REQUIREMENTS
You can install Carbonio CE as a Single-Server or Multi-Server installation, with the various services and roles distributed across multiple servers.
There are four types of requirements: System Requirements for a Node, Software Requirements for a Node, and RHEL 8 Specific Requirements.
In a Multi-Server environment, we provide software requirements for the Nodes, which are the single server or the servers in a Multi-Server environment. In the Four Nodes Scenario we will present later, we will give specific requirements for the Nodes.
System Requirements for a Node
CPU | Intel/AMD 64-bit 4 cores min./8+ cores vCPU |
RAM | 16 GB min., 32+ GB recommended |
Disk space (operating system and Carbonio CE) | 50 GB |
These requirements are valid for each Node in a Carbonio CE Installation and may vary depending on the size of the infrastructure, which includes the services running on each node and the number and size of each mailbox. This means that if for example you plan to assign a 10GB quota to each of your 20 users, you must increase the Disk space requirements accordingly, i.e., to around 250GB total.
VMware vSphere 6.x |
VMware vSphere 7.x |
XenServer |
KVM |
Virtualbox (testing purposes only) |
Software Requirements for a Node
A vanilla Ubuntu 20.04 LTS Server Edition or RHEL 8 installation can be used with Carbonio CE on 64-bit CPUs only.
While they are not officially supported, Linux distributions compatible with Ubuntu 20.04 (e.g., Debian) and RHEL 8 (e.g., AlmaLinux, Rocky Linux) may be used as base OS for Carbonio CE, provided all dependencies can be satisfied. This may include adding third-party repositories or manually installing software packages.
Moreover, even if Carbonio CE can be installed on an unsupported distribution, it may require some additional effort to have all Carbonio CE Components working, for example to manually edit some configuration file, while some Component may be not working at all. If you face some problems on unsupported distributions or if you successfully installed Carbonio CE on a unsupported distribution and want to share your result, you may want to join the Official Community Forum.
The following requirements must be satisfied before attempting to install Carbonio CE.
1. A public IP address must be assigned to the entire Carbonio CE infrastructure. Domain names associated with IP addresses must match the A records in the DNS (e.g., A mail.example.com)
Hint
You can check a domain’s A record using the CLI utility host:
# host -t A example.com2. Mail can be received by the mail server by setting up an MX record, which should match the A record (e.g. MX: example.com = mail.example.com )
Hint
You can check a domain’s MX record using the CLI utility host:
# host -t MX example.comIn the event that either the A or MX records are not configured correctly, the installation will be temporarily suspended to allow the hostname to be changed.
Details and examples can be found in the dedicated box below.
3. In addition to SPF, DKIM, and DMARC TXT records, you should also define these records for improved email security
4. Depending on the Operating System chosen, Python 3 is the latest version available
5. The latest Perl version available for the selected operating system
6. IPv6 must be disabled. Ensure that the /etc/hosts do not contain any IPv6 entries.
Configuring DNS resolution
To make sure that the DNS is correctly configured for both A and MX records: to do so, you can use any DNS resolution server, including dnsmasq, systemd-resolved, and bind.
We show as an example, only suitable for demo or testing purposes, how to install and configure dnsmasq for DNS resolution.
Follow these simple steps to set up dnsmasq. These instructions are suitable for a demo or testing environment only.
Warning
On Ubuntu 20.04, installing and running dnsmasq may raise a port conflict over port 53 UDP with the default systemd-resolved service, so make sure to disable the latter before continuing with the next steps.
# apt install dnsmasq# dnf install dnsmasqTo configure it, add the following lines to file /etc/dnsmasq.conf:
server=1.1.1.1 mx-host=example.com,mail.example.com,50 host-record=example.com,172.16.0.10 host-record=mail.example.com,172.16.0.10
Remember to replace the 172.16.0.10 IP address with the one of your server. Then, make sure that the etc/resolv.conf contains the line:
nameserver 127.0.0.1
This will ensure that the local running dnsmasq is used for DNS resolution. Finally, restart the dnsmasq service
# systemctl restart dnsmasqSupport for other distributions will be announced in due course when it becomes available.
RHEL 8 Specific Requirements
If you plan to install Carbonio CE on RHEL 8, these tasks are required before attempting the installation.
