Kerio from a legal view

Let's say your company is in a legal feud with a customer. For example, the customer sent you a business update by email, or some other very important email. Then a couple of days later the customer calls you up, angry because you haven't gotten back to them. Normally you respond quite rapidly and the customer has gotten used to it. You say you don't know what email they're talking about and ask them to forward it to you. You receive an email you have never seen before. Around the time of the first email you received a lot of other emails from other customers, and perhaps even other mails from the same customer. Some investigation is in order to see what is wrong with the mail delivery process.

Here is where it gets strange: Kerio does not offer any way of tracing an email once it has been received. Almost all other mail servers keep at least a rudimentary log of where the email was placed, whether some rule moved it, whether the spam filter flagged it, whether it contained a virus, and whatever else happened before the email was stored in the inbox. They also log when it was flagged as read, deleted or fetched, using what protocol and from what IP the user authenticated. Kerio's solution is to enable debug logging (??), and the problem with that is of course that it creates gigantic log files. And we all know Kerio and log files are not meant to be.

So then you and your company are in quite a hot seat. If you ever need to trace an email, choose something that works.

Posted in unintelligent engineering | Comments are closed for Kerio from a legal view

Renaming resources the easy way

As you often experience with a server that is planned to be used for many years, it is necessary to be able to rename users and resources with ease. However, it is simply not possible to rename resources in the Kerio Connect web administration. So name your resources with an oracle's eye.

There is, however, a supported way of renaming a resource that involves (you guessed it) taking down the server:

– Create a new resource
– Stop Kerio Connect
– Take a copy of the #msgs folder from the old resource and copy it into the new resource (by default these are located at /opt/kerio/mailserver/store/mail/[domain]/[resource name])
– Start Kerio Connect and remove the old resource
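The copy step above is the one where a typo or a half-finished copy loses a resource's calendar, so here is an added example (not Kerio's own tooling) that performs it with the guards an administrator would want: it refuses to run unless the old resource has a #msgs folder, the new resource already exists, and the new resource has no #msgs folder yet. It assumes only the store layout the post describes, <store>/<domain>/<resource>/#msgs, and that you have stopped the server first.

```python
"""Copy a Kerio Connect resource's #msgs folder into a freshly created resource.

Added example, not Kerio code. Assumes the store layout from the post:
<store>/<domain>/<resource>/#msgs, and that Kerio Connect is stopped.
"""
import shutil
from pathlib import Path

# Default store path quoted in the post; override with store= for other installs.
DEFAULT_STORE = Path("/opt/kerio/mailserver/store/mail")


def copy_resource_msgs(domain: str, old: str, new: str, store: Path = DEFAULT_STORE) -> int:
    """Copy <old>/#msgs into <new>/#msgs and return the number of files copied.

    Refuses to overwrite: the new resource must already exist (created in the
    web administration) and must not yet contain a #msgs folder, so running
    the script twice, or against the wrong name, cannot destroy data.
    """
    src = store / domain / old / "#msgs"
    dst_res = store / domain / new
    dst = dst_res / "#msgs"
    if not src.is_dir():
        raise FileNotFoundError(f"no #msgs folder for resource {old!r} in {domain}")
    if not dst_res.is_dir():
        raise FileNotFoundError(f"create resource {new!r} in the web administration first")
    if dst.exists():
        raise FileExistsError(f"{dst} already exists; refusing to overwrite")
    # copytree uses copy2, so file timestamps are preserved along with content.
    shutil.copytree(src, dst)
    copied = sum(1 for p in dst.rglob("*") if p.is_file())
    expected = sum(1 for p in src.rglob("*") if p.is_file())
    if copied != expected:
        raise RuntimeError(f"copied {copied} files but source has {expected}")
    return copied
```

Run it between stopping and starting the server; only after it returns without error should the old resource be removed.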

Why this procedure cannot be integrated into the web administration, or done via a CLI, without the entire server being down is once again due to the lack of intelligent engineering.

Posted in unintelligent engineering | Comments are closed for Renaming resources the easy way

The need for unusually high I/O load

Kerio Connect will not play nice with your storage if you have heavy users and a lot of activity on your server. Over-dimension your storage plan for the Kerio mail store.

You need to be aware that the Kerio mail server uses a lot more I/O than you may expect and therefore might not be suitable for use in a virtual environment. Unless you have a filesystem that likes a huge number of small files and a lot of changes to other small files, you're better off choosing some other mail server.

One message in the mail queue consists of the actual mail and a meta file. One message in a mail folder consists of the actual mail stored in one file, plus writes to the following files (one set of files in each folder!): properties.fld, search.fld, status.fld, deleted.fld and index.fld. So if you have a lot of emails in your folder the search file is 10 MB+ and it takes time to write an updated copy of it each time the folder changes.

So if you and your users are like most people and store every email you ever got in one densely populated mailbox, there are a lot of unnecessary I/O operations.

Also beware that there is a VMware Server 2.02 bug that terminates virtual machines if they use heavy I/O. Something you perhaps cannot blame on Kerio; it's VMware's fault, even though intelligent engineering should prevent this excessive use of I/O.

Posted in unintelligent engineering | Comments are closed for The need for unusually high I/O load

Quick administration jobs

How often do you change your users' passwords? Normally I would say never, since users on our other mail servers:

  1. Change their own password according to our company password policy. You all know the kind: it must be X characters long and contain at least X lowercase letters, X capitals and X numbers. All passwords are valid for X days. They get a mail reminding them to change their password and some days later a text message reminder.
  2. If they do forget their password, the server can generate a new one, identifying them using a secure site with certificate authentication, or send a one-time password to their cellphone.

However, since there is no password policy in the Kerio Connect software, you as an administrator are forced to change their passwords at a fixed interval. There is not even a way for users to recover a lost password. And if you would like to build one yourself to change XX passwords at once using some script, it just can't be done. There are no CLI/scriptable administration tools available for Kerio Connect.

Posted in unintelligent engineering | Comments are closed for Quick administration jobs

Using CalDAV and expecting certain functionality

Kerio has support for CalDAV, but it is not quite as completely implemented as you might think. There are several hiccups that they are working on fixing. The most irritating one for my users is that the server doesn't present users with their real name (as you would expect, since it is in the webmail); instead the user's name is "User accountname@FQDN", another example of Kerio not thinking clearly when developing.

Who the fuck wants to be named User [email protected]?

Posted in unintelligent engineering | Comments are closed for Using CalDAV and expecting certain functionality

Availability 101

Like most mail servers today, they are pretty important, and so should be reliable. Obvious, you may think, since neither you as an administrator like taking the server down, nor do the end users have any understanding when you need to.

This is a concept Kerio does not understand: almost all of their support solutions include a restart of the server software. That just seems to be accepted by their support. The implication is that Kerio doesn't have any major accounts that demand availability.

Posted in unintelligent engineering | Comments are closed for Availability 101

Intercept an ongoing outbreak

So one of your users has changed their password to 1234 and their email account is being used to send out 1000+ emails each minute. If it is an ongoing outbreak you quickly need to find the user in the log and change their password to a stronger one.

However, as you see the queue fill up with more emails, you may have a chance in the log file; not likely, but you might. The other way would be to get more details in the queue window, but there are none (I guess the spammer didn't set his from address correctly).

Even worse is if the spammer has stopped filling your SMTP queue with incoming messages and you are left to battle the 100 000+ already queued messages: there is no way to stop them all from being delivered that does not involve shutting down the entire server.

There goes the uptime…
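What the "legal view" post asks for (every event recorded for one message) and what this post asks for (which authenticated user is submitting far more mail than anyone else) are both one pass over a per-event mail log. The following is an added example, not Kerio code: since Kerio Connect does not write such a log, the line format is a constructed one, "<ISO time> <event> key=value ...", and the sample lines are constructed too.

```python
"""Trace one message and flag a runaway sender from constructed mail-log lines.

Added example, not Kerio code. Line format (constructed, not Kerio's):
"<ISO time> <event> key=value key=value ...", one event per line.
"""
import re
from collections import Counter
from datetime import datetime

LINE = re.compile(r"^(\S+) (\w+) ?(.*)$")


def parse(lines):
    """Yield (timestamp, event, fields) for each well-formed line; skip the rest."""
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        yield datetime.fromisoformat(m.group(1)), m.group(2), fields


def trace_message(lines, msgid):
    """Return every event recorded for one message id, in log order."""
    return [(ts.isoformat(), ev, f) for ts, ev, f in parse(lines) if f.get("id") == msgid]


def busiest_senders(lines, event="submit", window_s=60, threshold=100):
    """Count authenticated submissions per user per time window.

    Returns the users that exceed `threshold` in any single window; these are
    the accounts whose password you change first during an outbreak.
    """
    buckets = Counter()
    for ts, ev, f in parse(lines):
        if ev == event and "user" in f:
            buckets[(f["user"], int(ts.timestamp()) // window_s)] += 1
    return sorted({user for (user, _), n in buckets.items() if n >= threshold})


# Constructed sample: a customer's message that a rule moved to Archive (so the
# recipient never saw it), then a compromised account submitting 150 messages
# within one minute.
SAMPLE = [
    "2024-05-06T09:00:01 received ip=203.0.113.7 id=m1 to=bob",
    "2024-05-06T09:00:02 spamcheck id=m1 score=2.1",
    "2024-05-06T09:00:02 rule id=m1 moved=Archive",
    "2024-05-06T09:00:03 fetch user=bob ip=198.51.100.9 proto=imap id=m1",
] + [f"2024-05-06T10:00:{i % 60:02d} submit user=alice ip=192.0.2.{i % 9} id=s{i} to=x{i}"
     for i in range(150)]
```

Pointed at a real log, trace_message answers the customer's "where did my mail go?" and busiest_senders names the account to lock during an outbreak, which is exactly the bookkeeping the two posts say Kerio leaves you without.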

Posted in unintelligent engineering | Comments are closed for Intercept an ongoing outbreak

Lack of lawful interception of emails

Upon suspicion of a crime, law enforcement agencies may come and ask for a detailed log to help them combat criminal activity. There is no way to accomplish this with a Kerio Connect server.

The man-hours it would take to search, sort and compile the log files are many, many hours. As an administrator you probably have more important things to do.

Posted in unintelligent engineering | Comments are closed for Lack of lawful interception of emails

Lack of correctly implemented IP multihoming

Kerio has support for multiple IP addresses; however, the server will mainly use the first IP. Even if you configure a specific domain to use a different IP, the server will still communicate on the first IP available. This is a major disadvantage if you want to separate your customers/domains.

Worst case scenario: your entire Kerio Connect server gets blacklisted because one user misbehaved. Why it cannot keep the same IP that the connection was initiated to is a good question. It is much easier to trace an SMTP message if the IP does not change during handling.

Posted in unintelligent engineering | Comments are closed for Lack of correctly implemented IP multihoming