User Accounts

User accounts in Kerio MailServer represent physical email boxes. Users access mailboxes through user name and password authentication. Since Kerio MailServer can serve several independent domains, the user accounts are not valid globally but are only valid for a particular domain. This implies that domains must be defined before user accounts are created (for details, see chapter Domains).

Administrator account

Apart from mailbox access, a user account can also be used for access to Kerio MailServer administration, provided that the user has such rights. The basic administrator account is created during the installation process. It has the same properties as other user accounts and can be deleted by any user with read/write access rights.

The default administrator account can create and manage public folders. Public folders can be created using Kerio WebMail (for detailed information, see the Kerio WebMail manual) or using MS Outlook, if it contains the Kerio Outlook Connector extension (see chapter Kerio Outlook Connector).

The default administrator account also manages archive folders. Any message which passed through Kerio MailServer can be found in the archive.

The administrator can allow other users to access an archive folder (for details, see chapter Public and archive folders). However, since messages of all users are archived, only a trusted administrator (or a small group of trusted persons) should be allowed to access these folders.

Warning: Passwords for user accounts that have full administration rights should be kept secret so that they cannot be misused by an unauthorized user.

Special accounts: anyone and authuser

Anyone and authuser are special user accounts which should facilitate administration of rules for individual users. These accounts are not listed in the Users table.

The anyone option allows access for all users. The authuser option can be used to allow access for all users authenticated at Kerio MailServer.

Creating a New Account

New user accounts can be defined in the Domain Settings/Users section.


Figure 1. User accounts

First, choose a local domain in the Domain field, in which the accounts will be defined. Each domain may include local accounts as well as accounts saved in a directory service (e.g. Microsoft Active Directory). Both can be displayed in the Users section in the Kerio Administration Console. However, only local accounts can be added (accounts for directory services must be created with the respective administration tools, e.g. Active Directory Users and Computers). Accounts within a directory service cannot be removed and only some of their features can be edited.

Note:
The roles of each column of this window will be better understood through the following descriptions. The only exception is the Data source column, which displays account types:

  • Internal: the account is defined in Kerio MailServer only (it is saved in the Kerio MailServer internal database)

  • LDAP: the account is saved in a directory service (Active Directory)

Click on the Add button to open a guide to create a new user account. If the domain is configured to be used with directory services (see chapter Domains), a dialog where you can define whether you would like to activate users from a directory service or create a new local account will be displayed.

If a user is activated, a user account is saved into the directory service. From the moment of activation, it can be used by Kerio MailServer. All events and information will be saved into the directory service.


Figure 2. Activate user in directory service

If the Activate user in directory service option is selected, a dialog with the user list of the LDAP database used by Kerio MailServer will be opened. Select the appropriate users and confirm the selection. You can also use the Select all button to select all users or the Unselect all option to cancel the selection.

The following guide shows how local user accounts can be defined.

Step 1 - basic data:


Figure 3. New user addition - basic data
Login name
The login name (Note: if the domain is not local and primary then the user must log in using his/her full email address, for example user@othercompany.com and not just user). Username is not case-sensitive.
Full Name
Usually the user's first name and surname.
Description
User description (e.g. position in the company). The Full Name and Description fields are for informational purposes only. They can contain any type of information or they can be left blank.
Authentication
The way the user is authenticated (see below).
Password / Confirm Password
Only the local user password can be entered or changed. We strongly recommend changing the password immediately after the account is created.
WAP Service
Kerio MailServer allows access to email using a cellular telephone via the WAP protocol. This interface is called WAPmail (it uses the same ports as HTTP and Secure HTTP services). To enable the service, check Enable access to WAP service and enter at least 4 digits (max. 32 characters) to specify your numeric PIN code. This code will be used for authentication to the service. Warning: Since Kerio MailServer 6.0.5, the PIN code is stored in the new SHA format (see Store password in high secure SHA format (recommended)). For this reason, the original PIN will not work if downgraded to a previous version of Kerio MailServer and must be changed.
Store password in high secure SHA format (recommended)
User passwords are encrypted by a symmetrical key (DES). The Store password in high secure SHA format option uses a more secure one-way hash instead (SHA algorithm), so there is no possibility to retrieve the password. However, when the SHA format is used, it is not possible to authenticate users against Kerio MailServer by the APOP, CRAM-MD5 and Digest-MD5 methods. Authentication then requires NTLM verification, LOGIN or plaintext verification; in the case of plaintext, it is strongly recommended to use only SSL connections for communication. After the option is checked, it is necessary to change the user password. This can be done only by the administrator through the Administration Console. Warning: SHA passwords are supported since Kerio MailServer 6.0.5. If a configuration with SHA passwords is transferred to an older version of Kerio MailServer, authentication will not work.
Account is disabled
Temporary blocking of the account so that you do not have to remove it.
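
Why the SHA option rules out APOP and CRAM-MD5 while LOGIN and plaintext verification keep working, as an added sketch that is not Kerio's code. Salted SHA-256 stands in for the unspecified "SHA format", a retained cleartext stands in for the reversible DES storage, and the Account class and its method names are hypothetical.

```python
import hashlib
import hmac
import os


class MechanismUnavailable(Exception):
    """The stored credential cannot answer this authentication method."""


def apop_digest(banner: str, password: str) -> str:
    # APOP (RFC 1939): MD5 over the server's banner timestamp + the password.
    return hashlib.md5((banner + password).encode()).hexdigest()


def cram_md5_digest(challenge: str, password: str) -> str:
    # CRAM-MD5 (RFC 2195): HMAC-MD5 over the challenge, keyed with the password.
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def one_way(salt: bytes, password: str) -> bytes:
    # Assumption: salted SHA-256 stands in for the product's "SHA format".
    return hashlib.sha256(salt + password.encode()).digest()


def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())


class Account:
    def __init__(self, password: str, sha_format: bool):
        self.salt = os.urandom(16)
        # sha_format=True keeps only a digest; otherwise the cleartext is kept,
        # standing in for reversible (symmetric-key) storage.
        self.digest = one_way(self.salt, password) if sha_format else None
        self.recoverable = None if sha_format else password

    def _cleartext(self) -> str:
        if self.recoverable is None:
            raise MechanismUnavailable("server would need the cleartext password")
        return self.recoverable

    def verify_plain(self, offered: str) -> bool:
        # LOGIN/plaintext: the client sends the password, so the server can hash it.
        if self.digest is not None:
            return hmac.compare_digest(self.digest, one_way(self.salt, offered))
        return _same(self.recoverable, offered)

    def verify_apop(self, banner: str, response: str) -> bool:
        return _same(apop_digest(banner, self._cleartext()), response)

    def verify_cram_md5(self, challenge: str, response: str) -> bool:
        return _same(cram_md5_digest(challenge, self._cleartext()), response)
```

The same constraint is behind the advice to pair plaintext logins with SSL: once the server can only hash what it receives, the password itself has to cross the wire.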

Possible authentication methods:

Internal user database
The user is only authenticated within Kerio MailServer. In this case a password must be entered in the Password and Confirm Password fields (the user can then change his/her password in the Kerio WebMail interface). Warning: The password can include printable characters (digits, numerals, punctuation marks) and it is case-sensitive.
Windows NT domain
The user will be authenticated in a Windows NT domain. The NT domain name must be entered in the email domain properties (Windows NT domain in the Advanced tab). This authentication method can be used only if Kerio MailServer is running on Windows 2000/XP/2003. For details, see chapter Domains.
Kerberos 5
Authentication is conducted using the Kerberos version 5 authentication system. This authentication method uses Active Directory.
PAM service
Authentication using the PAM service (Pluggable Authentication Module), available only in the Linux operating system.
Apple Open Directory
Authentication to Apple Open Directory database (only for Apple Macintosh).

Step 2 - email addresses


Figure 4. New user addition - email addresses

In this step, all required email addresses of the user can be defined. The primary user address (it cannot be deleted) consists of the username and the domain that includes the account. The other addresses are called aliases. These can be defined either during the user definition or in Domain Settings/Aliases. We recommend the first alternative: it is easier and the aliases are available through Active Directory.

Note:
If user accounts are maintained in Active Directory (see chapter Domains), their aliases can be defined in Active Directory Users and Computers. Global aliases (in Domain Settings/Aliases) cannot be defined this way.

Step 3 - forwarding messages to other addresses


Figure 5. New user addition - forwarding messages to other addresses

Messages for a user can be forwarded to other email accounts if defined. If the Deliver messages to... button is activated, messages will be saved in the local account and forwarded to the addresses defined by the user (if not, messages will be forwarded only, not saved).

Note: The same functionality can be accomplished through the Domain Settings/Aliases dialog; however, creating aliases within the user definition dialog is smoother and easier to follow.

Step 4 - Groups


Figure 6. New user addition - groups

In this dialog window, you can add or remove groups of which the user is a member. Groups must be created first in the Domain Settings/Groups section. You can add users to groups during definition of groups. Therefore, it is not important which is created first: users or groups.

Step 5 - Access rights:


Figure 7. New user addition - user rights settings

Each user must be assigned one of the following three levels of access rights.

No access to administration
These users do not have any access to Kerio MailServer administration. Most users will have this setting so they will only be able to access their own mailboxes.
Read only access
These users can connect to Kerio MailServer administration but they can only view the logs and settings; they cannot make any changes.
Read/Write access
These users have full rights to administration and are equal to the Admin account. If there is at least one user with such rights, the Admin account can be removed.

Step 6 - Quota:


Figure 8. New user addition - quota

You can set limits for each user's mailbox.

Disk space
The maximum space for a mailbox. For greater ease in entering values you can choose between kilobytes (KB), megabytes (MB) or gigabytes (GB).
Number of messages
The maximum number of messages in the mailbox. Messages exceeding this number will be refused by the mailserver.

The user quota prevents cluttering of the server disk. If either of the limits is reached, any new messages will be refused by the server.

If the quota is exceeded, the user will be notified by email and advised to delete some of the messages in the mailbox.

The value of either of these items can be set to 0 (zero), which means that there is no limit set for the mailbox.

Step 7 - advanced settings

Check this option to add a user to the public contacts folder.


Figure 9. New user addition - publish user information to the public contacts folder

Note 1: When importing users from Kerio MailServer 5, only the users from the primary domain will be added to the public contacts folder.

Editing User Accounts


Figure 10. Editing User Account

The Edit button opens a dialog window where you can edit the parameters of the user account. This dialog window contains all of the components of the account creation guide described above, divided into tabs in one window.

Current usage of this quota can be viewed in the Quota tab. Percent usage is not displayed unless the quota is defined (limited).


Figure 11. Quota is not defined

Figure 12. Quota is defined

In the Rights tab, administration of public folders can be allowed or disallowed to a user.


Figure 13. Editing User Account - user rights

Editing multiple users

Kerio MailServer enables users to edit multiple user accounts at a time. Simply mark the accounts with the mouse while holding the Shift key, then click Edit.

The dialog box consists of three tabs. Using these tabs, it is possible to change the quota settings, user rights and other general settings (account description, type of authentication, more secure password format, account disabling).


Figure 14. Editing multiple users

This dialog box allows you to edit only the item(s) that are to be changed in all selected accounts. The same is true for Store password in high secure SHA format and Account is disabled on the General tab. The following statuses are available for the options:

  • Inactive, grey: each of the selected accounts retains its default settings.

  • Checked: the item will be checked in all accounts.

  • Unchecked: the item will be unchecked in all accounts.

The Rights and Quota tabs are used similarly to editing a single account.

Search

Use the Search field to look up specific items in the user list. When you insert a string in the Search field, the table will list the items that contain the string.

Statistics

User statistics are recorded immediately after Kerio MailServer is installed. To store the statistics even when the server is off, each user's data is saved into the stats.usr file under its parent directory.

Use the Statistics button in the Domain Settings/User Accounts section to open the table of statistics that contains selected user accounts, services to which the statistics refer, last login (day and time of the most recent user authentication to the service) and login count (total number of authentications of individual users).


Figure 15. Column selection in statistics

The Kerio MailServer administrator can customize the way information is displayed in individual sections. Right-click in Statistics dialog to display a pop-up menu with the Modify columns option. When this option is selected, it brings up a dialog box where the administrator can specify the columns to be displayed or hidden.

Click the Default button to restore the default settings, as well as the order of the items. Click the Show All button to check all columns without any changes to their order.

The Move up and Move down buttons move the selected column up and down within the group. This allows users to define the order in which the columns will be displayed.

Import Users

User accounts can be either defined manually or imported from other sources.

Warning: If you use a Windows 2000 or Windows 2003 domain (Active Directory), it is easier to set Kerio MailServer so that it cooperates directly with the Active Directory database (see chapter Domains). When users are imported, local accounts are created in Kerio MailServer. Therefore, when you are editing Active Directory (removing or adding users), the Kerio MailServer configuration must also be edited (new user import or deleting an account).

The Import button placed below the user list will open the dialog for user import. Use the Import users from option to select a source from which users will be imported.

NT Domain
In this case, the only required parameter is the NT domain name. The computer which Kerio MailServer is running on must be a part of this domain. Do NOT import users this way if the domain controller runs the Windows 2000, XP or 2003 Server operating system! In such a case, import them from the Active Directory (see below). Warning: Import of NT domain users works only if Kerio MailServer is installed on the MS Windows platform.
Figure 16. Import users from NT Domain
Active Directory
To import users from Microsoft Active Directory, you need to specify the following information:

  • Active Directory domain name: the name of the domain users will be imported from (the format is as in a DNS domain, e.g. domain.com)

  • Import from server: the name of the server on which Active Directory for this domain is running

  • Login as user, Password: the username and password of the user who has an account open in the domain. Write access rights are not required for saving and changing settings.

  • LDAP filter: using this item, queries to an LDAP server for importing users can be specified. It is recommended that only experienced programmers use this option. For details about the query syntax, see the instruction manual to your LDAP server.

Figure 17. Import users from Active Directory
Novell eDirectory
To import users from Novell eDirectory, specify the following items:

  • NDS organization: the name of the organization users will be imported from

  • Import from server: the name of the server on which the service for this domain is running

  • Login as user, Password: the username and password of the user who has an account open in the domain. Write access rights are not required for saving and changing settings.

  • LDAP filter: using this item, queries to an LDAP server for importing users can be specified. It is recommended that only experienced programmers use this option. For details about the query syntax, see the instruction manual to your LDAP server.

Figure 18. Import users from Novell eDirectory

If all required information is entered correctly and the appropriate server is accessible, a list of users will be displayed after clicking on the OK button. From there you can select users that will be imported to Kerio MailServer. You can also select a template that will be used for creating these users' accounts in Kerio MailServer. If no template is selected the default template will be used.

If the users are imported from Active Directory, the platform on which Kerio MailServer is running is not important.


Figure 19. Users selection for import

The authentication type will be set according to where users were imported from: NT Domain for users imported from an NT domain and Kerberos 5 for users imported from Active Directory (Active Directory uses Kerberos 5 authentication system by default).

Export to Address Book

Information about selected users (local accounts or accounts in a directory service) can be exported to a public file (public address books) by clicking on the Export to Address Book button. This button displays a dialog where a folder for the data and users to be exported can be selected.


Figure 20. Export to Address Book

If there is no public address book defined, the #public/Contacts folder will be generated automatically during the first export.

Only the full name and email address are exported. Other parameters are irrelevant; however, they can be added by users with appropriate rights, e.g. via the Kerio WebMail interface.

Note: Contacts can be exported to the address book by any user that has both read and write rights in the Kerio MailServer administration (see chapter User Accounts). Rights for public folders are not required.

If users have been exported successfully, the result will be displayed in a dialog.
