Home » Categories » Kerio Connect » Server configuration » Security
Icon Printer Icon Email      Icon Twitter Icon Digg Icon Stumbleupon Icon de.icio.us Icon FaceBook

Password policy in Kerio Connect

About password policy

To secure users and their passwords in Kerio Connect:

Creating strong user passwords

Strong user passwords should be long and complex. The following guidelines may help you in advising your users:


Passwords should be at least 8 characters long.


Passwords should contain all of the following:

  • Llowercase letters

  • Uppercase letters

  • Numbers

  • Special characters


Users should change their password often.

You can also read this Wikipedia article for more information.

Generating strong passwords

Kerio Connect can generate strong passwords for your users:

  1. Go to the Users section.

  2. Select a user and click Edit.

  3. On the General tab, click Generate.

  4. Copy the generated password and give it to user.

  5. Click OK.

Requiring complex passwords (for local users)

In Kerio Connect, you can force local users to create strong and complex passwords.

Complex password:

  • Must be at least 8 characters long,

  • Must include at least 3 types of characters (lowercase, uppercase, numbers, symbols),

  • Cannot include user's domain and username, and any part of user's fullname (longer than 2 characters).

To configure complex passwords for individual domains:

  1. In the administration interface, go to the Configuration → Domains section.

  2. Select a domain and click Edit.

  3. On the Security tab, enable the User passwords must meet complexity requirements option.

  4. Click OK.


From now on, each time local users changes their password in Kerio Connect Client, they must create a password which complies with the Kerio Connect's complexity requirements.

Remember to enable users to change their passwords in Kerio Connect Client.

This also applies when administrators change passwords via the administration interface.

Enabling password expiry (for local users)

To secure local user passwords, you can enable password expiration.

  1. In the administration interface, go to the Configuration → Domains section.

  2. Select a domain and click Edit.

  3. On the Security tab, enable the User must change password every option.

  4. Set the number of days after which users must change their password.

  5. Click OK.

Any change to these settings (checking/unchecking the option) resets the counter for password expiry.

Notifying about the expiration

Kerio Connect sends notifications to users before their password expires. Kerio Connect sends the notifications 21, 14 and 7 days before expiration, and then every day until the password expires.

Users must change their password in Kerio Connect Client.

If users fail to change their password, they cannot login to their account and must contact their administrator (who changes the password for them in their user settings).

If an administrator password expires, the administrator can login to the administration interface to change their password.

Protecting against password guessing attacks

Kerio Connect can block IP addresses suspicious of password guessing attacks (ten unsuccessful attempts in one minute).

  1. Go to section Configuration → Security → the Security Policy tab.

  2. Select the Block IP addresses suspicious of password guessing attacks option.

    IP address is blocked for individual services. If POP3 is blocked, attacker can attempt logging via IMAP.

  3. You can select a group of trustworthy IP addresses.

  4. To block all services, check option Block user accounts probably targeted by password guessing to lock the affected accounts.

  5. Click OK.


When an account is blocked, user cannot log in. Kerio Connect unlocks the blocked accounts after 5 minutes. For immediate unlocking (throughout all the domains), click Unlock All Accounts Now.

This action is not identical with temporary disabling user accounts.

comments powered by Disqus