Securing Kerio Connect

You can secure your Kerio Connect by:

  • Restricting communication on firewall to necessary IP addresses and ports
  • Creating a strong passwords policy
  • Configuring a security policy
  • Configuring an SMTP server
  • Using antispam and antivirus
  • Enabling DKIM signature
  • Enabling sender anti-spoofing protection
  • Encrypting data

Configuring your firewall

If you install Kerio Connect in a local network behind a firewall, map these ports as follows:

Service (default port) Incoming connection
SMTP (25) allow
SMTPS (465) allow
SMTP Submission (587) allow
POP3 (110) deny
POP3S (995) allow
IMAP (143) deny
IMAPS (993) allow
NNTP (119) deny
NNTPS (563) allow
LDAP (389) deny
LDAPS (636) allow
HTTP (80, 4040, 8800) deny
HTTPS (443, 4040, 8843) allow

Password policy

Read Password policy in Kerio Connect for detailed information on user passwords.

Configuring a secure connection to Kerio Connect

Kerio Connect can do either of the following:

  • Secure user authentication
  • Encrypt the whole communication

Go to Configuration > Security > Security Policy to select your preferred security policy.

You can define a group of IP addresses that can authenticate insecurely (for example, from local networks).

Securing user authentication

If you select the Require secure authentication option, users must authenticate securely when they access Kerio Connect.

You can select any of the following authentication methods:

  • CRAM-MD5 — password authentication using MD5 digests
  • DIGEST-MD5 — password authentication using MD5 digests
  • NTLM — use only with Active Directory
  • SSL tunnel if no authentication method is used

If you select more than one method, Kerio Connect performs the first available method.


If users' passwords are saved in the SHA format:

  • Select PLAIN and/or LOGIN.
  • Do not map users from a directory service.

Data Encryption


  • This feature is only available for users running Kerio Connect v9.2.7 and above on Linux.
  • Data Encryption is not supported on external or removable disks and, on multi-volume data storage.
  • The initial encryption and decryption process takes considerable amount of time to complete based on the size of the email data. It is recommended to not interrupt the process as this will result in a corrupted email store. Email delivery is also unavailable during this time.

Enabling Encryption

You can configure Kerio Connect to encrypt user settings, logs, system configuration, and messages saved to the disk.


Encryption is bound to a specific storage device, so if you plan to change the hardware you must first disable encryption. Also, encryption results in more resources being utilized so performance maybe impacted.

  1. In the Kerio Connect administration interface, go to Configuration > Advanced Options > Store Directory.
  2. Go to the Data Encryption section.


The data encryption tab

  1. Key-in the Password and re-enter to confirm the same.


Once encryption is enabled, the password cannot be changed. Remember this password, as you would require it to decrypt data.

  1. Click Encrypt and confirm the action.

Disabling Encryption

To decrypt: data and disable encryption:

  1. In the Kerio Connect administration interface, go to Configuration > Advanced Options > Store Directory.
  2. Go to the Data Encryption section.


The data encryption tab

  1. Click Decrypt.
  2. Key-in the Password set while encrypting and confirm the action.

Encrypting user communication

If you select the Require encrypted connection option, clients connect to any service via an encrypted connection (the communication cannot be tapped).

You must allow the secured version of all service you use on your firewall.


Many SMTP servers do not support SMTPS and STARTTLS. To provide advanced security, the SMTP server requires secure user authentication.

  • 1 Users Found This Useful
Was this answer helpful?

Related Articles

Configuring anti-spoofing in Kerio Connect

About Anti-spoofing Spammers can "spoof" your email address and pretend their messages are...

Password policy in Kerio Connect

To secure users and their passwords in Kerio Connect: Advise users to create strong...

Authenticating messages with DKIM

DomainKeys Identified Mail (DKIM) signs outgoing messages from Kerio Connect with a special...

Configuring DNS for DKIM

Adding a DKIM record to your DNS The process of adding a DKIM record to your DNS may vary...

Configuring SSL/TLS in Kerio Connect

NOTE New in Kerio Connect 8.5! Kerio Connect allows you to enable or disable specific...