximum size for messages. That's
a global limit that is above the user quotas that can be applied
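A sketch of how the per-address limits above interact: messages per hour, concurrent connections, unknown recipients, and an exempt group. This is an added example, not Kerio's implementation; the class name, thresholds and exempt network are constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

class SmtpLimits:
    """Per-client-IP SMTP limits; every threshold is a constructed sample value."""

    def __init__(self, max_msgs_per_hour=30, max_concurrent=5,
                 max_unknown_rcpt=3, exempt=("192.168.1.0/24",)):
        self.max_msgs = max_msgs_per_hour
        self.max_conn = max_concurrent
        self.max_unknown = max_unknown_rcpt
        self.exempt = [ipaddress.ip_network(n) for n in exempt]
        self.sent = defaultdict(deque)   # ip -> timestamps of accepted messages
        self.open = defaultdict(int)     # ip -> currently open connections

    def is_exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.exempt)

    def connect(self, ip):
        """Refuse the connection if this address already holds the maximum."""
        if not self.is_exempt(ip) and self.open[ip] >= self.max_conn:
            return False
        self.open[ip] += 1
        return True

    def disconnect(self, ip):
        self.open[ip] = max(0, self.open[ip] - 1)

    def accept_message(self, ip, now, unknown_rcpts=0):
        """now is in seconds; returns (accepted, reason)."""
        if self.is_exempt(ip):
            return (True, "exempt")
        if unknown_rcpts > self.max_unknown:
            return (False, "too many unknown recipients")
        window = self.sent[ip]
        while window and now - window[0] >= 3600:   # slide the one-hour window
            window.popleft()
        if len(window) >= self.max_msgs:
            return (False, "hourly message limit")
        window.append(now)
        return (True, "ok")

if __name__ == "__main__":
    limits = SmtpLimits(max_msgs_per_hour=3)
    for t in (0, 10, 20, 30, 3601):
        print(t, limits.accept_message("203.0.113.5", t))
```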
Spam is an awful burden for businesses today. The volume grows
constantly, and spammers learn to avoid spam scanners, frustrating
our attempts to keep your mailbox clean. Individuals can use any of
the commercial challenge/response systems where nobody can send you
email until they at least verify that they are a real person, but
most businesses don't want to annoy potential customers with that
sort of hindrance. There are other schemes in the works - Sender
ID will eventually cut some spam out, but it won't even begin
to stop all of it, so we are left with computer scanning for
The Kerio Mail Server uses SpamAssassin,
and gives you full control over its configuration, including the
ability to add rules to accept or reject messages regardless of
SpamAssassin's scoring, or increase/decrease the score. You also get
full control over the disposition of messages: add a Spam header,
discard it, return to sender, or forward to some other address. I
really like that level of control, especially being able to
I also like being able to add points to messages. For example, I
add a point or two to any message from hotmail.com or yahoo.com. I
wouldn't want to completely reject you if you happen to have an
address there, but your mail starts off as immediately suspect. Of
course I can do that because most of my business is with other
businesses who don't use these accounts; someone doing business
with the general public might not want to do that. For non-business
senders I know, I can exempt their address entirely.
I also add points for such foolishness as not setting a Subject:
again, not enough to be automatically rejected, but enough for a
Finally, I add big points for the present crop of spam Subject:
lines. These change all the time - this month it's "Megan asked me
to invite you" or whatever; next month it will be something
different. Kerio shows you when your rules were last used and
allows you to delete all unused rules instantly. This alone can
really help, and I wish there were a way to automate it.
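The score adjustments described above, together with the "last used" bookkeeping that makes pruning stale rules possible, look roughly like this. It is an added example, not Kerio's or SpamAssassin's rule format: the rule names, point values, thresholds, exempt address and the 60-day idle period are constructed, and `base_score` stands in for the score SpamAssassin has already assigned.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

@dataclass
class Rule:
    name: str
    header: str
    pattern: str                  # regex; "" means the header is missing or empty
    points: float                 # added to the base score when the rule fires
    added: datetime
    last_used: Optional[datetime] = None

def sample_rules():
    """Constructed rules mirroring the adjustments described in the text."""
    new, old = datetime(2006, 7, 1), datetime(2005, 12, 1)
    return [
        Rule("freemail-sender", "From", r"@(hotmail|yahoo)\.com\b", 1.5, new),
        Rule("no-subject", "Subject", "", 1.0, new),
        Rule("invite-subject", "Subject", r"asked me to invite you", 6.0, new),
        Rule("stale-campaign", "Subject", r"an old spam subject", 6.0, old,
             last_used=datetime(2006, 1, 3)),
    ]

EXEMPT = {"friend@yahoo.com"}     # constructed address of a known sender
TAG_AT, DISCARD_AT = 5.0, 10.0    # constructed thresholds

def evaluate(raw, base_score, rules, now):
    """Return (score, disposition, fired rule names) and stamp last_used."""
    msg = message_from_string(raw)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender in EXEMPT:          # accepted regardless of scoring
        return (base_score, "deliver", [])
    score, fired = base_score, []
    for rule in rules:
        value = str(msg.get(rule.header, "") or "")
        if rule.pattern == "":
            hit = not value.strip()
        else:
            hit = re.search(rule.pattern, value, re.I) is not None
        if hit:
            score += rule.points
            fired.append(rule.name)
            rule.last_used = now
    if score >= DISCARD_AT:
        return (score, "discard", fired)
    return (score, "tag" if score >= TAG_AT else "deliver", fired)

def prune_unused(rules, now, max_idle=timedelta(days=60)):
    """Split rules into (kept, removed names); new rules get a grace period."""
    def idle(r):
        return now - (r.last_used or r.added)
    kept = [r for r in rules if idle(r) <= max_idle]
    return kept, [r.name for r in rules if idle(r) > max_idle]
```

Measuring idleness from the date a rule was added, when it has never fired, keeps a rule written this morning from being deleted by tonight's cleanup.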
If someone keeps showing up again and again, I add their IP to
the SMTP Blacklist, though that's something you have to be careful
of for several reasons. First, spammers move on, and sometimes
legitimate folks get the spammer's former IP address. There are
procedures that are supposed to help prevent that, but they don't
always work. Second, many spam messages actually originate from
compromised home-user Windows machines, which are likely using
DHCP-assigned addresses. When the address is re-assigned, your Important
Customer may be the person who gets it.
Kerio also supports "Caller ID" (another name for Sender ID),
though since almost no one is using it, it isn't very useful.
A recent new feature is to optionally delay the response to an
SMTP connection. This doesn't bother legitimate email, but really
annoys spammers - they often give up.
There is no end to spam. None of these things can entirely
eliminate spam from your mailbox, but at least you have some
control and can block the majority.
Kerio offers McAfee as an option, but the server can use other
vendors too. In this tab is Attachment handling also: you can
separately specify what to do about .exe, .doc files, etc. Messages
tagged by the virus scanner or because of attachments can be
blocked, have the attachment removed, or forwarded to an
administrative address. The sender can be notified, or notification can
be limited to messages that originated locally. That's useful - many external
virus messages are spam that shouldn't be replied to, but you'd
probably still want to let local users know about viri in their
No, this isn't system backup. This rather lets you store
automatic copies of messages:
[Screenshot: Kerio Mail Server Backup]
This is a very important feature for
some industries, and could be handy for just about anyone. Notice
the options available in the screenshot allow viruses to be stored
intact if desired.
The Kerio Mail Server can schedule sending mail, downloading
from another POP server, or sending an ETRN to another server. If
your server is on dialup, you can allow it to establish a
connection if needed. POP and ETRN downloads have their own
configuration tabs also, where you can specify multiple servers,
sorting rules etc. There's a lot of flexibility here. You can
download from multiple POP servers (while still receiving SMTP
mail, of course).
You can generate a self-signed certificate or import a "real"
certificate. Certificates are necessary if you want to use any of
the secure protocols.
There are other security related options under Advanced Options.
These include requiring specific authentication methods, doing
reverse DNS lookups and other more advanced settings. It is really
good to see these capabilities made easily available for
Users are added on a per-domain basis, or can be imported from a
Windows NT domain or Active Directory server. It's too bad that you
cannot import from Linux passwd or a Linux LDAP server too, or at
the very least from a csv file. (Kerio tech support says):
It is theoretically possible to import from Linux LDAP, if you
want to write your own MAP file. Look at the files in
/opt/kerio/mailserver/ldapmap/ for examples
The user information is quite complete, including quotas,
webmail preferences, how to authenticate each user, forwarding and
more. One noticeable lack is any provision for putting a user on
vacation. Of course that can easily be done at the Linux level with
procmail etc., but I think that function should be part of mail
The 6.0.2 version adds "Out of Office Reply" to
Naturally you can also assign groups and aliases. I was
pleasantly surprised to see that this handles mailing lists
There's nothing much to configure here. Webmail includes some
nice features like shared folders, more message filtering, and
cellular phone notification. There's Wapmail (access by cellphone)
also, which could be very handy now and then.
The 6.0.2 version adds "Out of Office Reply" to
The 6.0.2 version includes an Outlook Connector that
effectively provides the same types of services as an Exchange
server would. You install this (it's a separate download from
Kerio) on each client. I had to go to Microsoft Office Updates and
download Office XP SP3 to get this to install. After that, you
configure Outlook to use the Kerio Connector as a MAPI Mail
account. Unfortunately, you also have to change the Information
Store, which makes it a little complicated for users with existing
Inboxes. The messages can be migrated, but it's much easier if you
are starting out fresh.
With the Outlook Connector (and the Webmail), you can share
folders and calendars with other users, allowing them to read or
even administer your data. For example, I give my wife access to my
calendar - she can update it as easily as I can, giving us both a
consistent view of our schedules.
Overall Impressions and comparison to SME Server
This is a very good mail server. As mentioned above, I also sell
the Mitel SME Server, so it is interesting
to compare these. The most important difference is that this is a
package you install on an existing Linux system, while the SME
server is a complete Linux distribution which includes many other
features not necessarily related to mail (VPN access, firewall,
file and print services, etc.). There are advantages and
disadvantages to both approaches:
With an all inclusive package like SME, all aspects of the
system are under the control of one vendor. You don't need to worry
about general security issues that aren't related to mail. On the
other hand, you are also forced to wait for that vendor to provide
security fixes, whereas with a stock Linux install, you can get
security updates yourself the moment they are available. Of course
you'd need to wait for Kerio to provide any mail related security
The SME server, being mostly Open Source, encourages and allows
customization. On the other hand, the Kerio Mail Server often
offers more configuration capability with its admin tool than the
SME server does. You'd need to drop to the Linux command line level
to do some of the tasks that the Kerio Admin Console allows.
However, if the Kerio console does not offer the function, you may
have no way to do it at all, as this is mostly proprietary
The Kerio Mail server allows the definition of independent mail
domains as noted above. SME server only supports alias domains.
While other software can be installed on an SME server, this can
cause conflicts and problems in some cases. This is, of course,
because the SME is an integrated OS with a number of very
customized sub-systems. As the Kerio Mail Server is only a mail
server, other Linux software is not as likely to affect its
- Administration: The SME server is administered with any web
browser, Kerio uses a proprietary tool. The advantage of the web
browser approach is that you can immediately administer from
anywhere; there's nothing to install. The Open Source and well
documented interface allows third party modules to be easily added.
However, this approach also limits what can be easily done: the web
interface is sometimes a little clumsy and often is much slower
than a dedicated interface like Kerio Mail Server uses.
The SME server requires almost no OS knowledge for installation
or use. The Kerio Mail Server itself requires no OS knowledge, but
you will need some for installation.
The SME server comes both in a free (unsupported) version, and a
paid, fully supported subscription mode. Kerio Mail Server has a
free 30 day demo, but otherwise is subscription only. The Kerio is
priced similarly to the SME for the first year, but is less
expensive in subsequent years.
The SME server, because it is an entire integrated server, is
supported by Mitel and your dealer at all levels: from booting on
up. As the Kerio Mail Server is simply an application on your
server, they of course only support this part.
Which of these would be better for you? Well, that's something
only you'd know, but it's easy enough to try either one out to get
a hands-on look. Download the Kerio Mail Server here: http://www.kerio.com/kms_download.html
and see http://www.contribs.org/ for
New features since this review
- Global Address List synchronised with user database
- Entourage 2004/2008 auto-configuration - Entourage Config Tool
- Syncing of groups from Apple Address Book with Kerio Sync Connector for Mac
- Enhanced CalDAV server with support for Apple iCal private events
- Spam Filter improvements
- Update of integrated McAfee antivirus to version 5300
- New antivirus plug-in for Eset NOD32 Antivirus 3.0 and 4
- Kerio Assist utility for Mac OS X
- New Kerio IMAP Migration Tool
- Debian 5.0 and Ubuntu 8.04LTS Linux support
- New Configuration Wizard utility on Windows
- Localization of the Mac OS X installer
- New mobile client: RoadSync 4.0
- Added support for running on 64-bit systems (in 32-bit compatibility mode).
- Added support for new commands in IMAP: NAMESPACE (RFC 2342) and XLIST.
- Updated external libraries: PHP5 5.2.6, libxml2 2.7.2, libcurl 7.19.2, openldap 2.4.11.
- Added support for Internet Explorer 8.
- Added installation package for 64bit Windows server.
- Added support for command 'Settings' requested by RoadSync 4.
- Added support for Entourage 12.1.3 and 12.1.4
- Added support for e-mail, contact and calendar over-the-air synchronisation with Apple iPhone 3G, 2.0 and iPod Touch. The support includes e-mail push and remote device wipe feature.
- Enhanced Apple iCal integration with Kerio MailServer (address and location autocomplete, delegation support, availability feature).
- New automatic configuration tool for Apple iCal client - http(s)://servername/setup/ical
- Added ability to automatically delete old e-mails from Junk E-mail and Deleted Items folders on the server.
- Introduced new log file tracing all delete and move operations with e-mails and other items on the server.
- Support for new ActiveSync protocol used on Windows Mobile 6 devices (Exchange 2007 compatible). Includes support for reading HTML e-mails, fast message retrieval, enhanced e-mail search and out-of-office setting on mobile device.
- Added support for partial header FETCH in IMAP server.
- "Integration" web page with tools and downloads - http(s)://servername/integration
- Windows Server 2008 (Longhorn) 32bit is supported.
- Added support for Firefox 3.
- Added support for Resource Scheduling
- Added support of Outlook Connector on Terminal Server.
- Local cache may be emptied now.
- All contact folders are added to Address Book by default.
- Outlook Connector's connections are identified in Admin Console.
- Added support for Mailing Lists.
- Added support for Resource Scheduling.
- Added support for e-mail, calendar and contacts over-the-air synchronisation with Apple iPhone 3G and 2.0.
- Added support for e-mail push and remote device wipe feature for Apple iPhone 3G and 2.0.
- Added support for AVG 8 antivirus.
© 2011-02-04 Anthony Lawrence