A subscription to the follow repositories must be active (you must be able to fetch from BaseOS and the other main repositories):
# subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms
The CodeReady repository enabled:
# subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms- SELinux
Must be set to disabled or permissive in file
/etc/selinux/config. You can check the current profile using the command# sestatus- Firewall
All the ports needed by Carbonio CE are open on the firewall or the firewall is disabled. To disable the firewall, issue the commands
# systemctl stop firewalld.service # systemctl disable firewalld.service
Additional Requirements
- It’s required to be familiar with CLI use. Unless otherwise specified, all carbonio commands must be issued as the root user, and all other commands must be issued as the zextras user (these commands will display a zextras$ prompt).
Note
The
zextrasuser is created during the Carbonio CE installation process, it is not necessary to create it beforehand. - There may be variations in some commands or command groups between RHEL 8 and Ubuntu. Blue tabs are used to indicate this; select the tab of your choosing to get the appropriate command.
- On Ubuntu and RHEL 8, the commands to execute are the same when no such tabs are provided.
Ports on a firewall
It is important to permit network connectivity on particular ports in order for Carbonio CE to function correctly. Only the ports for External Connections need to be opened in a Single-Server installation because all other traffic stays on the server.
Ports listed under Internal Connections in a Multi-Server installation must be opened on every node, but those listed under External Connections can only be accessed on the node where the associated Role is installed. For instance, only the node hosting the Proxy Role should have port 443 exposed.
All ports indicated in a table must be opened exclusively on the Node on which the Role is installed since ports in Internal and External connections are grouped according to the Roles that require them.
External TCP Connections
Port | Protocol | Service |
|---|---|---|
25 | TCP | Postfix incoming mail |
465 | TCP | deprecated SMTP authentication relay |
587 | TCP | Port for SMTP autenticated relay, requires STARTTLS (or opportunistic SSL/TLS) |
Warning
These ports should be exposed only if really needed, and preferably only accessible from a VPN tunnel, if possible, to reduce the attack surface.
Port | Service | |
|---|---|---|
80 | TCP | unsecured connection to the Carbonio web client |
110 | TCP | external POP3 services |
143 | TCP | external IMAP services |
443 | TCP | secure connection to the Carbonio web client |
993 | TCP | external IMAP secure access |
995 | TCP | external POP3 secure access |
6071 | TCP | secure access to the Admin Panel |
Warning
The IMAP, POP3, and 6071 ports should be exposed only if really needed, and preferably only accessible from a VPN tunnel, if possible, to reduce the attack surface.
Internal TCP Connections
Port | Service | |
|---|---|---|
22 | TCP | SSH access |
8301 | TCP and UDP | management of Gossip protocol in the LAN |
9100 | TCP | Carbonio Monitoring Node exporter |
9256 | TCP | Carbonio Monitoring Process exporter |
Port | Protocol | Service |
|---|---|---|
5432 | TCP | Postgres access |
9187 | TCP | Postgres data export to Carbonio Monitoring |
Port | Protocol | Service |
|---|---|---|
389 | TCP | unsecure LDAP connection |
636 | TCP | secure LDAP connection |
9330 | TCP | LDAP data export to Carbonio Monitoring |
Port | Protocol | Service |
|---|---|---|
25 | TCP | Postfix incoming mail |
465 | TCP | deprecated SMTP authentication relay |
587 | TCP | Port for SMTP autenticated relay, requires STARTTLS (or opportunistic SSL/TLS) |
7026 | TCP | bind address of the Milter service |
Port | Protocol | Service |
|---|---|---|
7025 | TCP | local mail exchange using the LMTP protocol |
7071 | TCP | Port for SOAP services communication |
7072 | TCP | NGINX discovery and authentication |
7073 | TCP | SASL discovery and authentication |
7110 | TCP | internal POP3 services |
7143 | TCP | internal IMAP services |
7993 | TCP | internal IMAP secure access |
7995 | TCP | internal POP3 secure access |
8080 | TCP | internal HTTP services access |
8443 | TCP | internal HTTPS services |
8735 | TCP | Internal mailbox mailbox communication |
8742 | TCP | internal HTTP services, advanced module |
8743 | TCP | internal HTTPS services, advanced module |
Port | Protocol | Service |
|---|---|---|
8188 | TCP | Internal connection |
8090 | TCP | Servlet communication |
Port | Protocol | Service |
|---|---|---|
9113 | TCP | nginx data export to Carbonio Monitoring |
11211 | TCP | memcached access |
Port | Protocol | Service |
|---|---|---|
8300 | TCP | management of incoming requests from other agents |
8302 | TCP and UDP | management of Gossip protocol in the WAN |
9107 | TCP | Carbonio Mesh data export to Carbonio Monitoring |