You can secure your Kerio Connect by:
- Restricting communication on firewall to necessary IP addresses and ports
- Creating a strong password policy
- Configuring a security policy
- Configuring an SMTP server
- Using antispam and antivirus
- Enabling DKIM signature
- Enabling sender anti-spoofing protection
- Encrypting data
Configuring your firewall
If you install Kerio Connect in a local network behind a firewall, map these ports as follows:
Password policy
Read Password policy in Kerio Connect for detailed information on user passwords.
Configuring a secure connection to Kerio Connect
Kerio Connect can do either of the following:
- Secure user authentication
- Encrypt the whole communication
Go to Configuration > Security > Security Policy to select your preferred security policy.
You can define a group of IP addresses that can authenticate insecurely (for example, from local networks).
Securing user authentication
If you select the Require secure authentication option, users must authenticate securely when they access Kerio Connect.
You can select any of the following authentication methods:
- CRAM-MD5 — password authentication using MD5 digests
- DIGEST-MD5 — password authentication using MD5 digests
- NTLM — use only with Active Directory
- SSL tunnel if no authentication method is used
If you select more than one method, Kerio Connect uses the first available method.
NOTE
If users' passwords are saved in the SHA format:
- Select PLAIN and/or LOGIN.
- Do not map users from a directory service.
Data Encryption
NOTE
- This feature is only available for users running Kerio Connect v9.2.7 and above on Linux.
- Data Encryption is not supported on external or removable disks, or on multi-volume data storage.
- The initial encryption and decryption process takes a considerable amount of time to complete, depending on the size of the email data. Do not interrupt the process, as this will result in a corrupted email store. Email delivery is also unavailable during this time.
Enabling Encryption
You can configure Kerio Connect to encrypt user settings, logs, system configuration, and messages saved to the disk.
IMPORTANT
Encryption is bound to a specific storage device, so if you plan to change the hardware, you must first disable encryption. Encryption also uses more resources, so performance may be impacted.
- In the Kerio Connect administration interface, go to Configuration > Advanced Options > Store Directory.
- Go to the Data Encryption section.
- Enter the Password, then re-enter it to confirm.
IMPORTANT
Once encryption is enabled, the password cannot be changed. Remember this password, because you need it to decrypt the data.
- Click Encrypt and confirm the action.
Disabling Encryption
To decrypt data and disable encryption:
- In the Kerio Connect administration interface, go to Configuration > Advanced Options > Store Directory.
- Go to the Data Encryption section.
- Click Decrypt.
- Enter the Password you set when encrypting and confirm the action.
Encrypting user communication
If you select the Require encrypted connection option, clients connect to any service via an encrypted connection (the communication cannot be tapped).
You must allow the secured version of all services you use on your firewall.
NOTE
Many SMTP servers do not support SMTPS and STARTTLS. To provide advanced security, the SMTP server requires secure user authentication.
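To confirm from the client side that the security policy chosen above is in effect on the SMTP service, you can audit the capabilities the server advertises in its EHLO reply. The following is an added example, not part of the Kerio documentation or product: it parses EHLO replies and reports when STARTTLS is missing or when PLAIN/LOGIN are offered before TLS is active. The sample replies and the host name mail.example.test are constructed.

```python
import re

CLEARTEXT = {"PLAIN", "LOGIN"}  # password is only base64-encoded on the wire

def parse_ehlo(reply):
    """Parse a multi-line EHLO reply into {KEYWORD: [PARAM, ...]}."""
    caps = {}
    lines = [l for l in reply.splitlines() if l.strip()]
    for line in lines[1:]:  # line 1 is the server greeting, not a capability
        m = re.match(r"^250[- ](\S.*)$", line)
        if not m:
            raise ValueError(f"unexpected reply line: {line!r}")
        # Normalise the legacy "AUTH=LOGIN PLAIN" spelling some servers also send.
        words = re.sub(r"(?i)^AUTH=", "AUTH ", m.group(1)).split()
        caps.setdefault(words[0].upper(), []).extend(w.upper() for w in words[1:])
    return caps

def audit(reply, tls_active):
    """Return findings for one EHLO reply; tls_active says if TLS is already up."""
    caps = parse_ehlo(reply)
    findings = []
    if not tls_active:
        if "STARTTLS" not in caps:
            findings.append("STARTTLS not offered on cleartext session")
        for mech in sorted(set(caps.get("AUTH", [])) & CLEARTEXT):
            findings.append(f"{mech} offered without TLS")
    return findings

# Constructed sample replies (mail.example.test is a placeholder host).
WEAK = ("250-mail.example.test Hello\r\n250-SIZE 20971520\r\n"
        "250-AUTH PLAIN LOGIN CRAM-MD5\r\n250 8BITMIME\r\n")
HARDENED = ("250-mail.example.test Hello\r\n250-STARTTLS\r\n"
            "250-AUTH CRAM-MD5 DIGEST-MD5\r\n250 8BITMIME\r\n")
AFTER_TLS = ("250-mail.example.test Hello\r\n250-AUTH=LOGIN PLAIN\r\n"
             "250 AUTH PLAIN LOGIN\r\n")

if __name__ == "__main__":
    for name, reply, tls in [("weak", WEAK, False),
                             ("hardened", HARDENED, False),
                             ("after STARTTLS", AFTER_TLS, True)]:
        print(name, "->", audit(reply, tls) or "ok")
```

To run the same check against a live server, pass audit() the EHLO reply captured before STARTTLS with tls_active=False, and the reply captured after the TLS handshake with tls_active=True.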