How do I configure my Anti-Spam gateway to automatically gather valid addresses from Kerio Connect?

In order to have full control over all incoming and outgoing email, most Anti-Spam gateways implement their own SMTPSimple Mail Transport Protocol - An internet standard used for email transmission across IP networks. server, as opposed to transparently filtering the communication, which is a technique used by many firewalls. When acting as its own Mail Transfer Agent, or SMTP server, the Anti-Spam gateway will receive and store messages before forwarding them to the back-end mail server. This behavior however introduces a fundamental problem in that the SMTP gateway will collect all mail for the destination domain, even if the recipient address does not exist on the back-end mail server. It is therefore necessary for the Anti-Spam gateway to know all recipients of the back-end mail server; otherwise it will be responsible for handling the failure notifications of messages addressed to invalid recipients.

There are several techniques that can be used by Anti-Spam gateways in order to quickly and easily learn or obtain the valid recipients of the back-end mail server. One of the more common techniques involves the use of LDAPLightweight Directory Access Protocol - A protocol that enables users to access centrally managed contacts.. LDAP clients may be used to lookup contacts stored in Kerio Connect, however this method is not ideal, as it is not a true reflection of the real list of recipients stored in Kerio Connect. An LDAP lookup to Kerio Connect will take the account of the authenticated user and look in all contact folders which are accessible to that user.

The preferred method for account verification involves an SMTP command called Verify (VRFY). With this command the SMTP gateway can very quickly identify if an address is valid on the receiving mail server. By default, Kerio Connect does not allow this command as it can be exploited by spammers. This command however can be enabled from the configuration file.

To enable support for the VRFY command, edit the Kerio Connect configuration file (mailserver.cfg). By default, this file can be found in the following location:

  • Mac OSX: /usr/local/kerio/mailserver/
  • Red Hat/SuSE: /opt/kerio/mailserver/
  • Windows: C:\Program Files\Kerio\MailServer\

Search for the following variable:

<variable name="VRFYEnabled">0</variable>

And change its value to 1:

<variable name="VRFYEnabled">1</variable>

Stop Kerio Connect, save the changes to this file, then restart the mail server.

When connecting to Kerio Connect, you should now see the following result from an EHLO command. Notice the line, 250 - VRFY, which is not normally announced by Kerio Connect.




250-SIZE 20971520






250-ETRNExtended Turn is an extension to SMTP that enables you to forward messages to another SMTP server.


250 HELP

After enabling the VRFY command, you may still receive the following notice that the command is not allowed: "252 2.1.5 Verification not supported." This is because Kerio Connect will only allow the VRFY command to be issued from a trusted IP addressAn identifier assigned to devices connected to a TCP/IP network.. If you do receive this message, then you will also need to add the IP address of the Anti-Spam gateway to an address group that is trusted by your relay policy. This setting is located in the Kerio Connect administration console under SMTP Server > Relay Control. Enable the option to allow relay for users of an IP address group, and select the group which includes the IP of your spam gateway. Be aware that this is allowing anonymous relay from your spam gateway, so make sure that your spam gateway does NOT relay any mail addressed to non-local domains. Otherwise your mail server may quickly become an open relay.