Kerio Mail Server with SpamAssassin
© Anthony Lawrence, aplawrence.com
Copyright July 2006 Anthony Lawrence
Full disclosure: I am also a reseller of this product.
Note: this review is several years old now. It still has value, but more recent information may be found at the links to the left.
The Kerio Mail Server is a cross-platform (Windows, Linux, and Mac OS X) mail server. I tested it on RedHat Linux 8.
Before we get into the details, let me say that I was very impressed. This is well done, and they have paid attention to important details. I have a few minor nit-picks here and there, but overall I can highly recommend it.
As some of the people reading this will be aware that I also sell the SME Mail Server, I'll also offer some comparisons between these very different approaches at the end of my review.
(By the way, I no longer sell the SME product)
What impresses me most about this is the level of control over spam. Skip right to that section of this review if that's your hot button too.
This was actually the most annoying part of the entire process. I say that not because it was horribly difficult, but only because it could have been much easier. Neither the enclosed manual nor the CD were particularly helpful. The manual tells you that you install Linux RPMS, but doesn't tell you where they are on the CD. Of course, they aren't very hard to find, but the CD directories are Windows/Mac GUI style: embedded spaces in directory names, making it annoying to navigate from the command line. I've said this more than once: just because you CAN use spaces in a directory or file name doesn't mean that you SHOULD. But as all the regular readers know, I'm a grumpy old curmudgeon and you should ignore me when I start muttering about these things.
(Kerio tech support read this and noted that most people just download the software rather than getting the CD, but did agree that the spaces should be changed to underscores and promised to do that).
I found the kerio-mailserver-5.62-rh7.rpm and the kerio-mailserver-admin-5.62-rh7.rpm and installed both.
The manual tells you to run /opt/kerio/mailserver/wizard for initial configuration, but it is actually "cfgwizard", not "wizard" (Kerio says they'll fix that next release of the manual). There is very small notice of things you will have to do to an existing Linux server, such as disabling sendmail and other mail related things you may have running (POP3), changing firewall rules, etc. You probably shouldn't be installing this if you aren't comfortable with Linux. Yes, they do have a Windows version, but you can probably well imagine my horror at running a mail server on Windows - at least without a powerful firewall (which Kerio does sell also, and the new Windows XP SP2 firewall isn't all that bad either).
Kerio tech support noted that I missed this:
When you install the RPM, it gives you a note to read /opt/kerio/mailserver/doc/REDHAT-README, which actually contains instructions on how to stop and disable both sendmail and, and how to tell (netstat -tlp) what network servers are running.
I recently installed the 6.0.2 version. The only problem I had was that I needed to use --nodeps because it was looking for an earlier library. I also tried out the Windows version and their WinRoute Firewall, which made a pretty good combination if you prefer a Windows environment.
The Admin package can administer servers on any platform, so I installed the Mac OS X version of that. That had a few resolution or screen placement problems; some controls were slightly distorted or out of place, but it worked fine. Here's a screenshot:
Notice the "Edit" button is slightly skewed. No big deal, of course. The Linux admin console had no such glitches administering its own server. This screen also shows the definition of IP Address Groups, which will be mentioned later.
The 6.0.2 version worked perfectly with Mac, Windows or Linux Administration Consoles.
The main Administration Console offers four major groups: Configuration, Domain Settings, Status, and Logs. There is some overlap here and there; for example you can configure basic SMTP access under Configuration->Services, but relaying is configured under Configuration->SMTP Server. That actually makes sense: if, for example, you configure SMTP Services to accept connections only from the local lan, any attempt to access port 25 from outside the lan will be rejected. Within SMTP Server, you can control relaying (even down to individual hosts). This is very welcome.
Services
Every service (SMTP, POP3, Secure POP3, IMAP, Secure IMAP, Webmail, Secure Webmail, LDAP, Secure LDAP) can be turned on and off, set to start automatically or manually, can be set to run on a non-standard port, and access can be set down to the host level.
Access to services means that your connection attempt will be refused if you aren't allowed access. By default, all services are running, started automatically, and not blocked at all. To add access control, simply edit the service you wish to control, and check "Allow access only from selected ip address group". You'll see this same control in other places, and it is quite well done. Basically you create "groups". A group can contain specific hosts, ip ranges (by beginning to end or by netmask) and other groups. This lets you be very specific about access control, although there's no exclusion here, only inclusion (you can blacklist specific hosts/groups at the SMTP server level though). I'd like to see exclusionary capability here, too (of course you could always do this at the Linux firewall level).
If I see someone as a threat (for example, they tried to ssh to my server using multiple account names), I block them here, at the Linux level, and again at my firewall. That takes a bit of effort but I don't think you can be too careful.
Domains can be independent or aliased. For example, I can have "apl.org", add users to it, and if I add an alias "aplawrence.org", mail to a user in either domain will go to the same account. However, if I create a separate domain, "foo.org", a user added there is entirely different from those in "apl.org" and "aplawrence.org".
Within Domains, you can specify a footer to be added to each email sent from that domain, forwarding to another SMTP server/port for unknown users, and even specify active directory or kerberos servers. A domain can be bound to a specific IP address. Forwarding can be immediate, scheduled or triggered by ETRN from the other server.
Here you have the choice of using direct MX record message delivery, or a relay server. This section also lets you specify how often to retry delivery, when to warn the sender of delivery problems, and how many days to wait before giving up entirely. It is very nice to have such full control.
By default, the server won't relay (deliver messages to users outside of its own domains) for anyone, not even a user logged on to this machine. You do have the option of setting it to be an open relay, but it's not likely you'd want to do that. You have the ability to use the access groups as mentioned under Services above, or you can require SMTP authentication, or allow relay if the user has authenticated by POP3 within some period of time you specify.
You can also specify Blacklists. There are built-in selections (www.mail-abuse.org and www.ordb.org), and you can specify your own, again using the Access List method. The combination of IP address groups and blacklists gives you very precise control over who can use your server and who can send you mail.
There are more Security options here: you can specify a maximum number of messages per hour from one ip address, a maximum number of concurrent SMTP connections from one address, and also a maximum number of unknown recipients (that could be an indication of spamming). You can specify an access group that these limits do not apply to, which might allow more freedom to local users etc. These types of controls have become much more important in recent years.
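The IP address groups described under Services and the per-address hourly limit with an exempt group can be modelled as follows. This is an added illustration, not Kerio's code; the class names, group names and sample addresses are assumptions made up for the example.

```python
import ipaddress
from collections import defaultdict, deque

class AddressGroups:
    """Inclusion-only groups of hosts, ranges, netmask networks and other groups."""
    def __init__(self):
        self._groups = defaultdict(list)

    def add_range(self, group, first, last=None):
        lo = ipaddress.ip_address(first)
        hi = ipaddress.ip_address(last) if last else lo   # single host
        if lo.version != hi.version or lo > hi:
            raise ValueError("bad range %s-%s" % (first, last))
        self._groups[group].append(("range", lo, hi))

    def add_network(self, group, net):
        # Accepts "192.168.1.0/255.255.255.0" as well as "192.168.1.0/24".
        n = ipaddress.ip_network(net, strict=True)
        self._groups[group].append(("range", n[0], n[-1]))

    def add_group(self, group, member):
        self._groups[group].append(("group", member, None))

    def contains(self, group, addr, _seen=None):
        ip = ipaddress.ip_address(addr)
        seen = set() if _seen is None else _seen
        if group in seen:      # groups that include each other must not loop
            return False
        seen.add(group)
        for kind, a, b in self._groups.get(group, ()):
            if kind == "group":
                if self.contains(a, addr, seen):
                    return True
            elif a.version == ip.version and a <= ip <= b:
                return True
        return False

class HourlyLimiter:
    """Per-address message cap over a sliding hour, skipped for an exempt group."""
    def __init__(self, groups, max_per_hour, exempt_group):
        self.groups, self.max, self.exempt = groups, max_per_hour, exempt_group
        self._times = defaultdict(deque)

    def allow(self, addr, now):
        if self.groups.contains(self.exempt, addr):
            return True
        q = self._times[addr]
        while q and now - q[0] >= 3600:
            q.popleft()        # forget messages older than one hour
        if len(q) >= self.max:
            return False
        q.append(now)
        return True

def sample_groups():
    """Constructed sample data (private and documentation address ranges)."""
    g = AddressGroups()
    g.add_network("lan", "192.168.1.0/255.255.255.0")
    g.add_range("servers", "10.0.0.10", "10.0.0.20")
    g.add_range("trusted", "203.0.113.7")
    g.add_group("trusted", "lan")
    g.add_group("trusted", "servers")
    return g

if __name__ == "__main__":
    lim = HourlyLimiter(sample_groups(), 2, "trusted")
    print([lim.allow("198.51.100.9", t) for t in (0, 10, 20, 3601)])
```

Because groups are inclusion-only, carving one host out of an allowed range means splitting the range into two entries around it.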
You can block if the sender's address doesn't resolve with DNS (another anti-spam control) and specify the maximum number of recipients you will accept in one message. Other useful anti-abuse controls include limiting the number of failed SMTP commands (for example attempts to relay or send to unknown users) and rejecting messages that have gone through too many relays prior to getting here. Finally, you can specify a maximum size for messages. That's a global limit that is above the user quotas that can be applied individually.
Spam is an awful burden for businesses today. The volume grows constantly, and spammers learn to avoid spam scanners, frustrating our attempts to keep your mailbox clean. Individuals can use any of the commercial challenge/response systems where nobody can send you email until they at least verify that they are a real person, but most businesses don't want to annoy potential customers with that sort of hindrance. There are other schemes in the works - Sender ID will eventually cut some spam out, but it won't even begin to stop all of it, so we are left with computer scanning for now.
The Kerio Mail Server uses SpamAssassin, and gives you full control over its configuration, including the ability to add rules to accept or reject messages regardless of SpamAssassin's scoring, or increase/decrease the score. You also get full control over the disposition of messages: add a Spam header, discard it, return to sender, or forward to some other address. I really like that level of control, especially being able to "whitelist" senders.
I also like being able to add points to messages. For example, I add a point or two to any message from hotmail.com or yahoo.com. I wouldn't want to completely reject you if you happen to have an address there, but your mail starts off as immediately suspect. Of course I can do that because most of my business is with other businesses who don't use these accounts; someone doing business with the general public might not want to do that. For non-business senders I know, I can exempt their address entirely.
I also add points for such foolishness as not setting a Subject: again, not enough to be automatically rejected, but enough for a head-start.
Finally, I add big points for the present crop of spam Subject: lines. These change all the time - this month it's "Megan asked me to invite you" or whatever; next month it will be something different. Kerio shows you when your rules were last used and allows you to delete all unused rules instantly. This alone can really help, and I wish there were a way to automate it.
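The scoring approach described above (points added by header rules on top of the scanner's score, a whitelist that exempts a sender outright, and removal of rules that have stopped matching) can be sketched like this. It is an added example, not Kerio's or SpamAssassin's code: the class, rule names, point values, threshold and the fixed base score are assumptions, and the messages are constructed samples.

```python
import re
from email import message_from_string
from email.utils import parseaddr

class CustomRules:
    """Administrator rules layered on a base spam score (a stand-in here)."""
    def __init__(self, base_scorer, threshold, whitelist=()):
        self.base_scorer, self.threshold = base_scorer, threshold
        self.whitelist = {a.lower() for a in whitelist}
        self.rules = {}   # name -> [header, compiled pattern, points, last_used]

    def add_rule(self, name, header, pattern, points, now):
        self.rules[name] = [header, re.compile(pattern, re.I), points, now]

    def evaluate(self, raw_message, now):
        msg = message_from_string(raw_message)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if sender in self.whitelist:          # exempt regardless of any score
            return 0.0, "deliver"
        total = self.base_scorer(msg)
        for rule in self.rules.values():
            header, pattern, points, _ = rule
            if pattern.search(msg.get(header, "")):
                total += points
                rule[3] = now                 # record when the rule last fired
        return total, ("spam" if total >= self.threshold else "deliver")

    def prune_unused(self, now, max_idle):
        """Delete rules that have not matched within max_idle seconds."""
        stale = [n for n, r in self.rules.items() if now - r[3] > max_idle]
        for name in stale:
            del self.rules[name]
        return stale

def sample_rules(now=0):
    # Base score fixed at 2.0 as a placeholder for the scanner's own result.
    cr = CustomRules(lambda msg: 2.0, threshold=5.0,
                     whitelist=["friend@yahoo.com"])
    cr.add_rule("FREEMAIL", "From", r"@(hotmail|yahoo)\.com\b", 1.5, now)
    cr.add_rule("NO_SUBJECT", "Subject", r"^\s*$", 1.0, now)
    cr.add_rule("SUBJ_CAMPAIGN", "Subject",
                r"Megan asked me to invite you", 5.0, now)
    return cr

# Constructed sample messages.
FREEMAIL_MSG = "From: Pat <pat@yahoo.com>\nSubject: Lunch\n\nhi\n"
NOSUBJ_MSG = "From: x@hotmail.com\n\nbody\n"
CAMPAIGN_MSG = "From: a@example.net\nSubject: Megan asked me to invite you\n\n.\n"
WHITELISTED_MSG = ("From: Friend <friend@yahoo.com>\n"
                   "Subject: Megan asked me to invite you\n\n.\n")

if __name__ == "__main__":
    rules = sample_rules()
    for m in (FREEMAIL_MSG, NOSUBJ_MSG, CAMPAIGN_MSG, WHITELISTED_MSG):
        print(rules.evaluate(m, now=900))
    print(rules.prune_unused(now=5000, max_idle=3600))
```

The From header is chosen by the sender, so a whitelist keyed on it is only as reliable as whatever else validates that address.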
If someone keeps showing up again and again, I add their IP to the SMTP Blacklist, though that's something you have to be careful of for several reasons. First, spammers move on, and sometimes legitimate folks get the spammer's former IP address. There are procedures that are supposed to help prevent that, but they don't always work. Second, many spam messages actually originate from compromised home-user Windows machines, which are likely using a DHCP-assigned address. When the address is re-assigned, your Important Customer may be the person who gets it.
Kerio also supports "Caller ID" (another name for Sender ID), though since almost no one is using it, it isn't very useful.
A recent new feature is to optionally delay the response to an SMTP connection. This doesn't bother legitimate email, but really annoys spammers - they often give up.
There is no end to spam. None of these things can entirely eliminate spam from your mailbox, but at least you have some control and can block the majority.
Kerio offers McAfee as an option, but the server can use other vendors too. Attachment handling is also in this tab: you can separately specify what to do about .exe, .doc files, etc. Messages tagged by the virus scanner or because of attachments can be blocked, have the attachment removed, or forwarded to an administrative address. The sender can be notified, or notification can be limited to messages that originated locally. That's useful - many external virus messages are spam that shouldn't be replied to, but you'd probably still want to let local users know about viri in their outgoing messages.
No, this isn't system backup. This rather lets you store automatic copies of messages. [Screenshot: Kerio Mail Server Backup] This is a very important feature for some industries, and could be handy for just about anyone. Notice the options available in the screenshot allow viruses to be stored intact if desired.
The Kerio Mail Server can schedule sending mail, downloading from another POP server, or sending an ETRN to another server. If your server is on dialup, you can allow it to establish a connection if needed. POP and ETRN downloads have their own configuration tabs also, where you can specify multiple servers, sorting rules etc. There's a lot of flexibility here. You can download from multiple POP servers (while still receiving SMTP mail, of course).
You can generate a self-signed certificate or import a "real" certificate. Certificates are necessary if you want to use any of the secure protocols.
There are other security related options under Advanced Options. These include requiring specific authentication methods, doing reverse DNS lookups and other more advanced settings. It is really good to see these capabilities made easily available for configuration.
Users are added on a per-domain basis, or can be imported from a Windows NT domain or Active Directory server. It's too bad that you cannot import from Linux passwd or a Linux LDAP server too, or at the very least from a csv file. (Kerio tech support says):
It is theoretically possible to import from Linux LDAP, if you want to write your own MAP file. Look at the files in /opt/kerio/mailserver/ldapmap/ for examples
The user information is quite complete, including quotas, webmail preferences, how to authenticate each user, forwarding and more. One noticeable lack is any provision for putting a user on vacation. Of course that can easily be done at the Linux level with procmail etc., but I think that function should be part of mail server administration.
The 6.0.2 version adds "Out of Office Reply" to Webmail.
Naturally you can also assign groups and aliases. I was pleasantly surprised to see that this handles mailing lists also.
There's nothing much to configure here. Webmail includes some nice features like shared folders, more message filtering, and cellular phone notification. There's Wapmail (access by cellphone) also, which could be very handy now and then.
The 6.0.2 version adds "Out of Office Reply" to Webmail.
The 6.0.2 version includes an Outlook Connector that effectively provides the same types of services as an Exchange server would. You install this (it's a separate download from Kerio) on each client. I had to go to Microsoft Office Updates and download Office XP SP3 to get this to install. After that, you configure Outlook to use the Kerio Connector as a MAPI Mail account. Unfortunately, you also have to change the Information Store, which makes it a little complicated for users with existing Inboxes. The messages can be migrated, but it's much easier if you are starting out fresh.
With the Outlook Connector (and the Webmail), you can share folders and calendars with other users, allowing them to read or even administer your data. For example, I give my wife access to my calendar - she can update it as easily as I can, giving us both a consistent view of our schedules.
Overall Impressions and comparison to SME Server
This is a very good mail server. As mentioned above, I also sell the Mitel SME Server, so it is interesting to compare these. The most important difference is that this is a package you install on an existing Linux system, while the SME server is a complete Linux distribution which includes many other features not necessarily related to mail (VPN access, firewall, file and print services, etc.). There are advantages and disadvantages to both approaches:
With an all inclusive package like SME, all aspects of the system are under the control of one vendor. You don't need to worry about general security issues that aren't related to mail. On the other hand, you are also forced to wait for that vendor to provide security fixes, whereas with a stock Linux install, you can get security updates yourself the moment they are available. Of course you'd need to wait for Kerio to provide any mail related security fixes too.
The SME server, being mostly Open Source, encourages and allows customization. On the other hand, the Kerio Mail Server often offers more configuration capability with its admin tool than the SME server does. You'd need to drop to the Linux command line level to do some of the tasks that the Kerio Admin Console allows. However, if the Kerio console does not offer the function, you may have no way to do it at all, as this is mostly proprietary code.
- Independent Domains:
The Kerio Mail server allows the definition of independent mail domains as noted above. SME server only supports alias domains.
- Other software:
While other software can be installed on an SME server, this can cause conflicts and problems in some cases. This is, of course, because the SME is an integrated OS with a number of very customized sub-systems. As the Kerio Mail Server is only a mail server, other Linux software is not as likely to affect its operation.
- Administration:
The SME server is administered with any web browser; Kerio uses a proprietary tool. The advantage of the web browser approach is that you can immediately administer from anywhere; there's nothing to install. The Open Source and well documented interface allows third party modules to be easily added. However, this approach also limits what can be easily done: the web interface is sometimes a little clumsy and often is much slower than a dedicated interface like Kerio Mail Server uses.
- OS Knowledge:
The SME server requires almost no OS knowledge for installation or use. The Kerio Mail Server itself requires no OS knowledge, but you will need some for installation.
The SME server comes both in a free (unsupported) version, and a paid, fully supported subscription mode. Kerio Mail Server has a free 30 day demo, but otherwise is subscription only. The Kerio is priced similarly to the SME for the first year, but is less expensive in subsequent years.
The SME server, because it is an entire integrated server, is supported by Mitel and your dealer at all levels: from booting on up. As the Kerio Mail Server is simply an application on your server, they of course only support this part.
Which of these would be better for you? Well, that's something only you'd know, but it's easy enough to try either one out to get a hands-on look. Download the Kerio Mail Server here: http://www.kerio.com/kms_download.html and see http://www.contribs.org/ for SME.