Kerio Connect Default Admin Password


Alexia Borson

Jul 24, 2024, 8:28:43 AM
to jonszandrudbue

This is a support problem I hear fairly often: a Kerio demo was set up with a fake domain and then later the real domain is added and set as the primary. The administrator logs out, but when he tries to log in again the next day, he can't. Panic! He's certain he knows the password, but it keeps refusing to let him log in!

Actually this is almost always simple. The password is correct; it's the user name that is wrong because it needs the domain. If your fake domain was called "localhost", that's where the default admin user was created. You can log in as "admin@localhost" (or whatever name you used).

Note: if you are using Unix/Linux "vi", you have to be aware that this is a "dos" file. Your session should recognize that, but if you are creating sections to read into the file, you need to ":set ff=dos" to set NL/CR correctly.

System locales are necessary for supporting WebMail clients in different languages (correct text sorting etc.). By default, only en_US.UTF-8 locale is installed. How to add additional system locale (de, fr, cz etc.):
Log in to the system console (or SSH to it).
Run the configuration wizard for the locales command:

Select the locale you want to install. Always use the UTF-8 version (e.g. cs_CZ.UTF-8, de_DE.UTF-8, etc.).
Choose which one you want as your default system locale and confirm with Ok.
Modifying server locales
By default, the server is configured to use en_US.UTF-8 system locales for programs and services.
To change the system locales:
Log in to the system console.
To change the locale to e.g. German (de_DE), run the following command:
sudo update-locale LANG=de_DE.UTF-8 LC_MESSAGES=POSIX
To get a list of available locales, run the command locale -a in the system console.
Enabling a Graphical desktop interface.
To reduce the size of the VM image, it was decided to implement the Debian VM as a text only interface. However, if you wish to install GNOME, please follow these instructions.
Log on to the system console (or SSH to it).
First we need to make sure that the operating system is up to date. There are two commands to run to do this:

Finally use a VNC client
Finally, test your connection with a program like realVNC or UltraVNC on a Windows machine, or Chicken of the VNC on a Mac. You will need to enter your server address as follows:
Please note, there are two colons :: in the address. The server name is the host name of your mailserver and the 5900 comes from the lsof output you obtained earlier.
Source :
-connect/virtual-appliance-linux/working-with-the-kerio-connect-virtual-appliance-debian-edition-kerio-connect-73x-and-later-784.html

Or, you can use SSH keys. If you don't have one, create one using ssh-keygen (stick to the default for the key, and skip the password if you feel like it). Then do sudo -s (or whatever your preferred method of becoming root is), and add an SSH key to /root/.ssh/authorized_keys:

I had a similar problem to this. I needed two PCs, one on Ubuntu and another on Arch, to sync files through Unison but ran into the same permission denied error. Just for the sake of those who are having the same problem as I was, here's what I did:

First: Installed the same version of Unison on both PCs. This was a bit challenging as the one available on the software center was behind what was readily available for Arch. So, I couldn't find a higher version for Ubuntu, so I replaced the one on Arch with a lower one instead. Found one here: -2.40.102-linux-x86_64. The same version is in the software center for Ubuntu.

I ran into a problem in step 3 as I tried to ssh-copy. But it was resolved by changing "id_dsa.pub" into "id_rsa.pub" in the "ssh-copy-id -i $HOME/.ssh/id_dsa.pub [email protected]" line. Probably my fault, as I think I forgot to add "-t dsa". Anyway, try the original command first. If you get an error, then change to rsa.

After following the steps above, I found I still couldn't get Unison to connect to the other server, nor could I log in (without Unison) through ssh to the other server. Finally, after hours of Google searching, I was led to this page, and the answer given by Muru sealed the deal.

Background: When the user synchronization is using the Kerio API, the user authentication is performed against Kerio's IMAP server. When a MailStore user tries to log in to MailStore, MailStore passes the provided credentials to the Kerio IMAP server and performs a login attempt. If this attempt is successful, the user is able to log in to MailStore.

Problem: MailStore connects to the Kerio IMAP server via IMAP-TLS or IMAP-SSL and the Kerio IMAP server is using a certificate that is not trusted by MailStore. The connection to the IMAP server cannot be established and the provided credentials cannot be verified.

