Administrator's Guide - Kerio Software Archive
Chapter 10
Server’s Certificates

The principle behind secure services in Kerio MailServer (services encrypted by SSL, e.g. HTTPS, IMAPS, POP3S, etc.) is that all communication between the client and the server is encrypted to protect it from tapping and to prevent misuse of the transmitted information. The SSL encryption protocol used for this purpose first uses an asymmetric cipher to exchange a symmetric key.

The asymmetric cipher uses two keys: a public one for encrypting and a private one for decrypting. As their names suggest, the public (encrypting) key is available to anyone wishing to establish a connection with the server, whereas the private (decrypting) key is available only to the server and must remain secret. The client, however, also needs to be able to identify the server (to find out if it is truly the server and not an impostor). For this purpose there is a certificate, which contains the public server key, the server name, expiration date and other details. To ensure the authenticity of the certificate it must be certified and signed by a third party, the certification authority.

Communication between the client and server then follows this scheme: the client generates a symmetric key and encrypts it with the public server key (obtained from the server certificate). The server decrypts it with its private key (kept solely by the server). This method ensures that the symmetric key is known only to the server and client.

Note: To secure Kerio MailServer as much as possible, allow only SSL-secured traffic. This can be set either by stopping all unencrypted services (see chapter 6) or by setting an appropriate security policy (refer to chapter 15.6). Once the server is configured, it is necessary to install a certificate (even a self-signed one) or certificates on clients of all users using Kerio MailServer’s services.

10.1 Kerio MailServer Certificate

To find out how these principles work in practice, look at Secure HTTP. Web browsers can display certificate information, as opposed to Secure POP3 or Secure IMAP, where such information will not be revealed.

When Kerio MailServer (version 6.0 and above) is run for the first time, it generates the self-signed certificate automatically. It is saved in the server.crt file in the sslcert folder where Kerio MailServer is installed. The second file in this directory, server.key, contains the server’s private key.

If you attempt to access the Secure HTTP service immediately after installing Kerio MailServer, a security warning will be displayed with the following information (depending on your browser, name of the computer, etc.):
Figure 10.1 Security Alert

• The certificate was not issued by a company defined as trustworthy in your configuration. This is caused by the fact that the certificate is self-signed. This warning will not be displayed if you install the certificate (you can do this because you know the certificate’s origin).

• The certificate date is valid (the certificate is valid for a certain limited period, usually 1-2 years).

• The name of the certificate does not correspond with the name of the server. The certificate is issued for a certain server name (e.g. mail.company.com), which you must also use in the client (this certificate has been issued for a fictitious name keriomail).

Now, there are two options. One is to keep in Kerio MailServer the self-signed certificate generated during the mailserver’s installation; the other is to get a certificate authorized by a certification authority. It should be possible to install both types of certificates on client stations.

In both cases, it is necessary that the certificate is maintained in the Kerio MailServer’s Configuration → SSL certificates section (see figure 10.2).

In SSL certificates, it is possible to create certificates, generate certificate requests for certification authorities as well as export certificates. Here is an overview of all options:

New...
Click on New to specify information about your server and your company. When confirmed, the server.crt and server.key files are created under sslcert.

The certificate you create will be original and will be issued to your company by your company (self-signed certificate). This certificate ensures security for your clients as it explicitly shows the identity of your server. The clients will be notified by their web browsers that the certification authority is not trustworthy. However, since they know who created the certificate and for what purpose, they can install it. Secure communication is then ensured for them and no warning will be displayed again because your
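
The three points of the security alert above (issuer, date, name) can be checked directly against a certificate file before clients see the warning. The script below is an added example, not part of the Kerio guide: it assumes the openssl command-line tool is installed, its function names are illustrative, and it builds a throwaway self-signed certificate for the name keriomail as a constructed stand-in for sslcert/server.crt.

```shell
#!/bin/sh
# Added example: the three checks behind the browser's security alert.
# Assumption: the openssl command-line tool is on PATH.

# Create a throwaway self-signed certificate issued for "keriomail"
# (constructed sample standing in for sslcert/server.crt); prints its path.
make_sample_cert() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=keriomail" \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        >/dev/null 2>&1 || return 1
    printf '%s\n' "$dir/server.crt"
}

# 1. Issuer: true when issuer and subject are the same name,
#    which is how a self-signed certificate presents itself.
cert_is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# 2. Date: true when the certificate has not yet expired.
cert_is_current() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# 3. Name: true when the certificate was issued for host name $2,
#    i.e. the server name the client is configured to use.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# report <certificate file> <server name used in the client>
report() {
    if cert_is_self_signed "$1"; then
        echo "issuer: self-signed, clients must install it to trust it"
    else
        echo "issuer: signed by another party"
    fi
    if cert_is_current "$1"; then echo "date: valid"; else echo "date: expired"; fi
    if cert_matches_host "$1" "$2"; then
        echo "name: matches $2"
    else
        echo "name: does not match $2, clients will be warned"
    fi
}

crt=$(make_sample_cert) && report "$crt" mail.company.com
```

Point `report` at the real server.crt and the host name users type into their clients to see which of the three warnings they will get.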