Category Archives: KC 7.1

Kerio Connect: Use it with free "Let's Encrypt" Certificates on IIS

"Let's Encrypt" is an organisation that provides SSL certificates for free in an automated way. While the use is simple on IIS or Apache web servers, on Kerio Connect it is a bit more complicated as it comes with its own web server. Here is how I set it up (there might be other ways, of course, please feel free to add your comments at the bottom of the page).

First, download "letsencrypt-win-simple" from

This tool simplifies and automates the communication with the Let's Encrypt API.

Then, make sure you have IIS enabled on your Windows 2012 R2 Server, but only have a binding to port 80 (port 443 will be used by Kerio Connect). Bind to IIS.

Make sure that Kerio Connect only has https enabled and not http.

Now, run letsencrypt.exe from the folder where you downloaded it. When run for the first time, it will ask you for your email address and to accept the TOS. It will present you with all the current bindings from IIS. Choose

It will now create the certificate for your mail server. Two files are important

They can be found here:


From Kerio Web Admin > SSL Certificates, import the certificate and make it the default certificate. Delete any other certificates.

This results in 2 files in

C:\Program Files\Kerio\MailServer\sslcert


You should now be able to go to the Kerio Connect login web page with

If you look at the certificate, it should list "Let's Encrypt Authority" as the issuer and the browser should show a green padlock.


Let's Encrypt certificates expire after 90 days, so you should create a scheduled task that renews the certificate and copies the files to

C:\Program Files\Kerio\MailServer\sslcert

overwriting server.crt and server.key
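As an added example (not from the original post), here is a PowerShell script for that scheduled task, to run after the renewal tool has written new files: it installs them into the Kerio folder only if the certificate actually changed, keeps a backup, locks down the key file and restarts the service. The renewal output folder, the PEM file names and the service name 'Kerio Connect' are assumptions; adjust them to your installation.

```powershell
# Added example, not from the original post. Requires PowerShell 4.0+ (Get-FileHash).
# $LeDir, the PEM file names and the service name are assumptions.
$LeDir    = 'C:\ProgramData\letsencrypt-win-simple\mail.example.com'  # placeholder
$KerioDir = 'C:\Program Files\Kerio\MailServer\sslcert'
$Service  = 'Kerio Connect'                                           # assumed service name

$NewCrt = Join-Path $LeDir 'cert.pem'      # placeholder file names
$NewKey = Join-Path $LeDir 'privkey.pem'
$OldCrt = Join-Path $KerioDir 'server.crt'
$OldKey = Join-Path $KerioDir 'server.key'

if (-not (Test-Path $NewCrt) -or -not (Test-Path $NewKey)) {
    throw "Renewed certificate or key not found in $LeDir"
}

# Do nothing if the renewal tool did not produce a new certificate.
$NewHash = (Get-FileHash -Algorithm SHA256 $NewCrt).Hash
$OldHash = if (Test-Path $OldCrt) { (Get-FileHash -Algorithm SHA256 $OldCrt).Hash } else { '' }
if ($NewHash -eq $OldHash) { Write-Output 'Certificate unchanged, nothing to do.'; return }

# Refuse to install a certificate that is not yet valid or expires within a week.
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $NewCrt
$Now  = Get-Date
if ($Cert.NotBefore -gt $Now -or $Cert.NotAfter -lt $Now.AddDays(7)) {
    throw "Renewed certificate validity is wrong: $($Cert.NotBefore) - $($Cert.NotAfter)"
}

# Keep a timestamped copy of the files being overwritten.
$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($f in $OldCrt, $OldKey) { if (Test-Path $f) { Copy-Item $f "$f.$Stamp.bak" } }

Copy-Item $NewCrt $OldCrt -Force
Copy-Item $NewKey $OldKey -Force

# The private key (and its backup) should only be readable by SYSTEM and Administrators.
foreach ($f in $OldKey, "$OldKey.$Stamp.bak") {
    if (Test-Path $f) { icacls $f /inheritance:r /grant:r 'SYSTEM:(R)' 'Administrators:(F)' | Out-Null }
}

# Kerio Connect reads the files at start-up, so restart it to activate the new certificate.
Restart-Service -Name $Service
Write-Output "Installed certificate $($Cert.Thumbprint), valid until $($Cert.NotAfter)"
```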

Kerio Connect: Messages in the Security Log and what they mean

Find below a list of messages that can appear in the security log of Kerio Connect 8.0 and what they mean:

SMTP Spam attack detected from, client closed connection before SMTP greeting

This message only appears if Spam Repellent is switched on. It means that the client (sending mail server) did not wait the 25 seconds (or whatever is configured in Spam Repellent) for the SMTP greeting; it closed the connection too early. This is indicative of botnet spam, as legitimate mail servers would not do that.

SMTP Spam attack detected from, client sent data before SMTP greeting

This message only appears if Spam Repellent is switched on. It means that the client (sending mail server) did not wait the 25 seconds (or whatever is configured in Spam Repellent) for the SMTP greeting; it started sending commands (such as HELO) and data too early. This is indicative of botnet spam, as legitimate mail servers would not do that.

IP address found in DNS blacklist SPAMHAUS ZEN, mail from <> to <> rejected

The IP address of the client (sending mail server) is on the indicated blacklist and is blocked immediately. It will not be allowed to transmit the mail.

IP address found in DNS blacklist UCEPROTECT L1, mail from <> to <>

The IP address of the client (sending mail server) is on the indicated blacklist, but the message is still allowed to be delivered. Some spam score is added to the message.

Relay attempt from IP address, mail from <> to <> rejected

As the recipient domain is not a domain that the mail server is responsible for, it discards the message. If the client had authenticated, the message would have been allowed. This is to prevent relaying of spam.

Message from IP address, sender <> rejected: sender domain requires authentication

As the sender domain is hosted on the mail server, the client must authenticate to send the message. This is to prevent sender address spoofing. Without authentication, the message is blocked.

Message from IP address, sender <> rejected: sender domain does not exist

The message is blocked because the sender domain does not exist.

Message from IP address, sender <> temporarily rejected: sender domain does not resolve

The message is temporarily blocked because the sender domain does not resolve. This means that the domain exists, but the authoritative DNS servers are not responding.

Attempt to deliver to unknown recipient <>, from <>, IP address

The message is blocked as there is no recipient with that name in the recipient domain.

Client with IP address has no reverse DNS entry, connection rejected before SMTP greeting

The IP address of the client (sending mail server) has no reverse DNS entry (PTR record), so the message is blocked. A valid mail server must have a reverse DNS entry.

SPF check failed: The IP address '' is not in permitted set for sender '' (FAIL)

The sender domain has an SPF (Sender Policy Framework) record set up in its DNS, and it indicates that the client IP address is not a valid sender for that domain. The message is accepted, but a spam score is added to it.

Message from <> rejected by header filter: From address contains domain *.top

A custom anti-spam rule has been set up to reject mails that meet certain criteria. In this example, any mail where the sender uses the .top TLD is rejected.
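As an added example (not from the original post), the following PowerShell script classifies security log lines by the message types listed above and counts them per client IP, so that repeat offenders can be spotted. The sample lines are constructed; the "[dd/Mon/yyyy hh:mm:ss] message" layout and the position of the IP address within each message are assumptions, since the list above leaves them blank.

```powershell
# Added example, not from the original post. Sample lines are constructed; the
# timestamp layout and where the IP appears in each message are assumptions.
$Sample = @'
[01/Mar/2013 08:01:02] SMTP Spam attack detected from 203.0.113.7, client sent data before SMTP greeting
[01/Mar/2013 08:01:09] SMTP Spam attack detected from 203.0.113.7, client closed connection before SMTP greeting
[01/Mar/2013 08:02:15] IP address 198.51.100.20 found in DNS blacklist SPAMHAUS ZEN, mail from <a@example.net> to <b@example.com> rejected
[01/Mar/2013 08:02:44] IP address 192.0.2.55 found in DNS blacklist UCEPROTECT L1, mail from <c@example.net> to <d@example.com>
[01/Mar/2013 08:03:40] Relay attempt from IP address 203.0.113.7, mail from <x@example.org> to <y@elsewhere.test> rejected
[01/Mar/2013 08:04:01] Attempt to deliver to unknown recipient <nobody@example.com>, from <z@example.net>, IP address 192.0.2.55
[01/Mar/2013 08:05:22] SPF check failed: The IP address '192.0.2.55' is not in permitted set for sender 'bob@example.org' (FAIL)
[01/Mar/2013 08:06:00] Client with IP address 198.51.100.20 has no reverse DNS entry, connection rejected before SMTP greeting
'@ -split "`r?`n"

# Message types from the list above, most specific first (the first match wins).
$Rules = [ordered]@{
    'spam-repellent'    = 'SMTP Spam attack detected'
    'dnsbl-reject'      = 'found in DNS blacklist .* rejected$'
    'dnsbl-scored'      = 'found in DNS blacklist'
    'relay-attempt'     = 'Relay attempt from'
    'sender-rejected'   = 'sender <[^>]*> (temporarily )?rejected'
    'unknown-recipient' = 'Attempt to deliver to unknown recipient'
    'no-reverse-dns'    = 'has no reverse DNS entry'
    'spf-fail'          = 'SPF check failed'
    'header-filter'     = 'rejected by header filter'
}

function ConvertFrom-KerioSecurityLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -notmatch '^\[(?<time>[^\]]+)\]\s*(?<msg>.+)$') { continue }
        $time = $Matches.time; $msg = $Matches.msg
        $cat = 'other'
        foreach ($r in $Rules.GetEnumerator()) { if ($msg -match $r.Value) { $cat = $r.Key; break } }
        $ip = if ($msg -match '(\d{1,3}(?:\.\d{1,3}){3})') { $Matches[1] } else { $null }
        [pscustomobject]@{ Time = $time; Ip = $ip; Category = $cat; Message = $msg }
    }
}

$Events = ConvertFrom-KerioSecurityLog $Sample
$Events | Group-Object Category | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

# Clients that tripped more than one different check are the ones worth a closer look.
$Events | Where-Object Ip | Group-Object Ip | ForEach-Object {
    $cats = $_.Group.Category | Select-Object -Unique
    if ($cats.Count -gt 1) { '{0}: {1}' -f $_.Name, ($cats -join ', ') }
}
```

With the constructed sample, 203.0.113.7, 198.51.100.20 and 192.0.2.55 each show up under two different checks; on a real log, replace `$Sample` with `Get-Content` of the security log file.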

Kerio Connect: Some sample Sieve Filter Rules

In Kerio Connect, the filtering of personal mails is based on the filter language Sieve. As I didn't find many good samples on the Web, find below some interesting ones. I will update when I have new ones:

    require ["fileinto"];
    # :matches treats "*" as a wildcard, so "rma" has to stand on its own
    # (surrounded by spaces or at the start/end of the subject); "pharma" does not match.
    if allof (
        header :matches "Subject" ["rma *", "* rma", "* rma *", "rma"],
        address :all :contains "Cc" "")
    {
        fileinto "RMA";
    }

This copies any mails to the folder RMA that match the following criteria: The subject of the mail contains the word RMA and the mail has in the CC field. Words containing rma (like pharma) do not match.

Kerio Connect: Enabling DCC on Spam Assassin

KMS (Kerio Mail Server) comes with the Spamassassin spam protection. Although not officially supported by Kerio, you can change spamassassin by modifying the spamassassin rules and config files. On Windows, all the important files are in

C:\Program Files\Kerio\MailServer\plugins\spamassassin\rules

Before you change anything, you should definitely backup all files in this directory!

The .cf files contain the rules and the scores. They are plain text and you can change them, but you have to know what you are doing. You can also add new ones, for example You need to restart the KMS Mail services to make the changes effective.

Spamassassin comes with three modules that are based on checksums of mails: Pyzor, Razor2 and DCC. But they are not enabled in KMS. Unfortunately, it is not just a matter of enabling them, as the executables for them are missing.

So I spent about 5 hours to figure out how I could get DCC to work (I chose DCC because I don't need Python on my system for it to work).

What is DCC?

The DCC or Distributed Checksum Clearinghouse is a system of servers collecting and counting checksums of millions of mail messages. The counts can be used by SpamAssassin to detect and reject or filter spam. See for details.

I had to do the following steps to get it to work on Windows (similar steps on Unix and Mac, I guess):

  1. Download SpamAssassin for Win32 command-line tools from and unzip it to c:\sa
  2. Make sure that c:\sa\dccproc.exe is in place. This is the main executable for DCC.
  3. Open a cmd prompt and type

    cd "Documents and Settings\Default User"
    md .spamassassin

  4. Important: On a 64-bit Windows 2008 R2 server, the path is: C:\Windows\SysWOW64\config\systemprofile\.spamassassin
  5. Copy the "map" file from C:\sa\etc\dcc to C:\Documents and Settings\Default User\.spamassassin   This file contains the servers that can be contacted for Spam checksums.
  6. Locate and open C:\Program Files\Kerio\MailServer\plugins\spamassassin\rules\
  7. Add the following lines:

    # Use DCC
    dcc_home c:\sa\etc\dcc
    dcc_path c:\sa\dccproc.exe
    add_header all DCC _DCCB_: _DCCR_
    use_dcc 1

  8. Remove the following line

    score DCC_CHECK 0

  9. In the same directory, open the v310.pre file and uncomment the following line

    loadplugin Mail::SpamAssassin::Plugin::DCC

  10. Restart KMS
  11. Also note that DCC requires that you open your firewall for DCC reply packets on UDP port 6277. Here are the sample firewall rules required:
    allow udp local gt 1023 to remote 6277
    allow udp remote 6277 to local gt 1023
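As an added example (not from the original post), a PowerShell script that checks the steps above after you have done them and reports the effective DCC_CHECK score. It assumes the rules file you edited in step 7 is local.cf (the file name is cut off in the post), and it looks for the map file in both locations named in steps 3 to 5.

```powershell
# Added example, not from the original post. Paths follow the post; the edited
# rules file is assumed to be local.cf.
$SaDir    = 'C:\sa'
$RulesDir = 'C:\Program Files\Kerio\MailServer\plugins\spamassassin\rules'
$LocalCf  = Join-Path $RulesDir 'local.cf'   # assumption
$PreFile  = Join-Path $RulesDir 'v310.pre'
$MapFiles = @('C:\Documents and Settings\Default User\.spamassassin\map',
              'C:\Windows\SysWOW64\config\systemprofile\.spamassassin\map')  # steps 3-5

function Test-DccSetup {
    $checks = [ordered]@{}
    $checks['dccproc.exe present'] = Test-Path (Join-Path $SaDir 'dccproc.exe')
    $checks['map file in profile'] = [bool]($MapFiles | Where-Object { Test-Path $_ })
    $cf = if (Test-Path $LocalCf) { Get-Content $LocalCf } else { @() }
    # Ignore comment lines, then look for the directives added in step 7 (and removed in step 8).
    $active = $cf | Where-Object { $_ -notmatch '^\s*#' }
    $checks['use_dcc 1']            = [bool]($active -match '^\s*use_dcc\s+1\b')
    $checks['dcc_path set']         = [bool]($active -match '^\s*dcc_path\s+\S')
    $checks['dcc_home set']         = [bool]($active -match '^\s*dcc_home\s+\S')
    $checks['DCC_CHECK not zeroed'] = -not ($active -match '^\s*score\s+DCC_CHECK\s+0(\.0+)?\s*$')
    $pre = if (Test-Path $PreFile) { Get-Content $PreFile } else { @() }
    $checks['DCC plugin loaded'] = [bool]($pre -match '^\s*loadplugin\s+Mail::SpamAssassin::Plugin::DCC\b')
    $checks
}

function Get-DccCheckScore {
    # SpamAssassin reads the .cf files in name order; the last 'score DCC_CHECK' line wins.
    # Only the first of up to four score values is reported here.
    $score = $null; $source = $null
    foreach ($f in Get-ChildItem $RulesDir -Filter *.cf | Sort-Object Name) {
        foreach ($l in Get-Content $f.FullName) {
            if ($l -match '^\s*score\s+DCC_CHECK\s+([-\d.]+)') { $score = [double]$Matches[1]; $source = $f.Name }
        }
    }
    if ($null -eq $score) { 'no score DCC_CHECK line found' } else { "DCC_CHECK = $score (from $source)" }
}

Test-DccSetup | Format-Table -AutoSize
Get-DccCheckScore
```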

From now on you should see an entry in the headers of your incoming mails (if DCC detects it as spam):


The score depends on what you have defined in

Update: This has also been tested on Kerio Connect 7.3 and it is working.

Update 2: According to John's post below, to make DCC work in Kerio Connect 7.4, you have to add some lines to in addition to the steps above. For details, see John's post below. Thanks John for that!

Update 3: This also works in Kerio Connect 8.0.