REQUIREMENTS
Carbonio can only be installed in Multi-Server mode. Each node must meet the system and software requirements listed below. Firewall Ports, on the other hand, must only be opened on the Node that hosts the associated service. Port 6071, for example, (safe access to the Admin Panel) must only be opened on the Node that has the Carbonio Admin Panel. If a service isn’t deployed, the relevant port can be disabled to prevent unauthorised access. Access to ports 110 and 995, for example, can be denied if POP3/POPS access is denied.
System Prerequisites
CPU | Intel/AMD 64-bit 4 cores min./8+ cores vCPU |
RAM | 16 GB min., 32+ GB recommended |
Disk space (Operating system and Carbonio) | 40 GB |
These requirements are valid for each Node in a Carbonio Installation and may vary depending on the size on the infrastructure, which includes the number of mailboxes and the services running on each node.
VMware vSphere 6.x |
VMware vSphere 7.x |
XenServer |
KVM |
Virtualbox (testing purposes only) |
Software Prerequisites
Carbonio is only available for 64-bit CPUs and may be installed on top of any vanilla installation of Ubuntu 20.04 LTS Server Edition or RHEL 8.
Before attempting to install Carbonio, the following prerequisites must be met.
- DNS resolution that is valid for both the domain (
MXandArecords) and the FQDN (Arecord)
Warning
If the FQDN is not correctly configured, the installation will be temporarily suspended to allow the change of the hostname
- Python 3, latest version available on the Operating System chosen Perl,
- latest version available on the Operating System chosen IPv6 must be disabled.
- Make also sure that the /etc/hosts does not contain any IPv6 entries.
See the dedicated box below for details and examples.
Support for other distributions will be announced in due course when it becomes available.
Additional Requirements
- A working knowledge of CLI is required. All carbonio commands must be run as the zextras user (a zextras$ prompt will appear), whereas all other commands must be run as the root user, unless otherwise specified.
- Between Ubuntu and RHEL 8, commands or sets of commands may differ. This is shown by blue tabs: click on the tab of your choosing to locate the appropriate command.
- When no such tabs are specified, the instructions to run on Ubuntu and RHEL 8 are the same.
Ports for Firewalls
Carbonio requires network connectivity on specified ports in order to function effectively.
Internal Connections ports must be opened on all nodes, whereas External Connections ports must be opened only on the node where the relevant Role is installed. For example, port 443 should only be opened on the node that hosts the Proxy Role.
Furthermore, ports in Internal and External connections are organised by the Role that requires them, therefore all ports indicated in a table must be opened only on the Node where the Role is installed.
External TCP Connections
Port | Protocol | Service |
|---|---|---|
25 | TCP | Postfix incoming mail |
465 | TCP | deprecated SMTP authentication relay |
587 | TCP | Port for SMTP autenticated relay, requires STARTTLS (or opportunistic SSL/TLS) |
Warning
These ports should be exposed only if really needed, and preferably only accessible from a VPN tunnel, if possible, to reduce the attack surface.
Port | Service | |
|---|---|---|
80 | TCP | unsecured connection to the Carbonio web client |
110 | TCP | external POP3 services |
143 | TCP | external IMAP services |
443 | TCP | secure connection to the Carbonio web client |
993 | TCP | external IMAP secure access |
995 | TCP | external POP3 secure access |
5222 | TCP | XMMP protocol |
6071 | TCP | secure access to the Admin Panel |
8636 | TCP | access to LDAP address books |
Warning
The IMAP, POP3, and 6071 ports should be exposed only if really needed, and preferably only accessible from a VPN tunnel, if possible, to reduce the attack surface.
Port | Protocol | Service |
|---|---|---|
20000-40000 | UDP | Client connections for the audio and video streams |
TCP Internal Connections
Port | Service | |
|---|---|---|
22 | TCP | SSH access |
8301 | TCP and UDP | management of Gossip protocol 2 in the LAN |
9100 | TCP | Carbonio Monitoring Node exporter |
9256 | TCP | Carbonio Monitoring Process exporter |
Port | Protocol | Service |
|---|---|---|
5432 | TCP | Postgres access |
9187 | TCP | Postgres data export to Carbonio Monitoring |
Port | Protocol | Service |
|---|---|---|
389 | TCP | unsecure LDAP connection |
636 | TCP | secure LDAP connection |
9330 | TCP | LDAP data export to Carbonio Monitoring |
Port | Protocol | Service |
|---|---|---|
25 | TCP | Postfix incoming mail |
465 | TCP | deprecated SMTP authentication relay 3 |
587 | TCP | Port for SMTP autenticated relay, requires STARTTLS (or opportunistic SSL/TLS) |
7026 | TCP | bind address of the Milter service |
Port | Protocol | Service |
|---|---|---|
7025 | TCP | local mail exchange using the LMTP protocol |
7071 | TCP | Port for SOAP services communication |
7072 | TCP | NGINX discovery and authentication |
7073 | TCP | SASL discovery and authentication |
7110 | TCP | internal POP3 services |
7143 | TCP | internal IMAP services |
7993 | TCP | internal IMAP secure access |
7995 | TCP | internal POP3 secure access |
8080 | TCP | internal HTTP services access |
8443 | TCP | internal HTTPS services |
8735 | TCP | Internal mailbox mailbox communication |
8742 | TCP | internal HTTP services, advanced module |
8743 | TCP | internal HTTPS services, advanced module |
Port | Protocol | Service |
|---|---|---|
8188 | TCP | Internal connection |
8090 | TCP | Servlet communication |
Port | Protocol | Service |
|---|---|---|
9113 | TCP | nginx data export to Carbonio Monitoring |
11211 | TCP | memcached access |
Port | Protocol | Service |
|---|---|---|
8300 | TCP | management of incoming requests from other agents |
8302 | TCP and UDP | management of Gossip protocol in the WAN |
9107 | TCP | Carbonio Mesh data export to Carbonio Monitoring |