Securing Kerio Connect

You can secure your Kerio Connect by:

Configuring your firewall

If you install Kerio Connect in a local network behind a firewall, map these ports as follows:

Service (default port) Incoming connection
SMTPSimple Mail Transport Protocol - An internet standard used for email transmission across IP networks. (25) allow
SMTPS (465) allow
SMTP Submission (587) allow
POP3Post Office Protocol 3 - A protocol used by local email clients to retrieve emails from mailboxes over a TCP/IP connection. (110) deny
POP3S (995) allow
IMAPInternet Message Access Protocol - One of the two most commonly used Internet standard protocols for e-mail retrieval, the other being POP3. (143) deny
IMAPS (993) allow
NNTPNetwork News Transfer Protocol - A transfer protocol for discussion groups over the Internet. (119) deny
NNTPS (563) allow
LDAPLightweight Directory Access Protocol - A protocol that enables users to access centrally managed contacts. (389) deny
LDAPS (636) allow
HTTPHypertext Transfer Protocol - A protocol for exchange of hypertext documents in HTML. (80, 4040, 8800) deny
HTTPSSecure version of secured by SSL. (443, 4040, 8843) allow

Password policy

Read Password policy in Kerio Connect for detailed information on user passwords.

Configuring a secure connection to Kerio Connect

Kerio Connect can do either of the following:

Go to Configuration > Security > Security Policy to select your preferred security policy.

You can define a group of IP addresses that can authenticate insecurely (for example, from local networks).

Securing user authentication

If you select the Require secure authentication option, users must authenticate securely when they access Kerio Connect.

You can select any of the following authentication methods:

If you select more than one method, Kerio Connect performs the first available method.


If users' passwords are saved in the SHA format:

  • Select PLAIN and/or LOGIN.
  • Do not map users from a directory service.

Data Encryption


  • This feature is only available for users running Kerio Connect v9.2.7 and above on Linux.
  • Data Encryption is not supported on external or removable disks and, on multi-volume data storage.
  • The initial encryption and decryption process takes considerable amount of time to complete based on the size of the email data. It is recommended to not interrupt the process as this will result in a corrupted email store. Email delivery is also unavailable during this time.

Enabling Encryption

You can configure Kerio Connect to encrypt user settings, logs, system configuration, and messages saved to the disk.


Encryption is bound to a specific storage device, so if you plan to change the hardware you must first disable encryption. Also, encryption results in more resources being utilized so performance maybe impacted.

  1. In the Kerio Connect administration interface, go to Configuration > Advanced Options > Store Directory.
  2. Go to the Data Encryption section.

The data encryption tab

  1. Key-in the Password and re-enter to confirm the same.


Once encryption is enabled, the password cannot be changed. Remember this password, as you would require it to decrypt data.

  1. Click Encrypt and confirm the action.

Disabling Encryption

To decrypt: data and disable encryption:

  1. In the Kerio Connect administration interface, go to Configuration > Advanced Options > Store Directory.
  2. Go to the Data Encryption section.

The data encryption tab

  1. Click Decrypt.
  2. Key-in the Password set while encrypting and confirm the action.

Encrypting user communication

If you select the Require encrypted connection option, clients connect to any service via an encrypted connection (the communication cannot be tapped).

You must allow the secured version of all service you use on your firewall.


Many SMTP servers do not support SMTPS and STARTTLS. To provide advanced security, the SMTP server requires secure user authentication.