My colleague and I migrated our mail server this weekend. I wanted to post our steps and experience so others may benefit. Let me know if I need to edit any of it.
Apple Xserve G5
1.33 GHz PPC Processor
OS X Server 10.5.X
Apple Mac Mini
2.66 GHz Intel Core2 Duo
OS X Server 10.6.8
Pre-Kerio installation steps:
1. Configure DNS on new server.
2. Configure firewall rules to point to new DNS server.
3. Configure OD on new server
4. Export OD accounts / groups from old server and import to new server.
5. Set passwords for accounts on new server, test login.
6. Export mailing lists from OSX mailman to *.CSV file to import into Kerio. See the following link for info: http://forums.kerio.com/m/86515/#msg_86515
7. Copy any data files / shares to new server.
Kerio Installation steps:
1. Block inbound email traffic at firewall. Our email filter service "Frontbridge" will hold it for us while we do the migration.
2. Install Kerio Connect and install licenses.
3. Move forward to import OD accounts and import IMAP mail stores.
Problem 1: Cannot log into webmail
We imported the OD accounts into Kerio. When we tried to log into webmail to test the import it would not work. The Kerio security logs showed error:
HTTP/WebMail: Invalid password for user xxx<_at_>mydomain.com. Attempt from IP address 192.168.0.125.
1. We verified that Kerberos is running properly on our server using "kinit". http://manuals.kerio.com/connect/adminguide/en/sect-krbmac.html
2. Make sure under Configuration -> Domains -> Advanced Tab, that you have the server FQD name. For example (Hermes.mydomain.com). If this field is wrong, the users will fail to authenticate.
Problem 2: Misspelled domain name during IMAP store import
We misspelled the domain name during the import process and Kerio imported the messages to the misspelled message store. (/usr/local/kerio/mailserver/store/mail/misspelleddomain.com ) To fix this simply stop Kerio services. Delete the correctly spelled and empty domain folder, rename the incorrectly spelled domain folder to the correct name, make sure the folder permissions are correct, then restart Kerio services. At that point all the imported mail should be in the correct mail boxes.
Problem 3: Incorrect import of SSL Certificate
We purchased an SSL certificate from RapidSSL and had problems installing it correctly. When running the verification process from their site, it would not pass verification. We finally figured out the following... RapidSSL uses both a root certificate and an intermediate cert. You need to copy both certs into a SINGLE cert file with the proper format. See the following: http://manuals.kerio.com/connect/adminguide/en/sect-kmscert.html. Also, when you initially create the cert request (*.crt file) it is the ONLY time it will create the server private key (*.key file), which you will need to import the purchased cert. BACKUP both the (*.crt and *.key) files BEFORE you try to import your purchased cert. Kerio will DELETE the (*.key) file when you attempt to import the cert. For security reasons, I think??? Without the (*.key) file you cannot correctly import the cert. If this happens to you, you will need to restart the process by starting another cert request from Kerio. So here is the process step by step...
1. Start a cert request from Kerio
2. Open terminal and browse to the (sslcert) folder
3. Make a backup copy of both the (*.crt, and *.key) files
4. Upload your cert request to your CA
5. You should receive your purchased root and intermediate certs via email
6. Copy both certs into a single file using the format suggested in the web link above
7. Import the cert into Kerio, and point it to your *.key if needed
8. Wait 10 min after proper import, and you should be able to verify proper certification
-- At this point we turned the inbound mail traffic back on at the firewall level. --
Problem 4: OSX Mail cannot connect to SMTP services
OSX mail for 10.5.X and 10.6.X could not connect to our SMTP service. Inbound mail was fine but outbound was not working correctly. Error message stated "SMTP Server was not available". We found that OSX mail DOES NOT support (Cram-MD5, Digest-MD5) authentication. So in Kerio -> Configuration -> Advanced Options -> Security Policy, you need to have (LOGIN or PLAIN) authentication enabled. We unchecked (PLAIN) and left (LOGIN) enabled.
Problem 5: Post Kerio Migration **Update 8.15.2012**
Entourage 2008 12.2.0 keeps producing an error message "Unable to establish a secure connection to..." This message states that Entourage for some reason cannot verify the certificate of your server. There are many and various posts on this cryptic error. This issue has not gone away, and I have tried every piece of info I have been able to find on the web. At this time I am testing with Outlook 2011 to see if there is a possible solution.
Also, iCal for OS X 10.6.X keeps producing an error...
"The calendar Https://server.mydomain.com/caldav/users/mydomain.com/userxxx. was not found on the server, make sure the URL is correct."
BTW: Microsoft has NOT released a fix.
https://kb.kerio.com/article/entourage-outlook-2011-is-unable-to-establish-secure-connection-after-kerio-connect-upgrade-to-73-769.html
Did not work for us.
This may work for you if your OD or AD server and Kerio server are not the same. But, in our case we are running OD and Kerio on the same server, so this should not be an issue.
Our possible solution:
Since Microsoft states that Entourage 2008 Web Services Edition uses the Exchange communication method instead of WebDAV, we have upgraded one of our users as a test subject. Logically speaking, it makes more sense that Entourage WSE would work better with Kerio since they both are speaking Exchange 2007.
--Update-- Upgrading to Entourage WSE has not fixed the issue. We also tried to import the SSL certificate directly into the client using the info here.
No solution yet, but I will update when we find one.
BE WARNED: When you upgrade to Entourage WSE it wipes your local email stores and accounts. You SHOULD make a full email BACKUP before upgrading.
Solution for the iCal errors:
There is a post in the Kerio forums that recommends enabling port 8443 in the Kerio HTTPS services. We did this and changed iCal's port to 8443, and the errors stopped.
Our (Directory Service) configuration tab looks like this:
*Map user accounts and groups from a directory service to this domain box IS checked.
*Directory service type: Apple Open Directory (Kerberos 5 authentication)
Secondary Hostname: -Blank-
LDAP Search Suffix: dc=hermes,dc=mydomain,dc=com
Importing SSL Cert to Server 10.6.X
We found that importing the RapidSSL certificate into Server Admin -> Certificate also requires the private key in order for the cert to become trusted and have a "green" icon. Once again, you need to back up and store in a safe location the private key that is created when you initially create your cert request. You will need this key whenever importing the purchased cert.
[Updated on: Wed, 15 August 2012 18:39]
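Added example, not part of the original post and not Kerio's own tooling: shell functions for the two checks Problem 3 turns on, namely that the backed-up private key belongs to the purchased certificate and that the combined certificate file is chained correctly. It assumes the `openssl` command-line tool is installed and that the combined file lists the server certificate first, followed by its issuer(s); all file names and subjects are constructed.

```sh
#!/bin/sh
# Added example (constructed names and subjects): pre-import checks for Problem 3.

# Succeeds only if certificate $2 carries the public key of private key $1.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds if file $1 holds at least two certificates and each one is issued
# by the certificate that follows it (assumed order: server cert first).
bundle_in_order() {
  d=$(mktemp -d) || return 2
  awk -v d="$d" '/BEGIN CERTIFICATE/{n++} n{print > (d "/" n ".pem")}' "$1"
  i=1; rc=0
  while [ -f "$d/$((i + 1)).pem" ]; do
    iss=$(openssl x509 -in "$d/$i.pem" -noout -issuer | sed 's/^[^=]*=//')
    sub=$(openssl x509 -in "$d/$((i + 1)).pem" -noout -subject | sed 's/^[^=]*=//')
    [ "$iss" = "$sub" ] || rc=1
    i=$((i + 1))
  done
  [ "$i" -ge 2 ] || rc=1
  rm -rf "$d"; return "$rc"
}

# Constructed test material in directory $1: a throwaway issuing CA, a server
# key and request, the key backup, and a correctly and a wrongly ordered file.
make_demo() (
  cd "$1" || exit 1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Constructed Issuing CA" -days 1 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=mail.example.test" 2>/dev/null &&
  cp server.key server.key.bak &&
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out server.crt -days 1 2>/dev/null &&
  openssl genrsa -out other.key 2048 2>/dev/null &&
  cat server.crt ca.crt > good.crt && cat ca.crt server.crt > bad.crt
)

if [ "${1:-}" = demo ]; then
  t=$(mktemp -d) && make_demo "$t" &&
  key_matches_cert "$t/server.key.bak" "$t/server.crt" && echo "key matches" &&
  bundle_in_order "$t/good.crt" && echo "bundle ordered"
  rm -rf "$t"
fi
```

Run it with the argument `demo` to exercise the checks on throwaway material; against real files, call the two functions on the backed-up key and the combined certificate file before importing.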