Volume Number: 20 (2004)
Issue Number: 11
Column Tag: Programming

Patch Panel

Kerio Mail Server

by John Welch

The Best Groupware Server on Mac OS X

One of the biggest holes in Apple's Server offerings is in the realm of groupware. Apple gives you a solid email server, so-so network address books, (Open Directory has real issues with the kinds of things you need for Address Books), but no calendaring or scheduling.

Welcome

If you look at the platform there aren't many choices at all. Now and Meeting Maker don't integrate with any other clients on the Mac. If you have Linux clients, then the only way to use Now is via a web interface, and Meeting Maker requires Windows for a lot of its higher end functionality. Oracle bought Steltor to get Corporate Time, but that requires a separate client for calendaring, and it's a pretty ugly client, even though it has fantastic functionality.

Stalker Software's Communigate Pro can only talk to iCal on the Mac. You can get better groupware functionality out of it, but only for Outlook on Windows. Communigate has issues with talking to Open Directory, or any directory server other than the one they ship with it, and recent price increases have effectively relegated that product to the high end market. Apple doesn't even have any kind of calendaring server at all, and from what they've released for information on Tiger Server, they aren't going to have one in 10.4 either.

Kerio

However, there's another, albeit less well-known choice: Kerio MailServer 6, from Kerio, http://www.kerio.com/ . While I haven't had a chance to beat on it over a long term, or in a large-scale implementation, what I have seen is very nice.

Installation and Initial Setup

Installing Kerio MailServer 6 is as simple as installing almost any other product. You run the installer, answer the questions in the wizard and you have a server. This is not to say you don't need to know what you are doing, but that Kerio has done the extra work to make getting the product installed and running as simple as possible. Yes, yes, a good admin shouldn't need it, but I appreciate it when a product doesn't require me to pass the labors of Hercules just to get it installed.

The admin interface is logically laid out and easy to use, even over Apple Remote Desktop. It's designed so that you can do the simple stuff easily, while not keeping you from the low level features you sometimes need.

One major bonus is the Open Directory integration features. This is a separate installer that you run on your Open Directory Master, which adds some Kerio - specific entries to your LDAP directory. This allows Kerio MailServer to pull user data and authentication information from an existing Open Directory setup, which allows you to keep your user information in one place.

Kerio can also tie into the Kerberos support in Open Directory, allowing it to participate in the Open Directory Single Sign On environment. So, if you use email/calendaring clients that support Kerberos, such as Mail, Eudora, or Mulberry, and your client Macs are MCX clients, then your users authenticate to Kerio when they log into their Macs. Single Signon does not suck.

Configuration

There are two primary tools for configuring Kerio MailServer; the MailServer Monitor application and the Administration Console. The MailServer Monitor lets you start/stop the MailServer and open the Administration Console. It has a nice Dock menu for these tasks, as seen below.

This brings me to my biggest complaint with Kerio...it places its startupitem in /System/Library/StartupItems/ and not /Library/StartupItems/. This is in general a bad idea, since like a lot of folks, I don't back that directory up, since it's easily restored from original media, and only Apple should be playing in there anyway. This should probably get fixed sooner than later.

The Administration Console is nicely designed, with all the features of the MailServer clearly labeled and easy to find. Spam is handled via standard SMTP relay settings, and subscription to various blacklists. MailServer ships with the four or so most popular blacklists, and you can add your own. You can also limit things like number of messages per hour from a single IP, number of concurrent SMTP connections from a single IP, harvest attack methods, and so on. MailServer ships with McAfee's antivirus engine, but can use external once, such as Sophos if you so desire. You can easily set up attachment filters, and the actions you want to take when a virus, or bad attachment is encountered.

The individual services MailServer provides can be enabled or disabled as you need, and set to automatically start when the MailServer launches if you like.

As I noted earlier, Kerio supports using both Active Directory and Open Directory for user authentication and LDAP services. This allows you to keep your user databases in one place, and not have to replicate user creation/deletion/changes/etc. between multiple user databases. The implementation is rather simple. You install the Open Directory adapter on the Open Directory Master, point MailServer at it, set up your Kerberos Realm information in MailServer and then add the users. It's five clicks to add the users in your Open Directory domain. The same applies for groups as well. Again, while an experienced email administrator can do all of this manually, having a well thought-out UI for this makes dealing with MailServer much nicer, and that's, well, nice.

Kerio supports all the major authentication schemes, such as SSL, Kerberos, CRAM-MD5, and NTLM, so using MailServer securely is as simple as telling MailServer what to use and how to use it.

Client setup is like any other. You tell your email client what server to use, set up your authentication type, enter your user ID and password (if you aren't using Kerberos), and you're set. If you want to use Entourage (v.X and 2004) or Outlook, Kerio's manual has the specific instructions on how to set this up, and they work nicely. For Outlook, Kerio provides a MAPI connector, and Entourage uses HTTP-DAV, which is also used by Outlook and Evolution.

No, you aren't going to perfectly replicate an Exchange server, but if you need 100% of Exchange features, you're using Outlook and Exchange, period. But for 90% of common groupware needs, Kerio can handle it with ease.

From my own tests, and looking at other tests of email servers, Kerio should have no problems handling email and groupware needs for almost any size of client base.

Conclusion

This is kind of a hit and run review, but sometimes I don't have the six months to a year I like to test such things. While there is still desperate need for more choices in groupware servers for the Mac, the fact is, that if we only have one real choice, having that choice be Kerio is not the worst thing that can happen. Kerio has wisely chosen to implement groupware support in such a manner that you can use existing groupware clients in your enterprise, and still get maximum benefit. It has a setup and configuration that are so well designed and easy to use that they should be copied everywhere, and a manual that is as well-written as any one I've found. It's rare that I can solve every problem I have with setting up a product with nothing more than the shipped documentation, and it's really sweet when a company takes the time and effort to make this happen.

John Welch (jwelch@provar.com is an IT Staff Member for Kansas City Life Insurance, a Technical Strategist for Provar, (http://www.provar.com/) and the Chief Know-It-All for TackyShirt, (http://www.tackyshirt.com/. He has over fifteen years of experience at making Macs work with other computer systems. John specializes in figuring out ways in which to make the Mac do what nobody thinks it can, showing that the Mac is a superior administrative platform, and teaching others how to use it in interesting, if sometimes frightening ways. He also does things that don't involve computertry on occasion, or at least that's the rumor.