HTACCESS Possible?
  •  
it-purchasing@uaudio.com

I want to set up a basic auth to the webmail, and was wondering if this is possible. I see that Kerio's http/https server is built into mailserver, and am not sure if it supports this or not. If so, how do I set it up?
  •  
scottwilkins

If you've already installed Kerio, you are done. Just open a browser and put in http://mailservername and you're good to go. If you need access via internet, use your router's ability to point port 80 and 443 to the IP of your mail server, then use the URL or IP of your mail address in your browser. You'll love Kerio's webmail as it has almost 100% of everything you see in Outlook for each account. All contacts, calendars, shared stuff, etc etc. It's even WAP (Cell Phone browser) capable.

[Updated on: Wed, 09 August 2006 15:01]

  •  
it-purchasing@uaudio.com

I think my question was misunderstood. I already have the webmail up and running.

The question was can you use HTACCESS to put a "Pre"-login on the pages like you can do with an Apache web server. What I need is to be able to have a standard log/pass just to view the page where each user enters in his/her personal log/pass.

  •  
scottwilkins

Sorry, no I didn't understand.

But, I have to ask: Why? Kerio's security is quite good, and their webmail does support SSL. Many security firms state that too much security is actually insecure, in that it causes users to be less concerned with the security and do things that would compromise the protection put in place. So why would you want two levels of knowledge to enter the web mail?
  •  
it-purchasing@uaudio.com

Simply because my boss wants it.
  •  
sedell

Here comes the other problem. Passwords provided for .htaccess don't require SSL, whereas you can require SSL with Kerio. It even automatically redirects to the secure page if you have it set up for secure access only; .htaccess would interfere with this mechanism. You'd actually be making it less secure by requiring an .htaccess username and password.

Scott
  •  
scottwilkins

it-purchasing<_at_>uaudio.com wrote on Wed, 09 August 2006 19:28

Simply because my boss wants it.


Ouch! I've been in situations like that before. Sorry.

My statement on "too much security" was taken from a speech from the director of IT security for the FBI. If that's not enough clout to realize what damage over-securing connectivity can do, I don't know what is.

Of course the only way to make any system almost perfectly secure is to remove it from the internet. You might try taking an idea like requiring VPN connectivity to access intranet only based web mail.

Good luck with your endeavors.

[Updated on: Wed, 09 August 2006 19:47]

  •  
mathieuf

sedell wrote on Wed, 09 August 2006 10:39

It even automatically redirects to the secure page if you have it set up for secure access only


How do you get KMS to redirect to https if attempts to connect to http?
I tried disabling the http service but that didn't work.
  •  
sedell

Advanced options -> Security Policy. Set a policy that requires either secure authentication, or encrypted connection and it will redirect automatically.

Scott
  •  
winkelman

Does anyone have a clue how much more load the encryption of HTTPS connections puts on the server? I require HTTPS from 'outside', but allow HTTP from the local LAN. If the extra load of all-HTTPS is mild, I may disable HTTP webmail entirely.

(Currently I have about 80 simultaneous HTTP webmail sessions and 2-4 KOC clients. All the HTTP would then change to HTTPS.)
  •  
mbox

I see two possible uses of applying HTTP authentication to Kerio web mail. First, you could use it to disable webmail on a per-user basis, which is related to the popular "Service activation per user" Kerio feature request. Secondly, it provides some added protection if there's a security hole in Kerio's webapps since HTTP authentication works at the web-server level (although so does SSL client-side certificates).

I once asked someone at Kerio just that: how to enable webmail on a per-user basis. He suggested HTTP authentication can probably do it. I'm not sure how this might be done in Kerio's web server since it's not Apache, but I guess you could put a reverse proxy in front of Kerio's web server to do this. That's not as ideal since it probably won't work with other protocols including ActiveSync. As scottwilkins suggested, this may even be less secure since you'll need to keep BOTH Kerio and the reverse proxy patched and secured. It would be better if Kerio supported that feature.
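
The reverse-proxy pre-login discussed in this thread, written out as decision logic: redirect cleartext requests before any password is requested, leave the sync protocols ungated, and challenge only the webmail path. This is an added example, not part of the original post and not Kerio's or any proxy's own code; the host name, the `/webmail` prefix, the shared credentials and the `gate` function are assumptions chosen for illustration.

```python
import base64
import hmac

# Hypothetical values for illustration only (not Kerio's real paths or accounts).
GATED_PREFIXES = ("/webmail",)   # browser UI that gets the shared pre-login
GATE_USER, GATE_PASS = "staff", "constructed-example-secret"


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        # Basic auth is only base64, not encryption: anyone on the wire can do this.
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def gate(scheme, host, path, authorization=None):
    """Decide what the proxy does with one request: (status, headers).

    200 means "forward to the mail server", which still does its own login.
    """
    # 1. Never ask for a password over cleartext: redirect first.
    if scheme != "https":
        return 301, {"Location": f"https://{host}{path}"}
    # 2. Sync protocols (ActiveSync, CalDAV, CardDAV) are not gated; they keep
    #    using the mail server's own authentication.
    if not path.startswith(GATED_PREFIXES):
        return 200, {"X-Gate": "bypass"}
    # 3. Webmail path: require the shared pre-login, compared in constant time.
    creds = parse_basic(authorization)
    if creds:
        ok_user = hmac.compare_digest(creds[0].encode(), GATE_USER.encode())
        ok_pass = hmac.compare_digest(creds[1].encode(), GATE_PASS.encode())
        if ok_user and ok_pass:
            return 200, {"X-Gate": "passed"}
    return 401, {"WWW-Authenticate": 'Basic realm="webmail pre-login"'}
```

Every path that bypasses the gate is still reachable from the internet, so the pre-login adds a layer in front of the browser UI only and the proxy itself becomes one more component to patch.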
  •  
marook

it-purchasing<_at_>uaudio.com wrote on Wed, 09 August 2006 19:28
Simply because my boss wants it.


1: Get a new boss!

2: If that does not compute, try again!... ;)

Sorry, but maybe we have to move to step 3....

3: Tell your boss that doing so would be close to the same as simply turning OFF webmail completely! Actually, it would be the same.. why??

Because none of the services that use HTTP(S) to connect will be able to connect!
And here we're not only talking about user initiated webmail, but also CalDAV + CardDAV services, Kerio Sync and Active Sync (ie iPhone/Smartphone access!).

If your boss wants to try to play 'security by obscurity' then the best would be to simply change the port numbers on the HTTP & HTTPS services.

If he needs further arguments, then ask if you also have another 'login' in front of IMAP and do you force the use of SMTP Delivery on port 587? (no client submitted mail via SMTP port 25)

Please, please, please show him this response if you need to, as I think he should find another job, if he does not get this... ;)

All the best!

Edit: spelling.. sorry..

[Updated on: Sun, 25 April 2010 23:31]


Regards,

Jakob Peterhänsel
Consultant - Humac A/S

Apple Certified Support Professional (ACSP)
Apple Certified Technical Coordinator (ACTC)
AppleSeed/CQF member since 1998
Kerio Messaging Partner
  •  
marook

Other point:

- Adding two logins would simply move people away from using it (besides all the services that Can't use it)

- With this 'extra' security, I trust your boss is on top of using Directory based accounts, that have a good password policy in working order... right?

If not, that is a MUCH better place to start, than changing port numbers and putting strange .htaccess workarounds in place that would just break everything you bought Kerio for in the first place!
