Kerio Mail Server
Volume Number: 20 (2004)
Issue Number: 11
Column Tag: Programming
Patch Panel
by John Welch
The Best Groupware Server on Mac OS X
One of the biggest holes in Apple's Server offerings is in the realm of groupware. Apple gives
you a solid email server and so-so network address books (Open Directory has real issues with the
kinds of things you need for Address Books), but no calendaring or scheduling.
Welcome
If you look at the platform, there aren't many choices at all. Now and Meeting Maker don't
integrate with any other clients on the Mac. If you have Linux clients, then the only way to use Now
is via a web interface, and Meeting Maker requires Windows for a lot of its higher end
functionality. Oracle bought Steltor to get Corporate Time, but that requires a separate client for
calendaring, and it's a pretty ugly client, even though it has fantastic functionality.
Stalker Software's CommuniGate Pro can only talk to iCal on the Mac. You can get better groupware
functionality out of it, but only for Outlook on Windows. CommuniGate has issues with talking to
Open Directory, or any directory server other than the one they ship with it, and recent price
increases have effectively relegated that product to the high end market. Apple doesn't even have
any kind of calendaring server at all, and from what they've released for information on Tiger
Server, they aren't going to have one in 10.4 either.
Kerio
However, there's another, albeit less well-known choice: Kerio MailServer 6, from Kerio (http://www.kerio.com/). While I haven't had a chance to beat on it
over a long term, or in a large-scale implementation, what I have seen is very nice.
Installation and Initial Setup
Installing Kerio MailServer 6 is as simple as installing almost any other product. You run the
installer, answer the questions in the wizard and you have a server. This is not to say you don't
need to know what you are doing, but that Kerio has done the extra work to make getting the product
installed and running as simple as possible. Yes, yes, a good admin shouldn't need it, but I
appreciate it when a product doesn't require me to pass the labors of Hercules just to get it
installed.
The admin interface is logically laid out and easy to use, even over Apple Remote Desktop. It's
designed so that you can do the simple stuff easily, while not keeping you from the low level
features you sometimes need.
One major bonus is the Open Directory integration features. This is a separate installer that you
run on your Open Directory Master, which adds some Kerio-specific entries to your LDAP directory.
This allows Kerio MailServer to pull user data and authentication information from an existing Open
Directory setup, which allows you to keep your user information in one place.
Kerio can also tie into the Kerberos support in Open Directory, allowing it to participate in the
Open Directory Single Sign On environment. So, if you use email/calendaring clients that support
Kerberos, such as Mail, Eudora, or Mulberry, and your client Macs are MCX clients, then your users
authenticate to Kerio when they log into their Macs. Single Sign On does not suck.
Configuration
There are two primary tools for configuring Kerio MailServer: the MailServer Monitor application
and the Administration Console. The MailServer Monitor lets you start/stop the MailServer and open
the Administration Console. It has a nice Dock menu for these tasks, as seen below.
Figure: Kerio MailServer Monitor Dock menu
Figure: Kerio MailServer Monitor application
This brings me to my biggest complaint with Kerio... it places its startup item in
/System/Library/StartupItems/ and not /Library/StartupItems/. This is in general a bad idea, since
like a lot of folks, I don't back that directory up, since it's easily restored from original media,
and only Apple should be playing in there anyway. This should probably get fixed sooner rather than later.
The Administration Console is nicely designed, with all the features of the MailServer clearly
labeled and easy to find. Spam is handled via standard SMTP relay settings, and subscription to
various blacklists. MailServer ships with the four or so most popular blacklists, and you can add
your own. You can also limit things like number of messages per hour from a single IP, number of
concurrent SMTP connections from a single IP, harvest attack methods, and so on. MailServer ships
with McAfee's antivirus engine, but can use external ones, such as Sophos, if you so desire. You can
easily set up attachment filters, and the actions you want to take when a virus or bad attachment
is encountered.
The individual services MailServer provides can be enabled or disabled as you need, and set to
automatically start when the MailServer launches if you like.
Figure: Kerio MailServer Administration Console
As I noted earlier, Kerio supports using both Active Directory and Open Directory for user
authentication and LDAP services. This allows you to keep your user databases in one place, and not
have to replicate user creation/deletion/changes/etc. between multiple user databases. The
implementation is rather simple. You install the Open Directory adapter on the Open Directory
Master, point MailServer at it, set up your Kerberos Realm information in MailServer and then add
the users. It's five clicks to add the users in your Open Directory domain. The same applies for
groups as well. Again, while an experienced email administrator can do all of this manually, having
a well thought-out UI for this makes dealing with MailServer much nicer, and that's, well, nice.
Kerio supports all the major authentication schemes, such as SSL, Kerberos, CRAM-MD5, and NTLM,
so using MailServer securely is as simple as telling MailServer what to use and how to use it.
Client setup is like any other. You tell your email client what server to use, set up your
authentication type, enter your user ID and password (if you aren't using Kerberos), and you're set.
If you want to use Entourage (v.X and 2004) or Outlook, Kerio's manual has the specific instructions
on how to set this up, and they work nicely. For Outlook, Kerio provides a MAPI connector, and
Entourage uses HTTP-DAV, which is also used by Outlook and Evolution.
No, you aren't going to perfectly replicate an Exchange server, but if you need 100% of Exchange
features, you're using Outlook and Exchange, period. But for 90% of common groupware needs, Kerio
can handle it with ease.
From my own tests, and looking at other tests of email servers, Kerio should have no problems
handling email and groupware needs for almost any size of client base.
Conclusion
This is kind of a hit and run review, but sometimes I don't have the six months to a year I like
to test such things. While there is still desperate need for more choices in groupware servers for
the Mac, the fact is that if we only have one real choice, having that choice be Kerio is not the
worst thing that can happen. Kerio has wisely chosen to implement groupware support in such a manner
that you can use existing groupware clients in your enterprise, and still get maximum benefit. It
has a setup and configuration that are so well designed and easy to use that they should be copied
everywhere, and a manual that is as well written as any I've found. It's rare that I can solve
every problem I have with setting up a product with nothing more than the shipped documentation, and
it's really sweet when a company takes the time and effort to make this happen.
John Welch (jwelch@provar.com) is an IT Staff
Member for Kansas City Life Insurance, a Technical Strategist for Provar (http://www.provar.com/), and the Chief Know-It-All for TackyShirt
(http://www.tackyshirt.com/). He has over fifteen years of
experience at making Macs work with other computer systems. John specializes in figuring out ways
in which to make the Mac do what nobody thinks it can, showing that the Mac is a superior
administrative platform, and teaching others how to use it in interesting, if sometimes frightening
ways. He also does things that don't involve computertry on occasion, or at least that's the rumor.