SMTP Server
SMTP server settings protect the server on which Kerio MailServer is running from misuse.
Antispam protection of the mailserver enables users to define who will be allowed to use this server and what actions they can perform. This way, the server is protected from being misused. If the SMTP server is available from the Internet, any client can connect and use the server to send an email message. Thus the server can be misused to send spam messages. Recipients of such email messages will see your SMTP server as the sender in the message source and might block messages sent from this server. Thus your company might be considered a spam sender and your server can be added to a database of spam servers.
Kerio MailServer provides a protection system that enables users to define who will be allowed to send email via this server and where. Anyone can connect to the SMTP server to send messages to local domains. However, only authorized users will be allowed to send email to other domains.
In this section, the delivery parameters can also be set:
Relay Control Tab
Use the Relay control tab to set groups of allowed IP addresses and/or user authentication against SMTP server.
Figure 1. Relay Control tab
- Allow relay only for
- Use this option to activate user authentication by IP addresses or usernames and passwords (see below). Generally, authenticated users can send email messages to any domain via this server, whereas unauthorized users can send messages only to local domains.
- Users from IP address group
- Use this option to define a group of IP addresses from which email can be sent to any domain. Use the IP address group menu to choose an item from the list of groups defined in Configuration → Definition → IP Address Groups. Use the Edit button to edit a selected group or to create a new one (see chapter IP Address Groups).
- Users authenticated through SMTP server for outgoing mail
- Users authenticated through SMTP server using a valid username and password will be allowed to send email to any domain. Thus, all users that have their own accounts in Kerio MailServer will have this right.
- Users authenticated through POP3 from the same IP address
- Users authenticated through POP3 (username and password) will be granted relay access from their IP address for a given period of time. The default time period is 30 minutes.
Authentication by IP addresses is independent from authentication by usernames, therefore users must meet at least one of these conditions.
- Open relay
- In this mode, the SMTP server does not check users who use it to send email. Thus any user can send email messages to any domain. Warning: We recommend that you do not use this mode if Kerio MailServer is available from the Internet. If you use this option, your server can be used for sending spam and it might be added to a blacklist database of spam SMTP servers (see below).
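The relay rules described above can be read as one decision per recipient. The following is an added illustration, not Kerio MailServer code: the class and function names, the domain, the addresses and the order in which the conditions are tested are all assumptions; only the conditions themselves and the 30-minute POP3 period come from the text.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample configuration (assumptions, not product defaults).
LOCAL_DOMAINS = {"example.com"}
RELAY_GROUP = [ipaddress.ip_network("192.0.2.0/24")]  # "Users from IP address group"
POP3_WINDOW = timedelta(minutes=30)                   # default period given in the text


class RelayPolicy:
    def __init__(self, open_relay=False):
        self.open_relay = open_relay
        self.pop3_logins = {}  # client IP -> time of last successful POP3 login

    def record_pop3_login(self, ip, when):
        self.pop3_logins[ip] = when

    def _pop3_valid(self, ip, now):
        seen = self.pop3_logins.get(ip)
        return seen is not None and timedelta(0) <= now - seen <= POP3_WINDOW

    def decide(self, ip, rcpt, now, smtp_authenticated=False):
        """Return (accepted, reason) for one RCPT TO address."""
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in LOCAL_DOMAINS:
            return True, "local domain"       # anyone may deliver to local domains
        if self.open_relay:
            return True, "open relay"         # no checks at all in this mode
        # IP-based and name-based authentication are independent:
        # meeting any one of the conditions is enough.
        if any(ipaddress.ip_address(ip) in net for net in RELAY_GROUP):
            return True, "IP address group"
        if smtp_authenticated:
            return True, "SMTP authentication"
        if self._pop3_valid(ip, now):
            return True, "POP3 before SMTP"
        return False, "relaying denied"


if __name__ == "__main__":
    policy = RelayPolicy()
    now = datetime(2024, 1, 1, 12, 0)
    print(policy.decide("203.0.113.9", "bob@other.test", now))
```

The POP3 condition is tied to the client IP address, so it covers every client that reaches the server from that address during the period.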
Blacklists Tab
Kerio MailServer can also block incoming messages from servers that are considered spam servers. For this purpose, it uses public databases of these servers located on the Internet or its own database (either an IP address group, or a list of servers in the Internet blacklists table).
To define these parameters, go to the Blacklists tab in Configuration → SMTP Server.
Kerio MailServer administrator can use a couple of different databases. These databases are independent and they can be used simultaneously. Users can also add databases in the Denied servers dialog box. This dialog is opened after you click Add.
Figure 3. Internet blacklist addition
ORDB Open Relay Database
This service is free. For details, go to http://www.ordb.org/.
- Open Relay Database
- Database of SMTP servers that are not protected from spam misuse.
Logs about received email messages can be created for individual groups (the Log option) or messages can be rejected (the Block option). If the Log option is active, information is recorded into the Security log. The analysis of this log can be used to acquire a list of IP addresses of servers from which spam has been sent.
- Custom IP address spammers database
- This option can be used to select a custom defined IP address group. Use the Edit button to edit the selection or to create a new group.
Security Options Tab
Apart from completely blocking certain senders, Kerio MailServer provides options that limit, for example, sending too many messages or opening too many connections (known as DoS attack). These options can be set in the Security Options section.
Figure 4. Security Options tab
- Max. number of messages per hour...
- Maximum count of messages that can be sent from one IP address per hour. This protects the disk from being overloaded by too many messages (often identical and undesirable).
- Max. number of concurrent SMTP connections...
- Maximum number of concurrent TCP connections to the SMTP server from one IP address. This is a method of protection against DoS attacks (Denial of Service: too many concurrent connections overload the system and no other users can connect to the server).
- Max. number of unknown recipients ...
- Protection against what is also known as a directory harvest attack. This condition is met when an application that guesses common usernames of recipients fails as many times as the number of allowed unknown recipients.
- Do not apply these limits to IP address group
- Group of IP addresses to which the limitations will not be applied. This rule is often used for groups of local users (see the Relay Control tab). These users send all their outgoing mail through Kerio MailServer; the count of messages sent by these users to this server is therefore much higher than the number of messages sent by external users (servers) that use it only to deliver mail to local domains.
- Block if sender's mail domain...
- When a message is received, Kerio MailServer checks whether the sender's domain has a record in DNS. If not, the message will be rejected. This feature protects against senders with fictional email addresses. Note: This function may slow down Kerio MailServer (responses of DNS servers may take up to several seconds).
- Max. number of recipients in a message
- Maximum number of message recipients that will be accepted (in the Rcpt To: entry of the SMTP envelope). This will protect your server from possible loops between two or more SMTP servers.
- Max. number of failed commands...
- Spam is often sent by special applications that connect to SMTP servers and ignore their error reports. If this option is enabled, Kerio MailServer will close the SMTP connection automatically after the defined number of failed commands has been reached.
- Limit maximum incoming SMTP message size to
- Maximum size of a message that will be accepted by the SMTP server. This protects the server from being overloaded by large messages. The 0 value means that no limitation is set. For easy definition you can switch between kilobytes (KB) and megabytes (MB).
- Maximum number of accepted Received headers (hops)
- This parameter helps the server block messages that have been trapped in a loop.
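To show how three of these limits interact (unknown recipients, messages per hour, and Received hops), here is an added sketch that is not Kerio MailServer code. The limit values, addresses, class name and return strings are assumptions, as is the reading that the unknown-recipient condition triggers when the failure count reaches the configured number.

```python
from collections import defaultdict, deque
from email import message_from_string

# Constructed limits; the page names the options but gives no values.
LIMITS = {"messages_per_hour": 3, "unknown_recipients": 2, "received_hops": 4}
EXEMPT_IPS = {"192.0.2.10"}  # stands in for "Do not apply these limits to IP address group"
KNOWN_USERS = {"alice@example.com", "bob@example.com"}

# Constructed sample: a message that has already passed through five servers.
LOOPED = "".join(f"Received: from mx{i}.example.net\n" for i in range(5)) + "Subject: t\n\nbody\n"


class SmtpLimits:
    def __init__(self):
        self.sent = defaultdict(deque)   # IP -> timestamps (seconds) of accepted messages
        self.unknown = defaultdict(int)  # IP -> number of unknown recipients tried

    def check_rcpt(self, ip, rcpt):
        """Count failed recipient guesses from one IP (directory harvest)."""
        if rcpt.lower() in KNOWN_USERS:
            return "accept"
        if ip in EXEMPT_IPS:
            return "reject"              # still unknown, but not counted
        self.unknown[ip] += 1
        return "block" if self.unknown[ip] >= LIMITS["unknown_recipients"] else "reject"

    def check_message(self, ip, raw, now):
        """Apply the hop limit, then the per-hour limit; now is in seconds."""
        if ip in EXEMPT_IPS:
            return "accept"
        hops = len(message_from_string(raw).get_all("Received", []))
        if hops > LIMITS["received_hops"]:
            return "reject: too many hops"
        window = self.sent[ip]
        while window and now - window[0] >= 3600:
            window.popleft()             # forget messages older than one hour
        if len(window) >= LIMITS["messages_per_hour"]:
            return "reject: hourly limit"
        window.append(now)
        return "accept"


if __name__ == "__main__":
    limits = SmtpLimits()
    print(limits.check_message("203.0.113.5", LOOPED, 0))
```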
SMTP Delivery
In this section, the delivery parameters can also be set:
Figure 5. SMTP Delivery tab
- Deliver directly using DNS MX records
- Mail will be delivered directly to destination domains using MX records.
- Use relay SMTP server
- All outgoing mail will be sent via another relay SMTP server.
- Relay server hostname
- DNS name or IP address of relay SMTP server.
- Relay server port
- Port where the relay SMTP is running. Typically the standard port 25 is used (this value is also set as Default).
- Relay server requires authentication
- Use this option if relay server requires authentication of sender (Kerio MailServer) using username and password. Specify the User and Password entries.
- Authentication
- Method of authentication at the relay server: SMTP AUTH Command or POP3 before SMTP (users access the local POP3 mailbox first; they will be authenticated and allowed to send mail via the SMTP server. The username and password used here will be used to log in to the mailbox and no messages can be read. Therefore you do not need to define the mailbox in Configuration → POP3 Download to send an email message.)
- Use SSL if supported by remote SMTP server...
- When sending a message, the SMTP server attempts to use an encrypted connection (SSL) first. If an SSL connection is not supported, an unencrypted connection will be used. Thus the maximal possible security of sent mail is ensured.
Queue Options
In this tab, the mail queue can be set. It can be viewed in Status → Mail Queue.
Figure 6. Queue Options
- Maximum number of delivery threads
- Maximum number of delivery threads that will send messages from the queue (maximum count of messages sent at one moment). The value should be chosen with respect to processor capacity and to speed of the Internet connection.
- Delivery retry interval
- Interval that will be used for repeated retry attempts for sending an email message.
- Return the message to sender...
- If the message cannot be delivered by expiration of this interval, it will be returned to sender. It will be automatically removed from the queue and no more delivery attempts will be made by the server.
You can also use preset time units (minutes, hours, days) to specify the interval.
However, these time units will not be considered if the messages are delivered via relay SMTP server.
- Send warning to sender...
- If the message could not be delivered by expiration of this period, the sender will be sent a warning (the server will continue its sending attempts).
- Report language
- Language that will be used for error, warning and informative reports. Note: Reports are stored in the reports subdirectory of the directory where Kerio MailServer is installed (UTF-8 encoding is used). Administrator can modify individual reports or add a new language report version.
