Category Archives: KC 7.4

Kerio Connect: Use it with free "Let's Encrypt" Certificates on IIS

"Let's Encrypt" is an organisation that provides SSL certificates for free in an automated way. While the use is simple on IIS or Apache web servers, on Kerio Connect it is a bit more complicated as it comes with its own web server. Here is how I set it up (there might be other ways, of course, please feel free to add your comments at the bottom of the page).

First, download "letsencrypt-win-simple" from

https://github.com/Lone-Coder/letsencrypt-win-simple

This tool simplifies and automates the communication with the Let's Encrypt API.

Then, make sure you have IIS enabled on your Windows 2012 R2 Server, but only have a binding to port 80 (port 443 will be used by Kerio Connect). Bind http://mail.yourmaildomain.com to IIS.

Make sure that Kerio Connect only has https enabled and not http.

Now, run letsencrypt.exe from the folder where you downloaded it. When run for the first time, it will ask you for your email address and to accept the TOS. It will present you with all the current bindings from IIS. Choose mail.yourmaildomain.com.

It will now create the certificate for your mail server. Two files are important:

mail.yourmaildomain.com-crt.pem
mail.yourmaildomain.com-key.pem

They can be found here:

C:\Users\<username>\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org

From Kerio Web Admin > SSL Certificates, import the certificate and make it the default certificate. Delete any other certificates.

This results in 2 files in

C:\Program Files\Kerio\MailServer\sslcert

server.crt
server.key

You should now be able to go to the Kerio Connect login web page with

https://mail.yourmaildomain.com

If you look at the certificate, it should list "Let's Encrypt Authority" as the issuer and the browser should show a green padlock.

Renewal

Let's Encrypt certificates expire after 90 days, so you should create a scheduled task that renews the certificates and copies them to

C:\Program Files\Kerio\MailServer\sslcert

overwriting server.crt and server.key
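
The copy step of that scheduled task, as an added Python example (not part of the original post): it checks both PEM files before touching the installed pair, so a failed renewal never leaves a certificate without its key, and it keeps the previous files as a backup. The paths are the ones given above; running the letsencrypt-win-simple renewal beforehand and having Python on the server are assumptions.

```python
import os
import shutil
from pathlib import Path

def deploy_certificate(src_dir, dst_dir, host):
    """Copy <host>-crt.pem / <host>-key.pem over server.crt / server.key.

    Returns True when the installed files were replaced, False when they
    were already identical. Raises ValueError before writing anything if
    either source file does not look like the expected PEM file.
    """
    src_dir, dst_dir = Path(src_dir), Path(dst_dir)
    pairs = [
        (src_dir / f"{host}-crt.pem", dst_dir / "server.crt", b"-----BEGIN CERTIFICATE-----"),
        (src_dir / f"{host}-key.pem", dst_dir / "server.key", b"PRIVATE KEY-----"),
    ]
    new = {}
    for src, dst, marker in pairs:
        data = src.read_bytes()
        if marker not in data:  # empty or truncated output from a failed renewal
            raise ValueError(f"{src.name} is not the expected PEM file, nothing copied")
        new[dst] = data
    if all(dst.exists() and dst.read_bytes() == data for dst, data in new.items()):
        return False  # certificate has not been renewed since the last run
    for dst, data in new.items():
        if dst.exists():
            shutil.copy2(dst, dst.with_name(dst.name + ".bak"))  # previous pair, for rollback
        tmp = dst.with_name(dst.name + ".new")
        tmp.write_bytes(data)
        os.replace(tmp, dst)  # atomic swap: the server never reads a half-written file
    return True

if __name__ == "__main__":
    # APPDATA resolves to C:\Users\<username>\AppData\Roaming, so the task must
    # run as the same user that ran letsencrypt.exe.
    src = Path(os.environ["APPDATA"]) / "letsencrypt-win-simple" / "httpsacme-v01.api.letsencrypt.org"
    deploy_certificate(src, r"C:\Program Files\Kerio\MailServer\sslcert", "mail.yourmaildomain.com")
```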

Kerio Connect: Messages in the Security Log and what they mean

Find below a list of messages that can appear in the security log of Kerio Connect 8.0 and what they mean:

SMTP Spam attack detected from 85.51.174.157, client closed connection before SMTP greeting

This message only appears if Spam Repellent is switched on. It means that the client (sending mail server) did not wait the 25 seconds (or whatever is configured in Spam Repellent) for the SMTP greeting and closed the connection too early. This is indicative of botnet spam, as normal mail servers would not do that.

SMTP Spam attack detected from 69.94.153.232, client sent data before SMTP greeting

This message only appears if Spam Repellent is switched on. It means that the client (sending mail server) did not wait the 25 seconds (or whatever is configured in Spam Repellent) until the SMTP greeting appeared and started to send commands (such as HELO) and data too early. This is indicative of botnet spam, as normal mail servers would not do that.

IP address 93.85.133.206 found in DNS blacklist SPAMHAUS ZEN, mail from <sendername@senderdomain.com> to <myname@mydomain.org> rejected

The IP address of the client (sending mail server) is in the indicated blacklist and is blocked immediately. It will not be allowed to transmit the mail.

IP address 72.9.146.151 found in DNS blacklist UCEPROTECT L1, mail from <sendername@senderdomain.com> to <myname@mydomain.org>

The IP address of the client (sending mail server) is in the indicated blacklist, but the mail is still allowed to be delivered. Some spam score will be added to the message.

Relay attempt from IP address 72.9.146.151, mail from <sendername@senderdomain.com> to <recipient@notmydomain.net> rejected

As the recipient domain is not a domain that the mail server is responsible for, it will discard the message. If the client had authenticated, the message would have been allowed. This is to prevent relaying of spam.

Message from IP address 195.245.231.144, sender <sendername@mydomain.org> rejected: sender domain requires authentication

As the sender domain is hosted on the mail server, the client must authenticate to send the message. This is to prevent sender address spoofing. Without authentication, the message is blocked.

Message from IP address 186.28.185.93, sender <sendername@senderdomain.com> rejected: sender domain does not exist

The message is blocked because the sender domain does not exist.

Message from IP address 72.38.232.36, sender <sendername@senderdomain.com> temporarily rejected: sender domain does not resolve

The message is temporarily blocked because the sender domain does not resolve. This means that the domain exists, but the authoritative DNS servers are not responding.

Attempt to deliver to unknown recipient <unknown@mydomain.org>, from <sendername@senderdomain.com>, IP address 217.200.184.87

The message is blocked as there is no recipient with that name on the recipient domain.

Client with IP address 202.85.222.166 has no reverse DNS entry, connection rejected before SMTP greeting

The IP address of the client (sending mail server) has no reverse DNS entry (PTR record), so the message is blocked. A valid mail server must have a reverse DNS entry.

SPF check failed: The IP address '210.68.71.113' is not in permitted set for sender 'sendername@senderdomain.com' (FAIL)

The sender domain has an SPF (Sender Policy Framework) record set up in its DNS, and it indicates that the client IP address is not a valid sender for that domain. The message is accepted but a spam score is added to it.

Message from <sendername@routemails.top> rejected by header filter: From address contains domain *.top

A custom anti-spam rule has been set up to reject mails that meet certain criteria. In this example, any mail where the sender uses the .top TLD is rejected.
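
The messages listed above can be matched mechanically to find clients that trip several checks. The following is an added example, not Kerio code: the category and outcome names are labels chosen here, and the sample lines (timestamp prefix, documentation-range IP addresses) are constructed.

```python
import re
from collections import Counter, defaultdict

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# (category, outcome as explained in the list above, pattern); first match wins
RULES = [(c, o, re.compile(p)) for c, o, p in [
    ("repellent_early_close", "flagged", rf"SMTP Spam attack detected from {IP}, client closed connection"),
    ("repellent_early_data", "flagged", rf"SMTP Spam attack detected from {IP}, client sent data"),
    ("dnsbl", "rejected", rf"IP address {IP} found in DNS blacklist (?P<detail>.+?), mail from .* rejected$"),
    ("dnsbl", "scored", rf"IP address {IP} found in DNS blacklist (?P<detail>.+?), mail from "),
    ("relay_attempt", "rejected", rf"Relay attempt from IP address {IP},"),
    ("sender_domain", "deferred", rf"Message from IP address {IP}, sender \S+ temporarily rejected: (?P<detail>.+)$"),
    ("sender_domain", "rejected", rf"Message from IP address {IP}, sender \S+ rejected: (?P<detail>.+)$"),
    ("unknown_recipient", "rejected", rf"Attempt to deliver to unknown recipient .*IP address {IP}"),
    ("no_reverse_dns", "rejected", rf"Client with IP address {IP} has no reverse DNS entry"),
    ("spf_fail", "scored", rf"SPF check failed: The IP address '{IP}' is not in permitted set"),
    ("header_filter", "rejected", r"rejected by header filter: (?P<detail>.+)$"),
]]

def classify(line):
    """Return {category, outcome, ip, detail} for a security log line, or None."""
    for category, outcome, rx in RULES:
        m = rx.search(line.strip())
        if m:
            g = m.groupdict()
            return {"category": category, "outcome": outcome,
                    "ip": g.get("ip"), "detail": g.get("detail")}
    return None

def repeat_offenders(lines, threshold=2):
    """Client IPs with at least `threshold` events, with their per-category counts."""
    per_ip = defaultdict(Counter)
    for line in lines:
        event = classify(line)
        if event and event["ip"]:  # header filter lines carry no client IP
            per_ip[event["ip"]][event["category"]] += 1
    return {ip: dict(c) for ip, c in per_ip.items() if sum(c.values()) >= threshold}

# Constructed sample lines; the message texts follow the formats listed above.
SAMPLE = [
    "[01/Aug/2012 10:00:01] SMTP Spam attack detected from 192.0.2.10, client sent data before SMTP greeting",
    "[01/Aug/2012 10:00:05] IP address 192.0.2.10 found in DNS blacklist SPAMHAUS ZEN, mail from <a@example.com> to <me@example.org> rejected",
    "[01/Aug/2012 10:01:00] IP address 198.51.100.7 found in DNS blacklist UCEPROTECT L1, mail from <b@example.com> to <me@example.org>",
    "[01/Aug/2012 10:02:00] Relay attempt from IP address 192.0.2.10, mail from <a@example.com> to <x@example.net> rejected",
    "[01/Aug/2012 10:03:00] SPF check failed: The IP address '203.0.113.5' is not in permitted set for sender 'c@example.com' (FAIL)",
    "[01/Aug/2012 10:04:00] Message from <d@example.top> rejected by header filter: From address contains domain *.top",
]
```

Calling `repeat_offenders(SAMPLE)` returns only 192.0.2.10, which hit Spam Repellent, a DNS blacklist and the relay check within two minutes.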

Kerio Connect 7.4: Automatic License Update Failed

Starting 28-July-2012, I see the following entries in the KC warning log once a day:

[28/Jul/2012 xx:xx:xx] License update failed: Automatic license update failed during attempt to contact registration server: (11) Unexpected server response
[29/Jul/2012 xx:xx:xx] License update failed: Automatic license update failed during attempt to contact registration server: (11) Client-Server communication error.: couldn't connect to host
[30/Jul/2012 xx:xx:xx] License update failed: Automatic license update failed, when getting information from registration server: (11) The license number is not valid. Please, check your license number and try to enter it again.
[31/Jul/2012 xx:xx:xx] License update failed: Automatic license update failed, when getting information from registration server: (11) The license number is not valid. Please, check your license number and try to enter it again.
[01/Aug/2012 xx:xx:xx] License update failed: Automatic license update failed, when getting information from registration server: (11) The license number is not valid. Please, check your license number and try to enter it again.

And so on, every day.

It looks like Kerio Connect has started calling home to check the license; it did not do that up to and including version 7.3.

Once a day or on every restart of KC, it tries to contact the host register.kerio.com (= 195.113.184.8 as of this writing). It tries to POST to URL https://register.kerio.com/registration/LD.php. The user agent string is "Kerio License Downloader (LicenseManager)".

If you want to block KC from calling home, you can add a line to your hosts file:

127.0.0.1 register.kerio.com

Or you can block the IP address in your firewall.

I have not seen any effect on this, KC is still fully functional as of this writing, but this might change after a month or so is over. I will update this thread with any news.

Kerio Connect: Some sample Sieve Filter Rules

In Kerio Connect, the filtering of personal mails is based on the filter language Sieve. As I didn't find many good samples on the web, find below some interesting ones. I will update when I have new ones:

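# fileinto is an extension and has to be declared at the top of the script
require ["fileinto"];

# :matches treats "*" as a wildcard; with :contains it would be a literal
# character and the plain "rma" entry would also match words like "pharma"
if allof (
    header :matches "Subject" ["rma *","* rma","* rma *","rma"],
    address :all :contains "Cc" "joe@joe.com")
{
    fileinto "RMA";
    keep;
}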

This copies any mails to the folder RMA that match the following criteria: The subject of the mail contains the word RMA and the mail has joe@joe.com in the CC field. Words containing rma (like pharma) do not match.

Kerio Connect: Enabling DCC on Spam Assassin

KMS (Kerio Mail Server) comes with the Spamassassin spam protection. Although not officially supported by Kerio, you can change spamassassin by modifying the spamassassin rules and config files. On Windows, all the important files are in

C:\Program Files\Kerio\MailServer\plugins\spamassassin\rules

Before you change anything, you should definitely back up all files in this directory!

The .cf files contain the rules and the scores. They are plain text and you can change them, but you have to know what you are doing. You can also add new ones, for example 80_MyAntiSpamRules.cf. You need to restart the KMS Mail services to make the changes effective.

Spamassassin comes with three modules that are based on check-sums of mails: Pyzor, Razor2 and DCC. But they are not enabled in KMS. Unfortunately, it is not just a matter of enabling them as the executables for them are missing.

So I spent about 5 hours to figure out how I could get DCC to work (I chose DCC because I don't need Python on my system for it to work).

What is DCC?

The DCC or Distributed Checksum Clearinghouse is a system of servers collecting and counting checksums of millions of mail messages. The counts can be used by SpamAssassin to detect and reject or filter spam. See http://www.rhyolite.com/anti-spam/dcc/ for details.

I had to do the following steps to get it to work on Windows (similar steps on Unix and Mac, I guess):

  1. Download SpamAssassin for Win32 command-line tools from http://sawin32.sourceforge.net/ and unzip it to c:\sa
  2. Make sure that c:\sa\dccproc.exe is in place. This is the main executable for DCC.
  3. Open a cmd prompt and type

    c:
    cd "Documents and Settings\Default User"
    md .spamassassin

  4. Important: On a 64-bit Windows 2008 R2 server, the path is: C:\Windows\SysWOW64\config\systemprofile\.spamassassin
  5. Copy the "map" file from C:\sa\etc\dcc to C:\Documents and Settings\Default User\.spamassassin. This file contains the servers that can be contacted for spam checksums.
  6. Locate and open C:\Program Files\Kerio\MailServer\plugins\spamassassin\rules\local.cf
  7. Add the following lines:

    # Use DCC
    dcc_home c:\sa\etc\dcc
    dcc_path c:\sa\dccproc.exe
    add_header all DCC _DCCB_: _DCCR_
    use_dcc 1

  8. Remove the following line

    score DCC_CHECK 0

  9. In the same directory, open the v310.pre file and uncomment the following line

    loadplugin Mail::SpamAssassin::Plugin::DCC

  10. Restart KMS
  11. Also note that DCC requires that you open your firewall for DCC reply packets on UDP port 6277. Here are the sample firewall rules required:
    allow udp local gt 1023 to remote 6277
    allow udp remote 6277 to local gt 1023

From now on you should see an entry in the headers of your incoming mails (if DCC detects it as spam):

DCC_CHECK: 1.37

The score depends on what you have defined in 50_scores.cf

Update: This has also been tested on Kerio Connect 7.3 and it is working.

Update 2: According to John's post below, to make DCC work in Kerio Connect 7.4, you have to add some lines to Util.pm in addition to the steps above. For details, see John's post below. Thanks John for that!

Update 3: This also works in Kerio Connect 8.0.