Password policy in Kerio Connect

To secure users and their passwords in Kerio Connect:

  • Advise users to create strong passwords
  • Require complex passwords (for local users)
  • Enable password expiry (for local users)
  • Protect against login guessing

Creating strong user passwords

Strong user passwords should be long and complex. The following guidelines may help you in advising your users:

  • Long
  • Passwords should be at least 8 characters long.
  • Complex
  • Passwords should contain all of the following:
  • Lowercase letters
  • Uppercase letters
  • Numbers
  • Special characters

Users should change their password often.

Generating strong passwords

Kerio Connect can generate strong passwords for your users:

  1. Go to the Users section.
  2. Select a user and click Edit.
  3. On the General tab, click Generate.

  1. Copy the generated password and give it to user.
  2. Click OK.

Requiring complex passwords (for local users)

In Kerio Connect, you can force local users to create strong and complex passwords.

Complex password:

  • Must be at least 8 characters long,
  • Must include at least 3 types of characters (lowercase, uppercase, numbers, symbols),
  • Cannot include user's domain and username, and any part of user's fullname (longer than 2 characters).

To configure complex passwords for individual domains:

  1. In the administration interface, go to the Configuration > Domains section.
  2. Select a domain and click Edit.
  3. On the Security tab, enable the User passwords must meet complexity requirements option.
  4. Click OK.

From now on, each time local users changes their password in Kerio Connect Client, they must create a password which complies with the Kerio Connect's complexity requirements.


Remember to enable users to change their passwords in Kerio Connect Client.

This also applies when administrators change passwords via the administration interface.

Enabling password expiry (for local users)

To secure local user passwords, you can enable password expiration.

  1. In the administration interface, go to the Configuration > Domains section.
  2. Select a domain and click Edit.
  3. On the Security tab, enable the User must change password every option.
  4. Set the number of days after which users must change their password.
  5. Click OK.


Any change to these settings (checking/unchecking the option) resets the counter for password expiry.

Notifying about the expiration

Kerio Connect sends notifications to users before their password expires. Kerio Connect sends the notifications 21, 14 and 7 days before expiration, and then every day until the password expires.

Users must change their password in Kerio Connect Client.

If users fail to change their password, they cannot login to their account and must contact their administrator (who changes the password for them in their user settings).

If an administrator password expires, the administrator can login to the administration interface to change their password.

Protecting against password guessing attacks

Kerio Connect can block IP addresses suspicious of password guessing attacks (ten unsuccessful attempts in one minute).

  1. Go to section Configuration > Security > the Security Policy tab.
  2. Select the Block IP addresses suspicious of password guessing attacks option.


IP address is blocked for individual services. If POP3 is blocked, attacker can attempt logging via IMAP.

  1. You can select a group of trustworthy IP addresses.
  2. To block all services, check option Block user accounts probably targeted by password guessing to lock the affected accounts.
  3. Click OK.

When an account is blocked, user cannot log in. Kerio Connect unlocks the blocked accounts after 5 minutes. For immediate unlocking (throughout all the domains), click Unlock All Accounts Now.

This action is not identical with temporary disabling user accounts.

  • 1 Users Found This Useful
Was this answer helpful?

Related Articles

Securing Kerio Connect

You can secure your Kerio Connect by: Restricting communication on firewall to necessary...

Configuring anti-spoofing in Kerio Connect

About Anti-spoofing Spammers can "spoof" your email address and pretend their messages are...

Authenticating messages with DKIM

DomainKeys Identified Mail (DKIM) signs outgoing messages from Kerio Connect with a special...

Configuring DNS for DKIM

Adding a DKIM record to your DNS The process of adding a DKIM record to your DNS may vary...

Configuring SSL/TLS in Kerio Connect

NOTE New in Kerio Connect 8.5! Kerio Connect allows you to enable or disable specific...