Solution: Replace the certificate used by Kerio with a certificate that is trusted by MailStore or enable the option Accept all certificates in the directory services Authentication section.

Solution: MailStore's "Windows Authentication" only works when MailStore is synchronized with an Active Directory directly. You have to use "Standard Authentication". The MailStore user's "Login Name" has to be entered as username, which is usually the user's email address.

Cause: When a user wants to log in to MailStore, MailStore passes the given user credentials to Kerio Connect's IMAP server. When the IMAP server offers CRAM-MD5 or DIGEST-MD5 authentication in its capabilities, MailStore will use these authentication methods only. These methods require that Kerio Connect knows the clear text password of the user. When Kerio Connect is synchronized with an Active Directory, it never has access to the users' passwords. Therefore, the authentication always fails.

Solution: Log in to Kerio Connect's admin interface. Navigate to Configuration > Security > Security policy > Enabled authentication methods and disable CRAM-MD5 and DIGEST-MD5 authentication methods. Either the authentication method PLAIN or LOGIN or both must be enabled. NTLM is not supported by MailStore, but can be enabled.

Be aware that disabling these authentication methods forces IMAP clients to send user passwords as plain text to Kerio Connect. Only STARTTLS and/or IMAPS connections should be allowed then, to add another layer of security.

Note the "More Actions" link at the bottom of the screen when you have one or more users highlighted. Here you can reindex users' mailboxes and recover deleted items (assuming you have enabled that; see below).

If you edit a user, note that additional email addresses are like aliases in that they do not consume user licenses, but there are differences. For one, an alias created in the alias section can deliver to a folder rather than a user - see below.

A group address does not consume a license, and allows delivery to multiple users in your domain. While this is obviously useful, in some circumstances using an alias that delivers to a public folder can be a better choice.

There is a small security advantage to aliases and additional email addresses: these cannot be used to authenticate. For example, if your real user name is "johnxyz1234" and you have "john" as an alias or additional email address, people can send email to "john", but they cannot use "john" to access your account - only "johnxyz1234" can be used. This provides some extra protection against password guessing attacks.

In Services, you define the services and port numbers for Kerio. Shut off services you aren't using and set their Startup Type to Manual. Here you can also limit services to the local LAN if appropriate and set the maximum number of concurrent connections allowed. Choosing a suitable number can keep your server from being loaded down in the event of DoS (Denial of Service) attacks. For example, if you only have forty people in your entire organization, there's no reason to allow 1,000 concurrent HTTPS connections to the server.

In the picture below, I changed the default port for HTTP to 8080 because this server runs a webserver on port 80. Kerio uses HTTP for a limited Web based administration tool (users who have access to that can add and maintain users and change passwords but can't access other Admin functions).

You probably want to enable this option. It makes your life easier when users accidentally delete things they should not have. If this is active, you can just visit the Domain Settings -> Users section and click one button to recover Deleted Items.

The spam and anti-virus sections are easy enough, but you'll need to spend some time in the Attachment Filter section. You need to decide exactly what your policies will be for attachments; which to allow, which to block.

Turning on Blacklists can really help with spam, but you probably do not want to "Block" domains that are on blacklists. Rather, have it increase the spam score. If you do it that way, you can still add Custom Rules that will allow mail from a specific person even if they are on a blacklist. I ask my customers to make a "whitelist" rule for my email address so that important messages are sure to get through.

Be sure you understand that Archiving is done before the mail is delivered to the user or sent out, so all messages will be captured (you have options for only capturing inbound, etc.). Backup is a snapshot in time and also includes the very important configuration files.

Do peek in here. There are more security options that you probably want to set. For example, there's no reason to tell connecting clients your software version, and there is no reason to let anyone know your LAN IP scheme. Check those to hide those things.

You want to go here first when setting up a new server. As you can see, Kerio has defaulted to using the common private IP address groups for your local LAN. You'll need to edit these to reflect your LAN setup and remove any subnets that don't apply. If you have VPNs, you probably want to add those subnets here too.
