APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed
Kerio Mail Server with SpamAssassin


Copyright Anthony Lawrence

Full disclosure: I am also a reseller of this product.



Note: this review is several years old now. It still has value, but more recent information may be found at the links to the left.

The Kerio Mail Server is a cross-platform (Windows, Linux, and Mac OS X) mail server. I tested it on Red Hat Linux 8.

Before we get into the details, let me say that I was very impressed. This is well done, and they have paid attention to important details. I have a few minor nit-picks here and there, but overall I can highly recommend it.

As some of the people reading this will be aware that I also sell the SME Mail Server, I'll also offer some comparisons between these very different approaches at the end of my review.

(By the way, I no longer sell the SME product)

What impresses me most about this is the level of control over spam. Skip right to that section of this review if that's your hot button too.

Installation

This was actually the most annoying part of the entire process. I say that not because it was horribly difficult, but only because it could have been much easier. Neither the enclosed manual nor the CD was particularly helpful. The manual tells you that you install Linux RPMs, but doesn't tell you where they are on the CD. Of course, they aren't very hard to find, but the CD directories are Windows/Mac GUI style: embedded spaces in directory names, making it annoying to navigate from the command line. I've said this more than once: just because you CAN use spaces in a directory or file name doesn't mean that you SHOULD. But as all the regular readers know, I'm a grumpy old curmudgeon and you should ignore me when I start muttering about these things.

(Kerio tech support read this and noted that most people just download the software rather than getting the CD, but did agree that the spaces should be changed to underscores and promised to do that).

I found the kerio-mailserver-5.62-rh7.rpm and the kerio-mailserver-admin-5.62-rh7.rpm and installed both.

The manual tells you to run /opt/kerio/mailserver/wizard for initial configuration, but it is actually "cfgwizard", not "wizard" (Kerio says they'll fix that in the next release of the manual). There is very little notice of the things you will have to do to an existing Linux server, such as disabling sendmail and other mail-related services you may have running (POP3), changing firewall rules, etc. You probably shouldn't be installing this if you aren't comfortable with Linux. Yes, they do have a Windows version, but you can probably well imagine my horror at running a mail server on Windows - at least without a powerful firewall (which Kerio does sell also, and the new Windows XP SP2 firewall isn't all that bad either).

Kerio tech support noted that I missed this:

When you install the RPM, it gives you a note to read
/opt/kerio/mailserver/doc/REDHAT-README, which actually contains
instructions on how to stop and disable both sendmail and, and how to
tell (netstat -tlp) what network servers are running.
 

I recently installed the 6.0.2 version. The only problem I had was that I needed to use --nodeps because it was looking for an earlier library. I also tried out the Windows version and their WinRoute Firewall, which made a pretty good combination if you prefer a Windows environment.

Admin Console

The Admin package can administer servers on any platform, so I installed the Mac OS X version of that. That had a few resolution or screen placement problems; some controls were slightly distorted or out of place, but it worked fine. Here's a screenshot:

Kerio Admin Mac OS X administering Linux Server

Notice the "Edit" button is slightly skewed. No big deal, of course. The Linux admin console had no such glitches administering its own server. This screen also shows the definition of IP Address Groups, which will be mentioned later.

The 6.0.2 version worked perfectly with Mac, Windows or Linux Administration Consoles.

The main Administration Console offers four major groups: Configuration, Domain Settings, Status, and Logs. There is some overlap here and there; for example you can configure basic SMTP access under Configuration->Services, but relaying is configured under Configuration->SMTP Server. That actually makes sense: if, for example, you configure SMTP Services to accept connections only from the local lan, any attempt to access port 25 from outside the lan will be rejected. Within SMTP Server, you can control relaying (even down to individual hosts). This is very welcome.

Services

Every service (SMTP, POP3, Secure POP3, IMAP, Secure IMAP, Webmail, Secure Webmail, LDAP, Secure LDAP) can be turned on and off, set to start automatically or manually, set to run on a non-standard port, and restricted down to the host level.

Access to services means that your connection attempt will be refused if you aren't allowed access. By default, all services are running, started automatically, and not blocked at all. To add access control, simply edit the service you wish to control, and check "Allow access only from selected ip address group". You'll see this same control in other places, and it is quite well done. Basically you create "groups". A group can contain specific hosts, IP ranges (by beginning to end or by netmask) and other groups. This lets you be very specific about access control, although there's no exclusion here, only inclusion (you can blacklist specific hosts/groups at the SMTP server level though). I'd like to see exclusionary capability here, too (of course you could always do this at the Linux firewall level).
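The group model described above, as an added Python sketch that is not Kerio's code: hosts, begin-to-end ranges, netmask networks and nested groups, all inclusion-only. The class and function names and the sample addresses are assumptions made for illustration; `everything_except` shows how an exclusion has to be spelled out as a list of included networks when a group cannot exclude.

```python
import ipaddress


class AddressGroup:
    """Inclusion-only group of hosts, ranges, netmask networks and nested groups."""

    def __init__(self, name):
        self.name = name
        self.networks = []    # single hosts are stored as /32 networks
        self.ranges = []      # (first, last) pairs, both ends inclusive
        self.subgroups = []

    def add_host(self, addr):
        self.networks.append(ipaddress.ip_network(addr))

    def add_network(self, addr, netmask):
        self.networks.append(ipaddress.ip_network(f"{addr}/{netmask}"))

    def add_range(self, first, last):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo.version != hi.version or lo > hi:
            raise ValueError("range must run from a lower to a higher address")
        self.ranges.append((lo, hi))

    def add_group(self, group):
        self.subgroups.append(group)

    def contains(self, addr, _seen=None):
        ip = ipaddress.ip_address(addr)
        seen = set() if _seen is None else _seen
        if id(self) in seen:      # groups that include each other must not loop
            return False
        seen.add(id(self))
        if any(ip in net for net in self.networks):
            return True
        if any(ip.version == lo.version and lo <= ip <= hi for lo, hi in self.ranges):
            return True
        return any(g.contains(ip, seen) for g in self.subgroups)


def service_allows(allowed_group, client_ip):
    """With no group selected the service accepts everyone (the default)."""
    return allowed_group is None or allowed_group.contains(client_ip)


def everything_except(network, excluded_host):
    """Inclusion-only workaround: networks covering `network` minus one host."""
    net = ipaddress.ip_network(network)
    return sorted(net.address_exclude(ipaddress.ip_network(excluded_host)))


def build_sample_groups():
    """Constructed sample data (RFC 1918 and RFC 5737 addresses)."""
    lan = AddressGroup("Local LAN")
    lan.add_network("192.168.1.0", "255.255.255.0")
    branch = AddressGroup("Branch office")
    branch.add_range("198.51.100.10", "198.51.100.20")
    branch.add_host("203.0.113.5")
    smtp_clients = AddressGroup("SMTP clients")
    smtp_clients.add_group(lan)
    smtp_clients.add_group(branch)
    return smtp_clients


if __name__ == "__main__":
    group = build_sample_groups()
    for ip in ("192.168.1.44", "198.51.100.21", "203.0.113.5"):
        print(ip, "allowed" if service_allows(group, ip) else "refused")
    print(everything_except("192.0.2.0/24", "192.0.2.77"))
```

Excluding a single host from a /24 this way takes eight included networks, which is why exclusion is usually easier at the firewall level.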

If I see someone as a threat (for example, they tried to ssh to my server using multiple account names), I block them here, at the Linux level, and again at my firewall. That takes a bit of effort but I don't think you can be too careful.

Domains

Domains can be independent or aliased. For example, I can have "apl.org", add users to it, and if I add an alias "aplawrence.org", mail to a user in either domain will go to the same account. However, if I create a separate domain, "foo.org", a user added there is entirely different from those in "apl.org" and "aplawrence.org".

Within Domains, you can specify a footer to be added to each email sent from that domain, forwarding to another SMTP server/port for unknown users, and even specify active directory or kerberos servers. A domain can be bound to a specific IP address. Forwarding can be immediate, scheduled or triggered by ETRN from the other server.

Delivery Queue

Here you have the choice of using direct MX record message delivery, or a relay server. This section also lets you specify how often to retry delivery, when to warn the sender of delivery problems, and how many days to wait before giving up entirely. It is very nice to have such full control.

SMTP Server

By default, the server won't relay (deliver messages to users outside of its own domains) for anyone, not even a user logged on to this machine. You do have the option of setting it to be an open relay, but it's not likely you'd want to do that. You have the ability to use the access groups as mentioned under Services above, or you can require SMTP authentication, or allow relay if the user has authenticated by POP3 within some period of time you specify.

You can also specify Blacklists. There are built-in selections (www.mail-abuse.org and www.ordb.org), and you can specify your own, again using the Access List method. The combination of IP address groups and blacklists gives you very precise control over who can use your server and who can send you mail.

There are more Security options here: you can specify a maximum number of messages per hour from one ip address, a maximum number of concurrent SMTP connections from one address, and also a maximum number of unknown recipients (that could be an indication of spamming). You can specify an access group that these limits do not apply to, which might allow more freedom to local users etc. These types of controls have become much more important in recent years.

You can block if the sender's address doesn't resolve with DNS (another anti-spam control) and specify the maximum number of recipients you will accept in one message. Other useful anti-abuse controls include limiting the number of failed SMTP commands (for example attempts to relay or send to unknown users) and rejecting messages that have gone through too many relays prior to getting here. Finally, you can specify a maximum size for messages. That's a global limit that is above the user quotas that can be applied individually.

Spam Filter

Spam is an awful burden for businesses today. The volume grows constantly, and spammers learn to avoid spam scanners, frustrating our attempts to keep your mailbox clean. Individuals can use any of the commercial challenge/response systems where nobody can send you email until they at least verify that they are a real person, but most businesses don't want to annoy potential customers with that sort of hindrance. There are other schemes in the works - Sender ID will eventually cut some spam out, but it won't even begin to stop all of it, so we are left with computer scanning for now.

The Kerio Mail Server uses SpamAssassin, and gives you full control over its configuration, including the ability to add rules to accept or reject messages regardless of SpamAssassin's scoring, or increase/decrease the score. You also get full control over the disposition of messages: add a Spam header, discard it, return to sender, or forward to some other address. I really like that level of control, especially being able to "whitelist" senders.

I also like being able to add points to messages. For example, I add a point or two to any message from hotmail.com or yahoo.com. I wouldn't want to completely reject you if you happen to have an address there, but your mail starts off as immediately suspect. Of course I can do that because most of my business is with other businesses who don't use these accounts; someone doing business with the general public might not want to do that. For non-business senders I know, I can exempt their address entirely.

I also add points for such foolishness as not setting a Subject: again, not enough to be automatically rejected, but enough for a head-start.

Finally, I add big points for the present crop of spam Subject: lines. These change all the time - this month it's "Megan asked me to invite you" or whatever; next month it will be something different. Kerio shows you when your rules were last used and allows you to delete all unused rules instantly. This alone can really help, and I wish there were a way to automate it.
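The custom rules described in this section, modelled in Python as an added example; this is not Kerio's or SpamAssassin's code. The rule names, point values, sample messages and the 5.0 threshold are assumptions, and `base_score` stands in for whatever SpamAssassin assigned. It also shows the last-used bookkeeping that makes pruning stale Subject rules automatic.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parseaddr
from typing import Optional


@dataclass
class Rule:
    name: str
    header: str
    pattern: Optional[str]      # None matches a missing or empty header
    action: str                 # "add", "accept" or "reject"
    points: float = 0.0
    last_used: Optional[datetime] = None

    def matches(self, msg):
        value = msg.get(self.header)
        if self.pattern is None:
            return value is None or not value.strip()
        if value is None:
            return False
        if self.header.lower() == "from":
            value = parseaddr(value)[1]     # match the address, not the display name
        return re.search(self.pattern, value, re.IGNORECASE) is not None


def evaluate(raw, base_score, rules, now, threshold=5.0):
    """Return (verdict, score, names of the rules that fired)."""
    msg = message_from_string(raw)
    score, hits, forced = base_score, [], None
    for rule in rules:
        if not rule.matches(msg):
            continue
        rule.last_used = now
        hits.append(rule.name)
        if rule.action == "add":
            score += rule.points
        elif forced is None:
            forced = rule.action            # first accept/reject rule wins
    if forced == "accept":
        return "deliver", score, hits       # accepted regardless of the score
    if forced == "reject" or score >= threshold:
        return "spam", score, hits
    return "deliver", score, hits


def prune_unused(rules, now, max_age=timedelta(days=30)):
    """Drop scoring rules that have not fired within max_age; keep accept/reject rules."""
    return [r for r in rules
            if r.action != "add"
            or (r.last_used is not None and now - r.last_used <= max_age)]


def sample_rules():
    """Constructed rule set following the adjustments described in the text."""
    return [
        Rule("known-sender", "From", r"^known\.sender@example\.org$", "accept"),
        Rule("freemail", "From", r"@(hotmail|yahoo)\.com$", "add", 1.5),
        Rule("no-subject", "Subject", None, "add", 2.0),
        Rule("subject-of-the-month", "Subject", r"asked me to invite you", "add", 4.0),
    ]


# Constructed sample messages, not real mail.
MSG_FREEMAIL = "From: Sample <constructed-sample@hotmail.com>\nSubject: Quote request\n\nHello\n"
MSG_NO_SUBJECT = "From: constructed-sample@yahoo.com\n\nbuy now\n"
MSG_INVITE = "From: someone@example.net\nSubject: Megan asked me to invite you\n\nhi\n"
MSG_KNOWN = "From: Known Sender <known.sender@example.org>\nSubject: Megan asked me to invite you\n\nhi\n"

if __name__ == "__main__":
    rules, now = sample_rules(), datetime(2004, 6, 1)
    for raw, base in ((MSG_FREEMAIL, 1.0), (MSG_NO_SUBJECT, 2.0),
                      (MSG_INVITE, 1.5), (MSG_KNOWN, 3.0)):
        print(evaluate(raw, base, rules, now))
```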

If someone keeps showing up again and again, I add their IP to the SMTP Blacklist, though that's something you have to be careful of for several reasons. First, spammers move on, and sometimes legitimate folks get the spammer's former IP address. There are procedures that are supposed to help prevent that, but they don't always work. Second, many spam messages actually originate from compromised home-user Windows machines, which are likely using DHCP-assigned addresses. When the address is re-assigned, your Important Customer may be the person who gets it.

Kerio also supports "Caller ID" (another name for Sender ID), though since almost no one is using it, it isn't very useful.

A recent new feature is to optionally delay the response to an SMTP connection. This doesn't bother legitimate email, but really annoys spammers - they often give up.

There is no end to spam. None of these things can entirely eliminate spam from your mailbox, but at least you have some control and can block the majority.

Virus Scanning

Kerio offers McAfee as an option, but the server can use other vendors too. Attachment handling is also in this tab: you can separately specify what to do about .exe, .doc files, etc. Messages tagged by the virus scanner or because of attachments can be blocked, have the attachment removed, or be forwarded to an administrative address. The sender can be notified, or notification can be limited to messages that originated locally. That's useful - many external virus messages are spam that shouldn't be replied to, but you'd probably still want to let local users know about viruses in their outgoing messages.

Backup

No, this isn't system backup. This rather lets you store automatic copies of messages:

Kerio Mail Server Backup Screenshot

This is a very important feature for some industries, and could be handy for just about anyone. Notice the options available in the screenshot allow viruses to be stored intact if desired.

Scheduling

The Kerio Mail Server can schedule sending mail, downloading from another POP server, or sending an ETRN to another server. If your server is on dialup, you can allow it to establish a connection if needed. POP and ETRN downloads have their own configuration tabs also, where you can specify multiple servers, sorting rules etc. There's a lot of flexibility here. You can download from multiple POP servers (while still receiving SMTP mail, of course).

SSL Certificates

You can generate a self-signed certificate or import a "real" certificate. Certificates are necessary if you want to use any of the secure protocols.

Other Options

There are other security related options under Advanced Options. These include requiring specific authentication methods, doing reverse DNS lookups and other more advanced settings. It is really good to see these capabilities made easily available for configuration.

Users

Users are added on a per-domain basis, or can be imported from a Windows NT domain or Active Directory server. It's too bad that you cannot import from Linux passwd or a Linux LDAP server too, or at the very least from a csv file. (Kerio tech support says):

It is theoretically possible to import from Linux LDAP, if you
want to write your own MAP file. Look at the files in
/opt/kerio/mailserver/ldapmap/ for examples
 

The user information is quite complete, including quotas, webmail preferences, how to authenticate each user, forwarding and more. One noticeable lack is any provision for putting a user on vacation. Of course that can easily be done at the Linux level with procmail etc., but I think that function should be part of mail server administration.

The 6.0.2 version adds "Out of Office Reply" to Webmail.

Naturally you can also assign groups and aliases. I was pleasantly surprised to see that this handles mailing lists also.

POP, IMAP, Webmail

There's nothing much to configure here. Webmail includes some nice features like shared folders, more message filtering, and cellular phone notification. There's Wapmail (access by cellphone) also, which could be very handy now and then.

The 6.0.2 version adds "Out of Office Reply" to Webmail.

Outlook Connector

The 6.0.2 version includes an Outlook Connector that effectively provides the same types of services as an Exchange server would. You install this (it's a separate download from Kerio) on each client. I had to go to Microsoft Office Updates and download Office XP SP3 to get this to install. After that, you configure Outlook to use the Kerio Connector as a MAPI Mail account. Unfortunately, you also have to change the Information Store, which makes it a little complicated for users with existing Inboxes. The messages can be migrated, but it's much easier if you are starting out fresh.

With the Outlook Connector (and the Webmail), you can share folders and calendars with other users, allowing them to read or even administer your data. For example, I give my wife access to my calendar - she can update it as easily as I can, giving us both a consistent view of our schedules.

Overall Impressions and comparison to SME Server

This is a very good mail server. As mentioned above, I also sell the Mitel SME Server, so it is interesting to compare these. The most important difference is that this is a package you install on an existing Linux system, while the SME server is a complete Linux distribution which includes many other features not necessarily related to mail (VPN access, firewall, file and print services, etc.). There are advantages and disadvantages to both approaches:

  • Security:

    With an all inclusive package like SME, all aspects of the system are under the control of one vendor. You don't need to worry about general security issues that aren't related to mail. On the other hand, you are also forced to wait for that vendor to provide security fixes, whereas with a stock Linux install, you can get security updates yourself the moment they are available. Of course you'd need to wait for Kerio to provide any mail related security fixes too.

  • Customization:

    The SME server, being mostly Open Source, encourages and allows customization. On the other hand, the Kerio Mail Server often offers more configuration capability with its admin tool than the SME server does. You'd need to drop to the Linux command line level to do some of the tasks that the Kerio Admin Console allows. However, if the Kerio console does not offer the function, you may have no way to do it at all, as this is mostly proprietary code.

  • Independent Domains:

    The Kerio Mail server allows the definition of independent mail domains as noted above. SME server only supports alias domains.

  • Other software:

    While other software can be installed on an SME server, this can cause conflicts and problems in some cases. This is, of course, because the SME is an integrated OS with a number of very customized sub-systems. As the Kerio Mail Server is only a mail server, other Linux software is not as likely to affect its operation.

  • Administration:

    The SME server is administered with any web browser; Kerio uses a proprietary tool. The advantage of the web browser approach is that you can immediately administer from anywhere; there's nothing to install. The Open Source and well documented interface allows third party modules to be easily added. However, this approach also limits what can be easily done: the web interface is sometimes a little clumsy and often is much slower than a dedicated interface like Kerio Mail Server uses.

  • OS Knowledge:

    The SME server requires almost no OS knowledge for installation or use. The Kerio Mail Server itself requires no OS knowledge, but you will need some for installation.

  • Cost:

    The SME server comes both in a free (unsupported) version, and a paid, fully supported subscription mode. Kerio Mail Server has a free 30 day demo, but otherwise is subscription only. The Kerio is priced similarly to the SME for the first year, but is less expensive in subsequent years.

  • Support:

    The SME server, because it is an entire integrated server, is supported by Mitel and your dealer at all levels: from booting on up. As the Kerio Mail Server is simply an application on your server, they of course only support this part.


Which of these would be better for you? Well, that's something only you'd know, but it's easy enough to try either one out to get a hands-on look. Download the Kerio Mail Server here: http://www.kerio.com/kms_download.html and see http://www.contribs.org/ for SME.

New features since this review

  • Global Address List synchronised with user database
  • Entourage 2004/2008 auto-configuration - Entourage Config Tool
  • Syncing of groups from Apple Address Book with Kerio Sync Connector for Mac
  • Enhanced CalDAV server with support for Apple iCal private events
  • Spam Filter improvements
  • Update of integrated McAfee antivirus to version 5300
  • New antivirus plug-in for Eset NOD32 Antivirus 3.0 and 4
  • Kerio Assist utility for Mac OS X
  • New Kerio IMAP Migration Tool
  • Debian 5.0 and Ubuntu 8.04LTS Linux support
  • New Configuration Wizard utility on Windows
  • Localization of the Mac OS X installer
  • New mobile client: RoadSync 4.0
  • Added support for running on 64-bit systems (in 32-bit compatibility mode).
  • Added support for new commands in IMAP: NAMESPACE (RFC 2342) and XLIST.
  • Updated external libraries: PHP5 5.2.6, libxml2 2.7.2, libcurl 7.19.2, openldap 2.4.11.
  • Added support for Internet Explorer 8.
  • Added installation package for 64bit Windows server.
  • Added support for command 'Settings' requested by RoadSync 4.
  • Added support for Entourage 12.1.3 and 12.1.4
  • Added support for e-mail, contact and calendar over-the-air synchronisation with Apple iPhone 3G, 2.0 and iPod Touch. The support includes e-mail push and remote device wipe feature.
  • Enhanced Apple iCal integration with Kerio MailServer (address and location autocomplete, delegation support, availability feature).
  • New automatic configuration tool for Apple iCal client - http(s)://servername/setup/ical
  • Added ability to automatically delete old e-mails from Junk E-mail and Deleted Items folders on the server.
  • Introduced new log file tracing all delete and move operations with e-mails and other items on the server.
  • Support for new ActiveSync protocol used on Windows Mobile 6 devices (Exchange 2007 compatible). Includes support for reading HTML e-mails, fast message retrieval, enhanced e-mail search and out-of-office setting on mobile device.
  • Added support for partial header FETCH in IMAP server.
  • "Integration" web page with tools and downloads - http(s)://servername/integration
  • Windows Server 2008 (Longhorn) 32bit is supported.
  • Added support for Firefox 3.
  • Added support for Resource Scheduling
  • Added support of Outlook Connector on Terminal Server.
  • Local cache may be emptied now.
  • All contact folders are added to Address Book by default.
  • Outlook Connector's connections are identified in Admin Console.
  • Added support for Mailing Lists.
  • Added support for Resource Scheduling.
  • Added support for e-mail, calendar and contacts over-the-air synchronisation with Apple iPhone 3G and 2.0.
  • Added support for e-mail push and remote device wipe feature for Apple iPhone 3G and 2.0.
  • Added support for AVG 8 antivirus.




    5 comments








    Mon May 1 15:05:01 2006: 1989   TonyLawrence

    Kerio is constantly updating and improving this product. It now has many more anti-spam features and can plug-in multiple anti-virus products. See http://aplawrence.com/Unixart/dhantivirus.html for the value of extra scanning.

    I do sell and support Kerio, so I suppose I'm a little biased, but really the REASON I sell it is because it's a great product, not the other way around. I like their pricing policies (cheaper after the first year) and their support has been great.







    Thu Oct 12 02:28:25 2006: 2513   anonymous


    Doesn't appear there is any load balancing other than having users on different mail servers. You are required to run the webmail service on the same hosts. All of your users must connect to a single host.



    Thu Oct 12 10:08:03 2006: 2514   TonyLawrence

    True, but nearly irrelevant. Except in the very largest organizations, mail is a minuscule load: I've run hundreds of mail users on ancient weak desktop class machines with acceptable performance. Maybe GM and Microsoft need to load balance mail servers, but most of us do not. An inexpensive consumer class machine today can handle hundreds of mail users without even noticing it.

    Now failover or redundancy IS a missing feature and is something they do need to add - and I think they will, soon.



    Fri Feb 4 12:05:54 2011: 9275   anonymous



    Currently, SME is the mail server. However, Kerio has been chosen to be used after the hardware upgrade (new host machine). What could be the best implementation strategy for this change? Is there a way that the old email data on the SME can be imported to the new Mail server (with Kerio)?



    Fri Feb 4 12:14:01 2011: 9276   TonyLawrence



    Yes, absolutely. You can use the free IMAP migration tool or even use scripting to copy messages manually.
