Webmail implementation is one of the best available on the Mac or any other platform
Wider range of direct client support than other similar products on the Mac
Integrates into Active Directory and Open Directory environments
Admin tools are both intuitive and powerful
Supports CalDAV, LDAP address books, Public/Shared mail/calendar/contact folders, IMAP/POP/SMTP/HTTP-DAV, and Exchange Active Sync for iPhone and other mobile devices
Web administration feature set is severely limited compared to fat administration client
Outlook support via plug-in that requires updating with new KMS releases
Directory support via separate installs
Odd iCal issues
No Kerberos/SSO client support
More expensive than Mac OS X 10.6 Server’s groupware offering
You can’t use Mac OS X 10.6’s Exchange support with KMS
Can have scaling issues, especially for large numbers of Entourage users
Often, reviewing server software can be frustrating, especially for new releases. You rarely have the kind of time needed to do proper testing, to see how it works in the real world. For Kerio Mail Server, that doesn’t hold true this time. I’ve been running
Kerio Mail Server for over six months in a real world scenario: it’s my company’s groupware server.
While the product is called a “Mail Server” the truth is, it does far more than just serve e-mail. Kerio Mail Server (KMS) 6.7.2 is an e-mail, calendaring, contact, and to-do server that runs on three versions of the Mac OS, three Linux distros, six versions of Windows, as a VMWare virtual appliance, or a Parallels virtual appliance. KMS is nothing if not flexible.
For Mac OS X, you can install it on either Mac OS X client or Mac OS X Server. I currently have it installed on a quad-core Mac Pro with 5GB of RAM, running Mac OS X 10.5.8 client. KMS as installed is talking to Apple’s Open Directory for user authentication, and serving around 200 users via IMAP/SMTP for Apple Mail and Thunderbird, HTTP-DAV for Entourage, CalDAV for iCal and some braver Thunderbird users, (via plug-in), and Exchange ActiveSync for iPhone and Windows Mobile users.
Installation is straightforward; download the server installer, and run it. This installs KMS and the KMS administration console on the mail server. There’s a short, well-done wizard to help with your basic settings. You can download the administrator console separately so that you don’t have to log into the mail server directly to manage KMS. While there is a Web Admin UI, you’ll want to use the administration console application to fully manage KMS.
One thing I greatly appreciate about KMS over other e-mail servers is that the administration tools are both powerful and easy to use. Dealing with them is so much better than either the “We have all the power, but prove you’re worthy” design of some servers or the “Yes, we have a GUI, but really, most of the lower-level stuff is going to require you to work around the GUI tools” of others. (Apple, I look at you fixedly here.) The KMS GUI gives you all the tools you need to run your server in a well thought-out, easy to use application. It’s not perfect; some of the options, like adding port 587 to SMTP services is a little counterintuitive, but in my case, that was more because we wanted it to be more complicated than it was.
Getting KMS to talk to our Open Directory service was fairly simple. KMS has a set of Open Directory extensions that you install on your Open Directory Master and any Replicas, and you tell KMS about that directory and tell it to use Kerberos to communicate with the directory server for authenticating users. The advantage here is that you don’t have to maintain user passwords in KMS. The disadvantage here is that if something happens to your directory server, your e-mail doesn’t work either. This also highlights a longstanding annoyance I have with KMS: The connection between KMS and our directory users Kerberos, but you can’t connect, as a client, using Kerberos.
For most people, this is only a minor issue, as Single-Signon is not a big factor for many. But, if you have to institute regular password changes, you run into an odd annoyance. Password changes, at least with Mac OS X Server, happen based on the number of seconds since the last password change. That means it’s entirely possible for a user’s password counter to hit zero after that user has logged in. Because KMS authenticates against Open Directory every time a client does anything, once that password change hits, KMS can’t authenticate to Open Directory, and the password is rejected. I’ve also seen, when this happens, the Kerberos server gets into a state where the user can’t change their password and it has to be reset by a directory administrator. Once you realize what’s going on, it’s simple enough to deal with, but it’s really annoying. The best answer here is for KMS to support kerberized client connections, but until then, if you have regular password changes as a policy, and KMS is linked into Open Directory, you’re going to hit this problem.
