Kerio Mail Server
The Kerio Mail Server is a cross-platform (Windows, Linux, and Mac OS X) mail server. I tested it on RedHat Linux 8.
Before we get into the details, let me say that I was very impressed. This is well done, and they have paid attention to important details. I have a few minor nit-picks here and there, but overall I can highly recommend it.
As some of the people reading this will be aware that I also sell the SME Mail Server, I’ll also offer some comparisons between these very different approaches at the end of my review.
This was actually the most annoying part of the entire process. I say that not because it was horribly difficult, but only because it could have been much easier. Neither the enclosed manual nor the CD were particularly helpful. The manual tells you that you install Linux RPMS, but doesn’t tell you where they are on the CD. Of course, they aren’t very hard to find, but the CD directories are Windows/Mac GUI style: imbedded spaces in directory names, making it annoying to navigate from the command line. I’ve said this more than once: just because you CAN use spaces in a directory or file name doesn’t mean that you SHOULD. But as all the regular readers know, I’m a grumpy old curmudgeon and you should ignore me when I start muttering about these things.
(Kerio tech support read this and noted that most people just download the software rather than getting the CD, but did agree that the spaces should be changed to underscores and promised to do that).
I found the kerio-mailserver-5.62-rh7.rpm and the kerio-mailserver-admin-5.62-rh7.rpm and installed both.
The manual tells you to run /opt/kerio/mailserver/wizard for initial configuration, but it is actually “cfgwizard”, not “wizard” (Kerio says they’ll fix that next release of the manual). There is very small notice of things you will have to do to an existing Linux server, such as disabling sendmail and other mail related things you may have running (POP3), changing firewall rules, etc. You probably shouldn’t be installing this if you aren’t comfortable with Linux. Yes, they do have a Windows version, but you can probably well imagine my horror at running a mail server on Windows!
Kerio tech support noted that I missed this:
When you install the RPM, it gives you a note to read /opt/kerio/mailserver/doc/REDHAT-README, which actually contains instructions on how to stop and disable both sendmail and, and how to tell (netstat -tlp) what network servers are running.
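The check that `netstat -tlp` makes possible, as an added example that is not part of the original review or of Kerio's README: it scans listener output for anything already bound to the ports the mail server's services need. The port list is the standard assignment for the services named in this review (an assumption, not Kerio documentation), and the sample output is constructed.

```python
# Standard TCP ports for the services this review lists (assumed defaults),
# with the names netstat prints when run without -n. Service names come from
# /etc/services and can differ between distributions.
MAIL_PORTS = {
    25: "smtp", 110: "pop3", 995: "pop3s", 143: "imap", 993: "imaps",
    80: "http", 443: "https", 389: "ldap", 636: "ldaps",
}
NAME_TO_PORT = {name: port for port, name in MAIL_PORTS.items()}

# Constructed sample of `netstat -tlp` output; not captured from a real host.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:smtp                  *:*                     LISTEN      812/sendmail: accep
tcp        0      0 *:pop3                  *:*                     LISTEN      640/xinetd
tcp        0      0 *:ssh                   *:*                     LISTEN      601/sshd
tcp        0      0 127.0.0.1:631           *:*                     LISTEN      655/cupsd
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      -
"""


def conflicting_listeners(netstat_output):
    """Return sorted (port, local_address, owner) for listeners on mail ports."""
    conflicts = []
    for line in netstat_output.splitlines():
        # Seven columns; the last one (PID/Program name) may contain spaces.
        fields = line.split(None, 6)
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        local = fields[3]
        service = local.rsplit(":", 1)[-1]  # numeric port or service name
        port = int(service) if service.isdigit() else NAME_TO_PORT.get(service)
        if port in MAIL_PORTS:
            # "-" in the owner column means netstat was run without root.
            owner = fields[6].strip() if len(fields) > 6 else "-"
            conflicts.append((port, local, owner))
    return sorted(conflicts)


if __name__ == "__main__":
    for port, local, owner in conflicting_listeners(SAMPLE):
        print(f"port {port} already in use at {local} by {owner}")
```

An owner of "-" is worth a second look as root, since the process holding the port is not identified.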
The Admin package can administer servers on any platform, so I installed the Mac OS X version of that. That had a few resolution or screen placement problems; some controls were slightly distorted or out of place, but it worked fine. Here’s a screenshot:
Notice the “Edit” button is slightly skewed. No big deal, of course. The Linux admin console had no such glitches administering its own server. This screen also shows the definition of IP Address Groups, which will be mentioned later.
The main Administration Console offers four major groups: Configuration, Domain Settings, Status, and Logs. There is some overlap here and there; for example you can configure basic SMTP access under Configuration->Services, but relaying is configured under Configuration->SMTP Server. That actually makes sense: if, for example, you configure SMTP Services to accept connections only from the local lan, any attempt to access port 25 from outside the lan will be rejected. Within SMTP Server, you can control relaying (even down to individual hosts). This is very welcome.
Every service (SMTP, POP3, Secure POP3, IMAP, Secure IMAP, Webmail, Secure Webmail, LDAP, Secure LDAP) can be turned on and off, set to start automatically or manually, can be set to run on a non-standard port, and access can be set down to the host level.
Access to services means that your connection attempt will be refused if you aren’t allowed access. By default, all services are running, started automatically, and not blocked at all. To add access control, simply edit the service you wish to control, and check “Allow access only from selected ip address group”. You’ll see this same control in other places, and it is quite well done. Basically you create “groups”. A group can contain specific hosts, ip ranges (by beginning to end or by netmask) and other groups. This lets you be very specific about access control, although there’s no exclusion here, only inclusion (you can blacklist specific hosts/groups at the SMTP server level though). I’d like to see exclusionary capability here, too (of course you could always do this at the Linux firewall level).
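A model of the group semantics described above, as an added example (not Kerio's code or configuration format): groups hold single hosts, begin-to-end ranges, netmask ranges and other groups, and a service either has no restriction or admits only members of one group. The member syntax, class and function names are hypothetical, and the addresses are constructed.

```python
import ipaddress


class AddressGroups:
    """Named groups of hosts, begin-end ranges, networks and other groups."""

    def __init__(self):
        self.groups = {}

    def add(self, name, *members):
        # Member forms (hypothetical syntax): "172.16.5.9", "10.0.0.10-10.0.0.20",
        # "192.168.1.0/255.255.255.0", or "@other" to nest another group.
        self.groups.setdefault(name, []).extend(members)

    def contains(self, name, addr, _seen=None):
        ip = ipaddress.ip_address(addr)
        seen = _seen if _seen is not None else set()
        if name in seen:  # nesting loop (a -> b -> a): stop instead of recursing
            return False
        seen.add(name)
        # An undefined group has no members, so the check fails closed.
        for member in self.groups.get(name, []):
            if member.startswith("@"):
                if self.contains(member[1:], addr, seen):
                    return True
            elif "-" in member:
                first, last = (ipaddress.ip_address(p.strip())
                               for p in member.split("-", 1))
                if first <= ip <= last:
                    return True
            elif "/" in member:
                if ip in ipaddress.ip_network(member, strict=False):
                    return True
            elif ip == ipaddress.ip_address(member):
                return True
        return False


def service_allows(groups, restrict_to, addr):
    """Inclusion only: with no group selected the service is open to everyone."""
    return True if restrict_to is None else groups.contains(restrict_to, addr)


# Constructed sample groups.
GROUPS = AddressGroups()
GROUPS.add("lan", "192.168.1.0/255.255.255.0")
GROUPS.add("branch", "10.0.0.10-10.0.0.20", "172.16.5.9")
GROUPS.add("trusted", "@lan", "@branch")
```

Because there is no exclusion at this level, carving one host out of "lan" means splitting the range into groups that leave it out, or blocking it at the firewall as the review suggests.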
Domains can be independent or aliased. For example, I can have “apl.org”, add users to it, and if I add an alias “aplawrence.org”, mail to a user in either domain will go to the same account. However, if I create a separate domain, “foo.org”, a user added there is entirely different from those in “apl.org” and “aplawrence.org”.
Within Domains, you can specify a footer to be added to each email sent from that domain, forwarding to another SMTP server/port for unknown users, and even specify active directory or kerberos servers. A domain can be bound to a specific IP address. Forwarding can be immediate, scheduled or triggered by ETRN from the other server.
Here you have the choice of using direct MX record message delivery, or a relay server. This section also lets you specify how often to retry delivery, when to warn the sender of delivery problems, and how many days to wait before giving up entirely. It is very nice to have such full control.
By default, the server won’t relay (deliver messages to users outside of its own domains) for anyone, not even a user logged on to this machine. You do have the option of setting it to be an open relay, but it’s not likely you’d want to do that. You have the ability to use the access groups as mentioned under Services above, or you can require SMTP authentication, or allow relay if the user has authenticated by POP3 within some period of time you specify.
You can also specify Blacklists. There are built-in selections (www.mail-abuse.org and www.ordb.org), and you can specify your own, again using the Access List method. The combination of IP address groups and blacklists gives you very precise control over who can use your server and who can send you mail.
There are more Security options here: you can specify a maximum number of messages per hour from one ip address, a maximum number of concurrent SMTP connections from one address, and also a maximum number of unknown recipients (that could be an indication of spamming). You can specify an access group that these limits do not apply to, which might allow more freedom to local users etc. These types of controls have become much more important in recent years.
You can block if the sender’s address doesn’t resolve with DNS (another anti-spam control) and specify the maximum number of recipients you will accept in one message. Other useful anti-abuse controls include limiting the number of failed SMTP commands (for example attempts to relay or send to unknown users) and rejecting messages that have gone through too many relays prior to getting here. Finally, you can specify a maximum size for messages. That’s a global limit that is above the user quotas that can be applied individually.
The Kerio Mail Server uses SpamAssassin, and gives you full control over its configuration, including the ability to add rules to accept or reject messages regardless of SpamAssassin’s scoring, or increase/decrease the score. You also get full control over the disposition of messages: add a Spam header, discard it, return to sender, or forward to some other address. I really like that level of control, especially being able to “whitelist” senders.
Kerio offers McAfee as an option, but the server can use other vendors too. Attachment handling is also in this tab: you can separately specify what to do about .exe, .doc files, etc. Messages tagged by the virus scanner or because of attachments can be blocked, have the attachment removed, or be forwarded to an administrative address. The sender can be notified, or notification can be limited to messages that originated locally. That’s useful – many external virus messages are spam that shouldn’t be replied to, but you’d probably still want to let local users know about viruses in their outgoing messages.
No, this isn’t system backup. This rather lets you store automatic copies of messages. (Screenshot: Kerio Mail Server Backup.) This is a very important feature for some industries, and could be handy for just about anyone. Notice the options available in the screenshot allow viruses to be stored intact if desired.
The Kerio Mail Server can schedule sending mail, downloading from another POP server, or sending an ETRN to another server. If your server is on dialup, you can allow it to establish a connection if needed. POP and ETRN downloads have their own configuration tabs also, where you can specify multiple servers, sorting rules etc. There’s a lot of flexibility here. You can download from multiple POP servers (while still receiving SMTP mail, of course).
You can generate a self-signed certificate or import a “real” certificate. Certificates are necessary if you want to use any of the secure protocols.
There are other security related options under Advanced Options. These include requiring specific authentication methods, doing reverse DNS lookups and other more advanced settings. It is really good to see these capabilities made easily available for configuration.
Users are added on a per-domain basis, or can be imported from a Windows NT domain or Active Directory server. It’s too bad that you cannot import from Linux passwd or a Linux LDAP server too, or at the very least from a csv file. (Kerio tech support says):
It is theoretically possible to import from Linux LDAP, if you want to write your own MAP file. Look at the files in /opt/kerio/mailserver/ldapmap/ for examples
The user information is quite complete, including quotas, webmail preferences, how to authenticate each user, forwarding and more. One noticeable lack is any provision for putting a user on vacation. Of course that can easily be done at the Linux level with procmail etc., but I think that function should be part of mail server administration.
Naturally you can also assign groups and aliases. I was pleasantly surprised to see that this handles mailing lists also.
There’s nothing much to configure here. Webmail includes some nice features like shared folders, more message filtering, and cellular phone notification. There’s Wapmail (access by cellphone) also, which could be very handy now and then.
Overall Impressions and comparison to SME Server
This is a very good mail server. As mentioned above, I also sell the Mitel SME Server, so it is interesting to compare these. The most important difference is that this is a package you install on an existing Linux system, while the SME server is a complete Linux distribution which includes many other features not necessarily related to mail (VPN access, firewall, file and print services, etc.). There are advantages and disadvantages to both approaches:
With an all inclusive package like SME, all aspects of the system are under the control of one vendor. You don’t need to worry about general security issues that aren’t related to mail. On the other hand, you are also forced to wait for that vendor to provide security fixes, whereas with a stock Linux install, you can get security updates yourself the moment they are available. Of course you’d need to wait for Kerio to provide any mail related security fixes too.
The SME server, being mostly Open Source, encourages and allows customization. On the other hand, the Kerio Mail Server often offers more configuration capability with its admin tool than the SME server does. You’d need to drop to the Linux command line level to do some of the tasks that the Kerio Admin Console allows. However, if the Kerio console does not offer the function, you may have no way to do it at all, as this is mostly proprietary code.
- Independent Domains:
The Kerio Mail server allows the definition of independent mail domains as noted above. SME server only supports alias domains.
- Other software:
While other software can be installed on an SME server, this can cause conflicts and problems in some cases. This is, of course, because the SME is an integrated OS with a number of very customized sub-systems. As the Kerio Mail Server is only a mail server, other Linux software is not as likely to affect its operation.
The SME server is administered with any web browser; Kerio uses a proprietary tool. The advantage of the web browser approach is that you can immediately administer from anywhere; there’s nothing to install. The Open Source and well documented interface allows third party modules to be easily added. However, this approach also limits what can be easily done: the web interface is sometimes a little clumsy and often is much slower than a dedicated interface like Kerio Mail Server uses.
- OS Knowledge:
The SME server requires almost no OS knowledge for installation or use. The Kerio Mail Server itself requires no OS knowledge, but you will need some for installation.
The SME server comes both in a free (unsupported) version, and a paid, fully supported subscription mode. Kerio Mail Server has a free 30 day demo, but otherwise is subscription only.
The SME server, because it is an entire integrated server, is supported by Mitel and your dealer at all levels: from booting on up. As the Kerio Mail Server is simply an application on your server, they of course only support this part.
Which of these would be better for you? Well, that’s something only you’d know, but it’s easy enough to try either one out to get a hands-on look. Download the Kerio Mail Server here: http://www.kerio.com/kms_download.html and see http://www.e-smith.org/downloads/ for SME.
A.P. Lawrence provides SCO Unix and Linux consulting services http://www.pcunix.com