Carbonio Email Service provider

Carbonio CE Security

The procedures in this section describe how to secure a typical Carbonio CE installation.

Deploy an SSL Certificate

This section describes adding an SSL/TLS certificate to a Carbonio CE installation, including how to add a wildcard certificate as well as a certificate for a single server. Let’s Encrypt certificate installation and maintenance are supported by Carbonio CE; instructions for doing so may be found in a specific post on the Zextras Community portal.

This configuration is required if Carbonio CE is used with mobile apps; it is also advised for any installation to prevent the client browser’s connection-related warning about an invalid certificate.

Installation of Commercial Certificates

The procedure is explained for the following scenario:

  • The FQDN of the server is mail.example.com.
  • There isn’t a valid SSL certificate for the domain.

Replace mail.example.com with your actual server’s FQDN in the remaining text.

The process has several steps and requires console access to the Carbonio CE server.

Step 1: Creation of a Certificate Signing Request

We begin by producing a CSR:

where the elements of the subject correspond to the fields required for an SSL certificate:

  • C: The country’s two-digit code
  • ST: State or province
  • L: City
  • O: Name of the organisation
  • OU: Organisation unit (department)
  • CN: Common Name

These files will be created after the command has been run:

Step 2: Get the certificates from your SSL provider

You must submit the CSR to the SSL provider, obtain a commercial certificate in PEM format, and store it as /opt/zextras/ssl/carbonio/commercial/commercial.crt in order to properly finish this step.


Additionally, SSL providers give a packaged certificate file (referred to as a “Full Chain CA”) that must be stored as /opt/zextras/ssl/carbonio/commercial/commercial_ca.crt. This file also contains the intermediate certificate and the so-called Root CA.

Step 3: Verify and deploy

To ensure that the certificate and your private key match, follow the steps below:

  • Enter the directory containing the certificates as the zextras user:
  • Verify the certificates.
  • After a successful verification, you can deploy the SSL certificate.
  • Restart Carbonio CE to finish.

Your certificate should now be set up. Run the following command to confirm the certificate’s details:

Installing Wildcard Certificates

We use the same server with the FQDN mail.example.com to illustrate this process, but in this case a wildcard SSL certificate for the domain *.example.com already exists and was created on a server other than the Carbonio CE one.

As a result, you already have all the required files, which makes the process simpler.

Step 1: Certificate setup

The current PEM certificate must be saved as /opt/zextras/ssl/carbonio/commercial/commercial.crt, and its private key must be saved as /opt/zextras/ssl/carbonio/commercial/commercial.key.

To combine the two certificates into one, navigate to /opt/zextras/ssl/carbonio/commercial/ and do as follows:

Step 2: Verification and deployment

To ensure that the certificate and your private key match, follow the steps below:

  • Enter the directory containing the certificates as the zextras user:
  • Verify the certificates.
  • After a successful verification, you can deploy the SSL certificate.
  • Restart Carbonio CE to finish.
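
An independent check to run before the deploy and restart steps of either certificate procedure, as an added example that is not part of the original page or of Carbonio's tooling: it uses only openssl to create the key and CSR, then confirms that the private key matches the certificate, that the certificate chains to the CA bundle, and that it is valid for the server's FQDN. The function names and the commercial.csr file name are assumptions.

```shell
#!/bin/sh
# Added example: plain-openssl checks around the certificate procedure.
# Not Carbonio tooling; commercial.csr and all function names are assumptions.

# Step 1: create an unencrypted RSA key and a CSR in DIR for SUBJECT,
# e.g. "/C=XX/ST=State/L=City/O=Example/OU=IT/CN=mail.example.com".
make_csr() {  # usage: make_csr DIR SUBJECT
  ( umask 077  # the private key must not be readable by other users
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout "$1/commercial.key" -out "$1/commercial.csr" \
      -subj "$2" >/dev/null 2>&1 )
}

# SHA-256 of a PEM public key on stdin; fails on empty input so that two
# unreadable files can never compare as equal.
hash_pub() {
  pem=$(cat)
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}
key_pub_hash()  { openssl pkey -in "$1" -pubout 2>/dev/null | hash_pub; }
cert_pub_hash() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | hash_pub; }

# Verification: succeed only if the key matches the certificate, the
# certificate chains to the CA bundle, and it is valid for the server's FQDN.
check_pair() {  # usage: check_pair KEY CERT CA_BUNDLE FQDN
  k=$(key_pub_hash "$1")  || { echo "cannot read private key: $1" >&2; return 2; }
  c=$(cert_pub_hash "$2") || { echo "cannot read certificate: $2" >&2; return 2; }
  [ "$k" = "$c" ] || { echo "certificate does not match private key" >&2; return 1; }
  openssl verify -CAfile "$3" -verify_hostname "$4" "$2" >/dev/null 2>&1 \
    || { echo "chain or hostname check failed for $4" >&2; return 3; }
  echo "OK: key, certificate, chain and hostname agree"
}
```

Comparing public-key hashes works for RSA and EC keys alike, and the hostname check catches a wildcard certificate that does not cover the server's FQDN.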

Your certificate should now be set up. Run the following command to confirm the certificate’s details:

The instructions in this section explain how to add a DKIM record to the DNS of a domain that is under the control of a Carbonio CE installation.

Establish a DKIM record

There are two steps involved in creating a new DKIM record. As usual, the domain name in our example is example.com; please substitute your own domain name.

Test and confirm

You can run a number of tests to make sure that the DKIM record has been correctly added to the domain DNS and is working properly to sign outgoing emails.

Securing LDAP

By default, Carbonio CE’s LDAP passwords use the SHA-512 algorithm. Although there are no known flaws in this algorithm, some organisations may need a more secure approach.

Since version 23.4.0, Carbonio CE supports the Argon2 algorithm for LDAP password storage.

Although Carbonio CE installations still use SHA-512 by default, the new algorithm can be enabled with a straightforward two-step process.

However, it is advised to create a dump of the LDAP database before beginning the operation, using the instructions and commands listed in the Preliminary Tasks section of Upgrade.

The first step is up to the administrator, who must run the script below as the zextras user in order to activate the new Argon2 algorithm.

After the script has run successfully, Argon2 is used by default: all new LDAP passwords are stored with Argon2, while existing passwords continue to use SHA-512.

The second step is, in fact, up to the users: Argon2 will only be used to store each user’s password once they update it.
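
A way to track the second step described above, as an added example that is not part of the original page or of Carbonio's tooling: it reads an LDIF dump and lists the accounts whose password is not yet stored with Argon2. It assumes OpenLDAP-style scheme prefixes ({SSHA512}, {ARGON2}) and plain `dn:` lines; the function names and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: audit which accounts in an LDAP dump still carry a
# pre-Argon2 hash. The {SSHA512}/{ARGON2} prefixes are assumed (OpenLDAP style).

# Print "SCHEME<TAB>DN" for every entry with a userPassword attribute.
password_schemes() {  # usage: password_schemes LDIF_FILE
  # Unfold LDIF continuation lines (a leading space continues the previous line).
  awk '/^ / { buf = buf substr($0, 2); next }
       { if (buf != "") print buf; buf = $0 }
       END { if (buf != "") print buf }' "$1" |
  while IFS= read -r line; do
    case $line in
      "dn: "*)            dn=${line#dn: }; continue ;;
      "userPassword:: "*) v=$(printf '%s' "${line#userPassword:: }" | base64 -d 2>/dev/null) ;;
      "userPassword: "*)  v=${line#userPassword: } ;;
      *) continue ;;
    esac
    case $v in
      "{"*"}"*) s=${v%%"}"*}; s=${s#"{"} ;;  # text between the first { and }
      *)        s=UNKNOWN ;;                  # cleartext or undecodable value
    esac
    printf '%s\t%s\n' "$s" "$dn"
  done
}

# DNs whose password has not yet been re-hashed with Argon2.
pending_argon2() { password_schemes "$1" | awk -F'\t' '$1 != "ARGON2" { print $2 }'; }

# Constructed sample dump: alice changed her password after the switch,
# bob (folded line) and carol (base64 value) did not.
sample_ldif() {
  printf 'dn: uid=alice,ou=people,dc=example,dc=com\n'
  printf 'userPassword:: %s\n\n' "$(printf '%s' '{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$c2FsdA$aGFzaA' | base64)"
  printf 'dn: uid=bob,ou=people,dc=example,dc=com\n'
  printf 'userPassword: {SSHA512}Y29uc3RydWN0ZWQtbm90\n LWEtcmVhbC1oYXNo\n\n'
  printf 'dn: uid=carol,ou=people,dc=example,dc=com\n'
  printf 'userPassword:: %s\n' "$(printf '%s' '{SSHA512}Y29uc3RydWN0ZWQ=' | base64)"
}
```

The dump contains password hashes, so keep it readable by its owner only and remove it once the audit is done.
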

Switch off Amavis Anti-Virus

An administrator may want or need to stop amavis, Carbonio CE’s internal anti-virus engine, for example when using an external anti-virus engine or when analysing an MTA issue in a test environment.

In such cases, the status of Amavis can be disabled manually with a CLI command.
The status of the variable and the service may both be checked at any time with