Category Archives: KC 8.2

Kerio Connect: Use it with free "Let's Encrypt" Certificates on IIS

"Let's Encrypt" is a certificate authority that issues TLS (SSL) certificates free of charge through an automated protocol. On IIS or Apache web servers the setup is simple; on Kerio Connect it is a bit more involved, because Kerio Connect comes with its own web server and does not hand out port 80 or 443 to IIS. Here is how I set it up (there are other ways, of course; please feel free to add your comments at the bottom of the page).

First, download "letsencrypt-win-simple" from

https://github.com/Lone-Coder/letsencrypt-win-simple

This tool simplifies and automates the communication with the Let's Encrypt API.

Then make sure IIS is enabled on your Windows Server 2012 R2, but with a binding on port 80 only (port 443 stays with Kerio Connect). Let's Encrypt proves control of the name by fetching a challenge file over plain HTTP, so bind http://mail.yourmaildomain.com to IIS and make sure that port 80 is reachable from the Internet.

Make sure that Kerio Connect has only HTTPS enabled and not HTTP, otherwise its own web server competes with IIS for port 80.

Now run letsencrypt.exe from the folder where you downloaded it. When run for the first time it asks for your e-mail address and for acceptance of the terms of service. It then lists all current IIS bindings. Choose mail.yourmaildomain.com.

It now requests and creates the certificate for your mail server. Two files are important:

mail.yourmaildomain.com-crt.pem
mail.yourmaildomain.com-key.pem

They can be found here:

C:\Users\<username>\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org

In Kerio Web Admin > SSL Certificates, import the certificate and make it the default certificate. Delete any other certificates.

This results in two files in

C:\Program Files\Kerio\MailServer\sslcert

server.crt
server.key

You should now be able to go to the Kerio Connect login web page with

https://mail.yourmaildomain.com

If you look at the certificate it should list "Let's Encrypt Authority" as the issuer, and the browser should show a green padlock.

Renewal

Let's Encrypt certificates expire after 90 days, so you should create a scheduled task that renews the certificate and copies the renewed files to

C:\Program Files\Kerio\MailServer\sslcert

overwriting server.crt and server.key. Restart the Kerio Connect service afterwards so that it loads the new pair, and keep in mind that letsencrypt-win-simple stores its files under the profile of the user who ran it, so the task must run as that user (or use the full path).
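As an added example, not part of the original post, here is a PowerShell script for that scheduled task. It takes the renewed PEM files from the letsencrypt-win-simple folder, refuses to install a certificate that is not for the right host or is about to expire, backs up and overwrites server.crt and server.key, restarts Kerio Connect only when the certificate has actually changed, and finally checks what port 443 really serves. The host name and paths are those from the post; the Windows service name 'KerioConnect' and the assumption that Kerio reads the files only at service start are mine, so verify both on your server.

```powershell
# Added example (not from the original post): install a renewed Let's Encrypt
# certificate into Kerio Connect and verify the result.
# Assumptions: host name and folders as in the post, service name 'KerioConnect'
# (check with Get-Service), Kerio loads server.crt/server.key at service start.
$ErrorActionPreference = 'Stop'

$HostName    = 'mail.yourmaildomain.com'
$LeDir       = Join-Path $env:APPDATA 'letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org'
$KerioDir    = 'C:\Program Files\Kerio\MailServer\sslcert'
$ServiceName = 'KerioConnect'   # assumed; adjust to your installation
$MinDaysLeft = 30               # never install a certificate that is about to expire

$SrcCrt = Join-Path $LeDir "$HostName-crt.pem"
$SrcKey = Join-Path $LeDir "$HostName-key.pem"
$DstCrt = Join-Path $KerioDir 'server.crt'
$DstKey = Join-Path $KerioDir 'server.key'

# Parse the first certificate in a PEM file (a chain file would contain several).
function Get-PemCertificate([string]$Path) {
    $pem = Get-Content -Raw -Path $Path
    $m = [regex]::Match($pem, '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----', 'Singleline')
    if (-not $m.Success) { throw "No PEM certificate found in $Path" }
    $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
}

# Fetch the certificate presented on $Port. Validation is disabled on purpose:
# we only want to see what is served, not decide whether to trust it.
function Get-ServedCertificate([string]$Name, [int]$Port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    try {
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Name)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally { $tcp.Close() }
}

foreach ($f in @($SrcCrt, $SrcKey)) {
    if (-not (Test-Path $f)) { throw "Renewed file missing: $f (did the renewal run?)" }
}
if (-not (Get-Content -Raw $SrcKey).Contains('PRIVATE KEY-----')) { throw "$SrcKey is not a PEM private key" }

$new = Get-PemCertificate $SrcCrt
$dns = $new.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dns -ne $HostName) { throw "Certificate is issued for '$dns', not '$HostName'" }
if ($new.NotAfter -lt (Get-Date).AddDays($MinDaysLeft)) {
    throw "Certificate expires $($new.NotAfter); renewal apparently did not produce a fresh one"
}

# Compare with what Kerio already has; an unchanged certificate means no restart.
$current = if (Test-Path $DstCrt) { try { Get-PemCertificate $DstCrt } catch { $null } } else { $null }
if ($current -and $current.Thumbprint -eq $new.Thumbprint) {
    Write-Output "Kerio already uses certificate $($new.Thumbprint); nothing to do."
    return
}

# Keep a timestamped backup of the previous pair, then overwrite.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($f in @($DstCrt, $DstKey)) {
    if (Test-Path $f) { Copy-Item $f "$f.$stamp.bak" }
}
Copy-Item $SrcCrt $DstCrt -Force
Copy-Item $SrcKey $DstKey -Force

Restart-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Trust, but verify: the thumbprint on port 443 must be the one we installed.
$served = Get-ServedCertificate $HostName
if ($served.Thumbprint -ne $new.Thumbprint) {
    throw "Port 443 still serves $($served.Thumbprint), expected $($new.Thumbprint)"
}
Write-Output "Installed $($new.Thumbprint), issuer '$($served.Issuer)', valid until $($new.NotAfter)"
```

Run it as its own scheduled task a few minutes after the renewal task, under an account that can write to the Kerio folder and restart the service. server.key is the private key: the sslcert folder, and the .bak copies this script leaves behind, should be readable only by Administrators and the account Kerio Connect runs as.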

Kerio Connect: Messages in the Security Log and what they mean

Find below a list of messages that can appear in the security log of Kerio Connect 8.0 and what they mean:

SMTP Spam attack detected from 85.51.174.157, client closed connection before SMTP greeting

This message only appears if Spam Repellent is switched on. It means that the client (sending mail server) did not wait the 25 seconds (or whatever delay is configured in Spam Repellent) for the SMTP greeting and closed the connection too early. This is typical of botnet spam; a legitimate mail server waits for the greeting, as the SMTP standard requires.

SMTP Spam attack detected from 69.94.153.232, client sent data before SMTP greeting

This message only appears if Spam Repellent is switched on. It means that the client (sending mail server) did not wait the 25 seconds (or whatever delay is configured in Spam Repellent) for the SMTP greeting and started sending commands (such as HELO) and data too early. This is typical of botnet spam; a legitimate mail server does not send anything before it has received the greeting.

IP address 93.85.133.206 found in DNS blacklist SPAMHAUS ZEN, mail from <sendername@senderdomain.com> to <myname@mydomain.org> rejected

The IP address of the client (sending mail server) is in the indicated black list and is blocked immediately. It will not be allowed to transmit the mail.

IP address 72.9.146.151 found in DNS blacklist UCEPROTECT L1, mail from <sendername@senderdomain.com> to <myname@mydomain.org>

The IP address of the client (sending mail server) is in the indicated black list, but this list is configured to mark rather than block, so the message is still accepted; a spam score is added to it instead. Note the missing "rejected" at the end of the line compared with the previous message.

Relay attempt from IP address 72.9.146.151, mail from <sendername@senderdomain.com> to <recipient@notmydomain.net> rejected

As the recipient domain is not one the mail server is responsible for, the message is rejected. An authenticated client would have been allowed to relay. This prevents the server from being used as an open relay for spam.

Message from IP address 195.245.231.144, sender <sendername@mydomain.org> rejected: sender domain requires authentication

As the sender domain is hosted on this mail server, the client must authenticate to send a message with that sender address. This prevents sender address spoofing: without authentication the message is blocked.

Message from IP address 186.28.185.93, sender <sendername@senderdomain.com> rejected: sender domain does not exist

The message is blocked because the sender domain does not exist.

Message from IP address 72.38.232.36, sender <sendername@senderdomain.com> temporarily rejected: sender domain does not resolve

The message is temporarily blocked because the sender domain does not resolve. This means the domain exists, but its authoritative DNS servers are not responding. Because the rejection is temporary (a 4xx SMTP response), a legitimate sending server will queue the message and retry later.

Attempt to deliver to unknown recipient <unknown@mydomain.org>, from <sendername@senderdomain.com>, IP address 217.200.184.87

The message is blocked as there is no recipient with that name on the recipient domain.

Client with IP address 202.85.222.166 has no reverse DNS entry, connection rejected before SMTP greeting

The IP address of the client (sending mail server) has no reverse DNS entry (PTR record), so the connection is rejected before the greeting. A properly configured mail server has a reverse DNS entry for its sending address.

SPF check failed: The IP address '210.68.71.113' is not in permitted set for sender 'sendername@senderdomain.com' (FAIL)

The sender domain has an SPF (Sender Policy Framework) record in its DNS, and it states that the client IP address is not a permitted sender for that domain. The message is accepted, but a spam score is added to it.

Message from <sendername@routemails.top> rejected by header filter: From address contains domain *.top

A custom anti-spam rule (header filter) has been set up to reject mails that meet certain criteria. In this example, any mail whose From address uses the .top TLD is rejected.
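As an added example that is not part of the original post, here is a PowerShell function that turns these messages into objects (kind of check, outcome, client IP, sender, recipient) and a second one that lists IPs that trigger more than one check, which is how a repeat offender such as the 72.9.146.151 example above shows up. The sample lines are constructed from the messages quoted above; the leading timestamp in square brackets is my assumption about Kerio's on-disk log format, and the parser strips it if present.

```powershell
# Added example (not from the original post): parse Kerio Connect security log
# messages into objects and flag IPs that show up repeatedly.
# Assumption: lines may carry a leading "[timestamp]"; the message texts are the
# ones explained above.

$Patterns = @(
    @{ Kind = 'spam-repellent'
       Re = 'SMTP Spam attack detected from (?<ip>\S+), client (?:closed connection|sent data) before SMTP greeting'
       Outcome = { param($m) 'rejected' } }
    @{ Kind = 'dnsbl'
       Re = 'IP address (?<ip>\S+) found in DNS blacklist (?<list>.+?), mail from <(?<from>[^>]*)> to <(?<to>[^>]*)>(?<rej> rejected)?$'
       Outcome = { param($m) if ($m.Groups['rej'].Success) { 'rejected' } else { 'accepted, spam score added' } } }
    @{ Kind = 'relay-attempt'
       Re = 'Relay attempt from IP address (?<ip>\S+), mail from <(?<from>[^>]*)> to <(?<to>[^>]*)> rejected'
       Outcome = { param($m) 'rejected' } }
    @{ Kind = 'sender-check'
       Re = 'Message from IP address (?<ip>\S+), sender <(?<from>[^>]*)> (?<temp>temporarily )?rejected: (?<reason>.+)$'
       Outcome = { param($m) if ($m.Groups['temp'].Success) { 'temporarily rejected' } else { 'rejected' } } }
    @{ Kind = 'unknown-recipient'
       Re = 'Attempt to deliver to unknown recipient <(?<to>[^>]*)>, from <(?<from>[^>]*)>, IP address (?<ip>\S+)'
       Outcome = { param($m) 'rejected' } }
    @{ Kind = 'no-reverse-dns'
       Re = 'Client with IP address (?<ip>\S+) has no reverse DNS entry, connection rejected before SMTP greeting'
       Outcome = { param($m) 'rejected' } }
    @{ Kind = 'spf'
       Re = "SPF check failed: The IP address '(?<ip>[^']+)' is not in permitted set for sender '(?<from>[^']+)' \((?<reason>\w+)\)"
       Outcome = { param($m) 'accepted, spam score added' } }
    @{ Kind = 'header-filter'
       Re = 'Message from <(?<from>[^>]*)> rejected by header filter: (?<reason>.+)$'
       Outcome = { param($m) 'rejected' } }
)

function ConvertFrom-KerioSecurityLog {
    param([Parameter(ValueFromPipeline = $true)][string[]]$Line)
    process {
        foreach ($raw in $Line) {
            $text = ($raw -replace '^\[[^\]]*\]\s*', '').Trim()   # drop "[timestamp]" if present
            if (-not $text) { continue }
            $hit = $null
            foreach ($p in $Patterns) {
                $m = [regex]::Match($text, $p.Re)
                if ($m.Success) { $hit = $p; break }
            }
            if (-not $hit) { Write-Warning "Unrecognised security log line: $text"; continue }
            # Named groups that a pattern does not define come back with Success = $false.
            $val = { param($name) if ($m.Groups[$name].Success) { $m.Groups[$name].Value } else { $null } }
            [pscustomobject]@{
                Kind      = $hit.Kind
                Outcome   = & $hit.Outcome $m
                Ip        = & $val 'ip'
                Sender    = & $val 'from'
                Recipient = & $val 'to'
                Detail    = ((& $val 'list'), (& $val 'reason') | Where-Object { $_ }) -join ' '
            }
        }
    }
}

# IPs that triggered at least $MinHits checks, with the kinds of checks they hit.
function Get-KerioRepeatOffenders {
    param([Parameter(ValueFromPipeline = $true)][object]$Event, [int]$MinHits = 2)
    begin { $events = New-Object System.Collections.Generic.List[object] }
    process { $events.Add($Event) }
    end {
        $events | Where-Object Ip | Group-Object Ip | Where-Object Count -ge $MinHits |
            ForEach-Object {
                [pscustomobject]@{
                    Ip    = $_.Name
                    Hits  = $_.Count
                    Kinds = ($_.Group.Kind | Sort-Object -Unique) -join ', '
                }
            } | Sort-Object Hits -Descending
    }
}

# Constructed sample input, reusing the messages explained above (timestamps made up).
$SampleLines = @(
    '[10/Mar/2016 08:01:12] SMTP Spam attack detected from 85.51.174.157, client closed connection before SMTP greeting'
    '[10/Mar/2016 08:01:40] SMTP Spam attack detected from 69.94.153.232, client sent data before SMTP greeting'
    '[10/Mar/2016 08:02:03] IP address 93.85.133.206 found in DNS blacklist SPAMHAUS ZEN, mail from <sendername@senderdomain.com> to <myname@mydomain.org> rejected'
    '[10/Mar/2016 08:02:30] IP address 72.9.146.151 found in DNS blacklist UCEPROTECT L1, mail from <sendername@senderdomain.com> to <myname@mydomain.org>'
    '[10/Mar/2016 08:02:31] Relay attempt from IP address 72.9.146.151, mail from <sendername@senderdomain.com> to <recipient@notmydomain.net> rejected'
    '[10/Mar/2016 08:03:15] Message from IP address 72.38.232.36, sender <sendername@senderdomain.com> temporarily rejected: sender domain does not resolve'
    "[10/Mar/2016 08:04:02] SPF check failed: The IP address '210.68.71.113' is not in permitted set for sender 'sendername@senderdomain.com' (FAIL)"
    '[10/Mar/2016 08:04:50] Message from <sendername@routemails.top> rejected by header filter: From address contains domain *.top'
)

$events = $SampleLines | ConvertFrom-KerioSecurityLog
$events | Format-Table Kind, Outcome, Ip, Sender, Recipient, Detail -AutoSize
$events | Get-KerioRepeatOffenders | Format-Table -AutoSize
```

To run it over the real log, replace $SampleLines with Get-Content of Kerio's security log (adjust the path to wherever your installation keeps it) and pipe the lines into ConvertFrom-KerioSecurityLog. The entries with outcome "accepted, spam score added" (the unblocked DNSBL hit and the SPF fail) are the ones that reached a mailbox; those are worth a second look when users report spam getting through.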

Kerio Connect: Some sample Sieve Filter Rules

In Kerio Connect, the filtering of personal mail is based on the Sieve filter language (RFC 5228). As I did not find many good samples on the Web, find below some interesting ones. I will update this when I have new ones:

require ["fileinto"];

# :matches makes * a wildcard; with :contains the asterisks would be literal
# characters. Comparisons are case-insensitive by default, so RMA matches too.
if allof (
    header :matches "Subject" ["rma *", "* rma", "* rma *", "rma"],
    address :all :contains "Cc" "joe@joe.com")
{
    fileinto "RMA";
    keep;
}

This files a copy of any mail into the folder RMA when both conditions hold: the subject contains rma as a separate word (at the start, at the end, or surrounded by spaces), and joe@joe.com appears in the Cc field. Words that merely contain rma, such as pharma, do not match; note that a subject like "RMA: 1234" is not matched by these four patterns either, as there is no space after rma. The explicit keep leaves the original in the Inbox; fileinto on its own would move the message instead of copying it.