Securing LDAP in Carbonio CE

Securing LDAP

By default, Carbonio CE stores LDAP passwords hashed with SHA-512. Although there are no known flaws in this method, some institutions may require a more secure approach.

Since version 23.4.0, Carbonio CE supports the Argon2 algorithm for storing LDAP passwords.
Although Carbonio CE installations still use SHA-512 by default, the new method can be enabled with a straightforward two-step process.

Before beginning the operation, it is advised to create a dump of the LDAP database, using the instructions and commands listed in the Upgrade section Preliminary Tasks.
 
The first step is up to the administrator, who must run the script below as the zextras user in order to activate the Argon2 algorithm.

zextras$ /opt/zextras/libexec/scripts/migrate20230217-AddArgon2.pl

Once the script has completed successfully, Argon2 is used by default for new passwords: every LDAP password set from then on is stored with Argon2, whereas existing passwords continue to use SHA-512 until they are changed.
The second step is, in fact, up to the users: Argon2 will only be used to store each user’s password once they update it.

Hint

The Administrator can force a user to change password from the Carbonio Admin Panel by enabling the option This user must change password, which appears in the General tab when editing a user under Domains ‣ Accounts. See section Accounts for details.
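Because the second step depends on each user changing their password, an administrator will usually want to know how far the migration has progressed, that is, which accounts are still stored with the SHA-512 scheme and which already use Argon2. The POSIX shell script below is an added example and is not part of the Carbonio documentation or code base. It assumes an LDIF export of the directory is at hand (such as the dump taken in the preliminary step), that password hashes carry an RFC 2307 style scheme prefix such as {SSHA512} or {ARGON2}, and that the export may base64-encode the userPassword value (the LDIF "::" form). The LDIF embedded in the script is a constructed sample, not real data.

```shell
#!/bin/sh
# Added example (not Carbonio code): report which accounts in an LDIF export
# still use the SHA-512 password scheme and which already use Argon2.
# Assumptions: hashes are stored with an RFC 2307 style "{SCHEME}" prefix such
# as {SSHA512} or {ARGON2}; the export may base64-encode values ("userPassword::").
# LDIF line folding (continuation lines starting with a space) is not handled.

# Constructed sample export standing in for a real dump (not real data).
# "carol" uses the base64 form: e1NTSEE1MTJ9enp6eg== decodes to {SSHA512}zzzz
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=com
mail: alice@example.com
userPassword: {ARGON2}$argon2id$v=19$m=65536,t=2,p=1$c2FsdHNhbHQ$aGFzaGhhc2g

dn: uid=bob,ou=people,dc=example,dc=com
mail: bob@example.com
userPassword: {SSHA512}Tm90QVJlYWxIYXNo

dn: uid=carol,ou=people,dc=example,dc=com
mail: carol@example.com
userPassword:: e1NTSEE1MTJ9enp6eg=='

# Extract the {SCHEME} prefix from a password value; "NONE" if there is none.
scheme_of() {
    s=$(printf '%s\n' "$1" | sed -n 's/^{\([^}]*\)}.*/\1/p')
    printf '%s\n' "${s:-NONE}"
}

# Print "mail scheme" for the entry collected so far, then reset the state.
emit_entry() {
    if [ -n "$scheme" ]; then
        printf '%s %s\n' "${mail:-unknown}" "$scheme"
    fi
    mail="" scheme=""
}

# Read LDIF from stdin and print one "mail scheme" line per entry that has a password.
ldif_password_schemes() {
    mail="" scheme=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "")                 emit_entry ;;               # blank line ends an entry
            "mail: "*)          mail="${line#mail: }" ;;
            "userPassword:: "*) scheme=$(scheme_of "$(printf '%s' "${line#userPassword:: }" | base64 -d)") ;;
            "userPassword: "*)  scheme=$(scheme_of "${line#userPassword: }") ;;
        esac
    done
    emit_entry   # flush the last entry when the input has no trailing blank line
}

# Summary line "argon2=<n> pending=<m>", then one "pending <mail> <scheme>" line
# per account whose password has not yet been re-hashed with Argon2.
argon2_migration_report() {
    ldif_password_schemes | awk '
        $2 == "ARGON2" { migrated++; next }
        { pending[$1] = $2 }
        END {
            n = 0; for (m in pending) n++
            printf "argon2=%d pending=%d\n", migrated, n
            for (m in pending) printf "pending %s %s\n", m, pending[m]
        }'
}

# Number of sample accounts still waiting for a password change.
sample_pending_count() {
    printf '%s\n' "$SAMPLE_LDIF" | argon2_migration_report | grep -c '^pending '
}

printf '%s\n' "$SAMPLE_LDIF" | argon2_migration_report
```

Run as is, the script reports one migrated account and two pending ones from the sample. Against a real export, pipe the LDIF into argon2_migration_report instead of the sample; the accounts listed as pending are the ones an administrator may choose to flag with This user must change password. The script only reads the export and changes nothing in the directory.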

Switch off Amavis Anti-Virus

An administrator may wish or need to stop Carbonio CE’s internal anti-virus engine, amavis, for example when utilising an external anti-virus engine or analysing an MTA issue in a test environment. In such cases, the following CLI command can be used to disable Amavis manually:

zextras$ carbonio prov mcf carbonioAmavisDisableVirusCheck TRUE

The status of the variable and the service may both be checked at any time with

zextras$ carbonio prov gcf carbonioAmavisDisableVirusCheck

Note

If you have never modified the value of the variable, this command may return no output, which means that amavis is running.