However, since we’re talking about things going wrong, this is a good time to deal with diagnostics. First, unlike a lot of GUI administrator applications, where getting good information on what’s going on can be tedious, if not impossible, KMS’s log module is fantastic. Not only does it have a number of default logs that cover most of the basics, but you can configure the debug log to track any server operation. Need to monitor conversations with a directory service? Easily done. The log interface also supports regular expressions, (at least for my needs. I haven’t torture-tested this, I haven’t needed to), and allows you to highlight log lines containing terms you’re interested in. That is a very nice touch.
In addition, I have been quite happy with both Kerio’s e-mail support and live phone support. Both have provided the support I needed for real-world issues. Kerio’s knowledge base could use some work, but it’s got good, basic functionality, and has saved me a call or two. Of better use are the Kerio forums, populated not just by customers and Kerio employees, but also by Kerio partners. It’s been an invaluable resource in helping me find the answers to problems before I have to call support.
In terms of client features, KMS covers all the bases. Version 6.7 was a big leap and has had some growing pains, such as iCal Mac OS X 10.6 seeing Kerio CalDAV calendars as read-only, (fixed in 6.7.2), and some issues with auto-complete in iCal, (due to be fixed in an upcoming update), but those issues have been fixed quickly after their discovery, and the updates haven’t caused more problems than they solved. KMS has some nice features, such as Public Folder support that actually works with Apple’s client applications, something Apple would do well to beef up in their own products.
Most of the problems I’ve had with KMS involved working around limitations in Apple’s applications. iCal has been decent to deal with, but Address Book is kind of tedious. Ironically, when it comes to my needs as a sysadmin, the two best applications outside of KMS’s administration application have been Microsoft Entourage, and KMS’s own Webmail. Entourage primarily because it has the most mature support for Public Folders on the Mac, and KMS’s Webmail is just the best Webmail I’ve ever used. (Kerio has told me that support for Exchange Web Services is on their list of features for a future update.)
Kerio goes out of its way to make their Webmail as nice as possible to use. From things like keybindings, so that you can create a new e-mail message via command-N, to having a user-friendly server-side rules setup, Kerio’s attention to detail and care to the overall Webmail experience makes it, if not a joy to use, at least not agonizing.
I have to say, when it comes to Webmail, out of the box, Kerio’s is well, pretty. Considering the rather plain appearances of your average Webmail implementation, (again, looking at Apple here), a pleasant visual experience is kind of nice. Oh, and Kerio supports Exchange Active Sync. So, you get better iPhone support from KMS than you do from Mac OS X 10.6 Server.
Kerio isn’t perfect. It is definitely targeted at the uses where you’ll have less than 1000 users per server, and if you have a lot of Entourage users, that number drops even more. It doesn’t support Exchange Web Services, so you can’t use Mac OS X 10.6’s Exchange Support or Entourage EWS with it. Because CalDAV is still an immature protocol, and iCal can be an “interesting” client, there are some odd issues with CalDAV, Kerio, and iCal, although these are fixed pretty quickly. Outlook support is done via a MAPI plug-in that has to be updated with every new version, and the AD/OD support requires you to install directory extensions on the directory servers. But, you get solid support, an excellent feature set, a really nice administration UI, and better cross-platform client support than Mac OS X 10.6 Server provides. In addition, given Kerio’s breadth of platform support for KMS, you’re not locked into any one platform.
MSRP pricing for Kerio Mail Server, with McAfee Anti-Virus, and 200 users is $599 for the server + 10 users, and $4560 for the additional user licenses, or $24.00/user. Without the McAfee AV, the price for 200 users drops to $4299, or $499 for the server + 10 users, and $3800 for the additional user licenses, or $20/user. It costs more than Mac OS X 10.6 Server’s offerings, but you get more. I can live with that. If you go through a Kerio partner, you can usually get some solid discounts on that price.
Macworld’s buying advice
Kerio Mail Server offers a larger feature set, a wider range of server and client platform support, better iPhone support, and a far better Webmail experience than Mac OS X 10.6 Server, and rather a lot of other products that cost far more. It is also clearly not a product for big enterprise needs. There are some things that could, and should be better, but overall, they should not create unsolvable show-stopper problems when using KMS in a Mac-centric or Mac-only shop. If you have a lot of Entourage users who are not using Entourage EWS yet, Kerio Mail Server is the only server on the Mac to support almost every Exchange feature that Entourage can use. A solid product that’s well-worth the money.
[John C. Welch has been an IT administrator for almost twenty years. Since 1999, he’s been writing about Macs in IT and related topics.