Chapter 1: Introduction to Kerio MailServer
1.0 Introduction
1.1 Securing your mail server
1.11 Antivirus
1.12 Antispam
1.13 Encryption and authentication
1.0 Introduction
This chapter provides a hands-on introduction to Kerio MailServer. By the end of this chapter you should have a basic understanding of how to set up and administer the server.
Let's
begin by installing the latest version of Kerio MailServer. Download Kerio
MailServer from our site and follow the installation instructions in your
product manual. You can define a pretend domain to practice with, e.g.,
"testdomain.lab".
Now add a few example users to test with using
the Domain Settings / Users section of the Administration Console as
described in the User
accounts section of your manual.
Once you have a few example
users, try adding a user group and alias using the Domain Settings section
of the Administration Console as described in sections Creating a user account
and Aliases of your manual.
Then try opening one of your new
example user accounts through Kerio WebMail by entering the IP address
of the MailServer into your browser. You can use the loopback IP (127.0.0.1) if you are opening the browser on the MailServer machine.
Tip: What is my IP? On Windows, to find out the IP address of your MailServer, click "Run..." in the Start Menu on the server. Enter "cmd" in the Run dialog. At the command prompt, type "ipconfig".
Now that we have a basic mail server set up, we will begin by reviewing one of Kerio MailServer's most powerful features for small and medium-sized organizations: advanced security.
1.1 Securing your mail server
Kerio MailServer offers advanced security against intrusion. However, even secure mail servers may be vulnerable if improperly administered. As we begin to consider security, a review of the following sections of your manual may be helpful.
There are several key areas that we will
review in this training regarding security: antivirus, antispam,
encryption and authentication.
1.11 Antivirus
Support for gateway virus scanning makes Kerio MailServer a secure shield against the spread of computer viruses. In this section we will configure antivirus for a Kerio MailServer with McAfee. Begin by selecting "Antivirus" in the Configuration section of the Kerio Administration Console.
From a technical standpoint, the antivirus scanning in
Kerio MailServer is performed at the server's kernel level. This prevents
an e-mail from bypassing the antivirus check.
Enabled with McAfee,
the Antivirus tab provides a number of powerful configuration options.
- Antivirus usage (check box) - turns the integrated McAfee engine or external antivirus scanning on/off
- Integrated antivirus engine - sets the update interval for the antivirus database, and shows the age of the database, the last update, and the antivirus and scanning database versions
- If a virus is found in a message - selects what action to take with e-mails in which a virus is detected
- If a part of a message cannot be scanned (e.g., an encrypted or corrupted file) - selects whether to perform the actions defined in the action dialog or to allow delivery, optionally with a warning
Note that the Antivirus tab also offers several other antivirus plug-ins that you can use instead of, or in conjunction with, the built-in McAfee engine. In version 6.1 and up, you can scan with two antivirus engines, using the McAfee engine together with one of the supported plug-ins. Depending on which operating system the MailServer is installed on, the supported antivirus plug-ins include:
| Plugin                         | Windows   | Linux     | Mac       |
| Computer Associates eTrust     | supported | n/a       | n/a       |
| Symantec Antivirus Scan Engine | supported | supported | n/a       |
| Sophos SAVI                    | supported | supported | supported |
| Grisoft AVG                    | supported | supported | n/a       |
| Alwil Software Avast!          | supported | n/a       | n/a       |
| VisNetic                       | supported | n/a       | n/a       |
| Eset Software NOD32            | supported | supported | n/a       |
It is important to set an antivirus update policy that balances antivirus concerns with performance. Generally, antivirus updates only take seconds, though times may vary. For this training check the box to scan mail using McAfee and select 6 hours for our update interval.
For messages containing these rejected attachments, administrators can specify the following behaviors.
- Discard or Deliver - Discard the message (radio button) or Deliver the message with the malicious code removed (radio button)
- Forward for review - Forward the original message to a specified administrator address (check box), and/or Forward the filtered message to an administrator address (check box)
In considering your action settings for optimal security, best practices generally recommend forwarding messages for review. This is especially beneficial when an important file was dropped and management later wants the file, whether because the security concerns have been resolved or regardless of them. Still, it is also prudent to balance the benefits of review against your message storage capacity and performance.
Deciding whether to deliver (with a warning) or discard can also be a balancing act. However, Kerio MailServer includes a powerful option to deliver the message with the attachment removed.
For this training, we will set the action to forward the
message to the administrator and deliver the message to the recipient with
the attachment removed.
TIP: How can I test my antivirus configuration? For antivirus testing, EICAR provides a standard antivirus test file at http://www.eicar.org/anti_virus_test_file.htm.
Now let's click on the Attachment Filter settings to configure the Kerio MailServer Attachment Filter.
This filter allows administrators to filter both inbound
and outbound e-mail for certain attachment types. Attachment filters may
supplement antivirus solutions by providing a fast way to block certain
file types associated with an anticipated virus before there is a new
virus profile to update.
Attachment filters may also supplement
some human resource policies by blocking the exchange of large movie and
audio files that may impact productivity - not to mention server
performance and storage capacity.
Administrators have several configuration elements to
consider when administering this filter.
- Enable attachment filter (check box) - turns
attachment filter on/off
- Add, edit, remove (buttons) - edits which content
types to filter
- Attachment filter dialog options - set content
type, action, and description
- If a message attachment is blocked by this filter - selects what action to take with e-mails in which a restricted attachment is detected
The action options let you choose whether to
- Send a warning to the sender that the attachment was not delivered,
- Forward the original e-mail to an administrator address - to audit the attachment in the event you do not want to delete it, and/or
- Forward the filtered message to an administrator address
Let's add a few content types to
filter. Click the "Add..." button. When the "Attachment Filter"
dialog comes up, for an example try blocking MP3 files by following the
example in section Antivirus
Control of Email and Attachment Filtering of your manual.
That completes our set up of the antivirus configuration.
1.12 Antispam
Kerio MailServer is a true antispam mail server, combating spam with SMTP authentication, support for public databases of spammers, efficient content filtering, antispoofing, and dynamic limitation of SMTP server capacity.
In this section we will configure the SMTP Server and Spam Filter in the Administration Console. Begin by selecting the SMTP Server section.
We will use the first tab, Relay Control, to secure the
server against unauthorized relay by potential spammers. By controlling
relay, administrators can reduce overall spam on the Internet and prevent
getting blacklisted by other mail servers.
Kerio MailServer adds
the flexibility to specify which friendly IP addresses are allowed to
relay. In environments in which e-mail clients authenticate when sending
mail, administrators can also choose to allow relay for users
authenticated through SMTP for outgoing mail. Similarly, administrators
can allow relay for users previously authenticated through POP3 from the
same IP address (POP3 before SMTP).
In the Relay Control tab, we
will select the radio button to allow relay only for IP addresses we know
and authenticated users.
At this time let's add a new IP address
group we know by selecting the "Edit..." button and clicking the
"Add..." button in the IP Groups dialog. It is best to use a
private IP address for testing. For an example IP address group we'll
enter the following.
- Name: testdomain2.lab
- Type: Host or Network/Mask or Address Range
- IP Address: x.x.x.x (Your LAN IP mask or range or remote server that you want to relay through this MailServer.)
- Description: example IP group
In the Relay Control tab, check the "Users from IP address group" check box, and select your new example IP group from the drop-down box. Check the "Users authenticated through SMTP for outgoing mail" check box to require e-mail clients to authenticate when sending mail.
The second tab in the Configuration / SMTP Server section is the Security Options tab. These settings are standard SMTP security options that can be used to block spam by restricting the behaviors that spammers use to send it. Blocking spam at the SMTP level helps make your MailServer more efficient by reducing the number of e-mails that have to be processed by the more CPU-intensive antispam layers.
As you get to know your traffic patterns by reviewing Status and
Logs sections of the Administration Console, the "Security Options", "SMTP
Delivery", and "Queue Options" tabs in the Configuration / SMTP Server
section will lend additional value in the battle against spam.
For instance, these tabs let you set quotas for e-mail sent per hour, and limit the number of e-mails that one user (IP address) can send within a specific time period (significantly reducing the risk of mail server abuse if a spammer has acquired trusted user access rights). A concurrent connection limit sets the number of concurrent SMTP connections allowed from one IP address (one user), preventing the use of specially designed spam programs that open multiple connections to increase the number of e-mails sent to the SMTP server.
Next, go to Configuration / Content Filter / Spam Filter / Blacklists. Kerio MailServer comes preconfigured with a list of RBLs (Real-time Blackhole Lists); administrators can choose to block and/or log IP addresses that are found in these blacklists. ORDB, SORBS, SpamCop, and SpamHaus are non-profit organizations which store IP addresses of verified open SMTP relays and other IP addresses used frequently for spam attacks.
Kerio MailServer also gives administrators the flexibility to add other third-party blacklists as well as their own custom lists.
To maximize our blacklist protection, select to block and log all ORDB, SORBS, SpamCop, and SpamHaus lists.
If legitimate e-mail is being blocked by one of these lists, you can check the Logs / Security log to verify whether the sender's e-mail address or mail server IP address is listed. If it is, you can simply add the sender's mail server IP address to the IP address group under the Custom whitelist of IP addresses section.
Next let's move onto the primary layer
of antispam security for Kerio MailServer, SpamEliminator. SpamEliminator
analyzes each e-mail message against multiple criteria and gives it a
numerical rating. If the message rating exceeds the threshold set by the
user, the message is marked as spam and filtered according to the user's
wishes.
You can access the SpamEliminator in the Configuration /
Content Filter / Spam Filter section of the Administration Console.
You can define custom message rules that can either
force the spam filter to accept or reject matching messages without regard
to the score assigned by SpamEliminator, or increase or decrease the
score. For now, just check the "Enable SpamEliminator Rating"
to assign spam probability scores and check the "Enable scanning of
messages sent from trusted relay agents defined in SMTP relay options",
i.e., our example IP group.
Try adding at least one custom rule to
see how it works by clicking the "Add" button. Define a Custom Rule
called "Empty". In the Custom Rule dialog, enter the following.
- Description: Empty
- Header: From
- Type: is empty
- Then (radio button): reject message
Select the Spam Rating tab to determine what Kerio MailServer should do if a message's score is higher than the threshold score you set, or if a message was rejected by a 'Deny' custom rule.
A threshold setting of "5" is the default. How to balance the risk of blocking legitimate e-mail (false positives) against letting spam through varies by organization, so SpamEliminator settings may differ. To be safe, keep the default settings with the "Mark the message as spam" radio button selected, and the "Prepend message's Subject" box checked with "**SPAM**" in the text field.
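The flow described above (custom rules that force accept/reject or adjust the score, then the Spam Rating threshold and the "**SPAM**" subject prefix), modelled as an added example that is not Kerio's code. The rule list, the score weights and the sample messages are constructed for illustration.

```python
from email import message_from_string

THRESHOLD = 5.0          # Spam Rating default from the page; "higher than" marks spam
SPAM_TAG = "**SPAM**"    # prepended to the Subject when a message is marked

# Constructed rules in the shape of the Custom Rule dialog:
# (description, header, type, value, action, score delta). Rules are applied
# in order; "accept" and "reject" short-circuit regardless of the score.
CUSTOM_RULES = [
    ("Empty",   "From",    "is empty", None,               "reject", 0.0),
    ("Partner", "From",    "contains", "@testdomain2.lab", "accept", 0.0),
    ("Lottery", "Subject", "contains", "lottery",          "score",  3.0),
]

# Constructed sample messages (headers only matter here).
SAMPLE_MESSAGES = {
    "empty_from": "From: \nSubject: hi\n\nbody\n",
    "partner":    "From: boss@testdomain2.lab\nSubject: lottery results\n\nbody\n",
    "promo":      "From: promo@example.com\nSubject: You won the lottery\n\nbody\n",
}


def rule_matches(msg, header, rule_type, value):
    """Evaluate one custom-rule condition against a parsed message."""
    actual = msg.get(header)
    if rule_type == "is empty":
        return actual is None or actual.strip() == ""
    if rule_type == "contains":
        return actual is not None and value.lower() in actual.lower()
    raise ValueError("unknown rule type: %s" % rule_type)


def rate_message(raw, base_score):
    """Return (verdict, score, message). base_score stands in for the
    SpamEliminator rating; verdict is rejected, accepted, spam or ok."""
    msg = message_from_string(raw)
    score = base_score
    for _desc, header, rtype, value, action, delta in CUSTOM_RULES:
        if not rule_matches(msg, header, rtype, value):
            continue
        if action == "reject":
            return "rejected", score, msg
        if action == "accept":
            return "accepted", score, msg
        score += delta                      # "score" action adjusts the rating
    if score > THRESHOLD:
        tagged = "%s %s" % (SPAM_TAG, msg.get("Subject", ""))
        if "Subject" in msg:
            msg.replace_header("Subject", tagged)
        else:
            msg["Subject"] = tagged
        return "spam", score, msg
    return "ok", score, msg


if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        verdict, score, msg = rate_message(raw, 2.5)
        print(name, verdict, score, msg["Subject"])
```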
Also in
the Configuration / Content Filter / Spam Filter section are the Caller ID and SPF tabs. Caller ID uses
Microsoft's specification and SPF (Sender Policy Framework) is an open source protocol. Both use special DNS records to address the widespread problem of domain
spoofing. Kerio MailServer implements these new specifications to help
detect whether an e-mail message is really coming from whom it says it is.
Add an additional layer of spam prevention by selecting
the "Check the Caller ID of every incoming message" check box in the Caller ID tab and "Enable SPF check of every incoming message" check box in the SPF tab. You have
the flexibility to add a spam score, reject, or log messages with an
invalid IP address. Since this is a relatively
new specification that depends on other companies modifying their domain
name records, not all spoofers will be blocked by Caller ID and SPF yet.
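The SPF check described above, as an added example that is not Kerio's code: a minimal evaluator for the ip4, ip6, include and all mechanisms, run against constructed TXT records instead of live DNS, with the result mapped onto the three actions the SPF tab offers. The domains, addresses and the softfail weight are assumptions.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (assumed, not real domains).
DNS_TXT = {
    "testdomain.lab": "v=spf1 ip4:192.0.2.0/24 include:relay.testdomain.lab -all",
    "relay.testdomain.lab": "v=spf1 ip4:198.51.100.25 ~all",
    "v6.lab": "v=spf1 ip6:2001:db8::/32 -all",
    "nospf.lab": None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, client_ip, depth=0):
    """Evaluate the sender domain's SPF policy for the connecting IP.

    Returns pass, fail, softfail, neutral, none (no policy published) or
    permerror. Only ip4, ip6, include and all are implemented here.
    """
    if depth > 10:                      # RFC 7208 limits include recursion
        return "permerror"
    record = DNS_TXT.get(sender_domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # An IPv4 address never matches an ip6 network and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced policy yields "pass"
            if check_spf(arg, client_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched, no "all" term


def spf_action(result, score=0.0):
    """Map the SPF result onto the three actions the SPF tab offers:
    reject the message, add to its spam score, or only log the check."""
    if result == "fail":
        return "reject", score
    if result == "softfail":
        return "score", score + 2.0     # constructed weight, not a Kerio default
    return "log", score


if __name__ == "__main__":
    for domain, ip in [("testdomain.lab", "192.0.2.10"), ("testdomain.lab", "203.0.113.9")]:
        result = check_spf(domain, ip)
        print(domain, ip, result, spf_action(result))
```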
The last tab in the Configuration / Content Filter / Spam Filter section is the Spam Repellent tab. Spam Repellent helps fight off spam zombies and viruses by delaying replies during the SMTP handshake, which tricks spammers into thinking that there is no mail server to send e-mails to. Legitimate e-mail will not be affected because legitimate mail servers will retry delivery.
When you enable this feature, be sure to enter the local IP addresses that will relay through this MailServer into "Do not apply delay for connections from" to avoid any connection issues for e-mail clients.
This completes our
review of the Kerio MailServer antispam tools.
1.13 Encryption and authentication
Kerio MailServer uses SSL (Secure Sockets Layer), as merged into the Transport Layer Security (TLS) protocol, the leading security protocol on the Internet, to secure e-mail transactions.
The principle behind secure services in Kerio MailServer is that
all communication between the client and the server is encrypted to
protect it from intrusion and to prevent misuse of transmitted
information. The SSL encryption protocol used for this purpose uses an
asymmetric cipher first to exchange a symmetric key.
In this case
asymmetric refers to a difference between two opposing modes, i.e.,
typically, a speed disparity. For example, in asymmetric operations it
takes longer to compress and encrypt data than to decompress and decrypt
it. Asymmetric is in contrast to symmetric, in which there is no
difference in opposing modes. For example, in symmetric operations, it
takes the same time to compress and encrypt data as it does to decompress
and decrypt it.
In Kerio MailServer the asymmetric cipher uses two
keys: a public one for encrypting and a private one for decrypting. As
their names suggest, the public (encrypting) key is available to anyone
wishing to establish a connection with the server, whereas the private
(decrypting) key is available only to the server and must remain secret.
The client, however, also needs to be able to identify the server (to find
out if it is truly the server and not an impostor). For this purpose there
is a certificate, which contains the public server key, the server name,
expiration date and other details. To ensure the authenticity of the
certificate it must be certified and signed by a third party, the
certification authority.
Kerio MailServer ships with a test
certificate, created for testing purposes. The test certificate is saved
in the server.crt file in the directory where Kerio MailServer is
installed. The second file in this directory, server.key, contains the
server's private key. Since this is only intended to be a test
certificate, the certificate is identical for all distributions of Kerio
MailServer and simply allows operation of secure services in Kerio
MailServer.
Go to the Configuration / SSL Certificates section of
the Administration Console and click the "New" button to see how to
request a new certificate.
Then go to the Configuration / Advanced Options section to adjust encryption options in the Security Policy tab. Here you can require encrypted connections and specify friendly IP addresses from which to accept unencrypted connections.
For an added measure of security, let's choose the
"Require encrypted connection" option for our security policy.
The Configuration / Advanced Options section of the Administration Console also allows us to configure some important authentication options. The Security Policy tab offers several authentication methods, and also lets you specify friendly IP addresses from which to allow insecure authentication.
- The CRAM-MD5 (Message Digest 5) SASL (Simple
Authentication and Security Layer) mechanism uses user name
(authorization identity only) and password to authenticate users. Only a
hashed password is transferred. Users are validated either by having the
SASL mechanism retrieve the raw password from the application and
perform the validation internally, or by calling the application with
the CRAM-MD5 challenge and response to decide. This method of
authentication was at one time proposed as a required mechanism for LDAP
v3 servers, but has since been superseded by DIGEST-MD5.
- DIGEST-MD5 is an algorithm used to create digital
signatures. MD5 is a one-way hash function, meaning that it takes a
message and converts it into a fixed string of digits, also called a
"message digest". When using a one-way hash function, authentication
applications can do a special comparison, called a "hashcheck" to
compare a calculated message digest against the received message digest
to verify that the message was not tampered with.
- The LOGIN mechanism for authentication uses user
name (authorization identity only) and password to authenticate users.
User validation is done either by having the SASL mechanism retrieve the
raw password from the application and perform the validation internally,
or by calling the application with authorization identity and password
to decide.
- For Active Directory, you can allow NTLM (NT
LanMan) authentication, an authentication scheme for HTTP used in
various Microsoft network protocol implementations, for users with
Kerberos authentication.
- The PLAIN mechanism for authentication uses the username (authentication identity and authorization identity) and password to authenticate users. User validation is accomplished either by having the SASL mechanism retrieve the raw password from the application and perform the validation internally, or by calling the application with the authentication identity, authorization identity and password to decide.
Each of these authentication methods is effective and commonly used. Choose the authentication methods used within your organization. For instance, if your organization is Mac-only or Linux-only, NTLM may not be of concern. For this example, let's enable all authentication methods in the Security Policy tab so as to avoid the possibility of inadvertently excluding some users.
You can also configure domain-specific user authentication in the Configuration / Domains section. When you "Add" or "Edit" a domain in this section, the Domain dialog lets you choose Kerberos 5 or Windows NT domain authentication.
Another important configuration to consider for encryption and authentication is POP3 downloads. Kerio MailServer allows for Secure POP3, in which all communication is encrypted by SSL. So, when your POP3 users retrieve messages from their accounts, those messages cannot be easily tapped.
Open the Configuration / POP3 Download
section of the Administration Console. Click the "Add..." button to
add a new POP3 account called pop3.testdomain.lab, for example, for one of
the test user accounts you created. The Advanced tab of each POP3 Account
dialog includes a "Use SSL" check box to determine SSL mode, e.g., either
a special port or an STLS (STARTTLS) command.
STARTTLS is the SMTP command to "Start Transport Layer
Security"; or, in other words, to turn on SSL. The default port for POP3
SSL is port 995; however, Kerio MailServer adds the flexibility to use any
other port.
You can also choose between Plain and APOP for POP3 authentication. APOP is a POP3 setting that encrypts the username and password, an authentication mechanism designed to protect user POP3 account passwords when checking mail. APOP authentication is helpful because it does not require a user's account password to be sent as plain text to the POP3 server.
In the Advanced tab check the "Use SSL"
box. For SSL Mode choose a special port, e.g., 995 for default. "Plain"
POP3 authentication is fine for this example.
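The two challenge-response schemes this chapter mentions, CRAM-MD5 (in the Security Policy list above) and APOP (just described), worked from both the client and the server side as an added example that is not Kerio's code. It shows why only a hash derived from the password crosses the wire and why a captured response cannot be replayed against a fresh challenge; the user database, password and challenge format are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed user database. Both schemes hash the server's challenge with
# the password, so the server must hold the raw password (or an equivalent
# secret), which is the first validation mode the page describes for CRAM-MD5.
USERS = {"alice@testdomain.lab": "correct horse battery staple"}


def cram_md5_challenge():
    """Server side: an unpredictable, base64-encoded challenge (RFC 2195)."""
    nonce = "<%s.%d@testdomain.lab>" % (secrets.token_hex(8), int(time.time()))
    return base64.b64encode(nonce.encode()).decode()


def cram_md5_response(username, password, challenge_b64):
    """Client side: base64('username ' + hex(HMAC-MD5(key=password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(("%s %s" % (username, digest)).encode()).decode()


def cram_md5_verify(challenge_b64, response_b64):
    """Server side: recompute the HMAC for the claimed user and compare.
    Malformed responses and unknown users fail closed."""
    try:
        username, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    except ValueError:
        return False
    password = USERS.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def apop_digest(timestamp_banner, password):
    """APOP (RFC 1939): MD5 of the server's <timestamp> banner + password."""
    return hashlib.md5((timestamp_banner + password).encode()).hexdigest()


def apop_verify(timestamp_banner, username, digest):
    """Server side check of an APOP command for the banner it sent."""
    password = USERS.get(username)
    if password is None:
        return False
    return hmac.compare_digest(apop_digest(timestamp_banner, password), digest)


if __name__ == "__main__":
    challenge = cram_md5_challenge()
    response = cram_md5_response("alice@testdomain.lab", USERS["alice@testdomain.lab"], challenge)
    print("CRAM-MD5 accepted:", cram_md5_verify(challenge, response))
    print("replay accepted:  ", cram_md5_verify(cram_md5_challenge(), response))
```

Both schemes are MD5-based legacy mechanisms; the point of the example is the challenge-response shape, which is what keeps the password itself off the wire.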
Note that in addition to Secure POP, Kerio MailServer also has Secure IMAP (Internet Message Access Protocol) for mailbox access from multiple locations, Secure WebMail/WAPmail with secured access (HTTPS protocol, SSL encrypted) for wireless mobile devices, and Secure LDAP using SSL encryption to enable users to securely access centrally managed contacts.
This
completes our review of encryption and authentication for Kerio
MailServer. Now that you have successfully installed Kerio MailServer and
reviewed some of the key security features, we are ready to move on to the
next section.